Mas Outsourcing Agreement
Guidelines for the operational risk management framework of a financial institution, including business continuity and outsourcing. In the past, IEs were required to notify MAS before entering into or varying an essential outsourcing agreement. These obligations have been abolished, which has reduced compliance with the rules by ISPs. However, MAS will continue to require IS to inform them as soon as possible of any harmful developments that may affect FI or within the FI group. For example, service outages or prolonged interruptions in the outsourcing agreement or a breach of the security and confidentiality of FI customer information. In addition, ISDs should be included in outsourcing agreements, events and circumstances that require the provider to report to the IF in order to enable THE IF to take immediate risk reduction measures and to inform the data of these developments. New outsourcing notifications for banks and commercial banks regarding essential FIs outsourcing agreements have, until 27 October 2016, self-assessed all existing outsourcing agreements on the basis of the guidelines. Any deficiencies should be corrected no later than 12 months after the guidelines are published. These guidelines define MAS`s expectations of a financial institution that has entered into an outsourcing agreement or is considering outsourcing its operations to a service provider. The guidelines apply: Current notices only apply if customer information regarding the implementation of an outsourced function outside Singapore is disclosed. On the other hand, the proposed outsourcing communications apply to any outsourcing agreement involving the disclosure of customer information, regardless of where the outsourced function is to be performed.
In this context, MAS proposes requirements for dealer banks to protect the confidentiality of customer information in all outsourcing agreements. Although the regulation has been strengthened, the procedure is less cumbersome. Companies are no longer required to notify DSS before entering into essential outsourcing agreements. However, you should keep an outsourcing registry available for an annual audit or at the request of MAS. Among the revised parameters is a new assessment of what “material outsourcing” is. Previously, an outsourcing agreement was considered essential if an infringement would have a significant impact on your company`s operational capabilities or revenue. The term has now been expanded to include information security, including services that include customer data whose loss or theft can have a significant impact on their customers. An important change that has been highlighted in the review is the recognition of IT services – especially cloud computing services – as a form of outsourcing. The type of IS makes it a natural adaptation to the scalable IT services that the cloud offers, and using the green light potential of MAS, multi-tenancy agreements or information system hostings (such as Software as a Service or Platform as a Service) based in Singapore, is good news for companies that were not previously ready for fear of risks of interdependence or regulatory disapproval. A stricter approach is now needed to assess the performance of service providers.
These include conducting assessments of physical and computer security checks, ethical and professional standards, as well as on-site visits to the service provider. In particular, fi should ensure that the outsourcing agreement has been evaluated in accordance with the criteria applicable to its own staff in order to comply with THE IF recruitment rules for the role they play.