Updates to the ABS Guidelines for outsourced service providers

Summary of the Guidelines

The Guidelines generally set out controls relating to the security, availability, processing integrity and confidentiality of the service provided by OSPs. These controls have been categorised in the Guidelines under the following 3 main categories:

• Entity Level Controls – These are internal controls that ensure the implementation of the OSP's management directives. Such controls include components such as risk assessments, monitoring controls, information security policies and sub-contracting practices.
• General information Technology Controls – These controls ensure that the OSP maintains adequate processes in relation to the IT systems engaged within the outsourcing arrangement. Such controls include physical security controls, incident management, backup and disaster recovery and vulnerability assessments.
• Service Controls – These controls ensure that contractual and service level obligations between the OSPs and FIs are clearly defined and monitored.

Updates to the Guidelines

The latest update by the ABS introduced a number of minor changes to the Guidelines. These changes generally relate to the following:

Frequency of external audits

Under the Guidelines, OSPs should engage a qualified auditor to perform audits in accordance with the Guidelines once every 12 months. The updated Guidelines now require the audit sample data to cover the entire period since the previous audit, with a minimum testing period of 6 months (previously the minimum testing period was 12 months). Reasons should be provided in the audit report if the testing period covered is less than 6 months.

Periodic review of controls

The updated Guidelines place a stronger focus on the periodical review of the OSP's controls. An OSP has to now review its controls once every 12 months for:

• backup and disaster recovery policies and procedures;
• system vulnerability assessment policies and procedures;
• technology refresh management plan and procedures;
• operating procedures; and
• due diligence and risk assessments of sub-contractors providing sub-contracted services.

Greater collaboration with the FIs

The updated Guidelines also provide for a higher level of involvement by the FIs in the control of the outsourcing arrangement as the OSP is now required to provide FIs with:

• copies of any monitoring reports and findings made on the OSP and/or its subcontractors in relation to the outsourcing arrangement;
• notification of any substantial changes in the OSP's business continuity plans and of any adverse development that could substantially impact the services provided to the FIs; and
• immediate notification of any significant issues identified in an audit that may lead to prolonged service disruption or breach of security and confidentiality of the FI's customer information.

Additionally, the updated Guidelines now also require the OSP to seek the FI's agreement on the following:

• scope of risk assessment to be performed (if the OSP shares its premises with other entities);
• procedures on retention of information and data;
• procedures on destruction of information and data by the OSP; and
• frequency of independent audit/expert assessment of sub-contractors (if any).

Conclusion

The latest updates to the Guidelines, while fairly minor, represent the significant need for a greater level of communication and collaboration between OSPs and FIs in relation to their outsourcing arrangements.