Post on 07-Jul-2018
8/18/2019 Third Party Trust
1/42
Third Party Trust
Manage your outsourcing arrangements: Who's keeping your promises?
October 2014
Issue 1
Contents (page)
MAS Outsourcing Guidelines and Notice ... 4
Implications of Notice ... 6
MAS Outsourcing Guidelines ... 18
Competitive Intelligence ... 37
Appendix ... 40

"An ecosystem of trust needs to exist between you and any stakeholder or partner who is making and keeping promises on your behalf"
Marco Amitrano, Global Assurance Markets Leader
MAS Outsourcing Notices and Guidelines (consultation 09/2014)
Outsourcing Guidelines and Notice
• MAS released Outsourcing Guidelines and Notice for consultation in September 2014
• "The Notice will be issued under the relevant provision(s) of the respective Act applicable to each institution, e.g. for banks, the Notice will be issued pursuant to section 55 and paragraph 3 of Part II of the Third Schedule of the Banking Act (Cap. 19)."
• What does this mean: "A bank in Singapore shall comply with any direction given to the bank or any requirement imposed on the bank by any notice issued under this Act."
• The Notice will impact:
− All Financial Institutions (FIs) (see Appendix for definitions)
− All material outsourcing agreements
− Potentially any existing arrangements where customer information may not be segregated or identified. This concept of protection is also linked to the Technology Risk Management (TRM) Guidelines and Notice
The new MAS Outsourcing Guidelines and Notice have been enhanced to help financial institutions prevent their risk management, internal control, business conduct or reputation from being compromised or weakened by their outsourcing arrangements.
Non-compliance with the Notice can result in:
• Financial penalties
• Reputational damage
• Revocation of licence to operate in Singapore
The meaning of "material outsourcing arrangement"
*An outsourcing arrangement:
• where a failure or security breach of the service potentially has a significant impact on business operations, reputation or profitability, or prevents compliance with applicable laws and regulations; or
• which involves customer information and, in the event of any unauthorized access or disclosure, loss or theft of customer information, may have a significant impact on your customers; or
• in which a service provider provides the institution with a service that may currently or potentially be performed by the institution itself and which includes the following characteristics:
(i) the institution is dependent on the service on an ongoing basis, but such service excludes services that involve the provision of a finished product; and
(ii) the service is integral to the provision of a financial service by the institution, or the service is provided to the market by the service provider in the name of the institution.
*Extracted from MAS Consultation Paper on Notice on Outsourcing
What are the implications of the Notice?
The MAS Notice on Outsourcing covers eight areas:
• Definitions, consistency between regulation: the customer definition is different between the Banking Act, TRM Notice, and PDPA.
• Management of material outsourcing arrangements: create a materiality risk management framework to assist in the management of outsourcing arrangements.
• Assessment of service providers: execute a due diligence assessment of service providers against the FI's policies and procedures (perform the process annually).
• Access to information: authorities' access to information at the service provider.
• Protection of customer data: customer information to be isolated, with appropriate controls to protect it (need to know).
• Audit: independent audits and expert assessments; enable audits of service providers.
• Termination and exit of outsourcing: exiting of contract, change of ownership, information loss.
• Outsourcing to overseas regulated financial institutions.
With the new Outsourcing Notice, eight grouped areas that impact your business were identified:
1. Definitions
2. Management of material outsourcing arrangements
3. Assessment of service providers
4. Access to information
5. Protection of customer data
6. Audit
7. Termination and exit of outsourcing
8. Outsourcing to overseas regulated financial institutions
Clarifications
"Will the new Outsourcing Notice supersede the Notice 634?"
Banking Act & Notice 634
When outsourcing any operational function to a service provider such that the outsourced function will be performed by the service provider outside Singapore and disclosure of customer information (as defined in section 40A of the Banking Act) to the service provider is involved, all banks in Singapore relying on the exception provided in paragraph 3 of Part II of the Third Schedule of the Banking Act are required to comply with the Conditions set out in the Appendix to this Notice.
Legend: This is the first introduction of a Notice in respect of Outsourcing. The requirements in the Notice are all new.
Definitions and Clarifications
Consultation Paper on Notice on Outsourcing (Sept 2014):
• Presented as a full notice
• Contains 8 detailed sections of requirements
• Attempts to cover material outsourcing agreements (see material definition) instead of all outsourcing agreements involving customer information.
• Newly defines terminology used by introducing definitions for words such as "customer", "customer information", "outsourcing arrangement", "sub-contracting", etc.
What does this mean to you:
• Which act takes precedence? Banking Act, Notice 634, MAS TRM, PDPA?
• Definitions need to be consistent against MAS TRM, Banking Secrecy, PDPA and MAS Outsourcing
"The Notice has definitions and is a legally binding requirement for FIs"
Management of material outsourcing arrangements
Consultation Paper on Notice on Outsourcing (Sept 2014):
• New requirement to demonstrate at minimum:
A. policies and processes to identify outsourcing agreements
B. a risk management framework, systems, policies and processes to assess, control and monitor its outsourcing arrangements with respect to compliance with laws, rules, regulations, notices and directives applicable to the institution
What does this mean to you:
• Enhance policies and processes to identify all material outsourcing arrangements
• Have a risk management framework to assess, control and monitor outsourcing arrangements so as to remain compliant notwithstanding outsourcing arrangements
Management of material outsourcing arrangements (continued)
Consultation Paper on Notice on Outsourcing (Sept 2014):
• New requirement to demonstrate at minimum:
A. maintenance of a central register of all material outsourcing arrangements
B. steps taken and documentation, upon request
What does this mean to you:
• Maintain a central register of all material outsourcing arrangements. Refine your current practices for adequate recording of your outsourcing arrangements
• Retain documentary evidence demonstrating compliance with the Notice
• Establish good communication procedures between the board and the committee
Assessment of service providers
Consultation Paper on Notice on Outsourcing (Sept 2014):
• New detailed requirements extend the due diligence obligation to now necessitate risk assessment processes.
• Perform the due diligence undertaken during the assessment process as part of the monitoring and control processes of its outsourcing arrangements.
• Findings from due diligence should also be considered in determining the audit scope.
• An annual re-assessment is now required.
What does this mean to you:
• The capability of assessing suppliers' governance, security, internal controls and the safeguarding of confidentiality, integrity and availability of information.
• An institution should conduct onsite visits to the service provider by personnel who possess the requisite knowledge and skills to conduct the assessment, which includes physical and IT security controls.
• An institution needs to assess employees of a service provider and perform the assessment on an annual basis.
Access to information
Consultation Paper on Notice on Outsourcing (Sept 2014):
Extended requirement to include outsourcing agreement provisions to:
A. Allow the institution, the Authority or any agent appointed by the Authority, and auditors the right to audit, access and inspect the service provider's and its sub-contractors' records, transactions, information stored at or processed by the service provider and its sub-contractors, and reports and findings made internally or externally.
B. Indemnify and hold the Authority, its officers, agents and employees harmless from any liability, loss or damage to the service provider and its sub-contractors arising out of any action taken to access and inspect the service provider or its sub-contractors pursuant to the outsourcing agreement.
What does this mean to you:
• The right to audit the service provider
• To indemnify the Authority (the regulator) or its agents against any legal action if loss or damage occurs
Protection of customer data
Consultation Paper on Notice on Outsourcing (Sept 2014):
• The notion of deposit customer information is now removed.
• The requirement to include outsourcing agreement provisions has been extended to:
A. protect the confidentiality of customer information;
B. isolate and clearly identify the customer information, institution's documents, records, and assets;
C. limit access to information by the employees of the service provider and its sub-contractors on a need and duties obligation basis;
D. restrict information disclosure by the service provider, its sub-contractors and their employees to any other party unless required to do so by law;
E. notify the institution as soon as practicable prior to information disclosure;
F. any information disclosed shall be used by the institution strictly for the purpose for which it was disclosed.
What does this mean to you:
• An institution shall require the service provider to isolate and clearly identify the institution's customer information, documents, records, and assets to protect the confidentiality of the information.
• An institution shall only disclose customer information to the service provider on a need-to-know basis.
• Immediate notification upon breach/loss of information.
Audit
Consultation Paper on Notice on Outsourcing (Sept 2014):
• Refined requirement: audits should now be conducted by independent auditors and/or expert assessments based on the nature and extent of risk and impact to the institution from the outsourcing arrangements.
• New: the elapsed time between audits could now be up to 3 years.
• New: the scope of the audits now includes the service provider and its sub-contractors.
• New: the sub-contractors also need to fulfil MAS' Guidelines on Outsourcing and comply with the Notice in relation to the outsourcing arrangement, and provide a copy of their reports.
What does this mean to you:
• Independent audit/expert assessment to be performed at least every 3 years (previously only stipulated as 'periodically'); it may be performed and prepared by the institution's internal or external auditors, or by agents appointed by the institution.
• The scope includes the service provider and sub-contractors.
Termination and exit of outsourcing
Consultation Paper on Notice on Outsourcing (Sept 2014):
• Previous 2004 conditions are kept.
• Requirements to have the ability to terminate the outsourcing agreement are now extended to include events where:
A. the institution is prevented from conducting any audits or obtaining any report and finding made on the service provider;
B. the institution is prevented from assessing the service provider's compliance with the outsourcing agreement;
C. the institution is directed by the Authority to terminate the outsourcing arrangement as the service provider has failed to comply with all applicable laws and regulations.
What does this mean to you:
Upon the termination of an outsourcing agreement, an institution shall ensure that all documents, records of transactions and information previously given to the service provider are removed from the possession of the service provider or deleted, destroyed or rendered unusable.
Outsourcing to overseas regulated financial institutions
Consultation Paper on Notice on Outsourcing (Sept 2014):
Maintained requirement that, for an overseas regulated service provider institution, a written confirmation is to be given to the Authority to the effect that:
A. The Authority and any independent auditors appointed by the Authority are allowed access by the supervisory authority to the institution's documents, records of transactions, and information previously given to, stored or processed by the service provider;
B. Rights are granted to inspect the control environment within the service provider, reporting any findings to the Authority;
C. Access to any customer information by the supervisory authority is restricted unless access to the information is required for the sole purpose of carrying out its supervisory functions; the Authority needs to be given prior written notification whenever access to information is granted;
D. It is prohibited under its laws from disclosing the Information to any other person, or it undertakes to safeguard the confidentiality of the Information and not disclose the Information to any other person.
What does this mean to you:
The institution must acquire written consent from the regulated service provider and give that to the supervisory authority before any disclosure.
MAS Outsourcing Guidelines
1. Definitions
2. Applicability
3. Engagement with MAS on outsourcing
4. Responsibility of Board and Management
5. Evaluation of Risks
6. Assessment of Service Providers
7. Outsourcing Agreement
8. Confidentiality and Security
9. Business Continuity Management
10. Monitoring and Control of Outsourcing Arrangements
11. Audit and Inspection
Definitions
Key Requirements:
• The definition of 'institution' has changed; it is now defined as 'any financial institution as defined in section 27A of the Monetary Authority of Singapore Act (Cap. 186)'.
• Guidelines to assess the quality of its risk management systems. MAS is particularly interested in material outsourcing which, if disrupted, has the potential to significantly impact an institution's business operations, reputation or profitability and which may have systemic implications.
What you need to consider:
• Guidelines now define:
− Customer
− Customer information
− Material outsourcing arrangement
− Outsourcing arrangement
• Further clarifies 'material outsourcing' as that which, if disrupted, significantly impacts an institution's:
− business operations
− reputation
− profitability, and which may have systemic implications
Legend: The shaded requirements represent the new. The non-shaded represent changes to the previous Outsourcing Guidelines.
Applicability of Guidelines
Key Requirements:
• An institution should conduct a self-assessment of all existing outsourcing arrangements
• Notify MAS in writing within two months
• Rectify the deficiencies identified in the self-assessment no later than six months
• Mitigate the risks in the interim
• Annex 4 provides a template for an institution to maintain a register of its outsourcing arrangements, which is to be submitted to MAS upon request
What you need to consider:
• The requirement for remediation of issues arising from self-assessment has changed from 1 year to 6 months
• New template for outsourcing register provided
Engagement with MAS on outsourcing
Key Requirements:
• Notify MAS before it commits to the commencement of any material outsourcing arrangement or amends the arrangement
• Observance of these Guidelines: MAS may require an institution to modify, make alternative arrangements or re-integrate an outsourced service where:
(a) an institution fails, or is unable, to demonstrate an understanding of the nature and extent of risks;
(b) an institution fails or is unable to implement adequate measures to address the risks in a timely manner;
(c) there are adverse developments;
(d) MAS' supervisory powers over the institution and ability to carry out MAS' supervisory functions in respect of the institution's services are hindered; or
(e) the confidentiality of its customer information cannot be assured.
What you need to consider:
• The requirement to notify MAS has changed from 'when it is planning or has entered' to before commitment to the contract
• Additional requirements to modify, make alternative arrangements or re-integrate an outsourced service when:
− (a) understanding the risk and remediating in a timely manner
− (e) protecting customer information
Engagement with MAS on outsourcing (continued)
Key Requirements:
• Notify MAS as soon as possible of any adverse development or breach of legal and regulatory requirements
• Newly regulated institutions or acquisitions should:
− Conduct a self-assessment of all existing or newly acquired outsourcing arrangements and inform MAS within two months
− Rectify the deficiencies identified in the self-assessment no later than six months
− Mitigate risks
• In supervising an institution, MAS will assess the quality of its board and senior management oversight and governance
What you need to consider:
• New requirement for organisations which have recently come under the regulation of MAS to now comply with the guidelines
• MAS intends to review implementation of the guidelines and assess the quality of the board and senior management
Responsibility of Board and Management
Key Requirements:
The board and senior management of an institution retain ultimate responsibility for the effective management of risks arising from outsourcing.
The board, or a committee delegated by it, is responsible for:
(a) approving a framework to evaluate the risks and materiality;
(b) setting a suitable risk appetite;
(c) laying down appropriate approval authorities and limits;
(d) assessing management competencies for developing sound and responsive outsourcing risk management policies and procedures commensurate with the nature, scope and complexity of the outsourcing arrangements;
(e) ensuring that senior management establishes appropriate governance structures and processes for risk management;
(f) undertaking regular reviews.
What you need to consider:
• More detail around the need for the board and management to ensure an 'institution-wide view' of risk management
• Requirement for a Materiality Risk Framework
• Responsibility and accountability sit with the senior management and board.
Responsibility of Board and Management (continued)
Key Requirements:
Where the board delegates its responsibility to a committee, senior management is responsible for:
(a) evaluating the materiality and risks from all existing and prospective outsourcing arrangements, based on the framework approved by the board;
(b) developing sound and prudent outsourcing policies and procedures;
(c) reviewing regularly the effectiveness of, and appropriately adjusting, policies, standards and procedures to reflect changes in the institution's overall risk profile and risk environment;
(d) monitoring and maintaining effective control of all risks from its material outsourcing arrangements on an institution-wide basis;
(e) ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested;
(f) ensuring that there is independent review and audit for compliance with set policies and procedures;
(g) ensuring appropriate and timely remedial actions are taken to address audit findings; and
(h) communicating information pertaining to risks from its material outsourcing arrangements to the board in a timely manner.
What you need to consider:
Evaluate, develop, review, monitor, contingency plans, independent review, remediate in a timely manner, communicate.
Evaluation of Risks
Key Requirements:
The institution should establish a framework for risk evaluation which should include the following steps:
(a) identification of the role of its outsourcing arrangements in the overall business strategy and objectives of the institution, and its interaction with corporate strategic goals;
(b) comprehensive due diligence on the nature, scope and complexity of the outsourcing arrangement, to identify the key risks and risk mitigation strategies;
(c) assessment of the service provider and its sub-contractors in the outsourcing arrangement;
(d) analysis of the impact of the arrangement on the overall risk profile of the institution, and whether there are adequate internal expertise and resources to mitigate the risks identified;
(e) analysis of the institution's as well as the institution's group aggregate exposure to the outsourcing arrangement, to manage concentration risks in outsourcing to a service provider;
(f) analysis of risk-return on the potential benefits of outsourcing against the vulnerabilities that may arise.
What you need to consider:
• Risk management framework
• Due diligence on the nature and scope
• Assessment of service provider and sub-contractors
• Analysis of the arrangement on the overall risk profile
• Risk-benefit analysis
Assessment of Service Providers
Key Requirements:
An institution should address all relevant aspects of the service provider, including its capability to employ a high standard of care.
The due diligence should also take into consideration qualitative and quantitative aspects of financial, operational and reputation factors, including the level of ethical and professional standards held by the service provider, and the service provider's ability to comply with its obligations under the outsourcing arrangement. Compatibility, performance, and internal controls should be emphasized in the assessment. Onsite visits to the service provider and, where possible, independent reviews and market feedback on the service provider, should also be used by the institution to supplement its findings. Onsite visits should be conducted by persons who possess the requisite knowledge and skills to conduct the assessment, which includes physical and IT security controls.
What you need to consider:
• Evaluate the service provider, including its ability to perform to high standards of care
• Perform due diligence
Assessment of Service Providers (continued)
Key Requirements:
The due diligence should involve an evaluation of all available information about the service provider. Information to be evaluated, on an annual basis, includes the service provider's:
(a) experience and competence to implement and support the outsourcing arrangement over the contracted period;
(b) financial strength and resources (the due diligence should be similar to a credit assessment of the viability of the service provider based on reviews of business strategy and goals, audited financial statements, the strength of commitment of major equity sponsors and ability to service commitments even under adverse conditions);
(c) corporate governance, business reputation and culture, compliance, complaints and outstanding or potential litigation;
(d) security and internal controls, audit coverage, reporting and monitoring environment;
(e) risk management framework and capabilities, including in technology risk management and business continuity management in respect of the outsourcing arrangement;
(f) disaster recovery arrangements made by the service provider and track record of its disaster recovery service provider if the outsourcing service provider is responsible for such provisions within the outsourcing arrangement;
(g) reliance on and success in dealing with sub-contractors;
(h) insurance coverage;
(i) external factors (such as the political, economic, social and legal environment of the jurisdiction in which the service provider operates, and other events) that may impact service performance; and
(j) its track record and ability to comply with applicable laws and regulations.
Outsourcing Agreement
Key Requirements:
An institution should ensure that every outsourcing agreement addresses the risks and risk mitigation strategies identified at the risk evaluation and due diligence stages. It should, at the very least, have provisions to address all the following aspects of outsourcing:
(a) scope of the outsourcing arrangement;
(b) performance, operational, internal control and risk management standards;
(c) confidentiality and security;
(d) business continuity management;
(e) monitoring and control;
(f) audit and inspection;
(g) notification of adverse developments;
(h) dispute resolution;
(i) default termination and early exit;
(j) sub-contracting;
(k) applicable laws.
What you need to consider:
A robust contract between the institution and the service provider (including sub-contractors)
Confidentiality and Security
Key Requirements:
An institution should be proactive in identifying and specifying requirements for confidentiality and security in the outsourcing arrangement. An institution should take the following steps to ensure that the confidentiality of customer information is addressed:
(a) Address, agree and document the respective responsibilities of the various parties in the outsourcing arrangement to ensure the adequacy and effectiveness of security policies and practices, including the circumstances under which each party has the right to change security requirements. It should also address the issue of the party liable for losses in the event of a breach of security or confidentiality and the service provider's obligation to inform the institution;
(b) Address issues of access and disclosure of customer information provided to the service provider, having regard to the institution's obligations under relevant laws and regulations. Customer information should be used by the service provider and its staff strictly for the purpose of the contracted service. Any unauthorized disclosure of the institution's customer information to any other party should be prohibited;
(c) Disclose customer information to the service provider only on a need-to-know basis and ensure that the amount of information disclosed is commensurate with the requirements of the situation;
(d) Ensure the service provider is able to isolate and clearly identify the institution's customer information, documents, records, and assets to protect the confidentiality of the information, particularly where multi-tenancy arrangements are present at the service provider. An institution should also ensure that the service provider takes technical, personnel and organizational measures in order to maintain the confidentiality of customer information between its various customers; and
(e) Review and monitor the security practices and control processes of the service provider on a regular basis, including commissioning or obtaining periodic expert reports on confidentiality and security adequacy and compliance in respect of the operations of the service provider, and requiring the service provider to disclose breaches of confidentiality in relation to customer information.
Business Continuity Management
Key Requirements:
An institution should ensure that its business continuity is not compromised by any outsourcing arrangement, in particular the operation of its critical systems as stipulated under the Technology Risk Management Notice. An institution should adopt the sound practices and standards contained in the Business Continuity Management (BCM) Guidelines issued by MAS, in evaluating the impact of outsourcing on its risk profile and for effective BCM on an ongoing basis.
For assurance on the functionality and effectiveness of its BCP, an institution should design and carry out regular, complete and meaningful testing of its plans, commensurate with the nature, scope and complexity of the outsourcing arrangement, including risks arising from interdependencies on the institution. For tests to be complete and meaningful, the institution should involve the service provider in the validation of its BCP and assessment of the awareness and preparedness of its own staff. Similarly, the institution should take part in its service providers' BCP and disaster recovery exercises.
What you need to consider:
• Critical systems under BCM should not be compromised due to outsourcing
• Regular testing
• BCM should be based on worst-case scenarios
8/18/2019 Third Party Trust
31/42
Business Continuity Management

Key Requirements

The institution should base its business continuity considerations and requirements on worst-case scenarios.

Some examples of these scenarios are unavailability of the service provider due to unexpected termination of the outsourcing or liquidation of the service provider, and wide-area outage disruptions that result in collateral impact on both the institution and the service provider. Where the interdependency on an institution in the financial system is high, the institution should maintain a higher state of business continuity preparedness. The identification of viable alternatives for resuming operations without incurring prohibitive costs is also essential to mitigate interdependency risk.
Monitoring and Control of Outsourcing Arrangements

Key Requirements

An institution should put in place all the following measures for effective monitoring and control of any material outsourcing arrangement:

(a) A register of all material outsourcing arrangements that is readily accessible for review by the board and senior management of the institution.
(b) Multi-disciplinary outsourcing management groups with members from different risk and internal control functions, including legal, compliance and finance.
(c) Establishment of management control groups to monitor and control the outsourced service on an ongoing basis.
(d) Establishment of service recovery procedures and reporting of lapses relating to the agreed service standards by the service provider.

What you need to consider

• Implement a material outsourcing register
• The outsourcing group needs personnel with multiple skills (technical/legal/risk/compliance)
• Regular service delivery monitoring via validated reports covering confidentiality, security adequacy, compliance and security vulnerability management
• Establishment of service recovery procedures and reporting of lapses relating to the agreed service standards by the service provider
• Periodic reviews, at least on an annual basis, of outsourcing arrangements
(e) Periodic reviews, at least on an annual basis, of outsourcing arrangements.
(f) Reporting policies and procedures. Reports on the monitoring and control activities of the institution should be prepared or reviewed by its senior management and provided to its board for information.
(g) Pre- and post-implementation reviews of new outsourcing arrangements or when amendments are made to the outsourcing arrangements.

The institution should ensure that monitoring metrics and performance data specific to the institution are available for reporting, and not aggregated with metrics or data belonging to other customers of the service provider. The institution should also ensure that any adverse development arising in any outsourcing arrangement is brought to the attention of the senior management of the institution and service
Audit and Inspection

Key Requirements

An institution's outsourcing arrangements should not interfere with the ability of the institution to effectively manage its business activities or impede MAS in carrying out its supervisory functions and objectives.

An institution should include in all its outsourcing agreements clauses that:

(a) allow the institution to conduct audits on the service provider and its sub-contractors, whether by its internal or external auditors, or by agents appointed by the institution;
(b) allow MAS, or any agent appointed by MAS, where necessary or expedient, to exercise the contractual rights of the institution;
(c) indemnify and hold MAS, its officers, agents and employees harmless from any liability, loss or damage to the service provider and its sub-contractors arising out of any action taken to access and inspect the service provider or its sub-contractors pursuant to the outsourcing agreement.

What you need to consider

• Right to independently audit
• Indemnify MAS or any other party that is requested to assess the service provider
• Service provider to comply as soon as possible
• Maximum period between audits
The outsourcing agreement should also include clauses that require the service provider to comply, as soon as possible.

An institution should ensure that independent audits and/or expert assessments of all its outsourcing arrangements are conducted.

The independent audit and/or expert assessment and reports on the service provider and its sub-contractors may be performed and prepared by the institution's internal or external auditors, or by agents appointed by the institution.
Key Requirements

Significant issues and concerns should be brought to the attention of the senior management of the institution and service provider, or to its board, where warranted, on a timely basis.

Copies of audit reports should be submitted by the institution to MAS. An institution should also, upon request, provide MAS with other reports or information on the institution and service provider that is related to the outsourcing arrangement.

The engagement of a service provider in a foreign country, or an engagement whereby the outsourced function is performed in a foreign country, exposes an institution to country risk: economic, social and political conditions and events in a foreign country that may adversely affect the institution. Such conditions and events could prevent the service provider from carrying out the terms of its agreement with the institution. In its risk management of such outsourcing arrangements, an institution should take into account, with due diligence and on a continuous basis:

(a) government policies;
(b) political, social and economic conditions;
(c) legal and regulatory developments in the foreign country; and
(d) the institution's ability to effectively monitor the service provider.

What you need to consider

• Senior management need to be aware of significant issues
• Copies of audit reports made available to MAS
• Be aware of the risks when outsourcing to other countries
Competitive Intelligence: our observation of industry practices
In a Nutshell – Areas of focus

[Diagram: the Core Business at the centre, surrounded by Outsource Partner 1, Outsource Partner 2 and Outsource Partner 3. Areas of focus around them: Governance, Policies, Independent Reviews, Selection, Due Diligence, Service level agreements (SLAs), People, Procedures, Regular monitoring, Regular reporting.]
Average losses are up 18% over last year, which is not surprising given the costs and complexity of responding to security incidents. Big liabilities are increasing faster than smaller losses: respondents reporting losses of $10 million-plus are up 51% from 2011.

The financial costs of incidents are rising, particularly among organisations reporting high dollar-value impact.

[Chart: Financial losses of $100,000 or more, 2012 vs 2013, by bracket: $100,000 to $999,999; $1 million to $9.9 million; $10 million or more. Values shown on the chart: 19%, 5%, 6%, 24%, 7%, 7%. Source: Global Information Security Survey, Question 22A: "Estimated total financial losses as a result of all security incidents".]

Industries reporting $10 million+ losses: Oil & Gas 24%, Pharmaceuticals 20%, Financial Services 9%, Technology 9%, Industrial Products 8%.
Appendix:
Useful Resources
The MAS Notice on Outsourcing: http://www.mas.gov.sg/~/media/MAS/News%20and%20Publications/Consultation%20Papers/ConsultationPaper_Notice%20on%20Outsourcing.pdf

MAS Guidelines on Outsourcing: http://www.mas.gov.sg/~/media/MAS/News%20and%20Publications/Consultation%20Papers/ConsultationPaper_Guidelines%20on%20Outsourcing.pdf
Shine a brighter light on your business ecosystem

Mark Jansen, +65 8100 7123, mark.jansen@sg.pwc.com
Tan Shong Ye, +65 9820 3623, shong.ye.tan@sg.pwc.com
Chan Hiang Tiak, +65 9763 3190, hiang.tiak.chan@sg.pwc.com
Manish Chawda, +65 9180 1882, manish.chawda@sg.pwc.com
This presentation has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PricewaterhouseCoopers Limited. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Limited, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.