Contract requirements
3. Are there any specific contractual requirements for cloud outsourcing?

The Monetary Authority of Singapore ("MAS") Guidelines on Outsourcing set out MAS' expectations about the provisions that should, minimally, be included in outsourcing agreements. These terms include the following:

  • The scope of the outsourcing arrangement and service description
  • Terms and standards on performance, operational, internal control and risk management matters
  • The parties' rights and responsibilities relating to confidentiality and security (This includes allocation of liability in the event of a breach, and rights of access to and disclosure of customer information by the service provider.)
  • Business continuity management, including recovery time objectives, recovery point objectives and resumption of operating capacities (See also MAS' Business Continuity Management Guidelines for the latest guidance on business continuity management generally.)
  • Terms to ensure there is effective monitoring and control by the institution on a continuing basis
  • Rights for the financial institution or MAS to audit the service provider and its subcontractors (whether by the financial institution's internal or external auditors, or their agents), and to obtain copies of any audit report on the service provider and its subcontractors
  • An obligation for the service provider to comply with any request from the financial institution or MAS to submit any reports on the security and control environment of the service provider and its subcontractors to MAS
  • The types of events and circumstances under which the service provider should report to the financial institution for the institution to take prompt risk mitigation measures and notify MAS of any adverse developments
  • A dispute resolution process, events of default, and the indemnities, remedies and recourse of the parties
  • The financial institution's rights to terminate for default and early exit (This includes the institution's right to terminate the agreement where the service provider undergoes a change in ownership or insolvency, a breach of security or confidentiality occurs, or where there is a demonstrable deterioration in its ability to perform.)
  • The minimum period to execute a termination and other provisions to ensure a smooth transition when the agreement is terminated or being amended
  • Rules and limitations on subcontracting, including the service provider's obligation to obtain the financial institution's prior consent for subcontracting any part of material outsourcing
  • Governing law and jurisdiction

The MAS Public Cloud Advisory also advises that contractual agreements should clearly delineate all parties' cybersecurity responsibilities and that contract terms should not impede financial institutions' ability to manage risk and meet regulatory requirements/expectations. Additionally, cloud agreements should provide rights for financial institutions to request that the cloud service provider remedy issues identified during audits and/or assessments in a timely manner.

In addition, the Association of Banks in Singapore Cloud Computing Implementation Guide 2.0, which contains best practice recommendations and guidance for the safe adoption of cloud, further adds that outsourcing agreements should include terms relating to the following:

  • Data confidentiality and control ownership, including change management processes and the circumstances under which each party has the right to change security requirements
  • Data transfers and location of data, including the financial institution's right to be notified of any changes to the location of the data and of any local requirements compelling the service provider to disclose the data to a third party
  • Data retention, such as the management of data in online or offline backups
  • Exit planning, including procedures and tools for the deletion of data, transferability of outsourced services and recovery of data for the purposes of continuity of services

Finally, having made changes to the Banking Act, the Singapore government has proposed that MAS issue revised outsourcing notices, which will codify and build on certain aspects of the MAS Outsourcing Guidelines, and formally make compliance mandatory for banks. If the proposed revised outsourcing notices were issued, banks would (among other things) be required to comply with written notices issued by MAS when contracting with an outsourced service provider, stipulating requirements for the outsourcing contract. Such requirements might require the inclusion of a provision allowing the bank to terminate the contract in certain circumstances. It is also contemplated that MAS would be able to require the bank to exercise its right to terminate the outsourcing contract in those circumstances.