Monetary Authority of Singapore (MAS) Compliance

A: Controls Over Outsourcing Arrangements

This section on controls over outsourcing arrangements describes the practices in:

I) Governance and Management Oversight;
II) Due Diligence (Onboarding and Periodic Reviews); and
III) Ongoing Risk Management and Monitoring.

I) Governance and Management Oversight

Outsourcing governance structure and framework

“Banks establish a proper governance structure and framework for adequate management oversight and attention on risks arising from outsourcing arrangements, to ensure that risks undertaken are in line with the banks’ strategies and risk appetite.

"In the adoption of a risk-based approach, banks ensure that their approval framework facilitates management’s evaluation of the materiality and risks from existing and prospective outsourcing arrangements. Processes that support the evaluation and approval of outsourcing arrangements are sufficiently robust and effective.”

Setting of appropriate outsourcing risk appetite

“Banks establish a suitable strategy and risk appetite to define the nature and extent of risk that they are willing and able to assume from their outsourcing arrangements.”

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

As part of this process, Prevalent can help you define:

• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories
• Risk scoring and thresholds based on your organization’s risk tolerance
• Assessment and monitoring methodologies based on third-party criticality
• Fourth-party mapping
• Sources of continuous monitoring data (cyber, business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Governing policies, standards, systems and processes to protect data
• Compliance and contractual reporting requirements against service levels
• Incident response requirements
• Risk and internal stakeholder reporting
• Risk mitigation and remediation strategies

Management reporting on outsourcing

“Banks have effective processes in place to enable a comprehensive bank-wide view of risk exposures arising from outsourcing. There is regular reporting to management on outsourcing risk profiles, significant outsourcing issues and KRIs, to facilitate oversight of outsourcing risk landscape, trends and concerns.”

Prevalent helps financial institutions reveal risk trends, third-party risk status, and exceptions to common behavior with embedded machine learning (ML) insights and customizable report views based on role.

In addition, Prevalent helps to centrally measure third-party KPIs and KRIs to reduce risks from gaps in vendor oversight by automating contract and performance assessments and providing a framework to measure against requirements.

With this capability, FIs can quickly identify outliers that could warrant further investigation and improve risk reduction efficiency by getting the right data into the right hands.

II) Due Diligence (Onboarding and Periodic Reviews)

Due diligence (onboarding and ongoing reviews)

“Banks specify clear requirements, and provide comprehensive guidance, on the due diligence and risk assessment processes for the onboarding of new outsourcing arrangements and periodic reviews of existing ones. Such processes are commensurate with the risks involved, where adequate consideration is given to risk factors such as arrangements that involve sharing of customer data. Banks institute the necessary checks and balances to ensure that these requirements and processes are adequately tracked for compliance in a timely manner.

"Banks enlist relevant SMEs to determine if the technical elements of risks pertaining to an outsourcing arrangement are adequately considered.”

Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties. Criteria include:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

Using this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.

Prevalent features a library of more than 200 pre-built templates for third-party risk assessments. Assessments can be conducted at the time of contract renewal or at any required frequency (e.g., quarterly or annually). Assessment questionnaires can be globally focused or regional to address unique legal or operational requirements.

Prevalent delivers built-in remediation recommendations based on risk assessment results. These are backed by workflow and task management capabilities to ensure that third parties address risks in a timely and satisfactory manner.

III) Ongoing Risk Management and Monitoring

Control framework for outsourcing arrangements

“Banks establish a structured framework for ongoing monitoring and control of outsourcing arrangements, with adequate involvement of independent parties to provide effective challenge and oversight to business units that originate the outsourcing arrangements.”

The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.

Prevalent experts first review assessment responses from either custom or standardized questionnaires. We then map the responses to SIG, SCA, ISO, SOC II, AITECH and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help you reduce risk with your existing resources.

Ongoing risk monitoring and controls

“Banks are proactive in managing relationships with outsourced service providers, and apply more rigorous controls for higher risk arrangements. As the nature, materiality and complexity of outsourcing arrangements may evolve over time, the ongoing monitoring framework should be sufficiently robust to consider and manage such changes.

"Banks have adequate tools to monitor outsourcing risk. Significant risk trends identified from KRI and heatmap assessments, concerns (such as overdue remediation of risk/audit issues, service level breaches or overdue periodic reviews), as well as concentration analyses are reported to management.”

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Risks can be categorized into a heat map view with likelihood and impact axes.

Monitoring sources include:

• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
• A database containing 10+ years of data breach history for thousands of companies around the world
• 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
• A global network of 2 million businesses with 5 years of organizational changes and financial performance, including turnover, profit and loss, shareholder funds, etc.
• 30,000 global news sources
• A database containing over 1.8 million politically exposed person profiles
• Global sanctions lists and over 1,000 global enforcement lists and court filings
• Performance, from adherence to contracts KPIs and remediations to SLAs and missed deadlines

B: Controls Over Non-Outsourcing Arrangements (NOAs)

This section on controls over NOAs describes the practices observed at banks under the following areas in a third party risk management framework:

I) Identification and Risk Categorisation;
II) Governance and Management Oversight; and
III) Due Diligence and Ongoing Monitoring.

I) Identification and Risk Categorisation

Risk identification and categorisation of third party dependencies

“Banks have a third party risk management and governance framework to manage their non-outsourcing third party dependencies.
Banks identify and inventorise a comprehensive list of NOAs, and categorise them based on their nature and risk characteristics.

"Banks establish clear criteria to risk assess their NOAs, so as to determine the governance and due diligence requirements that they should be subject to. Adequate consideration is accorded to risk factors such as arrangements that involve sharing of customer data.”

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

As part of this process, Prevalent can help you define:

• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories and categorization
• Risk scoring and thresholds based on your organization’s risk tolerance
• Assessment and monitoring methodologies based on third-party criticality
• Fourth-party mapping
• Sources of continuous monitoring data (cyber, business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Governing policies, standards, systems and processes to protect data
• Compliance and contractual reporting requirements against service levels
• Incident response requirements
• Risk and internal stakeholder reporting
• Risk mitigation and remediation strategies

Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties. Criteria include:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

Using this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.

Prevalent enables FIs to build a comprehensive vendor profile that includes ownership, financial performance, CPI scores, Modern Slavery statements, industry and business insights, and maps potentially risky 4th-party relationships. This helps to reduce complexity in managing third parties, providing a single source of the truth for vendor management across their relationship lifecycle.

II) Governance and Management Oversight

Implementation of risk management and governance frameworks for NOAs

“Banks have a governance committee to exercise oversight of NOAs. Banks also establish risk-appropriate governance and risk management frameworks, including due diligence requirements, to manage risks arising from NOAs in a holistic manner.”

Prevalent features a library of more than 200 pre-built templates for third-party risk assessments, including those that map to leading governance frameworks such as [ISO](/compliance/iso-27001-27002-27018-27036-2-27701/. Assessment questionnaires can be globally focused or regional to address unique legal, operational, or other due diligence requirements.

Reporting enables FIs to visualize and address compliance requirements by automatically mapping assessment results and data feeds to regulatory requirements and frameworks.

Management reporting on third party risk

“Banks ensure adequate management oversight through regular and timely reporting on risk profiles and performance of NOAs. Significant issues such as expired periodic reviews, vendor incidents, performance breaches, and KRI breaches, are regularly reported to the relevant governing forum. An appropriate party (e.g. a 2LoD unit) provides the necessary checks and balances on the reporting process.”

Prevalent helps financial institutions reveal risk trends, third-party risk status and exceptions to common behavior with embedded machine learning (ML) insights and customizable, role-based report views.

In addition, Prevalent helps to centrally measure third-party KPIs and KRIs to reduce risks from gaps in vendor oversight by automating contract and performance assessments and providing a framework to measure against requirements.

With this capability, FIs can quickly identify outliers that could warrant further investigation and improve risk reduction efficiency by getting the right data into the right hands.

Change management

“Banks have sound change management policies and procedures to manage risks arising from new NOAs. There is clear allocation of roles and responsibilities across the three lines of defense (LoDs) with change implementation subject to independent controls and oversight.”

The Prevalent Platform includes an automation and rules engine that automatically suggests actions or adjusts risk scores based on assessment results and external data feeds. With this capability, FIs can automatically create tasks based on continuous third-party changes and assign to owners to track issues to conclusion. This helps accelerate risk reduction timelines.

III) Due Diligence and Ongoing Monitoring

Due diligence and ongoing monitoring of NOAs and third party risk

“Banks implement risk assessment methodologies for risk rating NOAs that adequately consider higher risk factors, such as sharing of confidential information or providing support to critical functions.

"Banks set out clear requirements on due diligence and independent oversight for onboarding of new NOAs and reviews of existing ones, that are commensurate with risks involved. Due diligence considers all relevant stakeholders of the NOAs, including partners and service providers.

"Banks implement structured control processes for the ongoing monitoring of NOAs, over the life cycle of the relationships. High risk arrangements necessitate more stringent ongoing monitoring.

"Banks deploy adequate risk monitoring tools and mechanisms to manage third party risk. These tools and mechanisms include the setting of a third party risk taxonomy and implementation of appropriate KRIs to facilitate a holistic view on the third party risk of the bank.”

Once onboarding is complete, results from tiering, profiling and categorization assessments dictate the level of ongoing due diligence required across the third-party lifecycle.

To enable this, Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Risks can be categorized into a heat map view with likelihood and impact axes.

Monitoring sources include:

• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
• A database containing 10+ years of data breach history for thousands of companies around the world
• 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
• A global network of 2 million businesses with 5 years of organizational changes and financial performance, including turnover, profit and loss, shareholder funds, etc.
• 30,000 global news sources
• A database containing over 1.8 million politically exposed person profiles
• Global sanctions lists and over 1,000 global enforcement lists and court filings
• Performance, from adherence to contracts KPIs and remediations to SLAs and missed deadlines