TRM background
Currently, the MAS administers TRM requirements through various acts including the Banking Act 1970 and the Payment Services Act 2019 (PSA). These acts are supplemented by guidelines and notices, such as Notice PSN05 Technology Risk Management (last updated on 5 December 2019) (PSN05) and Notice 1114 Technology Risk Management (last updated on 1 July 2021) (Notice 1114).
The status quo for regulated entities allows them to enjoy sector-specific guidelines and notices, such as for payment services and banks. However, technology security risks have grown steadily across the finance sector. These risks came to a head in 2021, with around 800 Singapore bank customers collectively losing almost S$14 million to phishing scams, among others. The status quo of sector-specific guidelines and notices is no longer relevant because all entities are facing increasing technology risks.
The existing sector-specific enforcement options are disproportionately smaller than the scale of damage. For example, a breach of PSN05 is punishable upon conviction with a maximum fine of S$100,000 under section 102(5) of the PSA even if the financial impact of the breach is substantially larger.
With consumers being exposed to a wider range of financial services underpinned by technology, it is timely for the MAS to adopt a harmonised approach to TRM requirements across all financial institutions (FIs) with increased fine amounts to reflect growing risks.
Key TRM changes
The FSM Bill gives the MAS a harmonised power to impose the same TRM requirements across all FIs and increases the fine amounts for breaches.
Under the FSM Bill, the maximum penalty per breach of a TRM requirement is S$1 million. A major disruption with multiple breaches of TRM requirements could result in a multi-million dollar fine for an FI. This can arise when an FI’s various services, like ATMs and online banking, are disrupted simultaneously. The penalty quantum is in line with the penalties imposed in other acts, like the Telecommunications Act 1999 and the Personal Data Protection Act 2012, reflecting the critical importance of TRM in FI operations. This quantum also deters FIs from delaying their implementation of TRM measures.
The imposition of a maximum financial penalty in the FSM Bill is a significant shift from the MAS TRM Guidelines (last updated in January 2021), which do not specify any enforcement actions and serve primarily as a set of principles for FIs to consider as part of their best practices. The FSM Bill’s penalty quantum gives the MAS a greater range of options in punishing breaches of TRM-related notices like PSN05 and Notice 1114. Previously, the MAS was limited to smaller fines like the maximum S$100,000 fine for breaching PSN05 above, supervisory actions such as additional capital requirements imposed after the outage of a Singapore bank’s services in 2021, and the more drastic option of revoking licences under sections 11(c) and 11(e) of the PSA.
The enhanced penalty regime supports concurrent MAS measures, such as the measures announced on 19 January 2022 to bolster the security of digital banking and mitigate phishing scams like those seen at the end of 2021. It is a major step forward in elevating and clarifying the role of TRM for FIs.
Next steps
When the FSM Bill takes effect, the MAS is expected to clarify and update its expectations of FIs in its notices and guidelines. Ministries and other state authorities are also in the process of reviewing related legislation and soft laws. For example, in March 2022, the Cyber Security Agency of Singapore commenced a review of the Cybersecurity Act 2018 and the Cybersecurity Code of Practice. With future legislation appearing to favour a harmonised approach, FIs should keep abreast of the regulatory landscape to ensure compliance.
Our recognised financial regulatory and cybersecurity lawyers are experienced and highly familiar with the sector’s latest developments. If you wish to discuss any aspects of the FSM Bill, please reach out to our team below or to your usual Reed Smith contact.
Client Alert 2022-115
