Monetary Authority of Singapore (MAS) and Association of Banks in Singapore (ABS)

MAS and ABS Overview

Monetary Authority of Singapore (MAS)

In July 2016, the MAS, the sole bank regulator in Singapore and its central bank, issued its Guidelines on Outsourcing Risk Management. In the guidelines, the MAS set out its expectations for outsourcing cloud services by financial institutions in Singapore, including banks, insurance companies, and trust companies. This was the result of an industry-wide consultation that began in October 2014 that included Microsoft participation.

The MAS Guidelines substantially streamline the process for technology adoption, provide clarity on the regulator’s expectations, and address many of the misconceptions that had previously slowed the financial industry’s adoption of cloud solutions.

Furthermore, the guidelines are unequivocal in their support of the use of cloud services — including a public cloud — by financial institutions and that they stand to benefit from doing so. They have eliminated the expectation that financial institutions would notify the MAS before any significant material outsourcing commitments. Instead, MAS-regulated institutions are expected to refine their risk-based approach when assessing material outsourcing and conduct a self-assessment of all outsourcing arrangements against these guidelines. (For now, these guidelines are not legally binding, but the MAS has indicated that it will issue a statutory notice in the future.)

Association of Banks in Singapore (ABS)

Shortly after the release of the MAS Guidelines on Outsourcing Risk Management, the ABS, a non-profit organization representing the interests of local and foreign banks operating in Singapore (but not other financial institutions), introduced a non-binding practical guide, Cloud Computing Implementation Guide. It is designed to help banks implement outsourcing arrangements following MAS Guidelines.

Microsoft MAS and ABS

With the endorsement of cloud computing — including the use of public clouds — by the Monetary Authority of Singapore (MAS) and support from the Association of Banks in Singapore (ABS), Microsoft published the Microsoft response to MAS outsourcing guidelines and ABS guidance and a Compliance Checklist for financial institutions in Singapore. Together they demonstrate how financial firms can move data and workloads to the Microsoft Cloud with the confidence that they are complying with MAS guidelines and complete a self-assessment of their outsourcing arrangements against the new guidelines.

The Microsoft response to MAS guidelines and ABS guidance gives financial firms an overview of the key issues raised by the MAS Guidelines and the ABS Guide as they apply to cloud services, Microsoft interpretations of and responses to each of the key issues, and details on how Microsoft can help facilitate compliance with MAS guidelines. It addresses MAS and ABS guidance separately.

The Microsoft response to the MAS Guidelines focuses on MAS recommendations for prudent risk management practices for outsourcing. It describes point by point how Microsoft has the right policies, processes, and tools to help you evaluate the risks, provides checklists to help you assess our business cloud services, and describes the processes for governance and internal controls.

The Microsoft response to the ABS Guide centers on Sections 3 and 4.

  • Section 3 builds on the due diligence and vendor management requirements of the MAS Guidelines by addressing in more detail such matters as contractual considerations. We give detailed information about Microsoft vendor management tools and the assistance we can offer during the due-diligence assessment.
  • Section 4 recommends a set of key baseline controls — from encryption to penetration and vulnerability management — that cloud service providers should have in place when working with banks. We describe how our controls address the security concerns of each of the specified controls.

Get practical support for moving data and workloads to the Microsoft Cloud in compliance with MAS Guidelines

Download the Navigating your way to the cloud: Microsoft’s response to MAS outsourcing guidelines and ABS guidance

Compliance Checklist for Financial Institutions in Singapore

This document includes an overview of the regulatory landscape, which introduces the relevant requirements in Singapore, and a compliance checklist, which lists the regulatory issues that need to be addressed and maps Microsoft's cloud services against those issues. By reviewing and completing the checklist point by point, financial institutions can adopt Microsoft cloud services with confidence that they are complying with the relevant requirements in Singapore.

By relying on our comprehensive approach to risk assurance in the cloud, we are confident that financial institutions in Singapore can move to the Microsoft Cloud in a manner that is consistent with MAS Guidelines and the ABS Guide, while also providing a more advanced security risk management profile than many on-premises solutions.

Get practical support for moving data and workloads to the Microsoft Cloud in compliance with MAS Guidelines

Download the Compliance Checklist for Financial Institutions in Singapore

Microsoft in-scope cloud services

  • Azure
  • Dynamics 365
  • Intune
  • Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
  • Office 365

Frequently asked questions

Is regulatory approval required?

No, there is no requirement for prior notification, consultation, or approval of outsourcing arrangements. However, the MAS expects financial institutions to be ready to demonstrate how they comply, and to notify the MAS as soon as possible of adverse developments arising from a financial institution's outsourcing arrangements — for example, a data breach incident.

What is a “material” outsourcing arrangement and why is the definition important?

An outsourcing arrangement is “material” if a service failure or breach has the potential to materially affect a financial firm’s business operations or ability to manage risk and comply with applicable laws and regulations; or if it involves customer information and, in the event of any unauthorized access or disclosure, loss, or theft of customer information, has a material impact on a firm’s customers. The definition of “customer information” expressly excludes securely encrypted information.

This definition is important since certain provisions of MAS Outsourcing Guidelines apply only to “material outsourcing arrangements.” These include an obligation to perform annual reviews, mandatory contractual clauses addressing audit rights, and ensuring that outsourcing outside of Singapore does not affect MAS supervisory efforts.

Resources

Other Microsoft resources for financial services