Financial regulatory update
06 Jan 2021
MAS releases consultation paper on management of outsourced relevant services for banks and merchant banks
Background
The Monetary Authority of Singapore ("MAS") released its consultation paper (the "Consultation Paper") on notices to banks and merchant banks ("MBs") on management of outsourced relevant services (each a "Notice", and collectively the "Notices") on 18 December 2020. The consultation period closes on 29 January 2021. A copy of the proposed Notice for banks is attached as an annex to the Consultation Paper (the requirements in this draft Notice will be mirrored in a separate Notice for MBs).
The Consultation Paper forms part of a series of proposed amendments to the regulatory framework for banks and MBs in Singapore, following the passing of the Banking (Amendment) Act 2020. In particular, the Consultation Paper addresses proposed requirements in the new Section 47A of the Banking Act, Chapter 19 of Singapore, that applies when a bank or MB in Singapore obtains or receives any relevant service from any branch or office of the bank located outside Singapore or any person.
What you need to know
Who does this apply to?
The Notices apply to banks and MBs with "outsourced relevant services".
What are "relevant services"?
A “relevant service” is defined in section 47A of the Banking Act to mean any service obtained or received by the bank, other than a service provided in the course of employment by an employee of the bank or a service provided by a director or an officer of the bank in the course of the director’s or officer’s appointment. This does not include any service specified by the MAS by written notice.
What are "outsourced relevant services"?
Relevant services are considered outsourced when they are:
- performed by the bank or MB prior to it obtaining or receiving the relevant service;
- commonly performed by banks or MBs in Singapore; or
- specified by MAS.
This would include services such as processing of loan or credit card applications, manpower management, investment management, the performance of due diligence measures on potential customers, and public cloud services, but will not include custody account services (for the purposes of the bank or MB maintaining a custody account), telecommunication services, public utilities, or postal services.
Services that are provided by the Government Technology Agency (GovTech) and services that do not provide the service provider with access to the bank's or MB's confidential or customer information are exempted.
What are the specific requirements under the proposed Notices?
- If your arrangements are ongoing outsourced relevant services, you are required to maintain a register of all such services obtained or received. This applies regardless of whether the services are material. A service is considered "ongoing" if the bank or MB obtains the service for more than a year (or if less than a year, the agreement is renewed or extended and the cumulative duration of the agreement is for at least a year).
- If your arrangements are material ongoing outsourced relevant services, you must comply with the full set of requirements in the proposed Notices.
- If your arrangements are outsourced relevant services involving disclosure of customer information, you must comply with requirements focused on protecting customer information, and maintain a register of such services.
What are the requirements with respect to the register of outsourced relevant services?
A bank or MB must maintain a register containing a record of (a) all ongoing outsourced relevant services (material or otherwise); and (b) outsourced relevant services that involve the disclosure of customer information, whether the services are provided one-off or on an ongoing basis.
The register must be submitted at least semi-annually (up from the current annual submission requirement) or upon request.
What should I look out for in terms of my material ongoing outsourced relevant services?
A bank or MB must manage and control any risk from its material ongoing outsourced relevant services, including having policies and procedures in place to identify material ongoing outsourced relevant services and their corresponding risks.
The requirements are set out in Section B of the proposed Notice. Some key points to note:
- Establishment of framework to evaluate service providers: The bank or MB must establish a framework for evaluating the ability of the service provider, perform due diligence checks against the framework, and be satisfied of the results, prior to obtaining or receiving any material ongoing outsourced relevant service. The due diligence checks must be re-performed within a year, and thereafter at a frequency approved by the board (or a committee delegated by the board).
- Entry into outsourcing agreements: Outsourcing agreements must be entered into for material ongoing outsourced relevant services, and include the following terms:
(i) protection of information by the service provider;
(ii) the MAS' right to audit;
(iii) provision of information to the bank or MB, and MAS;
(iv) certain grounds for termination; and
(v) requirement for service provider to enter into its own written agreement with sub-contractors.
This is set out in paragraph 7.1 of the draft Notice.
- Protection of customer information: Banks would need to implement adequate measures to protect customer information that is disclosed to a service provider. Banks should also obtain legal advice in situations where customer information may have to be disclosed by a service provider by law.
Customer information can only be disclosed to the service provider (and its sub-contractor) if permitted in writing by the customer.
- Use of sub-contractors permissible under certain circumstances: Sub-contracting of the material ongoing outsourced relevant service by the service provider will only be permitted under limited circumstances where there is no disclosure of customer information or express written permission has been obtained from the customer. Certain due diligence checks must also be conducted on the sub-contracting arrangement.
- Additional requirements where material ongoing outsourced relevant services are received from an overseas regulated financial institution ("ORFI"): The MAS requires a written confirmation from the supervisor of the ORFI relating to the safeguarding of customer information, the ability of the bank/MB or MAS to access customer information and other relevant information, as well as audit requirements.
What requirements apply where outsourced relevant services involve disclosure of customer information?
Where disclosure of customer information is involved, additional requirements apply regardless of whether (a) the relevant services are ongoing or material, (b) written customer consent has been obtained for disclosure, or (c) the disclosure is made to a service provider in Singapore or overseas.
The bank or MB must:
- evaluate the service provider's ability to safeguard customer information;
- enter into an outsourcing agreement with the service provider with requirements on protecting customer information; and
- implement measures to protect customer information.
These are set out in Section C of the proposed Notice (or Section B if the outsourced relevant service is a material ongoing relevant service that involves the disclosure of customer information).
Are there requirements to implement a group policy on outsourced relevant services?
Yes, if you are incorporated in Singapore.
When are the Notices expected to come into force?
The exact timetable for implementing the changes is to be confirmed. The MAS has proposed a general 12-month transition period from the date the Notices are issued.
Banks and MBs have to comply with requirements relating to outsourcing agreements 12 months from the date the Notices are issued, or from the date on which they enter into a new agreement or renew an existing agreement, whichever is later.
Is there anything else I need to know?
- Expansion of definition of "customer": A "customer", for the purposes of the proposed Notices, will include companies which carry on banking business, merchant banking business or investment banking business. This is wider than the definition of "customer" in section 40A of the Banking Act.
- Repeal of MAS Notices 634 and 1108: MAS Notices 634 and 1108 (which impose requirements on banks and MBs respectively on the protection of the confidentiality of customer information in all outsourcing arrangements) will be repealed following the coming into effect of the Notices.
- Penalty for breach: The failure to comply with the Notices is an offence, which will subject the offending bank or MB to a fine not exceeding S$250,000 and, in the case of a continuing offence, to a further fine not exceeding S$25,000 for every day or part of a day during which the offence continues after conviction.
With special thanks to Jermaine Ng (Associate) and Zhan Teng Chua (Trainee Solicitor) for their contributions.
This publication is co-written by ADTLaw LLC and Ashurst LLP who together form Ashurst ADTLaw in Singapore. Ashurst LLP is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary. The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Readers should take legal advice before applying it to specific issues or transactions.