2023-12-11
Added
The Monetary Authority of Singapore issued Notice 1121 to establish comprehensive regulatory requirements for merchant banks managing risks associated with outsourced relevant services. The Notice mandates the maintenance of a semi-annual register of outsourced services and imposes strict due diligence, monitoring, and contractual obligations specifically for material ongoing outsourced services. It further enforces rigorous protections for customer information, including restrictions on sub-contracting and requirements for service provider audits and data confidentiality.
1 MAS Notice 1121 11 December 2023 NOTICE TO MERCHANT BANKS Banking Act 1970 Management Of Outsourced Relevant Services
2 “deposit information”, in relation to a merchant bank in Singapore, means any information relating to – (a) any deposit of a customer of the merchant bank; (b) funds of a customer under management by the merchant bank; or (c) any safe deposit box maintained by, or any safe custody arrangements made by, a customer with the merchant bank, but does not include any information that is not referable to any named person or group of named persons; “exempted outsourced relevant service” means any outsourced relevant service that is set out in Annex D; “intragroup entity” in relation to a merchant bank in Singapore, means – (a) an entity that has the same ultimate holding company as the merchant bank; (b) an entity that is the ultimate holding company of the merchant bank; or (c) a branch or office of the merchant bank; “material ongoing outsourced relevant service” means any ongoing outsourced relevant service where the merchant bank in Singapore has reasonable grounds to believe that – (a) any unauthorised disclosure of, access to, collection of, copying of, modification of, use of, disposal of or acts with similar risks done in relation to, any information, held by the service provider or sub-contractor, as the case may be; (b) any unauthorised access to the books, systems or premises of the service provider or sub-contractor, as the case may be; or (c) a failure by the service provider to provide the relevant service in accordance with the outsourcing agreement, will materially affect adversely or is likely to materially affect adversely – (i) any of the business of the merchant bank referred to in section 55V(1) of the Act;
3 (ii) the customers or any group of customers, financial soundness or reputation of the merchant bank; (iii) the ability of the merchant bank to manage its risks (including legal, reputational, technological and operational risks) arising from the relevant service; or (iv) the ability of the merchant bank to comply with all laws and regulatory requirements that apply to the merchant bank, whether in Singapore or elsewhere; “ongoing outsourced relevant service”, in relation to a merchant bank in Singapore, means an outsourced relevant service that – (a) the merchant bank obtains or receives or intends to obtain or receive, for a duration of more than 12 months; or (b) the merchant bank obtains or receives for a duration of 12 months or less, but where the outsourcing agreement is renewed or extended, or which the merchant bank intends to renew or extend, such that the cumulative duration of the merchant bank obtaining or receiving the relevant service exceeds or will exceed 12 months; “outsourced relevant service”, in relation to a merchant bank in Singapore, means a relevant service, other than a relevant service set out in Annex B, that – (a) is performed by the merchant bank or was performed by the merchant bank at any time prior to it obtaining or receiving the relevant service; (b) is integral to any business that the merchant bank may carry on under section 55V(1) of the Act, which includes, but is not limited, to any relevant service set out in Annex A; or (c) is set out in Annex C; “outsourcing agreement” means – (a) in the case where the service provider of a merchant bank in Singapore is a branch or office of the merchant bank, written policies and procedures by which the branch or office is to provide an outsourced relevant service; and (b) in the case where the service provider is any person, a written contract between a merchant bank in Singapore and the person setting out the terms by which the person is to provide the outsourced relevant service;
4 “overseas regulated financial institution” means an institution that is licensed, approved, registered or otherwise regulated under any law administered by a corresponding authority in a foreign country to carry on any financial activities in that country, or that is exempted from such licensing, approval, registration or regulation for the carrying on of any financial activities in that country; “relevant service” has the same meaning as defined in Section 47A(12) of the Act; “service provider”, in relation to a merchant bank in Singapore, means – (a) any branch or office of the merchant bank that is located outside Singapore; or (b) any person, that provides a relevant service to the merchant bank; “sub-contracting arrangement” means an arrangement between a service provider and a sub-contractor, or between two sub-contractors, under which the subcontractor or one of the sub-contractors, as the case may be, agrees to provide the whole or any part of a relevant service to the merchant bank in Singapore; “sub-contractor”, in relation to a merchant bank in Singapore, means – (a) another branch or office of the merchant bank, or any person, that is engaged by a service provider or another sub-contractor, as the case may be, to provide the whole or any part of a relevant service pursuant to a sub-contracting arrangement, where the service provider or sub-contractor is a branch or office of the merchant bank; and (b) a branch or office of the merchant bank, or any person, that is engaged by a service provider or another sub-contractor, as the case may be, to provide the whole or any part of a relevant service pursuant to a sub-contracting arrangement, where the service provider or sub-contractor is a person; “supervisory authority”, in relation to a foreign country or territory, means an authority of the foreign country or territory exercising any function that corresponds to a regulatory function of the Authority under the Act, the Monetary Authority of Singapore Act 1970 or any of the written laws set out in the Schedule to that Act; "ultimate holding company" has the same meaning as set out in section 5A of the Companies Act 1976. 2.2 For the purposes of this Notice, unless the context otherwise requires, a reference to a “branch or office” of a merchant bank in Singapore includes its head office.
5 2.3 The expressions used in this Notice shall, except where expressly defined in this Notice or where the context otherwise requires, have the same respective meanings as in the Act. 2.4 A merchant bank in Singapore that obtains or receives any exempted outsourced relevant service does not need to comply with the requirements in this Notice in relation to the exempted outsourced relevant service. SECTION A. MONITORING AND CONTROL OF OUTSOURCED RELEVANT SERVICES 3. Register of Outsourced Relevant Services 3.1 A merchant bank in Singapore must record in a register, a list of all – (a) ongoing outsourced relevant services obtained or received from a service provider; and (b) outsourced relevant services obtained or received from a service provider, which involves the disclosure of customer information. 3.2 The merchant bank must ensure that the register is to be updated promptly and submit the register to the Authority semi-annually and at any time upon request by the Authority. SECTION B.REQUIREMENTS RELATING TO MATERIAL ONGOING OUTSOURCED RELEVANT SERVICES 4. Management of Material Ongoing Outsourced Relevant Services 4.1 A merchant bank in Singapore must – (a) implement policies and procedures to identify all material ongoing outsourced relevant services, and assess, manage and monitor any risk to the merchant bank that may arise from obtaining or receiving each of these relevant services; (b) maintain effective supervision and monitor the provision of the material ongoing outsourced relevant service, including establishing appropriate levels of approving authorities that is commensurate with the scale and complexity of the material ongoing outsourced relevant service, to approve matters relating to the relevant service; (c) establish measures to minimise any disruption to the operations of the merchant bank in the event that the service provider cannot adequately provide the
6 material ongoing outsourced relevant service or where the merchant bank needs to exercise its right to terminate the outsourcing agreement or to stop obtaining or receiving the material ongoing outsourced relevant service; (d) implement the measures mentioned in sub-paragraph (c) in the event that the service provider cannot adequately provide the material ongoing outsourced relevant service or where the merchant bank needs to exercise its right to terminate the outsourcing agreement or to stop obtaining or receiving the material ongoing outsourced relevant service; and (e) keep documentation sufficient to demonstrate compliance by the merchant bank with the requirements in this paragraph. 5. Evaluation of Service Provider for Material Ongoing Outsourced Relevant Services 5.1 For the purposes of section 47A(2)(a) and 47A(4)(a) of the Act, as applied by section 55ZJ(1), before obtaining any material ongoing outsourced relevant service, a merchant bank in Singapore must establish a framework for evaluating the ability of the service provider to perform the acts mentioned in section 47A(2)(a)(i) to 47A(2)(a)(v) or 47A(4)(a)(i) to 47A(4)(a)(v), as applied by section 55ZJ(1), of the Act, as the case may be. The merchant bank must conduct due diligence checks against the framework and be satisfied of the results. The merchant bank must ensure that the framework includes an assessment of all of the following matters at the minimum: (a) in the case where the service provider is an intragroup entity of the merchant bank in Singapore, the service provider’s risk management framework, and its track record in providing similar relevant services; (b) in all other cases other than that mentioned in paragraph (a), – (i) the service provider’s risk management framework; (ii) the service provider’s reputation and track record in providing similar relevant services; and (iii) the service provider’s financial strength and resources; (c) in the case where the material ongoing outsourced relevant service is obtained or received outside Singapore by the merchant bank and involves the disclosure of customer information to the service provider, – (i) the risks of the merchant bank not being able to comply with any obligations under any written law that requires it to keep confidential, any of its customer information;
7 (ii) the service provider’s reputation and track record for safeguarding the confidentiality and integrity of customer information in its custody; (iii) the service provider’s ability to ensure that employees who are authorised to access the customer information are subject to confidentiality obligations; and (iv) the measures that the service provider has put in place to safeguard the confidentiality and integrity of customer information of the merchant bank that is in the custody of the service provider, in relation to the provision of the relevant service. 5.2 A merchant bank in Singapore must satisfy itself, on an ongoing basis, of the service provider’s ability to perform the acts mentioned in section 47A(2)(a)(i) to 47A(2)(a)(v) or 47A(4)(a)(i) to 47A(4)(a)(v), as applied by section 55ZJ(1), of the Act, as the case may be. The merchant bank must, at the minimum: (a) after performing the initial due diligence checks mentioned in paragraph 5.1, perform the same due diligence checks within a period assessed by the merchant bank to be commensurate with the risks of the material ongoing outsourced relevant service, but no later than 24 months of obtaining the material ongoing outsourced relevant service; and (b) thereafter, perform the due diligence checks mentioned in paragraph 5.1 at a frequency approved by the board of the merchant bank that is commensurate with the risks of the material ongoing outsourced relevant service. 5.3 A merchant bank in Singapore must document the due diligence checks required under paragraphs 5.1 and 5.2, where applicable, (“Due Diligence Checks”) conducted by it and furnish the documentation to the Authority upon request. 5.4 Notwithstanding paragraphs 5.1 and 5.2, a merchant bank in Singapore may rely on a third party to perform the Due Diligence Checks if all of the following requirements are met: (a) the merchant bank is satisfied that the third party it intends to rely on is able to perform the Due Diligence Checks; and (b) the third party is able and willing to provide to the merchant bank or Authority, upon the merchant bank’s or Authority’s request, as the case may be, any record, document, report or information obtained by the third party with respect to the Due Diligence Checks, and the merchant bank has obtained a written undertaking from the third party to this effect.
8 5.5 Where a merchant bank in Singapore places reliance on a third party to perform the Due Diligence Checks, the merchant bank must – (a) document the basis for its satisfaction that the requirements in paragraph 5.4 have been met; (b) obtain from the third party a record, document or report, or information setting out the basis for the third party’s assessment pursuant to the Due Diligence Checks; and (c) review the third party’s evaluation of the service provider. 5.6 To avoid doubt, notwithstanding any reliance on a third party in accordance with paragraph 5.4, the merchant bank in Singapore remains responsible for its obligations mentioned in paragraphs 5.1 to 5.3. 6. Requirements relating to Use of Sub-Contractor for Material Ongoing Outsourced Relevant Services 6.1 Subject to paragraph 6.2, a merchant bank in Singapore must not allow a material ongoing outsourced relevant service to be sub-contracted unless – (a) the sub-contracting arrangement does not involve any disclosure of customer information; or (b) where the sub-contracting arrangement requires the disclosure of customer information, the merchant bank has obtained the consent in writing of the customer or, if the customer is deceased, the customer’s appointed personal representative, for the merchant bank to disclose the customer information to the service provider or the sub-contractor, as the case may be. 6.2 Paragraph 6.1 does not apply where the customer information pertains to a customer which is – (a) a company which carries on banking business; or (b) a financial institution designated by the Authority by notice in writing for the purposes of the definition of “customer” in section 40A, as applied by section 55ZJ(1), of the Act. 6.3 Where a merchant bank in Singapore allows a material ongoing outsourced relevant service to be sub-contracted, the merchant bank must do all of the following:
9 (a) ensure that the service provider notifies the merchant bank in writing prior to or within a reasonable time of the engagement of a sub-contractor unless the merchant bank’s agreement for the engagement of the sub-contractor had been obtained prior to the sub-contractor’s engagement; (b) ensure that prior to obtaining or receiving any material ongoing outsourced relevant service, the merchant bank documents its assessment that allowing the sub-contracting arrangement for the material ongoing outsourced relevant service, or any part of it, – (i) would not pose any risks to the merchant bank which it is not prepared, or is unable, to manage, in particular, legal, reputational, technological and operational risks; and (ii) would not compromise: (A) the provision of the relevant service to the merchant bank; and (B) the confidentiality and integrity of all information disclosed to, or accessed, collected, copied, modified, used, stored or processed by, the service provider or the sub-contractor, as the case may be, in accordance with the outsourcing agreement and subcontracting arrangement respectively; (c) ensure that the merchant bank regularly reviews its assessment in paragraph (b), and documents any changes to its assessment, including the reasons for the changes. 7. Outsourcing Agreement and Access to Information relating to Material Ongoing Outsourced Relevant Services 7.1 For the purposes of section 47A(2)(b) and 47A(4)(b), as applied by section 55ZJ(1), of the Act, before obtaining a material ongoing outsourced relevant service, a merchant bank in Singapore must enter into an outsourcing agreement that contains terms which achieve the same effect as all of the following: (a) a requirement that the service provider protects the confidentiality and integrity of all information of the merchant bank in its custody, in relation to the provision of the material ongoing outsourced relevant service; (b) a requirement that the service provider ensures that it and its employees only access, collect, copy, modify, use, store or process any customer information of the merchant bank to the extent that is necessary for it and its employees to provide the material ongoing outsourced relevant service;
10 (c) a requirement that the service provider ensures that it and its employees do not disclose any customer information of the merchant bank to any third party unless compelled by law, in which case the service provider must notify the merchant bank as soon as practicable to the extent permitted by law; (d) a requirement that the Authority, or an auditor appointed by the Authority, be allowed to audit the books, systems and premises of the service provider for the purposes of determining whether the service provider is properly providing the material ongoing outsourced relevant service and assessing – (i) the ability of the service provider to – (A) ensure continuity of the material ongoing outsourced relevant service; (B) safeguard the confidentiality and integrity of all information in its custody, in relation to the provision of the material ongoing outsourced relevant service; and (C) manage its legal, reputational, technological and operational risks arising from the provision of the material ongoing outsourced relevant service; and (ii) the level of compliance of the service provider with written laws related to the provision of the material ongoing outsourced relevant service; (e) a requirement that the service provider, on a request by the merchant bank, provides to the merchant bank or the Authority, or any person appointed by the merchant bank or the Authority, any record, document, report or information relating to the provision of the material ongoing outsourced relevant service; (f) a requirement that if the merchant bank terminates the outsourcing agreement or stops receiving the material ongoing outsourced relevant service provided by the service provider, the service provider ensures that all customer information given to the service provider are deleted, destroyed or rendered unusable as soon as possible except where – (i) the service provider is prohibited from doing so by written law or foreign laws, in the case where the material ongoing outsourced relevant service is performed overseas; or (ii) in the case where the service provider is an intragroup entity, the record, document or information is stored in a system of the service provider which, upon the termination of the outsourcing agreement, can only be accessed by the merchant bank; and
11 (g) a requirement that the merchant bank may terminate the outsourcing agreement or stop receiving the material ongoing outsourced relevant service from the service provider under any of the following circumstances: (i) by giving reasonable notice to the service provider; (ii) if directed by MAS to terminate the outsourcing agreement or to stop receiving the material ongoing outsourced relevant service from the service provider; (iii) if the service provider or a sub-contractor, where applicable, has failed to safeguard the confidentiality or integrity of customer information of the merchant bank that is in the custody of the service provider or subcontractor, where applicable, in relation to the provision of the material ongoing outsourced relevant service; (iv) if there has been a demonstrable deterioration in the ability of the service provider or a sub-contractor, where applicable, to safeguard the confidentiality or integrity of the customer information in its custody. 7.2 Where an intragroup entity of the merchant bank in Singapore has entered into an outsourcing agreement on behalf of the merchant bank, the merchant bank must ensure that the terms set out in paragraph 7.1 are included in the outsourcing agreement before obtaining or receiving the material ongoing outsourced relevant service. 8. Protection of Customer Information relating to Material Ongoing Outsourced Relevant Services 8.1 A merchant bank in Singapore that receives a material ongoing outsourced relevant service from a service provider must implement adequate measures to protect customer information that is disclosed to the service provider or sub-contractor, as the case may be, against unauthorised disclosure, access, collection, copying, modification, use, disposal or similar risks. The merchant bank must at the minimum ensure that the measures include all of the following: (a) notifying the service provider in writing of – (i) the merchant bank’s obligation to keep customer information confidential under the Act and common law; (ii) the service provider’s obligation to keep customer information confidential under the Act; and
12 (iii) in the case where the material ongoing outsourced relevant service is to be performed outside Singapore, the merchant bank’s obligations to protect customer information in accordance with the laws of the place where the material ongoing outsourced relevant service is to be performed; (b) ensuring that customer information is disclosed to, or accessed, collected, copied, modified, used, stored or processed by, a service provider and its employees or a sub-contractor and its employees only to the extent that is necessary for the service provider or the sub-contractor, and their respective employees, as the case may be, to provide the material ongoing outsourced relevant service. 9. Audit of Material Ongoing Outsourced Relevant Services 9.1 Subject to paragraph 9.2, a merchant bank in Singapore must conduct independent audits on each of its material ongoing outsourced relevant services, for the purposes mentioned in paragraph 7.1(d) at least once every three years. 9.2 Where any material ongoing outsourced relevant service is provided by an intragroup entity, the merchant bank must ensure that independent audits are conducted on the material ongoing outsourced relevant service for the purposes mentioned in paragraph 7.1(d) and at a frequency approved by the board that is commensurate with the nature, scope and complexity of the relevant service. 9.3 The merchant bank must, upon request by the Authority, provide the Authority with copies of, or access to, the reports of the independent audits referred to in paragraphs 9.1 and 9.2, within such time as may be specified by the Authority. 10. Termination of Material Ongoing Outsourced Relevant Services 10.1 If any of the circumstances specified in paragraph 10.3 has arisen, a merchant bank in Singapore must – (a) where the circumstance is one referred to in paragraph 10.3(a) or 10.3(e), or both: (i) consider whether to exercise its right to terminate the outsourcing agreement or to stop receiving the material ongoing outsourced relevant service from the service provider, and document the merchant bank’s considerations; and (ii) if it decides to terminate the outsourcing agreement or to stop receiving the material ongoing outsourced relevant service from the service provider, notify the Authority of the circumstances that have arisen as soon as possible; or
13 (b) in all other cases, consider whether to exercise its right to terminate the outsourcing agreement or to stop receiving the material ongoing outsourced relevant service from the service provider, and document the merchant bank’s considerations. 10.2 Upon the termination of the outsourcing agreement relating to a material ongoing outsourced relevant service, the merchant bank in Singapore mustensure that all customer information given to the service provider or sub-contractor, where applicable, are removed from the possession of the service provider or sub-contractor, as the case may be, or deleted, destroyed or rendered unusable as soon as possible except where – (a) the service provider or sub-contractor, as the case may be, is prohibited from doing so by written law or foreign laws, in the case where the material ongoing outsourced relevant service is performed overseas; or (b) in the case where the service provider or sub-contractor is a branch or office of the merchant bank, the customer information is stored in a system used by the merchant bank which upon the termination of the outsourcing agreement, can only be accessed by the merchant bank. 10.3 The circumstances referred to in paragraph 10.1 are: (a) the service provider or sub-contractor, where applicable, has failed to safeguard the confidentiality or integrity of information of the merchant bank that is in the custody of the service provider or sub-contractor, where applicable, in relation to the provision of the material ongoing outsourced relevant service; (b) the service provider has failed to comply with any written law related to the provision of the material ongoing outsourced relevant service; (c) the service provider has undergone or is undergoing a change in ownership and where such a change might adversely affect whether the merchant bank is able to satisfy itself of the service provider’s ability to provide the material ongoing outsourced relevant service based on the framework in paragraph 5.1 of this Notice; (d) there has been a deterioration in the ability of the service provider to provide the material ongoing outsourced relevant service in accordance with the outsourcing agreement; (e) there has been a demonstrable deterioration in the ability of the service provider or sub-contractor, where applicable, to safeguard the confidentiality or integrity of the customer information in its custody;
14 (f) the merchant bank or any person appointed by the merchant bank is prevented by the service provider, from obtaining any record, document, report or information relating to the provision of material ongoing outsourced relevant service; and (g) the merchant bank is prevented by the service provider from assessing the service provider’s compliance with the outsourcing agreement. 11. Material Ongoing Outsourced Relevant Services obtained or received from an Overseas Regulated Financial Institution 11.1 For material ongoing outsourced relevant services where the service provider or a sub-contractor is an overseas regulated financial institution, a merchant bank in Singapore must – (a) implement measures to ensure that the merchant bank and the Authority (in accordance with the Act) have access to customer information and any record, document, report or information relating to the provision of the service by the service provider; and (b) ensure that customer information relating to the material ongoing outsourced relevant service of the merchant bank is adequately protected when accessed by a supervisory authority of the service provider or sub-contractor, as the case may be. 11.2 For the purposes of paragraph 11.1(b), the merchant bank must provide all of the following to the Authority: (a) a written set of policies and procedures of the merchant bank for managing requests for any customer information of the merchant bank that is in the possession of the service provider or sub-contractor (“the Customer Information”) from the supervisory authority to the merchant bank or the service provider or sub-contractor, as the case may be. The merchant bank must ensure that the written policies and procedures at the minimum set out the criteria under which the merchant bank or the service provider or sub-contractor, as the case may be, may disclose the Customer Information to the supervisory authority and how the merchant bank will ensure that it is notified of any requests for Customer Information from the supervisory authority; (b) a written undertaking to notify the Authority in writing of any disclosure of Customer Information to the supervisory authority, within 14 working days after such disclosure.
15 SECTION C. REQUIREMENTS RELATING TO OUTSOURCED RELEVANT SERVICES THAT INVOLVE THE DISCLOSURE OF CUSTOMER INFORMATION 12.1 A merchant bank in Singapore which obtains or receives an outsourced relevant service that is a material ongoing outsourced relevant service does not need to comply with the requirements in Section C in respect of the outsourced relevant service. Evaluation of Service Provider relating to Outsourced Relevant Services 12.2 For the purposes of section 47A(2)(a) and 47A(4)(a), as applied by section 55ZJ(1), of the Act, before obtaining an outsourced relevant service which involves the disclosure of customer information, to evaluate the ability of the service provider to safeguard the confidentiality and integrity of customer information disclosed to, or accessed, collected, copied, modified, used, stored or processed by, the service provider, a merchant bank in Singapore must conduct due diligence checks to assess and be satisfied of all of the following matters at the minimum: (a) the service provider’s reputation and track record for safeguarding the confidentiality and integrity of customer information in its custody; (b) the service provider’s ability to ensure that employees who are authorised to access the customer information are subject to confidentiality obligations; (c) the measures that the service provider has put in place to safeguard the confidentiality and integrity of customer information of the merchant bank that is in the custody of the service provider, in relation to the provision of the relevant service. 12.3 A merchant bank in Singapore must satisfy itself, on an ongoing basis, of the service provider’s ability to safeguard the confidentiality and integrity of customer information disclosed to, or accessed, collected, copied, modified, used, stored or processed by, the service provider. 12.4 A merchant bank in Singapore must document the due diligence checks required under paragraphs 12.2 and 12.3 and furnish the documentation to the Authority upon request. 12.5 Notwithstanding paragraphs 12.2 and 12.3, a merchant bank in Singapore may rely on a third party to perform the due diligence checks required under paragraphs 12.2 and 12.3 if the merchant bank is satisfied that the third party it intends to rely on is able to perform the due diligence checks. 12.6 Where a merchant bank in Singapore places reliance on a third party to perform the due diligence checks required under paragraphs 12.2 and 12.3, the merchant bank must –
16 (a) document the basis for its satisfaction that the requirements in paragraph 12.5 have been met; (b) obtain from the third party a record, document or report, or information setting out the basis for the third party’s assessment pursuant to the due diligence checks; and (c) review the third party’s evaluation of the service provider. 12.7 To avoid doubt, notwithstanding any reliance on a third party in accordance with paragraph 12.5, the merchant bank in Singapore remains responsible for its obligations mentioned in paragraphs 12.2 to 12.4. Outsourcing Agreement and Access to Information relating to Outsourced Relevant Services 12.8 For the purposes of section 47A(2)(b) and 47A(4)(b), as applied by section 55ZJ(1), of the Act, before obtaining an outsourced relevant service which involves the disclosure of customer information, a merchant bank in Singapore must enter into an outsourcing agreement with the service provider, which must include all of the following: (a) a requirement that the service provider protects the confidentiality and integrity of all customer information; (b) a requirement that the service provider ensures that the service provider and its employees only access, collect, store, process or use any customer information to the extent that is necessary for the service provider to provide the outsourced relevant service; (c) a requirement that the service provider ensures that the service provider and its employees do not disclose any customer information to any third party unless compelled by law, in which case the service provider must notify the merchant bank as soon as practicable to the extent permitted by law; (d) a requirement that the service provider, on a request by the merchant bank, satisfies the merchant bank, its auditors, the Authority or any person appointed by the Authority, by the production of such evidence or information as the relevant person may require, that the service provider is in compliance with paragraph (a); (e) a requirement that the merchant bank may terminate the outsourcing agreement or stop receiving the outsourced relevant service from the service provider under any of the following circumstances:
17 (i) theservice provider has failed to safeguard the confidentiality or integrity of the customer information in its custody; (ii) there has been a demonstrable deterioration in the ability of the service provider to safeguard the confidentiality or integrity of the customer information in its custody. Protection of Customer Information relating to Outsourced Relevant Services 12.9 A merchant bank in Singapore that receives an outsourced relevant service which involves the disclosure of customer information must implement adequate measures to protect such customer information that is disclosed to the service provider against unauthorised disclosure, access, collection, copying, use, modification, disposal or similar risks. The merchant bank must at the minimum ensure that the measures include all of the following: (a) notifying the service provider in writing of – (i) the merchant bank’s obligation to keep customer information confidential under the Act and common law; (ii) the service provider’s obligation to keep customer information confidential under the Act; and (iii) in the case where the outsourced relevant service is to be performed outside Singapore, the merchant bank’s obligations to protect customer information in accordance with the laws of the place where the outsourced relevant service is to be performed; (b) ensuring that customer information is disclosed to, or accessed, collected, copied, modified, used, stored or processed by, a service provider and its employees only to the extent that is necessary for the service provider and its employees to provide the outsourced relevant service. Termination of Outsourced Relevant Services 12.10 If any of the circumstances specified in paragraph 12.8(e) arise, a merchant bank in Singapore must: (a) notify the Authority of the circumstances that have arisen as soon as possible; (b) consider whether to exercise its right to terminate the outsourcing agreement or to stop obtaining or receiving the outsourced relevant service from the service provider, and document the merchant bank’s considerations; and
18 (c) exercise its right to terminate the outsourcing agreement or to stop obtaining or receiving the outsourced relevant service from the service provider if the Authority directs the merchant bank to do so, having regard to public interest or the interest of depositors. 12.11 Upon the termination of the outsourcing agreement relating to an outsourced relevant service that involves the disclosure of customer information or when a merchant bank in Singapore stops obtaining or receiving an outsourced relevant service that involves the disclosure of customer information, the merchant bank must ensure that all customer information given to the service provider are removed from the possession of the service provider or deleted, destroyed or rendered unusable as soon as possible except where – (a) the service provider is prohibited from doing so by written law or foreign laws, in the case where the outsourced relevant service is performed overseas; or (b) in the case where the service provider is a branch or office of the merchant bank in Singapore, the customer information is stored in a system used by the merchant bank which upon the termination of the outsourcing agreement, can only be accessed by the merchant bank. SECTION D. GROUP POLICY RELATING TO OUTSOURCED RELEVANT SERVICES 13. Group Policy 13.1 Subject to paragraph 13.2, a merchant bank incorporated in Singapore must implement a group policy relating to outsourced relevant services to ensure that each of its branches comply with all requirements in this Notice, as if it were a merchant bank in Singapore. 13.2 Where a branch of a merchant bank in Singapore, that is located outside Singapore, obtains or receives material ongoing outsourced relevant services, the merchant bank may elect not to comply with paragraph 7.1 as if the branch was a merchant bank in Singapore provided the merchant bank ensures the branch has entered into an outsourcing agreement with the service provider and the merchant bank documents and satisfies itself that the risks from not complying with paragraph 7.1 would be addressed and how the merchant bank would so address the risks. SECTION E. EFFECTIVE DATES OF REQUIREMENTS IN THIS NOTICE 14. EFFECTIVE DATES 14.1 This Notice, other than paragraphs 7.1 and 12.8, takes effect on 11 December 2024.
19 14.2 Paragraph 7.1 takes effect on the following dates: (a) where the outsourcing agreement relating to a material ongoing outsourced relevant service is entered into prior to 11 December 2023, on the date which the merchant bank next extends the tenure of the outsourcing agreement or 11 December 2024, whichever is later. (b) where the outsourcing agreement relating to a material ongoing outsourced relevant service is entered into: (i) between 11 December 2023 and 11 December 2024 (both dates inclusive), on the date which the merchant bank next extends the tenure of the outsourcing agreement or 11 December 2024, whichever is later; or (ii) after 11 December 2024, on the date which the merchant bank enters into the outsourcing agreement; 14.3 To avoid doubt, in the case where a merchant bank in Singapore assesses an ongoing outsourced relevant service to be a material ongoing outsourced relevant service after 11 December 2023, paragraph 7.1 takes effect on the date on which the merchant bank next extends the tenure of the outsourcing agreement in respect of such relevant service or 11 December 2024, whichever is later. 14.4 Paragraph 12.8 takes effect on the following dates: (a) where the outsourcing agreement relating to an outsourced relevant service which involves the disclosure of customer information is entered into prior to 11 December 2023, on the date which the merchant bank next extends the tenure of the outsourcing agreement or 11 December 2024, whichever is later. (b) where the outsourcing agreement relating to an outsourced relevant service which involves the disclosure of customer information is entered into: (i) between 11 December 2023 and 11 December 2024 (both dates inclusive), on the date which the merchant bank next extends the tenure of the outsourcing agreement or 11 December 2024, whichever is later; or (ii) after 11 December 2024, on the date which the merchant bank enters into the outsourcing agreement.
Annex A RELEVANT SERVICES INTEGRAL TO ANY BUSINESS THAT THE MERCHANT BANK MAY CARRY ON UNDER SECTION 55V(1) OF THE ACT
Annex B RELEVANT SERVICES THAT ARE EXCLUDED FROM THE DEFINITION OF OUTSOURCED RELEVANT SERVICE The following are relevant services that are excluded from the definition of “outsourced relevant service” in paragraph 2.1 of the Notice:
(xi) services provided via payments systems such as those provided via Fast And Secure Transfers (FAST), Interbank GIRO (IBG), NETS EFTPOS, Grabpay or Paypal; (xii) services provided via central addressing system provided via PayNow; (xiii) bill payment services provided by AXS Pte Ltd and SingPost Self-Service Automated Machines (SAM); (xiv) training on usage and technical support of third-party IT tools (including Commercial Off-The-Shelf software) by a vendor who developed the IT tools; (xv) supply and maintenance of equipment for incident management or emergency use such as fire protection, physical surveillance, power supply disruption, emergency communications and personal protection1 ; (xvi) advisory services, including services provided under a retainer arrangement, such as the provision of legal opinions, independent appraisals, advisory services by trustees in bankruptcy, loss adjusters and specialised tax advisory services; (xvii) expert assessment or independent consulting for areas where the merchant bank does not have the internal expertise to conduct; and (xviii) services provided by any of the following persons in the course of operating an organised market, or a clearing facility or carrying on business in a regulated activity, as the case may be: (a) approved exchange; (b) overseas exchange; (c) approved clearing house; (d) recognised clearing house; (e) recognised market operator; (f) holder of a capital markets services licence; (g) exempt person; (h) a person operating an organised market or a clearing facility or carrying on business in a regulated activity outside of Singapore that is regulated by a financial services regulatory authority of a country or jurisdiction other than Singapore 1 Personal protection refers to protection and minimisation of staff’s exposure to injuries or infection. In this context, this term refers to Personal Protection Equipment (PPE). Masks and bullet-proof vests would be examples of PPE.
The persons referred to in paragraph 1(xviii) have the meanings given by section 2(1) of the Securities and Futures Act 2001. 2. The following relevant services relating to introducer arrangements and principal-agent relationships: (i) sale of insurance policies by agents on behalf of the merchant bank and ancillary services relating to those sales; (ii) introducer arrangements between the merchant bank and an introducer, where the merchant bank does not have any existing contractual relationship with the person introduced. 3. Statutory audit and independent audit assessments performed by external auditors, which the merchant bank is not legally able to perform or not able to perform due to conflict of interest.
Annex C RELEVANT SERVICES CONSIDERED AS OUTSOURCED RELEVANT SERVICES
Annex D EXEMPTED OUTSOURCED RELEVANT SERVICES