NOTICE ON OUTSOURCING



Similar documents
GUIDELINES ON OUTSOURCING

GUIDELINES ON OUTSOURCING

SUPERVISION GUIDELINE

Statement of Guidance: Outsourcing All Regulated Entities

Objective and key requirements of this Prudential Standard

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

GUIDANCE NOTE ON OUTSOURCING

Consultation Paper on Proposed Credit Bureau Regulatory Framework and Credit Bureau Bill

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

Outsourcing Risk Guidance Note for Banks

the Financing of Terrorism

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Financial Services Guidance Note Outsourcing

Guidance Note on Outsourcing/Delegation of Functions

SUPERVISORY AND REGULATORY GUIDELINES: PU GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

CONSULTATION PAPER P September Proposed Amendments to the Deposit Insurance and Policy Owners' Protection Schemes Act

TRUST COMPANIES ACT (CHAPTER 336)

Principles on Outsourcing by Markets

14 December 2006 GUIDELINES ON OUTSOURCING

Mapping of outsourcing requirements

Managing Outsourcing Arrangements

POV on Draft Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

System of Governance

GUIDE TO INVESTMENT FUNDS IN BERMUDA

NEW NOTICE ON REQUIREMENTS FOR REGISTERED INSURANCE BROKERS EXEMPT FROM HOLDING A FINANCIAL ADVISER S LICENCE UNDER SECTION 23(1)(c)

Decision on outsourcing. Article 1

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

Financial Advisers (Amendment) Bill

OUTSOURCING POLICY

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

DRAFT AUDITOR SERVICES CONTRACT AGREEMENT FOR AUDITOR SERVICES

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

BE IT ENACTED by the Queen s Most Excellent Majesty, by

BANKING ORDINANCE. Authorization of Virtual Banks. A Guideline issued by the Monetary Authority under Section 16(10)

CONSULTATION PAPER ON HIGH LEVEL PRINCIPLES ON OUTSOURCING COVER NOTE

GUIDELINES ON FIT AND PROPER CRITERIA

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations

Insolvency INSOLVENCY PRACTITIONER REGULATIONS 2014

Guidance note on Outsourcing/Delegation of Functions and inward outsourcing

European Stability Mechanism Draft Guideline on Financial Assistance for the Direct Recapitalisation of Institutions

Ministry of Labour and Social Policy LAW ON VOLUNTARY FULLY FUNDED PENSION INSURANCE ( )

INTERNATIONAL COLLECTIVE INVESTMENT SCHEMES LAW

technical factsheet 176

BUSINESS ASSOCIATE AGREEMENT

Requirements made under the Intermediaries Byelaw

PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS

Managing General Agents (MGAs) Guideline

Payment and Settlement Systems (Finality and Netting) Bill

Act on Investment Firms /579

for Fund Management Companies and Exempt Financial Intermediaries

Standard conditions of purchase

CAYMAN ISLANDS. Supplement No. 1 published with Gazette No. 22 of 22nd October, MUTUAL FUNDS LAW (2012 REVISION)

SECURITIES AND FUTURES ACT (CAP. 289)

INVESTMENT FUNDS ACT 2006 BERMUDA 2006 : 37 INVESTMENT FUNDS ACT 2006

IAC 11/18/09 Insurance[191] Ch 58, p.1 CHAPTER 58 THIRD-PARTY ADMINISTRATORS

COLLECTIVE INVESTMENT LAW DIFC LAW No. 2 of 2010

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

INTRODUCTION... 3 OVERSEA COMPANIES... 9

Isle of Man Financial Supervision Commission. Business Plan Guidance for Licence Applicants

BUSINESS ASSOCIATE AGREEMENT

Guidelines. ADI Authorisation Guidelines. Australian Prudential Regulation Authority. April 2008

Supervisory Policy Manual

Business Associate Agreement

This form may not be modified without prior approval from the Department of Justice.

Authorised Persons Regulations

Singapore Diamond Investment Exchange Pte Ltd SDiX Depository Pte Ltd Application for Membership -- Approved Supplier

NOTICE TO BANKS MONETARY AUTHORITY OF SINGAPORE ACT, CAP. 186 PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM - BANKS

BERMUDA TRUSTS (REGULATION OF TRUST BUSINESS) EXEMPTION ORDER 2002 BR 38 / 2002

Cloud Computing: Legal Risks and Best Practices

CONSULTATION PAPER NO

(Unofficial translation by the Financial and Capital Market Commission)

GENERAL LICENSING POLICY FOR THOSE SEEKING A BANKING, INVESTMENT BUSINESS OR FIDUCIARY SERVICES LICENCE

Prudential Practice Guide

British Virgin Islands Insurance Companies

PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM - BANKS

Policy Statement: Licensing Policy in respect of those activities that require a permit under the Insurance Business (Jersey) Law 1996

Clause 1. Definitions and Interpretation

[To All Financial Institutions Exempt from Holding Capital Markets Services Licence]

Corporate Finance Adviser. Code of Conduct

BERMUDA INVESTMENT FUNDS ACT : 37

OUTSOURCING GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2008

INSURANCE CORE PRINCIPLES, STANDARDS, GUIDANCE AND ASSESSMENT METHODOLOGY

Option Table - Directive on Statutory Audits of Annual and Consolidated Accounts

Janison Terms and Conditions. Updated Jan 2013

Supplement No. 5 published with Gazette No. 15 of 20th July, MUTUAL FUNDS LAW. (2009 Revision)

Transcription:

CONSULTATION PAPER P018-2014 SEPTEMBER 2014 NOTICE ON OUTSOURCING

PREFACE 1 MAS first issued the Guidelines on Outsourcing in 2004 1 ( Guidelines ) to promote sound risk management practices for the outsourcing arrangements of financial institutions ( institutions ). To enhance MAS regulatory framework, in addition to updating the Guidelines, MAS proposes to issue a Notice that defines a set of minimum standards for outsourcing management. The Notice sets out requirements for the assessment of service providers, access to information, conduct of audits on a service provider, protection of customer data, and termination of and exiting from an outsourcing arrangement. The expectation is for an institution to manage outsourcing arrangements as if the services continue to be conducted by the institution. 2 MAS invites interested parties to submit their views and comments on the proposed draft Notice. Electronic submission is encouraged. Please email your comments to outsourcing@mas.gov.sg by 7 October 2014. Alternatively, you may wish to submit your comments by post to: Outsourcing Workgroup (Attention: Banking Department II) Monetary Authority of Singapore 10 Shenton Way, MAS Building Singapore 079117 3 Please note that any submissions received may be made public unless confidentiality is specifically requested for the whole or part of the submission. 1 The Guidelines on Outsourcing was subsequently updated on 1 July 2005.

MAS XXX NOTICE TO FINANCIAL INSTITUTIONS XXX ACT DRAFT NOTICE ON OUTSOURCING (The Notice will be issued under the relevant provision(s) of the respective Act applicable to each institution, e.g. for banks, the Notice will be issued pursuant to section 55 and paragraph 3 of Part II of the Third Schedule of the Banking Act (Cap. 19).) MANAGEMENT OF OUTSOURCING ARRANGEMENTS 1. INTRODUCTION 1.1 This Notice is issued pursuant to section XXX of the XX Act. 2. DEFINITIONS 2.1 For the purpose of this Notice customer means (a) in relation to any trustee for a collective investment scheme authorised under section 286 of the Securities and Futures Act (Cap. 289), that is approved under that Act, the managers of and participants of the collective investment scheme; (b) in relation to an approved exchange, recognised market operator incorporated in Singapore, approved clearing house, recognised clearing house incorporated in Singapore, and licensed trade repository under the Securities and Futures Act, a person who may participate in one or more of the services provided by such entities; or (c) in relation to a licensed trust company under the Trust Companies Act (Cap. 336), a trust for which the trust company provides trust business services and includes the settlor and any beneficiary under the trust; 1

customer information means (a) in relation to a licensed trust company, protected information as defined in section 49 of the Trust Companies Act; (b) in relation to an approved exchange, recognised market operator incorporated in Singapore, approved clearing house and recognised clearing house incorporated in Singapore, user information as defined in section 2 of the Securities and Futures Act; (c) in relation to a licensed trade repository, user information and transaction information as defined in section 2 of the Securities and Futures Act; or (d) in the case of any other institution, information held by the institution that relates to its customers and these include customers accounts, particulars, transaction details and dealings with the financial institutions; institution means any financial institution as defined in section 27A of the Monetary Authority of Singapore Act (Cap. 186) but does not include any financial institution listed in Annex 1; material outsourcing arrangement means an outsourcing arrangement:- (a) which, in the event of a service failure or security breach, has the potential to either: (i) materially impact an institution s business operations, reputation or profitability; or (ii) adversely affect an institution s ability to manage risk and comply with applicable laws and regulations, or (b) which involves customer information and, in the event of any unauthorised access or disclosure, loss or theft of customer information, may materially impact an institution s customers; outsourcing agreement means a written agreement setting out the contractual terms and conditions governing relationships, functions, obligations, responsibilities, rights and expectations of the contracting parties in an outsourcing arrangement; 2

outsourcing arrangement means an arrangement in which a service provider provides the institution with a service that may currently or potentially be performed by the institution itself and which includes the following characteristics: (a) the institution is dependent on the service on an ongoing basis but such service excludes services that involve the provision of a finished product 2 ; and (b) the service is integral to the provision of a financial service by the institution or the service is provided to the market by the service provider in the name of the institution; overseas regulated financial institution means any person who is regulated as a financial institution outside Singapore, other than a financial institution which is approved, authorised, designated, recognised, registered, licensed or otherwise regulated by the Authority; service provider means any party which provides a service to the institution, including any entity within the institution s group 3, whether it is located in Singapore or elsewhere; sub-contracting means an arrangement where a service provider which has an outsourcing arrangement with an institution, further outsources the services or part of the services covered under the outsourcing arrangement to another service provider; supervisory authority means the supervisory authority which is responsible, under the laws of the country or territory where the overseas regulated financial institution is located, for supervising the overseas regulated financial institution. 2.2 The expressions used in this Notice shall, except where expressly defined in this Notice or where the context otherwise requires, have the same respective meanings as in the Act 4. 2 This refers to products such as insurance policies. 3 This refers to the institution s Head Office or parent institution, subsidiaries, affiliates, and any entity (including their subsidiaries, affiliates and special purpose entities) that the institution exerts control over or that exerts control over the institution. 4 The Act refers to the respective Acts under which the Notice will be issued, e.g. for banks, this would refer to the Banking Act. 3

3. MANAGEMENT OF MATERIAL OUTSOURCING ARRANGEMENTS 3.1 An institution shall manage all its material outsourcing arrangements prudently. When managing such material outsourcing arrangements, the institution shall, at the minimum: (a) establish proper policies and processes to identify all material outsourcing arrangements; (b) put in place an adequate risk management framework, systems, policies and processes to assess, control and monitor its material outsourcing arrangements. These include establishing proper approving authorities and limits 5 for material outsourcing arrangements; (c) ensure that the laws, rules, regulations, notices and directives applicable to the institution continue to be complied with notwithstanding its material outsourcing arrangements; and (d) maintain a central register of all material outsourcing arrangements. 3.2 An institution shall maintain adequate documentation of the steps taken in complying with paragraph 3.1 and furnish such documentation to MAS upon request. 4. ASSESSMENT OF SERVICE PROVIDERS 4.1 In considering, renegotiating or renewing any material outsourcing arrangement, an institution shall subject the service provider to appropriate due diligence processes to assess the risks associated with the outsourcing arrangement. These include assessing the service provider s: (a) corporate governance, risk management, security and internal controls (including information technology controls), audit, and compliance with applicable laws and regulations; (b) capability to employ a high standard of care in the performance of the outsourcing arrangement as if the outsourcing arrangement were being conducted by the institution to meet its obligation as a regulated entity; (c) financial strength and resources; and (d) ability to safeguard the confidentiality, integrity and availability of information entrusted to it. 5 This includes limits on the nature, value and extent of the material outsourcing arrangements. 4

4.2 An institution shall document and re-perform, at least on annual basis, the due diligence undertaken during the assessment process as set out in paragraph 4.1, as part of the monitoring and control processes of its outsourcing arrangements. 5. ACCESS TO INFORMATION 5.1 An institution shall include in all its outsourcing agreements provisions that: (a) allow the institution to conduct audits on the service provider and its subcontractors, whether by its internal or external auditors, or by agents appointed by the institution; and to obtain copies of any report and finding made on the service provider and its sub-contractors, whether produced by the service provider s and its sub-contractors internal or external auditors, or by agents appointed by the service provider and its subcontractors, in relation to the outsourcing arrangement and to allow such copies of any report or finding to be submitted to the Authority; (b) allow the Authority, or any agent appointed by the Authority, where necessary or expedient, to exercise the contractual rights of the institution to access and inspect the service provider and its sub-contractors, and the institution, to obtain records and documents of transactions, and information of the institution given to, stored at or processed by the service provider and its sub-contractors, and the right to access and obtain any report and finding made on the service provider and its sub-contractors, whether produced by the service provider s and its sub-contractors internal or external auditors, or by agents appointed by the service provider, in relation to the outsourcing arrangement; and (c) indemnify and hold the Authority, its officers, agents and employees harmless from any liability, loss or damage to the service provider and its sub-contractors arising out of any action taken to access and inspect the service provider or its sub-contractors pursuant to the outsourcing agreement. 6. PROTECTION OF CUSTOMER DATA 6.1 In all outsourcing arrangements involving the disclosure of customer information to the service provider, an institution shall include provisions to require the service provider to protect the confidentiality of customer information. 5

6.2 An institution shall require the service provider to isolate and clearly identify the institution s customer information, documents, records, and assets to protect the confidentiality of the information. 6.3 An institution shall engage service providers that operate in jurisdictions which generally uphold confidentiality provisions and agreements. Where customer information is to be disclosed, an institution 6 required by any law or regulation administered by the Authority to protect or not to disclose such customer information, shall obtain appropriate legal advice in respect of the overseas jurisdiction where the outsourcing arrangement is to be performed. The legal advice shall in particular highlight the circumstances under which the customer information may be required by law to be disclosed by the service provider notwithstanding any obligation of confidentiality assumed by the service provider. An institution shall regularly update its legal advice and inform its customers of the circumstances under which customer information might be so disclosed. 6.4 An institution shall only disclose customer information to the service provider to the extent the service provider strictly needs to have the information in order to perform its duties, and ensure that the amount of information disclosed is proportionate to the needs of the situation. 6.5 An institution shall notify the service provider in writing of the institution's obligations of confidentiality under laws applicable to the institution and under the common law. 6.6 An institution required by any law or regulation administered by the Authority to protect or not to disclose customer information shall also include into its outsourcing agreements confidentiality provisions which address the following matters: (a) access to information by the employees of the service provider and its sub-contractors shall be limited to those who strictly need to have the information in order to perform their duties. (b) the service provider, its sub-contractors and their employees shall be restricted from further disclosing the information to any other party unless required to do so by law; 6 This refers to the following institutions: banks, merchant banks, approved clearing houses, approved exchanges, recognised clearing houses incorporated in Singapore, licensed trade repositories and licensed trust companies. 6

(c) if the service provider, its sub-contractors and their employees are required by law to disclose the information, they shall notify the institution as soon as practicable prior to disclosure; and (d) any information disclosed shall be used by the institution strictly for the purpose for which it was disclosed. 7. AUDIT 7.1 An institution shall ensure that independent audits and/or expert assessments of all its material outsourcing arrangements are conducted. In determining the frequency of audit and expert assessment, the institution shall consider the nature and extent of risk and impact to itself from the outsourcing arrangements. The period between audits shall not exceed 3 years. The scope of the audits and expert assessments shall include an assessment of the service providers and its subcontractors security 7 and control environment, incident management process (for material breaches, service disruptions or other material issues) and the institution s observance of MAS Guidelines on Outsourcing and compliance with this Notice in relation to the outsourcing arrangement. The institution shall submit a copy of the reports to Authority for information. 8. TERMINATION AND EXIT OF OUTSOURCING 8.1 An institution shall include in all its outsourcing agreements a right to terminate the outsourcing agreement in the event that: (a) the service provider undergoes a change in ownership, becomes insolvent, goes into liquidation, receivership or judicial management; (b) there has been a breach of confidentiality by the service provider or its sub-contractors that affect the institution or the institution s customers; (c) there has been a deterioration in the ability of the service provider to perform the service as contracted; (d) the institution is prevented from conducting any audits or obtaining any report and finding made on the service provider; 7 The security environment refers to both the physical and IT security environments. 7

(e) the institution is prevented from assessing the service provider s compliance with the outsourcing agreement; or (f) the institution is directed by the Authority to terminate the outsourcing arrangement as the service provider has failed to comply with all applicable laws and regulations. 8.2 If any of the events in paragraph 8.1(a) to 8(e) occurs for material outsourcing arrangements, an institution shall: (a) notify the Authority of the event as soon as possible; (b) consider whether to terminate the outsourcing agreement; and (c) terminate the outsourcing agreement in accordance with its terms, if so directed by the Authority in writing. 8.3 An institution shall have in place contingency measures to minimise disruption of its operations should any such outsourcing agreement be terminated. 8.4 Upon the termination of an outsourcing agreement, an institution shall ensure that all documents, records of transactions and information previously given to the service provider are removed from the possession of the service provider or deleted, destroyed or rendered unusable. 9. OUTSOURCING TO OVERSEAS REGULATED FINANCIAL INSTITUTIONS 9.1 Where the service provider is an overseas regulated financial institution, an institution required by any law or regulation administered by the Authority to protect or not to disclose customer information shall give the Authority a written confirmation by the supervisory authority of the service provider to the effect that: (a) the Authority and any independent auditors appointed by the Authority shall be allowed access by the supervisory authority to the institution's documents, records of transactions, information previously given to, stored or processed by the service provider; (b) the institution and any auditor appointed by the institution shall not be inhibited from inspecting the control environment within the service provider 8

insofar as it relates to the institution's data that is processed by the service provider, or from reporting any findings to the Authority; (c) in the case where the supervisory authority is a host supervisor of the overseas regulated financial institution, it shall not access any customer information of the Singapore office that is in the possession of the overseas regulated financial institution ( the Information ); (d) in the case where the supervisory authority is the home supervisor of the overseas regulated financial institution: (i) it shall not access the Information unless access to the Information is required for the sole purpose of carrying out its supervisory functions; (ii) it shall give the Authority prior written notification whenever it accesses the Information; and (e) it is prohibited under its laws from disclosing the Information to any other person, or it undertakes to safeguard the confidentiality of the Information and not disclose the Information to any other person. 10. EFFECTIVE DATE 10.1 Subject to paragraph 10.2, this Notice shall take effect from xx ( the Effective Date ) [i.e. 6 months after the issuance of the Notice]. 10.2 An institution shall comply with paragraphs 5, 6.1, 6.6 and 8.1 in respect of all outsourcing agreements entered into or renewed on or after the Effective Date. 9

Annex 1 This Notice shall not apply to the list of institution classes stated below:- (a) (b) (c) (d) Any person exempt from the requirement to hold a capital markets services licence to carry on business in fund management under sub-paragraphs 5(1)(a), (b), (c), (f), (h) and (i) of the Second Schedule to the Securities and Futures (Licensing and Conduct of Business) Regulation. Any person exempt from the requirement to hold a trust business licence in respect of the carrying on of trust business under section 15(1)(d) of the Trust Companies Act and regulation 4(1) of the Trust Companies (Exemption) Regulations. Any person exempt from the requirement to hold a capital markets services licence to carry on business in advising on corporate finance under paragraph 7(1)(b) of the Second Schedule to the Securities and Futures (Licensing and Conduct of Business) Regulations. Any person exempt from the requirement to hold a financial adviser s license under regulation 27(1)(d) of the Financial Adviser s Regulations. (e) Any captive insurer as defined in section 1A of the Insurance Act (Cap. 142). (f) (g) (h) (i) (j) (k) (l) Any marine mutual insurer as defined in section 1A of the Insurance Act. Any foreign insurer carrying on insurance business under a foreign insurer scheme as defined in section 1A of the Insurance Act. Any authorised reinsurer as defined in section 1A of the Insurance Act. Any recognised market operator as defined in section 2 of the Securities and Futures Act (Cap. 289) which is incorporated overseas. Any recognised clearing house as defined in section 2 of the Securities and Futures Act which is incorporated overseas. Any licensed foreign trade repository as defined in section 2 of the Securities and Futures Act. Any approved holding company as defined in section 2 of the Securities and Futures Act. (m) Any trustee-manager of a business trust that is registered under the Business Trusts Act (Cap. 31A). 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information