Introduction
In the Guidelines on Outsourcing (the “Outsourcing Guidelines”), the Monetary Authority of Singapore (the “Authority”) provides detailed guidance on what service arrangements constitute outsourcing. In this article, we explain why various service arrangements, including third party compliance arrangements, will be deemed outsourcing arrangements requiring appropriate risk management controls, regardless of their frequency or scope. Understanding this regulatory framework is crucial for financial institutions to implement appropriate oversight and ensure compliance with the Authority’s requirements.
Core Definitions
What is Outsourcing?
Pursuant to the Outsourcing Guidelines, an outsourcing arrangement is an arrangement in which a service provider provides a financial institution with a service that may currently or potentially be performed by the institution itself and which includes the following characteristics:
- the institution is dependent on the service on an ongoing basis; and
- the service is integral to the provision of a financial service by the institution or the service is provided to the market by the service provider in the name of the institution.
What are material outsourcing arrangements?
Material outsourcing arrangements are those that could significantly impact a financial institution’s operations, reputation, or regulatory compliance if they fail. Under the Outsourcing Guidelines, an arrangement is considered material if it has the potential to materially impact an institution’s business operations, reputation or profitability, or its ability to manage risk and comply with applicable laws and regulations. Additionally, any outsourcing arrangement that involves customer information is deemed material if unauthorized access, disclosure, loss or theft of that information could materially impact the institution’s customers. For these arrangements, financial institutions must implement more stringent controls, including annual periodic reviews, multi-disciplinary management groups for monitoring, and comprehensive pre- and post-implementation reviews. They must also maintain detailed documentation in their outsourcing register, conduct thorough due diligence on service providers and any subcontractors, and ensure proper contractual safeguards are in place.
When does a service constitute ad hoc advisory rather than outsourcing?
In general, discreet advisory services that a financial institution is not legally or administratively able to provide do not constitute outsourcing. Examples include discreet advisory services (such as legal opinions and independent appraisals) as well as independent consulting (such as consultancy services for areas which the institution does not have the internal expertise to conduct). As the provision of advice would constitute a service, financial institutions should consider whether:
- the service is provided on an ongoing basis;
- the institution is dependent on the service for regular operations; and
- the service is integral to the provision of the institution’s financial services.
Notwithstanding the foregoing, Annex 1 of the Outsourcing Guidelines makes clear that professional services performed by a third party related to the business activities of a financial institution, such as accounting, actuarial and compliance, constitute outsourcing arrangements. As a result, professional compliance services that are provided on an ad hoc basis may be deemed outsourcing arrangements, regardless of whether such compliance services otherwise meet the definition of an outsourcing arrangement, such as being a service on which the financial institution is dependent on an ongoing basis.
Scope of Outsourcing Arrangements
Can a control function in its entirety,1 such as the compliance function, be outsourced?
By definition, an outsourcing arrangement involves the provision of a service. The provision of a control function to a financial institution by an external service provider would be considered an outsourced service. For example, Paragraph 5.12.1 of the Outsourcing Guidelines sets out that the internal audit function can be an outsourced service.
What does it mean in practice to have a function partially outsourced?
A function is partially outsourced (rather than fully outsourced) when only certain components or activities of a business function are performed by a third party service provider.
Regulatory Framework and Requirements
Do the Outsourcing Guidelines create additional compliance obligations on a financial institution?
The Outsourcing Guidelines do not override any legislative provisions. Instead, they should be read together with relevant legislation, subsidiary legislation, written directions, notices, codes and other guidelines issued by the Authority. The Outsourcing Guidelines function as both a granular subset of broader regulatory expectations and additional expectations in certain areas.
What guidance applies to third party services that do not constitute outsourcing?
Under the Outsourcing Guidelines, third party services that are not defined as outsourcing should nevertheless be subject to adequate risk management and sound internal controls. Specifically, a financial institution should consider the Authority’s information paper on Operational Risk Management – Management of Third Party Arrangements (the “Information Paper”).
Does the Authority ask about outsourcing the compliance function in license applications?
For both capital markets services providers and payment service providers, the Authority asks a license applicant to provide an organisation chart, including the compliance function. At a minimum, if all or substantially all2 of a compliance function is to be outsourced, that arrangement should be disclosed in the chart.
Do outsourced service providers have to meet the same operational requirements, such as cyber hygiene, as the financial institution to which they are providing the service?
No, an outsourced service provider should meet standards that allow financial institutions to fulfill their regulatory obligations, with the degree of compliance varying based on a risk-proportionate approach.
The Breadth of Outsourcing – Non-Compliance Examples
Annex 1 of the Outsourcing Guidelines includes numerous examples of services that are regarded as outsourcing arrangements. Information systems that read documents may be considered outsourcing arrangements falling under the category of “document processing” given that those are tasks which a financial institution could do itself. Information systems hosting, such as software-as-a-service, is also listed as an outsourcing arrangement.
How is the use of artificial intelligence considered under the Outsourcing Guidelines?
While neither the Outsourcing Guidelines nor the Information Paper explicitly mention artificial intelligence (“AI”), the framework would apply to AI services whether externally provided or internally developed. For externally provided AI solutions, these would qualify as outsourcing arrangements if the institution depends on the service on an ongoing basis and the service is integral to providing financial services or offered in the institution’s name. For example, AI-powered credit assessment systems, algorithmic trading platforms, or automated customer service solutions would likely meet this definition if they form an essential part of the institution’s service delivery.
For internally developed AI solutions, core development of AI solutions may not constitute outsourcing. However, financial institutions should carefully evaluate whether any components of their internal AI systems involve third-party elements that could trigger outsourcing considerations. This includes the use of third-party AI frameworks, cloud infrastructure for model training or deployment, external data providers, or specialized model development consultants. Even when AI solutions are primarily developed in-house, if the institution relies on external service providers for critical components, data processing, or operational support of the AI system, these arrangements should be evaluated against the outsourcing framework and risk-managed accordingly. Nevertheless, as a general matter, technology solutions that are developed and owned by the Singapore financial institution itself do not trigger outsourcing considerations as there is no third party service provider.
Regardless of whether an AI system is fully outsourced, partially outsourced, or developed entirely in-house, financial institutions remain responsible for ensuring these systems operate in compliance with applicable regulations and should implement appropriate governance, testing, and monitoring frameworks.
The Consequences of an Arrangement being Deemed an Outsourcing Arrangement
When an arrangement is deemed an outsourcing arrangement under the Outsourcing Guidelines, the financial institution must incorporate it into its outsourcing risk management framework and comply with comprehensive risk management requirements. This includes conducting due diligence on the service provider’s capabilities and controls, documenting the arrangement in a proper outsourcing agreement, implementing confidentiality safeguards, ensuring business continuity management, and maintaining ongoing monitoring and control processes. The arrangement should be included in the institution’s outsourcing register, which needs to be submitted to the Authority at least annually. The institution’s board and senior management remain responsible for maintaining effective oversight and governance of the outsourcing arrangement, even though day-to-day operational duties may be delegated to the service provider. For material outsourcing arrangements, additional stringent controls and monitoring are required, as these could materially impact the institution’s business operations, reputation, risk management capabilities, regulatory compliance, or customer information security. The institution must also notify the Authority of any adverse developments arising from outsourcing arrangements that could impact the institution.
Conclusion
It is critical for a compliance function to accurately and comprehensively determine which of its service arrangements constitute outsourcing arrangements. Understanding the distinctions between outsourcing and ad hoc advisory services, as well as full versus partial outsourcing, is crucial for financial institutions to implement appropriate risk management controls. While including every service in a financial institution’s outsourcing register may prevent omissions, this approach can lead to inefficient use of limited resources and potentially disqualify suitable service providers who cannot meet the stringent requirements for material outsourcing arrangements. HM assists financial institutions in evaluating their third-party arrangements, establishing proper governance frameworks, and ensuring compliance with applicable regulation. In addition, HM is structured to satisfy the applicable due diligence requirements to offer outsourced compliance and internal audit to financial institutions.
With our deep expertise in navigating MAS outsourcing requirements and demonstrated ability to meet the Authority’s stringent due diligence standards, HM is uniquely positioned to both guide financial institutions through the complexities of outsourcing compliance and serve as a trusted provider of outsourced compliance services.
For further information, contact:
Chris Holland: Partner | chris.holland@hmstrategy.com
Disclaimer: The material in this post represents general information only and should not be relied upon as legal advice. Holland & Marie Pte. Ltd. is not a law firm and may not act as an advocate or solicitor for purposes of the Singapore Legal Profession Act.
1 We believe the best definition of a “function” comes from the Authority’s Guidelines on Business Continuity Management, which defines “business function” as an activity or set of activities performed by individual organizational lines (i.e. department or unit) in the financial institution.
2 Please note that outsourcing all or substantially all of risk management or internal control functions, including compliance, should be considered a material outsourcing arrangement that is subject to enhanced risk assessments under the Outsourcing Guidelines.