Financial institutions to face higher penalty for cyber attacks, disruptions under new Bill


SINGAPORE - Financial institutions could face higher penalties for a cyber attack or disruption to essential services if a new Bill is passed in Parliament.

Financial institutions today rely heavily on technology to deliver financial services, Monetary Authority of Singapore (MAS) board member Alvin Tan told Parliament on Monday (April 4) during the second reading of the Financial Services and Markets Bill.

"However, the current maximum penalties that can be imposed for breaches of technology risk management requirements are not commensurate with the potential widespread impact to FIs' (financial institutions') customers and the financial industry that could result from such breaches," he added.

With the passing of the Bill, the maximum penalty for each breach of a technology risk management requirement will be raised to $1 million.

A technology event that impacts a financial institution's customers or other industry participants could involve breaches of several such requirements, so the financial penalty could be much more than $1 million for a serious cyber attack or disruption to an essential financial service. Such situations include ATM network and online trading disruptions.

"The quantum proposed is intended to underscore the critical importance of technology risk management to FIs' operations and the sound functioning of the financial system," said Mr Tan, who is also Minister of State for Trade and Industry, as well as for Culture, Community and Youth.

The quantum was derived after considering existing penalty regimes of other jurisdictions and Singapore government agencies, he added.

The MAS also takes other supervisory actions such as requiring financial institutions to set aside additional regulatory capital until it is satisfied that adequate risk control measures have been put in place.

In February, it required DBS Bank to set aside another $930 million in capital following the widespread outage of its digital banking services last November.

The Financial Services and Markets Bill, first tabled in Parliament in February, will also give the regulator more oversight in areas such as prohibition orders and digital token services.

It will give the MAS broader powers to impose prohibition orders - issued in cases of serious misconduct such as fraud - against people who have shown themselves to be unfit to perform key roles, activities and functions in the financial industry.

This is currently limited to certain people such as trading representatives and insurance agents, and not those carrying out other activities such as providing payment services and conducting risk management.

The proposed law will also allow MAS to regulate digital token service providers created in Singapore but which do not provide their services here. Digital tokens include digital payment tokens, or cryptocurrencies, and digital representations of capital markets products.

Currently, entities that provide digital token services in Singapore are subject to current legislation regardless of where they are established.

However, service providers created in Singapore that provide services only elsewhere are unregulated for anti-money laundering and countering the financing of terrorism (AML/CFT), which creates reputational risks for the Republic, said Mr Tan.

The Bill seeks to mitigate such risks by licensing these players and imposing AML/CFT requirements on them, among other requirements.

The proposed law will also provide statutory protection against liability for mediators, adjudicators and employees working in dispute resolution approved by MAS.

"This will strengthen the confidence and autonomy of these individuals when they carry out their duties and align the level of protection for them more closely with that of other public dispute resolution bodies in Singapore and internationally," said Mr Tan.

A total of seven MPs spoke on the Bill on Monday.

Mr Saktiandi Supaat (Bishan-Toa Payoh GRC) suggested subjecting Singapore digital token service providers who advertise outside of Singapore to the same restrictions placed on digital payment token players operating here.

He also cautioned that the high technology risk management penalty could discourage financial institutions from working with fintech start-ups that might not be able to invest in complex cyber-security defences.

Workers' Party MP Louis Chua (Sengkang GRC) said that while digital token licences should not be hastily awarded, approving or rejecting such applications expeditiously will allow responsible market players to move forward with their business plans, and create a vibrant and innovative sector.

Mr Tan is expected to respond to the points raised when the debate on the Bill resumes on Tuesday.
