9 August, 2016
On 27 July 2016, the Monetary Authority of Singapore (“MAS”) issued its new Guidelines on Outsourcing Risk Management (“Revised Outsourcing Guidelines”). The Revised Outsourcing Guidelines replace the previous Guidelines on Outsourcing that were last updated in 2005, as well as the Information Technology Outsourcing Circular dated 14 July 2011.
The Revised Outsourcing Guidelines were issued further to the Consultation Paper on the Guidelines on Outsourcing which MAS had issued on 5 September 2014, together with the Consultation Paper on the Notice on Outsourcing. MAS’ response to feedback received on the Consultation Paper on the Guidelines on Outsourcing was also released at the same time. MAS is still in the process of reviewing the industry’s feedback on the Consultation Paper on the Notice on Outsourcing and will issue the Notice on Outsourcing once the review has been completed.
Key changes in the Revised Outsourcing Guidelines include:
(i) introduction of a new section on cloud computing that sets out MAS’ stance on cloud computing;
(ii) removal of the expectation for financial institutions to pre-notify MAS of material outsourcing arrangements;
(iii) introduction of a new requirement for financial institutions to maintain and submit a central register of all outsourcing arrangements to MAS at least annually, or upon request; and
(iv) revision to the definition of “material outsourcing arrangement” to include, under certain circumstances, an arrangement that involves customer information.
This Update sets out the key changes under the Revised Outsourcing Guidelines.
Applicability of the outsourcing requirements
Financial institutions to be included
The outsourcing requirements in the Revised Outsourcing Guidelines will apply to the following financial institutions:
- banks and merchant banks;
- finance companies;
- money-changers and remitters;
- insurers;
- insurance intermediaries;
- financial advisers;
- approved holding companies, approved exchanges, and approved clearing houses;
- recognised market operators, recognised clearing houses, licensed trade repositories, and licensed foreign trade repositories;
- holders of a capital markets services licence;
- trustees for collective investment schemes;
- trustee-managers of business trusts;
- trust companies;
- holders of stored value facilities;
- designated financial holding companies; and
- persons licensed to carry on the business of issuing credit cards or charge cards in Singapore.
Adoption of risk management practices
Institutions are encouraged to implement all the risk management practices contained in the Revised Outsourcing Guidelines for outsourcing arrangements involving a MAS-regulated entity. The extent and degree to which an institution implements the risk management practices should be commensurate with the nature of risks in, and materiality of, the outsourcing arrangement.
Group-wide assessment of outsourcing risks
Under the Revised Outsourcing Guidelines, an institution incorporated in Singapore is also encouraged to consider the impact of outsourcing arrangements by its branches and any corporation under its control, including those located outside Singapore and regardless of whether these are financial or non-financial related companies, on its consolidated operations. Institutions incorporated in Singapore should ensure that the Revised Outsourcing Guidelines are observed by branches and corporations under their control by applying a group-wide outsourcing risk management framework that complies with the Revised Outsourcing Guidelines.
Implementation of Guidelines
Management of outsourcing risks
MAS expects financial institutions to ensure that the outsourced services (whether provided by a service provider or its sub-contractor) continue to be managed as if the services were still managed by the institution. In supervising an institution, MAS will review its implementation of the Revised Outsourcing Guidelines, the quality of its board and senior management oversight and governance, internal controls and risk management with regard to managing outsourcing risks. MAS is particularly interested in material outsourcing arrangements.
Prior notification of outsourcing contract not necessary
MAS has removed the expectation for institutions to notify MAS before making any material outsourcing commitment with immediate effect. Institutions are expected to exercise appropriate due diligence on their outsourcing arrangements, and be ready to demonstrate to MAS their observance of the Revised Outsourcing Guidelines.
Notification of adverse developments
Institutions should notify MAS as soon as possible of any adverse development arising from their outsourcing arrangements that could impact the institution, as well as any such adverse development encountered within the institution’s group.
What constitutes outsourcing arrangements and material outsourcing arrangements
Definition of outsourcing arrangement
MAS has revised the definition of “outsourcing arrangement” to clarify that a service that involves the provision of a finished product is not the sole determining factor in deciding whether the service falls within the definition of “outsourcing arrangement”. Instead, an arrangement would be deemed outsourcing under the Revised Outsourcing Guidelines if the institution may currently or potentially perform the service itself, the institution is dependent on the service on an ongoing basis, and the service is integral to the provision of a financial service by the institution (or the service is provided to the market by the service provider in the name of the institution).
Cloud services to be considered as outsourcing
MAS has indicated in the Revised Outsourcing Guidelines that it considers cloud services operated by service providers as a form of outsourcing and thus subject to similar risks as that of other forms of outsourcing arrangements. Institutions are therefore responsible for maintaining oversight of cloud services and managing the attendant risks of adopting cloud services, as in any other form of outsourcing arrangements. For the purposes of the Revised Outsourcing Guidelines, cloud services refers to a combination of a business and delivery model that enables on-demand access to a shared pool of resources such as applications, servers, storage and network security.
New examples of outsourcing
Annex 1 of the Revised Outsourcing Guidelines also contains new examples of services which would be considered to be outsourcing arrangements:
- white-labelling arrangements such as for trading and hedging facilities;
- business continuity and disaster recovery functions and activities;
- information systems hosting (e.g., software-as-a-service, platform-as-a-service, or infrastructure-as-a-service);
- management of policy issuance and claims operations by managing agents;
- legal and compliance professional services; and
- support services related to archival and storage of data and records.
What constitutes material outsourcing arrangements
The Revised Outsourcing Guidelines also expand the parameters of when outsourcing would be considered “material”.
In summary, outsourcing is material if:
- in the event of a service failure or security breach, there is the potential to materially impact an institution’s business operations, reputation or profitability, or its ability to manage risk and comply with applicable laws and regulations. Such failures and breaches may not necessarily involve disruptions; or
- it involves customer information and, in the event of any loss, theft, or unauthorised access or disclosure of customer information, may have a material impact on the institution’s customers. For the purposes of the Revised Outsourcing Guidelines, public information or anonymised information relating to customers or encrypted customer information is not caught under the definition of “customer information” provided that the identities of the customers cannot be readily inferred.
Additional factors to be applied when considering “materiality”
In considering the degree of materiality of an outsourcing arrangement, Annex 2 of the Revised Outsourcing Guidelines includes the following factors in addition to the previous set of factors to be applied:
- the impact on the institution’s customers, should the service provider fail to perform the service or encounter a breach of security or confidentiality;
- the impact on the institution’s counterparties and the Singapore financial market, should the service provider fail to perform the service; and
- the cost of outsourcing failure, which will require the institution to bring the outsourced activity in-house or seek similar service from another service provider, as a proportion of total operating costs of the institution.
Central register required
Institutions will be required to maintain a central register of all outsourcing arrangements. The format for this central register is as per the template on MAS’ website. The central register must be submitted to the MAS at least annually or upon request.
Review, due diligence, and audits
Risk Management framework
The board and senior management of an institution should ensure that there are adequate processes to provide a comprehensive institution-wide view of its risk exposures from all its outsourcing arrangements, and to incorporate the assessment of such risks into the institution’s outsourcing risk management framework. However, the Revised Outsourcing Guidelines prescribe different responsibilities for the board and senior management.
Responsibilities of board
Ultimately, the board of the institution must approve a framework to evaluate the risks and materiality of all existing and prospective outsourcing arrangements and the policies that apply to such arrangements. The board is also additionally responsible for, inter alia, the following:
- setting a suitable risk appetite to define the nature and extent of risks that the institution is willing and able to assume from its outsourcing arrangements; and
- ensuring that senior management establishes appropriate governance structures and processes for sound and prudent risk management.
Responsibilities of senior management
The senior management of the institution is responsible for, inter alia, the following additional areas:
- monitoring and maintaining effective control of all risks from its material outsourcing arrangements on an institution-wide basis; and
- ensuring that appropriate and timely remedial actions are taken to address audit findings.
The MAS has also enhanced the areas of due diligence of service providers in several key ways:
Assessment of employees
Institutions are expected to ensure that service providers and their sub-contractors have acceptable hiring and screening policies in place to ensure that their employees who undertake any part of the outsourcing arrangement have been assessed to meet the institution’s hiring policies for the role they are performing, consistent with the criteria applicable to its own employees. Any adverse findings from this assessment should be considered in light of their relevance and impact to the outsourcing arrangement.
Additional areas for due diligence
Some of the additional areas of due diligence on the service provider which should be evaluated include:
- the physical and IT security controls the service provider has in place;
- the level of ethical and professional standards held by the service provider;
- the service provider’s ability to comply with its obligations under the outsourcing arrangement;
- the business reputation, financial strength and resources of the service provider;
- its corporate governance;
- its risk management framework and capabilities, including its technology risk management;
- the disaster recovery arrangements and disaster recovery track record; and
- the service provider’s ability to comply with applicable laws and regulations and its track record in relation to its compliance with applicable laws and regulations.
Onsite visits encouraged
Onsite visits should be made to the service provider to supplement findings noted from offsite reviews.
Due diligence to be conducted periodically
The Revised Outsourcing Guidelines make clear that due diligence undertaken during the assessment process should be documented and re-performed periodically to ensure that it is sufficiently current as part of the monitoring and control processes of outsourcing arrangements. MAS has removed the expectation for due diligence to be performed annually.
However, institutions will need to adopt a risk-based approach in determining the appropriate scope, methodology (which may include the appropriate time interval for the refresh of information) and frequency of the assessment.
Audits to be conducted periodically
Under the Revised Outsourcing Guidelines, institutions are required to carry out periodic independent audit and expert assessments on all outsourcing arrangements on a regular basis. Such audits and assessments should be conducted, not only on the service providers as was previously required, but also on the sub-contractors of the service providers.
The proposal for audit frequency not to exceed three years has been removed from the Revised Outsourcing Guidelines. In determining the frequency of audit and expert assessment, the institution should consider the nature and extent of risk and impact to the institution from the outsourcing arrangements. An institution could also consider the findings from its due diligence evaluation to determine the frequency and the scope of audit on its service provider.
Outsourcing contracts
The Revised Outsourcing Guidelines set out various terms that must be provided for in any material outsourcing agreement, in addition to those already specified in the previous set of Guidelines. The proposed new terms are as follows:
Confidentiality and security
The service provider must be able to protect the confidentiality of the institution’s customer information, documents, records and assets particularly where multi-tenancy arrangements (i.e., where a single computing infrastructure (e.g., services, databases etc.) is used to serve multiple customers) are present at the service provider.
Sub-contracting
The institution should be allowed to conduct audits on the service provider and its sub-contractors.
MAS should be allowed, where necessary or expedient, to exercise the contractual rights of the institution to access and inspect the service provider’s sub-contractors.
The institution and MAS should also be allowed to obtain copies of any audit report and finding made on the service provider’s sub-contractors, whether produced by the service provider’s or its sub-contractors’ internal or external auditors, or by agents appointed by the service provider and its sub-contractor, in relation to the outsourcing arrangement.
Indemnity
The proposal for the service provider to indemnify MAS, its officers, agents, and employees has been removed following the industry’s feedback.
Request for reports
The service provider should be required to comply, as soon as possible, with any request from MAS or the institution to the service provider and its sub-contractors to submit any reports on the security and control environment of the service provider and its sub-contractors in relation to the outsourcing arrangement.
Reporting requirements
The type of events and the circumstances under which the service provider should report to the institution in order for an institution to take prompt risk mitigation measures and notify MAS of such developments as required under the Revised Outsourcing Guidelines should be specified, such as where there are instances of breaches of confidentiality in relation to customer information.
Smooth transition on termination
The outsourcing contract should also contain provisions that will ensure a smooth transition when the contract is terminated or amended by either party. Such provisions may facilitate transferability of the outsourced services to a bridge-institution or a third party. A “bridge-institution” means an institution to temporarily take over and maintain certain assets, liabilities and operations of a distressed financial institution, as part of a resolution authority’s exercise of resolution power.
Business Continuity Management
Under the Revised Outsourcing Guidelines, institutions are expected to ensure that their business continuity is not compromised by outsourcing arrangements; in particular, the operation of their critical systems as stipulated under the Technology Risk Management Notice. Institutions should adopt the sound practices and standards contained in the Business Continuity Management (“BCM”) Guidelines issued in 2003 and further supplemented in 2006 by MAS.
Outsourcing outside Singapore
MAS has clarified that only material outsourcing arrangements with service providers or sub-contractors located outside Singapore are subject to the expectation that such arrangements be conducted in a manner so as not to hinder MAS’ efforts to supervise their business activities. In particular, an institution should only enter into outsourcing arrangements with parties in jurisdictions that generally uphold confidentiality agreements. Furthermore, the institution should not enter into outsourcing arrangements with service providers in jurisdictions where prompt access to information by MAS or its agents may be impeded by legal or administrative restrictions.
Next Steps
Institutions are expected by MAS to conduct a self-assessment of all existing outsourcing arrangements against the Revised Outsourcing Guidelines within three months from the issuance of the Guidelines (i.e., by 26 October 2016). If there are deficiencies, then these will need to be rectified no later than 12 months from the issuance of the Revised Outsourcing Guidelines (i.e., by 26 July 2017).
For further information, please contact:
Chung Nian Lam, Partner, WongPartnership
chungnian.lam@wongpartnership.com