Singapore – MAS Proposes Changes To Outsourcing Regulatory Regime.

16 September, 2014

 


 

On 5 September 2014, the Monetary Authority of Singapore (“MAS”) issued two consultation papers on outsourcing: a Consultation Paper on Notice on Outsourcing and a Consultation Paper on Guidelines on Outsourcing.


The proposed changes will, in brief, do the following:

 

  • Bring all financial institutions regulated by the MAS under the ambit of the outsourcing requirements;
  • Increase the types of outsourcing arrangements considered to be material and hence covered by the outsourcing requirements; and
  • Enhance MAS oversight of service providers and their sub-contractors by enhancing the review, due diligence, and audit requirements.
 

Other significant changes include enhancing the provisions required to be incorporated into the outsourcing agreements with service providers, and providing for more stringent protection of confidential information.


This article takes a look at the proposed changes.


Implementation Of The Notice And Guidelines

 

While requirements on outsourcing are currently set out in the Guidelines on Outsourcing (“Guidelines”), the MAS has proposed setting out the requirements in both a MAS Notice (“Notice”) and in updated Guidelines. Setting out the outsourcing requirements in a MAS Notice will have the effect of making them law, as opposed to being simply guidelines as is currently the case; guidelines are not binding but will be taken into account by the MAS in its assessment of the institution.

 

This method of regulatory enforcement will remain the case in respect of those requirements set out only in the proposed Guidelines and not in the proposed Notice. The MAS has expressly stated in the proposed Guidelines that, in assessing the quality of the board and senior management of an institution, it will review the institution’s implementation of the Guidelines.

 

In addition, while institutions may currently notify the MAS either when they are planning to enter into a material outsourcing arrangement or after they have done so, the proposed Guidelines instead provide that an institution must notify the MAS before it commits to the commencement of any material outsourcing arrangement.

 

As is currently the case, the MAS may take action if it is not satisfied with the institution’s observance of the Guidelines. In this regard, the following additional circumstances have been specified in the proposed Guidelines as allowing MAS intervention:

 

  • The institution fails or is unable to demonstrate a satisfactory level of understanding of the nature and extent of risks involved or emerging from the outsourcing arrangement; or
  • The confidentiality of its customer information cannot be assured.

 

Upon the proposed Guidelines coming into force, institutions will need to conduct a self-assessment of their extant outsourcing arrangements, and if there are deficiencies, they will have six months to rectify the deficiencies.


Applicability Of The Outsourcing Requirements

 

The outsourcing requirements in the Guidelines currently apply to the following financial institutions only:

 

  • banks and merchant banks;
  • finance companies;
  • insurers;
  • approved holding companies, approved exchanges, and designated clearing houses;
  • holders of a capital markets services licence; and
  • trustees for collective investment schemes.

 

The MAS has proposed bringing the following additional financial institutions under the ambit of the outsourcing requirements:

 

  • money-changers and remitters;
  • insurance intermediaries;
  • financial advisers;
  • recognised market operators, licensed trade repositories, and licensed foreign trade repositories;
  • trustee-managers of business trusts;
  • trust companies; and
  • holders of stored value facilities.


What Constitutes Material Outsourcing Arrangements


The proposed Notice and Guidelines contain a definition of “material outsourcing arrangement”. This proposed definition expands the parameters of what forms of outsourcing would be considered “material”. The key changes that will effect this expansion are:

 

  • Where the current Guidelines provide that outsourcing is material if a disruption to it has the potential to cause a significant impact on the institution, the new definition refers to service failures and security breaches. Such failures and breaches may not necessarily involve disruptions.
  • Where the current Guidelines consider outsourcing to be material if there is potential to have a material impact on an institution’s business operations, reputation, or profitability, the new definition includes the potential to adversely affect an institution’s ability to manage risk and comply with applicable laws and regulations.
  • Finally, the new definition provides that an outsourcing arrangement is material if it involves customer information and, in the event of any loss, theft, or unauthorised access or disclosure of customer information, may materially impact the institution’s customers.

 

In considering the degree of materiality of an outsourcing arrangement, the proposed Guidelines include the following factors in addition to the current set of factors to be applied:

 

  • the impact on the institution’s customers, should the service provider fail to perform the service or encounter a breach of security or confidentiality;
  • the impact on the institution’s counterparties and the Singapore financial market, should the service provider fail to perform the service; and
  • the cost of outsourcing failure, which will require in-sourcing or seeking a similar service from another service provider, as a proportion of total operating costs of the institution.

 

The revised Annex 1 of the proposed Guidelines, which sets out examples of outsourcing arrangements, now includes the following new examples of services which would be considered to be outsourcing arrangements for the purposes of the Notice and the Guidelines:

 

  • white-labelling arrangements such as for trading and hedging facilities;
  • business continuity and disaster recovery functions and activities;
  • information systems hosting (e.g., software-as-a-service, platform-as-a-service, infrastructure-as-a-service);
  • management of policy issuance and claims operations by managing agents;
  • legal and compliance professional services; and
  • support services related to archival and storage of data and records.

 

Institutions will be required to maintain a central register of all material outsourcing arrangements, using the format stipulated in Annex 4 of the proposed Guidelines.


Review, Due Diligence, And Audits


The MAS has enhanced the areas of due diligence/review of service providers in various key ways:

  • The employees of the service provider and its sub-contractors undertaking any part of the outsourcing arrangement must be assessed to determine if they are fit and proper, consistent with the criteria applicable to the institution’s own employees.
  • The following additional areas should also be evaluated:
    • the level of ethical and professional standards held by the service provider;
    • the service provider’s ability to comply with its obligations under the outsourcing arrangement;
    • its corporate governance;
    • its risk management framework and capabilities, including its technology risk management;
    • the disaster recovery arrangements made by the service provider and the track record of its disaster recovery service provider if the service provider is responsible for such provisions with the outsourcing arrangement; and
    • the service provider’s track record and ability to comply with applicable laws and regulations.

 

The proposed Guidelines also make it clear that due diligence undertaken during the assessment process should be documented. Furthermore, due diligence should be re-performed at least on an annual basis as part of the monitoring and control processes of outsourcing arrangements.

 

The current Guidelines require institutions to carry out periodic independent audits and expert assessments. The proposed Guidelines specifically stipulate that the time period between such audits and assessments should not exceed three years. The audits and assessments should be carried out, not only on the service providers as is currently required, but also on the subcontractors of the service providers.


Outsourcing Contracts


The proposed Notice and Guidelines set out various terms that must be provided for in any material outsourcing agreement in addition to those already specified in the current Guidelines. The proposed new terms are as follows: 

 

  • The institution should be allowed to conduct audits on the service provider’s sub-contractors.
  • The MAS should be allowed, where necessary or expedient, to exercise the contractual rights of the institution to access and inspect the service provider’s sub-contractors.
  • The institution and the MAS should also be allowed to obtain copies of any audit report and finding made on the service provider’s sub-contractors, whether produced by the service provider’s or its sub-contractors’ internal or external auditors, or by agents appointed by the service provider and its subcontractor, in relation to the outsourcing arrangement.
  • The service provider should indemnify and hold the MAS, its officers, agents, and employees harmless from any liability, loss, or damage to the service provider and its subcontractors arising out of any action taken to access and inspect the service provider or its sub-contractors pursuant to the outsourcing agreement.
  • The institution should have a right to terminate the outsourcing agreement upon any of the following events:
    • It is prevented from conducting any audits or obtaining any report and finding made on the service provider;
    • It is prevented from assessing the service provider’s compliance with the outsourcing agreement; or
    • It is directed by the MAS to terminate the outsourcing arrangement as the service provider has failed to comply with all applicable laws and regulations.
  • The service provider must comply, as soon as possible, with any request from the MAS or the institution to the service provider and its sub-contractors to submit any reports on the security and control environment of the service provider and its sub-contractors in relation to the outsourcing arrangement.

 

A material outsourcing contract must also deal with the following:

 

  • It should require the service provider to report to the institution the type of events (and these events must be specified in the contract) that the institution is required in the Guidelines to report to the MAS.
  • It should contain provisions that will ensure a smooth transition when the contract is terminated or being amended by either party. Such provisions may include provisions that facilitate transferability of the outsourced services to a bridge institution or a third party acquirer.

 

Protection Of Confidential Information


The proposed Notice and Guidelines set out a number of new requirements that address specifically the issue of protection of confidential information.

 

In this regard, the proposed Notice specifically requires that service providers must operate in jurisdictions which generally uphold confidentiality provisions and agreements. The institution must notify the service provider in writing of the institution’s obligations of confidentiality under laws applicable to the institution and under the common law. It must also obtain legal advice as to the circumstances under which the customer information may be required by law to be disclosed by the service provider notwithstanding any obligation of confidentiality assumed by the service provider. An institution must regularly update its legal advice and inform its customers of the circumstances under which customer information might be so disclosed.

 

The proposed Notice also imposes the following further requirements as to confidentiality where the institution entering into the material outsourcing contract is one that is required by any law or regulation administered by the MAS to protect or not to disclose customer information:

 

  • In addition to the provisions on confidentiality already required under the current Guidelines, such an institution must include in its outsourcing agreements confidentiality provisions which address the following matters:
    • Access to information by the employees of the service provider and its sub-contractors must be limited to those who strictly need to have the information in order to perform their duties.
    • The service provider, its sub-contractors, and their employees must be restricted from further disclosing the information to any other party unless required to do so by law.
    • If the service provider, its sub-contractors, and their employees are required by law to disclose the information, they must notify the institution as soon as practicable prior to disclosure.
    • Any information disclosed must be used strictly for the purpose for which it was disclosed.
  • Where the service provider is an overseas regulated financial institution, such an institution must also give the MAS a written confirmation by the supervisory authority of the service provider to the effect that:
    • The MAS and any independent auditors appointed by the MAS shall be allowed access by the supervisory authority to the institution’s documents, records of transactions, information previously given to, stored or processed by the service provider;
    • The institution and any auditor appointed by the institution shall not be inhibited from inspecting the control environment within the service provider insofar as it relates to the institution’s data that is processed by the service provider, or from reporting any findings to the MAS;
    • In the case where the supervisory authority is a host supervisor of the overseas regulated financial institution, it shall not access any customer information of the Singapore office that is in the possession of the overseas regulated financial institution (“Information”); and
    • In the case where the supervisory authority is the home supervisor of the overseas regulated financial institution:
      • it shall not access the Information unless access to the Information is required for the sole purpose of carrying out its supervisory functions;
      • it shall give the MAS prior written notification whenever it accesses the Information; and
      • it is prohibited under its laws from disclosing the Information to any other person, or it undertakes to safeguard the confidentiality of the Information and not disclose the Information to any other person.

 


 

For further information, please contact:

 

Elaine Chan, Partner, WongPartnership

elaine.chan@wongpartnership.com

 

Joy Tan, Partner, WongPartnership

joy.tan@wongpartnership.com

 
