Effective as of July 2014, the Monetary Authority of Singapore (MAS) has imposed updated Technology Risk Management (TRM) Guidelines on all financial institutions that have any form of operations in the territory, no matter where in the world they are based. At the same time, MAS published several related TRM Notices, which are legally binding. Non-compliance can result in the following for financial institutions:
- Financial penalties
- Reputational damage
- Revocation of licence to operate in Singapore
Previously only applying to banks with online operations, the guidelines were updated to address the need for all financial institutions to adopt sound operational practices for managing technology risks, given factors including:
- Reliance on increasingly complex IT systems
- Recent, high-profile security incidents and system failures
- Emerging technology risks such as the increased use of mobile devices and virtual environments
- Growing concern regarding risks posed by rogue insiders
The updated guidelines are intended to ensure that all financial institutions manage risk in a way that supports MAS’ approach of promoting a sound and progressive financial services sector. They aim to ensure that every financial institution establishes a sound and robust technology risk management framework by ensuring that technology controls are effective and resilient. They place a focus not only on resiliency, but also on availability and recoverability in the case of a serious security incident or systems outage. Further, they place an emphasis on ensuring that customers and sensitive data are adequately protected.
The TRM Guidelines specify technology processes and controls that financial institutions should implement in a range of functional areas, including risk management oversight and framework, system reliability, availability and recoverability, access control, provision of online services, and payment mechanisms. The guidelines are broad and detailed—to a level previously only seen in the PCI DSS industry standards.
