Argomi User Guide to MAS Outsourcing Regulations in Singapore
September 2017
Aarti Sreenivas & Ned Lowe
Contents Page

1. Introduction
2. A Fresh Take on Compliance
3. Argomi & AWS
4. MAS Outsourcing Guidelines
I. Introduction

Regulators worldwide recognise the monetary and operational benefits outsourcing brings to financial institutions. Nevertheless, they are also aware of its risks and place a direct responsibility on financial institutions to uphold stringent outsourcing standards.

At Argomi, we recognise how crucial risk management is to your business. Your trust is important to us, which is why we have prepared this document to illustrate how we work with our clients to mitigate reputational, compliance and operational risks that may arise from an outsourcing arrangement. For this purpose, we have relied on the MAS Outsourcing Guidelines as a benchmark. [1] This whitepaper evaluates Argomi's current processes against MAS's Outsourcing Guidelines.

II. A Fresh Take on Compliance

Argomi's mission is to eliminate data fragmentation across the financial industry. The problem of data fragmentation is especially rife across compliance departments, where data is often stored manually across different files and Excel spreadsheets that are not secure. Furthermore, data governance has been an area of focus for regulators since the Global Financial Crisis, and firms are increasingly pressured to furnish digital copies of files and records upon request. eDiscovery is increasingly common and, in such cases, firms must ensure that information can be searched and retrieved in a timely manner. Yet most asset managers are struggling to keep abreast of these fast-moving requirements and fail to solidify their compliance framework in a technologically sound manner. This is where Argomi wants to make a difference.

Argomi incorporates cutting-edge technology to support audit trails which include timestamps and user-modification traceability. Our cloud-based system automatically provides financial institutions the ease of data management without the cost and operational challenges of physical servers. Please see argomi.com for more information.
[1] MAS Outsourcing Guidelines (http://www.mas.gov.sg/~/media/mas/regulations%20and%20financial%20stability/regulatory%20and%20Supervisory%20Framework/Risk%20Management/Outsourcing%20Guidelines_Jul%202016.pdf)
III. AWS & Argomi

The Argomi platform sits on top of Amazon Web Services (AWS) and heavily leverages the experience and platform maturity that AWS has built up over the years. Argomi has teamed with AWS to ensure that Argomi is following best practices and is engineered to be as secure and compliant as possible.

Argomi uses a safe and secure database in the cloud, built on the infrastructure provided by Amazon Web Services. The AWS Cloud operates 44 Availability Zones within 16 geographic regions around the world and is used by a number of established institutions including DBS, Land Transport Authority of Singapore, Morningstar, Netflix, Capital One, Financial Institutions Investment Authority (FINRA) and others. In Singapore, AWS has a dedicated team with security experts who focus on compliance for Financial Institutions.

A number of Argomi's compliance practices rest on the AWS platform. This includes strong:

- Security and internal controls audit coverage
- Reporting and monitoring
- Disaster recovery arrangements
- Cyber-security monitoring and recoverability measures

In addition, AWS has a suite of assurance programs and has obtained certifications and independent third-party attestations including ISO 27001, ISO 27017, ISO 27018, ISO 9001 and MTCS Level 3, amongst others. These AWS frameworks assure Argomi that our infrastructure rests on a secure and compliant network that takes our clients' data needs seriously.
IV. Outsourcing Guidelines - MAS

Section 5.4.3 of MAS's guidelines offers Financial Institutions a due diligence checklist to evaluate service providers. Argomi is keen to be proactive in supporting our clients to mitigate reputational, operational and compliance risks and to provide assurance to clients that Argomi is a trusted partner.

MAS Guidelines:
- Experience and capability to implement and support the outsourcing arrangement over the contracted period;

Argomi's Response:
Argomi is built by a team that has deep knowledge of the finance industry. Our team is led by Ned Lowe (Chief Executive Officer), who has 12 years of experience at Bank of America Merrill Lynch, and Chang Yoong Pin (Chief Product Officer), who has more than 20 years of experience across JL Capital, Temasek and Monetary Authority of Singapore. Both Ned and Pin are well supported by a technology and business team who have the experience and capability to lead Argomi.
We use Amazon Web Services (AWS) for cloud computing and data storage. The fact that clients like DBS Bank also use AWS is a good indicator that AWS is well respected across leading financial institutions in Singapore and the broader region.

MAS Guidelines:
- Financial strength and resources (the due diligence should be similar to a credit assessment of the viability of the service provider based on reviews of business strategy and goals, audited financial statements, the strength of commitment of major equity sponsors and ability to service commitments even under adverse conditions);
- Corporate governance, business reputation and culture, compliance, and pending or potential litigation;

Argomi's Response:
Argomi is currently funded by our Co-Founder, Tim Loh - a partner at JL Capital Pte Ltd, a Singapore Licensed Fund Management Company.
Argomi has robust internal corporate governance systems, which have been implemented across all departments. Our Chief Compliance Officer and CEO conduct regular checks to ensure that there are no breaches of our Internal Protocols.
Argomi's culture is built on integrity and employees are mandated to read and adhere to Argomi's Code of Ethics and Business Conduct.
Argomi has no pending or potential litigation.

MAS Guidelines:
- Security and internal controls, audit coverage, reporting and monitoring environment;

Argomi's Response:
Ned Lowe (CEO), Chang Yoong Pin (CPO) and Roland Santos (Lead Developer) are responsible for coordinating, developing, implementing and maintaining an organisation-wide information security program. This process requires management to identify risks within its areas of responsibility and to implement appropriate measures designed to address those risks. Argomi staff attend security-related training programs. For more details please review Argomi's Internal Security Access Policy.
Argomi plans to have a formal IT audit program in due course and re-evaluates this security program at least biannually. In addition, our server provider, AWS, has established a formal audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.

MAS Guidelines:
- Risk management framework and capabilities, including technology risk management and business continuity management in respect of the outsourcing arrangement;
- Disaster recovery arrangements and disaster recovery track record;

Argomi's Response:
Argomi has developed a strategic business plan, which includes risk identification and implementation of controls to manage risks. Argomi's management re-evaluates the strategic business plan at least biannually. Management identifies risks within its areas of responsibility and implements appropriate measures designed to address those risks.
Argomi has developed disaster recovery processes for multiple severity levels and has an internal call tree which alerts all staff in an expedited manner. For more details, please read Argomi's Crisis Management Guide.
Furthermore, leveraging AWS's Disaster Recovery track record, Argomi's users enjoy some of the most robust disaster recovery arrangements in place. Argomi has configured multiple availability zones on the AWS system, which means Argomi uses Availability Zones at distinct locations that are engineered to be insulated from each other.

MAS Guidelines:
- Reliance on and success in dealing with sub-contractors;

Argomi's Response:
Argomi does not have sub-contractors.

MAS Guidelines:
- Insurance coverage;

Argomi's Response:
Argomi does not currently have business insurance coverage. However, Argomi's platform relies on AWS, which maintains appropriate insurance, including (a) Commercial General Liability insurance with limits of not less than $1,000,000 per occurrence and $5,000,000 general aggregate, and (b) Crime/Employee Dishonesty insurance with limits of not less than $500,000 per claim.

MAS Guidelines:
- External environment (such as the political, economic, social and legal environment of the jurisdiction in which the service provider operates); and ability to comply with applicable laws and regulations and track record in relation to its compliance with applicable laws and regulations.

Argomi's Response:
Argomi operates out of the Republic of Singapore, which maintains an Aaa rating from Moody's for its political, economic, social and legal environment.
Argomi works to comply with applicable international and local laws, statutes, ordinances, and regulations concerning security, privacy and data protection of Argomi's services in order to minimize the risk of accidental or unauthorized access or disclosure of customer content.
Further Reading

In addition to this whitepaper, Argomi has a suite of other compliance documents. The purpose of this kit is threefold:

1. Provide users a thorough understanding of Argomi's security systems
2. Simplify a user's due diligence process
3. Act as a communication channel for the wider compliance and IT security community

To gain more clarity on our compliance frameworks and how they affect financial institutions, please review:

1. Argomi Technology Risk Management Policy
2. Argomi Whitepaper ABS Cloud Computing Implementation Guide
3. Argomi Internal Access Policy
4. Argomi Business Continuity and Disaster Recovery
5. Argomi Crisis Management

For further queries please approach our team at info@argomi.com.

Document Revisions

Date: September 2017
Description: First Publication