The Monetary Authority of Singapore (MAS) is Singapore's central bank and financial regulatory authority. Along with regulating monetary policy, banking, and currency issuance, MAS sets standards for financial institutions' operational practices. MAS' third-party risk management guidelines give financial institutions a structure for staying resilient against the risks of third-party outsourcing arrangements, including supply chain vulnerabilities and information security.
In this blog post, we will explore the Monetary Authority of Singapore's guidelines for third-party risk management, including who should implement them and the benefits of using their guidelines. These guidelines are crucial in today's ecosystem of interconnected financial services, where security risks and liabilities can arise from various sources, including cloud services and external partnerships.
What are the TPRM Guidelines from the MAS?
The MAS issued guidelines on outsourcing arrangements in 2016, further expanding these recommendations in October 2018 and August 2022. The most recent guidelines are presented in an information technology paper titled "Operational Risk Management - Management of Third Party Arrangements." This paper outlines the measures that entities should take to manage third-party risks to mitigate operational risks, encompassing a risk management framework that addresses technology risk management, the criticality of different business operations, and the need for comprehensive risk assessments and remediation strategies.
The objective is to guide better oversight and governance of third-party relationships and conduct due diligence throughout the outsourcing life cycle. Included is specific information for financial institutions across the following areas of the third-party risk management life cycle:
- Governance and Management Oversight
- Identification and Risk Categorization
- Due Diligence
- Ongoing Risk Management and Monitoring
Governance and Management Oversight
Establishing robust governance and management oversight structures is crucial for financial institutions, as emphasized by the MAS guidelines. This part of the guidelines mandates the creation of clear policies, procedures, and frameworks to oversee third-party engagements. It involves defining roles and responsibilities for senior management and staff, ensuring accountability, and enabling effective decision-making in managing third-party risks.
This governance structure is essential to consistently identify, assess, manage, and monitor third-party service provider risks in line with the institution's overall risk appetite and regulatory obligations. It also includes implementing internal controls and treating customer data protection as a key aspect of risk management practices. To comply with these requirements, financial institutions can build the following elements into their third-party risk management program:
- Data protection policies, standards, and systems
- Defined roles and responsibilities for all team members
- Risk rating systems, like vendor tiering programs, to check alignment with organizational risk appetite
- Diverse monitoring sources (e.g., cybersecurity, business, reputation, financial)
- Incident response plans to handle operational disruptions, including reporting mechanisms
- Risk mitigation and correction strategies
- Templates for standardizing responses to common scenarios
- Metrics for evaluating the effectiveness of risk management strategies
Identification and Risk Categorization
In this section, MAS outlines the importance of systematically identifying and categorizing risks associated with third-party service providers. As per regulations, financial institutions must conduct a thorough analysis to understand the risks that third parties can pose. These risks may include cybersecurity threats, operational dependencies, legal and compliance risks, reputational impacts, and concentration risks.
The process of categorization involves assessing the severity and likelihood of these risks, which helps in prioritizing risk management efforts and resources. This step is crucial to determine the level of due diligence and ongoing monitoring required for different third-party relationships, and it aligns with business continuity planning and requirements to respond in a timely manner. Financial institutions can implement these guidelines through:
- Conducting risk assessments for all vendors and third parties
- Categorizing vendors based on what service they provide and how integral they are to the organization
- Implementing a risk scoring system to help prioritize risks and identify which third parties require more management and oversight
- Ensuring continuous monitoring and reporting mechanisms to track the risk status of third parties
Due Diligence
MAS emphasizes the importance of conducting due diligence in a third-party risk management framework, which includes comprehensive assessments and monitoring of third parties to ensure compliance with operational risk management standards. This involves a detailed examination of third-party security requirements and their capabilities in information security.
Using the results from identification and risk categorization, organizations can develop an onboarding plan that utilizes ongoing reviews and assessments for all third-party vendors, taking into account the FIS (Financial Institutions Security) standards. Financial institutions can comply with this guideline by:
- Examining third-party responses and documents by comparing them with predefined testing protocols to confirm the implementation of recommended security controls
- Aligning the third-party responses with the control framework chosen by your organization
- Creating plans for corrective actions and monitoring progress until fully implemented
- Ensuring that security requirements are met and that there are strategies for remediation of any identified vulnerabilities
Ongoing Risk Management and Monitoring
To practice ongoing risk management, MAS recommends continuous monitoring across both digital and physical environments. Financial institutions are responsible for assessing the performance and compliance of their third-party service providers regularly. This includes monitoring for any changes in the risk profile of the third party, identifying new risks, and ensuring that the third-party service providers adapt to changing regulatory and threat landscapes.
Ongoing risk management also involves planning for and responding to incidents involving third parties, thereby maintaining the resilience and security of the institution's operations. To comply with this guideline, financial institutions can implement the following:
- Continuous monitoring systems that track changes in third-party operations, compliance status, cybersecurity posture, etc.
- Regular audits of third-party providers that assess their compliance with contractual obligations, service level agreements (SLAs), and regulatory requirements
- Dynamic risk assessments that evolve with changes in the business environment, regulatory landscape, and operational status of third-party providers
- Regulatory compliance checks that identify if third-party providers are compliant with relevant regulations and guidelines
Who Should Comply with the TPRM Guidelines from the MAS?
The main audience for the TPRM Guidelines from MAS is financial institutions operating in Singapore. This category can include a broad range of organizations and businesses that utilize third-party outsourcing arrangements, including:
- Banks and Financial Companies: Retail and commercial banks, investment banks, and other banking institutions
- Insurance Companies: Life and general insurance companies that may engage with third-party providers for claims processing, data analysis, etc.
- Payment Service Providers: Companies that offer payment services like electronic payments and remittance services
- Capital Market Intermediaries: Brokerage firms, asset managers, and other intermediaries in the capital markets
- Fintech Companies: Singapore’s growing fintech sector includes those providing financial services or partnering with regulated financial institutions
- Credit and Finance Companies: Businesses that provide credit facilities or financing solutions
Penalties for Non-Compliance
While the TPRM guidelines from MAS are not a strict requirement, they are heavily encouraged for financial institutions in Singapore because they are closely linked to the broader regulatory framework set by MAS. Some of those requirements include:
- Capital Adequacy Requirements
- Risk Management Standards
- Anti-Money Laundering and Countering Financing of Terrorism
- Cybersecurity Measures
- Corporate Governance
- Data Protection and Privacy
- Consumer Protection
- Liquidity Management
- Outsourcing Management
- Compliance with International Standards
Much overlap exists between the TPRM guidelines provided by MAS and these requirement categories. When organizations meet these requirements, they often are already implementing the guidelines for TPRM as well. This helps prevent non-compliance penalties, including regulatory action, increased supervisory scrutiny, financial penalties, and reputational damage.
How Do the TPRM Guidelines from MAS Enhance Security?
The TPRM Guidelines from MAS play a pivotal role in enhancing the security and resilience of Singapore’s financial sector. These guidelines comprehensively address managing and mitigating risks with third-party service providers, a critical aspect of modern finance operations.
The MAS TPRM guidelines help manage third-party risks as more financial institutions outsource operations. This proactive approach to risk management strengthens the institutions and bolsters Singapore's financial security framework. Below are a few main outcomes of utilizing the TPRM Guidelines from MAS.
Strengthened Oversight and Governance
Implementing third-party risk management guidelines from the MAS greatly improves oversight and governance in financial institutions. It requires establishing robust governance structures and clear management policies, ensuring that risks associated with third-party engagements are effectively overseen and managed. This enhanced governance framework leads to better decision-making, increased accountability, and a more comprehensive understanding of the risks and benefits associated with third-party relationships.
Enhanced Due Diligence and Risk Assessments
The guidelines highlight the significance of enhanced due diligence and risk assessments on third-party service providers. This includes a detailed evaluation of a third party's security measures, operational resilience, compliance status, and overall risk management practices. Conducting such comprehensive assessments assists institutions in identifying potential risks at an early stage and enables them to make well-informed decisions regarding their third-party engagements.
Continuous Monitoring and Management
Adhering to these guidelines is crucial for maintaining continuous monitoring and management of third-party relationships. Institutions must regularly review and assess the performance and risk profiles of their third parties. This ongoing scrutiny helps promptly detect any changes in risk exposure or non-compliance issues, allowing for timely interventions to safeguard the institution's interests.
Incident Management and Reporting
Financial institutions must have effective strategies and protocols in place to respond to and manage incidents involving third parties. The guidelines aim to strengthen the incident management and reporting processes by outlining clear communication channels, predefined response plans, and mandatory reporting of significant incidents. This will enhance the institution's capacity to handle disruptions and mitigate their impact.
Contractual and Compliance Requirements
Implementing the MAS TPRM guidelines is vital as it ensures that the contractual agreements with third parties contain specific security, operational, and compliance requirements. This makes third-party entities responsible for adhering to the same high standards as the hiring institution, reinforcing compliance with regulatory and internal standards.
Risk Mitigation Strategies
The TPRM guidelines help guide the development and implementation of comprehensive risk mitigation strategies. These strategies entail identifying potential risks and establishing measures to avoid, transfer, mitigate, or accept these risks. By proactively managing third-party risks, institutions can maintain operational resilience and minimize the impact of potential risk events.
How UpGuard Can Help Your Third-Party Risk Management
Third-party risk management is important to financial institutions and any organization that outsources to third-party vendors. If your organization wants to enhance its third-party risk management, UpGuard is here to help.
Our Vendor Risk platform is a comprehensive TPRM solution that empowers you to manage your organization's Vendor Risk Management processes easily. With Vendor Risk, you can streamline your third-party risk assessment workflows, receive real-time security alerts about your vendors, and access all this information through a centralized dashboard. Vendor Risk also offers various advanced features to enhance your Risk Management capabilities.
- Security Questionnaires: Automate security questionnaires with workflows to get deeper insights into your vendors’ security and utilize templates (NIST, GDPR, HIPAA, etc.) and custom questionnaires for your specific needs
- Security Ratings: Instantly understand your vendors' security posture with our metric-driven, objective, and dynamic security ratings
- Risk Assessments: Let us guide you each step of the way, from gathering evidence and assessing risks to requesting remediation
- Monitoring Vendor Risk: Monitor your vendors daily and view the details to understand what risks are impacting a vendor’s security posture
- Reporting and Insights: UpGuard’s Reports Library makes it easier and faster for you to access tailor-made reports for different stakeholders
- Managed Third-Party Risks: Let our expert analysts manage your third-party risk management program and allocate your security resources