third party trust

Upload: rehan

Post on 07-Jul-2018


  • 8/18/2019 Third Party Trust

    1/42

    Third Party Trust

     Manage your outsourcing arrangements. Who's keeping your promises?

    October 2014

    Issue 1


    PwC

    Contents

    Page
    MAS Outsourcing Guidelines and Notice   4
    Implications of Notice   6
    MAS Outsourcing Guidelines   18
    Competitive Intelligence   37
    Appendix   40

    “An ecosystem of trust needs to exist between you and any stakeholder or partner who is making and keeping promises on your behalf”

    Marco Amitrano, Global Assurance Markets Leader


    MAS Outsourcing Notices and Guidelines (consultation 09/2014)


    Outsourcing Guidelines and Notice 

    • MAS released the Outsourcing Guidelines and Notice for consultation in September 2014

    • “The Notice will be issued under the relevant provision(s) of the respective Act applicable to each institution, e.g. for banks, the Notice will be issued pursuant to section 55 and paragraph 3 of Part II of the Third Schedule of the Banking Act (Cap. 19):”

    • What does this mean: “A bank in Singapore shall comply with any direction given to the bank or any requirement imposed on the bank by any notice issued under this Act.”

    • The Notice will impact
      − All Financial Institutions (FIs) (see Appendix for definitions)
      − All material outsourcing agreements
      − Potentially any existing arrangements where customer information may not be segregated or identified, though this concept of protection is also linked to the Technology Risk Management (TRM) Guidelines and Notice

    The new MAS Outsourcing Guidelines and Notice have been enhanced to help financial institutions prevent their risk management, internal control, business conduct or reputation from being compromised or weakened by their outsourcing arrangements.

    Non-compliance with the Notice can result in:
    • Financial penalties
    • Reputational damage
    • Revocation of licence to operate in Singapore


    The Meaning of “material outsourcing arrangement”  

    *Outsourcing arrangement where:

    • a failure or security breach of the service potentially has significant impact on business operations, reputation or profitability, or prevents compliance with applicable laws and regulations; or

    • which involves customer information and, in the event of any unauthorized access or disclosure, loss or theft of customer information, may have significant impact on your customers; or

    • where a service provider provides the institution with a service that may currently or potentially be performed by the institution itself and which includes the following characteristics:
      (i) the institution is dependent on the service on an ongoing basis, but such service excludes services that involve the provision of a finished product; and
      (ii) the service is integral to the provision of a financial service by the institution, or the service is provided to the market by the service provider in the name of the institution;

    *Extracted from MAS Consultation Paper on Notice on Outsourcing


    What are the implications of the Notice?

    MAS Notice on Outsourcing: eight areas and their implications

    • Definitions, consistency between regulation: the customer definition is different between the Banking Act, the TRM Notice and the PDPA.
    • Management of material outsourcing arrangements: create a materiality risk management framework to assist in the management of outsourcing arrangements.
    • Assessment of service providers: execute a due diligence assessment of service providers against the FI's policies and procedures (perform the process annually).
    • Access to information: authorities' access to information at the service provider.
    • Protection of customer data: customer information to be isolated, with appropriate controls to protect it (need to know).
    • Audit: independent audits and expert assessments.
    • Termination and exit of outsourcing: exiting of contract, change of ownership, information loss.
    • Outsourcing to overseas regulated financial institutions: enable audits of service providers.


    With the new Outsourcing Notice, eight grouped areas that impact your business were identified:

    1. Definitions
    2. Management of material outsourcing arrangements
    3. Assessment of service providers
    4. Access to information
    5. Protection of customer data
    6. Audit
    7. Termination and exit of outsourcing
    8. Outsourcing to overseas regulated financial institutions


    “Will the new Outsourcing Notice supersede Notice 634?”

    Clarifications

    Banking Act & Notice 634

    When outsourcing any operational function to a service provider such that the outsourced function will be performed by the service provider outside Singapore and disclosure of customer information (as defined in section 40A of the Banking Act) to the service provider is involved, all banks in Singapore relying on the exception provided in paragraph 3 of Part II of the Third Schedule of the Banking Act are required to comply with the Conditions set out in the Appendix to this Notice.

    Legend: This is the first introduction of a Notice in respect of Outsourcing. The requirements in the Notice are all new.


    Definitions and Clarifications

    Consultation Paper on Notice on Outsourcing (Sept 2014):
    • Presented as a full notice
    • Contains 8 detailed sections of requirements
    • Attempts to cover material outsourcing agreements (see material definition) instead of all outsourcing agreements involving customer information
    • Newly defines terminology used by introducing definitions for words such as “customer”, “customer information”, “outsourcing arrangement”, “sub-contracting”, etc.

    What does this mean to you:
    • Which act takes precedence? Banking Act, Notice 634, MAS TRM, PDPA?
    • Definitions need to be consistent across MAS TRM, Banking Secrecy, PDPA and MAS Outsourcing

    “The Notice has definitions and is a legally binding requirement for FIs”


    Management of material outsourcing arrangements

    Consultation Paper on Notice on Outsourcing (Sept 2014):
    New requirement to demonstrate, at minimum:
    A. policies and processes to identify outsourcing agreements
    B. a risk management framework, systems, policies and processes to assess, control and monitor its outsourcing arrangements with respect to compliance with laws, rules, regulations, notices and directives applicable to the institution

    What does this mean to you:
    • Enhance policies and processes to identify all material outsourcing arrangements
    • Have a risk management framework to assess, control and monitor outsourcing arrangements, so as to remain compliant notwithstanding outsourcing arrangements


    Management of material outsourcing arrangements

    Consultation Paper on Notice on Outsourcing (Sept 2014):
    New requirement to demonstrate, at minimum:
    A. maintenance of a central register of all material outsourcing arrangements
    B. steps taken and documentation, upon request

    What does this mean to you:
    • Maintain a central register of all material outsourcing arrangements. Refine your current practices for adequate recording of your outsourcing arrangements
    • Retain documentary evidence demonstrating compliance with the Notice
    • Establish good communication procedures between the board and the committee


    Assessment of service providers

    Consultation Paper on Notice on Outsourcing (Sept 2014):
    New detailed requirements extend the due diligence obligation to now necessitate risk assessment processes.
    • Perform due diligence during the assessment process as part of the monitoring and control processes of its outsourcing arrangements.
    • Findings from due diligence should also be considered in determining the audit scope.
    • An institution should conduct onsite visits to the service provider by personnel who possess the requisite knowledge and skills to conduct the assessment, which includes physical and IT security controls.
    • An annual re-assessment is now required.

    What does this mean to you:
    • The capability of assessing suppliers' governance, security, internal controls and the safeguarding of confidentiality, integrity and availability of information.
    • An institution needs to assess employees of a service provider and perform the assessment on an annual basis.


    Access to information

    Consultation Paper on Notice on Outsourcing (Sept 2014):
    Extended requirement to include outsourcing agreement provisions to:
    A. Allow the institution, the Authority or any agent appointed by the Authority, and auditors the right to audit, access and inspect the service provider's and its sub-contractors' records, transactions, information stored at or processed by the service provider and its sub-contractors, and reports and findings made internally or externally.
    B. Indemnify and hold the Authority, its officers, agents and employees harmless from any liability, loss or damage to the service provider and its sub-contractors arising out of any action taken to access and inspect the service provider or its sub-contractors pursuant to the outsourcing agreement.

    What does this mean to you:
    • The right to audit the service provider
    • To indemnify the Authority (“Regulator”) or its agents against any legal action if loss or damage occurs


    Protection of customer data

    Consultation Paper on Notice on Outsourcing (Sept 2014):
    • The notion of deposit customer information is now removed.
    • The requirement to include outsourcing agreement provisions has been extended to:
      A. protect the confidentiality of customer information;
      B. isolate and clearly identify the customer information, institution's documents, records, and assets;
      C. limit access to information by the employees of the service provider and its sub-contractors on a need and duties obligation basis;
      D. restrict disclosure of information by the service provider, its sub-contractors and their employees to any other party unless required to do so by law;
      E. notify the institution as soon as practicable prior to information disclosure;
      F. any information disclosed shall be used by the institution strictly for the purpose for which it was disclosed.

    What does this mean to you:
    • An institution shall require the service provider to isolate and clearly identify the institution's customer information, documents, records, and assets to protect the confidentiality of the information.
    • An institution shall only disclose customer information to the service provider on a need-to-know basis.
    • Immediate notification upon breach/loss of information.


    Audit

    Consultation Paper on Notice on Outsourcing (Sept 2014):
    • Refined requirement: audits should now be conducted by an independent auditor and/or expert assessments, based on the nature and extent of risk and impact to the institution from the outsourcing arrangements
    • New: the elapsed time between audits could now be up to 3 years
    • New: the scope of the audits now includes the service provider and its sub-contractors
    • New: the sub-contractors also need to fulfil MAS' Guidelines on Outsourcing and comply with the Notice in relation to the outsourcing arrangement, and provide a copy of their reports

    What does this mean to you:
    • Independent audit/expert assessment to be performed at least every 3 years (previously only stipulated as 'periodically'); it may be performed and prepared by the institution's internal or external auditors, or by agents appointed by the institution
    • The scope includes the service provider and sub-contractors


    Termination and exit of outsourcing

    Consultation Paper on Notice on Outsourcing (Sept 2014):
    • Previous 2004 conditions are kept
    • Requirements to have the ability to terminate the outsourcing agreement are now extended to include events where:
      A. the institution is prevented from conducting any audits or obtaining any report and finding made on the service provider;
      B. the institution is prevented from assessing the service provider's compliance with the outsourcing agreement;
      C. the institution is directed by the Authority to terminate the outsourcing arrangement as the service provider has failed to comply with all applicable laws and regulations.

    What does this mean to you:
    Upon the termination of an outsourcing agreement, an institution shall ensure that all documents, records of transactions and information previously given to the service provider are removed from the possession of the service provider or deleted, destroyed or rendered unusable.


    Outsourcing to overseas regulated financial institutions

    Consultation Paper on Notice on Outsourcing (Sept 2014):
    Maintained requirement: where the service provider is an overseas regulated institution, a written confirmation is to be given to the Authority to the effect that:
    A. the Authority and any independent auditors appointed by the Authority are allowed access by the supervisory authority to the institution's documents, records of transactions, and information previously given to, stored or processed by the service provider;
    B. rights are granted to inspect the control environment within the service provider, reporting any findings to the Authority;
    C. access to any customer information by the supervisory authority is restricted unless access to the information is required for the sole purpose of carrying out its supervisory functions; the Authority needs to be given prior written notification whenever access to information is granted;
    D. it is prohibited under its laws from disclosing the Information to any other person, or it undertakes to safeguard the confidentiality of the Information and not disclose the Information to any other person.

    What does this mean to you:
    The institution must acquire written consent from the regulated service provider and give that to the supervisory authority before any disclosure.


    MAS Outsourcing Guidelines

    1. Definitions
    2. Applicability
    3. Engagement with MAS on outsourcing
    4. Responsibility of Board and Management
    5. Evaluation of Risks
    6. Assessment of Service Providers
    7. Outsourcing Agreement
    8. Confidentiality and Security
    9. Business Continuity Management
    10. Monitoring and Control of Outsourcing Arrangements
    11. Audit and Inspection


    Definitions

    Key Requirements:
    • Definition of 'institution' has changed; it is now defined as 'any financial institution as defined in section 27A of the Monetary Authority of Singapore Act (Cap. 186)'
    • Guidelines to assess the quality of its risk management systems. MAS is particularly interested in material outsourcing which, if disrupted, has the potential to significantly impact an institution's business operations, reputation or profitability and which may have systemic implications.

    What you need to consider:
    • Guidelines now define:
      − Customer
      − Customer information
      − Material outsourcing arrangement
      − Outsourcing arrangement
    • Further clarifies 'material outsourcing' as that which, if disrupted, may significantly impact an institution's:
      − business operations
      − reputation
      − profitability, and which may have systemic implications

    Legend: The shaded requirements represent the new. The non-shaded represent changes to the previous Outsourcing Guidelines.


    Applicability of Guidelines

    Key Requirements:
    • An institution should conduct a self-assessment of all existing outsourcing arrangements
    • Notify MAS in writing within two months
    • Rectify the deficiencies identified in the self-assessment no later than six months
    • Mitigate the risks in the interim
    • Annex 4 provides a template for an institution to maintain a register of its outsourcing arrangements, which is to be submitted to MAS upon request

    What you need to consider:
    • Requirement for remediation of issues arising from self-assessment has changed from 1 year to 6 months
    • New template for outsourcing register provided


    Engagement with MAS on outsourcing

    Key Requirements:
    • Notify MAS before it commits to the commencement of any material outsourcing arrangement or amends the arrangement
    • Observance of these Guidelines: MAS may require an institution to modify, make alternative arrangements or re-integrate an outsourced service where:
      (a) an institution fails, or is unable, to demonstrate an understanding of the nature and extent of risks;
      (b) an institution fails or is unable to implement adequate measures to address the risks in a timely manner;
      (c) adverse developments;
      (d) MAS' supervisory powers over the institution and ability to carry out MAS' supervisory functions in respect of the institution's services are hindered; or
      (e) the confidentiality of its customer information cannot be assured.

    What you need to consider:
    • Requirement to notify MAS has changed from 'when it is planning or has entered' to before commitment to the contract
    • Additional requirements to modify, make alternative arrangements or re-integrate an outsourced service when:
      − (a) Understand the risk and remediate in a timely manner
      − (e) Protect customer information


    Engagement with MAS on outsourcing

    Key Requirements:
    • Notify MAS as soon as possible of any adverse development or breach of legal and regulatory requirements
    • Newly regulated or newly acquired institutions should:
      − Conduct a self-assessment of all existing or newly acquired outsourcing arrangements and inform MAS within two months
      − Rectify the deficiencies identified in the self-assessment no later than six months
      − Mitigate risks
    • In supervising an institution, MAS will assess the quality of its board and senior management oversight and governance

    What you need to consider:
    • New requirement for organisations which have recently come under the regulation of MAS to now comply with the guidelines
    • MAS intends to review implementation of the guidelines and assess the quality of the board and senior management


    Responsibility of Board and Management

    Key Requirements:
    The board and senior management of an institution retain ultimate responsibility for the effective management of risks arising from outsourcing.

    The board, or a committee delegated by it, is responsible for:
    (a) approving a framework to evaluate the risks and materiality;
    (b) setting a suitable risk appetite;
    (c) laying down appropriate approval authorities and limits;
    (d) assessing management competencies for developing sound and responsive outsourcing risk management policies and procedures commensurate with the nature, scope and complexity of the outsourcing arrangements;
    (e) ensuring that senior management establishes appropriate governance structures and processes for risk management;
    (f) undertaking regular reviews.

    What you need to consider:
    • More detail around the need for the board and management to ensure an 'institution-wide view' of risk management
    • Requirement for a Materiality Risk Framework
    • Responsibility and accountability is with the senior management and board


    Responsibility of Board and Management

    Key Requirements:
    Where the board delegates its responsibility to a committee, senior management is responsible for:
    (a) evaluating the materiality and risks from all existing and prospective outsourcing arrangements, based on the framework approved by the board;
    (b) developing sound and prudent outsourcing policies and procedures;
    (c) reviewing regularly the effectiveness of, and appropriately adjusting, policies, standards and procedures to reflect changes in the institution's overall risk profile and risk environment;
    (d) monitoring and maintaining effective control of all risks from its material outsourcing arrangements on an institution-wide basis;
    (e) ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested;
    (f) ensuring that there is independent review and audit for compliance with set policies and procedures;
    (g) ensuring appropriate and timely remedial actions are taken to address audit findings; and
    (h) communicating information pertaining to risks from its material outsourcing arrangements to the board in a timely manner.

    What you need to consider:
    Evaluate, develop, review, monitor, contingency plans, independent review, remediate in a timely manner, communicate


    Evaluation of Risks

    Key Requirements:
    The institution should establish a framework for risk evaluation which should include the following steps:
    (a) identification of the role of its outsourcing arrangements in the overall business strategy and objectives of the institution, and its interaction with corporate strategic goals;
    (b) comprehensive due diligence on the nature, scope and complexity of the outsourcing arrangement, to identify the key risks and risk mitigation strategies;
    (c) assessment of the service provider and its sub-contractors in the outsourcing arrangement;
    (d) analysis of the impact of the arrangement on the overall risk profile of the institution, and whether there are adequate internal expertise and resources to mitigate the risks identified;
    (e) analysis of the institution's as well as the institution's group aggregate exposure to the outsourcing arrangement, to manage concentration risks in outsourcing to a service provider;
    (f) analysis of risk-return on the potential benefits of outsourcing against the vulnerabilities that may arise.

    What you need to consider:
    • Risk management framework
    • Due diligence on the nature and scope
    • Assessment of service provider and sub-contractors
    • Analysis of the arrangement on the overall risk profile
    • Risk-benefit analysis


    Assessment of Service Providers

    Key Requirements:
    An institution should address all relevant aspects of the service provider, including its capability to employ a high standard of care.

    The due diligence should also take into consideration qualitative and quantitative aspects of financial, operational and reputation factors, including the level of ethical and professional standards held by the service provider, and the service provider's ability to comply with its obligations under the outsourcing arrangement. Compatibility, performance, and internal controls should be emphasized in the assessment. Onsite visits to the service provider and, where possible, independent reviews and market feedback on the service provider, should also be used by the institution to supplement its findings. Onsite visits should be conducted by persons who possess the requisite knowledge and skills to conduct the assessment, which includes physical and IT security controls.

    What you need to consider:
    • Evaluate the service provider, including its ability to perform to high standards of care
    • Perform due diligence


    Assessment of Service Providers

    Key Requirements:
    The due diligence should involve an evaluation of all available information about the service provider. Information to be evaluated, on an annual basis, includes the service provider's:
    (a) experience and competence to implement and support the outsourcing arrangement over the contracted period;
    (b) financial strength and resources (the due diligence should be similar to a credit assessment of the viability of the service provider based on reviews of business strategy and goals, audited financial statements, the strength of commitment of major equity sponsors and ability to service commitments even under adverse conditions);
    (c) corporate governance, business reputation and culture, compliance, complaints and outstanding or potential litigation;
    (d) security and internal controls, audit coverage, reporting and monitoring environment;
    (e) risk management framework and capabilities, including in technology risk management and business continuity management in respect of the outsourcing arrangement;
    (f) disaster recovery arrangements made by the service provider and track record of its disaster recovery service provider if the outsourcing service provider is responsible for such provisions within the outsourcing arrangement;
    (g) reliance on and success in dealing with sub-contractors;
    (h) insurance coverage;
    (i) external factors (such as the political, economic, social and legal environment of the jurisdiction in which the service provider operates, and other events) that may impact service performance; and
    (j) its track record and ability to comply with applicable laws and regulations.


    Outsourcing Agreement

    Key Requirements:
    An institution should ensure that every outsourcing agreement addresses the risks and risk mitigation strategies identified at the risk evaluation and due diligence stages. It should, at the very least, have provisions to address all the following aspects of outsourcing:
    (a) scope of the outsourcing arrangement;
    (b) performance, operational, internal control and risk management standards;
    (c) confidentiality and security;
    (d) business continuity management;
    (e) monitoring and control;
    (f) audit and inspection;
    (g) notification of adverse developments;
    (h) dispute resolution;
    (i) default termination and early exit;
    (j) sub-contracting;
    (k) applicable laws.

    What you need to consider:
    A robust contract between the institution and service provider (including sub-contractors)


    Confidentialityand Security

    29

Key Requirements

An institution should be proactive in identifying and specifying requirements for confidentiality and security in the outsourcing arrangement. An institution should take the following steps to ensure that the confidentiality of customer information is addressed:

(a) Address, agree and document the respective responsibilities of the various parties in the outsourcing arrangement to ensure the adequacy and effectiveness of security policies and practices, including the circumstances under which each party has the right to change security requirements. It should also address the issue of the party liable for losses in the event of a breach of security or confidentiality and the service provider's obligation to inform the institution;

(b) Address issues of access and disclosure of customer information provided to the service provider having regard to the institution's obligations under relevant laws and regulations. Customer information should be used by the service provider and its staff strictly for the purpose of the contracted service. Any unauthorized disclosure of the institution's customer information to any other party should be prohibited;

(c) Disclose customer information to the service provider only on a need-to-know basis and ensure that the amount of information disclosed is commensurate with the requirements of the situation;

(d) Ensure the service provider is able to isolate and clearly identify the institution's customer information, documents, records, and assets to protect the confidentiality of the information, particularly where multi-tenancy arrangements are present at the service provider. An institution should also ensure that the service provider takes technical, personnel and organizational measures in order to maintain the confidentiality of customer information between its various customers; and

(e) Review and monitor the security practices and control processes of the service provider on a regular basis, including commissioning or obtaining periodic expert reports on confidentiality and security adequacy and compliance in respect of the operations of the service provider, and requiring the service provider to disclose breaches of confidentiality in relation to customer information.


Business Continuity Management


Key Requirements

An institution should ensure that its business continuity is not compromised by any outsourcing arrangement, in particular, of the operation of its critical systems as stipulated under the Technology Risk Management Notice. An institution should adopt the sound practices and standards contained in the Business Continuity Management (BCM) Guidelines issued by MAS, in evaluating the impact of outsourcing on its risk profile and for effective BCM on an ongoing basis.

For assurance on the functionality and effectiveness of its BCP plan, an institution should design and carry out regular, complete and meaningful testing of its plans that are commensurate with the nature, scope and complexity of the outsourcing arrangement, including risks arising from interdependencies on the institution. For tests to be complete and meaningful, the institution should involve the service provider in the validation of its BCP and assessment of the awareness and preparedness of its own staff. Similarly, the institution should take part in its service providers' BCP and disaster recovery exercises.

What you need to consider

• Critical Systems from a BCM perspective should not be compromised due to Outsourcing
• Regular testing
• BCM should be based on worst case scenarios


Business Continuity Management


Key Requirements

The institution should base its business continuity considerations and requirements on worst-case scenarios. Some examples of these scenarios are unavailability of the service provider due to unexpected termination of the outsourcing or liquidation of the service provider, and wide-area outage disruptions that result in collateral impact on both the institution and the service provider. Where the interdependency on an institution in the financial system is high[18], the institution should maintain a higher state of business continuity preparedness. The identification of viable alternatives for resuming operations without incurring prohibitive costs is also essential to mitigate interdependency risk.


Monitoring and Control of Outsourcing Arrangements


Key Requirements

An institution should put in place all the following measures for effective monitoring and control of any material outsourcing arrangement:

(a) A register of all material outsourcing arrangements that is readily accessible for review by the board and senior management of the institution.
(b) Multi-disciplinary outsourcing management groups with members from different risk and internal control functions including legal, compliance and finance.
(c) Establishment of management control groups to monitor and control the outsourced service on an ongoing basis.
(d) Establishment of service recovery procedures and reporting of lapses relating to the agreed service standards by the service provider.

What you need to consider

• Implement a material outsourcing register
• Outsourcing group needs to have personnel with multiple skills (technical/legal/risk/compliance)
• Regular service delivery monitoring via validated reports: confidentiality, security adequacy, compliance, security vulnerability management
• Establishment of service recovery procedures and reporting of lapses relating to the agreed service standards by the service provider
• Periodic reviews, at least on an annual basis, of outsourcing arrangements


Monitoring and Control of Outsourcing Arrangements


Key Requirements

An institution should put in place all the following measures for effective monitoring and control of any material outsourcing arrangement:

(e) Periodic reviews, at least on an annual basis, of outsourcing arrangements.
(f) Reporting policies and procedures. Reports on the monitoring and control activities of the institution should be prepared or reviewed by its senior management and provided to its board for information.
(g) Pre- and post-implementation reviews of new outsourcing arrangements or when amendments are made to the outsourcing arrangements.

The institution should ensure that monitoring metrics and performance data specific to the institution are available for reporting, and not aggregated with metrics or data belonging to other customers of the service provider. The institution should also ensure that any adverse development arising in any outsourcing arrangement is brought to the attention of the senior management of the institution and service


     Audit and Inspection


Key Requirements

An institution's outsourcing arrangements should not interfere with the ability of the institution to effectively manage its business activities or impede MAS in carrying out its supervisory functions and objectives.

An institution should include in all its outsourcing agreements clauses that:

(a) allow the institution to conduct audits on the service provider and its sub-contractors, whether by its internal or external auditors, or by agents appointed by the institution;
(b) allow MAS, or any agent appointed by MAS, where necessary or expedient, to exercise the contractual rights of the institution; and
(c) indemnify and hold MAS, its officers, agents and employees harmless from any liability, loss or damage to the service provider and its sub-contractors arising out of any action taken to access and inspect the service provider or its sub-contractors pursuant to the outsourcing agreement.

What you need to consider

• Right to independently audit
• Indemnify MAS or any other party that is requested to assess the service provider
• Service provider to comply as soon as possible
• Maximum period between audits


     Audit and Inspection


Key Requirements

The outsourcing agreement should also include clauses that require the service provider to comply, as soon as possible.

An institution should ensure that independent audits and/or expert assessments of all its outsourcing arrangements are conducted. The independent audit and/or expert assessment and reports on the service provider and its sub-contractors may be performed and prepared by the institution's internal or external auditors, or by agents appointed by the institution.

What you need to consider

• Right to independently audit
• Indemnify MAS
• Service provider to comply as soon as possible
• Maximum period between audits


Audit and Inspection

Key Requirements

Significant issues and concerns should be brought to the attention of the senior management of the institution and service provider, or to its board, where warranted, on a timely basis.

Copies of audit reports should be submitted by the institution to MAS. An institution should also, upon request, provide MAS with other reports or information on the institution and service provider that is related to the outsourcing arrangement.

The engagement of a service provider in a foreign country, or the engagement whereby the outsourced function is performed in a foreign country, exposes an institution to country risk: economic, social and political conditions and events in a foreign country that may adversely affect the institution. Such conditions and events could prevent the service provider from carrying out the terms of its agreement with the institution. In its risk management of such outsourcing arrangements, an institution should take into account, with due diligence and on a continuous basis:

(a) government policies;
(b) political, social, economic conditions;
(c) legal and regulatory developments in the foreign country; and
(d) the institution's ability to effectively monitor the service provider.

What you need to consider

• Senior management need to be aware of significant issues
• Copies of audit reports made available to MAS
• Be aware of the risks when outsourcing to other countries


Competitive Intelligence

Our observation of industry practices


     In a Nutshell – Areas of focus 


Diagram: Core Business with Outsource Partner 1, Outsource Partner 2 and Outsource Partner 3. Areas of focus shown: Governance, Policies, Independent Reviews, Selection, Due Diligence, Service level agreements (SLAs), People, Procedures, Regular monitoring, Regular reporting.


Average losses are up 18% over last year, which is not surprising given the costs and complexity of responding to security incidents. Big liabilities are increasing faster than smaller losses: Respondents reporting losses of $10 million-plus is up 51% from 2011.

The financial costs of incidents are rising, particularly among organisations reporting high dollar-value impact.

Chart: Financial losses of $100,000 or more, 2012 vs 2013, by loss band ($100,000 to $999,999; $1 million to $9.9 million; $10 million or more). Percentages shown on the chart: 19%, 5%, 6%, 24%, 7%, 7%.

Source: Question 22A: "Estimated total financial losses as a result of all security incidents", Global Information Security Survey.

Industries reporting $10 million+ losses:
• Oil & Gas: 24%
• Pharmaceuticals: 20%
• Financial Services: 9%
• Technology: 9%
• Industrial Products: 8%


Appendix: Useful Resources


Useful Resources

The MAS Notice on Outsourcing
http://www.mas.gov.sg/~/media/MAS/News%20and%20Publications/Consultation%20Papers/ConsultationPaper_Notice%20on%20Outsourcing.pdf

    MAS Guidelines on Outsourcing

    http://www.mas.gov.sg/~/media/MAS/News%20and%20Publications/Consultation%20Papers/ConsultationPaper_Guidelines%20on%20Outsourcing.pdf  



     Shine a brighter light on your business ecosystem 

Mark Jansen
+65 8100 [email protected]

Tan Shong Ye
+65 9820 [email protected]

Chan Hiang Tiak
+65 9763 [email protected]

Manish Chawda
+65 9180 [email protected]

This presentation has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PricewaterhouseCoopers Limited. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Limited which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.