
Microsoft's Commitment to the Singapore Financial Services Sector

Microsoft is pleased to have been involved in the discussions with MAS and ABS that have led to these positive developments. We are also delighted to have helped a number of financial institutions in Singapore to move to the cloud. Whether it is ACE Travel Insurance, which is redrawing the online travel insurance playing field with Microsoft's cloud services, or DBS Bank, which deployed Microsoft cloud technology, Office 365, to provide a leap forward in mobility, efficiency and productivity for its teams, financial institutions are benefiting from cloud services to enhance operations and provide better services to their customers.

Through its partnership with financial institutions in Singapore and its long-standing engagement with MAS and ABS, Microsoft has developed deep experience of delivering solutions that meet all applicable compliance requirements. We understand that it is our role as service provider to Singapore's financial institutions to help facilitate compliance with the underlying guidelines and, as part of that, have developed a range of materials to help our cloud customers in the financial services sector. For example, our response to the MAS Outsourcing Guidelines and the ABS Cloud Implementation Guide was issued to help financial institutions understand the requirements and to comment on how they apply to the use of Microsoft's cloud services. Similarly, we have developed practical checklists for all of our cloud services so that financial institutions can see how the use of Microsoft's cloud services, and our contractual terms, map against the relevant guidelines. Our subject-matter experts are also available to understand your organization's needs and provide detailed information on the technical, contractual and practical aspects of your proposed cloud project.

By providing these tools and materials, Microsoft reaffirms our commitment to make the adoption of cloud as smooth as possible for financial institutions. This is all part of our commitment to providing clarity and helping our financial institution customers innovate and navigate their way to the Microsoft cloud with confidence, as Singapore becomes one of the world's great "Smart Financial Centers".

 

Regulatory Overview

Singapore is already delivering on its mission of becoming one of the world's leading "Smart Financial Centers".

The Monetary Authority of Singapore (MAS), Singapore's financial services regulator, issued a clear "green light" for cloud through its updated Outsourcing Guidelines in 2016 (MAS Outsourcing Guidelines). In doing so, it substantially streamlined the process for technology adoption, provided clarity on its regulatory expectations and addressed many of the misconceptions that had previously slowed the financial industry’s adoption of cloud. In taking this welcome step, MAS opened the door for financial institutions across the city-state to benefit from new technologies in a manner that manages applicable risk and compliance requirements. Shortly after the release of the Outsourcing Guidelines, the Association of Banks in Singapore (ABS) introduced the ABS Cloud Implementation Guide (ABS Guide), a non-binding practical guide designed to assist banks in Singapore as they implement cloud services.

Financial institutions have been quick to take advantage of the recent positive developments in Singapore – not least DBS Bank, which was the first to use cloud-based productivity tools through the adoption of Office 365.

From a regulatory perspective, cloud is permitted. The regulatory framework in Singapore permits the use of cloud services, including public cloud services. There is no need to pre-consult with or pre-notify MAS, nor is there a requirement to complete a formal outsourcing questionnaire. However, financial institutions are expected to comply with all relevant MAS Outsourcing and Technology Guidelines mentioned in the sections below.

 

Regulatory Deep Dive

The Monetary Authority of Singapore (MAS) regulates financial institutions.

Yes.

The relevant requirements are set out in:

  1. the MAS Outsourcing Guidelines, which were updated on 27 July 2016 and which give a clear green light for the use of cloud services, whether private, public or hybrid cloud, by financial institutions;
  2. the Notice on Outsourcing, which has not yet been updated in light of the Outsourcing Guidelines but which is expected to be similar to the Outsourcing Guidelines. This sets the minimum standards required for a financial institution in respect of its outsourcing arrangements;
  3. Technology Risk Management Guidelines (TRM Guidelines);
  4. relevant Notices on Technology Risk Management (TRM Notices);
  5. Business Continuity Management Guidelines; and
  6. the Banking Act (in particular, banking secrecy rules).

Certification with the Info-communications Media Development Authority’s (IMDA) Multi-Tier Cloud Security (MTCS) Tier 3 is generally regarded as necessary for providing Cloud Services to regulated sectors such as financial services. Microsoft has the necessary certifications.

 

On 4 August 2016, ABS issued a Cloud Implementation Guide, which is designed to help banks with the adoption of cloud services. While this is not binding, it serves as a practical guide for member banks in respect of the implementation of cloud.

 

Microsoft has issued a detailed response to the Outsourcing Guidelines and the ABS Cloud Implementation Guide, available here.

No, but adverse developments arising from a financial institution's outsourcing arrangements (for example, a data breach incident) must be notified to MAS as soon as possible.

Institutions are expected to ensure that any outsourcing arrangements do not interfere with their ability to manage their activities or for MAS to carry out its supervisory functions and objectives. The need to include contractual inspection rights in favour of MAS and/or the financial institution only applies to “material outsourcing arrangements”. Inspections may be carried out by a range of parties and need not necessarily be carried out by the institution itself. MAS confirms that inspections may be carried out by the institution’s internal or external auditors, the cloud service provider’s external auditors and/or by agents appointed by the institution. Copies of all reports should be made available to MAS on request.

The use of data centers outside of Singapore is permitted. Nonetheless, MAS is clear that institutions should, if services are provided from outside of Singapore, assess the applicable government policies, political, social and economic conditions, legal and regulatory developments and the institution’s ability to effectively monitor the service provider. Some additional considerations apply to material outsourcing arrangements, where the expected standards are higher. These include taking steps to protect confidentiality and the freedom of MAS to exercise its regulatory oversight. Institutions are also expected to notify MAS if any overseas authority seeks access to customer information.

 

The Singapore Personal Data Protection Act (PDPA) requires organizations to put in place safeguards (including contractual measures) to protect data transferred outside of Singapore. In practice, a number of organizations across regulated sectors use cloud services which may require the transfer of data outside of Singapore.