Outsourcing: Singapore overview
A Q&A guide to outsourcing in Singapore.
This Q&A guide gives a high level overview of legal and regulatory requirements on different types of outsourcing; commonly used legal structures; procurement processes; formalities required for transferring or leasing assets; data protection issues; customer remedies and protections; contracting parties' remedies; dispute resolution; and the tax issues arising on an outsourcing.
To compare answers across multiple jurisdictions, visit the Outsourcing Country Q&A tool.
This Q&A is part of the multi-jurisdictional guide to outsourcing. For a full list of jurisdictional Q&As, visit www.practicallaw.com/outsourcing-mjg.
For the rules relating to transferring employees, visit Transferring employees on an outsourcing in Singapore: overview.
Regulation and requirements
Financial institutions (as defined by section 27A(6) of the Monetary Authority of Singapore Act (Cap.186)) are regulated by the Monetary Authority of Singapore (MAS). In connection with any outsourcing, financial institutions must comply with the following:
The MAS Guidelines on Outsourcing (2004, updated 1 July 2005).
The MAS Notice 634 Banking Secrecy, Conditions for Outsourcing (19 February 2003, revised 25 May 2004).
The MAS Circular on IT Outsourcing and related Technology Questionnaire (14 July 2011).
The MAS Guidelines on Technology Risk Management (June 2013) and the MAS Notice on Technology Risk Management (21 June 2013).
The 2004 MAS Guidelines on Outsourcing set out MAS' expectations of a financial institution that has entered into an outsourcing or is planning to outsource its business activities to a service provider. A financial institution must notify MAS when it is planning or has entered into a material outsourcing, or is planning to vary a material outsourcing.
The 2004 Guidelines define ''material outsourcing'' as an outsourcing arrangement which, if disrupted, has the potential to significantly impact a financial institution's business operations, reputation or profitability. However, note the reference to "significant" IT outsourcing in the MAS Circular on IT Outsourcing.
The Guidelines require a financial institution to assess, in an outsourcing, the degree of materiality to the institution. MAS lists the factors to be considered. Outsourcing of all or substantially all risk management and internal control functions including compliance, internal audit and financial accounting, is deemed material.
A financial institution is also required to undertake periodic reviews of its outsourcing arrangements to identify new material outsourcing risks as they arise. Material outsourcing risks may also arise when the service provider, in a material outsourcing, sub-contracts.
MAS also requires financial institutions to notify it of:
Any adverse development arising in an outsourcing that could significantly affect the financial institution.
Any breach of legal and regulatory requirements by the service provider.
Regardless of the materiality of the outsourcing, the Guidelines specify certain contractual provisions and safeguards to be included in the outsourcing agreement between the financial institution and its service provider (see Question 3).
MAS may require a financial institution to terminate or make alternative outsourcing arrangements if the confidentiality of its customer information or the ability of MAS to carry out its supervisory functions cannot be assured.
MAS Notice 634 Banking Secrecy, Conditions for Outsourcing provides that when a bank in Singapore outsources to a service provider any operational function which will be performed by the service provider outside Singapore and disclosure of customer information to the service provider is involved, the bank must comply with conditions set out in the Appendix to this Notice.
The 2011 MAS Circular on IT Outsourcing sets out obligations on financial institutions including a requirement to complete and submit a detailed Technology Questionnaire for Outsourcing and consult with MAS before committing to any significant IT outsourcing. Outsourcing involving customer personal or account data, transactions, deposits, loans, payment card data, trading details and investment portfolios is generally considered as significant.
The 2013 MAS Guidelines and Notice on Technology Risk Management are the most recent MAS pronouncements which have an impact on outsourcing by financial institutions. The Guidelines do not replace or supersede the 2004 Guidelines on Outsourcing or the 2011 Circular on IT Outsourcing. However, specified guidelines, circulars and security advisories will be cancelled on the issuance of the Guidelines and Notice. These include the 2008 Internet Banking and Technology Risk Management Guidelines, the 2009 Circular on Endpoint Security and Data Protection, and the 2010 Circular on Information Systems Reliability, Resiliency and Recoverability.
The Guidelines are statements of industry best practices which financial institutions are expected to adopt. While the Guidelines are not legally binding, MAS will take a keen interest as to how and the extent to which financial institutions have implemented the Guidelines, and stresses that the degree of observance with the spirit of the Guidelines by a financial institution will impact MAS' overall risk assessment of that financial institution.
MAS emphasises that outsourcing by financial institutions, in any configuration or at any location should not impede MAS in carrying out its supervisory functions and therefore its guidelines, circulars, notices, regulations are applicable to financial institutions which operate systems that are used by Singapore operations but hosted overseas.
Financial institutions are required to put in place a proper framework, policies and procedures to evaluate, approve, review, control and monitor the risks of all its outsourcing activities and to carry out due diligence, before the service provider is appointed, to determine its viability, capability, reliability, track record and financial position.
MAS stipulates that the power of regulatory authorities to carry out inspections, supervisions or examinations of the service provider’s roles, responsibilities, obligations, functions, systems and facilities must be set out in the outsourcing agreement. MAS has clarified that the right to examine service providers to obtain information stored at, or processed by service providers, and the right to access any report or finding made on the services rendered to financial institutions, is integral to MAS' supervisory efforts.
While MAS accepts that financial institutions may not have the legal prerogative to amend legacy outsourcing contracts, it expects financial institutions to ensure that the regulatory supervision requirement is met when revising, renewing or extending legacy outsourcing agreements.
As cloud computing is a form of outsourcing, the guidance in the 2013 MAS Guidelines would apply. Therefore, all financial institutions are expected to perform risk assessments and the necessary due diligence before engaging in any arrangements which include the use of cloud computing.
MAS advises that financial institutions should be aware of the unique attributes and risks of cloud computing in areas of data integrity, sovereignty commingling, platform multi-tenancy, recoverability and confidentiality, as well as regulatory compliance, auditing and data offshoring.
Financial institutions are advised to pay particular attention to cloud computing service providers' abilities to isolate and clearly identify its customer data and other information system assets for protection. Specifically, the financial institution should have the contractual power and means to promptly remove or destroy its data stored at the service provider's systems and backups if the service provider's contract is terminated.
MAS Notice 644 on Technology Risk Management contains prescriptive requirements for availability, recoverability and reliability of critical systems (for example, ATMs, online banking systems and systems which support payment, clearing or settlement functions). The Notice applies to financial institutions and not just banks.
In order to give financial institutions time to assess, prepare and implement the necessary infrastructure, controls, processes and procedures to meet the requirements stipulated in the Notice, the Notice will take effect on 1 July 2014.
The Notice requires the financial institution to:
Put in place a framework and process to identify critical systems.
Maintain high availability and ensure that the maximum unscheduled downtime for its critical systems does not exceed four hours within 12 months.
Recover critical systems in four hours or less in the event of any disruption to the critical system.
Inform MAS in writing within one hour of discovery of the relevant system malfunction or IT security incident and submit a root cause and impact analysis report to MAS within 14 days (or such longer period as MAS may allow) of occurrence.
Other than in relation to financial institutions, there are no additional regulations relevant to a business process outsourcing.
Other than in relation to financial institutions, there are no additional regulations relevant to an IT outsourcing.
Telecommunications operators are regulated by the Infocomm Development Authority of Singapore (IDA).
The Telecommunications Act 1999 (Cap. 323), as amended, does not directly prevent or restrict a telecommunications operator from outsourcing. Nonetheless, there may be specific restrictions in the conditions of any IDA licences (whether facilities-based or services-based) held by that telecommunications operator that could prevent or restrict the outsourcing transaction.
Public procurement is governed by the Government Procurement Act 1994 and related regulations. The Ministry of Finance is responsible for the Government Procurement (GP) policy framework, which governs how Government agencies conduct their procurement within the GP framework.
The GP framework is based on the principles of fairness, transparency and value-for-money:
Transparency. An open and transparent procurement system. The Singapore government's procurement requirements, procedures and evaluation criteria for quotations and tenders are published openly on the Government Electronic Business (GeBIZ) portal.
Open and fair competition. Suppliers are given equitable opportunities and access to compete on a level playing field and are treated fairly. All suppliers are given the same information for them to prepare their bids.
Value for money. The Singapore government procures from sources that can best meet its requirements and which offer the best value. Value for money is derived from the optimal balance of benefits and costs on the basis of total cost of ownership. Value for money does not necessarily mean that a tender or quotation must be awarded to the lowest bidder.
The need for any intended procurement must be approved by the relevant approving authority before the procurement process can commence. Depending on the estimated value of the procurement, the procurement procedure adopted could be by way of a small value purchase (up to SG$3,000 in estimated procurement value), quotations (SG$3,000, up to SG$70,000), or tender (more than SG$70,000).
There are three types of tender procedures:
Open tenders. Tender notices are posted on the GeBIZ website to invite any supplier who may be interested to bid based on the requirements specified.
Selective tenders. Selective tenders are used for more complicated purchases with sophisticated requirements. Applicants are shortlisted based on their capabilities through an open pre-qualification exercise. The shortlisted applicants are then invited to submit their tenders.
Limited tenders. These tenders are by invitation only, and may be open to one or a few suppliers. Limited tenders are used when the project concerns national security, or when it is not feasible or practical to call for open tenders.
The default tender procedure is generally an Open tender.
Public procurements, especially the Open and Selective tenders, involve standard terms and conditions and there is little or no scope to amend those. If the relevant agency or body is amenable to negotiating the terms and conditions, this will either be in the course of a Limited tender and/or will be flagged in the invitation to tender.
There are no additional sectoral rules for outsourcing.
In addition to the requirements described in Question 2 above, the MAS Outsourcing Guidelines 2004 require financial institutions to comply with the below.
Capability of service providers. The financial institution should undertake appropriate due diligence on the service provider to assess its capability to employ a high standard of care in performing the service and comply with its obligations under the outsourcing agreement. Due diligence undertaken during the selection process should be documented and re-performed periodically as part of the monitoring and control processes of outsourcing.
Required contractual terms. The financial institution should address certain specified issues in its outsourcing agreement including the following:
The financial institution must satisfy itself that the service provider's security policies, procedures and controls will enable the financial institution to protect confidentiality and security of the institution's customer information. The financial institution should notify MAS of any unauthorised access or breach of security and confidentiality by the service provider or its subcontractors.
The financial institution should ensure that its business continuity preparedness is not compromised by outsourcing. It is expected to adopt the sound practices and standards contained in the Business Continuity Management Guidelines issued by MAS. Steps to be taken include ensuring that the service provider has in place satisfactory business continuity plans which are tested regularly.
The financial institution should establish a structure for the management and control of outsourcing. MAS should be informed if there are any adverse developments or non-compliance with legal and regulatory requirements in an outsourcing arrangement.
Every financial institution must take steps to ensure that its outsourcing agreement allows:
the financial institution to conduct audits on the service provider;
MAS, or any agent appointed by MAS, to access both the service provider and the institution to obtain records and documents, of transactions, and information of the institution given to, stored at or processed by the service provider and the right to access any report and finding made on the service provider.
These requirements must also be met in arrangements with any sub-contractor that the service provider may engage.
The financial institution should also review its outsourcing arrangements periodically to ensure that its outsourcing risk management policies and procedures, and these Guidelines, are effectively complied with.
The financial institution should, at least annually, review the financial and operational condition of the service provider to assess its ability to continue to meet its obligations.
The financial institution should also periodically commission independent audit and expert assessments on the security and control environment of the service provider. Copies of audit reports should be submitted by the financial institution to MAS.
In its risk management of an outsourcing to a service provider in a foreign country, the financial institution should take into account, at due diligence and on a continuous basis, the government policies and political, social, economic and legal conditions in the foreign country, its ability to effectively monitor the service provider, and to execute its business continuity management plans and exit strategy.
The majority of outsourcing transactions adopt the traditional supplier/customer services agreement model. Many relationships are based on a framework or master services agreement structure under which services are provided. This approach facilitates the addition of further services as well as being able to accommodate local service agreements where required under a multi-jurisdictional arrangement.
Some companies have established captives (usually a wholly owned subsidiary) in lower cost offshore jurisdictions which provide services to support the company's core business, often using a shared services structure. Captive arrangements enable the outsourcing company to exercise greater control over the outsourced services. However, the outsourcing company will bear the cost of setting up (to the extent required) and operating the captive and, as a consequence, the cost savings associated with outsourcing may not be realised.
Some companies have implemented a multi-sourcing strategy to ensure that they are not over dependent on a single supplier and to give them greater business flexibility. However, managing multiple suppliers adds increased complexity and costs.
Some companies have therefore also outsourced their procurement function to assist with the management of multiple suppliers.
An outsourcing involving a joint venture structure can look commercially attractive and offer a customer greater control, but it will result in additional complexity to the outsourcing arrangement and potentially will require more management time.
For details on the public procurement process, see Question 2. Following the relevant tender process, the procurement procedure continues with an evaluation stage and finally the approval of the award of the contract:
Evaluation. Suppliers' bids are evaluated holistically, according to the principle of value for money. This means that the suppliers' offers are evaluated not only in terms of price, but also whether they have complied with all the requirements in the tender specifications and other factors such as quality of the goods and services, timeliness in delivery, reliability and after-sales service support. Depending on whether it is a quotation or a tender, one or more officers will evaluate suppliers' bids before making their recommendation to the appropriate approving authority for consideration.
Approval of award. To ensure checks and balances in the procurement process, the officer(s) evaluating the bids must be different from the officer(s) approving the award of the bid. This applies for both quotations and tenders. Quotations are approved by at least one officer while tenders are approved by a tender board of at least three officers. The approving authority considers the recommendation and justifications, and may seek clarifications from the evaluating officer(s) before accepting the recommendation. An award notice with the name of the supplier awarded the contract, as well as the contract sum awarded, will be published on GeBIZ (see Question 2).
Typically, a customer will identify its business requirements for outsourcing and undertake a baseline review to assess current services and systems and current associated costs. This will form benchmarks for performance and service levels, and confirm its outsourcing business case.
The customer could issue a request for information (RFI) setting out the services it wishes to outsource and requesting information about suppliers' capabilities and experience in relation to those services. It would also investigate the market to understand the likely price to pay for the required services.
The most appropriate sourcing strategy will depend on its needs and objectives. A tender may not be the best option. If a tender is chosen, the customer would prepare a detailed request for proposal (RFP) which contains all relevant information to enable suppliers to submit their best bids, including an accurate and full description of the customer's business, the services it requires and the outcomes it would like to achieve.
Engaging multiple suppliers can limit risks, encourage suppliers to be competitive and provide a fallback strategy if one supplier withdraws. However, managing multiple suppliers is more complex and time consuming.
Suppliers are then given time for due diligence and preparation of a comprehensive solution in response to the RFP.
The customer would evaluate bidders' responses, and undertake due diligence into each potential supplier (including supplier personnel interviews, reference site visits, and verifying references and financials) before selecting its preferred supplier.
Transferring or leasing assets
Formalities for transfer
The purchase of immovable property in Singapore has to be effected by deed. It is recommended that the deed is registered at the Singapore Land Registry to secure priority and as evidence of title. However, title passes on signing of the deed, not on registration. Stamp duty will be payable by the transferee, but goods and service tax (GST) is not currently payable. The transfer of title to immovable property outside Singapore will be governed by the formalities of the relevant jurisdiction.
IP rights and licences
The transfer of trade marks, patents, copyright and designs is by way of assignment and must be in writing in order to be effective. Where the assignment involves patents or applications for patents, the assignment has to be signed by or on behalf of the parties to the transaction. For trade marks (registered or pending applications), designs (registered or pending applications) and copyright, the assignment may be signed by or on behalf of the assignor. However, for maximum certainty, most assignments are also signed by the assignee in practice.
In order to be enforceable against third parties, the transfer of registrable IP must either have been:
Registered in the relevant register.
Notified to the relevant registrar.
The transfer of movable property will typically be formalised in a sale and purchase agreement signed by the relevant parties.
Contracts can be transferred by assignment under which the benefit but not the obligations of the contract will transfer (unless an express indemnity is included, which can leave some residual risk with the transferor). Contracts can also be transferred by novation which transfers both the benefits and the obligations.
Assignment or novation of key contracts must be effected in writing and the original contract should be reviewed to determine whether the consent of the counterparty is required. Alternatively, if the terms of the contract permit, the customer can retain ownership of the contract and allow the supplier to supply the services to the counterparty as agent of the customer on a "back-to-back" basis.
Export controls on strategic goods
To the extent that the customer is a Singapore company and needs to transfer (probably by way of a licence arrangement) its own technology to a supplier in a jurisdiction outside of Singapore for the purposes of that supplier using that technology to provide services to the customer, the application of export and licensing controls under Singapore's Strategic Goods (Control) Act 2002 (Cap. 300) (SGCA) should be considered.
The SGCA applies to so-called "dual-use" assets which are goods/technology capable of being used for both a military and non-military purpose.
The SGCA regulates the export and transfer of strategic goods, strategic goods technology as well as goods and technology capable of being used to create weapons of mass destruction. These exports and transfers include the electronic transfer of these strategic goods and technology, including the intangible transfer of technology (ITT).
Parties who wish to export relevant strategic goods and technology or engage in ITT must first obtain the relevant permit from Singapore Customs.
Formalities for leasing or licensing
All leases of immovable property in Singapore must be in writing, signed by all parties and must incorporate all the agreed terms in one document. It is advisable, although not a legal requirement that licences of immovable property should also comply with these formalities. There is no requirement to register leases in Singapore. The consent of a superior landlord or lender may be needed if the property is charged. Leases or licences of immovable property outside Singapore will be governed by the formalities of the relevant jurisdiction.
IP rights and licences
Licences of registered trade marks and patents must be in writing and signed by the relevant parties to the transaction. In relation to other IP rights, a written agreement should be entered into as a matter of good practice. It is usually advisable (but not a requirement) for an exclusive licensee of registered IP rights (such as patents or registered trade marks) to register the exclusive licence with the Intellectual Property Office of Singapore.
A written lease or licence should be entered into as a matter of good practice to record the terms agreed, and in particular should include sums payable, the term of the lease or licence, any restrictions on use of the property and termination provisions which mirror the termination provisions of the outsourcing arrangement.
The concept of a contract being leased or licensed is not generally recognised under Singapore law. In practice, contracts will be assigned or novated as detailed above.
Transfer/leasing considerations on offshoring
There are various considerations when outsourcing offshore, both financial and practical.
Customers remain responsible for their own risk management and compliance issues so should weigh the economic, political, and geographic stability of the country they are transacting with. This is of particular concern in Asia where in certain countries there is an increased risk of corrupt practices and geopolitical instability. In addition, companies should be aware of the usual financial considerations when entering into a cross-border transaction, such as the exposure to foreign exchange controls and withholding tax.
In practice, an outsourcing in Singapore may or may not involve a business transfer. The question of whether a business transfer is involved goes towards determining whether employees are transferred by operation of law to the recipient company.
There are two categories of employees in Singapore:
Employees who do not fall within the ambit of the Singapore Employment Act 2009 (Cap.91) (SE Act) (Non-EA Employees).
Employees falling within the ambit of the SE Act (EA Employees).
Non-EA Employees are employees with executive or supervisory functions which include the authority to influence or make decision on issues such as recruitment, discipline, termination of employment, assessment of performance and reward, or involvement in the formulation of strategies and policies of the enterprise, or the management and running of the business. They also include professionals with tertiary education and specialised knowledge/skills, and whose employment terms are comparable to those of managers and executives.
EA Employees are both:
Workmen who are in receipt of a salary not exceeding SG$4,500 a month.
Employees (other than workmen) who are in receipt of a salary not exceeding SG$2,500 a month.
Under section 18A(1) of the SE Act, the transfer of employment for EA Employees takes place automatically upon the transfer of an undertaking, or part of an undertaking, from one person to another. There will not be any automatic transfer of contracts of services for Non-EA Employees. The practice is to terminate their employment contracts with the transferor and for the Non-EA Employees to be offered new employment contracts with the transferee.
The SE Act defines an ''undertaking'' to include any ''trade or business'' and ''transfer'' to include ''the disposition of a business as a going concern and a transfer effected by sale, amalgamation, merger, reconstruction or operation of law''.
The above considerations would apply on the initial outsourcing, on a change of supplier and on termination of the outsourcing agreement.
For more information on transferring employees on an outsourcing, including structuring employee arrangements (including any notice, information and consultation obligations) and calculating redundancy pay, see Transferring employees on an outsourcing in Singapore: overview ( www.practicallaw.com/9-578-6825) .
Data protection and data security
Until recently, there was no specific legislation in Singapore to regulate the collection or use of personal data. That all changed when the Personal Data Protection Act 2012 (PDPA) came into effect on 2 January 2013. Although the operative provisions of the PDPA will not come into effect until 2014, organisations involved in the outsourcing are already addressing the issues it raises in their contractual documentation and operational processes.
The operative provisions of the PDPA will come into effect in two parts:
Part 1, on 2 January 2014, will see the launch of the "Do Not Call" rules relating to direct marketing messages. In most cases, it will not be directly relevant to outsourcing arrangements.
Part 2, on 2 July 2014, is what the majority of organisations will be most focused on, because it is the date on which all of the other requirements of the PDPA will come into effect, including the obligations regarding the collection, storage, use and transfer of personal data.
The PDPA applies to companies, associations and bodies as well as individuals who are resident in Singapore but not if they are acting as an employee or in a personal or domestic capacity. It does not apply to public bodies, which are subject to separate existing rules.
The PDPA only applies to "personal data", being data about an individual (whether or not it is true) who can be identified from that data or from that data and other information to which the person holding the data is likely to have access. Obligations continue to apply to personal data for ten years after an individual has died. Personal data that is more than 100 years old, and business contact details, are not subject to the PDPA.
In broad terms, the PDPA places obligations on how organisations collect, use and disclose personal data. The main obligations are as follows:
Consent must be obtained from individuals before their personal data is collected, used or disclosed.
Individuals must be given access to their personal data.
Personal data must be accurate and requests for errors and omissions to be rectified must be adhered to.
Personal data must be kept secure. There are no detailed security provisions in the PDPA, nor are there specific obligations around notification of breaches as in some jurisdictions. The PDPA simply states that organisations must protect personal data in their possession or control by ''making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks''.
Data must not be retained for longer than is reasonable for the purpose for which it was collected and no longer than is necessary for legal or business purposes.
Organisations must take responsibility for data intermediaries. The PDPA does make a distinction between organisations primarily responsible for the collection and use of data on the one hand and data intermediaries which process that data on behalf of those organisations on the other. Data intermediaries are subject to fewer direct obligations under the PDPA, being only the obligations regarding protection of personal data and retention of personal data.
Each organisation must appoint a compliance officer (although this only applies to organisations primarily responsible for the collection or use of data, rather than data intermediaries).
Organisations are not permitted to transfer personal data outside of Singapore unless they provide a "standard of protection to personal data so transferred that is comparable to the protection under the [PDPA]". There is currently no "white-list" of jurisdictions that are deemed to offer appropriate levels of protection, although established data protection regimes (for example in Europe) would be more likely to pass the test than those without an existing legal framework.
The jurisdictional scope of the PDPA is somewhat unclear, which will be unsatisfactory to many companies wanting to assess whether they will be caught by the PDPA or not. The current view is that it is unlikely that the PDPA will seek to have extra-territorial effect in respect of its general data protection provisions but will apply only to organisations that collect, use or disclose personal data in Singapore or transfer data out of Singapore. This would extend to foreign companies who have an office or place of business in Singapore. However, it is not clear that it would extend to a company based offshore who just happens to collect data from Singaporean customers along with data from individuals in other jurisdictions. This is a key issue that it is hoped will be cleared up in following regulations and guidance.
Mechanisms to ensure compliance
The operative provisions of the PDPA are not yet in effect and will not be until mid-2014. However, organisations involved in outsourcing (whether as customer or supplier) will need to start developing or amending contractual documentation now to deal with the issues raised by the PDPA.
The key issue to bear in mind for an outsourcing agreement is if an organisation is using a service provider to process data on its behalf, the organisation is responsible for the performance of that service provider.
Best practice for organisations undertaking activities that will be caught by the PDPA is as follows:
To undertake an appropriate level of due diligence to assure itself that the service provider is capable of complying with the PDPA. Organisations are already starting to build this into their tender documentation. Service providers will need to be ready to respond to customer questions regarding their security arrangements.
If the service provider is based outside of Singapore, or if its servers or systems are based outside of Singapore, the customer will be aiming to ensure that the jurisdiction in question has an adequate level of protection. As described above, there is no white-list, but territories in Asia without an existing legal regime for data protection could be at risk of being deemed inadequate for these purposes.
To include appropriate contractual protections in the outsourcing agreement, including:
an obligation on both parties to comply with the requirements of the PDPA and any other applicable regulatory requirements relevant to data protection;
an obligation on the service provider to comply with the customer's requests and instructions regarding the personal data. Service providers will of course want to ensure that the scope of this is limited and that requests are reasonable;
a right for the customer to audit the service provider's systems and processes for handling personal data. Again, service providers will want to limit the scope, have an appropriate notice mechanism and limit the number of times this right can be exercised; and
indemnity protection in relation to breaches of the PDPA.
For service providers to include appropriate back-to-back obligations in their agreements with sub-contractors.
In Singapore, compliance with international security standards is not required.
Sanctions for non-compliance
The kinds of financial liabilities that organisations could be exposed to under the PDPA include fines of up to SG$1 million. Indemnity protections in the contract will only cover financial liabilities and given that the PDPA could potentially make officers of an organisation personally liable, with certain breaches attracting imprisonment of up to three years, a process of thorough due diligence and contractual rights of inspection, will be at least as important as indemnity protection.
Financial institutions in Singapore are already subject to the relatively stringent banking secrecy requirements under the Banking Act 2008 (Cap.98) and other regulatory obligations specified by the Monetary Authority of Singapore.
The banking secrecy rules under section 47 of the Banking Act place financial institutions under statutory obligations of secrecy in respect of customer account information. Financial institutions are allowed to disclose information about customers and their accounts only in very limited circumstances.
Mechanisms to ensure compliance
The Singapore Government did consult on the concurrent application of the PDPA with existing sectoral rules and, despite some organisations arguing that any potential overlap could cause uncertainty and operational issues and that the financial services sector should therefore be exempted, financial institutions were not exempted and so the PDPA does apply to financial institutions.
There are some potential scenarios where the PDPA and the existing sectoral rules may overlap to some extent, in which case financial institutions will need to decide which applicable standard it must comply with. The higher standard (whether under the PDPA or the existing sectoral rules) would generally take precedence. In most cases, it is likely that the more stringent banking secrecy rules already applicable would take precedence over the more general principles of the PDPA. However, in some other cases (where, for example, the PDPA applies more broadly to all types of personal data, whether customer or employee data, whereas the Banking Act is more focused on customer data), it is possible that the PDPA will represent the higher standard.
If a financial institution is outsourcing operations in a way that will require the sharing of customer data or employee data with third parties, it will need to have in place systems and operational processes, as well as contractual documentation, to ensure compliance with both sets of rules.
Sanctions for non-compliance
A person who contravenes section 47 of the Banking Act may be liable on conviction to a fine and, in certain circumstances, to imprisonment for a term not exceeding three years, or to both.
Confidentiality of customer data
Other than express contractual obligations in an outsourcing agreement and as set out under Question 2 above or under the data protections and banking secrecy requirements described above, there are no other specific confidentiality requirements.
Service specification and levels
The outsourcing agreement will include detailed service descriptions against which certain service levels will be assigned. These service levels are used by the parties to monitor and measure service performance. Some of the service levels will be designated as critical performance indicators (CPIs) or key performance indicators (KPIs) and failure by the service provider to meet a CPI or a KPI would trigger payment by the service provider to the customer of a service credit.
Typically, the service provider and customer will agree an amount equal to a percentage of fees payable for the services which the service provider will put at risk under the service credit scheme.
Flexibility in volumes purchased
A typical customer likes to achieve a balance between certainty of pricing and flexibility in its outsourcing agreement to enable it to adjust its service requirements to meet its changing business needs. While suppliers are willing to accommodate flexibility, their business case will have been created on the basis of a minimum financial commitment by the customer in terms of anticipated fees. Therefore, a supplier will usually insist on a right to renegotiate the commercial deal if changes requested by the customer have an adverse impact on the supplier's business case.
There are various pricing models that can be used to address the customer's need for flexibility and the supplier's concerns about maintaining a deal which is economically viable and profitable. These include unit-based, transaction-based or resource-based pricing models.
Charging methods and key terms
The majority of outsourcing transactions are ITO although most BPO deals have a significant IT component and most ITO deals involve some process re-design. Therefore the distinction between ITO and BPO is blurring.
While the full spectrum of pricing models are possible in the market, many deals end up being fixed price for a fixed scope or fixed deliverables. Where the customer is unable to establish fixed scope or criteria because, for example, of their expanding or changing market or generally because the outsourcing market is (relative to Europe or the US) less mature, the pricing model on the deal ends up being unit or transaction-based or FTE (headcount)-based. Outcome-based pricing models are very rare.
Typically, outsourcing agreements will include indexation provisions using agreed cost of living indices particularly if services are provided from an offshore jurisdiction.
If there is an international element to the outsourcing agreement (for example, the services are provided across the Asian region), the agreement may address variations in foreign exchange rates against the billing currency by reference to an agreed external rate. For regional deals, there may be a requirement for local invoicing in local currency.
Given the diversity of tax regimes across the Asian region, regional deals will require tax input when they are structured.
Outsourcing agreements sometimes include benchmarking provisions but this would not be appropriate in fixed price deals.
Customer remedies and protections
Damages for the supplier's breach of the outsourcing agreement will be available as of right to the customer. Under common law, the customer is entitled to those losses that are directly caused by the supplier's breach where the losses are reasonably foreseeable or where special circumstances exist and have been notified to the supplier in a situation where it is reasonable to hold the supplier liable.
Penalties in contracts are unenforceable. However, it is acceptable to include provisions for liquidated damages for breach of contract provided they are a genuine pre-estimate of the likely loss which would be suffered by the relevant party.
Where the breach is sufficiently serious or where it is contractually provided for, the customer may also terminate the agreement.
In certain circumstances, specific performance may be ordered. However, where the outsourcing requires extensive co-operation of the parties involved, it is unlikely that specific performance will be ordered.
An outsourcing agreement would usually contain rights and remedies to protect the customer from a supplier’s breach or failure, including:
Service credits for service level breaches.
Adjustment of charging mechanisms that may have been more beneficial to the supplier (for example, minimum revenue commitments).
Step-in rights (in the case of material breach by the supplier).
Defined termination events, including termination for convenience (which avoids the need to justify the termination, although this right would usually be exercised at a cost to the customer).
Audit rights to cover financial, operational and security aspects of the agreement.
An appropriate governance structure with a clear dispute resolution procedure.
The outsourcing agreement would usually contain certain supplier obligations to provide the customer with protection, such as obligations to:
Measure and report service levels, highlighting actual and foreseeable problems, and obliging the supplier to remedy faults and take preventative action to minimise reccurrences.
Indemnify the customer for certain breaches and losses.
Maintain adequate insurance coverage (often with agreed limits and coverage).
Arrange execution of a parent company guarantee.
Warranties and indemnities
It is usual for a supplier to:
Warrant that it is entitled to enter into the agreement and perform its obligations.
Warrant that it will perform the services with reasonable care and skill, in a timely and professional manner and in accordance with applicable laws and recognised industry standards.
Warrant that material information provided by it in the proposal stages was and remains accurate, complete and not misleading.
Warrant that it has required certifications and accreditations, and operates in accordance with defined standards related to the services.
Indemnify the customer against loss suffered due to the supplier's actions related to IP breaches, breach of confidentiality, damage to property and wilful acts or omissions.
It is usual for the customer to provide more limited warranties, such as to:
Warrant that it is entitled to enter into the agreement and perform its obligations.
Provide assurances concerning title and condition of assets transferred to the supplier, including the absence of liabilities under transferred contracts (if not transferred "as is").
Singapore common law implies contractual terms that goods are merchantable, and that services will be performed with reasonable skill and care.
Furthermore, the Sale of Goods Act 1999 (Cap.393) implies certain conditions and warranties, including as to reasonable quality, fitness for purpose, conformity to sample and merchantability. However, the Act only applies to a contract for the sale of goods and would not apply to contracts for services.
These warranties and conditions implied by the Sale of Goods Act can also be expressly excluded or varied by agreement of the parties. Such exclusion or variation is subject to the test of reasonableness under the Unfair Contract Terms Act 1994 (Cap.396). Business entities can be considered consumers for the purposes of the Unfair Contract Terms Act when dealing on a standard terms contract basis. See Question 29.
Singapore is a key insurance market for insurance and reinsurance companies to underwrite risk both internationally and regionally. With rising awareness and increasing sophistication of risk management systems, the insurance industry has also matured in terms of its product offerings across various sectors, including increased capabilities to underwrite specialised risks.
Accordingly, the types of insurance which would be most pertinent for outsourcing risks and available on the market would be:
Professional indemnity insurance.
Business interruption insurance.
Comprehensive crime insurance which includes fraud committed by employees.
Comprehensive general liability (that is, public liability) insurance.
Directors' and officers' insurance (to cover directors and officers of a company against claims brought against them in that capacity).
Term and notice period
There is no legal requirement for a maximum or minimum term for an outsourcing agreement. However, it is not uncommon for an outsourcing agreement to be for a two to five year term with an automatic extension of the term until the agreement is terminated by either party with notice to the other party.
There is no legislated maximum or minimum length of notice period for termination or otherwise. Notice periods are generally left to the parties to determine in the outsourcing agreement. In the absence of a notice period for termination and where the agreement does not have a fixed term, Singapore common law will imply a "reasonable" notice period. What is "reasonable" will depend on the individual circumstances.
Termination and termination consequences
Events justifying termination
The Singapore courts recognise that the innocent party to a contract is entitled to elect to terminate the contract where the term breached is a condition of the contract. A condition is a term designated by the parties as being so important that a breach of that condition will justify the termination of the contract regardless of the consequence of the breach.
An innocent party may choose to terminate the contract where there has been a breach of a term, the consequence of which has been to substantially deprive the innocent party of the benefit it was to have received under the contract.
Where there has been negligent or fraudulent misrepresentation, the innocent party is entitled to terminate and/or rescind the contract ab initio.
However, the Singapore courts do not recognise the legal doctrine of "fundamental breach" insofar as it purports to render exclusion/limitation clauses null and of no effect.
Under Singapore insolvency law, a contract is not automatically terminated because of the insolvency of a party or where that party undergoes some insolvency process. Instead, a receiver or liquidator is given the powers to disclaim or otherwise proceed with a contract. However, most outsourcing agreements stipulate that insolvency events are grounds for immediate termination of the agreement.
A contract might also come to an end because of the doctrine of frustration. Frustration occurs when unforeseen supervening events arise without default of either party such that the nature of the contract has become so radically different that the performance of the contractual obligation would be fundamentally different from the obligations initially contemplated and undertaken. As a result, the Singapore courts consider that it would be unjust to hold the parties to their initial contractual obligations. As the effect of this doctrine is rather draconian, the mere fact that the contractual obligations have become more onerous to perform is insufficient grounds to amount to frustration.
The adjustment of rights and liabilities of parties to a frustrated contract is governed by the Frustrated Contracts Act 1985 (Cap.115).
The parties are free to vary, remove or extend termination rights implied by law, for example, by including termination rights for:
Unremedied material breach of the agreement. Typically, the breach must be material and it is usual to include a cure period in which the injured party gives written notice of the breach and allows the counterparty a reasonable period to remedy it (often 30 days or more). If it is not possible to remedy the breach or where the cure period has expired and the breach has not been remedied, the agreement can be terminated.
Minor but persistent breaches (with the type of breach and number of breaches needed to trigger the termination right defined in the agreement).
Insolvency and insolvency related proceedings.
Change of control of the supplier.
Termination for convenience by the customer on notice (termination without cause). This allows the customer to switch suppliers without having to give a reason (for example, if it is generally dissatisfied but unable to demonstrate any clear breach). This is usually an expensive option, since the supplier often requires compensation for early termination. This compensation will be calculated by reference to the supplier's potential loss of revenues and profits and costs incurred by the supplier that cannot be mitigated or avoided. Typically, the parties will agree appropriate formulae of principles for the calculation of termination compensation.
IP rights and know-how post-termination
In the absence of a contractual provision entitling the supplier to use the customer's licensed IP post-termination, there are no implied rights to use licensed IP right following termination of the outsourcing agreement. The parties are free to agree on the continued use of licensed IP rights post-termination.
Liability, exclusions and caps
The parties are generally free to agree to exclude most forms of liability. The key issues and exceptions are set out below:
The Singapore courts will construe exclusion or limitation of liability clauses strictly against the party seeking to rely on it. Accordingly, explicit wording is required if exclusions or limitations are intended to apply to liability arising from a party's negligence or deliberate breach. This also applies to indemnity clauses which fulfil the same purpose.
Limitation of liability clauses are interpreted less stringently than total exclusion of liability clauses.
Exclusions or restrictions of liability for misrepresentation must satisfy the "reasonableness" requirement under the Unfair Contract Terms Act (see Misrepresentation Act 1994 (Cap. 390)).
Exclusions or restrictions of liability for death or personal injury caused by a party's negligence are void and unenforceable pursuant to the Unfair Contract Terms Act. In the case of other loss or damage, the exclusion or restriction of liability for negligence must satisfy the Unfair Contract Terms Act's reasonableness requirement.
If the parties are dealing on the other's written standard terms of business, any exclusion or restriction of liability for breach of contract must satisfy the Unfair Contract Terms Act's reasonableness requirement. This is so even if both parties are commercial/business entities.
Under the Sale of Goods Act, implied terms as to title to assets cannot be excluded or restricted, while those relating to satisfactory quality, fitness for purpose and certain other matters can only be restricted where this meets the Unfair Contract Terms Act's reasonableness requirement.
Subject to the above, a supplier (and usually the customer) will aim to exclude liability for:
Indirect and consequential loss.
Loss of business, profit or revenue, whether these constitute a direct or indirect loss.
The two main formal dispute resolution methods used are arbitration and litigation in court.
Arbitration is a method of dispute resolution where parties refer their dispute to an impartial tribunal (consisting of one or more arbitrators). The parties agree to be bound by the tribunal's decision (known as an ''award''). Arbitration is an alternative to court litigation and can only take place if the parties have agreed to it. The parties can agree to arbitration either by:
Including an arbitration clause in a commercial or consumer agreement at the drafting stage.
Signing an arbitration agreement after the dispute has arisen.
The key benefits of arbitration are in its procedural flexibility, choice of arbitrators (legal and subject matter), privacy and confidentiality, the lack of an appeals process as well as the ability to enforce an award in 148 other jurisdictions under the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards 1958.
Singapore is a highly regarded and prominent centre for arbitration, often ranked in the top tier of seats and venues for arbitration alongside London, Paris and Zürich. Singapore is also home to top tier arbitration institutions such as the SIAC, WIPO, ICC and AAA's ICDR.
The choice of arbitration removes recourse to the courts except for support in aid of the arbitration or in the enforcement or recognition of the award. This can be an appealing option where there are concerns about the judiciary in the counterparty's home state.
Another form of ADR is expert determination where parties contractually provide that their dispute will be referred to and finally determined by a single expert whose ruling will be final and binding. The expert will be a person with technical expertise and the disputes that are referred tend to be disputes of a technical nature. Unlike in arbitration, an expert is entitled to adopt an inquisitorial and investigative approach, and need not refer the results to the parties for submissions prior to making his decision. The scope for setting aside an expert's decision is much narrower than for setting aside an arbitral award.
Negotiation/conciliation and mediation
Apart from arbitration, the most common forms of ADR are negotiation/conciliation or mediation. Negotiation/conciliation is conducted by and between the parties themselves. In mediation, that process of resolving the dispute is assisted by a neutral third party that is, the mediator. It is becoming increasingly common to have multi-tier clauses in which parties have to undergo a process of negotiation/conciliation or mediation prior to submitting the dispute to arbitration or litigation. The Singapore courts will uphold such a clause so long as the process is sufficiently certain and spelt out with enough detail for the court to police and monitor if necessary.
Unlike arbitration and litigation, the outcome of the negotiation/conciliation or mediation process is not formally binding unless the parties subsequently decide to embody that outcome in a settlement agreement.
Litigation involves bringing the dispute to court for judges to determine the matter. Unlike arbitrators, judges in court proceedings have the power to join third parties to the proceedings and as such subcontractors or other suppliers can be made part of the proceedings so all related disputes can be resolved in a single set of proceedings. In arbitration, non-signatories to an arbitration agreement are not bound and cannot be bound by that arbitration agreement and made to participate in an arbitration save in very limited and exceptional circumstances. Another advantage is that summary and default proceedings are available as a default option in Singapore court proceedings. The Singapore judiciary is well regarded for their independence, efficiency and expertise in commercial matters.
However, court proceedings are public by nature. This includes the documents and evidence adduced in those proceedings a matter of public record. Parties are also unable to choose which judge and the number of judges they would like to hear their dispute. Furthermore, parties are limited in their choice of counsel to those who have rights of audience before the Singapore courts.
Despite its very Western outlook and business environment, Singapore remains an Asian country. In this respect, it places a high(er) degree of emphasis on promoting consensus where possible. Accordingly, informal alternative dispute resolution (ADR) methods which focus on conciliation and consensus are popular and common.
Transfers of assets to the supplier
Stamp duty is payable on documents connected to the transfer of property including leases, sale and purchase agreements and mortgages, at the following rates, in each case assessed at the higher of the purchase price or market value of the property:
Up to SG$180,000: 1%.
SG$180,001 to SG$320,000: 2%.
SG$320,001 and over: 3%.
Additional stamp duty of up to 16% of the higher of the purchase price or value of the property is payable on a sliding scale if the property transferred is residential, industrial or "residential and mixed-residential" and was acquired less than four years from the date of its prior acquisition.
No stamp duty is due on the transfer of other tangible assets such as equipment and machinery, but GST may apply (see below).
Singapore does not have any capital gains tax.
Transfers of employees to the supplier
A transfer of employees is not a taxable event. However, the new employer should be aware that they will now be liable to make Central Provident Fund (CPF) contributions on behalf of any new Singaporean or Permanent Resident employee. CPF contributions do not apply to foreign staff on work visas.
The CPF contribution rates for private sector employees are determined by reference to the age and wage of the employee and, in the case of Permanent Residents, how long they have had Permanent Resident status. The maximum employer CPF contribution is currently 16% of the relevant employee's wages.
VAT or sales tax
GST is a broad-based consumption tax levied on the import of goods (collected by Singapore Customs), as well as nearly all supplies of goods and services in Singapore. GST is payable at 7%.
Exemptions exist for the sale and lease of residential properties, the provision of most financial services and where the business (whole or part of it) is transferred as a going concern. Export of goods and international services are taxable but are currently zero-rated.
GST may be payable (see above).
Stamp duty payable on transfer of real property as detailed above. There is no stamp duty payable on the transfer of tangible assets.
A company is taxed at a flat rate on its chargeable income regardless of whether it is a local or foreign company. The corporate tax rate is currently 17%, but certain tax exemptions are available. There is a full tax exemption available on the first SG$100,000 of income for qualifying start-ups (other than investment holding companies and property development companies) and a partial exemption available for all qualifying start-ups on subsequent bands of income. In addition, companies will be granted a 30% tax rebate capped at SG$30,000 for each year of assessment in 2013, 2014 and 2015.
*The author wishes to acknowledge the contributions of his colleagues Lucy Berry, Shaun Lee, Mun Yi Lee and Matt Pollins, and Oo Ban Leong of Prolegis LLC.
Monetary Authority of Singapore, Financial Services Regulation
Description. Website of the Monetary Authority of Singapore which contains laws and regulations and other MAS communications related to the financial services sector.
Ministry of Finance, Public Procurement
Description. Website of the Ministry of Finance which contains laws and regulations related to public procurement.
Personal Data Protection Commission Singapore
Description. Website of the Personal Data Protection Commission Singapore which contains the Personal Data Protection Act and related PDPC communications.
Ministry of Manpower, Employment
Description. Website of the Ministry of Manpower which contains laws and regulations and other MOM communications related to employment.
Infocomm Development Authority of Singapore, ICT
Description. Website of the Infocomm Development Authority which contains policies, laws and regulations and other IDA communications related to the information technology and communications sectors.
Inland Revenue Authority of Singapore, Tax
Description. Website of the Inland Revenue Authority of Singapore which contains laws and regulations and other IRAS communications related to taxation.
Ian Ferguson, Partner, Head of Technology and Sourcing
Olswang Asia LLP
Professional qualifications. England and Wales, Solicitor.
Areas of practice. Sourcing; procurement; information technology; telecommunications.
- Specialises in commercial transactions in relation to sourcing, technology, and telecommunications, with 30 years of experience in international law firms.
- Advising customers and suppliers on sourcing transactions across sectors including business processes, IT, communication and facilities management services, multi-jurisdictional and offshore transactions, shared services arrangements and outsourcings involving joint ventures.
- Advising on technology and communications infrastructure, services and integration projects, electronic banking, e-commerce and cloud based arrangements, as well as on acquisitions, disposals and joint ventures in the technology sector.
- Advising on strategic investments, mergers and acquisitions, joint ventures, privatisations, regulation and commercial contracts in the telecommunications sector.
Languages. English, conversational French
- International Association of Outsourcing Professionals (IAOP).
- British Chamber of Commerce, Singapore.
- American Chamber of Commerce, Singapore.
- French Chamber of Commerce, Singapore.
- International Bar Association.
- Gartner Outsourcing and IT Services Summit, 2007 - "Negotiating and Developing a Successful Outsourcing Partnership" when .
- Outsourcing Project, 2008 "Successful Outsourcing Partnerships".
- International Outsourcing Law and Practice, 2009 "Outsourcing Contract Structures" and "Exiting an Outsourcing Agreement".
- Financier Worldwide, 2010 "Managing Risks in Outsourcing".
- Pillsbury SourcingSpeak, 2011, blogs on Managing Risks in Outsourcing: Supplier Selection, Contract Negotiations, Relationship Management and Exit.
- Sourcing World, 2012 - UK Chapter on Outsourcing.
- Asian Legal Business, 2013 " Managing Outsourcing Risks".