MAS tightens rules to avoid protracted financial service outages amid rapid digitalisation

The end-to-end dependencies of these critical services will also need to be laid out to plug gaps that may hinder speedy recovery in a disruption. PHOTO: ST FILE

SINGAPORE - All financial institutions will soon be required to specify a recovery time should critical services suffer an outage, including intermittent ones, under revised rules released on Monday (June 6).

All the suppliers, technology and people involved in delivering these critical services will also need to be specified, to plug gaps that may hinder speedy recovery in a disruption, according to the Monetary Authority of Singapore's (MAS) Business Continuity Management guidelines in its first major update in almost two decades.

For instance, if third-party service providers are used, financial institutions need to know when the third party's systems were last checked for security compromises, as well as the third party's emergency contact numbers, among other details.

Critical services include cash withdrawals, fund transfers, card or e-wallet payments, insurance policy renewals and stock trading.

To be effective from June 6 next year (2023), the updated guidelines come amid heightened threats from pandemic outbreaks, cyber hacking and terrorism.

The growing complexity and interdependence of online systems also mean more potential points of failure and a greater risk of protracted service recovery, necessitating an update to the guidelines to better address these risks.

"Recovering from incidents is harder these days, and requires more thoughtful and in-depth business continuity planning," said Mr Vincent Loy, assistant managing director for technology at MAS.

"Rapid digitalisation and ever more complex digital links between systems, including those of third parties, can have critical impact on financial operations," he added.

A case in point: The widespread unavailability of DBS Bank's digital banking services, including instant payment option PayNow, over two days in November last year (2021). Similarly, in July last year, UOB customers were unable to access Internet and mobile banking services for about two hours.

Other high-profile cyber attacks overseas also had ripple effects here in the past year - involving network management company SolarWinds, American oil pipeline system Colonial Pipeline and software firm Kaseya - and demonstrated how disruptive supply chain breaches and ransomware attacks can be.

These disruptions reinforced the MAS' belief that the guidelines needed an update. The authority incorporated feedback from two rounds of public consultation that started in 2019.

Under the new guidelines, financial institutions also need to address concentration risks through the centralisation of people, technology and resources in the same physical location or when functions are outsourced to one service provider.

Applying lessons from the Covid-19 pandemic, financial institutions need to separate primary and secondary sites of critical business services, deploy critical personnel across different zones and activate cross-border support as a contingency during disruptions, among other measures.

Third-party vendors need to observe similar requirements, or financial institutions could diversify their vendor selection to mitigate the risk of a single point of failure.

The MAS also requires financial institutions to conduct an independent audit of their business continuity plans every three years, with the first audit due by June 6, 2024, to assess if their plans are adequate.

The business continuity guidelines work with another set of rules dubbed the MAS Technology Risk Management notice – which stipulates less than four hours of unscheduled downtime of critical systems in a year, among other requirements – to ensure that essential services are not disrupted.

Under the Financial Services and Markets Bill passed in Parliament earlier this year, financial institutions could face up to $1 million of fines for each breach of a technology risk management requirement for a serious cyber attack or disruption to an essential financial service.

The MAS also takes other supervisory action such as requiring financial institutions to set aside additional regulatory capital until it is satisfied that adequate risk control measures have been put in place.

In February, it required DBS to set aside another $930 million in capital following the widespread outage of its digital banking services last November.