MAS proposes new outsourcing standards

Globally, regulators are updating the standards that financial institutions must adhere to when outsourcing services*.

With isolated high-profile lapses in Singapore by outsourced service providers**, the Monetary Authority of Singapore (MAS) similarly proposed to revise its outsourcing standards, which were last updated in 2005. Public consultation on MAS’ proposals ended last October.

This article explains why Singapore firms and their outsourced service providers should monitor the release of MAS’ revised outsourcing standards, which is expected soon.

MAS’ proposals significantly enhance existing obligations

Key takeaways include:

• More entities will need to adhere to MAS’ outsourcing standards
• More examples of services that must be assessed for outsourcing risk
• Many new obligations pertaining to outsourcing arrangements
• Breach of certain outsourcing standards may have consequences beyond supervisory action

More entities will need to adhere to MAS’ outsourcing standards

MAS’ outsourcing standards apply now to MAS-licensed banks, finance companies, registered insurers, approved exchanges, designated clearing houses, capital markets services licensees (comprising certain securities firms and fund managers) and approved collective investment scheme trustees.

MAS proposes to extend outsourcing standards to other entities, including licensed insurers, registered or regulated insurance intermediaries, licensed financial advisers, recognized market operators, licensed trade repositories, trustee-managers of registered business trusts and licensed trust companies.

There are more examples of services that must be assessed for outsourcing risk

While there is no exhaustive list, MAS proposed new examples of services that if performed by a service provider for a firm would need to be assessed for outsourcing risk. These include middle office functions, order processing, trade settlement, risk management, legal, compliance, business continuity and disaster recovery functions and activities, IT systems hosting and security and data archiving and storage.

Currently, employment of temporary staff, credit and background checks and printing services are not intended to be subject to assessment for outsourcing risk. MAS proposed to change this so that firms must consider if the provision of such services needs to be subject to, and is adequately served by, risk management and controls.

There are many new obligations pertaining to outsourcing arrangements

Examples are:

1. Firms should notify MAS before committing to starting a material outsourcing arrangement. Currently, the firm has an option of notifying MAS after entering into a material outsourcing arrangement.
2. Firms that become regulated by the MAS or bound by an outsourcing arrangement after acquiring another firms’ business should self-assess all existing or newly-acquired outsourcing arrangements against MAS’ outsourcing standards and give MAS written notice of material outsourcing arrangements within 2 months of becoming regulated by the MAS or the acquisition date.
3. Enhanced obligations on the board and senior management. For instance, the board, or a committee deleted by it, must set a suitable risk appetite to define the nature and extent of risks that the firm is willing and able to assume from its outsourcing arrangements and ensure that senior management establishes appropriate governance structures and processes for sound and prudent risk management, including a management body that reviews controls for consistency and alignment with a comprehensive institution-wide view of risk.
4. Firms must at least yearly have appropriately-skilled persons visit service providers onsite to do due diligence. This should be supplemented where possible with independent reviews and market feedback. Due diligence should extend to the service provider’s risk management frameworks and capabilities and disaster recover arrangements if the service provider is responsible for providing this. Firms should ensure that a service provider’s employees are fit and proper.
5. At least yearly reviews of outsourcing arrangements to ensure that the firms outsourcing risk management policies and procedures and the MAS’ outsourcing standards are effectively implemented.

Breach of certain outsourcing standards may have consequences beyond supervisory action

Currently, MAS’ outsourcing standards are contained in guidelines and breaches result in supervisory action. MAS proposed that selected standards form the subject of formal notices, possibly to levy fines in the event of breach. These standards relate for instance to the need to:

1. Have and document the existence and function of a proper risk management framework for material outsourcing arrangements
2. Perform due diligence on service providers
3. Ensure the right of the firm and MAS to access information
4. Protect customer data
5. Audit or have expert assessments of material outsourcing arrangements
6. Have the right to terminate an outsourcing arrangement

*The US Office of the Comptroller of the Currency issued guidance on Third-Party Relationships in October 2013. The UK Financial Conduct Authority issued “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions” in July 2014.

**Standard Chartered Client Data Stolen in Singapore”, Wall Street Journal, 5 Dec 2013. Read the MAS media release here.