A financial institution should notify the Monetary Authority of Singapore of any "adverse development" arising from its outsourcing arrangements that could affect it as soon as possible. Such is the opinion - not backed by any stated statute or rule - of the regulator in its latest paper regarding outsourcing.

Although there is no reference to regulatory rules at all - the word 'rule' only appears once in the entire document, and then only to refer to criteria laid down by companies in their outsourcing agreements - the paper bombards the reader with vague diktats. One such is the assertion that any institution incorporated in Singapore should consider the effect on its consolidated operations of outsourcing arrangements by its branches and any corporation under its control, including those located outside the jurisdiction. Another states that the institution should be able at all times to monitor and control its outsourcing arrangements even when one of its service providers uses a sub-contractor.

The regulator is a firm believer in institutions assessing the 'materiality' of their outsourcing arrangements. It wants them to use 'qualitative judgment' in every case and consider:
(a) the importance of the business activity to be outsourced (e.g., in terms of contribution to income and profit);
(b) the effect that the outsourcing exercise might have on earnings, solvency, liquidity, funding, capital and risk profile;
(c) the effect of the service provider failing to perform the service (or breaking confidentiality) on the institution’s reputation and the value of its brand, and its ability to achieve its business objectives;
(d) the effect of such a failure on the institution’s customers;
(e) the effect of such a failure on the institution’s counterparties and the Singapore financial market;
(f) the cost of the outsourcing as a proportion of the institution's total operating costs;
(g) the cost of 'outsourcing failure' which might require the institution to co-opt another service provider or do the job internally, as a proportion of its total operating costs;
(h) the institution's aggregate exposure to a particular service provider if it delegates more than one job to the same one; and
(i) how it can keep up appropriate internal controls and meet its regulatory requirements if the service provider faces operational problems.

Among the services that third parties perform for financial institutions, the regulator lists the following as outsourcing arrangements:
(a) application processing (e.g. loan origination, credit cards);
(b) white-labelling arrangements such as for trading and hedging facilities;
(c) middle- and back-office operations (e.g. electronic funds transfer, payroll processing, custody operations, quality control, purchasing, maintaining the register of participants of a collective investment scheme (CIS) and sending of accounts and reports to CIS participants, order processing, trade settlement and risk management);
(d) business continuity and disaster recovery functions and activities;
(e) claims administration (e.g. loan negotiations, loan processing, collateral management and the collection of bad loans);
(f) document processing (e.g. cheques, credit-card payments, bill payments, bank statements, other corporate payments and the printing of customers' statements);
(g) information systems hosting (e.g. software-as-a-service, platform-as-a-service, infrastructure-as-a-service);
(h) information systems management and maintenance (e.g. data entry and processing, data centres, data centre facilities management, end-user support, local area networks management, help desks and IT security operations);
(i) investment management (e.g. discretionary portfolio management and cash management);
(j) management of policy issuance and claims operations by managing agents;
(k) manpower management (e.g. benefits and pay administration, staff appointments, training and development);
(l) marketing and research (e.g. product development, data warehousing and mining, media relations, call centres, telemarketing);
(m) professional services related to the business activities of the institution (e.g. accounting, internal audit, actuarial, compliance); and
(n) support services related to archives and the storage of data and records.

As in all known common-law jurisdictions including Singapore, outsourcing does not diminish the obligations of any institution or its directors to comply with relevant laws and regulations. This is why the regulator believes that it is important for every firm to have a sound and responsive risk management system in place for its outsourcing arrangements.