Association of Banks in Singapore (ABS) Outsourced Service Provider's Audit Report (OSPAR)
ABS OSPAR overview
When financial Institutions outsource business functions, they must ensure that their service providers maintain the same level of governance, rigor, and consistency as if the financial institutions managed it themselves.
To that end, the Association of Banks in Singapore (ABS), a non-profit organization representing the interests of local and foreign banks operating in Singapore, has issued ABS Guidelines on Control Objectives and Procedures for Outsourced Service Providers (or, ABS Guidelines). The ABS Guidelines set out information security guidance for service providers who deliver services to financial institutions operating in Singapore. The guidelines specify the baseline organizational controls that service providers must implement in cloud outsourcing arrangements, particularly for material workloads. The Outsourced Service Provider's Audit Report (OSPAR) is the framework that external auditors use to validate the service provider's controls against the criteria specified in the ABS Guidelines.
Microsoft and ABS OSPAR
An independent service auditor, performed a rigorous audit of the security capabilities of Microsoft Azure and Microsoft Dynamics 365, which include more than 120 Azure services and 10 Dynamics 365 applications, to assess their compliance with the ABS Guidelines.
The auditor attested that the security controls of Azure and Dynamics 365 were suitably designed to meet the applicable ABS controls criteria and operated effectively during the year-long testing period.
Achieving this ABS OSPAR attestation demonstrates that the set of security controls of Microsoft in-scope services meet the ABS Guidelines, putting these services on the official list, OSPAR Audited Outsourced Service Providers. This, in turn, provides assurance to financial services customers with facilities in Singapore that Microsoft meets these high standards for deploying compliant financial services solutions.
Microsoft and in-scope cloud services
- Dynamics 365
- Microsoft Cloud App Security
- Microsoft Graph
- Microsoft Managed Desktop
- Microsoft Stream
- PowerApps cloud service: either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power Automate: either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service: either as a standalone service or as included in an Office 365 branded plan or suite
- Power Virtual Agents
Audits, reports, and certificates
The audit is usually performed once every 12 months.
Frequently asked questions
What is a 'material' outsourcing arrangement and why is the definition important?
An outsourcing arrangement is 'material' if a service failure or breach has the potential to materially affect a financial firm's business operations or ability to manage risk and comply with applicable laws and regulations; or if it involves customer information, and any unauthorized access or disclosure, loss, or theft of customer information, has a material impact on a firm's customers. The definition of 'customer information' expressly excludes securely encrypted information.
This definition is important because certain provisions of MAS Outsourcing Guidelines apply only to 'material outsourcing arrangements'. These provisions include an obligation to perform annual reviews, mandatory contractual clauses addressing audit rights, and ensuring that outsourcing outside of Singapore does not affect MAS supervisory efforts.
ABS OSPAR resources
- ABS Guidelines for Outsourced Service Providers
- Compliance Checklist for Financial Institutions in Singapore
- Microsoft and the Monetary Authority of Singapore (MAS) and Association of Banks in Singapore (ABS)