Monetary Authority of Singapore to gain new powers to enforce technology risk management requirements
Wayne Scott, Regulatory Compliance Solutions Lead at NCC Group
The Parliament of Singapore has passed new laws this month that grant the Monetary Authority of Singapore (MAS) new powers to enforce technology risk management requirements for financial institutions.
Failure to comply with the regulation could result in fines of up to $1 million – or even higher if, for example, several rules are broken or an incident impacts the financial institution’s customers or other partners.
Singapore has been leading the way on promoting better operational resilience and third-party risk management in the financial services sector. The new laws follow the publication of new Technology Risk Management (TRM) guidelines last year, which required financial institutions to have risk mitigation and business continuity measures in place.
Regulating technology risk with escrow
Although reliance on third-party software is not a new concept, it is vital that financial institutions consider the risks associated with their increasing dependence on it. The TRM guidelines lay out detailed steps financial institutions should take to mitigate the associated risk, specifically naming escrow agreements and verification testing as a viable mechanism to mitigate supplier failure. Indeed, escrow continues to be the most recommended and proportionate way to regulate technology risk.
Software resilience by design no matter who develops critical software
The guidance also establishes the responsibilities of the Board of Directors and senior management in assessing and managing the third-party network. It also sets out that where financial institutions develop their own software in-house, they should implement and follow strict security standards, ensuring that TRM requirements are still considered even when no third-party provider is used.
People-related risk
Setting an example for other governments to follow, the new laws go even further than before to regulate supply chain risk by equipping the MAS with the power to issue prohibition orders against individuals who have shown themselves to be unfit to perform key roles in the industry, including risk management roles.
Making business continuity & risk management a priority
With technologies growing in complexity and the cyber threat landscape evolving rapidly, the approach taken by Singapore serves as a blueprint for other governments and regulators around the world to follow. For financial institutions, reviewing business continuity and risk management practices to ensure they are compliant with the guidelines should, as always, be a priority.