Singapore: New Requirements For Singapore Banks To Include Provisions In Service Contracts On Protection Of Customer Data

On 4 November 2019, Singapore's Parliament published a draft amendment to the Banking Act.

Under the amendment, all banks will be required to evaluate the ability of their service providers (whether these be a branch or office, or an external party) to:

(a) safeguard the confidentiality and integrity, and ensure the availability, of the banks' information; and

(b) protect all customer information against unauthorised disclosure, retention, or use.

Where the service provider is a branch or office of the bank, specific provisions covering the above must be included in the branch or office's policies and procedures.

Where the service provider is an external party, however, then the relevant provisions must be included in the contract between the bank and the provider.

Such policies and procedures, or contract, as the case may be, must also confer on the bank, the regulator (the Monetary Authority of Singapore or MAS), or an auditor appointed by the bank, the right to audit the books of the service provider to ensure that the above requirements have been complied with.

By serving a written notice, MAS may also require a bank to implement measures to ensure that:

(a) customer information disclosed to its service provider is protected against unauthorised disclosure, retention, or use; and

(b) the bank and MAS have access to customer information and any record or information relating to the service provider's provision of services to the bank.

Any bank that contravenes the relevant requirements could be found guilty of an offence and liable to a fine of up to SGD 250,000 and if the offence is continuing, to a further fine of up to SGD 25,000 per day for as long as the offence continues.

Comment

Ensuring that customer information is protected is now not only a mandatory obligation imposed on regulated financial institutions pursuant to Singapore's underlying personal data protection law, but must also be incorporated into specific clauses of these institutions' contracts with their service providers. While it remains to be seen whether other regulated sectors in Singapore will adopt similar requirements in due course, it is imperative that banks review thoroughly all of their outsourcing and service agreements, including any intercompany contracts, to ensure that they will be fully compliant with the new law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.