In an effort to promote sustainable outsourcing relationships between Financial Institutions (“FIs”) and FinTech Service Providers (“FSPs”), the Singapore FinTech Association (SFA) with support from PwC, has undertaken a phased approach to enhancing the compliance maturity of FinTechs by establishing the Fintech Service Providers (“FSP”) Compliance Readiness Framework.
This initiative is part of the S$125 million support package announced by the Monetary Authority of Singapore (“MAS”) on 8th April 2020, for the financial services and FinTech sectors to deal with the immediate challenges arising from COVID-19 and to better position the sectors for stronger growth and recovery.
The digital self-assessment accompanying the FSP Compliance Readiness Framework will allow FSPs to assess the maturity of their control environment against the minimum compliance requirements needed to operate within the FI industry, and to address the compliance gaps identified through the self-assessment.
FIs would be able to use the results of the self-assessment performed by FSPs as part of their vendor due diligence and perform onboarding of these FSPs with the condition that they resolve any gaps identified and eventually obtain a third-party assurance report over their controls.
The framework and the accompanying digital self-assessment draw references from the Outsourced Service Provider Audit Report (“OSPAR”), the MAS Technology Risk Management (“TRM”) Consultation Paper and the MAS Cyber Hygiene Notice, to create a set of minimum base requirements that the FSPs are expected to comply with. The framework and the digital self-assessment have been streamlined to take into consideration the FSP’s scale, operating model and their gradually evolving ability to eventually comply with the OSPAR, TRM and MAS Cyber Hygiene Notice requirements.
Based on the MAS Outsourcing Guidelines, FIs are expected to adopt their own approach/self-assessment to manage the risk arising from outsourcing arrangements with FSPs and be fully aware of any residual risks.
While FinTechs which are licensed under MAS are required to comply with the guidelines, those which are not are still expected to comply with the guidelines in order to aid the FIs with their outsourcing needs.
Regardless of their license status, FinTechs may face challenges in meeting compliance requirements due to their level of maturity, as some requirements are easier for a matured Fintech to attain compared to a new entrant. The framework and the digital self-assessment will help to alleviate some of these regulatory compliance issues by acting as the minimum baseline requirement for FSPs to assess the gaps in their existing control environment and provide guidance on areas for improvement.
In Singapore, about 80% of FinTech companies offer technological solutions to FIs. As such, there is a need for these FinTechs to adopt an efficient approach to demonstrate their compliance levels to FIs while maintaining a baseline level of governance, rigor and consistency over their activities.
With the completion of the digital self-assessment, FSPs will be able to provide a first-level of assurance on how robust they are in terms of complying with regulatory requirements in a clear and concise manner and the overall quality of their solutions. This can help enhance the FIs’ confidence in partnering with the FSPs.
“Over the last few years, technology risk management is a key area that financial institutions look at when working with FinTechs. However, many existing frameworks for technology evaluation are suited toward more mature service providers. This new FSP Compliance Readiness Framework and the Digitial Self-Assessment will provide an early indicator of where the FinTechs’ control environment stands when it comes to technology risk.”
The digital self-assessment is only available to existing SFA members.
Is it compulsory for FSPs to have their technology to be assessed for compliance with the framework by an independent third party (eg. PwC)?
Would this digital self-assessment be able to replace the need to obtain an independent auditor’s opinion (e.g. ISAE3402, OSPAR, SOC 2)?
Advise on the framework requirements, review of your self-assessment responses and provide feedback on how to address gaps
Perform agreed-upon procedures/independent attestation of your control environment against the FSP Compliance Readiness Framework and provide feedback on how to address the gaps
Perform readiness assessment/agreed-upon procedures/independent attestation of your control environment against the OSPAR/SOC2 requirements
Asia Pacific CEOs are showing increased confidence in economic prospects and their business viability. While there has been notable progress in business transformation, many leaders remain hesitant to take bold actions.
This report summarises discussion points from the JFF 2024 roundtable along with five key actions for financial institutions’ consideration.
Amid growing headwinds, doing deals in Asia Pacific has become more complex. Our latest report reveals that dealmakers are under more pressure than ever before to deliver value in disruption but plenty of opportunities exist to generate premiums. It is clear that a new approach is needed - a comprehensive and disciplined value-creation lens that is embedded across the entire corporate lifecycle and linked to strategy.
