What's new and what is the best option?
This paper discusses the latest developments affecting outsourcing and considers the incentive schemes available in the region.
New developments
The Monetary of Singapore (MAS) announced new Guidelines On Outsourcing on 27 July 2016 that are applicable to "financial institutions", such as MAS-regulated banks, insurers and insurance brokers.
The key points are:
All existing outsourcing arrangements are captured. A self-assessment against the Guidelines is required by 27 October 2016. Any deficiencies identified need to be corrected by 27 July 2017.
Where the MAS is not satisfied by an institution’s observance of the Guidelines, it can require remedial measures to be taken. Under certain circumstances, the MAS can require an institution to re-integrate its outsourced services.
The previous requirement to notify the MAS of plans to enter, or entry into, outsourcing arrangements has been removed. Instead, a register of outsourcing arrangements must be maintained in a prescribed form (in Annex 3 to the Guidelines), to be submitted at least annually to the MAS and otherwise upon request.
The definition of what amounts to a “material outsourcing arrangement” has changed, and now includes arrangements which “involve customer information and, in the event of any unauthorised access or disclosure, loss or theft of customer information, may have a material impact on an institution’s customers”.
Additional supervision and control is required for outsourcing arrangements that are ‘material’. These include rights for the MAS to directly inspect and audit the performance of the service provider, and a requirement for compliance reviews on all such outsourcing arrangements to be conducted at least annually. The Guidelines also stress that material outsourcing overseas should not hinder MAS efforts to supervise the institution.
Cloud computing services offered by service providers are now considered a form of outsourcing and are subject to these Guidelines.
Any adverse developments arising from outsourcing that could “impact the institution” must be reported to the MAS. These include any event that could potentially lead to prolonged service failure or disruption in the outsourcing arrangement, or any breach of security and confidentiality of the institution’s customer information.
The Board and senior management of the institution are charged with establishing and implementing a risk management framework for outsourcing. This includes a method of assessing the materiality of the outsourcing arrangements.
A rigorous & periodic due diligence assessment on the service provider is required, which also extends to its staff who will undertake the outsourced service. Independent audits and/or expert assessments on the service provider are also required, and the reports must be submitted to the MAS.
The engagement must be supported by a written outsource agreement with certain prescribed conditions.
Additional assessments are required for outsourcing internal audit functions, to ensure the service provider is sufficiently independent and skilled for the role.
Consequences for regional outsourcing
Moving services from Singapore to elsewhere in south-east Asia inevitably entails assumption of country risk – economic, social and political conditions and events that may affect the service/institution. This then places additional pressure on being able to keep other risks from outsourcing within acceptable parameters under assessments required by the Guidelines, and could well impact upon the available pool of external service providers.
An additional complication is the need for an outsourcing agreement with certain prescribed terms. In many cases, external service providers will insist on using their own standard terms, without amendment. Even if amendments are possible, achieving all the provisions required by the Guidelines – which are generally favourable to the outsourcing institution - may be challenging.
An effective way to deal with these issues is to outsource intra-group, where risks such as physical/IT customer data security breaches, outsourcing contract termination and service provider bankruptcy should become significantly more manageable. Group-wide risk management policies and procedures may already address many of the expectations of the Guidelines.
This could be done by way of using existing overseas subsidiaries or establishing service companies. Section 5.4.5 of the Guidelines affirms this by stating that “reduced due diligence may be sufficient when the outsourcing arrangements are made within the institution’s group” and Section 5.11.2 goes on to describe what form it might take.
Intra-group outsourcing is further incentivised by various investment packages available around the region for international organisations establishing regional service centres.
Incentives available for regional service centres
Arguably the most attractive set of incentives in the region is currently offered by Thailand. Competing schemes offered elsewhere in south-east Asia tend to have more costly/awkward eligibility requirements and/or offer less attractive incentives.
Effective last year, the Thai authorities removed the old Regional Operating Headquarters scheme, which had too many qualifications and too few incentives, and replaced it with an International Headquarters (IHQ) scheme.
Essentially, a Thai company functioning as an IHQ would need:
at least 15 million Thai Baht in annual operating expenses paid to Thai recipients (approx. SGD578,000)
to be providing qualifying management, technical or support services to at least one overseas branch or overseas affiliated company.
Assuming these qualifications can be met, an attractive range of tax benefits is available. Among them:
Income from qualifying services to domestic affiliates attracts substantially reduced Thai tax rates;
No Thai tax on dividends paid to IHQ overseas shareholders from the net profits of activities which are Thai tax-exempt;
Expatriates employed by the IHQ are subject to a 15% flat personal income tax rate on their salaries (subject to conditions). The standard top rate, which becomes applicable at a relatively low level of income, is 35%.
The IHQ can be 100% foreign-owned and these incentives are available for up to 15 years.
The Thai IHQ could then charge fees for its outsourcing services to, for example, a Singaporean affiliate. These fees would be Thai tax-exempt and could be used to satisfy the annual operating expense requirement. Dividends from the net profits of these services could also be remitted without Thai tax to shareholders – perhaps the same Singaporean affiliate.
The Thai IHQ then potentially allows a Singaporean organisation to reduce its costs in a very tax efficient way while also facilitating compliance with the Guidelines by keeping outsourcing intra-group.
