The Monetary Authority of Singapore (MAS) has issued new notices to banks and merchant banks in Singapore (collectively referred to as Banks) on the management of outsourced relevant services (Notices). These Notices set out the requirements that a Bank must comply with for the purposes of managing the risks associated with the Bank’s outsourced relevant services.
Background
Currently, Banks are subject to the Guidelines on Outsourcing (Existing Guidelines), which provide guidance on sound practices on risk management of outsourcing arrangements, and in particular, material outsourcing arrangements. Guidelines are not legally binding, and contravening guidelines does not attract civil penalties. However, how well an institution observes guidelines issued by MAS may have an impact on MAS' overall risk assessment of that institution.
In September 2014, MAS proposed to issue a Notice on Outsourcing that sets out the minimum standards for outsourcing management for financial institutions (FIs). This proposal was subsequently refined in February 2019 and December 2020 where MAS issued a consultation paper on the proposed enhancements to the outsourcing management regime for Banks (February 2019) and another consultation paper on the proposed Notices to Banks (December 2020).
Unlike guidelines, notices issued by MAS have legal effect. In effect, MAS' proposal will elevate the requirements on outsourcing management to have a legally binding effect on Banks.
In December 2023, MAS published its response to the feedback received to its December 2020 consultation on the proposed Notices. At the same time, MAS also published:
(i) the new Notices, being MAS Notice 658 to Banks and MAS Notice 1121 to Merchant Banks;
(ii) a new set of 'Guidelines on Outsourcing (Banks)' (New Guidelines);
(iii) an updated set of Frequently Asked Questions (FAQs) on Guidelines on Outsourcing; and
(iv) a template of Outsourcing Register.
New Notices
The requirements in the new Notices apply depending on whether the outsourced relevant service: (i) is material and ongoing (such service is termed as "material ongoing outsourced relevant service" or MOORS); or (ii) involves the disclosure of customer information by Banks to service providers.
Generally, the term "outsourced relevant services" refers to any service obtained or received by a Bank that: (i) is or was performed by the Bank prior to the Bank obtaining or receiving such service; or (ii) is integral to any business that the Bank may carry on under the Banking Act.
The Notices set out further examples on services which may or may not be considered "outsourced relevant services".
A summary of key requirements in the new Notices is set out below.
(A) Outsourced relevant service
In relation to all outsourced relevant services, Banks are to maintain and keep updated a register (Outsourcing Register) listing all:
(i) ongoing outsourced relevant services (essentially an outsourced relevant service that extends beyond 12 months); and
(ii) outsourced relevant services (including those which are non-material or one-off) that involve the disclosure of customer information.
The Outsourcing Register is to be submitted to MAS semi-annually and upon request.
Banks must also implement a group policy relating to outsourced relevant services to ensure that each of its branches complies with the requirements in the Notices as if it were a Bank. MAS expects Singapore-incorporated Banks to extend these group policies to their overseas subsidiaries.
(B) Material Ongoing Outsourced Relevant Service or MOORS
1. Due diligence
Banks are required to establish a framework for evaluating a service provider and such framework should minimally assess the matters set out in the Notices. Banks must conduct initial due diligence checks against this framework, and be satisfied of the results, before obtaining any MOORS.
Subsequently, post-commencement due diligence may be performed on a risk-based approach, but no later than 24 months of obtaining the MOORS. Thereafter, due diligence may be performed at a frequency approved by the board of the Bank. All due diligence checks are to be documented.
This approach applies to both intragroup and non-intragroup MOORS.
2. Sub-contracting
Barring certain exceptions, MOORS are not permitted to be sub-contracted by a Bank unless the sub-contracting does not involve any disclosure of customer information, or where the sub-contracting involves the disclosure of customer information, the Bank has obtained the written consent of the customer.
Where a MOORS is permitted to be sub-contracted, further requirements apply, such as ensuring Banks are notified within a reasonable period of the engagement of a sub-contractor.
3. Outsourcing Agreement
Before obtaining a MOORS, a Bank must enter into an outsourcing agreement which should address certain matters set out in the Notices, such as the right of MAS to audit the service provider, the right of the Bank to request for any information relating to the MOORS to be provided by the service provider to the Bank or MAS, and the right of the Bank to terminate the outsourcing agreement in specified circumstances.
4. Protection of Customer Information
Banks must implement adequate measures in a MOORS to protect customer information that is disclosed to a service provider or sub-contractor. Such measures must minimally include, amongst other things, notifying them in writing of the Bank's confidentiality obligations under the Banking Act 1970 (Banking Act) and common law, and ensuring that customer information is disclosed to or accessed by the service provider or sub-contractor and its employees only to the extent necessary to provide the MOORS.
5. Audit
Banks are to conduct independent audits on each of their MOORS minimally once every three years. For intragroup MOORS, the independent audits may be conducted at a frequency approved by the board.
6. Termination
Upon the occurrence of certain circumstances, a Bank should consider whether to exercise its right to terminate the outsourcing agreement. In severe circumstances (such as where the service provider or sub-contractor has failed, or demonstrated a deterioration in their ability, to safeguard the confidentiality of information in its custody), if the Bank chooses to terminate the outsourcing agreement, it should notify the MAS as soon as possible.
7. MOORS from an Overseas Regulated FI (ORFI)
Where the service provider or sub-contractor for a MOORS is an ORFI, Banks must implement measures to ensure that, amongst other things, customer information is adequately protected when accessed by the supervisory authority of the ORFI. Banks must also provide a written undertaking to notify MAS in writing of any disclosure of customer information in the possession of the ORFI to its supervisory authority, within 14 days after such disclosure.
(C) Outsourced relevant service (which are non-material or non-ongoing) involving disclosure of customer information
Baseline requirements aimed at protecting customer information apply to such outsourcing. These include, but are not limited to the Bank having to:
(i) conduct initial due diligence, and be satisfied, before obtaining the outsourcing. The due diligence should minimally cover matters such as the service provider's reputation and track record for safeguarding the confidentiality and integrity of customer information in its custody;
(ii) satisfy itself, on an ongoing basis, of the service provider's ability to safeguard the confidentiality and integrity of customer information in its custody;
(iii) enter into an outsourcing agreement which should address certain matters, such as the right of the Bank to terminate the agreement in specified circumstances (such as the failure to safeguard customer information or a deterioration in the ability to safeguard customer information);
(iv) implement adequate measures to protect customer information that is disclosed to the service provider. Such measures must minimally include, amongst other things, notifying the service provider in writing of the Bank's confidentiality obligations under the Banking Act and common law, and ensuring that the customer information is disclosed to or accessed by the service provider and its employees only to the extent necessary to provide the outsourced relevant service; and
(v) upon the occurrence of the circumstances specified in (iii) above, notify MAS as soon as possible, and consider whether to exercise its right to terminate the outsourcing agreement.
New Guidelines
MAS has issued the New Guidelines to complement the Notices which take effect on 11 December 2024. The New Guidelines set out MAS' expectations on a Bank that has entered into, or is planning to enter into, an arrangement for ongoing outsourced relevant services (save for exempted outsourced relevant services).
Primarily, the New Guidelines align the existing expectations in the Existing Guidelines with the requirements in the new Notices, and incorporate new expectations on MOORS (such as requirements for Banks to use outsourcing agreements to cascade certain requirements to sub-contractors).
Banks should apply the New Guidelines from 11 December 2024, and the Existing Guidelines in the interim. The Existing Guidelines will be amended and renamed as 'Guidelines on Outsourcing (Financial Institutions other than Banks)' with effect from 11 December 2024.
Effective dates
For requirements in the Notices relating to outsourcing agreements, the MAS will allow a longer timeline for Banks to bring their outsourcing agreements into compliance, as set out below. All other requirements in the Notices which do not relate to outsourcing agreements will take effect from 11 December 2024.
Outsourcing agreements entered into on or before 11 December 2023 (T)

| Point of renewal | Time by which outsourcing agreement must comply with relevant requirements in the Notices |
| --- | --- |
| On or before T+12 months | The later of: (i) next renewal as determined at T; or (ii) T + 12 months |
| After T+12 months | Outsourcing agreements with such a long duration that they are due for renewal more than 12 months from T should be limited. Banks with such evergreen or long dated agreements should inform MAS and provide a plan for bringing these agreements into compliance with the Notices. |

Outsourcing agreements entered into after 11 December 2023 (T)

| Point of entering into agreement | Time by which outsourcing agreement must comply with relevant requirements in the Notices |
| --- | --- |
| Between T and T+12 months | The later of: (i) the first renewal of the outsourcing agreement; or (ii) T + 12 months |
| After T+12 months | Upon entering into the outsourcing agreement |

The MAS has updated the FAQs on Guidelines on Outsourcing on 11 December 2023.
The MAS has also published a template of Outsourcing Register that Banks should adopt for submissions to MAS from 11 December 2024.
Conclusion
Given the increasing complexity and dependency on outsourcing arrangements, it is prudent for Banks to regularly assess their risk management practices for outsourcing arrangements.
In view of the new Notices and Guidelines, Banks should critically assess the following areas:
(i) Policies and procedures -- Banks should review their current policies and procedures on outsourcing management, particularly those concerning MOORS and services that involve the disclosure of customer information, against the requirements set out in the new Notices and New Guidelines, ahead of the 11 December 2024 deadline. Factoring in the time needed to update policies and procedures, obtain relevant stakeholder and management approvals, and train or educate employees on the updated policies and procedures, this may mean that Banks should start looking into this as early as possible in 2024.
(ii) Outsourcing agreements -- The new Notices and New Guidelines may require Banks to renegotiate the terms of their existing outsourcing agreements, or update the Banks' internal positions when it comes to entering into new outsourcing agreements. Banks should be prepared that they may have to change and source for new contractors, should the new terms not be acceptable to their existing contractors. Again, such process takes time and Banks should note the staggered deadlines for outsourcing agreements to come into compliance with the new requirements.
Authors: Lena Ng, Sheena Teng