Jurisdiction - Singapore
Reports and Analysis
Singapore – MAS Issues Consultation Papers On Outsourcing.

29 September, 2014

 

Legal News & Analysis – Asia Pacific – Singapore  Regulatory & Compliance

 

Introduction

 

Outsourcing arrangements have become increasingly prevalent in the commercial landscape. With the growing complexity of these arrangements, the effective management of the risks involved have been brought into the foreground. In this light, the Monetary Authority of Singapore (“MAS”) has proposed certain changes in the regulations and guidelines for outsourcing arrangements of financial institutions (“institutions”).

 

MAS has issued two consultation papers for public feedback – the first relates to a set of updated Guidelines on Outsourcing (“Guidelines”), and the second introduces a new Notice on Outsourcing (“Notice”). These efforts are aimed at enhancing MAS’ regulatory framework, as well as raising the standards of institutions’ risk management practices.

In this article, we look at the proposed changes to the management of outsourcing arrangements, and what they may mean for institutions in terms of compliance.

 

Notice On Outsourcing

 

The proposed draft Notice demonstrates the firmer stance being taken by MAS regarding institutions’ risk management of outsourcing arrangements. Previously, outsourcing arrangements have been steered by the Guidelines. However, the proposed Notice will introduce a set of minimum standards for outsourcing management, effectively imposing compulsory requirements with which institutions are obliged to comply.

 

The main requirements of the Notice are set out below.

 

Management of Material Outsourcing Arrangements – The Notice requires institutions to establish proper policies and frameworks to identify, assess, control and monitor their material outsourcing arrangements. Institutions must ensure that all laws and regulations continue to be complied with, and must maintain a central register of all material outsourcing arrangements.

 

Assessment of Service Providers – Institutions must conduct appropriate due diligence processes to assess their service providers, including their ability to comply with all laws and regulations, as well as their ability to safeguard all information entrusted. Such due diligence should be documents and re- performed on at least an annual basis.

 

Access to Information – All outsourcing agreements must include provisions that allow the institution and MAS to conduct audits and inspections on the service provider and its sub-contractors, as well as to access and obtain reports or findings made in relation to the outsourcing arrangement. The provisions must indemnify and hold MAS and its officers harmless from liability, loss, or damage to the service provider and its sub-contractors arising out of any access or inspection.

 

Protection of Customer Data – The Notice introduces a strong focus on the protection of customer data, requiring the inclusion of provisions in outsourcing agreements for the protection of the confidentiality of such data, and the restriction of its movement. Institutions cannot disclose any more customer information than necessary, and should obtain legal advice on such disclosure if necessary.

 

Outsourcing to Overseas Institutions – The Notice also contains measures to protect customer information where the service provider is an overseas regulated financial institution. The supervisory authority of the service provider must provide written confirmation that MAS and the institution shall have sufficient access to the relevant documents and inspections, and that the supervisory authority will not access the customer information except where necessary and upon notification.

 

Audit – Institutions must conduct independent audits and/or expert assessments of all material outsourcing arrangements at least every three years. The audit should cover the service providers’ and sub-contractors’ security and control environment, incident management process, and the institution’s observance of the Guidelines and the Notice. The resulting reports are to be submitted to MAS.

 

Termination – The Notice introduces the requirement that all outsourcing agreements must provide for termination upon a specified list of events. MAS must be informed of the occurrence of such events, and may even direct the termination of the agreement upon notification.

 

Guidelines on Outsourcing

 

The Guidelines were initially introduced by MAS in 2004 to promote sound risk management strategies for outsourcing arrangements. However, MAS has recognised that the commercial and technological backdrop has changed significantly over the last ten years, and seeks to bring the Guidelines into the present day context with the new draft Guidelines.

 

While the structure of the draft Guidelines remains largely similar to the 2004 version, the new proposal provides further guidance on what constitutes sound practice, and introduces new considerations and issues to which institutions should set their minds.

 

The main changes are set out below.

 

Application – The Guidelines have been updated to apply to all financial institutions as defined in section 27A of the Monetary Authority of Singapore Act (Cap. 186). The scope of the Guidelines has thus been somewhat extended to include financial advisors, trustee-managers of business trusts, and trust companies.

 

Material Outsourcing Arrangement – To reflect the importance of protecting customer information, “material outsourcing arrangement” has been extended to include not just arrangements which could materially impact the institution upon failure, but also arrangements which involve customer information and could materially impact the customer. MAS has also provided a list of factors to be considered in assessing whether an arrangement would be considered a material outsourcing arrangement (Annex 3).

 

Notification of MAS – An institution should notify MAS before it commits to or amends any material outsourcing arrangement. MAS should also be notified of any adverse development or breach of legal and regulatory requirements from outsourcing arrangements, including events which could lead to the disruption or failure of the arrangement, and any unauthorised breach of security and confidentiality.

 

Responsibility of the Board and Senior Management – The draft Guidelines provides greater detail as to the content of the responsibility of the board and of senior management. For example, the board should ensure that senior management establishes appropriate governance structures, including a management body that reviews controls with an institution-wide view of risk. In turn, the senior management should monitor and maintain effective control of all risks from material outsourcing arrangements, and ensure the conduct of audits with timely remedial actions.

 

Assessment of Service Providers – The draft Guidelines further clarifies the scope of due diligence to be conducted on service providers, including their risk management framework and capabilities and their disaster recovery arrangements. Further, institutions are now advised to ensure that the employees of the service provider and its sub-contractors undertaking the outsourcing arrangement have been assessed to be fit and proper, such as whether they have been found liable under any disciplinary, criminal or civil proceedings. This due diligence should be documented and re-performed at least annually.

 

Monitoring and Control – It is clear that institutions should monitor and control their outsourcing arrangements. However, apart from the actions set out in the 2004 Guidelines, the new draft Guidelines puts forth further steps to be taken, including the establishment of policies to monitor the confidentiality and security adequacy and security vulnerability management of the service providers, and the establishment of service recovery procedures and reporting of lapses to the agreed service standards. The draft Guidelines also clarifies that the periodic review of outsourcing arrangements should be conducted on at least an annual basis.

 

Audit and Inspection – As required under the Notice, institutions must conduct independent audits and/or expert assessments of all material outsourcing arrangements at least every three years.

 

Register of Material Outsourcing Arrangements – The 2004 Guidelines advised a central record of all material outsourcing, including information on the service provider and reviews of the performance of the outsourced arrangement. The new draft Guidelines provides a template register of outsourcing arrangements (Annex 4) to be submitted to MAS upon appeal, which further includes reviews of the operation, internal control, and risk management standards of the outsourcing arrangement.

 

Concluding Words

 

The proposed draft Notice and Guidelines reflect a tightening of the controls over institutions’ outsourcing arrangements. In particular, the introduction of the Notice will establish minimum standards with which institutions must comply, as the requirements are backed by force of law. Institutions will have to exercise greater vigilance over their outsourcing arrangements, which will in turn require the establishment of institutional policies and frameworks to support the heightened control, monitoring, and review obligations.

 

Affected institutions should familiarise themselves with the proposed requirements and consider any issues in their compliance with these regulations and guidelines, and aim to provide feedback to MAS so as to ensure that their legal, commercial and operational needs are adequately taken into account during this consultation period.

 

References

 

Please refer to both the consultation paper on Guidelines on Outsourcing and the consultation paper on Notice on Outsourcing for more details on the proposals. The closing date for feedback and comments to be submitted to MAS is 7 October 2014.

 

Rajah & Tann

 

For further information, please contact:

 

Regina Liew, Partner, Rajah & Tann

regina.liew@rajahtann.com

 

Rajesh Sreenivasan, Partner, Rajah & Tann

rajesh@rajahtann.com

 

Larry Lim, Partner, Rajah & Tann

larry.lim@rajahtann.com

 

Comments are closed.