MAS RELEASES REVISED GUIDELINES ON OUTSOURCING RISK MANAGEMENT

Transcription

1 AUGUST MAS RELEASES REVISED GUIDELINES ON OUTSOURCING RISK MANAGEMENT On 27 July 2016, the Monetary Authority of Singapore ( MAS ) issued its new Guidelines on Outsourcing Risk Management ( Revised Outsourcing Guidelines ). The Revised Outsourcing Guidelines replace the previous Guidelines on Outsourcing that were last updated in 2005, as well as the Information Technology Outsourcing Circular dated 14 July The Revised Outsourcing Guidelines were issued further to the Consultation Paper on the Guidelines on Outsourcing which MAS had issued on 5 September 2014, together with the Consultation Paper on the Notice on Outsourcing. MAS response to feedback received on the Consultation Paper on the Guidelines on Outsourcing was also released at the same time. MAS is still in the process of reviewing the industry s feedback on the Consultation Paper on the Notice on Outsourcing and will issue the Notice on Outsourcing once the review has been completed. Key changes in the Revised Outsourcing Guidelines include: (i) (ii) (iii) (iv) introduction of a new section on cloud computing that sets out MAS stance on cloud computing; removal of the expectation for financial institutions to pre-notify MAS of material outsourcing arrangements; introduction of a new requirement for financial institutions to maintain and submit a central register of all outsourcing arrangements to MAS at least annually, or upon request; and revision to the definition of material outsourcing arrangement to include, under certain circumstances, an arrangement that involves customer information. This Update sets out the key changes under the Revised Outsourcing Guidelines. Applicability of the outsourcing requirements Financial institutions to be included The outsourcing requirements in the Revised Outsourcing Guidelines will apply to the following financial institutions: banks and merchant banks; finance companies; money-changers and remitters; insurers; insurance intermediaries; financial advisers;

2 AUGUST approved holding companies, approved exchanges, and approved clearing houses; recognised market operators, recognised clearing houses, licensed trade repositories, and licensed foreign trade repositories; holders of a capital markets services licence; trustees for collective investment schemes. trustee-managers of business trusts; trust companies; holders of stored value facilities; designated financial holding companies; and persons licensed to carry on the business of issuing credit cards or charge cards in Singapore. Adoption of risk management practices Group-wide assessment of outsourcing risks Institutions are encouraged to implement all the risk management practices contained in the Revised Outsourcing Guidelines for outsourcing arrangements involving a MAS-regulated entity. The extent and degree to which an institution implements the risk management practices should be commensurate with the nature of risks in, and materiality of, the outsourcing arrangement. Under the Revised Outsourcing Guidelines, an institution incorporated in Singapore is also encouraged to consider the impact of outsourcing arrangements by its branches and any corporation under its control, including those located outside Singapore and regardless of whether these are financial or nonfinancial related companies, on its consolidated operations. Institutions incorporated in Singapore should ensure that the Revised Outsourcing Guidelines are observed by branches and corporations under their control by applying a group-wide outsourcing risk management framework that complies with the Revised Outsourcing Guidelines. Implementation of Guidelines Management of outsourcing risks MAS expects financial institutions to ensure that the outsourced services (whether provided by a service provider or its subcontractor) continue to be managed as if the services were still managed by the institution. In supervising an institution, MAS will review its implementation of the Revised Outsourcing Guidelines, the quality of its board and senior management oversight and governance, internal controls and risk management with regard to managing outsourcing risks. MAS is particularly interested in material outsourcing arrangements.

3 AUGUST Prior notification of outsourcing contract not necessary Notification of adverse developments MAS has removed the expectation for institutions to notify MAS before making any material outsourcing commitment with immediate effect. Institutions are expected to exercise appropriate due diligence on their outsourcing arrangements, and be ready to demonstrate to MAS their observance of the Revised Outsourcing Guidelines. Institutions should notify MAS as soon as possible of any adverse development arising from its outsourcing arrangements that could impact the institution, as well as any such adverse development encountered within the institution s group. What constitutes outsourcing arrangements and material outsourcing arrangements Definition of outsourcing arrangement Cloud services to be considered as outsourcing MAS has revised the definition of outsourcing arrangement to clarify that a service that involves the provision of a finished product is not the sole determining factor in deciding whether the service falls within the definition of outsourcing arrangement. Instead an arrangement would be deemed outsourcing under the Revised Outsourcing Guidelines if the institution may currently or potentially perform the service itself, the institution is dependent on the service on an ongoing basis and the service is integral to the provision of a financial service by the institution (or the service is provided to the market by the service provider in the name of the institution). MAS has indicated in the Revised Outsourcing Guidelines that it considers cloud services operated by service providers as a form of outsourcing and thus subject to similar risks as that of other forms of outsourcing arrangements. Institutions are therefore responsible for maintaining oversight of cloud services and managing the attendant risks of adopting cloud services, as in any other form of outsourcing arrangements. For the purposes of the Revised Outsourcing Guidelines, cloud services refers to a combination of a business and delivery model that enables ondemand access to a shared pool of resources such as applications, servers, storage and network security.

4 AUGUST New examples of outsourcing What constitutes material outsourcing arrangements Additional factors to be applied when considering materiality Annex 1 of the Revised Outsourcing Guidelines also contains new examples of services which would be considered to be outsourcing arrangements: white-labelling arrangements such as for trading and hedging facilities; business continuity and disaster recovery functions and activities; information systems hosting (e.g., software-as-a-service, platform-as-a-service, or infrastructure-as-a-service); management of policy issuance and claims operations by managing agents; legal and compliance professional services; and support services related to archival and storage of data and records. The Revised Outsourcing Guidelines also expand the parameters of when outsourcing would be considered material. In summary, outsourcing is material if: in the event of a service failure or security breach, there is the potential to materially impact an institution s business operations, reputation or profitability, or its ability to manage risk and comply with applicable laws and regulations. Such failures and breaches may not necessarily involve disruptions; or it involves customer information and, in the event of any loss, theft, or unauthorised access or disclosure of customer information, may have a material impact on the institution s customers. For the purposes of the Revised Outsourcing Guidelines, public information or anonymised information relating to customers or encrypted customer information is not caught under the definition of customer information provided that the identities of the customers cannot be readily inferred. In considering the degree of materiality of an outsourcing arrangement, Annex 2 of the Revised Outsourcing Guidelines include the following factors in addition to the previous set of factors to be applied: the impact on the institution s customers, should the service provider fail to perform the service or encounter a breach of security or confidentiality; the impact on the institution s counterparties and the Singapore financial market, should the service provider fail to perform the service; and

5 AUGUST the cost of outsourcing failure, which will require the institution to bring the outsourced activity in-house or seek similar service from another service provider, as a proportion of total operating costs of the institution. Central register required Institutions will be required to maintain a central register of all outsourcing arrangements. The format for this central register is as per the template on MAS website. The central register must be submitted to the MAS at least annually or upon request. Review, due diligence, and audits Risk Management framework Responsibilities of board Responsibilities of senior management The board and senior management of an institution should ensure that there are adequate processes to provide a comprehensive institution-wide view of its risk exposures from all its outsourcing arrangements, and to incorporate the assessment of such risks into the institution s outsourcing risk management framework. However, the Revised Outsourcing Guidelines prescribe different responsibilities for the board and senior management. Ultimately, the board of the institution must approve a framework to evaluate the risks and materiality of all existing and prospective outsourcing arrangements and the policies that apply to such arrangements. The board is also additionally responsible for, inter alia, the following: setting a suitable risk appetite to define the nature and extent of risks that the institution is willing and able to assume from its outsourcing arrangements; and ensuring that senior management establishes appropriate governance structures and processes for sound and prudent risk management. The senior management of the institution is responsible for, inter alia, the following additional areas: monitoring and maintaining effective control of all risks from its material outsourcing arrangements on an institution-wide basis; and ensuring that appropriate and timely remedial actions are taken to address audit findings.

6 AUGUST The MAS has also enhanced the areas of due diligence of service providers in several key ways: Assessment of employees Additional areas for due diligence Onsite visits encouraged Due diligence to be conducted periodically Institutions are expected to ensure that service providers and their sub-contractors have acceptable hiring and screening policies in place to ensure that their employees who undertake any part of the outsourcing arrangement have been assessed to meet the institution s hiring policies for the role they are performing, consistent with the criteria applicable to its own employees. Any adverse findings from this assessment should be considered in light of their relevance and impact to the outsourcing arrangement. Some of the additional areas of due diligence on the service provider which should be evaluated include: the physical and IT security controls the service provider has in place; the level of ethical and professional standards held by the service provider; the service provider s ability to comply with its obligations under the outsourcing arrangement; the business reputation, financial strength and resources of the service provider; its corporate governance; its risk management framework and capabilities, including its technology risk management; the disaster recovery arrangements and disaster recovery track record; and the service provider s ability to comply with applicable laws and regulations and track record in relation to its compliance with applicable laws and regulations. Onsite visits should be made to the service provider to supplement findings noted from offsite reviews. The Revised Outsourcing Guidelines make clear that due diligence undertaken during the assessment process should be documented and re-performed periodically to ensure that it is sufficiently current as part of the monitoring and control processes of outsourcing arrangements. MAS has removed the expectation for due diligence to be performed annually. However, institutions will need to adopt a risk-based approach in determining the appropriate scope, methodology (which may include the appropriate time interval for the refresh of information) and frequency of the assessment.

7 AUGUST Audits to be conducted periodically Under the Revised Outsourcing Guidelines, institutions are required to carry out periodic independent audit and expert assessments on all outsourcing arrangements on a regular basis. Such audits and assessments should be conducted, not only on the service providers as was previously required, but also on the sub-contractors of the service providers. The proposal for audit frequency not to exceed three years has been removed from the Revised Outsourcing Guidelines. In determining the frequency of audit and expert assessment, the institution should consider the nature and extent of risk and impact to the institution from the outsourcing arrangements. An institution could also consider the findings from its due diligence evaluation to determine the frequency and the scope of audit on its service provider. Outsourcing contracts The Revised Outsourcing Guidelines set out various terms that must be provided for in any material outsourcing agreement, in addition to those already specified in the previous set of Guidelines. The proposed new terms are as follows: Confidentiality and security The service provider must be able to protect the confidentiality of the institution s customer information, documents, records and assets particularly where multi-tenancy arrangements (i.e., where a single computing infrastructure (e.g., services, databases etc.) is used to serve multiple customers) are present at the service provider. Sub-contracting The institution should be allowed to conduct audits on the service provider and its sub-contractors. MAS should be allowed, where necessary or expedient, to exercise the contractual rights of the institution to access and inspect the service provider s sub-contractors. The institution and MAS should also be allowed to obtain copies of any audit report and finding made on the service provider s sub-contractors, whether produced by the service provider s or its sub-contractors internal or external auditors, or by agents appointed by the service provider and its subcontractor, in relation to the outsourcing arrangement. Indemnity The proposal for the service provider to indemnify MAS, its officers, agents, and employees has been removed following the industry s feedback.

8 AUGUST Request for reports The service provider should be required to comply, as soon as possible, with any request from MAS or the institution to the service provider and its sub-contractors to submit any reports on the security and control environment of the service provider and its sub-contractors in relation to the outsourcing arrangement. Reporting requirements The type of events and the circumstances under which the service provider should report to the institution in order for an institution to take prompt risk mitigation measures and notify MAS of such developments as required under the Revised Outsourcing Guidelines should be specified, such as where there are instances of breaches of confidentiality in relation to customer information. Smooth transition on termination The outsourcing contract should also contain provisions that will ensure a smooth transition when the contract is terminated or amended by either party. Such provisions may facilitate transferability of the outsourced services to a bridgeinstitution or a third party. A bridge-institution means an institution to temporarily take over and maintain certain assets, liabilities and operations of a distressed financial institution, as part of a resolution authority s exercise of resolution power. Business Continuity Management Under the Revised Outsourcing Guidelines, institutions are expected to ensure that their business continuity is not compromised by outsourcing arrangements; in particular, the operation of their critical systems as stipulated under the Technology Risk Management Notice. Institutions should adopt the sound practices and standards contained in the Business Continuity Management ( BCM ) Guidelines issued in 2003 and further supplemented in 2006 by MAS. Outsourcing outside Singapore MAS has clarified that only material outsourcing arrangements with service providers or sub-contractors located outside Singapore are subject to the expectation that such arrangements be conducted in a matter so as not to hinder MAS efforts to supervise their business activities. In particular, an institution

9 AUGUST should only enter into outsourcing arrangements with parties in jurisdictions that generally uphold confidentiality agreements. Furthermore, the institution should not enter into outsourcing arrangements with service providers in jurisdictions where prompt access to information by MAS or its agents may be impeded by legal or administrative restrictions. Next Steps Institutions are expected by MAS to conduct a self-assessment of all existing outsourcing arrangements against the Revised Outsourcing Guidelines within three months from the issuance of the Guidelines (i.e., by 26 October 2016). If there are deficiencies, then these will need to be rectified no later than 12 months from the issuance of the Revised Outsourcing Guidelines (i.e., by 26 July 2017). If you would like information on this or any other area of law, you may wish to contact the partner at WongPartnership that you normally deal with or contact the following lawyers: Rosabel Ng Head Derivatives & Structured Products Practice DID: Click here to see Rosabel s CV. Elaine Chan Senior Consultant Financial Services Regulatory Practice DID: Click here to see Elaine s CV. Lam Chung Nian Head Intellectual Property, Technology & Media, Telecommunications and Data Protection Practices DID: Click here to see Chung Nian s CV.

10 CASEWATCH AUGUST WONGPARTNERSHIP OFFICES SINGAPORE WongPartnership LLP 12 Marina Boulevard Level 28 Marina Bay Financial Centre Tower 3 Singapore Tel: Fax: /5722 CHINA WongPartnership LLP Beijing Representative Office Unit 3111 China World Office 2 1 Jianguomenwai Avenue, Chaoyang District Beijing , PRC Tel: Fax: INDONESIA WongPartnership LLP Shanghai Representative Office Unit 1015 Corporate Avenue Hubin Road Shanghai , PRC Tel: Fax: Makes & Partners Law Firm (an associate firm) Menara Batavia, 7th Floor Jl. KH. Mas Mansyur Kav. 126 Jakarta 10220, Indonesia Tel: Fax: Website: makeslaw.com MALAYSIA Foong & Partners Advocates & Solicitors (an associate firm) 13-1, Menara 1MK, Kompleks 1 Mont Kiara No 1 Jalan Kiara, Mont Kiara Kuala Lumpur, Malaysia Tel: Fax: Website: foongpartners.com MIDDLE EAST Al Aidarous International Legal Practice (an associate firm) Abdullah Al Mulla Building, Mezzanine Suite Hameem Street Al Nahyan Camp Area P.O. Box No Abu Dhabi, UAE Tel: Fax: Website: aidarous.com MYANMAR Al Aidarous International Legal Practice (an associate firm) Zalfa Building, Suite Sh. Rashid Road Garhoud P.O. Box No Dubai, UAE Tel: Fax: WongPartnership Myanmar Ltd. No. 1, Kaba Aye Pagoda Road Business Suite #03-02, Yankin Township Yangon, Myanmar Tel: Fax: contactus@wongpartnership.com wongpartnership.com