Cybersecurity key to the future of Singapore’s financial services
By Yogesh Hirdaramani
Singapore’s central bank, the Monetary Authority of Singapore (MAS), has laid out its vision for the next three years. Cybersecurity and trust in the financial services sector will be critical towards achieving the nation-state’s ambitions, says Vincent Loy, Assistant Managing Director, Technology Group, MAS, to GovInsider.
Emerging technologies, such as cloud computing and blockchain, are potential sources of cyber risk to the financial sector. Image: Envato Elements
The Financial Services Industry Transformation Map 2025 sets out the central bank’s key priorities and plans to strengthen the Republic’ position as a leading international financial centre in Asia, said Mr Lawrence Wong, Singapore’s Deputy Prime Minister and Minister of Finance, and Deputy Chairman of MAS.
These include digitalising financial infrastructure to promote the development of digital platforms for the bond markets and funds industry, catalysing Asia’s net-zero transition and deepening sustainable finance, and shaping the future of financial networks through expanding cross-border payment linkages and enabling digital currency connectivity.
Central to these plans is the use of secure technology, says Vincent Loy, Assistant Managing Director, Technology Group, MAS, to GovInsider. Not only can robust and secure digital infrastructure bring these plans to life, they can also ensure the growth of a successful fintech industry in the country, he explains.
“If there's no trust, FinTech will not survive, or will not develop further,” he notes.
This is why MAS is actively involved in carefully managing cyber risks and applying a principle-based approach towards the regulation of new technologies, he says.
An ecosystem approach to secure digital adoption
One key concern highlighted by Loy is cyber risks arising from the adoption of third-party services by financial institutions for critical functions. This is why MAS is working closely with financial institutions and tech vendors to build ecosystems for secure digital adoption, he explains.
Take the case of cloud computing services. As financial institutions increasingly adopt the cloud, there is a risk of overreliance, he notes. Any cybersecurity incidents that affect key cloud vendors could potentially have an outsized impact on the financial services sector, he says.
Beyond MAS, regulators around the world are keeping an eye on the growing dependence on such third-party providers. A recent report by the Bank for International Settlements, an international financial institution owned by central banks, identified the growing dependence on a small pool of cloud computing providers as a key risk for the financial sector, reported The Financial Times.
“At the same time, we are also cognisant that the cloud plays a very important role in financial services’ innovation journey,” says Loy. As such, it is critical that MAS does not stifle the adoption of such technology. Rather, the central bank is working with the senior technology leaders of various banks to understand the risks.
At the same time, MAS works with tech vendors to understand these emerging technologies and their position better. Loy shares that they meet with cloud providers and raise such security concerns, so they can ideate and come to solutions together.
“Regulators alone cannot solve a lot of these issues. It needs an ecosystem approach to solve these issues,” says Loy.
The regulatory body also works with fintech players to test-bed new technologies and develop regulations to ensure these technologies remain secure while giving them space to flourish. The MAS FinTech Regulatory Sandbox allows fintech players to experiment with innovative financial services in a live environment, where specific regulations are relaxed for a clearly defined period of time.
This lets the regulator observe these emerging services in a controlled way through smaller transactions as well as identify and account risks early on, Loy says.
A principle-based approach towards regulation
As new technologies come into play, a principle-based risk proportional approach can be useful in guiding institutions in making their own decisions about what to adopt based on their risk appetites, says Loy. This means that rather than prescribing very detailed rules and requirements, MAS sets principle-based guidelines – such as establishing a robust technology risk management framework – for financial institutions.
He highlights that regulation should not impede innovation or customer services. As such, the country adopts a principle-based approach that allows Singapore to cater to the various risks in financial services in a proportionate manner. The same holds true for new technologies, he says.
One example is the emergence of decentralised finance and blockchain technology. As these are relatively newer forms of technology, there are unknown security risks and vulnerabilities that come with their adoption that financial institutions will need to deal with, even as they learn about the new use cases they offer, says Loy.
In Wong’s announcement of MAS’ financial services industry transformation roadmap, he highlighted that MAS will continue to evolve its regulatory approach to safeguard against the new risks decentralised finance poses, from money laundering to cyber related risks.
One way in which MAS has enacted this principle-based approach is through technology risk management guidelines, which support institutions in developing technology governance principles.
The MAS has previously issued an advisory highlighting risk management principles on the adoption of public cloud services by financial institutions. The advisory recommended institutions develop a cloud risk management strategy, taking into account factors such as vendor lock-in and best practices such as the principle of least privilege and multi-factor authentication.
In a recent speech addressing Singapore’s position on decentralised finance, cryptocurrency, and blockchain, MAS’ Managing Director, Ravi Menon, highlighted that MAS was one of the earliest regulators to impose cyber hygiene standards and technology risk management principles on digital asset players.
He said that as cyber risks continue to evolve in this field, MAS will continue to review measures in line with what jurisdictions like the EU and Japan are doing.
Tech can also be a tool in supporting financial institutions in powering their cybersecurity efforts, Loy notes.
Automation can be deployed to reduce human error. Traditionally, financial institutions depend on numerous manual processes to review, check, authorise, and even migrate data. Automating these tasks has supported financial institutions in reducing the effort needed to complete these tasks, and also reducing the incidences of someone either intentionally or unintentionally causing data breaches.
When key controls are automated, financial institutions can free up time for people to focus on more valuable tasks. Such automation can also provide real-time verification that tasks have been completed as well as report when something goes awry, ensuring that auditors can respond quickly if needed.
Artificial intelligence can also be deployed to monitor system performance and perform predictive analytics about when systems might break down. Such analytics can support institutions in predicting and managing risks, he says.
Finally, Loy highlights that Singapore is only one of the nodes that keeps the global financial services systems running. Geopolitical tensions, such as the Russian-Ukraine conflict, have also increased cyber risks around the world, including for the financial sector, he notes. This is why MAS plays an active role globally in promoting cyber hygiene standards.
The regulator works with the aforementioned Bank for International Settlements as well as the Financial Stability Board (FSB), an international body that oversees the global financial system, in driving the cybersecurity agenda. In 2020, MAS chaired the FSB’s working group on Cyber Incident Response and Recovery, which aimed to develop a toolkit for responding to cyber incidents effectively.
Additionally, MAS has worked with prominent technologists and cybersecurity experts through the Cybersecurity Advisory Panel since 2017 to learn from best practices, he shares.
Vincent Loy will be participating in a panel titled ‘Increasing Local and Extraterritorial Regulations’ happening from 2:15pm to 3:45pm on 18 October at Level 3, Room GW4B, Sands Expo and Convention Centre.
Keen to hear from him but have yet to reserve your slot at GovWare? Do so now through the link here!
This article is published in partnership with GovWare 2022.