On September 5, 2014, the Monetary Authority of Singapore (“MAS”) issued two related consultation papers entitled “Consultation Paper on Notice on Outsourcing” and “Consultation Paper on Guidelines on Outsourcing” (the “Consultation Papers”), which propose (i) the issuance of a new Notice on Outsourcing, that defines a set of minimum standards for outsourcing management (the “Notice”) and (ii) amendments to the existing Guidelines on Outsourcing (the “Guidelines”).
Under the Consultation Papers, the Guidelines remain applicable to all financial institutions including fund management companies (“FMCs”), both registered and licensed. However, the proposed Notice will apply to only some but not all financial institutions, for example, licensed FMCs will be subject to the Notice, but not registered FMCs.
Key proposals under the Notice
1. Material outsourcing
The scope of “material outsourcing” has been expanded to include an arrangement which:
- in the event of a service failure or security breach, has the potential to adversely affect an institution’s ability to manage risk and comply with applicable laws; or
- involves customer information and may, in the event of any unauthorized access or disclosure, loss or theft, materially impact an institution’s customers.
2. Outsourcing to regulated financial institutions outside Singapore (“overseas FIs”)
Where the service provider is an overseas FI, an institution must provide the MAS with a written confirmation by the service provider’s supervisory authority that:
- The MAS and any independent auditors appointed by it will be allowed access to the institution’s documents, records of transactions etc. stored or processed by the service provider, and that the institution and any auditor appointed by it may inspect the service provider’s control environment, insofar as it relates to the institution’s data processed by the service provider, and may report any findings to the MAS;
- in the case where the supervisory authority is a host supervisor, it shall not access any customer information of the institution that is in possession of the overseas FI and in the case where it is the home supervisor, it shall not access such information unless required solely for the purpose of carrying out its supervisory functions (a prior written notification must be provided to the MAS for such access); and
- the supervisory authority is prohibited under its laws from disclosing the information to any other person, or it undertakes to safeguard the confidentiality of the information.
An institution is required to ensure that periodic independent audits of all its material outsourcing arrangements are conducted. The scope of such audits must include an assessment of the service providers’ and its sub-contractors’ physical and IT security and control environments, incident management process and the institution’s observance of the Guidelines and compliance with the Notice (if applicable). A copy of the audit report is to be submitted to the MAS for information.
4. Outsourcing agreements
Outsourcing agreements must include provisions that indemnify and hold the MAS, its officers, agents and employees harmless from any liability, loss or damage to the service provider and its sub-contractors arising out of any access and inspection action.
5. Protection of customer data
Only those service providers that operate in jurisdictions which generally uphold confidentiality provisions and agreements may be engaged by an institution. Where customer information is to be disclosed, an institution must obtain appropriate legal advice in respect of the overseas jurisdiction where the outsourcing arrangement is to be performed. An institution is also required to notify the service provider in writing of its obligations of confidentiality under applicable laws and common law.
Key proposed amendments to the Guidelines
1. Notification of adverse developments
An institution is required to notify the MAS as soon as possible of any adverse development or breach of legal and regulatory requirements by itself or its service provider and sub-contractors from its outsourcing arrangement. The MAS must also be notified of such adverse development or breach encountered within the institution’s group.
2. Fit and proper assessment of service providers
An institution must ensure that the employees of the service provider and its sub-contractors undertaking any part of the outsourcing have been assessed to be fit and proper, consistent with the criteria applicable to its own employees. Any adverse findings should be considered in light of their relevance and impact to the outsourcing arrangement.
An institution must ensure that independent audits of all its outsourcing arrangements are conducted. The scope of such audits must include an assessment of the service providers’ and its sub-contractors’ physical and IT security and control environments, incident management process and the institution’s observance of the Guidelines and compliance with the Notice (if applicable), in relation to the outsourcing arrangement.
4. Register of outsourcing arrangements
The Guidelines now provide for a table format for the institutions to maintain an updated register of all existing outsourcing arrangements.
Invitation for Comments
Please refer to the Consultation Papers for the complete set of proposals. The deadline for comments and feedback to be submitted to the MAS is October 7, 2014. We are collating comments from clients and industry participants for submission to the MAS. If you have any comments on the proposals that you would like us to submit on your behalf, please contact Han Ming Ho (+65.6230.3966, email@example.com) or Josephine Law (+65.6230.3916, firstname.lastname@example.org).
If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work.
Han Ming Ho
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.