Heads up for non-banking financial institutions, including m-payment, online payment and prepaid card firms: Singapore's new Technology Risk Management Guidelines (TRMG) include you. They are not legally binding, but how far firms observe the spirit of the guidelines will be considered during a regulatory risk assessment.
The guidance places the onus on FIs to report IT system outages to the Monetary Authority of Singapore (MAS), which requires firms to enhance existing systems and implement new frameworks that allow swift reporting of technological failures. Firms must report all system outages to MAS as soon as possible, or not more than one hour after the discovery of the outage.
According to the Notice on TRM, which outlines the relevant legal requirements, the guidance covers all financial institutions, holders of remittance licences and all operators and settlement institutions of designated payment systems, which includes many providers of new payment products and services (NPPS).
Who is responsible for what?
Board directors and senior management are called out immediately in the guidance, which pinpoints their responsibility for implementing and maintaining tech frameworks, based upon the risks faced, to achieve security, reliability, resiliency and recoverability.
Policies, standards and procedures should be updated regularly to reflect changes in operations and new technology, including updating compliance processes to reflect developments.
Employee, vendor and contractor screening processes should be in place to identify any risks from the people you work with.
All staff, contractors and vendors should undergo IT security awareness training annually, at a minimum.
The guidance offers some very useful pointers on how to manage the risks – from identification to treatment, monitoring and reporting to MAS. The regulator has also produced a compliance checklist, to be completed annually by senior managers with oversight of IT systems.