On 27 July 2016, the Monetary Authority of Singapore ("MAS") issued new Guidelines on Outsourcing Risk Management ("Guidelines") to financial institutions ("FIs"), following extensive industry and public consultation which started in September 2014. MAS also issued its response to feedback received from the public consultation, clarifying the proposals that have been incorporated in the Guidelines, as well as its policies and expectations on the application of the Guidelines.
FIs are given a three-month period to conduct a self-assessment of all existing outsourcing arrangements against the Guidelines, and will need to rectify any deficiencies identified by 26 July 2017.
MAS will also be issuing a new Notice on Outsourcing at a later date, but will engage the industry prior to the issuance of the Notice, where necessary.
Key Changes and MAS' Policies and Expectations
A summary of the key changes to the Guidelines, and of MAS' policies and expectations with respect to the application of certain requirements, is set out below:
- Application of the Guidelines to all FIs: The Guidelines will apply to all financial institutions defined under Section 27A of the Monetary Authority of Singapore Act, thereby extending the guidelines to FIs such as licensed financial advisers, licensed trust companies, registered insurance brokers, registered fund management companies, exempt corporate finance advisers, money changers and remittance licence holders, and stored value facilities holders.
- Removal of pre-notification requirements: FIs no longer need to notify MAS before commencing any material outsourcing arrangements. Instead, MAS will continue to assess and monitor the robustness of the institution’s outsourcing risk management frameworks, while institutions continue to be responsible for ensuring the safety of all of their outsourcing arrangements.
- Materiality of outsourcing: Outsourcing arrangements that involve customer information and may have a material impact on the FI's customers in the event of any unauthorised access or disclosure will, by default, be regarded as material. (Customer information that is public, made anonymous or securely encrypted will not be regarded as customer information for this purpose.)
- Additional guiding examples of outsourcing arrangements: MAS has provided additional non-exhaustive examples of arrangements that would generally be regarded as outsourcing arrangements. These include: (a) white-labelling arrangements such as trading and hedging facilities; (b) information systems hosting (e.g. software-as-a-service, infrastructure-as-a-service, platform-as-a-service); (c) investment management (including research and sub-advisory arrangements); (d) management of policy issuance and claims operations by managing agents; and (e) support services related to the archival and storage of data and records. Further, certain low-risk arrangements that were previously excluded from the definition of outsourcing should no longer be automatically excluded. These include mail and courier services, printing services, the purchase of goods, software and other commodities, credit and background investigations, and the employment of contract or temporary personnel.
- Maintenance and submission of outsourcing register: FIs will need to maintain an updated register of all outsourcing arrangements in the prescribed format available from the MAS website, and submit this to the MAS at least annually or upon request.
- Enhancing the responsibility of the Board and Senior Management: The new Guidelines place a heightened emphasis on adequate oversight and governance, internal controls and institution-wide risk management. The board should be responsible for setting a suitable risk appetite that defines the nature and extent of risks the FI is willing and able to assume from its outsourcing arrangements, and for ensuring that senior management establishes appropriate governance structures and processes for sound and prudent risk management.
- Application of the Guidelines to material and non-material outsourcing: Certain risk management practices will apply only to material outsourcing arrangements. These include the requirements to: (a) perform periodic reviews on at least an annual basis; (b) incorporate contractual clauses granting the FI and MAS audit access, access to information, and access to any report or findings made on the service provider and its sub-contractors; and (c) ensure that outsourcing arrangements with overseas service providers are conducted in such a manner as not to hinder MAS' supervisory efforts. Otherwise, FIs are expected to apply the risk management practices to all outsourcing arrangements in a manner commensurate with the risks involved.
- Outsourcing risk evaluation criteria: In evaluating the risks of outsourcing arrangements, an FI should analyse its own and its group's aggregate exposure to the outsourcing arrangement, in order to manage concentration risk. An FI may rely on its head office or parent company for this analysis, but will ultimately remain responsible for its own aggregate exposure.
- Due diligence on service providers: FIs are expected to conduct more rigorous due diligence on service providers. In particular, FIs should conduct a risk-based assessment of whether the service provider's employees meet the FI's hiring policies for the role they are performing, consistent with the criteria applicable to the FI's own employees. FIs should also take a risk-based approach in determining whether to conduct onsite visits. Further, FIs should assess the service provider's technology risk management even for non-IT outsourcing, where IT risks could manifest in the non-IT outsourcing arrangement.
- Data security and confidentiality: MAS continues to expect FIs to protect the confidentiality of customer information, and ensure strong controls and safeguards are implemented. MAS clarified that logical segregation of data is acceptable.
- Monitoring and control: All material outsourcing arrangements must be subject to an annual review, at minimum. Review and audit dates and a high-level record of the reviews performed should be captured in the outsourcing register. While monitoring may be carried out by business units, the FI should establish a central function or committee, sufficiently senior and with the necessary expertise, to maintain an institution-wide view of the risks and ensure an optimal level of consistency in the management and control of all of the institution's outsourcing arrangements.
- Audit and inspection: MAS has not adopted the previous proposal for audits to be carried out at least every three years. However, MAS expects FIs to conduct audits or expert assessments of all outsourcing arrangements on a regular basis, at a frequency commensurate with the nature and extent of the risks and their impact on the FI. For material outsourcing, FIs must ensure that MAS has the right to access any report or findings made on the service providers and their sub-contractors.
- Indemnity: MAS has not adopted the previous proposal that would have required FIs to indemnify and hold MAS harmless from any liability, loss or damage to the service provider and its sub-contractors arising out of any audit or inspection of the service provider and its sub-contractors.
- Notification of adverse development: FIs are required to notify the MAS as soon as possible of any adverse development in their outsourcing arrangements that could impact the FIs. The outsourcing agreement should specify the types of events and circumstances under which the service provider should report to the FI, in order for the FI to take prompt risk mitigation measures and notify MAS of such developments.
- Outsourcing agreement: In addition to ensuring that outsourcing agreements with service providers contain certain mandatory clauses, FIs should ensure that the outsourcing agreements are legally enforceable, even where the outsourcing is to another entity within the same group.
- IT outsourcing: The new Guidelines supersede the Information Technology Outsourcing Circular issued by the MAS on 14 July 2011. FIs are no longer expected to consult and submit the completed MAS Technology Questionnaire for Outsourcing to the MAS before making any significant IT outsourcing commitment.
- Use of cloud services: MAS has also introduced a set of guidance on its expectations on the use of cloud computing services by FIs, including the use of public cloud. Please refer to the article below for further details.
A copy of the new Guidelines may be found here.