Singapore Internet Banking and Technology Risk Management Guidelines – Risk Management Framework – Summary of Requirements

  • By: Staff Editor
  • Date: April 11, 2013

The Monetary Authority of Singapore published its Internet Banking and Technology Risk Management guidelines in June 2008. This article provides an overview of the risk management framework that the guidelines require financial institutions to follow.
1.     Aim of the Guidelines
By issuing these guidelines and expecting financial institutions to comply with them, the MAS expects the following to be achieved:
  • Establishment of  Technology-Risk Management Frameworks
  • Strong Systems Security -make the technology infrastructure more reliable, available and recoverable
  • Deployment of strong authentication mechanisms to secure customer data and protect transactions
2.     Risk Management Framework
a.      Action Principles
  • Conduct proper risk analysis - Identify, categorize and assess relevant risks
  • Develop and document a risk management plan consisting of policies and processes to help control these risks
  • Continuously monitor these risks and the effectiveness of the plan
  • Update the plan regularly; account for changes in
    • Technology
    • Legal requirements
    • Business Environment (including internal and external threats)
    • Security Vulnerabilities
b.      Primary Requirements
  • The board and the management must the responsibility for managing technology-risks. The senior management must directly oversee risk management functions.
  • There must be a clear understanding between internet applications and back-end support
  • Technology risks must form a part of the conceptualization stage of new internet based products or services
  • Management should conduct periodic security risk assessment to identify internal and external threats that may undermine system integrity, interfere with service or result in the disruption of operations
  • Security awareness, training and education programs should be conducted regularly
  • Disaster recovery and business continuity plans must be developed and implemented and their effectiveness monitored
3.     Risk Management Process
  • Assess the value of the information system assets to be protected
  • Categorize, rank and prioritize the assets
  • Take business decisions on the control measures to be implemented in order to protect assets
  • Implement and institutionalize asset protection policy and ensure top management commitment to it
  • Integrate IT security strategy with top management deliverables
4.     Risk Identification
  • Enlist threats present in the Internet System Configuration
  • This includes hardware and software, internal and external networks, applications, operations and human factors
  • Consider both internet applications and the back-end implications
  • Look at the interaction between the applications and the back end support as this is a key link
  • Actively monitor risks that arise from the denial of service attacks, internal sabotage and malware infestations
5.     Risk Assessment
  • Quantify Risks. Define and rate non-quantifiable risks using a parallel scaling method
  • Develop threat and vulnerability matrix
  • Perform cost benefit analysis of risk management and risk control techniques
  • Develop list of human factors such as motivations, resources and competencies required to carry out attacks to identify possible sources
6.     Risk Control
  • Entails the disaster recovery and business continuity parameters
  • Must be instilled before implementation of framework
  • Procedures must be developed in the context of cost effectiveness
  • Must be a combination of technical, procedural and functional controls
  • Needs to be constantly reassessed
  • Risk control needs to be implemented as a regime or institutionalized as a part of the organization’s culture
7.     Risk Treatment
  • Risk treatment must adhere to all the listed treatment procedures 
  • Alternate treatments must be developed with cost impact in mind
  • Risk treatment must be documented each time and the feedback must be included in the reassessment of risk control policies
Additional Resources

Read the Singapore Internet Banking and Technology Risk Management Guidelines in full.

Best Sellers
You Recently Viewed