The Monetary Authority of Singapore (MAS) updated its Business Continuity Management (BCM) Guidelines for Financial Institutions (FIs) based on what it has learned from the COVID-19 outbreak and the rise of digitalisation in the financial sector. This will help FIs be better prepared for service disruptions caused by IT outages, pandemics, cyberattacks, and physical threats.
“Against the backdrop of an increasingly volatile and complex environment, the new guidelines will help financial institutions to take an agile and holistic approach in sustaining their critical business services when faced with threats and risk of disruption,” said Vincent Loy, Assistant Managing Director for Technology, MAS.
The updated Guidelines offer additional insights into what FIs may do to better manage the increasingly complex operational environment and threat landscape so that they can continue to provide services to their clients on a consistent basis.
FIs should follow the updated Guidelines by 1) adopting a service-centric approach through the timely recovery of critical, customer-facing business services; 2) identifying the end-to-end dependencies that support critical business services and addressing any gaps that could hinder the effective recovery of such services; and 3) enhancing threat monitoring and environmental scanning, and conducting regular audits, tests, and industry exercises.
MAS acknowledged all respondents from two rounds of public consultations for their helpful input in the development of the Guidelines.
Stability of the Financial System
MAS values both the soundness of individual financial institutions and the stability of the financial system, and FIs are expected to have procedures in place that reduce the likelihood of operational disruptions, including identifying and eliminating potential single points of failure early on.
Due to time and resource restrictions, it may not be practical or viable to restore all business services and functions as soon as possible in the case of an interruption. To establish the right recovery procedures and resource allocation, the FI should prioritise the recovery of its business services and functions based on their criticality.
Furthermore, the FI should set a Service Recovery Time Objective (SRTO) for each critical business service, and should take into account its responsibilities to clients and to other FIs that rely on those business services.
Increasing reliance on IT systems and external parties has made the financial sector highly interconnected. Dependency mapping will help the FI identify the resources vital to service delivery, analyse the implications of their unavailability, and resolve any gaps that could hinder the recovery of critical business services.
On the other hand, centralising activities has economic benefits, but concentration risk arises when people, technology, or other resources are concentrated in one zone. FIs may be susceptible to concentration risk when several of their core business services and functions. FIs may consider adopting various measures to limit concentration risk and reduce the impact of a disruption.
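The dependency mapping, single-point-of-failure and concentration-risk checks described above can be made concrete with a small graph analysis. The following is an added example and is not part of the MAS Guidelines or any FI's tooling; the service names, recovery times, zones and SRTOs are constructed, and it assumes that a service cannot be restored until the resources it depends on are back (so the achievable recovery time is the slowest dependency chain, not a parallel restore).

```python
from collections import defaultdict

# Constructed dependency map (hypothetical FI, not from the Guidelines).
# Each node carries its own recovery time objective in hours, the zone
# (data centre / vendor) it lives in, and its direct dependencies.
DEPENDENCIES = {
    "retail_payments":   {"rto": 1, "zone": "dc_east", "deps": ["core_banking", "payment_gateway"]},
    "online_banking":    {"rto": 1, "zone": "dc_east", "deps": ["core_banking", "identity_provider"]},
    "core_banking":      {"rto": 4, "zone": "dc_east", "deps": ["primary_db", "mainframe_site"]},
    "payment_gateway":   {"rto": 2, "zone": "dc_east", "deps": ["vendor_switch"]},
    "identity_provider": {"rto": 1, "zone": "dc_west", "deps": []},
    "primary_db":        {"rto": 3, "zone": "dc_east", "deps": []},
    "mainframe_site":    {"rto": 8, "zone": "dc_east", "deps": []},
    "vendor_switch":     {"rto": 6, "zone": "vendor",  "deps": []},
}

# Constructed Service Recovery Time Objectives for the customer-facing services.
SRTO = {"retail_payments": 8, "online_banking": 6}


def recovery_time(node, graph, memo=None):
    """Worst-case hours to bring `node` back: its own RTO plus the slowest
    chain of dependencies beneath it (assumption: sequential restore)."""
    memo = {} if memo is None else memo
    if node not in memo:
        longest = max((recovery_time(d, graph, memo) for d in graph[node]["deps"]), default=0)
        memo[node] = graph[node]["rto"] + longest
    return memo[node]


def srto_gaps(graph, srto):
    """Services whose achievable recovery time exceeds the SRTO set for them."""
    return {svc: (recovery_time(svc, graph), obj)
            for svc, obj in srto.items() if recovery_time(svc, graph) > obj}


def critical_chain(node, graph):
    """The dependency chain that drives the recovery time, i.e. where
    remediation effort (redundancy, faster restore) pays off most."""
    chain, deps = [node], graph[node]["deps"]
    while deps:
        slowest = max(deps, key=lambda d: recovery_time(d, graph))
        chain.append(slowest)
        deps = graph[slowest]["deps"]
    return chain


def transitive_deps(node, graph):
    """All resources `node` depends on, directly or indirectly."""
    seen, stack = set(), list(graph[node]["deps"])
    while stack:
        d = stack.pop()
        if d not in seen:
            seen.add(d)
            stack.extend(graph[d]["deps"])
    return seen


def shared_dependencies(graph, services):
    """Resources on which more than one critical service depends: candidate
    single points of failure unless an alternative exists for them."""
    users = defaultdict(set)
    for svc in services:
        for d in transitive_deps(svc, graph):
            users[d].add(svc)
    return {d: sorted(s) for d, s in users.items() if len(s) > 1}


def zone_concentration(graph, services):
    """For each service, the zone holding most of its footprint and the
    fraction of nodes (service plus dependencies) located there."""
    result = {}
    for svc in services:
        nodes = transitive_deps(svc, graph) | {svc}
        counts = defaultdict(int)
        for n in nodes:
            counts[graph[n]["zone"]] += 1
        zone, n = max(counts.items(), key=lambda kv: kv[1])
        result[svc] = (zone, n / len(nodes))
    return result


if __name__ == "__main__":
    services = list(SRTO)
    print("SRTO gaps (achievable, objective):", srto_gaps(DEPENDENCIES, SRTO))
    for svc in services:
        print(svc, "critical chain:", " -> ".join(critical_chain(svc, DEPENDENCIES)))
    print("Shared dependencies:", shared_dependencies(DEPENDENCIES, services))
    print("Zone concentration:", zone_concentration(DEPENDENCIES, services))
```

On the constructed data both services miss their SRTO by a wide margin, and the critical chain points at the mainframe site rather than the vendor switch, which is the kind of finding that tells a BCM team where redundancy or a faster restore path would actually close the gap. The shared-dependency list surfaces `core_banking`, `primary_db` and `mainframe_site` as resources whose loss takes down every critical service at once, and the zone figures show how much of each service's footprint sits in a single data centre.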
Globalisation and technological innovation allow FIs to improve their business processes, but the growing reliance on technology and external parties also increases their risk; the FI should therefore proactively address these risks and seek out ways to improve its BCM.
In addition, the FI should conduct regular and comprehensive testing to ensure its response and recovery arrangements are resilient and can continue delivering important business services and functions after an interruption.
The FI should also ensure that its audit process assesses BCM preparedness in light of its operational risks, and should have robust incident management procedures to restore important services and functions within their SRTOs/RTOs.
Furthermore, the board and senior management are accountable for business continuity. A protracted disruption of the FI's core business services and functions could harm its reputation, its financial safety and soundness, or the wider financial ecosystem.