MAS RELEASES REVISED GUIDELINES ON OUTSOURCING RISK MANAGEMENT


AUGUST 2016

On 27 July 2016, the Monetary Authority of Singapore ("MAS") issued its new Guidelines on Outsourcing Risk Management ("Revised Outsourcing Guidelines"). The Revised Outsourcing Guidelines replace the previous Guidelines on Outsourcing that were last updated in 2005, as well as the Information Technology Outsourcing Circular dated 14 July 2011. The Revised Outsourcing Guidelines were issued further to the Consultation Paper on the Guidelines on Outsourcing which MAS had issued on 5 September 2014, together with the Consultation Paper on the Notice on Outsourcing. MAS' response to feedback received on the Consultation Paper on the Guidelines on Outsourcing was also released at the same time. MAS is still in the process of reviewing the industry's feedback on the Consultation Paper on the Notice on Outsourcing and will issue the Notice on Outsourcing once the review has been completed.

Key changes in the Revised Outsourcing Guidelines include:
(i) introduction of a new section on cloud computing that sets out MAS' stance on cloud computing;
(ii) removal of the expectation for financial institutions to pre-notify MAS of material outsourcing arrangements;
(iii) introduction of a new requirement for financial institutions to maintain and submit a central register of all outsourcing arrangements to MAS at least annually, or upon request; and
(iv) revision to the definition of "material outsourcing arrangement" to include, under certain circumstances, an arrangement that involves customer information.

This Update sets out the key changes under the Revised Outsourcing Guidelines.

Applicability of the outsourcing requirements

Financial institutions to be included

The outsourcing requirements in the Revised Outsourcing Guidelines will apply to the following financial institutions:
- banks and merchant banks;
- finance companies;
- money-changers and remitters;
- insurers;
- insurance intermediaries;
- financial advisers;
- approved holding companies, approved exchanges, and approved clearing houses;
- recognised market operators, recognised clearing houses, licensed trade repositories, and licensed foreign trade repositories;
- holders of a capital markets services licence;
- trustees for collective investment schemes;
- trustee-managers of business trusts;
- trust companies;
- holders of stored value facilities;
- designated financial holding companies; and
- persons licensed to carry on the business of issuing credit cards or charge cards in Singapore.

Adoption of risk management practices

Institutions are encouraged to implement all the risk management practices contained in the Revised Outsourcing Guidelines for outsourcing arrangements involving a MAS-regulated entity. The extent and degree to which an institution implements the risk management practices should be commensurate with the nature of risks in, and materiality of, the outsourcing arrangement.

Group-wide assessment of outsourcing risks

Under the Revised Outsourcing Guidelines, an institution incorporated in Singapore is also encouraged to consider the impact on its consolidated operations of outsourcing arrangements by its branches and any corporation under its control, including those located outside Singapore and regardless of whether these are financial or non-financial related companies. Institutions incorporated in Singapore should ensure that the Revised Outsourcing Guidelines are observed by branches and corporations under their control by applying a group-wide outsourcing risk management framework that complies with the Revised Outsourcing Guidelines.

Management of outsourcing risks

MAS expects financial institutions to ensure that the outsourced services (whether provided by a service provider or its sub-contractor) continue to be managed as if the services were still managed by the institution.

Implementation of Guidelines

In supervising an institution, MAS will review its implementation of the Revised Outsourcing Guidelines, and the quality of its board and senior management oversight and governance, internal controls and risk management with regard to managing outsourcing risks. MAS is particularly interested in material outsourcing arrangements.

Prior notification of outsourcing contract not necessary

MAS has removed, with immediate effect, the expectation for institutions to notify MAS before making any material outsourcing commitment. Institutions are expected to exercise appropriate due diligence on their outsourcing arrangements, and be ready to demonstrate to MAS their observance of the Revised Outsourcing Guidelines.

Notification of adverse developments

Institutions should notify MAS as soon as possible of any adverse development arising from their outsourcing arrangements that could impact the institution, as well as any such adverse development encountered within the institution's group.

What constitutes outsourcing arrangements and material outsourcing arrangements

Definition of outsourcing arrangement

MAS has revised the definition of "outsourcing arrangement" to clarify that a service that involves the provision of a finished product is not the sole determining factor in deciding whether the service falls within the definition of "outsourcing arrangement". Instead, an arrangement would be deemed outsourcing under the Revised Outsourcing Guidelines if the institution may currently or potentially perform the service itself, the institution is dependent on the service on an ongoing basis, and the service is integral to the provision of a financial service by the institution (or the service is provided to the market by the service provider in the name of the institution).

Cloud services to be considered as outsourcing

MAS has indicated in the Revised Outsourcing Guidelines that it considers cloud services operated by service providers as a form of outsourcing, and thus subject to similar risks as other forms of outsourcing arrangements. Institutions are therefore responsible for maintaining oversight of cloud services and managing the attendant risks of adopting cloud services, as in any other form of outsourcing arrangement.

For the purposes of the Revised Outsourcing Guidelines, "cloud services" refers to a combination of a business and delivery model that enables on-demand access to a shared pool of resources such as applications, servers, storage and network security.

New examples of outsourcing

Annex 1 of the Revised Outsourcing Guidelines also contains new examples of services which would be considered to be outsourcing arrangements:
- white-labelling arrangements, such as for trading and hedging facilities;
- business continuity and disaster recovery functions and activities;
- information systems hosting (e.g., software-as-a-service, platform-as-a-service, or infrastructure-as-a-service);
- management of policy issuance and claims operations by managing agents;
- legal and compliance professional services; and
- support services related to archival and storage of data and records.

What constitutes material outsourcing arrangements

The Revised Outsourcing Guidelines also expand the parameters of when outsourcing would be considered material. In summary, outsourcing is material if:
- in the event of a service failure or security breach, there is the potential to materially impact an institution's business operations, reputation or profitability, or its ability to manage risk and comply with applicable laws and regulations. Such failures and breaches may not necessarily involve disruptions; or
- it involves customer information and, in the event of any loss, theft, or unauthorised access or disclosure of customer information, may have a material impact on the institution's customers.

For the purposes of the Revised Outsourcing Guidelines, public information or anonymised information relating to customers, or encrypted customer information, is not caught under the definition of "customer information", provided that the identities of the customers cannot be readily inferred.

Additional factors to be applied when considering materiality

In considering the degree of materiality of an outsourcing arrangement, Annex 2 of the Revised Outsourcing Guidelines includes the following factors in addition to the previous set of factors to be applied:
- the impact on the institution's customers, should the service provider fail to perform the service or encounter a breach of security or confidentiality;
- the impact on the institution's counterparties and the Singapore financial market, should the service provider fail to perform the service; and
- the cost of outsourcing failure, which will require the institution to bring the outsourced activity in-house or seek a similar service from another service provider, as a proportion of the total operating costs of the institution.

Central register required

Institutions will be required to maintain a central register of all outsourcing arrangements. The format for this central register is as per the template on MAS' website. The central register must be submitted to MAS at least annually or upon request.

Review, due diligence, and audits

Risk management framework

The board and senior management of an institution should ensure that there are adequate processes to provide a comprehensive institution-wide view of its risk exposures from all its outsourcing arrangements, and to incorporate the assessment of such risks into the institution's outsourcing risk management framework. However, the Revised Outsourcing Guidelines prescribe different responsibilities for the board and senior management.

Responsibilities of board

Ultimately, the board of the institution must approve a framework to evaluate the risks and materiality of all existing and prospective outsourcing arrangements and the policies that apply to such arrangements. The board is also additionally responsible for, inter alia, the following:
- setting a suitable risk appetite to define the nature and extent of risks that the institution is willing and able to assume from its outsourcing arrangements; and
- ensuring that senior management establishes appropriate governance structures and processes for sound and prudent risk management.

Responsibilities of senior management

The senior management of the institution is responsible for, inter alia, the following additional areas:
- monitoring and maintaining effective control of all risks from its material outsourcing arrangements on an institution-wide basis; and
- ensuring that appropriate and timely remedial actions are taken to address audit findings.

MAS has also enhanced the areas of due diligence of service providers in several key ways.

Assessment of employees

Institutions are expected to ensure that service providers and their sub-contractors have acceptable hiring and screening policies in place, to ensure that their employees who undertake any part of the outsourcing arrangement have been assessed to meet the institution's hiring policies for the role they are performing, consistent with the criteria applicable to its own employees. Any adverse findings from this assessment should be considered in light of their relevance and impact to the outsourcing arrangement.

Additional areas for due diligence

Some of the additional areas of due diligence on the service provider which should be evaluated include:
- the physical and IT security controls the service provider has in place;
- the level of ethical and professional standards held by the service provider;
- the service provider's ability to comply with its obligations under the outsourcing arrangement;
- the business reputation, financial strength and resources of the service provider;
- its corporate governance;
- its risk management framework and capabilities, including its technology risk management;
- the disaster recovery arrangements and disaster recovery track record; and
- the service provider's ability to comply with applicable laws and regulations, and its track record in relation to its compliance with applicable laws and regulations.

Onsite visits encouraged

Onsite visits should be made to the service provider to supplement findings noted from offsite reviews.

Due diligence to be conducted periodically

The Revised Outsourcing Guidelines make clear that due diligence undertaken during the assessment process should be documented and re-performed periodically to ensure that it is sufficiently current, as part of the monitoring and control processes of outsourcing arrangements. MAS has removed the expectation for due diligence to be performed annually. However, institutions will need to adopt a risk-based approach in determining the appropriate scope, methodology (which may include the appropriate time interval for the refresh of information) and frequency of the assessment.

Audits to be conducted periodically

Under the Revised Outsourcing Guidelines, institutions are required to carry out periodic independent audits and expert assessments on all outsourcing arrangements on a regular basis. Such audits and assessments should be conducted not only on the service providers, as was previously required, but also on the sub-contractors of the service providers. The proposal for audit frequency not to exceed three years has been removed from the Revised Outsourcing Guidelines. In determining the frequency of audit and expert assessment, the institution should consider the nature and extent of risk and impact to the institution from the outsourcing arrangements. An institution could also consider the findings from its due diligence evaluation to determine the frequency and the scope of audit on its service provider.

Outsourcing contracts

The Revised Outsourcing Guidelines set out various terms that must be provided for in any material outsourcing agreement, in addition to those already specified in the previous set of Guidelines. The proposed new terms are as follows:

Confidentiality and security

The service provider must be able to protect the confidentiality of the institution's customer information, documents, records and assets, particularly where multi-tenancy arrangements (i.e., where a single computing infrastructure (e.g., services, databases, etc.) is used to serve multiple customers) are present at the service provider.

Sub-contracting

The institution should be allowed to conduct audits on the service provider and its sub-contractors. MAS should be allowed, where necessary or expedient, to exercise the contractual rights of the institution to access and inspect the service provider's sub-contractors. The institution and MAS should also be allowed to obtain copies of any audit report and finding made on the service provider's sub-contractors, whether produced by the service provider's or its sub-contractors' internal or external auditors, or by agents appointed by the service provider and its sub-contractor, in relation to the outsourcing arrangement.

Indemnity

The proposal for the service provider to indemnify MAS, its officers, agents, and employees has been removed following the industry's feedback.

Request for reports

The service provider should be required to comply, as soon as possible, with any request from MAS or the institution to the service provider and its sub-contractors to submit any reports on the security and control environment of the service provider and its sub-contractors in relation to the outsourcing arrangement.

Reporting requirements

The types of events and the circumstances under which the service provider should report to the institution, in order for the institution to take prompt risk mitigation measures and notify MAS of such developments as required under the Revised Outsourcing Guidelines, should be specified, such as where there are instances of breaches of confidentiality in relation to customer information.

Smooth transition on termination

The outsourcing contract should also contain provisions that will ensure a smooth transition when the contract is terminated or amended by either party. Such provisions may facilitate transferability of the outsourced services to a bridge-institution or a third party. A "bridge-institution" means an institution that temporarily takes over and maintains certain assets, liabilities and operations of a distressed financial institution, as part of a resolution authority's exercise of resolution power.

Business Continuity Management

Under the Revised Outsourcing Guidelines, institutions are expected to ensure that their business continuity is not compromised by outsourcing arrangements; in particular, the operation of their critical systems as stipulated under the Technology Risk Management Notice. Institutions should adopt the sound practices and standards contained in the Business Continuity Management ("BCM") Guidelines issued by MAS in 2003 and further supplemented in 2006.

Outsourcing outside Singapore

MAS has clarified that only material outsourcing arrangements with service providers or sub-contractors located outside Singapore are subject to the expectation that such arrangements be conducted in a manner so as not to hinder MAS' efforts to supervise their business activities. In particular, an institution should only enter into outsourcing arrangements with parties in jurisdictions that generally uphold confidentiality agreements. Furthermore, the institution should not enter into outsourcing arrangements with service providers in jurisdictions where prompt access to information by MAS or its agents may be impeded by legal or administrative restrictions.

Next Steps

Institutions are expected by MAS to conduct a self-assessment of all existing outsourcing arrangements against the Revised Outsourcing Guidelines within three months from the issuance of the Guidelines (i.e., by 26 October 2016). If there are deficiencies, these will need to be rectified no later than 12 months from the issuance of the Revised Outsourcing Guidelines (i.e., by 26 July 2017).

If you would like information on this or any other area of law, you may wish to contact the partner at WongPartnership that you normally deal with, or contact the following lawyers:

Rosabel Ng
Head, Derivatives & Structured Products Practice
DID: +65 6416 8269
Email: rosabel.ng@wongpartnership.com

Elaine Chan
Senior Consultant, Financial Services Regulatory Practice
DID: +65 6416 8010
Email: elaine.chan@wongpartnership.com

Lam Chung Nian
Head, Intellectual Property, Technology & Media, Telecommunications and Data Protection Practices
DID: +65 6416 8271
Email: chungnian.lam@wongpartnership.com

CASEWATCH AUGUST 2016

WONGPARTNERSHIP OFFICES

SINGAPORE
WongPartnership LLP
12 Marina Boulevard Level 28
Marina Bay Financial Centre Tower 3
Singapore 018982
Tel: +65 6416 8000 Fax: +65 6532 5711/5722

CHINA
WongPartnership LLP Beijing Representative Office
Unit 3111 China World Office 2
1 Jianguomenwai Avenue, Chaoyang District
Beijing 100004, PRC
Tel: +86 10 6505 6900 Fax: +86 10 6505 2562

WongPartnership LLP Shanghai Representative Office
Unit 1015 Corporate Avenue 1
222 Hubin Road
Shanghai 200021, PRC
Tel: +86 21 6340 3131 Fax: +86 21 6340 3315

INDONESIA
Makes & Partners Law Firm (an associate firm)
Menara Batavia, 7th Floor
Jl. KH. Mas Mansyur Kav. 126
Jakarta 10220, Indonesia
Tel: +62 21 574 7181 Fax: +62 21 574 7180
Website: makeslaw.com

MALAYSIA
Foong & Partners Advocates & Solicitors (an associate firm)
13-1, Menara 1MK, Kompleks 1 Mont Kiara
No 1 Jalan Kiara, Mont Kiara
50480 Kuala Lumpur, Malaysia
Tel: +60 3 6419 0822 Fax: +60 3 6419 0823
Website: foongpartners.com

MIDDLE EAST
Al Aidarous International Legal Practice (an associate firm)
Abdullah Al Mulla Building, Mezzanine Suite 02
39 Hameem Street, Al Nahyan Camp Area
P.O. Box No. 71284
Abu Dhabi, UAE
Tel: +971 2 6439 222 Fax: +971 2 6349 229
Website: aidarous.com

Al Aidarous International Legal Practice (an associate firm)
Zalfa Building, Suite 101-102
Sh. Rashid Road, Garhoud
P.O. Box No. 33299
Dubai, UAE
Tel: +971 4 2828 000 Fax: +971 4 2828 011

MYANMAR
WongPartnership Myanmar Ltd.
No. 1, Kaba Aye Pagoda Road
Business Suite #03-02, Yankin Township
Yangon, Myanmar
Tel: +95 1 544 061 Fax: +95 1 544 069

contactus@wongpartnership.com
wongpartnership.com