As part of its role as prudential regulator, the Monetary Authority of Singapore (MAS) in 2016 delivered guidelines on outsourcing third-party arrangements. MAS expanded their outsourcing guidance in October 2018, and again in August 2022 with the publication of an information paper, Operational Risk Management – Management of Outsourcing and Third Party Arrangements.
In addition to publishing detailed requirements on how to achieve better oversight and governance over third parties, MAS has established comprehensive guidance on conducting due diligence over the lifecycle of outsourcing arrangements. MAS includes specific guidance for financial institutions in the following areas of the third-party risk management lifecycle:
Ensure that third parties relied upon for service delivery are subject to adequate governance, risk management and sound internal controls
Assess the risks arising from third party services and implement controls commensurate with the nature and extent of risks
Apply adequate risk management and sound internal controls to govern outsourcing and non-outsourcing arrangements
The MAS Third-Party Compliance Checklist
Download the Monetary Authority of Singapore (MAS) Third-Party Compliance Checklist to identify key MAS provisions that govern outsourcing and non-outsourcing arrangements.
Meeting MAS TPRM Guidelines
The summary table below maps capabilities in the Prevalent Third-Party Risk Management Platform to select articles in the MAS Operational Risk Management – Management of Outsourcing and Third Party Arrangements information paper, chapter 3.
NOTE: This is a summary of the most relevant articles only, and it should not be considered comprehensive, definitive guidance. For a complete list of articles, please review the complete document in detail and consult your auditor.
MAS Controls | How We Help |
---|---|
A: Controls Over Outsourcing Arrangements This section on controls over outsourcing arrangements describes the practices in: I) Governance and Management Oversight; |
|
I) Governance and Management Oversight |
|
Outsourcing governance structure and framework “Banks establish a proper governance structure and framework for adequate management oversight and attention on risks arising from outsourcing arrangements, to ensure that risks undertaken are in line with the banks’ strategies and risk appetite. "In the adoption of a risk-based approach, banks ensure that their approval framework facilitates management’s evaluation of the materiality and risks from existing and prospective outsourcing arrangements. Processes that support the evaluation and approval of outsourcing arrangements are sufficiently robust and effective.” Setting of appropriate outsourcing risk appetite “Banks establish a suitable strategy and risk appetite to define the nature and extent of risk that they are willing and able to assume from their outsourcing arrangements.” |
Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite. As part of this process, Prevalent can help you define:
|
Management reporting on outsourcing “Banks have effective processes in place to enable a comprehensive bank-wide view of risk exposures arising from outsourcing. There is regular reporting to management on outsourcing risk profiles, significant outsourcing issues and KRIs, to facilitate oversight of outsourcing risk landscape, trends and concerns.” |
Prevalent helps financial institutions reveal risk trends, third-party risk status, and exceptions to common behavior with embedded machine learning (ML) insights and customizable report views based on role. In addition, Prevalent helps to centrally measure third-party KPIs and KRIs to reduce risks from gaps in vendor oversight by automating contract and performance assessments and providing a framework to measure against requirements. With this capability, FIs can quickly identify outliers that could warrant further investigation and improve risk reduction efficiency by getting the right data into the right hands. |
II) Due Diligence (Onboarding and Periodic Reviews) |
|
Due diligence (onboarding and ongoing reviews) “Banks specify clear requirements, and provide comprehensive guidance, on the due diligence and risk assessment processes for the onboarding of new outsourcing arrangements and periodic reviews of existing ones. Such processes are commensurate with the risks involved, where adequate consideration is given to risk factors such as arrangements that involve sharing of customer data. Banks institute the necessary checks and balances to ensure that these requirements and processes are adequately tracked for compliance in a timely manner. "Banks enlist relevant SMEs to determine if the technical elements of risks pertaining to an outsourcing arrangement are adequately considered.” |
Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties. Criteria include:
Using this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments. Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations. Prevalent features a library of more than 750 pre-built templates for third-party risk assessments. Assessments can be conducted at the time of contract renewal or at any required frequency (e.g., quarterly or annually). Assessment questionnaires can be globally focused or regional to address unique legal or operational requirements. Prevalent delivers built-in remediation recommendations based on risk assessment results. These are backed by workflow and task management capabilities to ensure that third parties address risks in a timely and satisfactory manner. |
III) Ongoing Risk Management and Monitoring |
|
Control framework for outsourcing arrangements “Banks establish a structured framework for ongoing monitoring and control of outsourcing arrangements, with adequate involvement of independent parties to provide effective challenge and oversight to business units that originate the outsourcing arrangements.” |
The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place. Prevalent experts first review assessment responses from either custom or standardized questionnaires. We then map the responses to SIG, SCA, ISO, SOC II, AITECH and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help you reduce risk with your existing resources. |
Ongoing risk monitoring and controls “Banks are proactive in managing relationships with outsourced service providers, and apply more rigorous controls for higher risk arrangements. As the nature, materiality and complexity of outsourcing arrangements may evolve over time, the ongoing monitoring framework should be sufficiently robust to consider and manage such changes. "Banks have adequate tools to monitor outsourcing risk. Significant risk trends identified from KRI and heatmap assessments, concerns (such as overdue remediation of risk/audit issues, service level breaches or overdue periodic reviews), as well as concentration analyses are reported to management.” |
Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Risks can be categorized into a heat map view with likelihood and impact axes. Monitoring sources include:
|
B: Controls Over Non-Outsourcing Arrangements (NOAs) This section on controls over NOAs describes the practices observed at banks under the following areas in a third party risk management framework: I) Identification and Risk Categorisation; |
|
I) Identification and Risk Categorisation |
|
Risk identification and categorisation of third party dependencies “Banks have a third party risk management and governance framework to manage their non-outsourcing third party dependencies. "Banks establish clear criteria to risk assess their NOAs, so as to determine the governance and due diligence requirements that they should be subject to. Adequate consideration is accorded to risk factors such as arrangements that involve sharing of customer data.” |
Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite. As part of this process, Prevalent can help you define:
Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties. Criteria include:
Using this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments. Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations. Prevalent enables FIs to build a comprehensive vendor profile that includes ownership, financial performance, CPI scores, Modern Slavery statements, industry and business insights, and maps potentially risky 4th-party relationships. This helps to reduce complexity in managing third parties, providing a single source of the truth for vendor management across their relationship lifecycle. |
II) Governance and Management Oversight |
|
Implementation of risk management and governance frameworks for NOAs “Banks have a governance committee to exercise oversight of NOAs. Banks also establish risk-appropriate governance and risk management frameworks, including due diligence requirements, to manage risks arising from NOAs in a holistic manner.” |
Prevalent features a library of more than 750 pre-built templates for third-party risk assessments, including those that map to leading governance frameworks such as [ISO](/compliance/iso-27001-27002-27018-27036-2-27701/. Assessment questionnaires can be globally focused or regional to address unique legal, operational, or other due diligence requirements. Reporting enables FIs to visualize and address compliance requirements by automatically mapping assessment results and data feeds to regulatory requirements and frameworks. |
Management reporting on third party risk “Banks ensure adequate management oversight through regular and timely reporting on risk profiles and performance of NOAs. Significant issues such as expired periodic reviews, vendor incidents, performance breaches, and KRI breaches, are regularly reported to the relevant governing forum. An appropriate party (e.g. a 2LoD unit) provides the necessary checks and balances on the reporting process.” |
Prevalent helps financial institutions reveal risk trends, third-party risk status and exceptions to common behavior with embedded machine learning (ML) insights and customizable, role-based report views. In addition, Prevalent helps to centrally measure third-party KPIs and KRIs to reduce risks from gaps in vendor oversight by automating contract and performance assessments and providing a framework to measure against requirements. With this capability, FIs can quickly identify outliers that could warrant further investigation and improve risk reduction efficiency by getting the right data into the right hands. |
Change management “Banks have sound change management policies and procedures to manage risks arising from new NOAs. There is clear allocation of roles and responsibilities across the three lines of defense (LoDs) with change implementation subject to independent controls and oversight.” |
The Prevalent Platform includes an automation and rules engine that automatically suggests actions or adjusts risk scores based on assessment results and external data feeds. With this capability, FIs can automatically create tasks based on continuous third-party changes and assign to owners to track issues to conclusion. This helps accelerate risk reduction timelines. |
III) Due Diligence and Ongoing Monitoring |
|
Due diligence and ongoing monitoring of NOAs and third party risk “Banks implement risk assessment methodologies for risk rating NOAs that adequately consider higher risk factors, such as sharing of confidential information or providing support to critical functions. "Banks set out clear requirements on due diligence and independent oversight for onboarding of new NOAs and reviews of existing ones, that are commensurate with risks involved. Due diligence considers all relevant stakeholders of the NOAs, including partners and service providers. "Banks implement structured control processes for the ongoing monitoring of NOAs, over the life cycle of the relationships. High risk arrangements necessitate more stringent ongoing monitoring. "Banks deploy adequate risk monitoring tools and mechanisms to manage third party risk. These tools and mechanisms include the setting of a third party risk taxonomy and implementation of appropriate KRIs to facilitate a holistic view on the third party risk of the bank.” |
Once onboarding is complete, results from tiering, profiling and categorization assessments dictate the level of ongoing due diligence required across the third-party lifecycle. To enable this, Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Risks can be categorized into a heat map view with likelihood and impact axes. Monitoring sources include:
|
Align Your TPRM Program with 13 Industry Standards
Download this guide to review industry standards with specific TPRM requirements, and discover best practices for simplifying compliance.
Align your third-party risk management program with MAS provisions governing outsourcing and non-outsourcing arrangements.
Discover best practices for meeting key third-party information security requirements in APRA CPS 234.
Use this guidance to address outsourcing requirements in the Bank of England's Prudential Regulation Authority (PRA)...