23 August, 2017
The Association of Banks in Singapore (“ABS”) had on 1 June 2017 released a revised version of the Guidelines on Control Objectives and Procedures for Outsourced Service Providers (the “Guidelines”). First released on 26 June 2015, the Guidelines operate within the existing regulatory framework for outsourcing that is established by the Monetary Authority of Singapore (“MAS”). They serve as a set of minimum or baseline standards against which Outsourced Service Providers (“OSPs”) are to be assessed when they serve banks in Singapore. While the Guidelines are not binding as such, the expectation of the ABS is that all banks in Singapore ought to follow them and should not depart from them without good reasons.
Broadly, the Guidelines deal with the following three categories of controls:
- Entity Level Controls
- General Information Technology (“IT”) Controls
- Service Controls
The amendments made to the Guidelines, while generally minor, aim to refine the existing control processes on the OSPs. In so doing, it appears that financial institutions are to play a more involved role in relation to these outsourcing arrangements.
This note outlines the more significant changes made to the Guidelines.
Key Amendments
General audit and inspections requirements
(a) Clarification on engagement of external auditor
In the event of a change in the external auditor, or where a different external auditor is appointed to validate remediation activities, the OSP should ensure that there is a proper handover from the outgoing auditor to the incoming auditor in order to safeguard the interests of the financial institution.
(b) Frequency of audit
It is recommended that an audit be conducted once every 12 months. The updated Guidelines further recommend that the audit sample data should cover the entire period since the previous audit, with a minimum testing period of 6 months. This is a change from the minimum testing period stated in the previous version of the Guidelines. Additionally, should the testing period covered be less than 6 months, the report should state the reasons for the shorter period.
(c) Reporting and handling of control failure / qualification of control objectives
The Guidelines recommend that the auditor identify control failures and assess their potential impact on the services provided to the financial institution. This should be guided by the relevant auditing standards which specify the procedures for qualification of a control objective. OSPs should notify the financial institutions of any significant issues and concerns and their respective remediation plans, no later than the release date of the Outsourced Service Provider Audit Report. In the event that such issues could potentially lead to a prolonged service failure or disruption in the outsourcing arrangement, or any breach of security and confidentiality of the financial institutions' customer information, immediate notification should be made to the financial institutions.
Additionally, the OSP should develop remediation plans to address the issues identified by the audit. If the issues require an extended period to correct, the OSP should identify short-term measures to mitigate the associated risks in the interim.
The remediation measures should be validated by the auditor or another competent independent party.
Entity Level Controls
Entity level controls are internal controls to ensure that the OSP's management directives pertaining to the entire entity are implemented. In this respect, the Guidelines propose more stringent standards in relation to entity level controls.
(a) Risk assessment controls
In relation to risk management controls, the Guidelines state that prior to introducing changes to the operating environment (including technology components), OSPs should assess the materiality of the changes to the financial institution's outsourced arrangement using a change management framework and should notify and/or seek approval from the financial institution. This also applies to sub-contractors used by the OSP.
(b) Monitoring
The OSP should also implement processes to bring significant issues and concerns, identified through internal audits or other monitoring procedures, to the attention of the OSP's senior management and the financial institutions (where these impact the services provided to them). Copies of any reports and findings made on the OSP or its subcontractors, in relation to the outsourcing arrangements, should also be provided to the financial institution, and the results discussed as part of ongoing service discussions.
(c) Information Security policies
The Guidelines have also suggested that an information security awareness training programme be established, and conducted for the OSP's staff, subcontractors and vendors who have regular access to the OSP’s IT resources and systems, to refresh their knowledge.
(d) Practices relating to sub-contracting
The Guidelines have also established practices in relation to sub-contracting. In particular, the Guidelines have highlighted that because financial institutions expect subcontractors of the OSP to be managed with the same rigour as the OSPs, OSPs should require and ensure that their subcontractors adhere to the requirements stated in the Guidelines. As such, an OSP should do the following in managing its subcontractors:
- Obtain approvals from the financial institution before engaging subcontractors
- Be able to demonstrate due diligence and risk assessment of its subcontractors
- Implement processes to inform and consult the financial institution on material changes to the subcontractors’ operating environment
- Conduct a review of its subcontractors every 12 months
- Monitor the performance and risk management practices of the subcontractors
In relation to due diligence and risk assessments of subcontractors, the Guidelines indicate that this should involve an evaluation of relevant information such as the experience and capability of the subcontractor to implement and support the outsourcing arrangement over the contracted period, as well as the financial strength and resources of the subcontractor, as specified in paragraph 5.4.3 of the Monetary Authority of Singapore's Guidelines on Outsourcing (published on 27 July 2016) ("MAS Outsourcing Guidelines"). Additionally, where the subcontractor operates outside Singapore, the requirements in paragraph 5.10 of the MAS Outsourcing Guidelines should be complied with.
In the event of an intra-group outsourcing arrangement, similar due diligence procedures should be undertaken.
General IT Controls and Service Controls
In general, the Guidelines recommend more stringent periodic reviews of the OSP's IT controls and service controls. It is recommended that the following controls be reviewed every 12 months:
- Change management controls
- Incident management controls
- Backup and disaster recovery policies and procedures
- Network and security management
- Security incident response procedures
- System vulnerability assessments, including vulnerability assessment policies and procedures, penetration testing, and procedures for fixing issues identified by vulnerability assessment and penetration testing
- Technology refresh management plans and procedures
- Operating procedures and processes
A copy of the Consultation Paper can be accessed here.