In light of some IT glitches in certain financial institutions, MAS consulted with a workgroup of IT security specialists from the major banks and technology experts to come up with some technology risk management guidelines and notices.
The enhanced guidelines provide guidance on the oversight of technology risk management and security practices of financial institutions to address technology risks to the financial industry.
The guidelines will apply to all financial institutions, unlike the existing Internet Banking and Technology Risk Management Guidelines (IBTRM), which focused primarily on the banking sector.
I looked at the definition of financial institutions under the regulation and found that it included a very long list:
“financial institution” means —
- any bank licensed under the Banking Act (Cap. 19);
- any finance company licensed under the Finance Companies Act (Cap. 108);
- any person that is approved as a financial institution under section 28; [13/2007 wef 30/06/2007]
- any money-changer licensed to conduct money-changing business, or any remitter licensed to conduct remittance business, under the Money-changing and Remittance Businesses Act (Cap. 187);
- any insurer registered or regulated under the Insurance Act (Cap. 142);
- any insurance intermediary registered or regulated under the Insurance Act;
- any licensed financial adviser under the Financial Advisers Act (Cap. 110);
- any approved holding company, securities exchange, futures exchange, recognised market operator, designated clearing house or holder of a capital markets services licence under the Securities and Futures Act (Cap. 289);
- any trustee for a collective investment scheme authorised under section 286 of the Securities and Futures Act, that is approved under that Act;
- any trustee-manager of a business trust that is registered under the Business Trusts Act (Cap. 31A);
- any licensed trust company under the Trust Companies Act (Cap. 336);
- any holder of a stored value facility under the Payment Systems (Oversight) Act (Cap. 222A); and [42/2007 wef 01/11/2007]
- any other person licensed, approved, registered or regulated by the Authority under any written law,
I am not so sure whether all the financial institutions (especially the smaller ones) will be able to cope with the stringent requirements listed in the proposed guidelines and notice.
For example, even the big financial institutions might not be able to guarantee recovery of their critical systems within four hours of a disaster.
The good thing is that a “notice” and a set of “guidelines” carry different legal weight: an MAS notice is legally binding on the institutions it covers, whereas guidelines set out the practices MAS expects institutions to adopt but are not themselves legally binding.
Nevertheless, interested parties should look at these two proposals and give their views and comments on the two consultation papers to MAS. The closing date for feedback is 16 July 2012.
Consultation Paper on Technology Risk Management Guidelines
Consultation Paper on Notice on Technology Risk Management