Outsourcing requirements for banks (including merchant banks) in Singapore is changing on 11 December 2024. Suppliers of financial technology to the banking sector should prepare for the new regulatory framework for outsourcing released by the Monetary Authority of Singapore (MAS).
The new framework replaces the current one: MAS Notice 634 for banks, MAS Notice 1108 for merchant banks, and the 2016 MAS Outsourcing Guidelines for all financial institutions. However, many of the current outsourcing obligations will remain in place.
The aim of the new framework is to embed additional information protections and oversight into arrangements between banks and outsourced service providers. Specifically, there is a focus on protecting customer confidential information disclosed to the service provider, whether inside or outside Singapore. That means the new MAS framework is applicable to Fintech suppliers with customers who are banks in Singapore
What's new?
Firstly, there are now three sets of guidelines; Notice 658 relevant to banks, Notice 1121 relevant to merchant banks; and a new set of Outsourcing Guidelines to replace the version issued in 2016, which is relevant to all financial institutions other than banks (FIOBs) such as insurers, payment service providers and finance companies.
Under the new guidelines, the compliance burden on banks in relation to material ongoing outsourced relevant services (MOORS) is the heaviest; with obligations on FIOBs more streamlined in comparison.
However, for Fintech suppliers with customers across the financial spectrum, this distinction may not be particularly important, as standard global contracting terms will need to anticipate the additional regulatory burden on banks, over and above those relevant to FIOBs.
Which suppliers are caught?
The new MAS framework is relevant to suppliers who provide an 'outsourced relevant service'. The definition of this is broad under the new MAS guidelines, and will capture any service provided to a bank that:
- is a service that is or was performed by the bank prior to the tech provider providing the service;
- is integral to any service that the bank may carry on (note – this is analogous to a 'critical or important function' under the European frameworks); or
- is listed within Annex C; Annex C includes all public cloud services (SaaS, PaaS and IaaS), IT helpdesks, data centres, HR services, and certain IT management functions.
Because of this, the MAS framework casts a wide net. Some services are excluded from being caught, and those are listed in Annex B.
Ongoing outsourced relevant services that are considered 'material' (MOORS), according to the bank's assessment of the associated risks with the service provided, attract additional obligations.
Fintech suppliers providing any of these services directly or under an enterprise agreement that includes local country addendums for Singapore (or where the Singapore branch is directly benefiting from the enterprise service provision), will be caught under the new framework; as will suppliers who may not be physically present in Singapore but whose services are used by the Singapore branch of a bank. Suppliers likely to be caught under the new MAS framework should ensure that their contractual documents reflect the new requirements in advance.
Similar regulations elsewhere?
The new MAS framework is more prescriptive than similar regulations in Europe, such as the EBA Guidelines or the Digital Operational Resilience Act (DORA). Though they cover broadly the same subject matter, comparatively, the MAS framework does not offer the same level of flexibility and in a departure from the European regulations, does not incorporate the overarching concept of proportionality. The language used in the MAS guidelines is also more definitive – obligations on banks are couched in the language of 'must' rather than the more flexible language found in the EBA guidelines and DORA. This reflects the stringent approach that MAS is taking towards outsourcing in the financial sector.
The obligations on banks in terms of providing information to MAS are more robust under the new framework as banks are required to maintain a register of all suppliers, which must be submitted to MAS semi-annually. Banks should ensure MOORS suppliers inform the bank in writing prior to engaging any subcontractors (or within a reasonable time).
What next?
For tailored advice on how the new MAS guidelines, the EBA, SYSC and the Digital Operation and Resilience Act should guide contract updates for Fintech suppliers, or if you are interested in our Fintech Supplier Checklist, please contact our team.