Association of Banks in Singapore updates Guidelines for Outsourced Service Providers
Jun15

Association of Banks in Singapore updates Guidelines for Outsourced Service Providers

On 1 June 2017, the Association of Banks in Singapore (ABS) issued an update to their “Guidelines on Control Objectives and Procedures for Outsourced Service Providers”. The update replaces the first version of these guidelines previously issued on 25 July 2015. Overall, the update involved only minor changes. Nevertheless, these changes indicate a greater emphasis on review, monitoring and control of the outsourced service providers (OSPs). OSPs should take note of this new emphasis as banks and other financial institutions (FIs) will likely look to these guidelines to supplement their own regulatory obligations when engaging OSPs. ABS guidelines in a nutshell The ABS guidelines set standards for OSPs relating to audit and inspection, internal controls (e.g. human resource policies and procedures), IT controls (e.g. physical security policies and disaster recovery procedures) and service controls (e.g. client contracting procedures). The guidelines were first published following the 5 September 2014 release by the Monetary Authority of Singapore (MAS) of two consultation papers relating to outsourcing arrangements of FIs. Likewise, it appears that these updated guidelines follow on from MAS’ 27 July 2016 update of its Guidelines on Outsourcing. The MAS Guidelines on Outsourcing focus on standards FIs should adopt when engaging OSPs. The ABS guidelines, however, appear intended to address the other side of this coin by giving guidance to OSPs themselves on the minimum standards they should implement when dealing with FIs. Minor changes but greater emphasis on review, monitoring and control OSPs can take comfort in the fact that the ABS guidelines remain largely unchanged from their 2015 iteration. The entity level controls, general IT controls and service controls imposed by the 2015 guidelines do not see significant changes to their content. The most significant change is that the OSP’s controls should be “reviewed and updated at least every 12 months”. This requirement is newly included in Section II(e) on Backup and Disaster Recovery, Section II(f) on Network and Security Management and Section III(a)(2) on Setting up of New Clients/Processes. There is also a new focus on reporting substantial changes and adverse developments to the FIs. The section on frequency of external audits has also been updated. Previously, it was recommended that audits be conducted every 12 months with the sampling data covering a period of 12 months. The updated ABS guidelines now provide that the sample data should cover the entire period since the last audit, with a minimum period of 6 months and with reasons provided if the period covered is less than 6 months. What this means for OSPs While relatively minor, the changes suggest a greater focus on review, monitoring and control of the outsourcing...

Read More