Systems check – getting ready for 1 July 2014
June 2014 | EXPERT BRIEFING | BANKING & FINANCE
The Monetary Authority of Singapore (MAS) has issued a number of guidelines and notices over the years. Among the most recent are those relating to technology risk management: the Technology Risk Management Guidelines 2013 (the Guidelines) and the Notices on Technology Risk Management 2013 (the Notices). The requirements of both are to be observed by financial institutions operating in Singapore.
The Guidelines and Notices are aimed at encouraging financial institutions to adopt robust measures to safeguard their IT systems, as well as their customer information, against the risks associated with the increasingly widespread adoption by financial institutions of complex technology-based systems. Such technology-related risks originate not only from internal factors, such as a lack of proper management and oversight over the financial institution’s information security policies and processes, but also from external factors, such as cyber-attacks and hacking attempts, and risks in connection with the outsourcing of IT functions to overseas suppliers or suppliers’ use of overseas subcontractors.
1 July 2014 deadline
Importantly, the various Notices on Technology Risk Management 2013 take effect on 1 July 2014. By this deadline, financial institutions are required to roll out measures to comply with a set of legal requirements to safeguard critical systems and customer information.
In order to comply with the Notices, financial institutions must first be able to identify ‘critical systems’ within their establishment. Definitions are by nature problematic. They must be sufficiently broad to include all activities intended to be regulated, and yet narrow enough to have meaning and give sufficient guidance.
According to MAS, a ‘critical system’ means a system, the failure of which will cause significant disruption to the operations of the financial institution, or materially impact the financial institution’s service to its customers, such as a system which processes transactions that are time critical, or provides essential services to customers. Examples of critical systems include Automated Teller Machine (ATM) systems, online banking systems, and systems that support payment, clearing or settlement functions.
Among other things, financial institutions are required to put in place and document frameworks and formal processes to facilitate the identification of critical systems. Although the Notices do not require financial institutions to submit such documentation for MAS’ review and approval, MAS may request such documentation during its ongoing supervision of the financial institution.
Below are a number of observations about the MAS Notices and the concept of a critical system.
A critical system does not necessarily contain customer information, and a system that contains customer information is not necessarily a critical system. The MAS Notices are concerned not only with critical systems but also with systems that are connected to customer information. These two categories of systems, although not mutually exclusive, are treated differently by the Notices: a critical system must meet a high-availability standard, whereas a system that merely contains or is connected to customer information need not.
Customer information is not limited to information that identifies the customer. The Notices do not define ‘customer information’. The FAQs issued by MAS refer to ‘customer information’ as “information held by the [financial institution] that relates to its customers and these include customers’ accounts, particulars, transaction details and dealings with the [financial institution]”. Importantly, a system may contain information that does not identify the customer but nonetheless relates to the customer. Such a system is still regulated by the Notices.
A critical system is held to a high-availability standard, but is not defined by that standard. A critical system is one for which high availability is required. The standard imposed by the Notices is that the maximum unscheduled downtime must not exceed a total of four hours within any period of 12 months, and the recovery time objective (RTO) must not exceed four hours. Implicitly, the Notices recognise that no system is fail-safe: MAS will tolerate a limited amount of failure, up to four hours of unscheduled downtime in any 12-month period, provided that recovery of service from each incident is managed within the RTO.
The requirement for high availability is not part of the definition of a critical system. The standard imposed by the Notices should therefore not be used, as part of a business impact analysis, to determine whether a system is or is not a critical system. The Notices define a critical system only in terms of significant operational disruption and material service impact in the event of a system failure.
Thus, even if a financial institution has performed a business impact analysis and determined that an RTO of, say, 24 hours is sufficient for a system, it does not follow that the system is not a critical system. Conversely, once the financial institution has identified a system as a critical system, it must apply the standard imposed by the applicable Notice, regardless of what its own impact analysis says about the RTO.
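The two numerical limits described above (four hours of unscheduled downtime in total within any 12-month period, and a four-hour RTO per incident) are easy to state but easy to mis-measure, because the 12-month period is a sliding window rather than a calendar year, scheduled maintenance is excluded, and an outage that straddles the edge of a window must be apportioned. The following script is an added example, not part of the original article and not MAS material: it takes a constructed outage log in an assumed CSV-style format, finds the 12-month window with the most unscheduled downtime for each system, and reports which limit, if either, was exceeded. The 365-day window length, the log format and the assumption that every unscheduled outage affected operations or customers are the author's assumptions, not the text of the Notices.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as the article describes them for critical systems under the Notices.
MAX_UNSCHEDULED_DOWNTIME = timedelta(hours=4)   # total within any 12-month period
MAX_RTO = timedelta(hours=4)                    # recovery time objective per incident
WINDOW = timedelta(days=365)                    # "any period of 12 months" (assumption: 365 days)

# Constructed sample outage log (not real data). The format is an assumption:
# system, outage_start, service_restored, scheduled|unscheduled (ISO 8601, one zone)
SAMPLE_LOG = """\
# system,outage_start,service_restored,kind
ATM-SWITCH,2012-06-01T01:00,2012-06-01T04:00,unscheduled
ATM-SWITCH,2013-08-01T02:00,2013-08-01T03:30,unscheduled
ATM-SWITCH,2013-11-10T09:00,2013-11-10T10:00,unscheduled
ATM-SWITCH,2013-12-24T23:00,2013-12-25T01:00,unscheduled
ATM-SWITCH,2014-03-02T00:00,2014-03-02T06:00,scheduled
IBANK,2013-09-05T12:00,2013-09-05T17:30,unscheduled
CARDS,2014-01-15T03:00,2014-01-15T06:00,unscheduled
"""


@dataclass(frozen=True)
class Outage:
    system: str
    start: datetime
    restored: datetime
    scheduled: bool

    @property
    def duration(self) -> timedelta:
        return self.restored - self.start


def parse_log(lines):
    """Parse the constructed CSV-style log into Outage records, skipping comments and blank lines."""
    outages = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        system, start, restored, kind = (f.strip() for f in line.split(","))
        outages.append(Outage(system, datetime.fromisoformat(start),
                              datetime.fromisoformat(restored), kind == "scheduled"))
    return outages


def _overlap(outage, w_start, w_end):
    """Portion of an outage inside [w_start, w_end), so an outage straddling a window edge is apportioned."""
    lo, hi = max(outage.start, w_start), min(outage.restored, w_end)
    return max(hi - lo, timedelta(0))


def worst_window(outages, window=WINDOW):
    """Return (total downtime, window start) for the sliding window of the given length
    that contains the most downtime. Total downtime is piecewise linear in the window
    position, so its maximum lies where a window edge coincides with an outage start
    or end; checking those candidate positions is exhaustive."""
    best_total, best_start = timedelta(0), None
    candidates = set()
    for o in outages:
        candidates.update({o.start, o.restored, o.start - window, o.restored - window})
    for w_start in sorted(candidates):
        total = sum((_overlap(o, w_start, w_start + window) for o in outages), timedelta(0))
        if total > best_total:
            best_total, best_start = total, w_start
    return best_total, best_start


def assess(outages, system):
    """Check one critical system against the two availability limits described in the article.
    Only unscheduled outages count. Assumption: every unscheduled outage affected
    operations or customer service and therefore counts towards the limit."""
    mine = [o for o in outages if o.system == system and not o.scheduled]
    total, w_start = worst_window(mine)
    return {
        "system": system,
        "worst_12m_downtime_hours": total.total_seconds() / 3600,
        "window_start": w_start.isoformat() if w_start else None,
        "downtime_limit_breached": total > MAX_UNSCHEDULED_DOWNTIME,
        "rto_breaches": [o.start.isoformat() for o in mine if o.duration > MAX_RTO],
    }


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG.splitlines())
    for name in sorted({o.system for o in log}):
        print(assess(log, name))
```

On the sample data, ATM-SWITCH breaches the four-hour total (three short outages of 1.5, 1 and 2 hours fall inside one 12-month window) without any single incident exceeding the RTO, which is the case a calendar-year report would miss; IBANK breaches both limits with one 5.5-hour outage; CARDS, at three hours, is within both. Note that the script measures a system against the standard once it has been identified as critical; consistent with the point made above, it is not a test of whether a system is critical in the first place. In production use the outage clock would need a defined start (detection versus first customer impact), a single time zone, and an agreed rule for which outages "affect operations or service to customers".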
The threshold for a system to qualify as a ‘critical system’ is low. A critical system is defined by reference to the potential for significant operational disruption or material service impact in the event of a system failure. Higher rates of technology adoption, greater customer expectations and keener market competition all result in the more pervasive deployment of just-in-time, real-time and 24/7 systems. Along with time-critical systems and systems that provide essential services, these systems are likely to be critical systems. The result is that more and more of a financial institution’s systems will fall within the definition of a critical system.
Reporting and notification obligations
Under the Notices, both critical systems and systems connected to customer information attract certain reporting and notification obligations in respect of ‘relevant incidents’. A ‘relevant incident’ is a system malfunction or IT security incident that has a severe and widespread impact on the financial institution’s operations, or materially impacts its service to its customers. Where a relevant incident has occurred, the financial institution is required to notify MAS as soon as possible, and in any event within one hour, of discovering the relevant incident.
Further, within 14 days of the discovery of the relevant incident (or such longer period as MAS may allow), the financial institution is required to submit a root cause and impact analysis to MAS. The root cause and impact analysis should include an executive summary of the incident, detailed analysis and explanation on the causes of the incident, impact of the incident on the financial institution’s operations, customers and compliance with regulations, as well as remedial measures taken by the financial institution to address the impact and consequences of the relevant incident. A template format for the root cause and impact analysis report can be found on the MAS website.
Impact of notices
A failure to comply with the Notices may attract a fine, termination of licence and other sanctions. The impact of these requirements is widespread, as the definition of ‘financial institutions’ is broad.
‘Financial institutions’ refers to any person licensed, approved, registered or regulated by MAS under any written law, which includes banks, finance companies, money-changers and remitters, insurers and insurance intermediaries, financial advisers, approved holding companies, securities and futures exchanges, market operators, trade repositories, clearing houses and holders of a capital markets services licence, trustees of collective investment schemes, trustee-managers of business trusts and trust companies, and holders of a stored value facility.
From an IT procurement or IT outsourcing perspective, the Notices directly affect the terms and conditions of an IT supply contract for systems identified as critical systems: the supplier’s availability, recovery time and incident reporting commitments must be capable of supporting the four-hour downtime and RTO standard and the one-hour notification obligation that the Notices impose on the financial institution.
In view of the above, financial institutions should ensure that the review of each of their critical systems is completed well ahead of the lead time likely to be needed to implement changes to those systems and to bring their IT suppliers into line.
Chia Ling Koh is a partner and Angelique Chan is an associate at ATMD Bird & Bird LLP. Mr Koh can be contacted on +65 6428 9452 or by email: firstname.lastname@example.org. Ms Chan can be contacted on +65 6534 5266 or by email: email@example.com.
© Financier Worldwide