Are Singapore’s Monetary Authority’s proposed outsourcing rules clear enough?

The Monetary Authority of Singapore (“MAS”) is consulting on a new notice and guidelines on outsourcing. Having already commented on its positive message for cloud services, this post addresses the rest of the consultation.

In summary, we think:

  1. MAS’s proposals are generally positive and helpful.
  2. However, in some areas more clarity could be provided.

Background

MAS first issued its ‘Guidelines on Outsourcing’ in 2004 (and updated them in 2005).  Under this consultation:

  1. MAS proposes to issue a Notice that defines a set of minimum mandatory standards for outsourcing. The Notice is in addition to the Guidelines.  The Notice sets out requirements for the assessment of service providers, access to information, conduct of audits on a service provider, protection of customer data, and termination of and exiting from an outsourcing arrangement.
  2. MAS has also proposed updated Guidelines.  The MAS has focused on certain areas, including the responsibility of boards and senior management, monitoring, notification, employee screening, audit and registries of outsourcing arrangements.

Interested parties should submit views and comments to MAS by email to outsourcing@mas.gov.sg by 7 October 2014.

What we like

  1. The consultation is, in and of itself, a good thing.  The original Guidelines are now nearly 10 years old.  The MAS recognises that practices have changed and there are risks that need to be addressed.
  2. MAS recognises the value that outsourcing can bring.  Outsourcing shouldn’t always be about cost reduction.  It can also be about improvement and innovation.  The MAS therefore recognises that outsourcing is fundamentally important to the financial industry but wants to make sure that the risks involved are properly dealt with.
  3. MAS embraces cloud computing.  There’s plenty to be relieved about (and grateful for): see here.
  4. Clarity in relation to the application of the Technology Risk Management (TRM) and Business Continuity Management (BCM) guidelines.  Financial Institutions (“FIs”) are required to evaluate their outsourcing arrangements against these frameworks.  It’s good to see a clear link to these guidelines, which were developed after the original Outsourcing Guidelines.  However, the MAS could add a helpful line by saying that not all of the TRM and BCM guidelines are relevant for each and every outsourcing arrangement (but this is probably clear enough).
  5. Emphasis on the responsibility of local boards/management.  This will encourage local branches and entities of international banks to think locally as well as internationally.  It’s not always good enough to roll out a global solution without thinking about local impact.
  6. Emphasis on staff awareness.  There’s a new line in the guidance that staff must be made aware of the policies and procedures for an FI’s outsourcing arrangements.  Increased awareness within FIs will be helpful.
  7. Contracts must be legally enforceable and have exercisable rights during a breach.  MAS stresses the importance of good legal contracts.  FIs must make sure their legal teams are vested in their outsourcing processes.

Some important points we would like to see MAS clarify

  1. The existing Technology Questionnaire on Outsourcing.  It’s not clear what will happen to this.  The questionnaire is not expressly mentioned in the new documents.  The questionnaire is a helpful document for FIs to use and helps with internal processes.  It would be useful if the MAS would express how the questionnaire will fit into the new (and more detailed) guidelines on notifying MAS of outsourcing arrangements (even if there is to be a new questionnaire, a mention of it would help).
  2. Definition of “outsourcing arrangement”:  An outsourcing arrangement must be something that is “integral to the provision of a financial service by the FI”.  This wording isn’t helpful.  It was in the old guidelines and is in the new guidelines.  It is hard to say that a lot of outsourcing is “integral” to financial services provided by FIs, e.g. a printing service, a facilities management service or a cloud service for document storage.  These are “back of house” services.  However, it would seem that these will nevertheless be regulated because they are services that may involve access to customer data (for example).  This definition seems contradictory (especially when you read the list (in the annex) of examples of outsourcing arrangements).
  3. Definition of material outsourcing.  The definition has changed and now includes the following line: “any outsourcing that adversely affects the ability to manage risk and to comply with laws/regulations or which involves customer information”.  It’s hard to think of many outsourcing arrangements that don’t fit this part of the definition.  Does the MAS intend that all of these kinds of arrangements would be deemed “material” and therefore subject to the additional requirements?
  4. FIs must notify adverse developments.  There is currently no materiality threshold, which suggests that “any” adverse development or breach of law must be notified.  This could be too onerous for FIs.
  5. The notification process (or lack thereof).  What happens after the notification process?  It has often been unclear for FIs undertaking outsourcing in the past how long their “discussion/consultation” process with MAS will last, or what the outcome is.  It would be more transparent and helpful if the MAS could provide a clearer idea of the timelines/process expected.
  6. MAS says that FIs “may” want to make Service Providers (SPs) contractually liable for their subcontractors.  How can MAS be sure FIs will be monitoring everything and complying with all obligations if an SP has no liability for acts of subcontractors?  This seems like a missing link in the chain, and we would expect that FIs will in practice ensure that their SPs are liable for their sub-contractors.
  7. Audit.  MAS deals with annual reviews and audits in multiple different places in these proposals (and in its existing guidelines, e.g. TRM guidelines).  Clarification of how these audits fit together would be helpful.  Can they be consolidated?  What if the information is made available by an SP so an audit doesn’t need to be carried out?  Can an SP impose limits on the audit, e.g. no access to other customers’ information?  What about independent third party audits?
  8. Termination rights.  We think that the termination requirements are tough.  Not every breach is a material breach or one that would warrant a termination.  It will be tough for FIs to include this kind of right in negotiations with SPs.  The MAS could add a qualification to this requirement that breaches must be material (or that a series of repeated breaches may be material) and trigger a termination right.
  9. Requirement of written confirmations from supervisory authorities of the SP if the SP is an overseas FI.  (a) It is not clear if this requirement applies to all outsourcing arrangements or material outsourcing arrangements.  (b) Is the MAS confident that overseas supervisory authorities will provide such written confirmations?  The concerns that the MAS lists are sensible, but the practice for this kind of written confirmation from overseas supervisory authorities is not yet common.  Perhaps the MAS could state that this requirement is something that the MAS may ask for, but, for the moment, it is not a default requirement (until the practice becomes more common internationally).

Some less important points that could helpfully be clarified

  1. Requirement that the SP can isolate and identify customer data.  The MAS could clarify that this can be achieved through technical means.
  2. Due diligence on staff of the SP.  This is referred to in the new guidance as the “fit and proper” criteria.  FIs must ensure that employees of the SP (and subcontractors) are not subject to disciplinary proceedings, are not convicted and are financially sound.  In itself, this is a sensible rule and most FIs will do this already to some extent.  However, as it is a new rule, the MAS could help by more clearly saying that these criteria should be applied depending on the job that is being performed.
  3. RPO and RTO requirements.  How do these requirements apply to an SP who operates two active sites?  The MAS could say that the RPO and RTO requirements are necessary where an immediately available alternative active site is not available.
  4. Clarification of whether or not the SP is responsible for FIs’ compliance with the rules.  The MAS seems to suggest that the SP is also to be held responsible for complying with these rules that apply to FIs.  It should be clear that FIs are responsible for complying with the rules and that FIs should pass down the relevant obligations to the SPs in the outsourcing contract, where necessary for the FI to ensure that it has complied with the rules.  To say that the SP must comply with all of the same rules is not clear and, in fact, unhelpful because it is too general an obligation.
  5. Application of the rules to overseas branches of FIs.  The new rules suggest that an overseas branch of an FI must comply with the rules.  If a branch in Singapore outsources services to an overseas branch, and the overseas branch further outsources some or all of the same services to an SP, then it is right that the rules should still apply.  However, if the overseas branch outsources services that are not connected to the Singapore operations or Singapore customers, then why would the MAS rules apply?
  6. Indemnity requirement.  The MAS has included a new requirement for FIs to obtain indemnities from SPs in favour of the MAS if the MAS exercises an audit/review right.  This isn’t something that regulators commonly ask for.  First, is it really necessary?  How often would an SP take action against the MAS?  Who else might bring a claim against the MAS in this situation?  Indemnities are often difficult to negotiate.  The MAS has not set out what the scope of the indemnity should be – which will make it more difficult to negotiate the indemnity with SPs.  We think that this requirement isn’t really necessary and could be dropped without harm to the MAS.

Next steps:

Customers, suppliers and advisors have until 7 October to submit a reply to the MAS.

Let’s see to what extent they address the points noted above.


MAS Embraces Cloud: A Silver Lining

There should be relief at the moment felt by financial institutions and cloud service providers alike, following the release of the MAS’s consultation on the proposed new outsourcing notice and updated guidelines as mentioned in Rob’s previous post.

The MAS doesn’t use the word “cloud” expressly in its consultation.  However, the MAS has made important changes to the outsourcing guidelines.  The changes are relevant to cloud services and, most importantly, there are positive references to cloud services.  Cloud is OK provided you follow MAS’s rules.

  1. An OK for SaaS, PaaS and IaaS.  In Annex 1 of the proposed updated guidelines, the MAS expressly lists “SaaS, PaaS and IaaS” as kinds of services that, when performed by a third party, would be regarded as outsourcing arrangements (and therefore subject to the MAS’s notice and guidelines on outsourcing).  Therefore, the MAS is saying that cloud is a type of service that falls within outsourcing.  The implication must be that financial institutions can use cloud services as long as the cloud services they adopt comply with the notice and guidelines on outsourcing.
  2. An OK to multi-tenancy arrangements.  In sections 5.6.2 and 5.7.2 of the updated guidelines, the MAS makes express reference to “multi-tenancy arrangements”.  In a footnote the MAS explains that “Multi-tenancy generally refers to a mode of operation adopted by service providers where a single computing infrastructure (e.g. servers, databases etc.) is used to serve multiple customers (tenants).”  The MAS goes on to say that if a financial institution is using a multi-tenancy arrangement then it should pay particular attention to the ability of the arrangement to isolate and clearly identify the financial institution’s documents, data, information etc.  Again, therefore, the implication must be that financial institutions can use cloud services as long as the cloud services they adopt comply with the notice and guidelines on outsourcing.  In sections 5.6.2 and 5.7.2, the MAS has picked out certain areas where the financial institutions should pay particular attention if they are using cloud services.  So this isn’t a “no” to cloud services but rather a “yes, but be careful”.
  3. An OK to transfers of customer information.  The definition of a “material outsourcing arrangement” in the updated guidelines now expressly includes an arrangement “which involves customer information”.  Most cloud services will involve customer information.  The implication is that financial institutions can enter into outsourcing transactions that involve customer information and, therefore, can use cloud services, as long as the cloud services they adopt comply with the notice and guidelines on outsourcing.  This means that the MAS will consider most cloud services as a “material outsourcing arrangement” and so the additional requirements will apply to cloud services (e.g. notification to the MAS, prior to committing to the cloud services).
  4. An OK to outsourcing outside of Singapore.  In section 5.10 of the updated guidelines the MAS deals with outsourcing outside of Singapore.  This section has not really changed but it is noteworthy that the MAS recognises that “the engagement of a service provider in a foreign country… exposes an institution to country risk”.  The MAS does not say that a financial institution cannot outsource outside of Singapore.  The MAS points out that an outsourcing outside of Singapore carries additional risks that the financial institution must address.  Many cloud services will (to varying extents) be provided from locations outside of Singapore.  The implication is that a financial institution can carry out outsourcing outside Singapore, and therefore can use cloud services that are provided from locations outside of Singapore, as long as the cloud services they adopt comply with the notice and guidelines on outsourcing.  This means that financial institutions must address the additional “country risks”.

In summary, these are positive steps for customers and service providers of cloud services.  As the proposed new guidelines currently stand, the MAS has decided not to call out cloud services in much detail.  Instead the MAS seems to be moving towards accepting cloud services as just another service delivery model, rather than as something that needs additional regulation or treatment.  This is good news.

Apart from cloud, the new notice and updated guidelines should be welcomed.  There are some points that the MAS should be asked to clarify and now’s the time to do that – more on these points in our next blog.  However, overall, these proposals are good for cloud and good for the financial services industry in Singapore.


Responsible investment in Myanmar


Myanmar is a country with tremendous opportunities, but also tremendous risks. I was fortunate enough to host and chair a seminar in Singapore yesterday on responsible investment into Myanmar.

Introduction by Rt. Hon Hugo Swire MP

The seminar started with an introduction and overview by the Rt. Hon Hugo Swire MP, Minister of State, Foreign and Commonwealth Office. Hugo provided an overview of Myanmar’s historical context (including explaining  that, in deference to Daw Aung San Suu Kyi, the British Government calls Myanmar Burma) and current UK government actions to support its development and reintegration with the international community, in particular giving examples of how the UK is working to improve the business environment as a whole by strengthening the Myanmar government’s capacity for economic governance, transparency and accountability.

A framework for responsible investment

The next speaker, Richard Welford, Chairman, CSR Asia, set out a framework for responsible and inclusive investment into Myanmar. Author of CSR Asia’s report “Responsible and Inclusive Business in Myanmar”, he explained that responsibility encompassed developing six aspects of Myanmar’s capital (in the economic, not geographic sense) and addressing three areas to increase inclusion:

Development of capitals through responsibility

Richard explained his view that responsible companies will contribute to the development of Myanmar’s capitals through their business activities, in particular how companies make their profits and how they provide benefits to stakeholders through their economic activities. The six capitals are:

  • Economical Capital
  • Political Capital
  • Legal Capital
  • Technological Capital
  • Social Capital
  • Environmental Capital

Including the poorest members of society

Richard went on to explain that “inclusive” business is a commercially viable and scalable way to incorporate low-income populations into corporate value chains. It aims to combat the poverty challenge in Myanmar and provides access to goods, services and livelihood opportunities for the poorest. The report outlines three ways of including poor people in Myanmar:

  • New employment opportunities and capacity building
  • New consumer markets and distribution networks
  • Business linkages along the value chain

More details on responsibility and inclusion (including practical steps) can be found in the full report.

CSR in ASEAN context

The final speaker, Thomas Thomas, CEO, ASEAN CSR Network, is the lead author of the report on CSR and human rights in ASEAN for the ASEAN Intergovernmental Commission on Human Rights. He explained the context for CSR across the ASEAN region and provided his perspective on practical steps companies could take.

The seminar closed with a lively interactive panel discussion of questions from the floor.


Monetary Authority of Singapore publishes consultation on revising outsourcing guidelines

On Friday 5 September, the Monetary Authority of Singapore (which regulates financial institutions in Singapore) published a consultation on revising its existing guidelines on outsourcing.

Responses are due by the 7th October.



ECJ finds Data Retention Directive invalid. What next?

On 8 April 2014 the European Court of Justice ruled that the Data Retention Directive 2006/24/EC interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data. The Directive is declared invalid. Today’s post by Sylvie Rousseau and Matthias Vierstraete explains what the court decided and the implications for national laws across Europe.

A. The Directive

Directive 2006/24/EC strives for harmonization of the Member States’ national legislations providing for the retention of data by providers of publicly available electronic communications services or of a public communications network for the prevention, investigation, detection and prosecution of criminal offences. The initial intention was that service and network providers would be freed from legal and technical differences between national provisions.

The Directive and the national laws implementing it were often criticized, the main argument being that massive data retention endangered the right to privacy. The advocates of the rules, however, argued that these rules were necessary for authorities to investigate and prosecute organized crime and terrorism.

B. The Court of Justice

By way of preliminary rulings referred to the Court of Justice of the European Union, the Irish High Court and the Austrian Constitutional Court asked the Court of Justice to examine the validity of the Directive, in particular in the light of two fundamental rights under the Charter of Fundamental Rights of the EU, namely the fundamental right to respect for private life and the fundamental right to the protection of personal data.

Analysis of the data to be retained
The Court of Justice verified the data which providers must retain pursuant to the Directive. This data includes data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify the location of mobile equipment, the name and address of the user, the number called, IP addresses, etc. The Court observes that the retention of this data makes it possible to know the identity of the participants in communications, to identify the time of the communication, the place from where the communication took place and the frequency of communications with certain persons (§26).

This data, according to the Court, allows very precise conclusions concerning the private lives of the persons whose data has been retained, such as habits of everyday life, places of residence, movements, social relationships and social environments frequented.

Analysis of the interference with fundamental rights
The Court comes to the conclusion that both requiring the retention of the data and allowing competent national authorities to access those data constitutes in itself interference with the fundamental right to respect for private life and with the fundamental right to the protection of personal data (respectively articles 7 and 8 of the Charter of Fundamental Rights of the European Union) (§ 32 – 36).

The Court agrees with the Advocate General when it states that the interference is “particularly serious”. The Court in this respect holds that “the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the person concerned the feeling that their private lives are the subject of constant surveillance” (§37).

According to the Court, this interference is not only serious but also not justified. Although the retention of data as required by the Directive does not as such adversely affect the essence of the respect for private life and the protection of personal data (the content of the communications as such may not be reviewed), and the Directive genuinely satisfies an objective of general interest (public security), the Court is of the opinion that the Directive has exceeded the limits imposed by the proportionality principle (§69):

  • The Directive covers all persons and all means of electronic communications as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime (§57);
  • The Directive fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to data and their subsequent use (§60);
  • The data retention period is set at between a minimum of 6 months and a maximum of 24 months without any distinction being made between categories of data and without stating that the determination of the period must be based on objective criteria (§63 – 64);
  • The Directive does not provide for sufficient safeguards to ensure effective protection of data against the risk of abuse and against unlawful access and use (§66);
  • The Directive does not require data to be retained within the EU and thus does not meet the Charter’s requirement that compliance control by an independent authority is ensured.
The Court of Justice thus declares the Directive invalid.

C. What’s next?

Following the Court’s invalidation of the Directive, one could wonder how this will affect European legislation and national legislation.

Europe
The invalidity ruled by the Court applies from the day on which the Directive entered into force. It is as if the Directive never existed.

The European Commission stated in a first reaction that it “will now carefully assess the verdict and its impacts”. It is not clear whether the Commission will draft new legislation replacing the invalidated Directive. Taking into account the fact that the current Commission’s term only runs until 31 October 2014, it is not widely anticipated that a new law will be put forward soon.

Member States
Member States having transposed the Directive into national laws may now consider the future of these laws.

Where a national law is a literal transposition of the now invalidated Directive, that national law meets with the same fate. One may consider that in such a situation Member States should redraft their laws in order to be in line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.

If national law deviates from the Directive, Member States should assess whether the deviations are in line with the relevant Directives (95/46/EC and 2002/58/EC) and the Charter of Fundamental Rights of the European Union.

The Court of Justice’s ruling may also have an impact on national cases concerning the legality of national laws implementing the Directive, as there are several cases pending before the constitutional courts.

  • Austria and Ireland are at the origin of the European Court of Justice’s ruling, following their constitutional courts’ requests for a preliminary ruling concerning the validity of Directive 2006/24/EC;
  • Belgium: On 24 February 2014, the Belgian “Liga voor Mensenrechten” and “Ligue des droits de l’Homme” together filed a complaint before the constitutional court in order to obtain cancellation of the Belgian law implementing the Directive. The complaint was funded through crowdfunding. Following the Court of Justice’s ruling, some political parties already asked government to take the necessary steps and to amend the current legislation;
  • Bulgaria: In 2008, the Bulgarian Constitutional Court found part of the national law incompatible with the right to privacy;
  • France: In 2006, the French Constitutional Court ruled that French law provisions similar to those provided for in the Directive are not contrary to the constitution. However, in December 2013, the French data protection authority (CNIL) reacted vigorously against a new law enabling certain ministries, including French secret services, access to data retained by telecommunications operators, internet and hosting service providers, without prior approval from a judge. On that occasion, the CNIL called for a national debate on surveillance issues which could be influenced by the recent ECJ’s ruling.
  • Germany: The German Constitutional Court already declared the German implementing act unconstitutional in 2010;
  • Romania: In 2009, the Romanian Constitutional Court declared the national law on data retention unconstitutional as breaching, among others, the right to privacy and the secrecy of correspondence;
  • Slovakia: In 2012, a complaint was filed before the constitutional court in order to assess the conformity with the constitution;
  • Spain: The Directive was implemented into national laws in 2007. The Spanish data protection authority (AEPD) had voiced its reservations about the Directive and requested the Government to accompany the implementation of these rules with measures curtailing the impact on data subjects’ privacy;
  • Sweden: In May 2013, Sweden was ordered to pay the European Commission 3 million EUR because Sweden had failed its obligation to timely implement the Directive;
  • United Kingdom: As yet there has been no official comment from the UK government or the Information Commissioner on the ruling of the Court of Justice. Controversial 2012 proposals for a Communications Data Bill to overhaul and significantly extend the UK’s data retention obligations were already in the political long grass – and the Court of Justice’s ruling means they are likely to stay there as we understand it.