Singapore legislation
Section 47A
Relevant services obtained or received by bank in Singapore
(1) This section applies where a bank in Singapore obtains or receives any relevant service on or after 1 July 2021 from —
  (a) a branch or office of the bank (including its head office) that is located outside Singapore (called in this section its branch or office); or
  (b) any person.
(2) Before obtaining any relevant service from its branch or office, a bank in Singapore must —
  (a) take the steps specified by the Authority by written notice to the bank to evaluate the ability of the branch or office to perform any of the following:
    (i) to provide the relevant service;
    (ii) to ensure continuity of the relevant service;
    (iii) to safeguard the confidentiality and integrity of, and ensure the availability of, information of the bank related to the provision of the relevant service that is in the custody of the branch or office;
    (iv) to comply with written laws related to the provision of the relevant service;
    (v) to manage the legal, reputational, technological and operational risks to the branch or office related to the provision of the relevant service; and
  (b) implement policies and procedures by which the branch or office is to provide the relevant service, that satisfy requirements specified by the Authority by written notice to the bank.
(3) Requirements in subsection (2)(b) may include (but are not limited to) the following:
  (a) a requirement that the policies and procedures be recorded in writing;
  (b) a requirement that the policies and procedures provide that the branch or office must protect all customer information of the bank in Singapore against unauthorised disclosure, retention or use;
  (c) a requirement that the policies and procedures provide that the bank in Singapore or the Authority, or an auditor appointed by the bank in Singapore or the Authority, be allowed to audit the books of the branch or office for any of the purposes mentioned in subsection (10) at the times specified in the notice;
  (d) a requirement that the policies and procedures provide that the branch or office must, on a request by the bank in Singapore, provide to the bank or the Authority any record, document, information or report relating to the provision of the relevant service;
  (e) a requirement that the policies and procedures provide that the bank in Singapore must, should circumstances specified in the notice arise, stop receiving the relevant service from the branch or office;
  (f) a requirement that the policies and procedures provide that the branch or office must not arrange for the relevant service to be provided by another branch or office or sub‑contract the provision of the relevant service to any person, or may only so arrange or sub‑contract under conditions specified in the notice.
(4) Before obtaining any relevant service from any person, a bank in Singapore must —
  (a) take the steps specified by the Authority by written notice to the bank to evaluate the ability of the person to perform any of the following:
    (i) to provide the relevant service;
    (ii) to ensure continuity of the relevant service;
    (iii) to safeguard the confidentiality, integrity and availability of information related to the provision of the relevant service that is in the custody of the person;
    (iv) to comply with written laws related to the provision of the relevant service;
    (v) to manage the legal, reputational, technological and operational risks to the person related to the provision of the relevant service; and
  (b) enter into a contract with the person that satisfies requirements specified by the Authority by written notice to the bank.
(5) Requirements in subsection (4)(b) may include (but are not limited to) the following:
  (a) a requirement that the contract be in writing;
  (b) a requirement that the contract provides that the person must protect all customer information of the bank in Singapore against unauthorised disclosure, retention or use;
  (c) a requirement that the contract provides that the bank in Singapore or the Authority, or an auditor appointed by the bank in Singapore or the Authority, be allowed to audit the books of the person for any of the purposes mentioned in subsection (10) at the times specified in the notice;
  (d) a requirement that the contract provides that the person must, on a request by the bank in Singapore, provide to the bank or the Authority any record, document, information or report relating to the provision of the relevant service;
  (e) a requirement that the contract provides that the bank in Singapore may terminate the contract should circumstances specified in the notice arise;
  (f) a requirement that the contract provides that the person must not arrange for the relevant service to be provided by a branch or office or sub‑contract the provision of the relevant service to another person, or may only so arrange or sub‑contract under conditions specified in the notice.
(6) The Authority may, by written notice to a bank in Singapore that receives a relevant service from its branch or office, require the bank —
  (a) to take steps specified by the Authority to evaluate the ability of the branch or office to perform the acts mentioned in subsection (2)(a);
  (b) if the bank is required to implement policies and procedures that satisfy subsection (3)(c), to take reasonable steps to ensure that the books of the branch or office are audited for any of the purposes mentioned in subsection (10);
  (c) if the bank is required to implement policies and procedures that satisfy subsection (3)(d), to request the branch or office to provide to the bank or the Authority any record, document, information or report relating to the provision of the relevant service;
  (d) if the bank is required to implement policies and procedures that satisfy subsection (3)(e) and any of the circumstances specified in the notice mentioned in subsection (3)(e) have arisen —
    (i) to notify the Authority of the circumstances that have arisen; or
    (ii) to stop receiving the relevant service from the branch or office;
  (e) to establish measures to minimise any disruption to the operations of the bank in Singapore in the event the branch or office cannot adequately provide the relevant service to the bank in Singapore;
  (f) to implement the measures mentioned in paragraph (e) in the event the branch or office cannot adequately provide the relevant service to the bank in Singapore;
  (g) to develop and implement policies and procedures to manage, monitor and control any risk to the bank that may arise from receiving the relevant service from the branch or office;
  (h) to take reasonable steps to supervise and monitor the provision of the relevant service by the branch or office;
  (i) to record, in a list or register of relevant services received by the bank, the fact that the relevant service is received by the bank from the branch or office;
  (j) to implement measures that protect customer information of the bank disclosed to the branch or office against unauthorised disclosure, retention or use; or
  (k) to implement measures to ensure that the bank in Singapore, and the Authority (in accordance with this Act), have access to customer information and any record, document, information or report relating to the provision of the relevant service by the branch or office.
(7) The Authority may, by written notice to a bank in Singapore that receives a relevant service from another person, require the bank —
  (a) to take steps specified by the Authority to evaluate the ability of the person to perform the acts mentioned in subsection (4)(a);
  (b) if the contract provides for the matter mentioned in subsection (5)(c), to take reasonable steps to ensure that the books of the person are audited for any of the purposes mentioned in subsection (10);
  (c) if the contract provides for the matter mentioned in subsection (5)(d), to exercise its right to obtain any record, document, information or report relating to the provision of the relevant service from the person;
  (d) if the contract provides for the matter mentioned in subsection (5)(e) and any of the circumstances specified in the notice mentioned in subsection (5)(e) have arisen —
    (i) to notify the Authority of the circumstances that have arisen; or
    (ii) to exercise its right to terminate the contract;
  (e) to establish measures to minimise any disruption to the operations of the bank in Singapore in the event the person cannot adequately provide the relevant service to the bank in Singapore;
  (f) to implement the measures mentioned in paragraph (e) in the event the person cannot adequately provide the relevant service to the bank in Singapore;
  (g) to develop and implement policies and procedures to manage, monitor and control any risk to the bank that may arise from receiving the relevant service from the person;
  (h) to take reasonable steps to supervise and monitor the provision of the relevant service by the person;
  (i) to record, in a list or register of relevant services received by the bank, the fact that the relevant service is received by the bank from the person;
  (j) to implement measures that protect customer information of the bank disclosed to the person against unauthorised disclosure, retention or use; or
  (k) to implement measures to ensure that the bank in Singapore, and the Authority (in accordance with this Act), have access to customer information and any record, document, information or report relating to the provision of the relevant service by the person.
(8) Notices for the purposes of subsections (2), (4), (6) and (7) —
  (a) may impose requirements on a bank in Singapore or a class of banks in Singapore;
  (b) may impose different requirements on different banks in Singapore or different classes of banks in Singapore; and
  (c) may impose different requirements in relation to different types of relevant services.
(9) In specifying any requirement in a notice under subsection (2), (4), (6) or (7) to a bank in Singapore or class of banks in Singapore, the Authority must have regard to —
  (a) the risk arising from the activities of the bank or class of banks; and
  (b) the systemic impact of the bank or class of banks on the financial sector.
(10) The purposes of an audit mentioned in subsections (3)(c), (5)(c), (6)(b) and (7)(b) are the following:
  (a) determining whether the branch or office, or person, is properly providing the relevant service;
  (b) assessing —
    (i) the ability of the branch or office, or person —
      (A) to ensure continuity of the relevant service;
      (B) to safeguard the confidentiality, integrity and availability of information related to the provision of the relevant service in the custody of the branch or office, or person; and
      (C) to manage its legal, reputational, technological and operational risks arising from the provision of the relevant service; and
    (ii) the level of compliance of the branch or office, or person, with written laws related to the provision of the relevant service.
(11) Any bank in Singapore which contravenes subsection (2) or (4) or any requirement imposed by a notice under subsection (6) or (7) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $250,000 and, in the case of a continuing offence, to a further fine not exceeding $25,000 for every day or part of a day during which the offence continues after conviction.
(12) In this section, “relevant service”, in relation to a bank in Singapore, means any service obtained or received by the bank, other than a service provided in the course of employment by an employee of the bank or a service provided by a director or an officer of the bank in the course of the director’s or officer’s appointment, and does not include any service specified by the Authority by written notice.