Yes. Although there are no data localization requirements, financial institutions are required to ensure compliance with the transfer limitation obligation in the Personal Data Protection Act 2012 (i.e., ensuring that personal data may only be transferred to overseas locations with comparable data protection laws, or that the recipients, e.g., data centers or sub-processors in these locations, are legally bound by similar contractual standards).

In addition, financial institutions need to identify risks associated with any outsourcing outside Singapore (e.g., government policies, political, social and economic conditions, and legal and regulatory developments) and ensure such risks can be adequately addressed. Financial institutions also need to ensure that outsourcing outside Singapore does not impede the financial institution and the Monetary Authority of Singapore's ability to inspect the service provider and access data and records maintained by the service provider under the outsourced arrangement, and that the service provider is operating in jurisdictions that uphold a duty of confidentiality.