The Monetary Authority of Singapore's revised guidelines on outsourcing
The key issues for you to consider
18 July 2019
The Monetary Authority of Singapore (MAS) has published revised guidelines on how financial institutions should manage risk in their outsourcing arrangements.
Here are some of the key differences between the revised Guidelines and the previous Guidelines.
The revised Guidelines cover cloud computing for the first time. Amongst other things, institutions are expected to:
- perform the due diligence measures and apply the sound governance and risk management practices set out in the Guidelines when subscribing to cloud services;
- take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing;
- ensure that its service provider has the ability to clearly identify and segregate customer data; and
- have in place robust access controls to protect customer information for the length of the contract.
Material outsourcing arrangements
The definition of "material outsourcing arrangement" has been amended and expanded in the revised Guidelines to mean an outsourcing arrangement that:
- in the event of a service failure or security breach, has the potential either to materially impact an institution's business operations, reputation or profitability, or its ability to manage risk and comply with applicable laws and regulations; or
- involves customer information and, in the event of any unauthorised access or disclosure, loss or theft of customer information, may have a material impact on an institution's customers.
Expansion of scope of institutions
The Guidelines have been expanded to include any other person licensed, approved, registered or regulated by MAS, which would include licensed money-changers, holders of stored value facilities and licensed trust companies.
Removal of MAS notification requirement
Financial institutions are no longer obliged to notify MAS of any material outsourcing arrangements. However, MAS will continue to assess and monitor the robustness of institutions' outsourcing risk management frameworks. Institutions are expected to exercise appropriate due diligence on their outsourcing arrangements and be able to demonstrate to MAS their observance of the Guidelines.
Notification of adverse developments
An institution is required to notify MAS as soon as possible of any adverse development arising from its outsourcing arrangements that could impact the institution or the institution's group. This includes any event that could potentially lead to prolonged service failure or disruption in the outsourcing arrangement, or any breach of security and confidentiality of the institution's customer information.
Institutions are required to carry out due diligence on their service providers and their service providers' employees. Amongst other things, institutions should consider the physical and IT security controls, and the business reputation and financial strength of its service providers. Institutions should ensure that its service providers' employees meet the institution's own hiring policies and have not been convicted of offences such as fraud.
We have published a full briefing on the revised guidelines on the Clifford Chance website. To read this, please click here.