Background
The TRM Guidelines and BCM Guidelines, which apply to all types of FI in Singapore, aim to promote best-practice standards for FIs in the management of technology risk and business disruption risk. While contravention of these guidelines is not a criminal offence and does not attract civil penalties, FIs are encouraged to observe the spirit of these guidelines, and the degree of observance by an FI may have an impact on the MAS’ overall risk assessment of that FI.
The CPs issued on 7 March 2019 propose that FIs further enhance their operational resilience, and are driven in large part by the emergence of new risks since the TRM Guidelines and BCM Guidelines were issued (in 2013 and 2003 respectively), such as cyber threats and risks arising from the Internet of Things.[1] These proposals confirm the MAS’ continued focus on cyber risks and coincide with the creation of a new MAS Technology Group, which has a mandate to drive digital transformation, enable an integrated approach to providing technology solutions and systems, and strengthen supervision of technology risks.
The proposals in the CPs have already received initial industry input, notably from the MAS Cyber Security Advisory Panel, which comprises international cyber security thought leaders.
Key changes proposed
The CPs contain updated versions of the TRM Guidelines and BCM Guidelines. Although much of the existing substance of the guidelines has been retained, the new versions have been almost entirely redrafted and expand the requirements for FIs.
Key proposed changes to the TRM Guidelines include the following:
- Board and senior management: Additional emphasis is placed on the board of directors and senior management of FIs having the necessary skills and understanding of technology risks, and establishing a strong risk culture and a sound and robust technology risk management framework.
- Software development best practices: FIs should adopt secure software development best practices, such as secure coding and code review when using Agile development methods[2] and enforcement of the segregation of duties in key DevOps practices.[3]
- Emerging technologies: Additional guidance is included to manage risks arising from emerging technologies such as APIs,[4] smart electronic devices and virtualisation, to improve service delivery and efficiency.
- Cyber threats: Further guidance has been included on cyber surveillance, cyber security assessment and testing, and cyber incident management.
- MAS circulars: MAS circulars issued after July 2013 on vulnerability assessment and penetration testing, IT security risks posed by personal mobile devices, early detection of cyber intrusions and technology risk, and cyber security training for FIs’ boards of directors have been incorporated.
Key proposed changes to the BCM Guidelines include the following:
- New definition of ‘business function’: In connection with the requirement for an FI to identify business functions that are critical and prioritise them for recovery in the event of a disruption, the definition of ‘business function’ has been revised to reflect the fact that a service may depend on processes performed by several different units within an FI.
- Board and senior management: Additional responsibilities are placed on the board and senior management of FIs, including (among others) the annual review and endorsement of an FI’s business continuity management framework (BCM), critical business functions, business continuity objectives and risk tolerance. Senior management should have clearly defined and documented responsibilities, and are expected to play a key role in implementing the BCM (e.g., via annual attestation of BCM preparedness to the board).
- Business continuity plans (BCPs): FIs will be expected to maintain end-to-end BCPs for each service that is delivered to their customers, which should cover the full recovery process for a given business function.
- Testing and audit: FIs will be required to conduct an annual crisis management and communications exercise and test the BCP for each critical business function. They will also be required to conduct BCM audits through a unit that is independent of the staff involved in the planning and execution of the BCM itself (e.g. internal audit).
- MAS circular: The BCM Guidelines will supersede the MAS’ 2006 Circular on Further Guidance to Business Continuity Management.[5]
The MAS confirms that it will expect FIs to adopt the revised BCM Guidelines within a year following their publication. No equivalent timing indication is provided in respect of the TRM Guidelines.
Practical steps for FIs
While implementing some of the requirements outlined above may pose practical challenges for certain FIs (e.g., smaller FIs or FIs established as a branch in Singapore), FIs will be expected to apply the TRM Guidelines and BCM Guidelines in accordance with the nature, size and complexity of their operations. Where a deviation from the detailed requirements of the guidelines cannot reasonably be avoided, an FI will nonetheless be required to comply with the spirit and intent of the guidelines. For example, the board of a smaller FI may take on responsibilities that would fall to senior management in a larger FI.
Key steps which FIs should take in light of the MAS’ proposals include the following:
- FIs should conduct a gap analysis between their existing risk management policies and procedures and the TRM Guidelines and BCM Guidelines as now proposed, and should identify areas in which their internal control framework requires enhancement.
- The gap analysis should also extend to internal governance arrangements, including reporting lines, committee structures and job descriptions, to ascertain whether these reflect the MAS’ proposals. FIs within scope of the separate MAS proposals for guidelines on individual accountability and conduct (IAC – consulted on in April 2018) may wish to merge this exercise into their broader IAC implementation workstreams.
- FIs should pay particular attention to any new technologies or practices which they have adopted and which may not yet be specifically catered for in their risk management framework (APIs, smart electronic devices, etc.), and should assess which control measures may be required to address the attendant risks.
- An FI should consider whether critical business functions may depend on processes performed by different units within the FI, and whether this operational structure is appropriately catered for in its BCM.
- Organisations designated as owners of critical information infrastructure for essential services for the purposes of the Cybersecurity Act should consider integrating their obligations under the Cybersecurity Act with the requirements in the TRM Guidelines and BCM Guidelines.
- Where risk controls are outsourced, banks and merchant banks should consider overlaying the requirements of the TRM Guidelines and BCM Guidelines with the new outsourcing framework proposed by the MAS in February 2019.
- Organisations that make extensive use of new types of technology will be particularly affected by the MAS’ proposals in relation to emerging technologies, and should factor these into their compliance planning. These may include, for example, firms in the payment services space, including firms such as digital payment token exchanges that will become newly regulated under the Payment Services Act, which is expected to take effect later this year.
- Any practical issues or considerations arising from the implementation process should be fed back to the MAS as part of the consultation process, which closes on 8 April 2019.
How we can assist you
- We can assist by reviewing any of your risk management policies and procedures, advising on their consistency with the TRM Guidelines and BCM Guidelines, highlighting gaps, collating comments for feedback to the MAS, and recommending measures for remediation or enhancement.
- As part of any BCM review, we are able to assess whether your FI has a sufficiently comprehensive incident response plan. For this purpose, we can conduct a tabletop exercise involving relevant stakeholders, to discuss and review the FI’s response to and recovery from incidents.
- We are able to conduct a review of your governance framework to ensure that supervisory activities and the allocation of responsibilities accord with regulatory expectations, and can provide corresponding board and senior management training.
- We are able to advise on the interaction between the TRM Guidelines, BCM Guidelines and other frameworks that impact an FI’s technology and business continuity risk management framework, such as the MAS Outsourcing Guidelines, the Cybersecurity Act, the Personal Data Protection Act and the MAS Principles to Promote Fairness, Ethics, Accountability and Transparency in the Use of Artificial Intelligence.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
[1] The Internet of Things represents, in broad terms, an extension of internet-enabled networks to traditionally non-internet-enabled physical devices and everyday objects.
[2] Agile software development uses an iterative and incremental development model to accelerate software development and delivery to accommodate business and customer needs.
[3] DevOps is the practice of automating and integrating IT operations and quality assurance into the software development process to enable frequent, efficient and reliable releases of software products.
[4] An API (application programming interface) comprises a set of definitions, protocols and tools for building software.
[5] Circular No. SRD BCM 01/2006. This circular is addressed to the CEOs of all banks, merchant banks and finance companies, principal officers of all insurers, all holders of capital market services licences, and Singapore Exchange Ltd.
Client Alert 2019-062