On July 27, 2016, the Monetary Authority of Singapore (MAS) issued revised Guidelines on Outsourcing (Guidelines) that raise the standards of financial institutions’ outsourcing risk management practices.
Changes in the new Guidelines include a new section on cloud computing, which the Guidelines recognize as a form of outsourcing arrangement requiring the same level of sound governance and risk management practices mandated for other forms of outsourcing. Certain additional obligations are also imposed for “material outsourcing arrangements,” including the requirement to perform periodic reviews at least annually and to ensure that outsourcing agreements incorporate clauses granting MAS audit and information access.
The revised Guidelines apply to outsourcing arrangements with both third-party service providers and with entities within the institution’s corporate group (including its parent, subsidiaries, and affiliates). The Guidelines themselves are not legally binding, but MAS will consider an institution’s implementation of the Guidelines in determining the supervisory conduct of the institution’s board and senior management in the areas of governance, internal controls, and risk management.
In implementing the Guidelines, financial institutions should conduct a self-assessment of all existing outsourcing arrangements by no later than October 26, 2016 and rectify deficiencies identified in the self-assessments by July 26, 2017. A MAS Notice on Outsourcing, which will define a set of minimum standards for outsourcing management, will be issued at a later date once MAS completes an internal review of industry feedback.