Singapore – Revised Regulatory Framework For The Oversight Of Outsourcing Arrangements By Financial Institutions.

16 September, 2014

 


 

On 5 Sep 2014, the Monetary Authority of Singapore (“MAS”) released two consultation papers, in which it has proposed several revisions to the regulatory framework for outsourcing arrangements by financial institutions. 


Presently, the regulatory framework consists of a set of guidelines which are not, strictly speaking, legally binding, although in practice most financial institutions adhere to them quite closely. Under the revised framework, certain minimum requirements would henceforth be contained in notices issued under the respective statutes applicable to each class of financial institution. The guidelines themselves would be enhanced both in scope and in the inclusion of additional detail.


Proposed Revisions To The Guidelines On Outsourcing


Expansion In Scope


Currently, the Guidelines on Outsourcing apply only to banks, merchant banks, finance companies, insurance companies, approved holding companies, approved exchanges, clearing houses, holders of capital markets services licences and approved trustees of collective investment schemes. Significantly, financial advisers, insurance intermediaries, trade repositories, licensed trust companies and holders of stored value facilities are not presently required to observe the guidelines. By referencing the definition of financial institution in section 27A of the Monetary Authority of Singapore Act, the scope of the revised Guidelines on Outsourcing will be expanded to apply to all classes of financial institutions that are the regulatory responsibility of MAS.


More Specific Definition Of Material Outsourcing


Currently, the Guidelines on Outsourcing define material outsourcing in relatively broad terms – any arrangement which if disrupted has the potential to significantly impact the financial institution’s business operations, reputation or profitability. 


The revised definition will be wider, but will involve a more nuanced approach. An outsourcing arrangement will be considered material on either of two grounds:
(a) where, in the event of a service failure or security breach, it has the potential to either materially impact business, operations, reputation or profitability or adversely affect the institution’s ability to manage risk and comply with applicable laws and regulations; or
(b) where customer information is involved and an unauthorised access or disclosure of customer information may materially impact the institution’s customers.


The factors to be considered when assessing materiality would also be expanded to include consideration of impact on customers and counterparties, and consideration of costs.


Notification Of Adverse Developments To MAS


As is presently already the case, MAS is to be notified of any adverse developments with regard to the outsourcing, but the revised Guidelines will make clear that this includes any prolonged service failure or disruption, as well as any breach of security or confidentiality.
It is also expected that the outsourcing agreement itself should define the events which the service provider must report to the financial institution, so that the financial institution might in turn be able to report developments to MAS.


More Specific Expectations When Evaluating Service Providers


The revised Guidelines include more specific requirements. For instance, as part of the process of evaluating candidate service providers, financial institutions should consider onsite visits to the service provider’s premises, to be conducted by persons who possess the requisite knowledge and skills.


The Fit and Proper criteria, conventionally applied to key staff of the financial institution engaged in the regulated financial service, would now also apply to key staff of the service provider that would be providing the outsourced service to the financial institution. Amongst other things, such staff of the service provider should generally not have been the subject of disciplinary or criminal proceedings, should not have been convicted of any offence (especially one involving fraud or dishonesty) and must be financially sound.


Audit Frequency And Scope


The revised Guidelines will set more specific requirements for audits to be conducted on all outsourcing arrangements. The financial institution still has the discretion to determine the frequency of such audits although it is now specified that the period between audits should not exceed three years. The audits must be managed independently from the unit or function responsible for the outsourcing arrangement.


Monitoring And Control Of Outsourcing Arrangements


While the existing Guidelines already require financial institutions to maintain a central record of all material outsourcing arrangements, the revised Guidelines will set out a template for a Register of Outsourcing Arrangements which financial institutions must maintain in order for more effective internal monitoring of their outsourcing arrangements.


New Notice On Outsourcing


Each class of regulated financial institutions would be required to observe certain minimum standards for outsourcing management that would be detailed in notices issued under the respective statutes applicable to that class of financial institution.


The Notices will have a more limited application as compared with the Guidelines. Financial institutions that operate on an exempt basis with minimal regulation from MAS (such as exempt fund managers registered under paragraph 5(1)(i) of the Securities and Futures (Licensing and Conduct of Business) Regulations, and exempt financial advisers under regulation 27(1)(d) of the Financial Advisers Regulations) will be exempt from the Notices, as will certain foreign financial institutions that do not have a local presence, but are authorised by MAS to offer services within Singapore.


The Notices will essentially put on a legally binding footing, requirements which previously were contained only in the Guidelines. Thus, they will impose on the relevant financial institutions the following binding obligations:


(a) to manage outsourcing risks prudently, by having proper policies and procedures in place to identify material outsourcing arrangements, manage the risks and comply with all laws and regulations;


(b) to undertake appropriate due diligence when entering into new outsourcing arrangements or when renegotiating or renewing existing outsourcing arrangements;


(c) to ensure that there are provisions in its outsourcing agreements that enable the financial institution to conduct audits on the service provider and its sub-contractors and to share the outcome of such audits with MAS, and that enable MAS itself to access the service provider and to obtain records, documents, etc.;


(d) to protect the confidentiality of customer information and data;


(e) to ensure that the outsourcing agreements contain appropriate provision to enable the outsourcing arrangements to be terminated upon certain significant events, such as insolvency of the service provider, breach of confidentiality, any deterioration in the ability of the service provider to perform the service contracted for, etc.


The Notices will also incorporate a requirement currently found in MAS Notice 634 (for banks) and MAS Notice 1108 (for merchant banks) that is designed to ring-fence sensitive customer information from being revealed to foreign regulatory authorities. It applies to outsourcing arrangements where the service provider is a foreign financial institution and customer information protected by confidentiality laws is to be transferred abroad by the local financial institution (as outsourcing party) to the foreign financial institution (as the service provider). In such cases, the overseas regulatory authority responsible for supervising the foreign financial institution must provide to MAS a written confirmation assuring MAS that:


(a) MAS and its agents will be allowed access to the service provider’s documents and records;


(b) the outsourcing party and its auditors will not be inhibited from inspecting the control environment within the service provider insofar as it relates to the outsourcing party’s data being processed by the service provider, or from reporting findings to MAS;

 

(c) in the case where the overseas regulatory authority is a host supervisor of the service provider, it shall itself not access any customer information of the outsourcing party that is in the possession of the service provider;


(d) in the case where the overseas regulatory authority is the home supervisor of the service provider, it shall not access any customer information of the outsourcing party unless such access is required for the sole purpose of carrying out its supervisory functions and shall give MAS prior notice whenever it does so; and


(e) the overseas regulatory authority is prohibited under its laws from disclosing any information it obtains to others or it undertakes to safeguard the confidentiality of any information it obtains.


Consultation Period


The consultation period for both papers closes on 7 Oct 2014.

 

Shook Lin & Bok LLP

 

For further information, please contact:

 

Eric Chan, Partner, Shook Lin & Bok
eric.chan@shooklin.com
 
