The Monetary Authority of Singapore (MAS) has been engaged in a long public consultation since 2014 to update its Guidelines on Outsourcing, first issued in 2004, to reflect the more complex nature of outsourcing arrangements that now exist. The MAS is expressly concerned with the risk that a failure of a service provider can cause to a financial institution(s) (“FI” or “FIs”) in Singapore.
The MAS issued new guidelines on outsourcing risk management on 27 July 2016. Along with the guidelines MAS has also issued new FAQs, a template outsourcing register to be maintained by FIs and responses to the September 2014 consultation.
MAS stated it is reviewing feedback received in response to the draft Notice on Outsourcing which will be legally binding on all FIs. The new notice is expected to be released soon.
We address the key points of the guidelines below. It is important to note that these provisions apply to all banks, insurance companies, asset managers, brokers and others regulated or registered with the MAS. MAS notes that the extent and the degree to which firms follow the Guidelines will depend on the risks and materiality of their outsourcing arrangements. However from past experience, we note the Singapore auditors veer towards expecting all firms to comply with all requirements in order to sign off on the annual audit.
- FIs must conduct a self-assessment of all existing outsourcing arrangements against the Guidelines by 26 October 2016 and remedy any deficiencies by 26 July 2017
- The definition of outsourcing has not changed drastically. Outsourcing is an arrangement where a service provider provides the FI with a service that could be performed by the FI itself and where the FI is dependent on the service on an ongoing basis and the service is integral to the provision of the financial service by the FI or the service is provided to the market by the service provider in the name of the FI (i.e. white-labeling)
- The definition of material outsourcing has changed. Material outsourcing arrangements are arrangements where a failure or security breach would have potential impact on the FIs’ business operations, reputation or profitability; would impact the FIs’ ability to manage risk and comply with applicable laws and regulations; or which involves customer information and, in the event of any unauthorized access or disclosure loss or theft of customer information would have a material impact on the FIs’ customers
- FIs must assess the materiality of outsourcing arrangements and MAS has set out a variety of factors to be considered. Arrangements need to be reviewed periodically and a register of outsourcing arrangements must be kept. The register must be submitted to MAS at least annually.
- MAS no longer requires FIs to notify it before making any material outsourcing commitment. FIs must exercise appropriate due diligence of their outsourcing arrangements, and be ready to demonstrate to MAS their observance of the Guidelines
- MAS has specifically addressed cloud storage of data and its relationships to
ComplianceAsia is engaged with a number of clients to help with the self-assessment, new policies and procedures and due diligence of outsourced service providers and we would be happy to discuss any aspects of the new Guidelines.