Monetary Authority of Singapore - Circular regarding its outsourcing and cloud computing

July 2011

Introduction

The Monetary Authority of Singapore (MAS) has introduced the new MAS Technology Questionnaire (Questionnaire) for Outsourcing through the issuance of a circular, dated 14 July 2011, on information technology outsourcing. A financial institution should complete and submit the Questionnaire to MAS before effecting any significant IT outsourcing. The MAS deems any IT outsourcing involving customer personal or account data, transactions, deposits, loans, payment card data, trading details and investment portfolios to be significant IT outsourcing. The circular also specifically references cloud computing and reminds financial institutions of their responsibilities for effective due diligence, oversight and management of outsourcing, and that accountability for all outsourcing decisions continues to rest with the financial institution, its board and senior management.

Financial institutions' obligations in relation to IT outsourcing

When carrying out any form of information technology outsourcing, including that employing cloud computing technology, financial institutions are obliged to ensure that:

  • effective due diligence, oversight and management of outsourcing and accountability for the outsourcing remain with the financial institution;
  • a proper framework, policies and procedures are in place to evaluate, approve, review, control and monitor the risk and materiality of the outsourcing;
  • outsourcing does not result in any weakening or degradation of a financial institution’s internal controls; and
  • the service provider employs a high standard of care and diligence in protecting the confidentiality and security of its sensitive information such as customer data, computer files, records and computer codes.

Further concerns in relation to cloud computing services and IT outsourcing

The circular stresses the need for financial institutions to be aware of the unique attributes and risks of cloud computing, especially with regard to data integrity, recoverability, confidentiality and legal issues such as regulatory compliance and auditing.

Financial institutions need to:

  • evaluate the service provider’s ability to clearly identify and protectively isolate their customer data and other sensitive information from that of other financial institutions, given that the service provider is likely to be processing data for multiple financial institutions;
  • ensure that they retain a contractual right to have all information and assets promptly removed or destroyed upon termination of the service provider’s services, regardless of the reasons for termination; and
  • assess the resiliency and safety of the service provider’s infrastructure to ensure that its business continuity preparedness is not compromised by this outsourcing.

Conclusion

Financial institutions should perform a thorough risk assessment of the proposed outsourcing arrangements against all relevant MAS regulations, guidelines and other requirements prior to undertaking any significant IT outsourcing. Financial institutions must be mindful that the Questionnaire should be completed and submitted to the MAS before committing to any significant IT outsourcing.

A copy of the MAS Technology Questionnaire for Outsourcing is available here.