On 1 June 2017, the Association of Banks in Singapore (ABS) issued an update to its “Guidelines on Control Objectives and Procedures for Outsourced Service Providers”. The update replaces the first version of these guidelines, issued on 25 July 2015.
Overall, the update involved only minor changes. Nevertheless, these changes indicate a greater emphasis on review, monitoring and control of the outsourced service providers (OSPs). OSPs should take note of this new focus as banks and other financial institutions (FIs) will likely look to these guidelines to supplement their own regulatory obligations when engaging OSPs.
ABS guidelines in a nutshell
The ABS guidelines set standards for OSPs relating to audit and inspection, internal controls (e.g. human resource policies and procedures), IT controls (e.g. physical security policies and disaster recovery procedures) and service controls (e.g. client contracting procedures).
The guidelines were first published following the 5 September 2014 release by the Monetary Authority of Singapore (MAS) of two consultation papers relating to outsourcing arrangements of FIs. Likewise, it appears that these updated guidelines follow on from MAS’ 27 July 2016 update of its Guidelines on Outsourcing.
The MAS Guidelines on Outsourcing focus on standards FIs should adopt when engaging OSPs. The ABS guidelines, however, appear intended to address the other side of this coin by giving guidance to OSPs themselves on the minimum standards they should implement when dealing with FIs.
Minor changes but greater emphasis on review, monitoring and control
OSPs can take comfort in the fact that the ABS guidelines remain largely unchanged from their 2015 iteration. The entity level controls, general IT controls and service controls imposed by the 2015 guidelines do not see significant changes to their content.
The most significant change is that the OSP’s controls should be “reviewed and updated at least every 12 months”. This requirement is newly included in Section II(e) on Backup and Disaster Recovery, Section II(f) on Network and Security Management and Section III(a)(2) on Setting up of New Clients/Processes. There is also a new focus on reporting substantial changes and adverse developments to the FIs.
The section on frequency of external audits has also been updated. Previously, it was recommended that audits be conducted every 12 months with the sampling data covering a period of 12 months. The updated ABS guidelines now provide that the sample data should cover the entire period since the last audit, with a minimum period of 6 months and with reasons provided if the period covered is less than 6 months.
What this means for OSPs
While relatively minor, the changes suggest a greater focus on review, monitoring and control of the outsourcing arrangement. The need to report changes and adverse developments to FIs also indicates that OSPs should be prepared for greater engagement with the FIs. It is unlikely that the standards and procedures adopted at the start of the relationship will remain static throughout the life of the outsourcing arrangement.
The ABS guidelines are not legally binding. Nevertheless, it is likely that ABS members (including local and foreign banks) will be looking to these guidelines to supplement their own obligations under the MAS Guidelines on Outsourcing when reviewing and engaging OSPs.
FIs will thus want to work with OSPs who are able to constantly adapt to meet various security and IT challenges as they arise. This is especially so in the area of outsourced IT systems, where threats are ever-evolving. OSPs who are successful at integrating a review-and-refresh process into their operations and services will therefore come out ahead.