Currently, the MAS administers TRM requirements through various acts including the Banking Act 1970 and the Payment Services Act 2019 (PSA). These acts are supplemented by guidelines and notices, such as Notice PSN05 Technology Risk Management (last updated on 5 December 2019) (PSN05) and Notice 1114 Technology Risk Management (last updated on 1 July 2021) (Notice 1114).
Under the status quo, regulated entities enjoy sector-specific guidelines and notices, such as those for payment services and banks. However, technology security risks have grown steadily across the finance sector. These risks came to a head in 2021, with around 800 Singapore bank customers collectively losing almost S$14 million to phishing scams, among others. The status quo of sector-specific guidelines and notices is no longer relevant because all entities are facing increasing technology risks.
The existing sector-specific enforcement options are disproportionately small relative to the scale of damage. For example, a breach of PSN05 is punishable upon conviction with a maximum fine of S$100,000 under section 102(5) of the PSA, even if the financial impact of the breach is substantially larger.
With consumers being exposed to a wider range of financial services underpinned by technology, it is timely for the MAS to adopt a harmonised approach to TRM requirements across all financial institutions (FIs) with increased fine amounts to reflect growing risks.