MAS warns financial institutions to prep for risks

ATMs for Singapore banks UOB, DBS and OCBC at the city-state's Changi Airport. Photo taken April 2022ATMs for Singapore banks UOB, DBS and OCBC at the city-state's Changi Airport. Photo taken April 2022

This item originally appeared on finews.asia

Singapore’s central bank has issued tighter guidelines for financial institutions faced with business disruptions.

The Monetary Authority of Singapore (MAS) has revised its directions for financial institutions for handling service disruptions, issuing a fresh set of business continuity management (BCM) guidelines on Monday. The new guidelines took the impact of the Covid-19 pandemic as well as increased digitalization into account, the MAS said.

“Operational disruptions, if not recovered speedily, may compromise the ability of financial institutions (FIs) to meet their business obligations, resulting in financial and reputational damage, as well as inconvenience to customers,” the MAS said in the guidelines. “Given that FIs are highly interconnected, severe disruptions may have a broader contagion effect on the financial system.”

Recent Disruptions

The tighter guidelines come hard on the heels of recent disruptions at all three of Singapore’s banks.

In February, the MAS required DBS to set aside around S$930 million in additional regulatory capital after a serious failure of its digital banking services in November 2021. The central bank cited deficiencies in DBS’ incident management and recovery procedures. In February of this year, Singapore bank UOB also suffered hours-long disruptions to its ATMs and mobile app. OCBC was also required to hold more capital after criticism of its slow response to a surge in sophisticated scams targeting its customers late last year.

Under the new guidelines, FIs are expected to identify their critical business services to prioritise their recovery, as well as determine recovery strategies and asset allocation, the guidelines said. FIs will also need to establish a service recovery time objective (SRTO) for each critical business service to guide decision-making, the MAS said.

Mitigating Risks

FIs will need “dependency mapping” to show how systems including technology, people, third parties and other resources are connected, and to identify how their unavailability might hinder recovery of services, the MAS said. That would include ensuring third parties have BCM plans which are regularly tested, as well as measures to address disruption of utility services the MAS said.

FIs are also expected to mitigate concentration risks from having people, technology or other resources in the same zone, as well as the risks of having multiple critical business services outsourced to a single service provider, the guidelines said. In addition, FIs need to mitigate the risks from alternative work arrangements, the MAS said.

The MAS said FIs must also regularly conduct comprehensive, meaningful testing of its BCM framework, including practising decision making in simulated conditions and stress tests of severe but plausible scenarios. FIs should participate in industry and cross-sector exercises organized by government agencies and industry associations to strengthen joint responses, the MAS said.