FAQ on MAS Guidelines on Outsourcing

Following the publication of guidelines on outsourcing arrangements (please see EventID 24383 in this context), the Monetary Authority of Singapore (MAS) has also published an accompanying set of frequently asked questions (FAQs) relating to various issues addressed in the guidelines. These FAQs aim to clarify the application of the guidelines and various requirements thereunder, including requirements pertaining to the audit and review obligations or the requirement to maintain an outsourcing register. The following FAQs are enclosed in the document – as quoted:
Q1: Does the removal of the expectation for an institution to notify MAS before it enters into or varies a material outsourcing arrangement take effect immediately?
MAS has removed the expectation for institutions to notify MAS before making any material outsourcing commitment with immediate effect. Institutions are expected to exercise appropriate due diligence on their outsourcing arrangements, and be ready to demonstrate to MAS their observance of the Guidelines on Outsourcing. As highlighted in the Guidelines, this includes submitting the outsourcing register to MAS at least annually or upon request.
Q2: Does the MAS Guidelines on Outsourcing supersede the Information Technology (IT) Outsourcing Circular dated 14 July 2011?
The MAS Guidelines on Outsourcing supersedes the IT Outsourcing Circular issued by MAS on 14 July 2011. Institutions are no longer expected to consult and submit the completed MAS Technology Questionnaire for Outsourcing to MAS before making any significant IT outsourcing commitment.
Q3: Does MAS expect an institution to apply all the risk management practices in the MAS Guidelines on Outsourcing with regard to outsourcing arrangements involving an MAS regulated entity (e.g. institution-to-institution outsourcing)?
Institutions are encouraged to implement all the risk management practices contained in the Guidelines on Outsourcing for outsourcing arrangements involving a MAS-regulated entity. The extent and degree to which an institution implements the risk management practices should be commensurate with the nature of risks in, and materiality of the outsourcing arrangement. The risk management framework used by the institution to evaluate the risks and materiality of such outsourcing arrangement should be approved by the institution’s Board of Directors, or a committee delegated by the Board of Directors.
Q4: Is encrypted customer information caught under the definition of “customer information” in the MAS Guidelines on Outsourcing?
In general, encrypted customer information is not caught under the definition of “customer information” provided that the identities of the customers cannot be readily inferred from the encrypted information. Institutions are expected to adopt encryption algorithms that are of well-established international standards, and subjected to rigorous scrutiny by an international community of cryptographers or approved by authoritative professional bodies, or government agencies. An institution should refer to the practices and standards set out in the Technology Risk Management (TRM) Guidelines issued by MAS when evaluating the strength of the encryption.
Q5: Under the MAS Guidelines on Outsourcing issued on 27 July 2016, the words “finished product” does not appear in the definition of “Outsourcing Arrangement”. Does this mean that the service which involves the provision of a finished product will now be considered an “Outsourcing Arrangement”?
MAS has revised the definition of “Outsourcing Arrangement” to clarify that a service that involves the provision of a finished product is not the sole determining factor in deciding whether the service falls within the definition of “outsourcing arrangement”. The other criteria in the definition of “Outsourcing Arrangement” have to be met. MAS has provided examples of outsourcing arrangements that are generally not intended to be subject to the guidelines in Annex 1 of the Guidelines on Outsourcing.
Q6: Can an institution rely on the audit opinion of a service provider’s external auditor to obtain assurance on the service provider’s security and control environment, and observance of the MAS Guidelines on Outsourcing?
An institution may rely on the audit opinion of a service provider’s external auditor provided that the institution has verified that the audit carried out by the external auditor meets the standards set out in the Guidelines on Outsourcing and the institution’s outsourcing risk management framework. The party performing the audit should possess the requisite knowledge and skills to perform the engagement, and be independent of the units or functions involved in the outsourcing arrangement.
Q7: Can an institution submit its outsourcing register to MAS using a different template from the one provided in Annex 3 of the MAS Guidelines on Outsourcing?
An institution should submit its outsourcing register to MAS using the template provided in Annex 3 of the MAS Guidelines on Outsourcing. An institution may however, use a different template to update its board and senior management of its outsourcing arrangements.
Q8: When will MAS issue the Notice on Outsourcing?
MAS is reviewing the industry’s feedback on the proposed Notice on Outsourcing and will issue the Notice once the review has been completed.
Q9. In the case where the outsourced service is the internal audit function of an institution, how could the institution ensure that independent audits and/or expert assessments are conducted on the outsourcing arrangement?
In the case where an institution outsources its internal audit function, the institution should conduct periodic assessments to satisfy itself of the continuing ability of the service provider to perform the internal audit function satisfactorily. These may include assessments that are in line with the Quality Assurance and Improvement Program as per the International Standards for the Professional Practice of Internal Auditing (Standards).