On 27 July 2016, the Monetary Authority of Singapore (“MAS”) issued revised Guidelines on Outsourcing (“Outsourcing Guidelines”) to financial institutions (“FIs”) and announced that a new Notice on Outsourcing will be issued at a later date.
These regulatory changes follow a MAS consultation process, begun in September 2014, that sought to raise the standards of FIs’ outsourcing risk management practices as outsourcing arrangements become more prevalent and complex. Stemming from such developments, various industry guidelines on outsourcing have also been issued by the Investment Management Association of Singapore (IMAS) and the Association of Banks in Singapore (ABS).
Key changes in the Outsourcing Guidelines include the following:
- Greater focus on an FI’s internal outsourcing risk management framework;
- Enhanced responsibilities of the board and senior management;
- New requirement to maintain an “Outsourcing Register”;
- Removal of the expectation to notify MAS of material outsourcing arrangements;
- New examples and wider definition of “outsourcing arrangements”;
- Revised definition of “material outsourcing arrangements” to include certain arrangements involving “customer information”;
- Additional prescribed provisions to be included in outsourcing contracts; and
- New provisions on cloud services as a form of outsourcing.
When the Outsourcing Guidelines were issued, the MAS provided the following transition timetable for existing outsourcing arrangements:
- By 26 October 2016, FIs should conduct a self-assessment of all existing outsourcing arrangements against the revised expectations in the Outsourcing Guidelines; and
- By 26 July 2017, FIs should rectify deficiencies identified in their self-assessment.
We have set out below certain practical action steps that FIs should be taking leading up to 26 July 2017.
(1) Outsourcing Register
FIs should ensure that a register of all their outsourcing arrangements is maintained based on the MAS-prescribed template. Items to be completed in the Outsourcing Register for each outsourcing arrangement include the dates on which various risk management practices were last carried out, such as the materiality assessment, due diligence on the outsourcing and sub-contracting arrangement, independent audit of the service provider and material sub-contractor, and business continuity plan tests.
The Outsourcing Register has to be submitted to the MAS at least annually or upon request.
(2) Outsourcing Contracts
The Outsourcing Guidelines continue to require that written contracts (a) are entered into for all outsourcing arrangements (whether material or non-material, intra-group or third-party); (b) contain certain prescribed minimum contents; and (c) are vetted for legality and enforceability by a competent authority (e.g. the FI’s legal counsel).
At this juncture, FIs should have reviewed existing arrangements to determine if they are classified as “outsourcing arrangements” under the revised definition and examples in the Outsourcing Guidelines. To facilitate remediation of existing outsourcing contracts as appropriate, we recommend that FIs consider, among other things, preparing a suitable template addendum.
(3) Outsourcing Policies and Procedures
We recommend that FIs update their documented policies and procedures in relation to existing outsourcing arrangements. For example, FIs should update their processes in relation to due diligence conducted on service providers and sub-contractors to appropriately meet the extensive expectations in the Outsourcing Guidelines.
It is also imperative that FIs retain appropriate compliance records, such as documentation and reports of the due diligence and audit conducted.