MAS outsourcing guidelines: A quick guide

Last October 2018, the Monetary Authority of SIngapore (MAS) published the revised Guidelines on Outsourcing in replacement of previous guidelines on outsourcing and IT outsourcing of 2016. Here’s what you need to know about the revised outsourcing guidelines:

The Monetary Authority of Singapore (MAS)

The Monetary Authority of Singapore (MAS) is Singapore’s financial institution and financial administrative body. MAS not only regulates the financial sector of Singapore, but it promotes and sustains economic growth, too.

MAS’ functions as a financial organization include overseeing the country’s monetary policy, issuing currency, and overseeing financial systems. It supervises all of Singapore’s financial services, and also the surveillance of the country’s financial stability that includes foreign reserves and assets to compete better economically

This means that all of the country’s financial transactions, including outsourcing, are being overseen by MAS.

MAS revised Guidelines on Outsourcing

MAS has revised their 2016 Guidelines on Outsourcing last October 2018, and provided institutions with guidance on risk management on the subsequent outsourcing arrangements:

1. Notification of Adverse Developments

This section states that the institution should report back to MAS as soon as possible regarding any adverse development arising from its outsourcing arrangements.

Any adverse developments might be an event that would potentially prolong service failure or disruption within the outsourcing arrangement, in a breach of security and confidentiality of the institution’s customer information.

2. Assessment of service providers

• Due diligence on service providers

Institutions are required to confirm that the service provider has met the regulatory standards expected of the institution. The due diligence should take the physical and IT security controls into account and its financial strength. Information including the service provider’s risk management, contingency plans, and business continuity should be ensured moreover.

• Due diligence on employees of service providers

When it involves the workers, all staff of the service provider should have also been assessed if they meet the institution’s hiring policies. Service providers should know whether or not they are the topic of any proceedings of a disciplinary or criminal nature if they have been convicted of any offense, accepted civil liability for fraud or misrepresentation, and whether or not they are financially capable.

Outsourcing Agreement

The revised guidelines state that each outsourcing agreement should have provisions that address the scope of the outsourcing arrangement.

This covers confidentiality and security, business continuity management, monitoring and control, audit and inspection, notification of adverse developments, dispute resolution, default termination and early exit, sub-contracting, and applicable laws.

3. Material outsourcing arrangements

• Expanded definition of “material outsourcing arrangement”

In this section, the revised guidelines indicate that within the event of a service failure or security breach, that may materially impact an institution’s business operations, reputation or profitability, or its ability to manage the risk that involves customers’ information then it may impact on an institution’s customers.

• Requirements that apply to material outsourcing arrangements

Upon notifying MAS, MAS will still assess and monitor the power of institutions’ supported outsourcing risk management plans. Institutions are expected to satisfy due diligence and may be ready to demonstrate their adherence to the rules.

MAS has also provided requirements upon application to material outsourcing arrangements. Requirements include periodic reviews on material outsourcing arrangements a minimum of once a year, to permit the institution and MAS to be granted audit access or any report about the service provider and its subcontractors.

Additionally, another requirement is to confirm that every one material outsourcing arrangements outside Singapore are conducted with the adherence to those guidelines.

4. Monitoring and control of outsourcing arrangements

Concerning material outsourcing arrangements, the institution is further required to ascertain multi-disciplinary outsourcing management groups to confirm that every one relevant technical issues and legal and regulatory requirements are met.

That includes:

• the monitoring and control of the outsourced services,
• conduct periodic reviews on all material outsourcing arrangements a minimum of once a year
• prepare reports on the activities of the institution that are reviewed by senior management and provided to the board; and
• perform comprehensive implementation reviews for brand new or amended outsourcing arrangement.
  

5. Audit frequency and scope

In this section, an establishment is required to make sure that every one audits and experts’ assessments of all its outsourcing arrangements, both material and nonmaterial, should be conducted.

The institution should know the extent of risk and its impact on the institution from the outsourcing arrangements. All independent audits and expert assessments should include records and assessment of the service providers’ and its subcontractors’ security and control environment, and also the institution’s observance of the rules in relevance to the outsourcing arrangement.

6. Outsourcing outside Singapore

This revised section requires, as a part of its due diligence, a basis on government policies, political, social, and economic conditions, legal and regulatory developments within the foreign country, and also the institution’s ability to effectively monitor the service provider and execute its business continuity management plans and exit strategy.

It also states that the institution should take the disaster recovery arrangements into account established by the service provider where material outsourcing arrangements are entered into with service providers outside Singapore.

7. Cloud computing

MAS significantly revised its guidelines on cloud computing. The section states that an establishment is predicted to perform the required due diligence measures and perform risk management practices when subscribing to cloud services. they’re also required to adopt a risk-based approach to ensure control with the materiality of risks posed by cloud services.

The institution is required to perform necessary measures to handle the risks related to data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance, and auditing.

Frequently Asked Questions (FAQs) about MAS’ outsourcing guidelines

Q: What is the accepted template used by institutions in submitting its outsourcing registration for outsourcing to MAS?

A: You can check Annex 3 of the MAS Guidelines on Outsourcing for the template. An institution may however, use a different template to update its board and senior management of its outsourcing arrangements. The template needs to be submitted to MAS, at least annually or upon request.

Q: How could the institution ensure that independent audits assessments are conducted on the outsourcing arrangement if the outsourced service is the internal audit function?

A: In the case where an institution outsources its internal audit function, the institution is required to conduct periodic assessments to verify if they are suited to perform the internal audit function. These assessments might include Quality Assurance and Improvement Program as per the International Standards for the Professional Practice of Internal Auditing (Standards).