FinTech Service Provider Compliance Readiness Framework

In an effort to promote sustainable outsourcing relationships between Financial Institutions (“FIs”) and FinTech Service Providers (“FSPs”), the Singapore FinTech Association (SFA) with support from PwC, has undertaken a phased approach to enhancing the compliance maturity of FinTechs by establishing the Fintech Service Providers (“FSP”) Compliance Readiness Framework.

This initiative is part of the S$125 million support package announced by the Monetary Authority of Singapore (“MAS”) on 8th April 2020, for the financial services and FinTech sectors to deal with the immediate challenges arising from COVID-19 and to better position the sectors for stronger growth and recovery.

Digital self-assessment tool

The digital self-assessment accompanying the FSP Compliance Readiness Framework will allow FSPs to assess the maturity of their control environment against the minimum compliance requirements needed to operate within the FI industry, and to address the compliance gaps identified through the self-assessment.

FIs would be able to use the results of the self-assessment performed by FSPs as part of their vendor due diligence and perform onboarding of these FSPs with the condition that they resolve any gaps identified and eventually obtain a third-party assurance report over their controls.

The framework and the accompanying digital self-assessment draw references from the Outsourced Service Provider Audit Report (“OSPAR”), the MAS Technology Risk Management (“TRM”) Consultation Paper and the MAS Cyber Hygiene Notice, to create a set of minimum base requirements that the FSPs are expected to comply with. The framework and the digital self-assessment have been streamlined to take into consideration the FSP’s scale, operating model and their gradually evolving ability to eventually comply with the OSPAR, TRM and MAS Cyber Hygiene Notice requirements.

Industry issues

Based on the MAS Outsourcing Guidelines, FIs are expected to adopt their own approach/self-assessment to manage the risk arising from outsourcing arrangements with FSPs and be fully aware of any residual risks.

While FinTechs which are licensed under MAS are required to comply with the guidelines, those which are not are still expected to comply with the guidelines in order to aid the FIs with their outsourcing needs.

Regardless of their license status, FinTechs may face challenges in meeting compliance requirements due to their level of maturity, as some requirements are easier for a matured Fintech to attain compared to a new entrant. The framework and the digital self-assessment will help to alleviate some of these regulatory compliance issues by acting as the minimum baseline requirement for FSPs to assess the gaps in their existing control environment and provide guidance on areas for improvement.

In Singapore, about 80% of FinTech companies offer technological solutions to FIs. As such, there is a need for these FinTechs to adopt an efficient approach to demonstrate their compliance levels to FIs while maintaining a baseline level of governance, rigor and consistency over their activities.

With the completion of the digital self-assessment, FSPs will be able to provide a first level of assurance, in a clear and concise manner, on how robustly they comply with regulatory requirements and on the overall quality of their solutions. This can help enhance the FIs’ confidence in partnering with the FSPs.

“Over the last few years, technology risk management is a key area that financial institutions look at when working with FinTechs. However, many existing frameworks for technology evaluation are suited toward more mature service providers. This new FSP Compliance Readiness Framework and the Digital Self-Assessment will provide an early indicator of where the FinTechs’ control environment stands when it comes to technology risk.”

Wong Wanyi, FinTech Leader, PwC Singapore

Frequently asked questions (for FSPs)

How do I complete the self-assessment?

The digital self-assessment is only available to existing SFA members.


How do I determine if a section is applicable to my organisation?

Applicability of a section will depend on the nature of the service you provide to FIs.

For example, the 'Physical Security' section will be deemed not applicable if the FSP does not host data within its own premises because it uses either a cloud service provider or a data centre colocation service provider. In such cases, the questions in that section should be answered 'N/A'.

What do I get after completing the digital self-assessment? How often should I perform this digital self-assessment?

Once you have completed the self-assessment, a report will be made available to your organisation showing the maturity level of the internal controls of your organisation.

This self-assessment can be performed anytime to help you understand the maturity of your company’s existing control environment. Once you have improved or strengthened your control environment, you may return to reperform the self-assessment.

How does the digital self-assessment ultimately increase FIs’ confidence to work with me?

By doing the self-assessment, your organisation is able to benchmark its control environment against the minimum baseline requirements. From the resulting report, FIs will be able to gain an understanding of where your organisation stands and assess accordingly.

Can I use my self-assessment results instead of engaging an independent auditor?

The results can be utilised in two ways. Firstly, the results attained will have the common industry practice stated which your organisation can consider implementing to enhance your control maturity. Secondly, the results can be used by your organisation to engage in a constructive partnership with FIs. These results are an indicator of your organisation’s current compliance maturity and can serve as a consideration for FI’s due diligence.

While this is a good first step for your organisation, FIs will typically expect you to subsequently obtain assurance from an independent auditor.

How can I transition from this initial phase of self-assessment to the next phase?

Once you are confident that you have achieved all the basic requirements set out in the FSP Compliance Readiness Framework, you can proceed to engage an independent auditor to perform a review of the self-assessment as well as your compliance to the FSP Compliance Readiness Framework or other relevant frameworks/guidelines such as OSPAR and SOC2.

Moving Forward

Is it compulsory for FSPs to have their technology assessed for compliance with the framework by an independent third party (e.g. PwC)?

  • It is not compulsory for FSPs to have their technology solution assessed for compliance with the framework by an independent third party (e.g. PwC). However, having an independent third party assess your compliance with the framework would provide FIs with more assurance and comfort over your control environment. This can also act as a differentiator for you when engaging FIs for partnerships.

Would this digital self-assessment be able to replace the need to obtain an independent auditor’s opinion (e.g. ISAE3402, OSPAR, SOC 2)?

  • This digital self-assessment will not replace an independent auditor's opinion (e.g. ISAE3402, OSPAR, SOC 2). The objective of the self-assessment is to allow your organisation to identify the maturity of your existing control environment and compare that against the minimum compliance requirements. Demonstrating compliance to the self-assessment will also enhance the FIs’ confidence level when partnering with FinTechs.

    However, this does not provide assurance over your organisation's controls. FIs are mandated to comply with MAS regulations such as the outsourcing requirements, under which an independent audit or expert assessment is required on all outsourcing arrangements, including those with FinTechs.

How we can help you

Advise on the framework requirements, review of your self-assessment responses and provide feedback on how to address gaps

Perform agreed-upon procedures/independent attestation of your control environment against the FSP Compliance Readiness Framework and provide feedback on how to address the gaps

Perform readiness assessment/agreed-upon procedures/independent attestation of your control environment against the OSPAR/SOC2 requirements


Contact us

Wong Wanyi

FinTech Leader, PwC Singapore

Tel: +65 9842 2060

Anthony Dias

Partner, Digital Audit and Assurance, PwC Singapore

Tel: +65 9731 1450