Singapore Banking New Outsourcing Requirements
The Monetary Authority of Singapore (MAS) has recently issued two notices and two guidelines to strengthen the regulatory framework for outsourcing arrangements used by financial institutions, particularly those involving technology and cloud services. These include:
• Notice 1121 for Merchant Banks
• Notice 658 for Banks
• Guidelines on Outsourcing (Banks)
• Guidelines on Outsourcing (Financial Institutions other than Banks)
These regulations take effect on December 11, 2024, and apply to all existing and new outsourced arrangements, subject to specific transitional provisions. They are legally binding and cover services integral to a bank’s operations under the Banking Act 1970 (the BA).
The requirements differ depending on the materiality and nature of the outsourced relevant services. Material Ongoing Outsourced Relevant Services (MOORS) are subject to the complete set of requirements. Outsourced relevant services involving the disclosure of customer information are subject to a subset of requirements to protect the customers’ data.
Key Requirements
• Banks need to perform thorough due diligence on service providers and any subcontractors involved.
• Outsourcing agreements must include specific terms addressing various aspects.
• Customer consent is mandatory for subcontracting that involves disclosure of customer information.
• Banks are required to maintain and submit an outsourcing register to MAS to facilitate due diligence.
The Guidelines set out MAS’s expectations for how financial institutions manage the risks of outsourced relevant services. The Annexes help financial institutions determine which relevant services are outsourced relevant services.
Given the new requirements, Banks and Merchant Banks will take practical steps to align with the Notices and the Guidelines.
For additional information about the new outsourcing requirements for Banks and Merchant Banks, please get in touch with Commercial Specialist Amelia Yeo.