The Monetary Authority of Singapore (“MAS”) is consulting on a new notice and guidelines on outsourcing. Having already commented on its positive message for cloud services, this post addresses the rest of the consultation. In summary, we think:
- MAS’s proposals are generally positive and helpful.
- However, in some areas more clarity could be provided.
Background
MAS first issued its ‘Guidelines on Outsourcing’ in 2004 (and updated them in 2005). Under this consultation:
- MAS proposes to issue a Notice that defines a set of minimum mandatory standards for outsourcing. The Notice is in addition to the Guidelines. The Notice sets out requirements for the assessment of service providers, access to information, conduct of audits on a service provider, protection of customer data, and termination of and exiting from an outsourcing arrangement.
- MAS has also proposed updated Guidelines. The MAS has focused on certain areas, including the responsibility of boards and senior management, monitoring, notification, employee screening, audit and registries of outsourcing arrangements.
Interested parties should submit views and comments to MAS by email to firstname.lastname@example.org by 7 October 2014.
What we like
- The consultation is, in and of itself, a good thing. The original Guidelines are now nearly 10 years old. The MAS recognises that practices have changed and there are risks that need to be addressed.
- MAS recognises the value that outsourcing can bring. Outsourcing shouldn’t always be about cost reduction. It can also be about improvement and innovation. The MAS therefore recognises that outsourcing is fundamentally important to the financial industry, but wants to make sure that the risks involved are properly dealt with.
- MAS embraces cloud computing. There’s plenty to be relieved about (and grateful for): see here.
- Clarity in relation to the application of the Technology Risk Management (TRM) and Business Continuity Management (BCM) guidelines. Financial Institutions (“FIs”) are required to evaluate their outsourcing arrangements against these frameworks. It’s good to see a clear link to these guidelines, which were developed after the original Outsourcing Guidelines. However, the MAS could add a helpful line by saying that not all of the TRM and BCM guidelines are relevant for each and every outsourcing arrangement (but this is probably clear enough).
- Emphasis on the responsibility of local boards/management. This will encourage local branches and entities of international banks to think locally as well as internationally. It’s not always good enough to roll out a global solution without thinking about local impact.
- Emphasis on staff awareness. There’s a new line in the guidance that staff must be made aware of the policies and procedures for an FI’s outsourcing arrangements. Increased awareness within FIs will be helpful.
- Contracts must be legally enforceable and have rights that can be exercised during a breach. MAS stresses the importance of good legal contracts. FIs must make sure their legal teams are involved in their outsourcing processes.
Some important points we would like to see MAS clarify
- The existing Technology Questionnaire on Outsourcing. It’s not clear what will happen to this. The questionnaire is not expressly mentioned in the new documents. The questionnaire is a helpful document for FIs to use and helps with internal processes. It would be useful if the MAS would express how the questionnaire will fit into the new (and more detailed) guidelines on notifying MAS of outsourcing arrangements (even if there is to be a new questionnaire, a mention of it would help).
- Definition of “outsourcing arrangement”: An outsourcing arrangement must be something that is “integral to the provision of a financial service by the FI”. This wording isn’t helpful. It was in the old guidelines and is in the new guidelines. It is hard to say that a lot of outsourcing is “integral” to financial services provided by FIs e.g. a printing service, a facilities management service or a cloud service for document storage. These are “back of house” services. However, it would seem that these will nevertheless be regulated because they are services that may involve access to customer data (for example). This definition seems contradictory (especially when you read the list (in the annex) of examples of outsourcing arrangements).
- Definition of material outsourcing. The definition has changed and now includes the following line: “any outsourcing that adversely affects the ability to manage risk and to comply with laws/regulations or which involves customer information”. It’s hard to think of many outsourcing arrangements that don’t fit this part of the definition. Does the MAS intend that all of these kinds of arrangements would be deemed “material” and therefore subject to the additional requirements?
- FIs must notify adverse developments. There is currently no materiality threshold, which suggests that “any” adverse development or breach of law must be notified. This could be too onerous for FIs.
- The notification process (or lack thereof). What happens after the notification process? It has often been unclear for FIs undertaking outsourcing in the past how long their “discussion/consultation” process with MAS will last, or what the outcome is. It would be more transparent and helpful if the MAS could provide a clearer idea of the timelines/process expected.
- MAS says that FIs “may” want to make Service Providers (SPs) contractually liable for their subcontractors. How can MAS be sure FIs will be monitoring everything and complying with all obligations if an SP has no liability for acts of subcontractors? This seems like a missing link in the chain, and we would expect that FIs will in practice ensure that their SPs are liable for their sub-contractors.
- Audit. MAS deals with annual reviews and audits in multiple different places in these proposals (and in its existing guidelines e.g. TRM guidelines). Clarification for how these audits fit together would be helpful. Can they be consolidated? What if the information is made available by a SP so an audit doesn’t need to be carried out? Can a SP impose limits on the audit e.g. no access to other customers’ information? What about independent third party audits?
- Termination rights. We think that the termination requirements are tough. Not every breach is a material breach or one that would warrant a termination. It will be tough for FIs to include this kind of right in negotiations with SPs. The MAS could add a qualification to this requirement that breaches must be material (or that a series of repeated breaches may be material) in order to trigger a termination right.
- Requirements of written confirmations from supervisory authorities of the SP if the SP is an overseas FI. (a) It is not clear if this requirement applies to all outsourcing arrangements or material outsourcing arrangements. (b) Is the MAS confident that overseas supervisory authorities will provide such written confirmations? The concerns that the MAS lists are sensible but the practice for this kind of written confirmation from overseas supervisory authorities is not yet common. Perhaps the MAS could state that this requirement is something that the MAS may ask for, but, for the moment, it is not a default requirement (until the practice becomes more common internationally).
Some less important points that could helpfully be clarified
- Requirement that SP can isolate and identify customer data. The MAS could clarify that this can be achieved through technical means.
- Due diligence on staff of SP. This is referred to in the new guidance as the “fit and proper” criteria. FIs must ensure that employees of the SP (and subcontractors) are not subject to disciplinary proceedings, have not been convicted, and are financially sound. In itself, this is a sensible rule and most FIs will do this already to some extent. However, as it is a new rule, the MAS could help by saying more clearly that these criteria should be applied depending on the job that is being performed.
- RPO and RTO requirements. How do these requirements apply to a SP who operates two active sites? The MAS could say that the RPO and RTO requirements are necessary where an immediately available alternative active site is not available.
- Clarification of whether or not the SP is responsible for the FI’s compliance with the rules. The MAS seems to suggest that the SP is also to be held responsible for complying with these rules that apply to FIs. It should be clear that FIs are responsible for complying with the rules and that FIs should pass down the relevant obligations to the SPs in the outsourcing contract, where necessary for the FI to ensure that it has complied with the rules. To say that the SP must comply with all of the same rules is not clear and is in fact unhelpful, because it is too general an obligation.
- Application of the rules to overseas branches of FIs. The new rules suggest that an overseas branch of an FI must comply with the rules. If a branch in Singapore outsources services to an overseas branch, and the overseas branch further outsources some or all of the same services to a SP, then it is right that the rules should still apply. However, if the overseas branch outsources services that are not connected to the Singapore operations or Singapore customers, then why would the MAS rules apply?
- Indemnity requirement. The MAS has included a new requirement for FIs to indemnify the MAS in respect of loss to the SP, if the MAS carries out an audit/review. FIs will have to work with the MAS to ensure that the MAS is comfortable with the indemnity offered. This isn’t something that regulators commonly ask for. We are not sure that this requirement is really necessary and we are not aware of a regulator needing to be indemnified in this way. We’ll have to watch this space but our view is that this requirement could be dropped without harm to the MAS.
Next steps: Customers, suppliers and advisors have until 7 October to submit a reply to the MAS. Let’s see to what extent the MAS addresses the points noted above.