From the second half of 2016, outsourced service providers (OSPs) servicing financial institutions (FIs) in Singapore will be required to adhere to a set of industry guidelines released by the Association of Banks in Singapore (ABS).
The guidelines spell out the minimum standards and controls for OSPs undertaking FIs' material outsourcing or handling customer data. Subcontractors of Singapore-based OSPs are required to meet the guidelines too.
Currently, OSPs are subject to each FI's individual due diligence processes and service control audits. This means that OSPs have to go through multiple control audits if they have more than one client, which can be costly and time-consuming, explained Ong-Ang Ai Boon, Director of ABS, in a media briefing earlier today.
ABS thus hopes that the guidelines will help "reduce the number of control audits for OSPs, and raise the level of compliance standards among OSPs," she added.
Since FIs regard OSPs as extensions of themselves, OSPs should be subjected to the same level of governance, rigour and consistency as FIs' in-house teams. ABS' guidelines for OSPs were therefore developed based on two of the Monetary Authority of Singapore's (MAS) consultation papers. Titled "Notice on Outsourcing" and "Guidelines on Outsourcing", the papers defined a set of minimum standards for outsourcing management and stated that FIs are expected to manage outsourcing arrangements as if the services are conducted in-house.
According to ABS, the guidelines consist of three broad areas of control:
- Entity-level controls, which set the requirement on the priority and culture of the OSPs such as human resources policies and practices, management philosophy, and operating style.
- General IT controls, which provide FIs assurance that the OSP has the relevant controls and procedures over the IT systems used within the outsourcing agreement. This includes change management, backup and disaster recovery, security incident response, system vulnerability assessments, and technology refresh management.
- Service controls, which require OSPs to define and monitor their contractual and service level obligations as agreed.
While the entity-level controls will be required from all OSPs, the emphasis on the two other controls would vary depending on the services the OSPs provide. "FIs could add further requirements to the audit if they're embarking on unique or complex outsourcing agreements (with control requirements over and above the control standards stated in the ABS Guidelines) with an OSP," said Ong.
To encourage the adoption of the guidelines within the next 12 months, ABS will be hosting workshops to educate OSPs and clarify their doubts on the requirements. "Training sessions on different aspects of the guidelines will be held in batches, in which the content will be similar to what banks provide to their in-house teams," said Ong.