MAS Requirements Outsourcing

This section states that the institution should report to MAS as soon as possible any adverse developments arising from its outsourcing arrangements. While outsourcing customer information would normally have been one of the checkpoints for determining the materiality of an outsourcing agreement, the new definition means that any outsourcing that grants a provider access to customer information is likely to be significant outsourcing. Paragraph (b) above should not necessarily be interpreted as applying to clients of the institution as a whole and could therefore be interpreted as triggering a small number of clients of an institution because of the potential material impact on (for example).

Overall, we believe the guidelines represent an important step forward in the regulation of outsourcing by Singaporean institutions. While the guidelines apply to all outsourcing, some of the key changes reflect the commitment to technological developments that are in line with Singapore's ambitions to become ASEAN's leading financial and FinTech hub. The guidelines recognize the benefits of IT innovation and the pervasive nature of outsourcing, while demonstrating MAS's growing focus on cybersecurity and technology risk management.

In July 2016, MAS, Singapore's sole banking regulator and central bank, released its risk management outsourcing policy. In the guidelines, MAS outlined its expectations for outsourcing cloud services by financial institutions in Singapore, including banks, insurance companies and trust companies. This is the result of an industry-wide consultation that began in October 2014 and in which Microsoft participated. In addition, the business continuity guidelines issued in June 2003 continue to apply to all outsourcing arrangements that may have an impact on business continuity, whether or not they are related to information technology.
Microsoft's response to the MAS guidance focuses on MAS recommendations for prudent risk management practices in outsourcing. It describes point by point how Microsoft has the right policies, processes, and tools in place to help you assess risk, provides checklists to help you evaluate our enterprise cloud services, and describes governance and internal control processes.

“Material outsourcing” was defined in the 2005 Guidelines as “an outsourcing arrangement that, if interrupted, is likely to have a significant impact on the business, reputation or viability of an institution”. This gave an institution considerable flexibility to establish its own materiality “gates” in its own compliance framework.

While the guidelines reinforce MAS's approach to outsourcing activities, the Technology Risk Management (TRM) Guidelines (published in June 2013) continue to apply to technology risk management in general and should continue to be considered by institutions with respect to technology outsourcing. It also states that the institution should take into account the disaster recovery arrangements made by the service provider when entering into equipment outsourcing agreements with service providers outside Singapore.

7. Cloud Computing

No, no notice, consultation or approval of outsourcing agreements is required. However, MAS expects financial institutions to be willing to demonstrate how they comply and to notify MAS as soon as possible of adverse developments arising from a financial institution's outsourcing agreements – for example, a data breach.

Q: How could the institution ensure that independent audits of the outsourcing agreement are conducted if the outsourced service is the internal audit function?

The guidelines contain a clear statement from MAS that cloud services are fundamentally no different from other outsourced services. While there are unique risks associated with cloud services, they need to be assessed and managed in the same way as other outsourcing risks. At the same time, the reference to 'hosting of information systems (e.g. software as a service, platform as a service, infrastructure as a service)' in the list of examples of 'outsourcing agreements' in Annex 1 to the Guidelines suggests that almost any type of cloud computing agreement is prima facie considered to be an 'outsourcing agreement'.

Obligation for commercial banks to protect the confidentiality of customer information in all outsourcing agreements. All outsourcing agreements should address the following additional issues.
While the MAS guidelines are not legally binding, MAS expects financial institutions to follow best practices when using outsourced services, particularly outsourcing agreements that MAS considers “significant,” a qualitative assessment that takes into account factors such as the impact and significance of outsourced activities.

Financial institutions are ultimately responsible for adapting to industry frameworks, certifications and regulations that apply to their use of cloud services and are subject to MAS oversight. To support your compliance, we provide a white paper on MAS guidelines and best practices for financial institutions in Singapore that outlines how Google Cloud helps financial institutions comply with MAS guidelines.