Singapore: Knowledge that cannot be outsourced. Are you ready for the latest MAS outsourcing regime?

Written By

Kenneth Lo

Counsel
Singapore

I am a financial services regulatory lawyer, covering payments, capital markets services regulatory and crypto regulatory areas.

Jolie Giouw

Counsel
Singapore

I am a Counsel in our Corporate and Commercial Group in Singapore. I am involved in a wide range of corporate matters across various sectors, with a focus on corporate finance as well as mergers and acquisitions.

Key takeaways

  • On 11 December 2023, the Monetary Authority of Singapore (“MAS”) released a new regulatory framework for outsourcing. This framework will go live on 11 December 2024. This will bring new sets of additional requirements for Financial Institutions (“FIs”) to comply with.
  • The new framework differentiates (a) banks and merchant banks (“Banks”) and (b) financial institutions other than Banks (“FIOBs”) into two regimes. The framework is accompanied by guidelines and notices which apply to the FI relevant to it, for instance:
    • the new notices for Banks apply calibrated requirements depending on the materiality and nature of the outsourced relevant services and introduce new requirements on Banks regarding their outsourcing service providers;
    • the new Guidelines on Outsourcing applicable to Banks set out MAS’ expectations for Banks in managing the risks of outsourced ongoing relevant services; and
    • the new Guidelines on Outsourcing applicable to FIOBs have new enhancements that increase the oversight that MAS has over these FIOBs.

Background

This new framework replaces the existing framework which remains in effect until 10 December 2024. The existing framework consists of:

  1. two Bank notices related to outsourcing - MAS Notice 634 for banks and MAS Notice 1108 for merchant banks which relates only to when the outsourced function was performed outside Singapore; and
  2. MAS Guidelines on Outsourcing which are applicable to all FIs (“2016 Outsourcing Guidelines”).

The new framework aims to better manage risks associated with outsourcing arrangements, including to better protect customers’ confidential information by ensuring that Banks pay due care to any outsourcing arrangement that involves the disclosure of customer information, whether such disclosure is in connection with the performance of an outsourced function in or outside Singapore.

Further, MAS seeks to adopt a more targeted approach in regulating outsourcing, given that between each class of FIs, there is a variation of scale and the nature of outsourcing utilised.

Who is impacted?

Previously, the 2016 Outsourcing Guidelines provided one unified set of guidelines on outsourcing which applied equally to all FIs.

In the new framework, there are two sets of guidelines, of which:

  1. the Guidelines on Outsourcing (Banks) (“Bank Guidelines”) apply only to Banks; and
  2. the Guidelines on Outsourcing (Financial Institutions other than Banks) (“FIOB Guidelines”) apply to financial institutions that are not Banks. These include finance companies, insurers, payment service providers and financial advisors.

Further, there are also new notices issued to banks (MAS Notice 658) and merchant banks (MAS Notice 1121) on the management of outsourced relevant services (“New Bank Notices”), which are referred to in the Bank Guidelines.

What has changed in the new framework?

Banks

The changes include:

  • introducing a definition for “Material Ongoing Outsourced Relevant Services” (“MOORS”), being: an outsourced relevant service that is provided on an ongoing basis and where the failure of the service provider to properly provide the service may materially adversely affect the business, customers, the financial soundness or reputation of the Bank, or the ability of the Bank to manage its risks or to comply with all laws and regulatory requirements applicable to the Bank.
  • introducing calibrated requirements depending on the materiality and nature of the outsourced relevant services:
    • MOORS are subject to the full set of requirements (being the relevant New Bank Notices and the Bank Guidelines); and
    • outsourced relevant services that involve the disclosure of customer information but are not classified as MOORS are subject to a subset of requirements aimed at protecting customer information.
  • implementing new requirements for Banks such as to:
    • maintain and submit an outsourcing register to MAS;
    • include certain terms in their outsourcing agreements; and
    • obtain customer consent for any sub-contracting that involves the disclosure of customer information.
  • implementing new requirements for outsourced relevant services that involve the disclosure of customer information but are not classified as MOORS, including:
    • conducting due diligence checks;
    • having prescribed terms in the outsourcing agreement with the service provider, such as the right of the Bank and MAS to audit the service provider; and
    • implementing adequate measures to protect customer information.

Financial Institutions other than Banks

For FIOBs, they should already be complying with the 2016 Outsourcing Guidelines, and the key provisions that continue to apply in the FIOB Guidelines include:

  • where MAS is not satisfied with the FIOB’s observance of the expectations in the FIOB Guidelines, MAS could require the FIOB to take additional measures to ensure its compliance;
  • due diligence undertaken during the assessment processes of outsourcing suppliers should be re-performed periodically. A risk-based approach may be used to determine the frequency for the re-performance of due diligence for outsourcing arrangements; and
  • FIOBs have to contractually ensure that the service provider has in place satisfactory business continuity plans (“BCP”) that are commensurate with the nature, scope and complexity of the outsourcing arrangement.

However, the good news is that outsourcing agreements are no longer required to contain recovery time objectives or recovery point objectives. Further, to ensure that they are meaningful, tests of BCPs and disaster recovery should continue to include both the FIOB and the outsourced service provider.

What happens next?

For Banks and FIOBs

  • Carry out an in-depth review to identify within your existing outsourcing arrangements and outsourcing registers the outsourced relevant services. Thereafter, assess the materiality and risks of such services (including those that may not continue after December 2024). For Banks, where any outsourcing arrangements involve disclosure of customer information, notwithstanding that such services cease to be ongoing, sections in the New Bank Notices may still apply.
  • Review and renegotiate your agreements.
    • Ensure that the contractual terms and conditions governing relationships, obligations, responsibilities, rights and expectations of the contracting parties in the outsourcing arrangement are carefully and properly defined in written agreements.
    • Ensure that the terms are also updated to comply with the new requirements.
  • Review and update your policies.
    • Include policies to protect any customer information disclosed to service providers/sub-contractors. Note that sub-contracting that involves disclosure of customer information requires customer consent.
    • For Banks, implement a group policy relating to outsourced relevant services to ensure that the Bank’s branches and overseas subsidiaries comply with the requirements and expectations in the New Bank Notices and the Bank Guidelines.
    • Review your compliance manual and/or outsourcing policy and procedures to ensure that they are in line with the new requirements.
    • Maintain your outsourcing registers to track all outsourced service providers, regardless of whether the outsourcing arrangement is material or non-material.
  • Due diligence checks
    • Perform due diligence checks on outsourced service providers (including their reliance on and success in dealing with sub-contractors) and assess the processes for procuring and evaluating your outsourcing arrangements.
    • Monitor the performance of outsourced service providers on an ongoing basis.

Assistance

We have called on our deep understanding of the commercial drivers of IT procurement and outsourcing, our financial services regulatory expertise and our commercial experience to establish a team capable of delivering complete, accurate, and commercial advice in relation to assisting our clients to be compliant with MAS’ latest outsourcing requirements.

We can help by:

  • working with you to update your outsourcing policies and compliance manual so that they fulfil MAS requirements and expectations;
  • reviewing your outsourcing agreements and putting in legal clauses to avoid having all your affiliates and service providers re-sign your outsourcing agreements each time you take away or add a service provider;
  • assisting in vendor-related negotiations relating to outsourcing obligations;
  • undertaking mock MAS inspections on your outsourcing framework to identify enhancements to be made.

Should you have any questions or require any assistance, please contact us.

Discover more about the regime and key considerations for your digital transformation journey, particularly in human resources and payroll services, at our upcoming webinar on 6th August from 2:30 pm to 4:00 pm SGT. Don’t miss out — sign up here.

 

This article is produced by our Singapore office, Bird & Bird ATMD LLP. It does not constitute legal advice and is intended to provide general information only. Information in this article is accurate as of 26th July 2024.
