The Monetary Authority of Singapore (MAS) has issued new Notices to Banks and Merchant Banks on Management of Outsourced Relevant Services (the Notices), which will take effect from 11 December 2024.
The Notices set out legally binding requirements for banks and merchant banks (collectively, Banks) to manage the risks arising from their use of outsourced relevant services, which are services that are integral to any business that the Banks may carry on under the Banking Act 1970 (the BA).
The Notices apply different levels of requirements depending on the materiality and nature of the outsourced relevant services. Material ongoing outsourced relevant services (MOORS) are subject to the full set of requirements, while outsourced relevant services that involve the disclosure of customer information are subject to a subset of requirements aimed at protecting customer information.
The Notices introduce new requirements for Banks to maintain and submit an outsourcing register to the MAS, to perform due diligence on service providers and sub-contractors, to include certain terms in their outsourcing agreements, and to obtain customer consent for sub-contracting that involves disclosure of customer information.
The Notices are complemented by a new set of Guidelines on Outsourcing (Banks) (the Guidelines for Banks), which set out the MAS’ expectations for Banks to manage the risks of outsourced relevant services, including those that are not MOORS.
Background and scope of the Notices
The Notices are part of the MAS’ efforts to enhance the regulatory framework for the outsourcing arrangements of financial institutions in light of the increasing use and complexity of such arrangements, especially those involving technology service providers and cloud services.
The Notices will replace the existing MAS Notices 634 and 1108 on Outsourcing, which were issued in 2005 and 2014 respectively, and apply to all Banks in Singapore, regardless of whether they are incorporated in Singapore or not.
The Notices define an outsourced relevant service as a “relevant service” that is integral to any business that the Bank in Singapore may carry on under the BA and is obtained or received by the Bank from a service provider. A “relevant service” means any service obtained or received by the Bank, other than a service provided in the course of employment by an employee of the Bank or a service provided by a director or officer of the Bank in the course of the director’s or officer’s appointment.
The Notices provide several annexes to help Banks determine which relevant services are outsourced relevant services, namely:
- Annex A: a non-exhaustive list of relevant services that are considered outsourced relevant services because they are integral to any business that the Bank in Singapore may carry on under the BA;
- Annex B: a list of relevant services that are excluded from being considered outsourced relevant services;
- Annex C: a list of relevant services that are deemed by the MAS to be outsourced relevant services; and
- Annex D: a list of exempted outsourced relevant services, which are services wholly provided by GovTech or agents appointed by GovTech, or services that are not for the conduct of any financial business of the Bank and where the service provider does not receive, handle or have access to the Bank’s confidential information or customer information.
The Notices also define a MOORS as an outsourced relevant service that is provided on an ongoing basis and where the failure of the service provider to properly provide the service may materially adversely affect the business, customers, the financial soundness or reputation of the Bank, or the ability of the Bank to manage its risks or to comply with all laws and regulatory requirements applicable to the Bank.
The Notices further define a “customer” as a person who has an account with the Bank or who has entered into a transaction or a contract with the Bank in relation to any product or service provided by the Bank, including any person who is designated by the MAS for the purposes of the definition of “customer” in section 40A of the BA. “Customer information” means any information relating to a customer of the Bank that is received, accessed, collected, copied, modified, used, stored or processed by the Bank or the service provider in the course of providing or receiving an outsourced relevant service.
Requirements for MOORS
The Notices require Banks to comply with the following requirements for each of their MOORS:
- Perform due diligence on the service provider and any sub-contractor before engaging them, and re-perform due diligence within the first 24 months of engaging them or at a frequency approved by the Bank’s board, whichever is earlier.
- Include certain terms in the outsourcing agreement with the service provider, such as the right of the Bank and MAS to audit the service provider, the right of the Bank to terminate the outsourcing agreement in specified circumstances, and the obligation of the service provider to protect the confidentiality and integrity of the Bank’s information.
- Ensure that independent audits are conducted on each MOORS at least once every three years, or at a frequency approved by the Bank’s board for intragroup MOORS.
- Implement adequate measures to protect customer information that is disclosed to the service provider or sub-contractor, such as ensuring that customer information is disclosed or accessed only to the extent that is necessary for the service provider or sub-contractor to provide the MOORS, and notifying the service provider or sub-contractor of its obligations of confidentiality under the BA and common law.
- Obtain customer consent for the disclosure of customer information to sub-contractors, unless the customers are other Banks or other financial institutions designated by the MAS for the purposes of the definition of “customer” in section 40A of the BA.
- Notify the MAS within 14 working days if the Bank elects to exercise its right to terminate the outsourcing agreement on grounds pertaining to a failure to safeguard customer information or a deterioration in the ability to safeguard customer information.
Requirements for outsourced relevant services that involve the disclosure of customer information
The Notices require Banks to comply with the following requirements for each of their outsourced relevant services that involve the disclosure of customer information, regardless of whether the outsourced relevant service is ongoing or not:
- Include certain terms in the outsourcing agreement with the service provider, such as the right of the Bank and MAS to audit the service provider, the right of the Bank to terminate the outsourcing agreement in specified circumstances, and the obligation of the service provider to protect the confidentiality and integrity of the Bank’s information.
- Implement adequate measures to protect customer information that is disclosed to the service provider or sub-contractor, such as ensuring that customer information is disclosed or accessed only to the extent that is necessary for the service provider or sub-contractor to provide the outsourced relevant service, and notifying the service provider or sub-contractor of its obligations of confidentiality under the BA and common law.
- Obtain customer consent for the disclosure of customer information to sub-contractors, unless the customers are other Banks or other financial institutions designated by the MAS for the purposes of the definition of “customer” in section 40A of the BA.
Other requirements
The Notices also require Banks to comply with the following requirements for all of their outsourced relevant services, regardless of their materiality or nature:
- Maintain and keep updated an outsourcing register that includes a list of all ongoing outsourced relevant services and all outsourced relevant services that involve the disclosure of customer information, and submit the outsourcing register to the MAS semi-annually or upon request.
- Implement a group policy relating to outsourced relevant services to ensure that each of the Bank’s branches complies with all of the requirements in the Notices as if these branches were Banks in Singapore, and extend the group policy to the Bank’s overseas subsidiaries.
Guidelines for Banks
The Guidelines for Banks will complement the Notices and set out the MAS’ expectations for Banks to manage the risks of outsourced relevant services, including those that are not MOORS. Banks will be subject to the Guidelines for Banks, while the previously applicable MAS Guidelines on Outsourcing will continue to apply only to non-Bank financial institutions.
The Guidelines for Banks cover the following areas:
- Risk management framework for outsourced relevant services, which includes the roles and responsibilities of the board and senior management, the risk assessment and approval process, the outsourcing policy and procedures, and the monitoring and review mechanisms.
- Due diligence on service providers and sub-contractors, which includes the evaluation of the service provider’s track record, financial strength, technical competence, business reputation, and compliance with laws and regulations.
- Outsourcing agreements, which includes the expectation for Banks to include certain terms in their outsourcing agreements, such as the scope of services, service levels, performance indicators, reporting requirements, business continuity arrangements and dispute resolution mechanisms.
- Protection of customer information, which includes the expectation for Banks to implement measures to safeguard customer information that is disclosed to service providers or sub-contractors, such as encrypting or anonymising customer information, restricting access to customer information, and conducting audits or reviews on the service provider’s or sub-contractor’s compliance with confidentiality obligations.
- Audit, which includes the expectation for Banks to ensure that audits are conducted by independent and competent parties, and to rely on pooled audits or third-party certification performed by independent parties subject to certain conditions.
- Sub-contracting, which includes the expectation for Banks to assess and manage the risks involved before allowing sub-contracting of outsourced relevant services, and to consider including certain terms in their outsourcing agreements to cascade requirements to sub-contractors.
- Cloud services, which includes the expectation for Banks to adopt a risk-based approach when using cloud services, and to consider certain factors when assessing the suitability of cloud service providers, such as the cloud service provider’s governance and security capabilities, the data location and segregation arrangements, the portability and interoperability of data and systems, and the exit plan and transition arrangements.
Summary and timeline
The Notices and the Guidelines for Banks represent a significant enhancement of the regulatory framework for the outsourcing arrangements of Banks in Singapore, and reflect the MAS’ recognition of the growing importance and complexity of such arrangements in the financial sector.
The Notices and the Guidelines for Banks will take effect from 11 December 2024. The existing MAS Guidelines on Outsourcing, which will be renamed the Guidelines on Outsourcing (Financial Institutions other than Banks), will also take effect from the same date.
The Notices and the Guidelines for Banks will apply to all existing and new outsourcing arrangements of Banks, subject to certain transitional arrangements for outsourcing agreements, as follows:
- For outsourcing agreements entered into on or before 11 December 2023 (T), Banks must comply with the relevant requirements in the Notices by the later of (i) the next renewal of the outsourcing agreement as determined at T, or (ii) 11 December 2024 (T+12 months).
- For outsourcing agreements entered into between T and T+12 months, Banks must comply with the relevant requirements in the Notices at the later of (i) the first renewal of the outsourcing agreement, or (ii) T+12 months.
- For outsourcing agreements entered into after T+12 months, Banks must comply with the relevant requirements in the Notices upon entering into the outsourcing agreement.
Recommendations
In view of the new outsourcing requirements, we recommend that Banks take the following practical steps to align with the Notices and the Guidelines for Banks:
- Conduct a comprehensive review of their existing outsourcing arrangements and outsourcing register to identify and classify their outsourced relevant services, including MOORS and outsourced relevant services that involve the disclosure of customer information, and assess the materiality and risks of such services.
- Review and update their outsourcing policy and procedures to align with the requirements and expectations in the Notices and the Guidelines for Banks, and ensure that the policy and procedures are approved by the board and senior management, and communicated to relevant staff and stakeholders.
- Review and renegotiate their existing outsourcing agreements with service providers and sub-contractors to include the required terms in the Notices, and ensure that the outsourcing agreements are consistent with the outsourcing policy and procedures.
- Review and enhance their due diligence, monitoring and audit processes for service providers and sub-contractors, and ensure that the due diligence, monitoring and audit results are documented and reported to the board and senior management.
- Review and implement adequate measures to protect customer information that is disclosed to service providers or sub-contractors, and obtain customer consent for sub-contracting that involves disclosure of customer information, where applicable.
- Review and implement a group policy relating to outsourced relevant services to ensure that the Bank’s branches and overseas subsidiaries comply with the requirements and expectations in the Notices and the Guidelines for Banks, as applicable.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
In-depth 2023-286