Effective as of July 2014, the Monetary Authority of Singapore (MAS) has imposed updated Technology Risk Management (TRM) Guidelines on all financial institutions that have any form of operations in the territory, no matter where in the world they are based. At the same time, MAS published several related TRM Notices, which are legally binding. Non-compliance can result in the following for financial institutions:
Previously only applying to banks with online operations, the guidelines were updated to address the need for all financial institutions to adopt sound operational practices for managing technology risks, given factors including:
The updated guidelines are intended to ensure that all financial institutions manage risk in a way that supports MAS’ approach of promoting a sound and progressive financial services sector. They aim to ensure that every financial institution establishes a sound and robust technology risk management framework by ensuring that technology controls are effective and resilient. They place a focus not only on resiliency, but also on availability and recoverability in the case of a serious security incident or systems outage. Further, they place an emphasis on ensuring that customers and sensitive data are adequately protected.
The TRM Guidelines specify technology processes and controls that financial institutions should implement in a range of functional areas, including risk management oversight and framework, system reliability, availability and recoverability, access control, provision of online services, and payment mechanisms. The guidelines are broad and detailed—to a level previously only seen in the PCI DSS industry standards.