public document request for proposal project name
TRANSCRIPT
Page 1 of 34
PUBLIC DOCUMENT
REQUEST FOR PROPOSAL
Project Name: RFP.CE.2020.0012
IBF Customer Relationship Management System (‘’IBF CRMS’)
The Institute of Banking & Finance 10 Shenton Way
#13‐07/08 MAS Building Singapore 079117 Tel: 62208566 Fax: 62244947
Email: [email protected]
Page 2 of 34
CONTENTS
1. INTRODUCTION ..................................................................................................... 3
2. BACKGROUND ...................................................................................................... 3
3. OBJECTIVE ............................................................................................................. 3
4. PROJECT SPECIFICATIONS AND REQUIREMENTS ................................................... 3
5. SCOPE OF WORK ................................................................................................... 5
6. SYSTEM REQUIREMENTS ....................................................................................... 5
7. PROJECT DELIVERABLES & SCHEDULE .................................................................... 7
8. EVALUATION CRITERIA .......................................................................................... 7
9. SUBMISSION DETAILS ........................................................................................... 8
10. SECURITY CLEARANCE ........................................................................................... 8
11. PAYMENT .............................................................................................................. 9
12. CONFIDENTIALITY ................................................................................................. 9
13. INDEMNITY AGAINST A THIRD PARTY ................................................................... 9
14. NOTIFICATION OF UNSUCCESSFUL BID .................................................................. 9
15. ENQUIRIES ............................................................................................................ 9
ANNEX A: PROPOSAL ................................................................................................ 10
Page 3 of 34
1. INTRODUCTION 1.1 The Institute of Banking and Finance (“IBF”) is issuing this Request for Proposal (“RFP”) to identify suitable entity(ies) (hereinafter referred to as the “Vendor”) to submit proposals for the provision of a IBF Customer Relationship Management System (hereinafter referred to as the “IBF CRMS”). 2. BACKGROUND 2.1 The Institute of Banking and Finance Singapore (IBF) was established in 1974 as a not‐for‐profit industry association to foster and develop the professional competencies of the financial industry. IBF represents the interests of close to 200‐member financial institutions including banks, insurance companies, securities brokerages and asset management firms. In partnership with the financial industry, government agencies, training providers and the trade unions, IBF is committed to equip practitioners with capabilities to support the growth of Singapore’s financial industry. 2.2 IBF is the national accreditation and certification agency for financial industry competency in Singapore under the Skills Framework for Financial Services, which were developed in partnership with the industry. Since 2018, IBF is the appointed programme manager for the administration of professional conversion programmes for the financial industry under Workforce Singapore’s Adapt and Grow initiative. 2.3 IBF also provides personalised career advisory services to Singapore Citizens and Singapore Permanent Residents exploring a new role in, or career switch into the financial industry, under IBF Careers Connect. 2.4 IBF’s main stakeholders/customers can be classified into three main groups, finance professionals, financial institutions and financial training providers. 3. OBJECTIVE
3.1 IBF is looking for a CRM solution to manage and nurture customer relationships. The solution should be on cloud, secure, AI‐enabled and provide IBF with marketing and customer management tools to manage marketing campaigns and customer relationships. It should also provide holistic views for business users to manage and nurture customers supported with business intelligence and dashboard reporting
4 PROJECT SPECIFICATIONS AND REQUIREMENTS 4.1 Digital Outreach 4.1.1 To strengthen IBF’s digital outreach with its key target audience, the CRMS should increase the scale and efficiency of its outreach. At the minimum it should be able to: a) Have a user‐friendly interface b) Track customer engagement and behaviour across digital channels
Page 4 of 34
c) Equip IBF with the ability to self‐manage email marketing campaigns d) Measure and track the effectiveness and success rates of such email marketing campaigns. e) Compile email addresses from different collection points f) Tag and segment them according to target audiences g) Flag out key milestones for re‐marketing campaigns h) Automate the sending out of the email campaigns i) Support lead generation and custom form creation 4.2 Customer Case Management
4.2.1 To help IBF grow and nurture its customer base, the IBF CRMS should also provide a consolidated view of key IBF touchpoints, as well as of each individual customer. IBF interacts with its customers across various touchpoints, from face to face interactions, webinars, email and phone queries. As IBF continues to expand its services offerings, the diversity and range of customer requests will also increase. A CRMS that can track the different customer touchpoints, provide a consolidated customer overview, and highlight any lapses in service level agreements (SLA) timelines, will equip IBF to provide a seamless customer service delivery. 4.2.2 Below are some functionalities that the IBF CRMS should have to facilitate this seamless customer journey: a) Integrate various data sources, channels and platforms to give a 360‐degree view of customers
interactions and engagement with IBF b) Set‐up a member engagement model and journey, and track progression; increase member
acquisition and retention by improved engagement c) Develop an integrated dashboard to track current open cases, closed cases across IBF d) Provide a functionality that can assign cases and manage cases through the system e) Offer performance management of internal SLAs e.g. compliments vs complaints, cases closed
within 3 days f) Provide multi‐channel contact support for IBF Customers g) Integrate with other social platforms for end to end customer management (for e.g.
Whatsapp/SMS) h) Collect customer satisfaction score i) Include AI‐powered functionalities to facilitate customer engagement and knowledge building j) Build in advanced analytics to provide actionable customer insights k) Generate FAQs from responses with an in‐platform live knowledge base l) Customize an appointment booking function for IBF’s Career Advisory services m) Host CRMS on Cloud n) Project and secure customers’ data by meeting international and industry standards on data
protection
Page 5 of 34
5. SCOPE OF WORK
5.1 Once selected, the scope of service required shall include:
5.2 Business User Requirements and Customisation
a) Conduct workshops with business users to identify and construct the customer journeys that the IBF CRMS should be tracking, and to gather the customer management functionalities for the IBF CRMS. Based on these requirements, vendor to propose the platform configuration for the IBF CRMS.
b) Vendor to assess the system and software requirements required to implement the IBF
CRMS. Vendor to present proposed platform configuration and functionalities, and system integration required to IBF Management for approval.
5.3. Platform Configuration and User Acceptance Testing
a) Vendor to set up platform prototype for User Acceptance Testing (UAT) based on above approved requirements.
b) To make adjustments based on UAT. Where required, perform data migration and data
clean‐up and the implementation of relevant APIs from IBF’s current database system
5.4 Deployment and Training for staff
a) Upon successful UAT, to deploy IBF CRMS. During deployment, relevant staff from vendor may need to be on‐site to ensure a smooth roll‐out of the system.
b) Vendor to also provide training to IBF staff on the usage of the IBF CRMS. The training
should also include a presentation on the IBF Customer Journey, and how the IBF CRMS can be used to deepen and engage customers.
a) Vendor to also provide user guide for the IBF CRMS.
5.5 Contract Duration
b) The contract is for a period of 2 years, with the option to extend for a period of 12 months (but not exceeding 24 months) through mutual agreement between IBF and the Vendor.
6. SYSTEM REQUIREMENTS 6.1 Security Measures
a) Vendor shall submit a report to IBF before the launch of the platform, and thereafter on a yearly basis: (i) Vulnerability Assessment and Penetration Testing (VAPT) performed by an independent party conducted on the platform; and (ii) Rectification of all identified security gaps.
Page 6 of 34
b) All IBF user access shall be equipped with Two Factor Authentication or Multi‐factor
Authentication c) Vendor shall propose appropriate BCP and data backup measures and frequency to
ensure minimum data loss to business operations. d) The Vendor shall ensure it has sufficient security controls in place and meet ISO 27001,
SOC2, NIST or any other relevant security framework. Vendor shall ensure that data in transit and at rest is protected/encrypted. Transport Security Layer (TSL) shall be implemented for secure transmission of data online via major browsers.
e) Ensure that certificates used are of minimum SHA256 algorithm.
6.2 Data Governance
a) IBF has full ownership of all customer data and reference materials in the CRMS. All data
disclosure to third parties, retention and disposal by Vendor shall be subjected to IBF’s
approval.
b) The Vendor shall ensure that the data is protected against loss, corruption, unauthorised
access, use, amendments etc. and only authorised staff has access to the data in both UAT
and PROD environments. All data migration must be approved by IBF.
c) The Vendor shall ensure that all staff who may have access to IBF’s data sign the
Confidentiality and Non‐Disclosure Agreement (CNDA) not to access, use, share, divulge
or retain data unless this is required in discharging their duties during their employment.
The CNDA is binding even if the staff has resigned or is transferred to another project
team or after the termination or expiry of the Contract. Non‐compliance could result in
legal action being taken against the Vendor by IBF and/or referred to relevant authorities.
6.3 Availability
a) The System shall be available on a twenty‐four (24) hours per day, seven (7) days per Week , three hundred and sixty five (365) days per year basis ( 24 X 7 X 365 ) except for scheduled routine system maintenance or downtime in which IBF is to be notified at least one (1) week in advance to inform users.
6..4 Technical and User Support Requirements
a) The Vendor shall provide Helpdesk support (preferably local) for the System conforming to all IBF business hours (Monday to Friday, 9am to 6pm). For all issues reported by the users or by IBF, Vendors should adhere to response time as prescribed by IBF. An issue or incident is deemed resolved when the reporting party is notified and satisfied with the resolution steps taken by the Vendor.
Page 7 of 34
7. PROJECT DELIVERABLES & SCHEDULE 7.1 The Vendor shall complete the project deliverables based on the stipulated timeline unless otherwise instructed by IBF.
Project Deliverables Timeline
Stage 1 – Gathering of user requirements
1. Discovery session with IBF management and team leads on customer journey
2. Workshops to understand IBF requirements for customer management
3. Presentation to IBF management and team leads on proposed platform configuration before UAT
3 weeks
Stage 2 – CRMS Platform Configuration
4. Preview of prototype based on above IBF Requirements. 5. Customisation and acceptance of platform configuration
3 weeks
Stage 3 – User Acceptance Test (UAT)
6. UAT
2 weeks
Stage 4 – Data Migration and System integration
7. Migration of relevant databases 8. Integration with relevant IBF Systems
3 weeks
Stage 5 – Full Deployment and Training for Staff
9. Preparation of User Guide and user training (Refer to para 5.4)
3 weeks
8. EVALUATION CRITERIA
8.1 The following are the criteria used for the evaluation of all proposals received by IBF for this RFP and its weightage (%):
8.2 Proposed platform and implementation (30%)
a) Quality and comprehensiveness of proposal to meet all the stated objectives and in compliance to the requirement specifications in sections 4, 5 and 6.
8.3 Relevant experience and expertise of Vendor (20%)
a) Track record of Vendor in delivery of similar services
b) Expertise and experience of the proposed project team
Page 8 of 34
8.4 Price (30%)
a) Price proposed that meets all requirements as specified in this tender
8.5 Ability to meet Timeline (20%)
a) Ability to meet project timeline and achieve the objectives of the survey
8.6 As part of the evaluation process, shortlisted Vendors will be required to make a presentation of the proposal to IBF.
8.7 In the event that IBF seeks clarification upon any aspect of the proposal, the Vendor shall provide full and comprehensive responses within three (3) days of notification.
9. SUBMISSION DETAILS 9.1 All Vendors are required to complete the attached form “Proposal – IBF CRMS” in Annex A. 9.2 Two (2) hard copies and one (1) soft copy (PDF format) of the proposal shall reach IBF no later than 30 June 2020, 5 PM, Singapore time. All proposals must be clearly marked as “Proposal – IBF CRMS (RFP.CE.2020.0012)” and addressed to:
The Institute of Banking & Finance 10 Shenton Way #13‐07/08 MAS Building Singapore 079117 Email: [email protected]
9.3 The IBF reserves the right not to accept late submissions.
9.4 The IBF reserves the right to cancel, or modify in any form, this RFP for any reason, without any liability to IBF. 9.5 All proposals submitted will remain confidential.
10. SECURITY CLEARANCE
a. The Vendor shall subject all their personnel who will be involved in the performance of the Services to security clearance by IBF before commencing their work. IBF reserves the right to reject any of the Vendor’s personnel and the Vendor is responsible for finding replacements immediately and at the Vendor's own expense. b. The Vendor shall observe the secure usage and handling of all IBF’s information. All the Vendor’s personnel shall sign an Undertaking to Safeguard Official Information to protect IBF’s information against unauthorised disclosures by the Vendor’s personnel during the course of their
Page 9 of 34
work. The Vendor shall ensure that all its personnel and subcontractors are informed that failure to comply with the undertaking would be a criminal offence. c. All the Vendor’s personnel shall fully comply with any written instructions from IBF regarding security matters. 11. PAYMENT 11.1 The vendor shall propose a detailed cost breakdown for each of the phases, and any licensing fees. 11.2 Payment schedule to be as follows: a) 50% of implementation cost to be paid upon start of project. The remaining 50% to be paid upon successful implementation of project. IBF to determine when it considers the CRMS to be successfully implemented. b) Annual licensing fee for CRMS to be invoiced to IBF separately from implementation cost. 12. CONFIDENTIALITY 12.1 The Vendor shall ensure the absolute confidentiality of the data and information provided by IBF or any other organisation identified by IBF for this project and shall not, under any circumstances, release or communicate through any means, in whole or in part, any information to any third parties. All correspondence and communication with all external parties, pertaining to matters relating to this project, shall be made only through IBF.
12.2 IBF may require an unsuccessful Vendor to return all materials that IBF provided during the period from the issue of this RFP to the acceptance of the successful proposal. 12.3 The Service Provider shall submit, together with their proposals, an undertaking to safeguard the confidentially of any and all information revealed to them. 13. INDEMNITY AGAINST A THIRD PARTY
13.1 The Vendor shall indemnify and hold harmless IBF and its partners and employees from and against any foreseeable loss, expense, damage or liabilities (or actions that may be asserted by any third party) that may result from any third party, claims arising out of or in connection with the project and will reimburse IBF for all costs and expenses (including legal fees) reasonably incurred by IBF in connection with any such action or claim. 14. NOTIFICATION OF UNSUCCESSFUL BID
14.1 Notification will not be sent to unsuccessful Vendors by IBF. 15. ENQUIRIES
15.1 All enquiries pertaining to this RFP may be directed to [email protected]
Page 10 of 34
ANNEX A: PROPOSAL
Project Name:
RFP.CE.2020.0012
IBF Perceptions and Customer Satisfaction Survey
(‘’IBF CRMS’’)
Name of Corporate Entity:
For Internal (IBF) Use only
Date Received:
Officer‐in‐charge:
Page 11 of 34
USEFUL NOTES
(A) Submission of Quotation
To assist us in reviewing your proposal in the shortest time possible, please provide the requested information completely and accurately. If the space provided is insufficient, a separate sheet may be used. Where information is not yet available or not applicable, please indicate accordingly.
You are advised to contact us should you have any difficulties in completing the form or if you need any further information.
Two (2) hard copies and one (1) soft copy (PDF format) of the proposal shall reach IBF no later than 03 July 2020, 5 PM, Singapore time. All proposals must be clearly marked as “Proposal – IBF CRMS ( RFP.CE.2020.0012)”, and addressed to:
The Institute of Banking & Finance 10 Shenton Way #13‐07/08, MAS Building Singapore 079117 Email: [email protected]
(B) Structure of the Quotation
The complete proposal consists of 6 parts:
Part I – Company Data
Part II – Details of Proposed Project
Part III – Project Costs & Fees
Part IV – References / Other Considerations
Part V – Non‐disclosure and Undertaking (Third Parties)
Part VI – IBF IT Service Provider Checklist
(C) IBF reserves the right to conduct interviews and on‐site visits during the review of the proposal.
(D) The Company in submitting this proposal undertakes not to divulge or communicate to any person or party any confidential information, including but not limited to any documents that may be forwarded from IBF to you subsequently, without having first obtained the written consent of IBF.
Page 12 of 34
PART I – COMPANY DATA
1. GENERAL
(a) Company Name: _____________________________________________
(b) Mailing Address: _____________________________________________
2. OWNERSHIP: Information on Paid‐Up Share Capital & Shareholders
3. CLIENTELE LIST
Please provide a list of your company’s key clients.
4. SIGNIFICANT ACHIEVEMENTS, AWARDS & CERTIFICATIONS (where applicable)
Please indicate significant achievements, awards and certifications received by company or staff.
5. SUPPORTING DOCUMENTS REQUIRED
A copy of the latest updated ACRA search.
Full set of the latest audited financial / management report for the last 1 year.
Any other relevant reports or information available.
Page 13 of 34
PART II – DETAILS OF PROPOSED PROJECT
A) Functional Specifications
S/N No. Specifications Ability to Deliver
(Yes / No)
If yes, please provide brief
description and state any other relevant details
If no, please state reasons
and proposed
variations or alternatives
1. Database Management
1.1 Member 360 view setup (Corporate and Individual); Manage profiles of individual professionals, corporate members and training providers
1.2 Comprehensive profiling and segmentation covering contact details, experience, qualifications, interactions, applications, assessments, certifications etc
1.3 Activity and interaction management; Track all interactions, emails, calls, follow‐ups, reminders etc
2. Customer Engagement Management
2.1 Track customer engagement and behaviour across digital channels
2.2 Integrate with other social platforms for end to end customer management (for e.g. Whatsapp/SMS)
2.3 Set‐up a member engagement model and journey, and track progression; increase member acquisition and retention by improved engagement
2.4 Ability to setup engagement levels and definition of criteria for each customer
2.5 Automatic member engagement level update based on member data updates
2.6 Customer satisfaction score collection
Page 14 of 34
2.7 Be equipped with advanced analytics to provide actionable customer insights
3. Marketing Automation
3.1 Track behavior for website visitors; page visits, whitepaper downloads etc using website tracking code; Automatically convert visitors into prospects once an identification is available
3.2 Setup dynamic lists based on customer engagement level for automatic segmentation for marketing communications
3.3 Setup a custom lead scoring model for prospects to score based on various engagement activities and behavior such as page visits, email open, campaign participation, form submissions etc
3.4 Setup engagement campaigns to identify, nurture and convert prospects.
3.5 Create and manage marketing events and track participation. Track RSVP, registrations, attendance and conversion from marketing activities, with marketing ROI analysis
3.6 Setup landing pages and marketing assets
3.7 Support lead generation and customer form creation
3.8 Collect email addresses from different collection points, and tag and segment them according to target audiences
3.9 Equip IBF with the ability to self‐manage, plan and execute targeted mass email marketing campaigns
3.10 Automate the sending out of email campaigns, and flag out key milestones for re‐marketing campaigns
Page 15 of 34
4. Service & Support Automation
4.1 Enable multi‐channel contact, support (IBF Member Portal, IBF Website, Chat, Email, Social media) for IBF customers
4.2 Ability to assign cases and manage cases through the system
4.3 Automatically route cases to respective departments, teams based on pre‐defined rules
4.4 Establish SLAs and entitlements to define service standards. Track escalations
4.5 Performance management of internal SLAs e.g. compliments vs complaints, cases closed within 3 days
4.6 Have functionalities powered by AI to facilitate customer engagement and knowledge building
4.7 Setup a knowledge‐base as a repository of responses; Enable knowledge‐base on member portal for member self‐service and case deflection
4.8 Ability to generate FAQs from responses with an in‐platform live knowledge base
4.9 Setup member surveys to measure member satisfaction ratings and feedback
4.10 Enable chat/chatbots on corporate website and member portal to facilitate self‐service for common functions
4.11 Appointment booking function for IBF’s Career Advisory services
5. Overall System features and integration
5.1 File‐based or Web Services API based integration for data sync for member profile data with the following systems (backend)
5.2 CRM system must have user‐friendly interface
5.3 Be clouded‐based for easier accessibility
Page 16 of 34
5.4 Meet international and industry standards on data protection to secure to protect customer’s data.
5.5 Others (TBD)
6. Reports and Dashboards
6.1 An integrated dashboard to track current open cases, closed cases across IBF.
6.2 Integrate various data sources, channels and platforms to give a 360‐degree view of customers interactions and engagement with IBF
6.3 Real‐time reports and dashboards including the following: ‐ Member Segmentation Reports; Journey Progression ‐ Service & Support Reports ‐ Marketing Automation Reports Others (Users can customize their own reports and dashboards)
B) System Requirements
S/N No. Specifications Ability to Deliver
(Yes / No)
If yes, please provide brief
description and state any other relevant details
If no, please state reasons and proposed variations or alternatives
1. Security Measures
1.1 Vendor shall submit a report to IBF before the launch of the platform, and thereafter on a yearly basis: (i) Vulnerability Assessment and Penetration Testing (VAPT) performed by an independent party conducted on the platform; and (ii) Rectification of all identified security gaps.
Page 17 of 34
1.2 All IBF user access shall be equipped with Two Factor Authentication or Multi‐factor Authentication
1.3 Vendor shall propose appropriate BCP and data backup measures and frequency to ensure minimum data loss to business operations.
1.4 The Vendor shall ensure it has sufficient security controls in place and meet ISO 27001, SOC2, NIST or any other relevant security framework. Vendor shall ensure that data in transit and at rest is protected/encrypted. Transport Security Layer (TSL) shall be implemented for secure transmission of data online via major browsers.
1.5 Ensure that certificates used are of minimum SHA256 algorithm.
1.6 The Vendor shall enable IBF to keep complete control over the encryption key management
1.7 The Vendor shall conduct configuration management review on regular basis and validated by external auditor and provide report to IBF for review.
2. Data Governance
2.1 IBF has full ownership of all customer data and reference materials in the CRMS. All data disclosure to third parties, retention and disposal by Vendor shall be subjected to IBF’s approval.
2.2 The Vendor shall ensure that the data is protected against loss, corruption, unauthorised access, use, amendments etc. and only authorised staff has access to the data in both UAT and PROD environments. All data migration must be approved by IBF.
2.3 The Vendor shall ensure that all staff who may have access to IBF’s
Page 18 of 34
data sign the Confidentiality and Non‐Disclosure Agreement (CNDA) not to access, use, share, divulge or retain data unless this is required in discharging their duties during their employment. The CNDA is binding even if the staff has resigned or is transferred to another project team or after the termination or expiry of the Contract. Non‐compliance could result in legal action being taken against the Vendor by IBF and/or referred to relevant authorities
3. Availability
3.1 The System shall be available on a twenty‐four (24) hours per day, seven (7) days per Week , three hundred and sixty five (365) days per year basis ( 24 X 7 X 365 ) except for scheduled routine system maintenance or downtime in which IBF is to be notified at least one (1) week in advance to inform users.
4. Technical and User Support Requirements
The Vendor shall provide Helpdesk support (preferably local) for the System conforming to all IBF business hours. For all issues reported by the users or by IBF, Vendors should adhere to response time as prescribed by IBF. An issue or incident is deemed resolved when the reporting party is notified and satisfied with the resolution steps taken by the Vendor.
Page 19 of 34
PART III –PROJECT COSTS & FEES
Please provide information on the detailed applicable fees and any other applicable costs and payment schedule expected for the completion of this project.
Project Fee Quotation Template
Item
Fee Quote in S$
(Year 1)
Fee Quote in S$
(Year 2)
Fee Quote in S$
(Optional +1 Year)
1. User Requirements Gathering
2. CRMS Configuration
3. UAT
4. Data Migration and System Integration
5. Full Deployment and Training
6. One Year Maintain Service Fee
a) Pls state monthly/annual
b) To commence only after successful deployment
6. Licensing Fee
a) Pls state monthly/annual
b) To commence only after successful deployment
7. Ad hoc Jobs
a) Please state man‐day rate
Total Cost
Page 20 of 34
PART IV – REFERENCES / OTHER CONSIDERATIONS
Please indicate reference or highlight any other useful factors you would like us to consider in reviewing your quotation.
PART V – NON‐DISCLOSURE AND UNDERTAKING (THIRD PARTIES)
IMPORTANT NOTES
1. The Institute of Banking and Finance (“the Organisation”) is legally required to comply with the provisions of the Personal Data Protection Act (No. 26 of 2012) (“the Act”). Failure to comply with the Act may result in penalties being issued against the Organisation.
2. To ensure compliance with the Organisation’s internal policies in relation to the Act, all third party contractors and/or service providers are required to sign this Undertaking.
3. This Undertaking shall be signed before the commencement of work and/or services for
the Organisation.
A. SERVICE PROVIDER’S DETAILS
1. Name of Service
Provider’s Company
(“Service Provider”):
2. Company UEN No:
3. Contact Number:
4. Address:
5. Email Address:
6. Nature of Work / Service
provided to Organisation
(“Purpose”):
B. UNDERTAKING
1. Access to Personal Data, non‐public and sensitive information (“Confidential Information”) may be required in the performance of the Service Provider’s Purpose. “Personal Data” shall have the meaning given to it in the Act, and refers to information about an identified or identifiable individual, where the individual refers to a natural person, whether living or deceased. It covers all forms of personal data, whether in electronic or non‐electronic form.
Page 21 of 34
2. Should the Service Provider have access to such Confidential Information, the Service Provider undertakes that it shall not under any circumstances, release or disclose such Confidential Information to any third party or third party organisation. The Service Provider shall protect such Confidential Information and will employ all reasonable efforts to maintain the confidentiality of such Confidential Information.
3. The Service Provider shall implement such security measures as are reasonably necessary to protect the Confidential Information against unauthorised access, collection, use, disclosure, copying, modification, disposal or any other form of processing (as defined under the Act). 4. The Service Provider shall immediately notify the Organisation of any suspected or confirmed unauthorized access, collection, use, disclosure, copying, modification, disposal or any other form of processing (as defined under the Act) and/or misuse of Confidential Information. Without prejudice to any other rights and remedies that the Organisation may have, the Service Provider shall at its own expense render all necessary assistance to the Organisation to investigate, remedy and/or otherwise respond to such unauthorised access, collection, use, disclosure, copying, modification, disposal or any other form of processing (as defined under the Act). 5. The Service Provider shall immediately inform the Organisation if any Confidential Information is lost or destroyed or becomes damaged, corrupted or unusable. Without prejudice to any other rights and remedies that the Organisation may have, the Service Provider shall restore such Confidential Information at its own expense. 6. Before the Service Provider discloses Personal Data of any third party individuals to the Organisation, the Service Provider undertakes to obtain all necessary consents required under the Act for the Organisation to collect, use and/or disclose such personal data. 7. The Service Provider undertakes to comply with any and all obligations that apply to it under the Act and all subsidiary regulations that may be enacted from time to time under the Act. C. CONSEQUENCES OF BREACH OF UNDERTAKING
The Service Provider acknowledges that:
1. In the event of any breach or neglect of its obligations under this Undertaking, the Organisation may exercise its right to refuse the Service Provider access to the Organisation’s premises and facilities. 2. If the Service Provider should breach any provisions of this Undertaking, the Organisation may suffer immediate and irrevocable harm for which damages may not be an adequate remedy. Hence, in addition to any other remedy that may be available in law, the Organisation is entitled to injunctive relief to prevent a breach of this Undertaking. 3. Without prejudice to any other clause(s) in this Undertaking, the Service Provider shall bear all liability and shall fully indemnify the Organisation against any and all actions, claims, proceedings (including proceedings before the Personal Data Protection Commission (“PDPC”)), costs (including costs of complying with any remedial directions and/or financial penalties that may be imposed by
Page 22 of 34
the PDPC on the Organisation), damages, legal costs and/or other expenses incurred by the Organisation or for which the Organisation may become liable due to any failure by the Service Provider or its employees or agents to comply with any of its obligations under this Undertaking. 4. Even after the Service Provider ceases its Purpose at the Organisation, it agrees that the obligations herein shall continue.
Name of Service Provider:
________________________________
Service Provider’s Company Stamp:
_________________________________
Name of Representative of Service Provider:
_________________________________
Signature of Representative of Service Provider:
_________________________________
Date:
_________________________________
Page 23 of 34
PART VI: IBF IT SERVICE PROVIDER CHECKIST
Name of Service Provider
Date Completed
Name of Respondent
Designation / Title
Contact Number
Email Address
Signature
Company Stamp
For the Institute of Banking and Finance (“IBF”) use only:
Name of Reviewer
Designation / Title
Contact Number
Email Address
Page 24 of 34
Instructions
1. This security checklist should be completed by senior officers who have direct knowledge of the information systems and operations. The information provided in this checklist should be reviewed by their superiors.
2. For each guideline description, place an “X” in the appropriate column to indicate whether the financial institution is fully compliant, partially compliant, or not compliant. Otherwise, place an “X” in the NA column. 3. If full compliance has not been achieved, explain in the Comments column why, and how and when remedial action would be made. 4. Evidence of Vulnerability Assessment and Penetration Testing, Configuration Assessment for Cloud systems, and Incident Management Plan to be attached together with this submission.
5. System and Organization Controls Report (preferably SOC 2 plus) and Outsourced Service Provider Audit Report (OSPAR) will have to be attached together with this submission.
Page 25 of 34
S/N
Risk Category
Full
Compliance
Partial
Compliance
Non‐
compliance
N.A.
Comments
1 Usage Risk
1.1
Recent released version of Transport Layer Security (minimally
TLS version 1.2 or later) is implemented to provide
communication security.
(Adopted from MAS TRM E.2.5)
1.2 Application and database are physically hosted in Singapore.
1.3
The service provider has established a disaster recovery
contingency framework which defines its roles and
responsibilities for documenting, maintaining and testing its
contingency plans and recovery procedures.
(Adopted from MAS TRM 5.1.7)
1.4
A data backup strategy is developed for the storage of critical
information on a regular basis.
(Adopted from MAS TRM 8.4.1)
1.5 Periodic testing and validation of the recovery capability of
backup media is carried out.
(Adopted from MAS TRM 8.4.3)
Page 26 of 34
S/N
Risk Category
Full
Compliance
Partial
Compliance
Non‐
compliance
N.A.
Comments
1.6 Service provider provide logging is available to IBF via download or through a web application for:
User to role/privilege mapping
User activity
Administrative activity
1.7
Service Provider has achieved compliance certifications. (please
indicate certification, e.g. PCI Compliance, STAR, SAS70/SSAE16‐
3)
1.8
Service Provider has completed the Cloud Security Alliance (CSA)
self‐assessment or Consensus Assessments Initiative
Questionnaire (CAIQ).
1.9 Service Provider conforms to a specific industry standard security
framework, e.g. NIST Cyber Security Framework or ISO 27001.
1.10 Service Provider has a dedicated Information Security office or
staff.
Page 27 of 34
S/N
Risk Category
Full
Compliance
Partial
Compliance
Non‐
compliance
N.A.
Comments
1.11 Service Provider has not suffered any significant breaches in the
last 5 years.
1.12 All components of the disaster recovery plan are reviewed at
least annually and updated as needed.
1.13 Service Provider has a formal incident response plan.
2 Application Risk
2.1 Mobile and Desktop application do not store data on devices.
(e.g. PII, confidential data)
2.2 Service Provider complies with GDPR and PDPA.
2.3 Annual Vulnerability Assessment and Penetration Test (VAPT) is
performed.
2.4
Penetration testing is conducted prior to the commissioning of a
new modules/enhancements which offers internet accessibility
and open network interfaces.
(Adopted from MAS TRM 6.2.4)
Page 28 of 34
S/N
Risk Category
Full
Compliance
Partial
Compliance
Non‐
compliance
N.A.
Comments
2.5 Application supports role‐based access control (RBAC) for end‐
users.
2.6 Application and infrastructure support role‐based access control
(RBAC) for system administrators.
2.7 Application and infrastructure support password/passphrase
aging.
2.8 Audit logs minimally include the following: login, logout, actions
performed, and source IP address.
2.9 Service Provider has existing policies and/or procedures guiding
how security risks are mitigated until patches can be applied.
2.10 Vulnerabilities discovered in the systems or applications are
remediated prior to release.
3 Data Security Risk
3.1 Data resides physically in Singapore.
Page 29 of 34
S/N
Risk Category
Full
Compliance
Partial
Compliance
Non‐
compliance
N.A.
Comments
3.2
Service Provider to promptly remove or destroy data stored at
the service provider’s systems and backups in the event of
contract termination and provide a certification.
(Adopted from MAS TRM 5.2.4)
3.3 The data loss prevention strategy and encryption take into consideration the following:
(Adopted from MAS TRM 9.1.2)
a) Data at endpoint ‐ Data which resides in notebooks, personal
computers, portable storage devices and mobile devices;
b) Data in motion ‐ Data that traverses a network or that is
transported between sites; and
c) Data at rest ‐ Data in computer storage which includes files
stored on servers, databases, back‐up media and storage
platforms.
3.4 Service Provider does not have access to IBF’s data.
3.5 The Service Provider is able to isolate and clearly identify IBF's
data and other information system assets for protection.
(Adopted from MAS TRM 5.2.3)
Page 30 of 34
S/N
Risk Category
Full
Compliance
Partial
Compliance
Non‐
compliance
N.A.
Comments
3.6
Measures are implemented to protect sensitive or confidential
information such as personal, account and transaction data
which are stored and processed in systems.
(Adopted from MAS TRM 9.0.2)
3.7
IBF is properly authenticated before access to online transaction
functions and sensitive personal or account information is
permitted.
(Adopted from MAS TRM 9.0.2)
3.8
Only encryption algorithms which are of well‐established
international standards are adopted.
(Adopted from MAS TRM 12.1.3)
3.9
Monitoring or surveillance systems are implemented so that the
organisation can be alerted of any abnormal system activities,
transmission errors or unusual online transactions.
(Adopted from MAS TRM 12.1.5)
Page 31 of 34
S/N
Risk Category
Full
Compliance
Partial
Compliance
Non‐
compliance
N.A.
Comments
3.10 Service Provider has a data privacy policy.
3.11 Sensitive data is encrypted in transit (e.g. system to client).
3.12
Service Provider has an existing documented media handling
process covering, but not limited to, end‐of‐life, repurposing,
and data sanitisation procedures.
3.13 Service Provider owns the physical hosting location (e.g. data
centre) where IBF’s data will reside.
3.14 Service Provider has obtained Systems and Organisation Controls
(SOC) 2 Type II certification for the hosting location.
3.15
Service Provider has implemented a physical barrier in the
hosting location to fully enclose the physical space preventing
unauthorised physical contact with any of the devices inside.
3.16 Service Provider has physical security controls and policies in
place to protect the hosting location.
Page 32 of 34
S/N
Risk Category
Full
Compliance
Partial
Compliance
Non‐
compliance
N.A.
Comments
3.17
Employees of Service Provider are not allowed or able to take
home any assets in any form (including any hardware, software
or data) belonging to IBF.
4 IT Service Management
4.1 Service Provider provides Service Level Agreement (SLA).
4.2
Service Provider to support and assist in audit activity by
providing necessary documents upon request.
(Adopted from MAS TRM 5.1.3)
4.3
The Service Provider is required to employ a high standard of
care and diligence in its security policies, procedures and
controls to protect the confidentiality and security of IBF's
sensitive or confidential information, such as personal data,
computer files, records, object programs and source codes.
(adopted from MAS TRM 5.1.4)
4.4 IBF is kept informed of any major incident.
(Adopted from MAS TRM 7.3.9)
Page 33 of 34
S/N
Risk Category
Full
Compliance
Partial
Compliance
Non‐
compliance
N.A.
Comments
4.5 IBF is kept informed of any enhancement to the system.
4.6
A root‐cause and impact analysis are performed for major
incidents which result in severe disruption of IT services.
(Adopted from MAS TRM 7.3.10)
4.7
Employees of Service Provider are subjected to close supervision,
monitoring and access restrictions.
(Adopted from MAS TRM 11.1.2)
4.8
Service Provider’s access privileges to support/maintain the
system are regularly reviewed to verify that privileges are
granted appropriately and according to the ‘least privilege’
principle.
(Adopted from MAS TRM 11.1.4)
4.9 Service Provider has a documented and currently followed
change management process (CMP).
4.10 Service Provider has monitoring in place for Next‐Generation
Persistent Threats (NGPT).