6 January 2021
On 18 December 2020, the Monetary Authority of Singapore (“MAS”) issued a consultation paper inviting public comments on proposed Notices on the Management of Outsourced Relevant Services for banks and merchant banks (“MBs”) in Singapore (collectively, the “Proposed Notices”). The Proposed Notices will be issued pursuant to the new section 47A of the Banking Act (Cap. 19) (“BA”) that was introduced by the Banking (Amendment) Act 2020 which was passed by Parliament on 6 January 2020 (please refer to our previous client update here). However, section 47A has yet to come into effect.
The Proposed Notices will implement the requirements under the new section 47A of the BA, that banks and MBs are obliged to comply with where they obtain or receive a “relevant service” from any person (including any branch or office of the bank located outside Singapore), and stipulate conditions for disclosure of customer information in connection with the performance of outsourced functions. Notwithstanding that separate Notices will apply to banks and MBs, the requirements in the respective Notices are expected to be similar. This client update provides a general overview of the scope of the Proposed Notices.
1. Existing Framework for Outsourcing by Banks and MBs
Currently, most classes of financial institutions in Singapore, including banks and MBs, are expected to observe the Guidelines on Outsourcing (“Guidelines”) which set out minimum standards for financial institutions’ management of outsourcing arrangements. Banks and MBs are additionally required to comply with the requirements set out under MAS Notice 634 (for banks) and MAS Notice 1108 (for MBs) if they wish to disclose customer information to service providers in respect of an outsourced function that is to be performed outside Singapore.
To enhance and consolidate the outsourcing regime for banks and MBs, MAS has proposed to incorporate under the Proposed Notices the existing requirements under the Guidelines and under MAS Notices 634 and 1108. This means that going forward, banks and MBs will only need to refer to a single notice for all requirements concerning outsourcing arrangements, regardless of whether it may involve the disclosure of customer information. To avoid any overlap, MAS Notices 634 and 1108 will be repealed, and MAS has said that it intends to review the Guidelines for alignment amendments in conjunction with the issuance of the Proposed Notices. MAS has emphasised, however, that pending the issuance of the Proposed Notices, banks and MBs should continue to observe the Guidelines and comply with existing requirements in MAS Notices 634 and 1108.
2. Scope of Proposed Notices
Under the new section 47A of the BA, the term “relevant service” is defined to mean, in relation to a bank in Singapore, any service obtained or received by the bank. This does not include services provided by employees, directors or officers of the bank in the course of their employment or appointment, or any service that is expressly excluded by the MAS.
While the ambit of the term “relevant service” appears broad, MAS has proposed to impose requirements under the Proposed Notices in respect of only “outsourced relevant services”. Under the Proposed Notices, an “outsourced relevant service” refers to a relevant service:
(i) that is or was performed by the bank or MB prior to it obtaining or receiving the relevant service;
(ii) which is commonly performed by banks or MBs in Singapore; or
(iii) which is specified as such by MAS.
To assist the industry in determining which relevant services are likely to be regarded (or not) as an outsourced relevant service, MAS has proposed to provide examples of such relevant services in the lists appended to the Proposed Notices:
• Annex A: a non-exhaustive list of relevant services that are commonly performed by banks or MBs, and are thus considered by MAS as outsourced relevant services which are subject to relevant requirements in the Proposed Notices;
• Annex B: an exhaustive list of relevant services that are not commonly performed by banks or MBs and are thus excluded from the definition of outsourced relevant service; and
• Annex C: an exhaustive list of relevant services that are not commonly performed by banks or MBs, but are nevertheless considered by MAS as outsourced relevant services which are subject to relevant requirements in the Proposed Notices.
3. Key Obligations under Proposed Notices
Broadly, the key requirements under the Proposed Notices that banks and MBs are required to comply with are:
(a) Maintenance of a register of ongoing outsourced relevant services and outsourced relevant services that involve the disclosure of customer information;
(b) Complying with a more stringent set of requirements in relation to material ongoing outsourced relevant services; and
(c) Complying with requirements for the protection of customer information in relation to outsourced relevant services.
MAS has however proposed to exempt banks and MBs from having to comply with the requirements in the Proposed Notices in respect of certain ongoing outsourced relevant services (“Exempted Outsourced Relevant Services”). The list of proposed Exempted Outsourced Relevant Services is set out in Annex D of the Proposed Notices and includes services which are wholly provided by the Government Technology Agency (“GovTech”) or its agents in connection with the roll-out of Singapore’s Smart Nation initiative, as well as services that are not for the conduct of banking business and where the service provider does not have access to the bank’s or MB’s confidential or customer information (including for example, cleaning, building maintenance and receptionist services).
a. Register of Outsourced Relevant Services
Banks and MBs will be required to maintain accurate and up-to-date registers of all ongoing outsourced relevant services (whether or not they may be material) and all outsourced relevant services that involve the disclosure of customer information (whether the services provided are once-off or on an ongoing basis).
For the purposes of the Proposed Notices, an “ongoing outsourced relevant service” is an outsourced relevant service that:
(a) the bank or MB obtains or intends to obtain, for a duration of more than 1 year; or
(b) the bank or MB obtains for a duration of 1 year or less, but where the outsourcing agreement is renewed or extended, or is intended to be renewed or extended, such that the cumulative duration of the agreement exceeds or would exceed 1 year.
MAS has proposed that the register be submitted to MAS at least semi-annually or upon request, in the format prescribed by MAS. In contrast, the existing expectation under the Guidelines is for the register to be submitted annually or upon request. MAS has explained that the rationale for more frequent reporting is to allow MAS to be apprised in a timely manner of new ongoing outsourced relevant services of banks and MBs, given that MAS had previously done away with the expectation for banks and MBs to provide prior notification to MAS for material outsourcing arrangements.
In relation to the proposed expansion of the scope of the register to include services that involve the disclosure of customer information, MAS has also explained that this would not only ensure that banks and MBs maintain a record of the service providers whom they are disclosing customer information to, but would also preserve the existing notification requirements under MAS Notices 634 and 1108.
b. Requirements relating to Material Ongoing Outsourced Relevant Services
In general, to the extent that a bank or MB enters or intends to enter into a material ongoing outsourced relevant service, MAS has proposed that the bank or MB comply with the following requirements under the Proposed Notices:
(a) Implement policies and procedures to identify all material ongoing outsourced relevant services and to manage and control the corresponding risks posed to the bank or MB;
(b) Establish a framework for evaluating the ability of the service provider (“SP”) and perform due diligence checks against the framework. In this regard, MAS has also proposed that:
i. reduced due diligence checks may be performed on a SP that is a related party in the same banking group, given that in such cases the financial resources or reputation of the SP would be less of a concern. Nevertheless, the bank or MB should still be required to assess the SP’s risk management framework and track record, taking into account operational, jurisdictional or other differences;
ii. for material ongoing outsourced relevant services which involve the disclosure of customer information to SPs, the bank or MB must assess the risks to its ability to comply with its obligations to keep confidential customer information;
iii. the due diligence checks be refreshed within a year of entering into the material ongoing outsourced relevant service and thereafter, at a frequency that is approved by the bank’s or MB’s board (or a committee delegated by it) as being commensurate with the risk to the bank or MB that may arise from receiving the material ongoing outsourced relevant service;
(c) Ensure that the outsourcing arrangements for material ongoing outsourced relevant services include certain prescribed terms governing in particular:
i. protection of information (including customer information);
ii. the right to audit by MAS or an auditor appointed by MAS;
iii. provision of information to the bank or MB and MAS;
iv. grounds for termination;
v. the requirement for the SP to enter into its own written agreement with any of its sub-contractors;
vi. (where feasible) the right for banks and MBs to audit their SPs or their sub-contractors;
(d) Implement measures to protect customer information that is disclosed to a SP, including:
i. notifying a SP of the bank’s or MB’s and SP’s obligation to keep customer information confidential;
ii. ensuring that customer information is disclosed or used only where it is necessary to provide the relevant service;
iii. ensuring that the bank or MB is notified where a SP or sub-contractor has been compelled by law to disclose customer information;
(e) To safeguard the privacy of customer information, sub-contracting arrangements in a material ongoing outsourced relevant service will not be permitted unless there is no disclosure of customer information by the SP to the sub-contractor, or the bank or MB has obtained written consent for such disclosure;
(f) Prior to obtaining any material ongoing outsourced relevant service where a SP is permitted to engage a sub-contractor, the bank or MB shall:
i. assess and ensure that the sub-contracting arrangement will not compromise the confidentiality and integrity of customer information disclosed to the SP, or pose undue risks that the bank or MB is unable to manage;
ii. include terms in the outsourcing agreement obliging the SP to in turn include terms in the SP’s agreement with its sub-contractors for the safeguarding of the confidentiality and integrity of customer information;
iii. implement procedures approved by the bank’s or MB’s board (or a committee delegated by it) for determining whether it should require that SPs enter into written agreements with their subcontractors, and if so, whether certain specified terms should be included in such agreements;
iv. include terms in the outsourcing agreement requiring the SP to notify the bank or MB within 30 days of engaging a new sub-contractor. Upon receiving such notification, the bank or MB shall assess the ability of the sub-contractor to provide the relevant service and safeguard information confidentiality and integrity;
(g) Ensure that independent and regular audits are conducted on material ongoing outsourced relevant services at least once every 3 years. In this regard, MAS has clarified that while banks and MBs can rely on pooled audits or third parties to carry out the audits, self-attestations will not satisfy the audit requirement as they are not considered independent. MAS has also proposed that banks and MBs submit a list of all audits of their material ongoing outsourced relevant services performed in the last 12 months, at a frequency prescribed by MAS (taking into account factors such as the complexity of the service and the extent of reliance on the service). Banks and MBs are also obliged to furnish specific audit reports to the MAS upon request;
(h) Ensure that its outsourcing agreements for material ongoing outsourced relevant services include grounds of termination under certain specific scenarios (for example, where a SP or sub-contractor fails to safeguard the confidentiality of customer information), and that upon termination, the SP and subcontractor be required to delete, destroy or render unusable any customer information in its possession unless otherwise required by law; and
(i) Where a material ongoing outsourced relevant service is received from an overseas regulated financial institution (“ORFI”), to comply with additional requirements including:
i. to provide MAS with a written undertaking from the foreign supervisor of the ORFI relating to:
• the safeguarding of customer information;
• the ability of the bank or MB, and MAS, to access customer and any relevant information; and
• the ability of the bank or MB, or any person it appoints, to audit the ORFI and submit reports to MAS; or
ii. alternatively, where it is not possible to obtain the above confirmation, the bank or MB may, in lieu of such confirmation and with MAS’ approval, provide MAS with:
• the bank’s or MB’s policies for managing requests for information from the foreign supervisor of the ORFI; and
• a written undertaking by the bank or MB to notify MAS of any disclosure of customer information to the foreign supervisor of the ORFI.
c. Requirements relating to outsourced relevant services that involve the disclosure of customer information
So as to streamline the requirements for outsourcing arrangements, MAS has proposed to adopt a broader meaning of “customer” under the Proposed Notices, which term is in turn defined to include any company which carries on banking business and such other financial institutions as may be designated by MAS by notice in writing. Notably, the proposed definition would be broader than the existing definition of “customer” as used in MAS Notices 634 and 1108, which excludes companies that carry on banking business, merchant banking business or investment banking business.
To ensure that banks and MBs take due care to protect customer information, MAS has proposed that banks and MBs be required to:
(a) Evaluate prior to and on an ongoing basis, the SP’s ability to safeguard the confidentiality and integrity of customer information disclosed to the SP;
(b) Enter into an outsourcing agreement with the SP, which must include specified requirements on the service provider in relation to the protection of customer information; and
(c) Implement measures to protect customer information disclosed to the SP against unauthorised disclosure or similar risks.
MAS has proposed that the above requirements apply to all outsourced relevant services involving disclosure of customer information, regardless of whether they may be ongoing or material, whether the bank or MB has obtained written consent for such disclosure, or whether the disclosure of customer information is to a SP in Singapore or overseas.
Banks and MBs Incorporated in Singapore
In relation to banks and MBs incorporated in Singapore, MAS has proposed that they implement a group policy on outsourced relevant services to ensure that all their branches as well as subsidiaries (unless there is strong justification not to do so) comply with the requirements in the Proposed Notices.
Effective Dates
MAS has proposed that banks and MBs comply with the relevant requirements (other than those relating to outsourcing agreements) within 12 months from the date of issuance of the Proposed Notices. As for requirements relating to outsourcing agreements, to allow banks and MBs greater flexibility in the negotiation of the outsourcing agreement with their SPs, MAS has proposed instead that banks and MBs be required to comply with such requirements within 12 months from the date of issuance of the Proposed Notices, or from the date on which the bank or MB enters into a new agreement or renews an existing agreement, whichever is later.
Closing Date of Consultation
The consultation closes on 29 January 2021 and a copy of the MAS consultation paper can be obtained here.