Spotlight on: Monetary Authority of Singapore’s (MAS) Guidelines on Outsourcing (Banks)

26 January 2024

Following last month’s release of new guidelines on outsourcing for banks by the Monetary Authority of Singapore (MAS), Wayne Scott, Regulatory Compliance Solutions lead at NCC Group Escrow, takes us through what this means for the future of third-party risk management.

In a nutshell, under the new Guidelines, banks will now have to formally advise MAS about any services that they outsource, providing details on how they audit and manage the risk of working with third-party suppliers that provide critical technology or services.

Put simply, from 11 December 2024 all banks must be able to demonstrate, for any outsourced service, that they are observing the requirements set out in the Guidelines. They must also notify MAS of any disruption to an outsourcing arrangement that affects their ability to deliver a service, or that results in a complete service failure.

Some of the key points include:

Board responsibility

The Guidelines emphasise the important role that the board and senior management of banks play in making sure that sound risk management is evident across their institutions, and go as far as to state that the ‘board, or a committee delegated by it’ must:

  • Assign an owner of the risks
  • Map the estate to understand the risks
  • Set an appetite on how to deal with the risk
  • Build plans to cope with the risks
  • Test those plans to ensure the plans work
  • Learn the lessons from the work above

Cloud Services (CS)

The Guidelines dedicate a section to cloud-related outsourcing agreements, recognising that more and more banks are now reliant on ‘Cloud Services’ and that any cloud-based service should therefore be treated in the same way as non-cloud outsourcing agreements.

Risk mitigation strategies – a case for Escrow

The Guidelines also stipulate that risk mitigation strategies should now be in place at the point of procurement, not at a later date, and should be reviewed annually. We see this as taking a resilience-by-design approach right from the start: assuming supplier failure or service disruption by default, and putting in place approaches to manage the risk.

On building plans to cope with the risks, and on being proactive in safeguarding access to business-critical third-party applications, the Business Continuity Management and Technology Risk Management regulations that these new Guidelines relate to specifically call out Escrow as a way to mitigate the risk of default or supplier failure.

Escrow is a legal framework, combined with a knowledge transfer and a scenario test, designed to mitigate the risk of relying on third-party supplied software. It’s an effective, proactive tool that can be put in place at the point of procurement to help organisations protect their investment in technology and, as evidenced by its inclusion in the above Regulations, to help ensure compliance with regulation.

With increased reliance on third-party providers and outsourced IT solutions, coupled with the ever-present risk of digital threats and other sources of business interruption, it’s certainly encouraging to see regulatory bodies implementing standards and guidelines that demand adequate risk planning to ensure improved business continuity is embedded in financial systems’ supply chains.

Contact

NCC Group Press Office

All media enquiries relating to NCC Group plc.

press@nccgroup.com

+44 7721577574