MAS Technology Risk Management Guidelines
The extensive proposed changes to the Monetary Authority of Singapore’s (MAS) Technology Risk Management Guidelines, released recently, reflect a fast-changing risk and security landscape engulfing financial institutions, particularly in the light of their digital transformation.
The increasingly complex information technology infrastructure supporting financial institutions, the ever-present cyber threats and the expansion of financial services to consumers are increasing institutions’ exposure to a range of operational risks, including technology risks, the MAS technology risk management guidelines said.
“In this regard, FIs [financial institutions] should fully understand the magnitude of technology risks and put in place adequate and robust risk management systems, as well as operating processes to manage these risks,” the Singapore regulator said.
The proposals were a result of MAS’ collaboration with financial institutions through the Association of in Singapore. The guidelines were first published in 2013, setting out technology risk management principles and best practices for the financial services sector.
Technology is a clear agenda item for MAS
The Technology Risk Management Guidelines, which replace their predecessor, the Internet Banking and Technology Risk Management Guidelines, are a clear indication that technology is a top agenda item for MAS, said Chris Lim, advisory partner at EY in Singapore.
The Outsourcing Guidelines, which underwent consultation a few months ago, the Personal Data Protection Act (PDPA) regulations concerning data mobility, and now the proposed changes to the Technology Risk Management Guidelines and the proposed changes to the Business Continuity Management Guidelines are the pillars necessary for a sound base to support the digital agenda in Singapore’s financial services sector, Lim said.
“This also ties back to what we are seeing in Singapore and where it wants to head toward, especially if the country is going to be heavily focused on technology adoption and fintech,” he said.
Proposals will have major impact on financial institutions
The 14 proposed changes to the Technology Risk Management Guidelines cover a broad range of requirements from governance and internal audit, to new processes involving management of third-party service providers, technology refreshment management, change management and building cyber resilience, among others. They are expected to have significant impact on both large and smaller financial institutions, said Nizam Ismail, head of financial services at RHTLaw Taylor Wessing in Singapore.
“The MAS technology risk management guidelines are setting a higher bar compared to the initial guidelines published in 2013. The approach of the MAS technology risk management guidelines applies across the board. There will definitely be major impact, especially for the large institutions, which are expected to comply fully with these guidelines, given their scale and complexity. Because these expectations are in the form of guidelines rather than regulations, which have the force of law, smaller players will be allowed to deviate from these expectations if they are able to justify why certain aspects of these guidelines might not be applicable to them, given that they lack the scale and complexity,” he said.
Governance is one important area in which the MAS technology risk management guidelines give more prescriptive requirements with respect to the role of the board and senior management, according to Nizam. For instance, the board is now explicitly required to ensure that sound and robust technology risk management is in place and that the appropriate risk appetite is set.
“The board must now oversee the process of setting the firm’s risk appetite and determine to what extent the firm is willing to accept the residual technology risks, after taking into account the risk mitigants the firm has put in place,” he said.
The MAS technology risk management guidelines also require the board to appoint roles such as chief information officer, chief technology officer, head of IT and chief security officer, in addition to ensuring that only people with the appropriate expertise and experience fill such positions.
“The board needs to look at the senior management and decide what competencies are required. The board can delegate certain tasks to a committee, but will remain accountable,” he said.
There are also new prescribed requirements for members of the senior management team. For instance, they must ensure the roles and responsibilities of staff who manage technology are clearly delineated and defined. The MAS technology risk management guidelines have introduced a new concept called a “responsibility assignment matrix”, also known as a RACI (responsible, accountable, consulted, informed) matrix, which sets out the people who are responsible for each technology function.
There are now expectations on senior managers to apprise the board of technology risk developments or incidents that might have significant impact on financial institutions.
Given that the boards of most financial institutions would have access to the knowledge and expertise needed to manage technology risk, what needs to be clarified is whether there is a need to change the composition of the members on the board, Lim said.
Managing third-party service providers
A proposal about managing third-party service providers, including power supply companies, telcos, payment system service providers and trading platforms, is striking and will have significant impact on financial institutions, Nizam said. The underlying principle of this proposal requires financial institutions to conduct due diligence on third-party service providers, including looking into their financial viability, track record, reliability, capability, expertise and experience in handling confidential customer information, and integrity, he said.
“The thinking of the MAS technology risk management guidelines is that if using these third-party service providers involves confidential customer information, it could impact financial institutions if there are security failures or information breaches. Even though it is not an outsourcing arrangement, there is a risk to financial institutions, and they should therefore address these risks,” he said.
While carrying out due diligence on third-party service providers is already an industry practice and is set out as one of the requirements in the Outsourcing Guidelines, the challenge lies in its implementation, Lim said.
“If this requirement is enforced literally, it can delay banks in working with technology partners to keep pace with innovation. It needs clarification. Financial institutions won’t be looking at just the Technology Risk Management Guidelines. They need to look at how all the guidelines apply to them,” he said.
Section 3.5.2 of the proposed guidelines concerning insider threats, which fall under the broader topic of “competency and background review”, also needs clarification, according to Lim. Insider threats include theft of confidential data, sabotage of systems and fraud by staff, contractors and service providers. The MAS technology risk management guidelines require background checks to be carried out on personnel who have access to financial institutions’ data and systems, to minimise such risk.
Such background checks, though not an entirely new process for financial institutions, could present significant challenges to them, particularly if they have a global footprint, Lim said.
“When the technology is not centrally managed in Singapore but decentralised over the global footprints, background checks could be difficult. This means that there are many people on whom you potentially have to perform background checks if you think of the people who support techs and ops,” he said.
Expectations on cyber resilience
The MAS technology risk management guidelines have also set out MAS’ expectations on financial institutions in building cyber resilience.
“Section 12, which covers cyber surveillance and security operations, reflects the importance of cyber as an agenda and provides specific input on some of these areas. Cyber and technology risk are intertwined. Section 13, which covers cyber-security assessment, is another key area. The industry feedback has been that these principles are correctly articulated,” Lim said.
Financial institutions are expected to have well-defined processes on cyber resilience, procure cyber-intelligence monitoring services and participate in information sharing on cyber-related incidents. They are expected to have real-time monitoring systems to detect suspicious and malicious activities. Financial institutions are expected to put in place cyber incident response plans as well as conduct regular vulnerability assessments and testing to test the resilience of their systems.
The prescriptive requirements on encryption of information, particularly the need to use algorithms that are of international standards, further demonstrate MAS’ concern about cyber threats in the financial sector, Nizam said.
Other new requirements
Other significant changes to the Technology Risk Management Guidelines are focused on technology refreshment management and change management.
In the event that system upgrades are no longer available, financial institutions may be allowed to continue to use outdated systems, subject to MAS’ approval. Financial institutions are expected to set up a change management board which will be responsible for assessing, testing, reviewing and giving approval to any changes within the organisations.
The MAS technology risk management guidelines have also proposed that financial institutions set up an independent audit function to assess the controls for managing technology risk.
Other regulators likely to follow suit
It is unclear from the consultation paper when these proposed changes will be implemented.
“In the absence of any implementation timelines, one interpretation is that you are expected to comply with the various new requirements immediately. Or it could be a drafting oversight, especially when there is a transitional period of a year for the proposed business continuity guidelines. While there are a lot of new[ly] prescribed requirements in the proposed Technology Risk Management Guidelines, it is likely that many of the larger and complex financial institutions would have addressed all these already out of business necessity,” Nizam said.
As a leading regulator in the region, MAS’ regulations have always been closely watched. Lim said he expects regulators in the region to make similar moves to revise their technology risk management guidelines.