On 1 June 2017, the Association of Banks in Singapore ("ABS") released a revised version of the Guidelines on Control Objectives & Procedures for Outsourced Service Providers ("Guidelines"). First published on 26 June 2015, these non-binding Guidelines provide a set of recommended minimum standards and controls that Outsourced Service Providers ("OSPs") should consider implementing when undertaking material outsourcing arrangements for Financial Institutions ("FIs") in Singapore.
Summary of the Guidelines
The Guidelines generally set out controls relating to the security, availability, processing integrity and confidentiality of the service provided by OSPs. These controls have been categorised in the Guidelines under the following 3 main categories:
- Entity Level Controls – These are internal controls that ensure the implementation of the OSP's management directives. Such controls include components such as risk assessments, monitoring controls, information security policies and sub-contracting practices.
- General Information Technology Controls – These controls ensure that the OSP maintains adequate processes in relation to the IT systems engaged within the outsourcing arrangement. Such controls include physical security controls, incident management, backup and disaster recovery, and vulnerability assessments.
- Service Controls – These controls ensure that contractual and service level obligations between the OSPs and FIs are clearly defined and monitored.
Updates to the Guidelines
The latest update by the ABS introduced a number of minor changes to the Guidelines. These changes generally relate to the following:
Frequency of external audits
Under the Guidelines, OSPs should engage a qualified auditor to perform audits in accordance with the Guidelines once every 12 months. The updated Guidelines now require the audit sample data to cover the entire period since the previous audit, with a minimum testing period of 6 months (previously the minimum testing period was 12 months). Reasons should be provided in the audit report if the testing period covered is less than 6 months.
Periodic review of controls
The updated Guidelines place a stronger focus on the periodic review of the OSP's controls. An OSP must now review its controls once every 12 months for:
- backup and disaster recovery policies and procedures;
- system vulnerability assessment policies and procedures;
- technology refresh management plan and procedures;
- operating procedures; and
- due diligence and risk assessments of sub-contractors providing sub-contracted services.
Greater collaboration with the FIs
The updated Guidelines also provide for a higher level of involvement by the FIs in the control of the outsourcing arrangement as the OSP is now required to provide FIs with:
- copies of any monitoring reports and findings made on the OSP and/or its subcontractors in relation to the outsourcing arrangement;
- notification of any substantial changes in the OSP's business continuity plans and of any adverse development that could substantially impact the services provided to the FIs; and
- immediate notification of any significant issues identified in an audit that may lead to prolonged service disruption or breach of security and confidentiality of the FI's customer information.
Additionally, the updated Guidelines now also require the OSP to seek the FI's agreement on the following:
- scope of risk assessment to be performed (if the OSP shares its premises with other entities);
- procedures on retention of information and data;
- procedures on destruction of information and data by the OSP; and
- frequency of independent audit/expert assessment of sub-contractors (if any).
The latest updates to the Guidelines, while fairly minor, reflect a significant need for a greater level of communication and collaboration between OSPs and FIs in relation to their outsourcing arrangements.