The Monetary Authority of Singapore (MAS) has issued recent guidelines on outsourcing which endorse cloud computing as a legitimate means of outsourcing for firms operating in the nation.

Technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint venture partner of Pinsent Masons, the law firm behind Out-Law.com, said the recent guidance “represents the clearest indication to date of acceptance by MAS of cloud computing” and would be welcomed by the finance industry and cloud service providers.

MAS said it recognised the attraction for financial firms of being able to access “scalable, standardised and secured infrastructure” via cloud services [CS]. It said the kinds of risks that arise in using cloud services are “not distinct from that of other forms of outsourcing arrangements” but set out a number of requirements firms will have to meet to adopt cloud services in a way which complies with Singapore regulations.

“Institutions should be aware of CS’ typical characteristics such as multi-tenancy, data commingling and the higher propensity for processing to be carried out in multiple locations,” MAS said. “Hence, institutions should take active steps to address the risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing.”

“In particular, institutions should ensure that the service provider possesses the ability to clearly identify and segregate customer data using strong physical or logical controls. The service provider should have in place robust access controls to protect customer information and such access controls should survive the tenure of the contract of the CS,” it said.

MAS confirmed that while firms can outsource services to cloud providers they will be “ultimately responsible and accountable for maintaining oversight” of those services and for “managing the attendant risks”.

“A risk-based approach should be taken by institutions to ensure that the level of oversight and controls are commensurate with the materiality of the risks posed by the CS,” MAS said.

Under the recent guidance Singapore firms will no longer be under an obligation to pre-notify MAS of “material outsourcing arrangements” but will be required to demonstrate their compliance with the guidance to the regulator, including through submissions of the register they are required to hold of material outsourcing arrangements at least annually or upon request.

A material outsourcing arrangement is defined by MAS as “an outsourcing arrangement which, in the event of a service failure or security breach, has the potential to either materially impact an institution’s business operations, reputation or profitability; or ability to manage risk and comply with applicable laws and regulations, or which involves customer information and, in the event of any unauthorised access or disclosure, loss or theft of customer information, may have a material impact on an institution’s customers”.

MAS stressed that the board and senior management at firms have “pivotal roles” in setting a risk management culture that allows their business to give appropriate oversight to outsourcing arrangements.

Firms considering outsourcing, whether at the point of contracting for the first time, renewal or renegotiation, must “subject the service provider to appropriate due diligence processes to assess the risks associated”, it said.

The assessment should look into the cloud provider’s “capability to employ a high standard of care in the performance of the outsourcing arrangement” as well as their “physical and IT security controls …, the business reputation and financial power of the service provider, including the ethical and professional standards held by the service provider, and its ability to meet obligations under the outsourcing arrangement”.

Firms should carry out on-site visits as part of the due diligence process, and, where possible, obtain third party reviews and feedback on the cloud provider “to supplement the institution’s assessment”, MAS said.

The guidance has also outlined what provisions financial firms in Singapore must include within their outsourcing contracts.

Those provisions range from basics such as what the scope of the outsourcing arrangement is, and clauses on business continuity management and confidentiality and security, to additional specifications of “the type of events and the circumstances under which the service provider should report to the institution in order for an institution to take prompt risk mitigation measures and notify MAS of such developments”.