Revised Technology Risk Management Guidelines – Applying the standards of financial institutions to unregulated service providers


On 21 January 2021, the Monetary Authority of Singapore (“MAS”) issued revisions to the Technology Risk Management Guidelines (the “Guidelines”) applicable to financial institutions (“FIs”). Among other key changes, the MAS stated: “In light of FIs’ growing reliance on third party service providers, the revised Guidelines set out the expectation for FIs to exercise strong oversight of arrangements with third party service providers, to ensure system resilience as well as maintain data confidentiality and integrity.” (1)

In this article, we will explore how this new arrangement may affect businesses that are not licensed by the MAS, such as marketing firms, law firms and consultancies.

REGULATORY BACKGROUND

The MAS has issued notices setting out how FIs must handle technology risk management (the “TRM Notices”). The Guidelines do not override the TRM notices. Instead, the MAS has explained that the Guidelines:

  • “do not affect, and should not be regarded as a statement of the standard of care owed by FIs to their customers. The extent and degree to which an FI implements the Guidelines should be commensurate with the level of risk and complexity of the financial services offered and the technologies supporting such services. In supervising an FI, the degree of observance with the spirit of the Guidelines by an FI is an area of consideration by MAS; and
  • provide general guidance, and… should be read in conjunction with the provisions of the relevant legislation, the subsidiary legislation made under the relevant legislation, as well as written directions, notices, codes and other guidelines that MAS may issue from time to time pursuant to the relevant legislation and subsidiary legislation.” (2)

THE EXPECTATION TO MANAGE THIRD PARTY SERVICES

The revised Guidelines include enhanced expectations for FIs to oversee third party service providers. The scope of this expectation is broad and includes all third party service providers, not only those that provide “outsourcing arrangements” pursuant to the MAS’ Guidelines on Outsourcing. (3)

Paragraph 3.4 of the Guidelines sets out the following expectations for FIs regarding the management of third party service providers:

  • The FI should assess and manage its exposure to technology risks that may affect the confidentiality, integrity and availability of the information technology (“IT”) systems and data at the third party before entering into a contractual agreement or partnership.
  • On an ongoing basis, the FI should ensure the third party employs a high standard of care and diligence in protecting data confidentiality and integrity as well as ensuring system

While these expectations enable a FI to exercise judgement relating to its use of third party service providers, the MAS also stated:

The use of a third party service providers should not result in a deterioration of controls and compromise of risk management. FIs should ensure their third party service providers are able to meet regulatory standards expected of them. [emphasis added] (4)

WHAT DOES “NO DETERIORATION” MEAN?

The MAS offered the expectation that the use of third party service providers should not result in a deterioration of controls or compromise risk management (the “No Deterioration Expectation”) in response to the public feedback the MAS received during the consultation on the revisions to the Guidelines. (5) The MAS acknowledged the difficulty for FIs to impose their policies, standards and procedures on third party service providers since the service providers’ IT services support different customers. The No Deterioration Expectation (which is not qualified for materiality) is the MAS’ reply to that specific feedback.

While the No Deterioration Expectation is not set out in the Guidelines themselves, the comment was published at the same time as the revised Guidelines were issued. We believe it reflects the MAS’ view on prudent technology risk management.

WHICH SERVICE PROVIDERS ARE COVERED BY THE NO DETERIORATION EXPECTATION?

MAS’ examples of third parties that may be covered by the Guidelines include IT forensics, penetration testing and online marketing services. (6) However, the MAS also expressed its concern about services involving “confidential or sensitive customer information being stored or processed electronically by the third party, [and] the FI’s operations and its customers may be adversely impacted if there is a system failure or security breach at the third party.” (7) Therefore, we believe that all service providers which utilize IT services (including email) in their services are covered by the No Deterioration Expectation if the third party service provider electronically stores or processes confidential or sensitive customer information (“Sensitive Information”).

THE PRACTICAL ISSUES

Meeting the Requirements of the PDPA May Not Be Enough

Most service providers are not regulated by the MAS and are required to comply with applicable law such as the Singapore Personal Data Protection Act 2012 (the “PDPA”). Therefore, neither the TRM Notices nor the Guidelines apply to them. While service providers offering outsourcing arrangements to FIs are already subject to audits and higher standards per the MAS’ Guidelines on Outsourcing, the extension of these types of standards to other third party service providers is new. We believe the revised Guidelines will cause third party service providers that wish to do business with FIs to incur additional costs to ensure that their IT controls are sufficient for the Guidelines.

The Law Firm Example

For example, consider law firms obtaining confidential information about FIs’ customers in the course of assisting FIs with disputes. Must FIs now ensure that these law firms meet the minimum requirements of the Guidelines? We believe the answer is yes, assuming Sensitive Information is stored or processed by the law firm. Although the law firm will not be subject to any discipline from the MAS for not following the Guidelines, we believe FIs will subject law firms to the Guidelines by contract.

If a law firm does not want to be subject to the Guidelines but still wants to do business with a FI, one solution would be to not store or process Sensitive Information. A law firm could ask for an undertaking from the FI that the FI will not send any information that would effectively require the law firm to comply with the Guidelines. In practice, it is unclear how practical such solutions would be. For example, a law firm’s assistance on a contract dispute between a FI and a customer could foreseeably involve a contract that contains Sensitive Information. While there are ways to work around these issues (such as redacting the information or providing all the contractual documents on a FI’s server), implementing these measures in real life is easier said than done.

Counterarguments

One could argue that legal services present a unique case and are a poor example, because arrangements that a FI is not legally or administratively able to provide itself, such as discreet advisory services (such as legal opinions) and independent consulting services, would generally not be considered outsourcing arrangements (8) and, by analogy, such services should not be covered by the Guidelines. However, because (i) the No Deterioration Expectation applies to services that do not qualify as outsourcing arrangements and (ii) the exceptions set forth in the MAS’ Guidelines on Outsourcing are not repeated in the Guidelines, we do not concur with this analysis.

One could also argue that our understanding of the No Deterioration Expectation is not what the MAS intended. We have spoken to multiple third party service providers that believe the MAS did not intend to extend the No Deterioration Expectation to third party service providers that utilise, but do not provide, IT services. In particular, service providers contested the idea that the use of email to receive Sensitive Information would trigger consideration of the No Deterioration Expectation. Regardless, absent further statements from the MAS, we think the literal reading of the No Deterioration Expectation must be the baseline from which FIs implement the Guidelines.

The Additional Requirements

In order for third party service providers to meet the Guidelines’ standards, they may have to take measures such as:

  • conducting regular penetration tests;
  • establishing a robust IT service management framework;
  • establishing user access management controls; and
  • procuring cyber intelligence monitoring.

All of these measures will likely benefit the service provider from a technology risk management perspective. However, they may not be commensurate with the nature and risks of the service provider’s overall business. Cost considerations may also prevent service providers, especially smaller service providers, from taking these initiatives. The No Deterioration Expectation may benefit larger service providers to the extent smaller service providers cannot afford the costs of compliance and are forced to drop certain FI clients.

FI Due Diligence

If something goes wrong with the technology risk management controls of a service provider, the MAS still looks to the FI to address it. As a result, FIs will likely spend considerable effort conducting due diligence on their service providers and helping such service providers augment their IT controls to be compliant with the No Deterioration Expectation. We note the Guidelines went into effect immediately without any transition period, so FIs are already responsible for ensuring their existing service providers satisfy the applicable expectations.

CONCLUSION

Rightfully, the MAS and the public have high expectations of FIs regarding their handling of Sensitive Information which goes beyond the PDPA’s requirements. Extending the IT control expectations in the Guidelines to all service providers that handle Sensitive Information is not unreasonable. However, if our understanding is correct, the No Deterioration Expectation is a big change that will take time and money for FIs and third party service providers to implement. While the Guidelines do not have the force of law, the MAS considers the degree of observance with the spirit of the Guidelines in its supervision of a FI. Therefore, we believe a FI should carefully consider the No Deterioration Expectation in all circumstances where the FI shares Sensitive Information.

HOLLAND & MARIE

Holland & Marie is a compliance, risk, C-Suite and legal solutions firm based in Singapore. We have extensive experience resolving typical compliance issues including regulatory inspections, satisfying regulatory requirements and maintaining best practices in corporate governance to navigate the rapidly changing regulatory landscape.

For further information, contact:

Chris Holland: Partner | Holland & Marie | 201802481R

7 Straits View, Marina One East Tower, #05-01 Singapore 018936

[email protected]
www.hmstrategy.com


Disclaimer: The material in this post represents general information only and should not be relied upon as legal advice. Holland & Marie Pte. Ltd. may not act as an advocate or solicitor for purposes of the Singapore Legal Profession Act and is not a law firm.


(1) See the MAS Media Release “MAS Enhances Guidelines to Combat Heightened Cyber Risks”.

(2) See Paragraphs 2.2 and 2.3 of the Guidelines.

(3) See Paragraph 3.44 of the Response to Public Feedback for Consultation Paper – TRM Guidelines (the “Response Paper”).

(4) Id, Paragraph 3.36.

(5) Id, Paragraph 3.35.

(6) Id, Paragraph 3.45.

(7) See Paragraph 3.4.1 of the Guidelines.

(8) See Annex 1 of the MAS’ Guidelines on Outsourcing.
