
Marc P. Mealy
Vice President - Policy
US-ASEAN Business Council
1101 17th Street, NW
Suite 411
Washington, DC 20036
Tel +1 (202) 416-6707
Fax +1 (202) 289-0519
[email protected]

November 10, 2017

Madelena binti Mohamad
Jabatan Dasar Kewangan Pruden,
Bank Negara Malaysia,
Jalan Dato' Onn,
50480 Kuala Lumpur

RE: Exposure Draft on Outsourcing - Feedback

Dear Ms. Madelena,

Thank you for the opportunity to comment on Bank Negara Malaysia’s (BNM) Exposure Draft on Outsourcing and for generously extending the deadline for our submission. We have appreciated BNM’s engagement with the private sector as it develops policy for a changing financial services industry. The digitalization of the financial sector creates many new opportunities for improving market efficiency and consumer access, but at the same time we understand that the new business processes and products in both the western and Islamic financial services sectors mean that BNM and other institutions have new challenges to confront. We appreciate that BNM took private sector input into account when developing its Fintech Sandbox Framework in 2016 and we hope that our comments on the discussion paper were useful as BNM took these important steps to facilitate innovation.

Our members are pleased to see the outsourcing regulations move forward. The completion of these regulations, which the Council has previously requested the acceleration of, will be critical to helping financial institutions in Malaysia upgrade their technology, compete in the 21st century, and provide better and lower cost products to their customers, as well as providing increased investment certainty.

However, we are also concerned that the regulations will lead to greater restriction of outsourcing and limit the competitiveness of financial institutions in Malaysia, without the corresponding improvements in the values we know BNM places on the promotion of resilience and stability in the financial sector.

We hope that the financial industry can work with BNM further to find ways to address concerns about risk management, recovery, and resolution plans that do not reduce the efficiency and competitiveness of investors and firms in Malaysia's financial sector. You may find our detailed comments on the Exposure Draft and responses to your specific questions on the following pages.

Our members are committed to taking part in the development of 21st century digital finance platforms in Malaysia and look forward to continuing to work with you and the rest of BNM. Emma Tabatabai, our Associate in Kuala Lumpur, will be happy to work with your staff to discuss further details and provide additional information. Ms. Tabatabai can be reached at [email protected] or via telephone at 3-2615-7975.

Sincerely,

Marc P. Mealy

cc: The Honorable Kamala Shirin Lakhdhir, Ambassador of the United States to Malaysia
His Excellency Tan Sri Dr Zulhasnan Rafique, Ambassador of Malaysia to the United States


GENERAL COMMENTS

For fintech companies and established financial institutions to invest in Malaysia and to deploy and test new services, we believe it to be in BNM’s best interest to complete these guidelines as soon as practicable and to design them in a way that keeps costs low, provides the best quality services, and enables international competition. The Council would welcome the opportunity to provide our expertise where appropriate. The Council is also interested in learning if BNM plans to apply any new transitional arrangements until the guidelines are fully implemented, so that the financial industry is not needlessly disrupted.

It would be useful to consider how other regulators in Asia have approached the issue. The Australian Prudential Regulation Authority’s (APRA) Prudential Standard CPS 231 on Outsourcing, the Monetary Authority of Singapore’s 2016 Guidelines on Outsourcing and the Bank of Thailand’s 2017 Regulations on IT Outsourcing for Business Operations of Financial Institutions are examples of relatively strong systems. These regulations provide modern risk management frameworks that allow financial services companies to keep their data management systems up to date while also providing the regulators with the ability to monitor and enforce necessary risk management procedures.

The following pages review the Exposure Draft section by section and answer BNM’s specific questions where appropriate. Broadly, should these Guidelines be implemented in their current form, the Council is concerned the Guidelines would significantly limit the ability of financial institutions to outsource or offshore functions, even when proper risk management standards are met. The Council strongly encourages BNM to consider applying the regulations only to material services via a risk-based approach and to transparently define the standards, timeline, and process for approval of outsourcing arrangements (or to switch to a notification regime).

Financial services companies and fintech startups leverage cloud services and other IT outsourcing systems both as a cost-effective method for rapidly deploying new technology and to ensure superior resiliency, security, and scalability beyond the capabilities a company can build for itself. Implicit in the value proposition of cloud services is the scale that comes from providing services to many clients. The capabilities offered by international offshore service providers especially cannot be matched by smaller cloud service providers at competitive prices. Local clouds may also be less secure, have connectivity issues, or provide fewer features. To reap the greatest benefit from the use of such services, many companies will want to use an offshore service provider. This is particularly important for fintech companies in the startup stage, when keeping costs low is important. In the absence of the possibility of using the cloud in Malaysia, it is unlikely that financial institutions or fintech companies will be able to fully participate in BNM’s new sandbox initiative, given the more permissive regulatory climates in other jurisdictions.

A more flexible approach to outsourcing would lower costs for financial services and fintech companies operating in Malaysia and support the internationalization of Malaysian start-ups. More flexible guidelines would also provide firms with the clarity and certainty they need to make decisions about investments in fintech and IT in Malaysia.

A regulatory regime that encourages localization or otherwise prevents services from being handled in the most efficient way possible can also lead to other unintended consequences and operational risks. Cybersecurity risks and additional operational costs are two issues that stand out. Firms are able to maintain strong cyber security defense strategies because they use strategic regional and global locations with specialized resources. However, this approach is only effective if data can be moved to the relevant parties and locations.

Significant costs could also be incurred by financial services companies that are subject to overly strict limitations on outsourcing and offshoring. In addition to the increased capital investment required to comply with managing such systems in house, additional time and expenses would be incurred to hire and train the staff that would be needed to manage these systems, the deployment of new products could be delayed since they will have to be set up on isolated systems, local business units’ ability to leverage their parent companies’ economies of scale will be limited, and money laundering risks could be heightened or enforcement costs raised if monitoring systems are forced to be built separately.


PART A: OVERVIEW

General Comments:

Definition of customer information: The Council recommends that for the purpose of these guidelines, the definition of customer information be changed to exclude data that is “anonymized or encrypted in a secure manner such that the identities of the customers cannot be readily inferred” in addition to the exclusion for publicly available information. It is also recommended that the definition be amended to clarify that records should be material.

Question 1: Please list the arrangements that the Bank should consider to scope out from this policy document.

Financial institutions procure different types of outsourcing services, including some that are considered immaterial to core banking infrastructure. Material activities, those that are particular to or core to the provision of financial services and basic banking services and are inherent to the provision of financial services, should be those outsourcing arrangements that are addressed by the outsourcing policy. Using a materiality threshold would be consistent with the approach taken by regulators across jurisdictions. For example, in the U.K., the Financial Conduct Authority only regulates those outsourcing arrangements which are “critical or important”. The APRA Prudential Standard 231 only applies to the outsourcing of a “material business activity.” The MAS elected to apply a materiality threshold and specifically relate information handling to “customer information.”

To this end (and in addition to the functions we recommend be scoped out below), we suggest using a more specific definition of outsourcing that incorporates the principles of a materiality threshold. We note BNM’s definition of outsourcing arrangement as “an arrangement in which a service provider performs an activity on behalf of a financial institution on a continuing basis, where the activity is normally or could be taken by the financial institution.” A more targeted definition that focuses on critical services would help scope the policy. The Council suggests that BNM add to its definition, “where disruption in the conduct of those activities may reasonably be anticipated to impact provision of basic banking activities to existing customers of that registered bank.”

The Council recommends that BNM develop a whitelist of specific services that would be immaterial and therefore unnecessary to supervise. Financial institutions rightly will wish to be seen to be prudent and conservative in interpreting and applying the Policy, and unless an activity is clearly excluded, financial institutions are likely to regard that activity as included. The white list will likely be applied by financial institutions as an exhaustive list: that is, financial institutions will as a matter of prudence assume that any activity which is not expressly whitelisted is a relevantly regulated outsourcing arrangement. BNM should therefore be as thorough as possible in defining these lists of immaterial services.

BNM should also distinguish between control and possession of data, with its focus on parties that exercise control. Control of data is a distinct concept from possession of data. It revolves around the ability of a party (the data controller) to exercise stewardship over data, to be confident that the data is up-to-date and to access or recover that data if the primary data repository is not available for any reason. The focus should be on whether the bank has appropriate contractual assurance as to these matters from a suitably reliable counter-party. Many businesses now depend upon third party data warehouses or data custodians to better assure availability of data, noting that tier one data warehouses generally provide a higher level of data security and reliability of infrastructure services than is readily available to even large businesses in respect of their in-house data management functions.

The following are services and arrangements the Council believes should be scoped out or whitelisted for immateriality:

1. Customer Relationship Management (CRM) systems: Provision of CRM systems for use by financial institutions specifically to record and manage details of their third-party suppliers (and not being a primary record of details about existing customers of the bank’s basic banking activities), should be scoped out. The banking system is not relevantly dependent upon this service. Accordingly, provision of a CRM system is not integral to the provision of a financial service or a “basic banking service” (other than where a bank is using a CRM system as its primary record of details about existing customers of the bank’s basic banking activities).
2. Back-up services: Requirements for a robust back-up arrangement should only apply to critical functions, otherwise there would be massive cost implications for both financial institutions and service providers if the requirements cover non-critical functions.
3. Customer information that is encrypted securely, anonymized, or aggregated such that the identities cannot be readily inferred.
4. Group reporting/oversight functions (and any data that supports such function) where the group/affiliates are regulated entities by an authority equivalent to BNM.
5. Services provided by affiliate entities that are regulated and supervised by an authority equivalent to BNM.
6. Risk and control functions set up by the financial institutions’ group.
7. Ad hoc load balancing activities supported by affiliate entities due to unexpected manpower shortages.
8. Internal employee support such as system access administrators and technology and application support helpdesks.
9. Internal and external legal advice.
10. Data discovery services for litigation or potential litigation cases.
11. Technology infrastructure/components that do not have end user business access.
12. Centralized Functions without access to customer data.
13. Individual technology applications.
14. Cyber Security and Intelligence Services.


PART B: POLICY REQUIREMENTS

Paragraph 8: Responsibilities of the board and senior management

Question 2: Please detail out specific challenges your institution may face in meeting the requirements in paragraph 8.

a. The mandate that the Board itself must review all outsourcing arrangements (8.3) would consume significant company resources and management time while adding little value to the reviews that would have already been conducted by the relevant internal offices. At the same time, as Boards do not typically meet daily, this would delay the processing of the outsourcing arrangement and has the potential to significantly increase compliance costs. The Council recommends BNM allow other groups within company management, as decided by the Board, to review agreements instead.

b. In 8.6, the Council recommends instead that BNM should allow financial institutions to rely on the assessments of service providers’ own external auditors, provided those auditors meet the standards of the Outsourcing Guidelines.

c. In 8.7, the Council recommends that the mandate for annual assessments be modified to allow a more efficient and focused risk-based approach. The recommended text would say “assess the effectiveness of the management of material outsourcing risk.” An annual and thorough review of all outsourced services, even those with low risk, would be more onerous than current industry practice.

Paragraph 9: Risk management

Assessment of Service Provider

General Comments:

• 9.3: The Council proposes exempting affiliate service providers from this due diligence requirement, as they are already known and monitored by the parent company through its own frameworks and risks are relatively low.

• 9.6: The Council proposes exempting affiliate service providers from the need for due-diligence to be conducted by a non-affiliate. The financial institution should be allowed to rely on the assessment performed centrally by the group for its own affiliates.

Question 3: (a) Please describe the due diligence process currently undertaken, including the considerations applied, in considering a new outsourcing arrangement as well as for the renewal or renegotiation of an existing arrangement.

Council members typically use a risk-based approach for third party outsourcing risk management and assessments performed by the company group for services provided by affiliate entities.

(b) Where there are differences in due diligence process applied to a new and an existing arrangement, what are the operational challenges that may arise in adopting similar due diligence process for both potential and existing service providers?


The proposed due diligence requirements would be especially onerous for existing service providers, as they are not typically reviewed in the same way as potential new contracts. The Council additionally recommends that for potential or existing services provided by affiliates within the group, the financial institution should be allowed to rely on the assessment performed centrally by the group.

Outsourcing Agreement

General comments:

The Council recommends that BNM endorse risk-based approaches in 9.9 where measurable performance standards are specifically included in the contracts that have higher risk weightings.

Regarding the extensive service provider auditing requirements in sections 9.10, 9.14, and 9.16, Council members who provide outsourcing services believe that these requirements would be overly burdensome and threaten the confidentiality of company and customer information in some situations. Data infrastructure, especially cloud services, is often in a multi-tenant environment and customer trust and data security would be eroded if specific companies had the right to enter the facilities and review their contents and data. The Council recommends instead that BNM should consider these varying business models and security concerns to allow financial institutions to rely on the assessments of service providers’ own external auditors (provided those auditors meet the standards of the Outsourcing Guidelines), allow financial institutions narrow access to just their own logs and data, and to qualify that access should only be granted to outside groups where practicable.

These access requirements are further complicated by business models that involve data hosted on other platform providers. If BNM does require access to data infrastructure in some form, it will have to make allowances for situations where the site that needs to be inspected does not belong to the original service provider.

The Council also requests additional clarification of what information would need to be shared in 9.10’s summary of business continuity test results, as this information is normally treated as highly confidential.

9.16 (c) would be additionally problematic because it would allow BNM to unilaterally circumvent the existing approved contracts and potentially disrupt critical services without proper coordination. 9.16 (c) should at the least be amended to involve the contracting financial institution in the intervention.

In 9.13 (d), the Council requests further clarification of the timeline and procedures required for breach notifications.

In 9.15, the financial institutions are not always able to impose conditions on sub-contractors, as they are not party to the original agreement. Instead, the Council recommends that outsourcing agreements should simply mandate that the terms agreed to by the service providers should also apply to their sub-contractors. It is common for business service providers to contract data management to sub-contractors that specialize in it.

Question 4: (a) Please identify any potential operational challenges in implementing the requirement in paragraph 9.8.

The Council recommends the removal of 9.8 (c) as it places unnecessary costs on the review process and the terms of the contracts are already defined in the Outsourcing Guidelines. It would be standard practice for financial institutions to use a standard contract template, cleared by its legal teams and in compliance with relevant reporting requirements, that incorporates the relevant sections of the Outsourcing Guidelines. Instead of the legal advisory, BNM may wish to request an affirmation of compliance (without the need for a legal opinion) with the Outsourcing Guidelines.

(b) The Bank is also considering specifying a maximum period for outsourcing agreements (i.e. 3 years). Do you agree with the proposal and the proposed duration?

The Council proposes setting a longer duration, such as five years or longer, or no duration at all. For services provided by regulated and supervised affiliate entities, the Council especially recommends setting no time bound at all. Some current contracts may also have durations that are already set for longer than the time period that BNM envisions and the Council requests that BNM take these contracts into account. Service providers may have to invest in infrastructure, hardware, software, etc. to meet the needs of a contract. If the service providers cannot enter agreements that are long enough to recover these costs, they may be deterred from entering outsourcing arrangements or charge higher fees to the financial institutions.

Protection of data confidentiality

General comments:

In 9.18 (c), the Council requests further clarification from BNM on the definition of physically or logically segregated. The Council proposes BNM distinguishes control requirements for affiliates within the group from true third-party providers and that the mandate for data to be physically or logically separated should only apply so far as it is practicable.

In 9.18 (d), the Council requests that the mandate for confidentiality be clarified so that obligations can cease if data is returned or destroyed.

In 9.18 (e), the Council proposes that the text should be amended to say, “information shared with a service provider is returned to the financial institution, deleted or otherwise rendered unusable on a timely and secure basis, and no longer resides with the service provider once the outsourcing arrangement ceases or is terminated,” in order to give parties greater flexibility.

Question 5: Please describe measures taken by your institution to ensure that the service provider observes the confidentiality requirements, in particular once the outsourcing arrangement ceases or is terminated.

N/A, as submitter is an industry association.

Business continuity management

General Comments

In 9.20, alternative arrangements (like services being performed by a different part of the financial institution’s group) should be allowed in BCPs rather than a strict mandate for bringing back the functions to the financial institutions. The Council recommends dropping the phrase “by itself” to allow greater flexibility in responses.


In 9.21, the Council recommends removing the phrases “has in possession” and “to allow it to operate,” as these imply that this arrangement would need to be performed by financial institutions themselves and that they retain duplicates of all outsourced data processes.

The Council recommends 9.22 be changed to require that service provider BCPs satisfy their customers’ general requirements instead of the current language requiring that they have alignment with the BCPs of specific customers. Service providers often provide services to multiple clients and their BCPs are designed to broadly satisfy the BCP needs of all their customers.

In 9.23, the Council recommends that the mandate for financial institutions to participate in BCP tests where possible should be dropped because it would present practical challenges. Instead, BNM should mandate that financial institutions should have access to the results of the BCP tests.

Question 6: Please describe your institution’s current practice on BCP testing with the service provider, including the frequency of testing.

Council members typically use a risk-based approach for managing outsourcing risk with controls appropriate for the level of inherent risk in the agreement. Group policies separately guide BCP testing when the services are provided by affiliate entities.


PART C: REGULATORY PROCESS

Paragraph 10: Approval for outsourcing arrangement

Regarding 10.2, the Council’s preferred method of supervision is to require notification to BNM of outsourcing decisions instead of filing requests for approval. The notification would then be followed by prudent supervision and controls. This method allows companies to invest and innovate at a faster rate with less expense, while still leaving room for regulatory oversight. Notification regimes are common among regulators of other ASEAN countries and the wider world. BNM could also consider a materiality threshold, where only certain highly material outsourcing agreements need prior approval while less material ones only require notification.

If an advance approval process is used, it is important that it be fast and transparent so that it does not disrupt business operations or prevent the proper upgrading of outdated infrastructure. The Council proposes that BNM publish detailed schedules, timelines, and performance targets for the approval process.

Additionally, for Section 10.2, where BNM’s prior written approval is not required because the outsourced activity is to be performed by the parent company which is a financial institution, the Council recommends the exception be expanded to include associates of the parent company and the definition of financial institution to include licensed foreign financial institutions. This will allow companies flexibility to outsource to associates of their parent company as well as to outsource to licensed foreign financial institutions when the financial institution is a foreign owned entity. Since every outsourcing arrangement will be subjected to the policy requirements in Part B, there is no need for any distinction between outsourcing locally and abroad.

Section 10.3 appears to apply to licensed on-shore financial institutions but not to locally incorporated licensed foreign financial institutions. The Council requests that the provisions be made more fair and flexible by explicitly including outsourcing activities to foreign affiliates providing support to locally incorporated licensed foreign financial institutions.

The Council requests that 10.5 be expanded to clarify the standards that BNM will use to judge outsourcing arrangements. The existing language appears to imply that the requirements set out in Part B are not the only requirements that must be met, but it does not describe any other standards.

Paragraph 11: Submission of information

General comments:

Regarding 11.1 (b), the Council requests clarification of the expected source of the legal advice required in 11.1 (b). Would this opinion come from the financial institutions’ own internal counsel or an external law firm? As a more efficient alternative, BNM should also consider simply providing mandatory standard clauses which are to be adopted in outsourcing agreements.

The Council believes that some of the information required is more detailed than necessary or not possible to obtain due to privacy concerns (for example, 11.1, (c), (iii), C) and business confidentiality (11.1, (i)). These requirements would be especially difficult to satisfy for cloud-based data services, which are not tied to specific locations or staff. The Council requests that BNM clarify why it needs this information so that it can work with the business community to find practical alternatives.


Further regarding 11.1, (c), (iii), C, the provision of inter-company charges as defined in the outsourcing contract would likely be more useful and practical than details of specific employee remuneration.

Regarding 11.1 (h), the Council requests further clarification on the definition of “end-to-end outsourcing.”

The Council proposes 11.2 be extended to also exempt subsidiaries of a financial institution.


PART D: TRANSITIONAL ARRANGEMENTS

Paragraph 12: Transitional arrangements

General comments:

The Council requests additional detail on how the transition process for existing outsourcing arrangements will be conducted and the timeline for doing so, as these details are not currently disclosed in the Guidelines. This would include a timeline for review that targets completing the reviews in a timely manner. The Council also recommends that this includes clarification that the decisions regarding the transitions will be based on the criteria written in the Guidelines and to clearly define in Paragraph 12 any additional criteria that may be applied. The Council also requests that BNM includes a general transition period to comply with the Guidelines, in addition to the transition periods for existing agreements.

APPENDIX 4: INFORMATION REQUIREMENTS FOR EXISTING OUTSOURCING ARRANGEMENTS

The Council requests that the language in the column “Location from where service(s) is provided (including location of data center)” be broadened so that it may account for cloud-based systems and other services that rely on larger networks of data centers.