MAS steps up focus on outsourcing requirements

The MAS has released revised guidelines on managing outsourcing risks. The original set of guidelines applying to all financial institutions has become two separate versions since December 2023: one for banks / merchant banks (Notice 658 and Notice 1121) and another for all other types of firms. With the new guidelines taking effect on 11 December 2024, now is the time to take stock of your outsourcing processes and third-party arrangements to make sure they’re up to the mark.

Why has this change come about?

When banks’ outsourcing arrangements fall over, a large number of consumers can be impacted. The MAS’ renewed supervisory focus on banks, whilst not turning up the dial for non-banking financial institutions (FIs) which are inherently less risky, is welcome news.

This doesn’t mean that fund management companies, financial advisors and other types of non-bank FIs are off the hook, however. There are changes to the outsourcing guidelines that need to be considered.

What are the changes for non-bank FIs?

A new category of “exempted outsourced services” has been added to the guidelines – services provided by GovTech, and those which are both not related to the conduct of financial services and where service providers have no access to confidential information. The MAS has also reinforced that FIs are also expected to conduct periodic assessments on their internal auditors.

Can we expect further attention from the MAS on this topic?

There are rumours (thus far unsubstantiated) that the MAS may carry out a number of thematic inspections of FIs to assess compliance with the outsourcing requirements. This is expected to cover up to 250 licensees, which suggests that the focus isn’t solely on the banking sector.

It’s feasible that the MAS may explore this further by issuing a survey on this topic, so one to keep a close eye on.

Are you meeting the MAS’ expectations?

For those wanting to double-check they have everything in place, it’s worth doing the following:

  • Maintaining an Outsourcing Register to track all outsourced service providers, whether material or non-material.
  • Performing due diligence checks on outsourced service providers and sub-contractors.
  • Including certain terms and conditions in outsourcing agreements.
  • Monitoring the performance of outsourced service providers on an ongoing basis.

How we can help

We can work with you to update your compliance manual and outsourcing policies so that they meet MAS expectations. Our team also regularly carry out mock MAS inspections of outsourcing frameworks.