“While outsourcing arrangements can bring cost and other benefits, it may increase the risk profile of an institution due to, for example, reputation, compliance and operational risks arising from the failure of a service provider in providing the service, breaches in security or the institution’s inability to comply with legal and regulatory requirements … It is thus important that an institution adopts a sound and responsive risk management framework for its outsourcing arrangements.” [MAS, Guidelines on Outsourcing, July 2016]
Wider definitions of ‘Institutions’ and ‘Material Outsourcing Arrangements’
The outsourcing guidelines published in July 2016 extended the regime to include all financial institutions defined under the MAS Act. Previously excluded firms – such as insurance intermediaries, financial advisers and trust companies – must now adhere to the requirements.
The types of outsourcing arrangements considered to be material – and therefore subject to the detailed measures set out in the guidelines – have been expanded. Currently, arrangements are material if their disruption could significantly impact an institution’s business operations, reputation or profitability. The new definition is wider: it gives due consideration to information security and operational risks, and it adds a materiality test for the impact on an institution’s operations or on its ability to manage risk and meet regulatory and legal requirements. The regulator has set out characteristics that firms should take into account when assessing the materiality of an outsourcing arrangement.
Notifications to MAS
The need to notify MAS before commencing any material outsourcing arrangements has been dropped with immediate effect. Institutions are still expected to exercise appropriate due diligence over their outsourcing arrangements and document their adherence to the guidelines. A template for the register of all material outsourcing arrangements has been provided by MAS, and this or a similar register must be submitted to MAS at least annually or upon request. And of course firms must be ready to answer questions about the arrangements and the judgements they have made when asked by their supervisors.
Enhanced due diligence and oversight of service providers
Institutions were always required under the old outsourcing guidelines to carry out due diligence and monitor the activities of third-party providers. However, under the new guidelines additional information must be considered during the due diligence evaluation, and it is important for firms to factor this in when first considering, renegotiating or renewing their arrangements. New information to be evaluated during due diligence includes the service provider’s corporate governance arrangements, its risk management framework and capabilities (including technology risk management), its disaster recovery arrangements and its ability to comply with applicable laws and regulations.
With respect to ongoing assessment, periodic reviews of all material outsourcing arrangements must be undertaken, on at least an annual basis. Under a risk-based approach, onsite visits should be undertaken to supplement findings from offsite or desk-based reviews.
How Bovill can help
This is definitely an area in which firms should use the release of the updated guidelines to prompt a thorough and well-thought-out review of their outsourcing risk management framework.
We can help with advice on setting up appropriate risk-based controls, and can carry out independent third-party due diligence and ongoing monitoring of material outsourcing providers.