Breaking News: Singapore tightening security controls on outsourcing

10 September 2014

Chia Ling Koh, Marcus Chow

Introduction

On 5 September 2014, the Monetary Authority of Singapore (MAS) released two consultation papers containing a proposed updated set of Guidelines on Outsourcing, and a new Notice on Outsourcing that will define a set of minimum standards for managing outsourcing (the "proposed Guidelines and Notice"). The proposed Guidelines and Notice are intended to raise the standards of financial institutions' risk management practices in view of evolving business and technological trends in the past decade.

Key Changes under the Proposed Guidelines and Notice

A detailed analysis and commentary on the key changes under the proposed Guidelines and Notice will be released at a later date. For now, below are some preliminary observations on areas where substantial changes have been proposed:

  • Obligations will be contained in a 'Notice' which is legally binding

While guidelines set out principles or "best practice standards" that govern the conduct of specified institutions or persons, contravention of guidelines is not an offence. Accordingly, financial institutions are encouraged to observe the spirit of the Guidelines on Outsourcing.

However, the new Notice would impose legally binding requirements on financial institutions. Unlike the Guidelines on Outsourcing, the obligations in the Notice are mandatory and non-compliance is an offence which may result in sanctions by the MAS. The risk exposure to financial institutions, and the consequences of non-compliance, would therefore be far greater under the proposed regulatory regime.

  • Broader definition of 'material outsourcing arrangement' means that financial institutions will have to revise their methods of assessing outsourcing arrangements

Under the proposed Guidelines and Notice, MAS has expanded the scope of the existing Guidelines on Outsourcing issued in 2004 (the "2004 Guidelines") to cover a wider spectrum of outsourcing arrangements. Currently, the 2004 Guidelines only apply to outsourcing arrangements that, if disrupted, have the potential to significantly impact a financial institution’s business operations, reputation or profitability.

Under the proposed changes, financial institutions will now also need to account for the potential impact of their outsourcing arrangements on their customers. This is because outsourcing arrangements that involve customer information and may materially impact the financial institution's customers in the event of any unauthorised access or disclosure, loss or theft of customer information, would also be considered material outsourcing arrangements.

Further, financial institutions must ensure that they consider whether their outsourcing arrangements could adversely affect the financial institution’s ability to manage risk and comply with applicable laws and regulations.

  • Notification requirements have been expanded to include adverse developments relating to the financial institution itself, the financial institution's group, the service provider, and the service provider's sub-contractors.

The existing 2004 Guidelines require financial institutions to notify MAS of any adverse development arising in any outsourcing that could significantly affect the financial institution, as well as any breach of legal and regulatory requirements by the service provider.

Under the proposed Guidelines and/or Notice, financial institutions would also need to notify MAS as soon as possible of any adverse development or breach of legal and regulatory requirements by the financial institution itself as well as by the service provider or service provider's sub-contractors.

This requirement to notify MAS also applies to any event that could potentially lead to prolonged service failure or disruption in, or the termination and early exit of, the outsourcing arrangement, and to any significant unauthorised access or breach of security and confidentiality that affects the financial institution or its customers.

Further, financial institutions will also be required to notify MAS of such adverse development or breach of legal and prudential requirements encountered within the financial institution's group.

Financial institutions would have to ensure that these notification requirements are met and that the outsourcing agreement contains provisions requiring the service provider to notify the financial institution, in view of the financial institution's obligations to notify MAS.

  • Financial institutions would be expected to assess the service provider's employees and sub-contractors

The proposed Guidelines would require the financial institution to ensure that the service provider's employees and sub-contractors have been assessed to be fit and proper, consistent with the criteria applied to the financial institution's own employees. A non-exhaustive list of examples of what could be considered under the fit and proper assessment includes:

     (a) whether they have been the subject of any proceedings of a disciplinary or criminal nature;
     (b) whether they have been convicted of any offence (in particular, that associated with a finding of fraud, misrepresentation or dishonesty);
     (c) whether they have accepted civil liability for fraud or misrepresentation; and
     (d) whether they are financially sound.

The above is a new requirement that is not found in the existing 2004 Guidelines.

  • MAS would require an indemnity where it exercises audit and inspection rights under the outsourcing agreement

The proposed Guidelines and Notice would require the financial institution to include in all outsourcing agreements clauses that indemnify and hold MAS and its officers, agents and employees harmless from any liability, loss or damage to the service provider and sub-contractors arising out of any action taken to access and inspect them pursuant to the outsourcing agreement. This is another new requirement that is not found in the existing 2004 Guidelines.

  • Financial institutions would have to maintain an updated register of outsourcing arrangements

The proposed Guidelines on Outsourcing contain an Annex 4 that sets out a specific format in which financial institutions would be expected to maintain an updated register of all existing outsourcing arrangements.

This register must be furnished to MAS upon request. Information maintained in the register should include the name and location(s) of the service provider, the value and expiry or renewal dates of the contract, and reviews on the performance, operational, internal control and risk management standards of the outsourcing arrangement. Financial institutions would therefore have to conduct due diligence on their outsourcing arrangements to ensure that this register is up to date.

Conclusion

The above is a non-exhaustive list of the key proposed changes from the existing 2004 Guidelines. Our detailed analysis and commentary on the proposed Guidelines and Notice will be released in due course.

MAS has welcomed comments and feedback on its consultation papers on the proposed Guidelines and Notice. The deadline for submission of responses is 7 October 2014.

For more information, contact us.

Authors

Marcus Chow

Partner
Singapore

Call me on: +65 6534 5266