18 August, 2016
The Monetary Authority of Singapore (MAS) introduced new guidelines on outsourcing for financial institutions on 27 July, 2016 (the Guidelines). The Guidelines are the product of extensive industry and public consultation, and supersede the guidelines on outsourcing previously issued in October 2004 (as updated in July 2005).
The Guidelines provide expanded guidance to financial institutions (as defined under s 27A of the MAS Act (Cap. 186)) on the expectations of MAS in relation to prudent risk management practices for outsourcing arrangements. The Guidelines build on the previous version, and reflect the concerns of modern financial institutions operating in markets today.
The Guidelines can be accessed here, and you can also access the Response to Feedback Received on Public Consultation on Guidelines on Outsourcing (MAS Response to Feedback) and the FAQ on MAS Guidelines on Outsourcing (FAQ), which provide further background information and useful clarifications on the Guidelines.
This article provides a brief summary of the key changes and points to take-away from the Guidelines.
1. Application of the Guidelines
The Guidelines apply to all outsourcing arrangements, existing and future. The MAS Response to Feedback provides that institutions are required to conduct a self-assessment of all existing outsourcing arrangements against the Guidelines within three months (by 27 October 2016), and that any deficiencies in existing outsourcing arrangements identified in the self-assessment should be rectified within twelve months from the issuance of the Guidelines.
2. Removal of the requirement to notify MAS of new outsourcing arrangements
Previously, institutions needed to notify MAS when planning to enter, or of entry, into a material outsourcing arrangement or variations to such arrangement. This requirement has been removed in the Guidelines with immediate effect, demonstrating recognition from MAS that outsourcing arrangements are increasingly common in today's business environment, and that it is neither practical nor efficient to notify MAS of such arrangements. Institutions are still expected to exercise appropriate due diligence on their outsourcing arrangements, and be ready to demonstrate to MAS their observance of the Guidelines.
3. Introduction of a register of outsourcing arrangements
Institutions were previously required to maintain a central record of all material outsourcing arrangements that was readily accessible for review by the board and senior management of the institution. Now, institutions are required to maintain a register of outsourcing arrangements in the form provided in Annex 3 (access here), which must be submitted to MAS at least annually or upon request.
4. Notification of Adverse Developments
The previous guidelines included an obligation to notify of adverse developments that could significantly affect an institution, as well as an obligation to notify MAS of specific events, for example:
(a) any unauthorised access or breach of security or confidentiality;
(b) if an overseas authority were to seek access to its customer information; or
(c) if the service provider breaches legal or regulatory requirements.
The Guidelines now include a general obligation to notify MAS of any adverse development arising from its outsourcing arrangement that could "impact the institution". Such adverse developments include "any event that could potentially lead to prolonged service failure or disruption in the outsourcing arrangement, or any breach of security and confidentiality of the institution’s customer information", including adverse developments encountered within an institution's group and cyber security incidents.
5. The Circular on Information Technology Outsourcing Guidelines (2011) (IT Circular) and the MAS Technology Questionnaire for Outsourcing (2015) (Technology Questionnaire) are superseded
MAS has confirmed (in the FAQ) that the Guidelines supersede the IT Circular and the associated Technology Questionnaire. Institutions no longer need to complete the lengthy Questionnaire, and instead only need to submit the outsourcing register to MAS as detailed at 3 above. We expect that industry will develop its own practical checklists and processes, so that outsourcing arrangements may be appropriately assessed against the Guidelines.
6. Additional and revised definitions
Additional and revised definitions have been included in the Guidelines, providing increased clarity and certainty:
(a) The definition of "Customer Information" expressly excludes "any information that is public, anonymized or encrypted in a secure manner such that the identities of the customers cannot be readily inferred".
(b) The definition of "Institution" now includes any financial institution as defined under s 27A of the MAS Act (Cap. 186).
(c) The definition of "Outsourcing Arrangement" no longer excludes the provision of a finished product, as MAS has advised that this is not the sole determining factor in deciding whether the service falls within the definition of "Outsourcing Arrangement".
7. Required provisions in the Outsourcing Agreement
The provisions required in outsourcing agreements under the Guidelines are largely the same as required under the previous version of the guidelines, with the addition of the following:
(d) a provision specifying the type of events and circumstances under which the service provider should report to the institution in order for an institution to take risk mitigation measures and notify MAS of adverse developments; and
(e) provisions to ensure a smooth transition when the agreement is terminated or being amended, for example transferability of outsourced services to a bridge-institution or third party.
Given the application of the Guidelines to existing outsourcing arrangements, institutions will need to plan to address any gaps in respect of such requirements within 12 months of the issuance of the Guidelines, as detailed at 1 above.
It is worth noting that MAS has removed from the Guidelines the requirement for service providers and subcontractors to provide an indemnity in favour of MAS, in response to feedback provided as part of the public consultation on the draft guidelines.
8. Due diligence (employees of service provider)
The previous guidelines detailed the due diligence evaluation that an institution should conduct on a service provider. The due diligence obligation remains, with additional assessments to be undertaken in relation to the employees of the service provider undertaking any part of the outsourcing arrangement. The guidelines provide examples of what should be considered, including (among others) whether employees have been the subject of any proceedings of a disciplinary or criminal nature, and whether employees have been convicted of any offence.
9. Cloud Computing
The Guidelines include specific guidance on cloud computing in section 6, which describes MAS' position on cloud computing. MAS considers cloud services operated by service providers to be a form of outsourcing, and recognises that institutions may leverage such services to enhance their operations and service efficiency. MAS considers the risks of cloud services to be similar to those of general outsourcing services, but notes that institutions should be aware of characteristics typical of cloud services, such as multi-tenancy, data commingling and the higher propensity for data processing to be carried out in multiple locations.
MAS stresses that institutions are ultimately responsible and accountable for maintaining oversight of cloud services and managing the relevant risks, and should adopt an appropriate and prudent risk management approach.
For further information, please contact:
Mark Robinson, Partner, Herbert Smith Freehills
mark.robinson@hsf.com