You are currently viewing Updates to the Outsourcing Guidelines for Non-Bank Financial Institutions

Updates to the Outsourcing Guidelines for Non-Bank Financial Institutions

On the 11th of December 2023, the Monetary Authority of Singapore (“MAS”) published a revised version of the outsourcing guidelines applicable to non-Bank Financial Institutions such as Fund Management Companies and Payment Service Providers. These guidelines help ensure that risk management practices are carried out accordingly when Fund Management Companies and Payment Service Providers wish to enter into outsourcing agreements or plan to outsource their business activities to a service provider. These guidelines are effective from the 11th of December 2024.

In the revised version of the Outsourcing guidelines, the guidelines have undergone some strategic refinement, drawing a distinction between Outsourcing for Non-Bank Financial Institutions, and Banks. This deliberate separation underscores the commitment to precision and relevance in regulatory frameworks, ensuring that each sector receives guidelines precisely tailored to its distinct operational requirements.

In addition to that, Annex 2 of the previous Outsourcing Guidelines only provided a non-exhaustive list of examples of outsourcing arrangements. The newly revised Outsourcing Guidelines take this a step further to include a list of exempted outsourced services in Annex 1. This annex exempts services that are exclusively provided by the Government Technology Agency or those unrelated to the conduct of financial business. Moreover, exempted services come with the condition that the service provider does not handle any of the financial institution’s confidential information (e.g. customer data). The inclusion of Annex 1 in the revised guideline serves to provide much-needed clarity on the parameters surrounding outsourced services, offering a nuanced approach to instances where certain services are exempted from stringent regulatory requirements, thereby fostering efficiency, and aligning with the evolving landscape of technology and business processes.

In addition to that, for ease of reference, guidance on the use of cloud computing services is now annexed in Annex 5 of the revised Outsourcing Guidelines. Professional services related to the business activities of the institution such as accounting, internal audit, and compliance also fall under the scope of outsourced arrangements. If an institution outsources all or substantially all its risk management or internal control functions such as the professional services listed it above, it then falls under a material outsourcing arrangement. Factors that an institution should consider when assessing materiality is listed in Annex 3 of the revised Outsourcing Guidelines

A financial institution should be able to follow the guidelines set by the MAS and ensure it is able to demonstrate compliance with the Guidelines when maintaining its Outsourcing Register using the template set out in Annex 4 of the revised Outsourcing Guidelines. In the newly revised Outsourcing Guidelines, it is no longer necessary for an institution to notify MAS before making any material outsourcing arrangement. This takes place with immediate effect. However, if MAS is not satisfied with an institution’s adherence with the Outsourcing Guidelines provided, they may require an institution to implement additional controls to address the issue. This may include the need to notify MAS before committing to any material outsourcing arrangements. To avoid such issues, institutions are expected to conduct appropriate due diligence on their outsourced service providers and ensure they can demonstrate their adherence of the guidelines to MAS.

The revised guideline incorporates the amendments relating to business continuity management for alignment with the revised Guidelines on Business Continuity Management. In the new guidelines, there is no requirement for outsourcing agreements to contain Business Continuity Plans (“BCP”) requirements on the service provider, in particular, recovery time objectives (“RTO”), recovery point objectives (“RPO”), and resumption operating capacities. It goes on further to remove the requirement for the service provider to ensure that the test conducted for BCP plans validate the feasibility of the RTO, RPO and resumption operating capacities

Things to take note of

  1. When submitting an outsourcing register to MAS, an institution should use the template provided for in Annex 4 of the Outsourcing Guidelines.
  2. Financial Institutions should not outsource their internal audit function to the institution’s external audit provider. This will give rise to a conflict of interest.
  3. If an internal audit function is outsourced, an institution should conduct periodic assessments to ensure that the service provider is able to perform the internal audit satisfactorily. This would apply similarly to any other outsourced function.

How can we help?

The regulatory landscape concerning Fund Management and Payment Services in Singapore is continually evolving to address emerging market risks and evolving requirements.

At Curia Regis, we’ve established a dedicated team in Singapore to provide indispensable regulatory and compliance support to institutions striving to meet MAS requirements across various strategies and business models. With extensive experience in this field, we are prepared to assist you in ensuring that your compliance frameworks not only align with MAS standards but are also tailored to be solution-oriented, addressing the unique characteristics of your business in terms of size, type, and structure.

Reach out to us today to leverage our years of expertise, particularly in the efficient implementation of these crucial compliance elements. Let us serve as your trusted guide in navigating the complexities of regulatory compliance and supporting your business through its obligations as it continues to grow.