The Monetary Authority of Singapore (“MAS”) first issued Guidelines on Outsourcing (“Guidelines”) in 2004 (subsequently updated on 1 July 2005), to promote sound risk management practices for outsourcing arrangements of financial institutions. As outsourcing arrangements have become more prevalent and complex, MAS has proposed revisions to the Guidelines as part of efforts to raise the standards of institutions' risk management practices. The proposed changes have potentially far-reaching consequences for the practices, management and outsourcing arrangements of financial institutions.
The updated Guidelines include further guidance on certain practices, which will require an institution-wide, responsive and rigorous approach towards management of outsourcing arrangements, in particular relating to:
- responsibilities of boards and senior management; and
- monitoring and control of outsourcing arrangements.
In addition, significant changes are proposed in relation to the following areas:
- the definition of institutions to which the Guidelines apply;
- the definition of material outsourcing arrangements;
- the requirement to notify MAS of adverse developments;
- a requirement to assess employees of the service provider and its sub-contractors as being fit and proper;
- audit frequency and scope; and
- the requirement to keep a register of outsourcing arrangements.
In addition to updating the Guidelines, MAS proposes issuing a Notice (“Notice”) that defines a set of minimum standards for outsourcing management. The proposed Notice sets out other requirements for the management of material outsourcing arrangements, assessment of service providers, protection of customer data, termination of and exiting from an outsourcing arrangement and outsourcing to overseas regulated financial institutions. The expectation is for an institution to manage outsourcing arrangements as if the services continue to be conducted by the institution.
A summary of the proposed changes is set out below.
2. Responsibilities of boards and senior management
The proposed Guidelines provide that the responsibilities for effective oversight and governance, and management of all outsourcing arrangements and associated risks, accountability for all outsourcing decisions, and implementation of a consistent institution-wide outsourcing risk management framework, continue to rest with the institution, its board and senior management.
The board and senior management of an institution should ensure there are adequate processes to provide a comprehensive institution-wide view of its risk exposures from all its outsourcing arrangements, and to incorporate the assessment of such risks into the institution's outsourcing risk management framework.
As well as certain changes to the existing responsibilities of the board/committee, additional responsibilities involve:
- setting a suitable risk appetite to define the nature and extent of risks that the institution is willing and able to assume from its outsourcing arrangements; and
- ensuring that senior management establishes appropriate governance structures and processes for sound and prudent risk management, including a management body that reviews controls for consistency and alignment with a comprehensive institution-wide view of risk.
Where the board delegates its responsibility to a committee, the board should establish certain communication procedures between the board and the committee.
In addition to certain changes to the existing responsibilities of the senior management, additional responsibilities involve:
- ensuring that staff in the institution are made aware of policies and procedures for its outsourcing arrangements;
- monitoring and maintaining effective control of all risks from its material outsourcing arrangements on an institution-wide basis; and
- ensuring appropriate and timely remedial actions are taken to address audit findings.
3. Monitoring and control of outsourcing arrangements
In addition to the existing requirements, the proposed Guidelines provide that an institution has to be more proactive in its relationship with the service provider to ensure that performance, operational, internal control and risk management standards are upheld.
In addition to the existing requirements, an institution should put in place the following measures for effective monitoring and control of any material outsourcing arrangement:
- a register of all material outsourcing arrangements (as opposed to a central record of all material outsourcing as currently required), which should include reviews on the performance, operational, internal control and risk management standards of the outsourcing arrangement;
- policies and procedures to monitor confidentiality and security adequacy and compliance and security vulnerability management of the service provider, particularly where the service provider undertakes services for several customers. Such monitoring should be regular and further validated through the review of reports by auditors of the service provider or audits commissioned by the institution;
- service recovery procedures and reporting of lapses relating to the agreed service standards by the service provider;
- periodic reviews, at least on an annual basis, of outsourcing arrangements to ensure that the institution's outsourcing risk management policies and procedures, and the Guidelines, are effectively implemented;
- monitoring metrics and performance data specific to the institution available for reporting, and not aggregated with metrics or data belonging to other customers of the service provider; and
- pre- and post-implementation reviews of new outsourcing arrangements or when amendments are made to the outsourcing arrangements. These reviews should be comprehensive and include the end-to-end processes. If an outsourcing arrangement is materially amended, a full due diligence of the service provider should also be conducted.
4. Institutions to which the Guidelines apply
An institution to which the Guidelines apply would include any financial institution as defined in section 27A of the Monetary Authority of Singapore Act (Cap. 186) (“MAS Act”). This would extend the scope of the Guidelines to:
- any person that is considered by MAS to affect monetary stability and credit and exchange conditions in Singapore, the development of Singapore as a financial centre or the financial situation of Singapore generally and approved as a financial institution under section 28 of the MAS Act;
- any money-changer licensed to conduct money-changing business, or any remitter licensed to conduct remittance business, under the Money-changing and Remittance Businesses Act (Cap. 187);
- any insurance intermediary registered or regulated under the Insurance Act;
- any licensed financial adviser under the Financial Advisers Act (Cap. 110);
- any securities exchange, futures exchange, recognised market operator, licensed trade repository, licensed foreign trade repository, approved clearing house or recognised clearing house under the Securities and Futures Act (Cap. 289);
- any trustee-manager of a business trust that is registered under the Business Trusts Act (Cap. 31A);
- any licensed trust company under the Trust Companies Act (Cap. 336);
- any holder of a stored value facility under the Payment Systems (Oversight) Act (Cap. 222A); and
- any other person licensed, approved, registered or regulated by MAS under any written law.
5. Material outsourcing arrangements
A material outsourcing arrangement would be an outsourcing arrangement:
- which, in the event of a service failure or security breach, has the potential to either: (i) materially impact an institution's business operations, reputation or profitability; or (ii) adversely affect an institution's ability to manage risk and comply with applicable laws and regulations; or
- which involves customer information and, in the event of any unauthorised access or disclosure, loss or theft of customer information, may materially impact an institution's customers.
The test of it being prohibitive to change the service provider, as substitutes are lacking in the market or may only be replaced at significant cost to the institution, would be removed from the existing definition of outsourcing or outsourcing arrangement.
6. Adverse developments
The proposed Guidelines provide that an institution should notify MAS as soon as possible of any adverse development or breach of legal and regulatory requirements by the institution or its service provider or sub-contractors in relation to its outsourcing arrangement. This includes any event that could potentially lead to prolonged service failure or disruption in, or the termination and early exit of, the outsourcing arrangement and any significant unauthorised access or breach of security and confidentiality that affects the institution or its customers.
An institution should also notify MAS of such adverse development or breach of legal and prudential requirements encountered within the institution's group.
7. Fit and proper
The proposed Guidelines provide that an institution should ensure that the employees of the service provider and its sub-contractors undertaking any part of the outsourcing arrangement have been assessed to be fit and proper, consistent with the criteria applicable to its own employees. Any adverse findings from the fit and proper assessment should be considered in light of their relevance and impact to the outsourcing arrangement.
8. Audit frequency and scope
The proposed Guidelines provide that an institution should include certain provisions relating to audit and inspection in all outsourcing agreements. The Notice makes it mandatory for institutions to include such provisions unless otherwise specified in the Notice.
This includes clauses that:
- allow the institution to obtain copies of any report and finding made on the service provider and its sub-contractors, whether produced by the service provider’s and its sub-contractors’ internal or external auditors, or by agents appointed by the service provider and its sub-contractors, in relation to the outsourcing arrangement and to allow such copies of any report or finding to be submitted to MAS;
- allow MAS, or any agent appointed by MAS, where necessary or expedient, to exercise the contractual rights of the institution to access and inspect the service provider and its sub-contractors, and the institution, to obtain records and documents, of transactions, and information of the institution given to, stored at or processed by the service provider and its sub-contractors and the right to access any report and finding made on the service provider and its sub-contractors, whether produced by the service provider's and its sub-contractors' internal or external auditors or by agents appointed by the service provider and its sub-contractors, in relation to the outsourcing arrangement; and
- indemnify and hold MAS, its officers, agents and employees harmless from any liability, loss or damage to the service provider.
The proposed Guidelines provide that the outsourcing agreement should also include clauses that require the service provider to comply, as soon as possible, with any request from MAS or the institution, to the service provider and its sub-contractors to submit any reports on the security and control environment of the service provider and its sub-contractors, in relation to the outsourcing arrangement.
An institution should ensure that independent audits or expert assessments of all its outsourcing arrangements are conducted. In determining the frequency of audit and expert assessment, the institution should consider the nature and extent of risk and impact to the institution from the outsourcing arrangements. The period between audits should not exceed 3 years. The Notice makes these requirements mandatory for institutions unless otherwise specified in the Notice.
The scope of the audits or expert assessments should include an assessment of the service provider's and its sub-contractors' security (physical and IT) and control environment, incident management process (for material breaches, service disruptions or other material issues) and the institution's observance of the Guidelines and compliance with the Notice in relation to the outsourcing arrangement, which the Notice makes a mandatory requirement for institutions unless otherwise specified in the Notice.
The independent audit or expert assessment and reports on the service provider and its sub-contractors may be performed and prepared by the institution's internal or external auditors, or by agents appointed by the institution. Senior management should ensure appropriate and timely remedial actions are taken to address the audit findings. Institutions should have adequate processes in place to ensure that remedial actions are satisfactorily completed. Actions should be taken by the institution to review the outsourcing arrangement if the risk posed is no longer within the institution's risk tolerance, such as by modifying or terminating the existing arrangement.
Copies of audit reports should be submitted by the institution to MAS, which the Notice makes a mandatory requirement for institutions unless otherwise specified in the Notice. An institution should also, upon request, provide MAS with other reports or information on the institution and service provider related to the outsourcing arrangement.
9. Register of outsourcing arrangements
As indicated above, the proposed Guidelines provide that an institution should put in place a register of all material outsourcing arrangements (as opposed to a central record of all material outsourcing as currently required), which should include reviews on the performance, operational, internal control and risk management standards of the outsourcing arrangement.
The proposed Guidelines include a template for the format in which an institution is to maintain a register of its outsourcing arrangements, to be submitted to MAS upon request.
10. Management of material outsourcing arrangements
The Notice proposes that, unless otherwise specified in the Notice, an institution shall manage all its material outsourcing arrangements prudently, including (i) establishing proper policies and processes to identify all material outsourcing arrangements, (ii) putting in place an adequate risk management framework, systems, policies and processes to assess, control and monitor its material outsourcing arrangements, (iii) ensuring that the laws, rules, regulations, notices and directives applicable to the institution continue to be complied with notwithstanding its material outsourcing arrangements, (iv) maintaining a central register of all material outsourcing arrangements and (v) maintaining adequate documentation of the steps taken and furnishing such documentation to MAS upon request.
11. Assessment of service providers
The Notice proposes that, unless otherwise specified in the Notice, in considering, renegotiating or renewing any material outsourcing arrangement, an institution shall subject the service provider to appropriate due diligence processes to assess the risks associated with the outsourcing arrangement, including assessing the service provider's (i) corporate governance, risk management, security and internal controls (including information technology controls), audit, and compliance with applicable laws and regulations, (ii) capability to employ a high standard of care in the performance of the outsourcing arrangement as if the outsourcing arrangement were being conducted by the institution to meet its obligation as a regulated entity, (iii) financial strength and resources and (iv) ability to safeguard the confidentiality, integrity and availability of information entrusted to it.
An institution must document and re-perform, at least on an annual basis, the due diligence undertaken during the assessment process, as part of the monitoring and control processes of its outsourcing arrangements.
12. Protection of customer data
The Notice proposes that, unless otherwise specified in the Notice:
- in all outsourcing arrangements involving the disclosure of customer information to the service provider, an institution must include provisions to require the service provider to protect the confidentiality of customer information;
- an institution must require the service provider to isolate and clearly identify the institution’s customer information, documents, records, and assets to protect the confidentiality of the information;
- an institution must engage service providers that operate in jurisdictions which generally uphold confidentiality provisions and agreements;
- where customer information is to be disclosed, an institution (banks, merchant banks, approved clearing houses, approved exchanges, recognised clearing houses incorporated in Singapore, licensed trade repositories and licensed trust companies) required by any law or regulation administered by MAS to protect or not to disclose such customer information, must obtain appropriate legal advice in respect of the overseas jurisdiction where the outsourcing arrangement is to be performed;
- an institution must regularly update its legal advice and inform its customers of the circumstances under which customer information might be so disclosed;
- an institution can only disclose customer information to the service provider to the extent the service provider strictly needs to have the information in order to perform its duties, and ensure that the amount of information disclosed is proportionate to the needs of the situation;
- an institution must notify the service provider in writing of the institution's obligations of confidentiality under laws applicable to the institution and under the common law; and
- an institution required by any law or regulation administered by MAS to protect or not to disclose customer information must also include into its outsourcing agreements certain prescribed confidentiality provisions.
13. Termination and exit
The Notice proposes that, unless otherwise specified in the Notice:
- an institution must include in all its outsourcing agreements a right to terminate the outsourcing agreement in the event that (i) the service provider undergoes a change in ownership, becomes insolvent, or goes into liquidation, receivership or judicial management, (ii) there has been a breach of confidentiality by the service provider or its sub-contractors that affects the institution or the institution’s customers, (iii) there has been a deterioration in the ability of the service provider to perform the service as contracted, (iv) the institution is prevented from conducting any audits or obtaining any report and finding made on the service provider, (v) the institution is prevented from assessing the service provider’s compliance with the outsourcing agreement or (vi) the institution is directed by MAS to terminate the outsourcing arrangement as the service provider has failed to comply with all applicable laws and regulations;
- if any of the events, other than in (vi) above, occurs for material outsourcing arrangements, an institution must notify MAS of the event as soon as possible, consider whether to terminate the outsourcing agreement and terminate the outsourcing agreement in accordance with its terms, if so directed by MAS in writing;
- an institution must have in place contingency measures to minimise disruption of its operations should any such outsourcing agreement be terminated; and
- upon the termination of an outsourcing agreement, an institution must ensure that all documents, records of transactions and information previously given to the service provider are removed from the possession of the service provider or deleted, destroyed or rendered unusable.
14. Outsourcing to overseas regulated financial institutions
The Notice proposes that, unless otherwise specified in the Notice, where the service provider is an overseas regulated financial institution, an institution required by any law or regulation administered by MAS to protect or not to disclose customer information shall give MAS a written confirmation by the supervisory authority of the service provider to the effect that:
- MAS and any independent auditors appointed by MAS shall be allowed access by the supervisory authority to the institution's documents, records of transactions, information previously given to, stored or processed by the service provider;
- the institution and any auditor appointed by the institution shall not be inhibited from inspecting the control environment within the service provider insofar as it relates to the institution's data that is processed by the service provider, or from reporting any findings to MAS;
- in the case where the supervisory authority is a host supervisor of the overseas regulated financial institution, it shall not access any customer information of the Singapore office that is in the possession of the overseas regulated financial institution (“Information”);
- in the case where the supervisory authority is the home supervisor of the overseas regulated financial institution (i) it shall not access the Information unless access to the Information is required for the sole purpose of carrying out its supervisory functions and (ii) it shall give MAS prior written notification whenever it accesses the Information; and
- it is prohibited under its laws from disclosing the Information to any other person, or it undertakes to safeguard the confidentiality of the Information and not disclose the Information to any other person.
15. Impact of the proposed changes
The proposed changes have potentially far-reaching consequences for the practices, management and outsourcing arrangements of financial institutions.