The Monetary Authority of Singapore (MAS) has on 27 July 2016 introduced the new Guidelines on Outsourcing (Outsourcing Guidelines) to financial institutions following extensive industry and public consultation which commenced in the later half of 2014. The key change to the Outsourcing Guidelines is the inclusion of a new section that covers the use of cloud services and a revision to the definition of “material outsourcing arrangement”.
The Outsourcing Guidelines treat cloud services operated by service providers as a form of outsourcing with risks that are not distinct from those associated with other traditional forms of outsourcing. In addition, financial institutions are required to take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and audit when adopting cloud services. The inclusion of the new section of cloud services is against the backdrop of wider adoption of cloud technology by financial institutions for their business and operational requirements.
The Outsourcing Guidelines define “material outsourcing arrangement” as an arrangement which involves customer information. MAS has in the Outsourcing Guidelines removed the requirement for financial institutions to notify MAS before making any “material outsourcing arrangements”. However, the MAS expects that financial institutions will exercise appropriate due diligence on their outsourcing arrangements and should be able to evidence to the MAS their compliance with the Outsourcing Guidelines. Part of the compliance requirements under the Outsourcing Guidelines would be to submit an outsourcing register to MAS at least annually or upon request.
The Outsourcing Guidelines also remove the prior requirement to complete the MAS Technology Questionnaire for Outsourcing before making any significant IT outsourcing commitments as The Guidelines on Outsourcing supersedes the Information Technology (IT) Outsourcing Circular dated 14 July 2011.
The Outsourcing Guidelines still maintain MAS’s position that outsourcing does not diminish the obligations of a financial institution and that it is crucial for financial institutions to adopt a sound and responsive risk management framework for its outsourcing arrangements.
MAS is currently reviewing the industry’s feedback on the proposed Notice on Outsourcing, which was also issued in the later half of 2014 together with the proposed Guidelines on Outsourcing, and will issue the Notice once the review has been completed. We will keep you posted on any further developments in this space.