Founded in 1970, the Monetary Authority of Singapore (MAS) is a central bank and financial regulator that provides prudential oversight of all financial institutions in Singapore – including ensuring financial and operational resilience against risks. In July 2016, MAS delivered guidelines on outsourcing third-party arrangements. MAS expanded their outsourcing guidance in October 2018, and again in August 2022 with the publication of an information paper, Operational Risk Management – Management of Outsourcing and Third Party Arrangements. In the information paper, MAS:
The figure below identifies the types of approvals required, assessments, assessment frequencies, and due diligence documentation that should be provided to support assessments as explained in the Management of Outsourcing and Third Party Arrangements information paper.
Courtesy: Operational Risk Management – Management of Outsourcing and Third Party Arrangements – Observations and Supervisory Expectations from Thematic Inspections – Information Paper, August 2022
This post examines key MAS provisions that govern outsourcing and non-outsourcing arrangements, and identifies best-practice capabilities that can be used to address MAS requirements.
The MAS Operational Risk Management – Management of Outsourcing and Third Party Arrangements information paper, chapter 3, includes specific guidance for financial institutions in the following general areas of the third-party risk management lifecycle:
MAS requires financial services organizations to establish a governance structure and framework; set risk appetites; and establish management reporting.
To address these requirements, financial services organizations should consider defining the following criteria as part of their third-party risk management program:
Many organizations choose to align with an accepted risk management framework, such as ISO, to accomplish this. If you are looking to automate the process of measuring your TPRM program against an industry framework, be sure to select an assessment platform that provides several pre-built questionnaire options that align with multiple frameworks.
MAS requires organizations to identify and categorize third-party dependencies. This includes establishing a management and governance framework; identifying and inventorying third parties; categorizing them based on their nature and risk characteristics; and establishing criteria to determine the governance and due diligence requirements that they should be subject to.
To address these requirements, financial institutions should:
In terms of due diligence and performing periodic reviews, MAS recommends taking the results generated from the identification and risk categorization exercise and developing an onboarding plan that facilitates ongoing reviews.
Third-party risk assessments should be conducted at the beginning of a relationship to gain a picture of the risks the third party presents to your organization; at the time of contract renewal; and whenever there is a compelling event such as a breach, compliance violation or other failure. Critical success factors include having access to a large library of questionnaire templates to add flexibility to assessment efforts, and prescriptive remediation recommendations to hold third parties to account. As part of this process, be sure to:
To enable ongoing risk management, MAS recommends deploying adequate risk monitoring tools and mechanisms to manage third-party risk. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
All monitoring data should be correlated to assessment results and centralized in a unified risk register for each third party, streamlining risk review, reporting and response initiatives. Risks can be categorized into a heat map view with likelihood and impact axes.
Monitoring sources should include a mix of cyber and non-cyber sources to gain a comprehensive picture of a third party’s risk. Examples include:
The Prevalent Third-Party Risk Management Platform automates workflows required to onboard, periodically review and terminate material and non-material third-party outsourcing arrangements, delivering key capabilities for multiple teams to centralize TPRM across the enterprise. The solution delivers specific capabilities that address all due diligence requirements, from approval to termination.
Prevalent helps financial organizations add governance and oversight to their outsourcing and non-outsourcing arrangements by:
For more on how Prevalent can help address the requirements in MAS Operational Risk Management – Management of Outsourcing and Third-Party Arrangements, download our complete MAS checklist or request a demo today.