Out-Law News | 18 Sep 2014 | 11:13 am | 1 min. read
MAS has released two consultation papers containing a proposed set of guidelines to update those published in 2004 and a new notice on outsourcing. MAS said both papers are designed to “enhance” its regulatory framework.
The new notice sets out requirements for the assessment of service providers, access to information, the conduct of audits on a service provider, protection of customer data, and termination of and exiting from outsourcing arrangements.
The notice would impose legally-binding requirements on financial institutions, such as subjecting service providers to “appropriate due diligences processes to assess the risks associated with outsourcing arrangements when considering, renegotiating or renewing an outsourcing arrangement”.
MAS said the “expectation is for an institution to manage outsourcing arrangements as if the services continue to be conducted by the institution”.
According to MAS, while outsourcing arrangements “can bring cost and other benefits”, it may increase the risk profile of an institution in terms of “reputation, compliance and operational risks arising from failure of a service provider in providing the service, breaches in security, or inability to comply with legal and regulatory requirements by the institution”.
MAS said institutions can also be exposed to ‘country risk’, when a service provider is based overseas and ‘concentration risk’ when several of the institution’s functions are outsourced to the same service provider. “It is therefore important that an institution adopts a sound and responsive risk management framework for its outsourcing arrangements.”
MAS said institutions should also conduct self-assessments of all existing outsourcing arrangements against the new guidelines.
However, MAS said: “While an institution may delegate day-to-day operational duties to the service provider, the responsibilities for effective oversight and governance, and management of all outsourcing arrangements and associated risks, accountability for all outsourcing decisions, and implementation of a consistent institution-wide outsourcing risk management framework, in accordance with these guidelines, continue to rest with the institution, its board and senior management.”
It is the responsibility of boards and senior management to ensure there are “adequate processes” to provide a comprehensive institution-wide view of risk exposures from all outsourcing arrangements and to incorporate the assessment of such risks into an institution’s outsourcing risk management framework, MAS said.