MAS is tightening rules to avoid protracted financial service outages amid rapid digitization


SINGAPORE – All financial institutions will soon be required to establish a recovery time should critical services experience an outage, including intermittent ones, under revised rules released Monday (June 6).

All suppliers, technology and people involved in the delivery of these critical services must also be specified to address gaps that may impede rapid recovery in the event of a disruption, per the Monetary Authority of Singapore’s (MAS) Business Continuity Management Guidelines, in their first major update in nearly two decades.

For example, when third-party providers are used, financial institutions need to know, among other things, when the third-party provider’s systems were last checked for security vulnerabilities and the third-party provider’s emergency contact numbers.

Key services include cash withdrawals, wire transfers, card or e-wallet payments, insurance policy renewals and stock trading.

The updated guidelines, set to take effect from June 6 next year (2023), come amid heightened threats from pandemic outbreaks, cyber-hacking and terrorism.

The growing complexity and interdependence of online systems also mean more potential points of failure or time-consuming restoration of services, necessitating policy updates to better address these risks.

“Incident recovery today is more difficult and requires more thoughtful and thorough business continuity planning,” said Mr. Vincent Loy, MAS vice president of technology.

“Rapid digitization and increasingly complex digital connections between systems, including those of third parties, can have a critical impact on financial operations,” he added.

A good example of this is the widespread unavailability of DBS Bank’s digital banking services, including the PayNow instant payment option, on two days in November last year (2021). Similarly, UOB customers were unable to access internet and mobile banking services for about two hours in July last year.

Other high-profile cyberattacks abroad over the past year, including those involving network management company SolarWinds, American oil pipeline system Colonial Pipeline and software company Kaseya, have also had an impact here, demonstrating just how disruptive supply chain breaches and ransomware attacks can be.

These disruptions reinforced MAS’s belief that the guidelines needed to be updated. The agency worked with feedback from two rounds of public consultations that began in 2019.

Under the new guidelines, financial institutions must also address concentration risks that arise from centralizing people, technology and resources in the same physical location or from outsourcing functions to a service provider.

Taking into account the lessons of the Covid-19 pandemic, financial institutions must separate primary and secondary locations of critical business services, deploy key personnel in different zones, and activate cross-border support as an emergency measure in the event of disruptions, among other measures.

Third-party providers must meet similar requirements, or financial institutions could diversify their vendor choices to mitigate the risk of a single point of failure.
