As businesses in Asia (and globally) continue to digitalise and transform, the incentive for malicious actors to break into systems and steal data has grown with them. In January 2021, the Monetary Authority of Singapore (MAS) issued new rules for the fintech industry and for financial institutions.
MAS stated that as financial institutions adopt new technologies, they have become highly reliant on third party providers. However, working with an external vendor can bring significant risks to banking systems. This has also made holding a Data Protection Certification and Advanced Certificate in Governance, Risk Management and Data Compliance increasingly important.
With the skills gained from the Data Protection Certification and Advanced Certificate in Governance, Risk Management and Data Compliance, the DPO or compliance officer can identify the weaknesses that arise when working with third party providers. The gap could be in any of the following:
- Management of the vendors, including controls over the vendors and risk assessment.
- Selecting the right service provider based on their strengths.
- Third parties may subcontract parts of the solution, so specifications and requirements can become lost in translation.
- Adequacy of the contract specifications to control and enforce requirements.
- Communication and translation of requirements within the scope of the contract.
- Awareness of the data protection risks and regulatory requirements when personal data are involved.
In other words, third party management is crucial—from accurately specifying the requirements to identifying vendors that are strong in the requirements and working with their strengths.
When vendors work under the constraints of tight deadlines and limited resources, they can overlook the information security of the third party tools they use. They might also "over-provide" certain features that can themselves be considered data protection risks.
The revised Technology Risk Management (TRM) guidelines include the following:
- Screening of component suppliers is now spelt out clearly. The guidelines also cover a wide range of topics so that firms in the finance industry can fend off and recover from system failures and cyber attacks, even though due diligence on technology vendors was already considered a must.
- Financial services firms need to vet entities that have access to their application programming interfaces (APIs) by looking at their cyber security posture, track record, industry reputation, and the nature of their business. They also need to encrypt sensitive data and secure the development of APIs to prevent attackers from injecting malicious code.
- Senior management and the board of directors in financial institutions should vet and approve key cyber-security and technology appointments.
The revision also took in expert engagements and other feedback from the public consultation conducted in 2019.
The guidelines also address the mandatory requirements set out in the MAS TRM notice. A fine of up to $100,000 was set for non-compliance under the Banking Act. For a continuing offence, a further fine of up to $10,000 per day may be levied.
Nowadays, businesses operate in an increasingly interconnected world, sharing access and sensitive data with third parties. While this has made many processes easier, it also increases the level of risk that originates from those third parties.
It is therefore imperative to have the capabilities at hand to continuously manage and monitor third party performance and risks.
The organisation, for its part, needs to identify and assess data risks, since it remains accountable for the protection of the data it holds. Organisations also need to conduct compliance assessments relating to data protection and to manage the contract.
In line with this, teams in financial institutions need to keep upskilling and keep their knowledge current with the latest developments. Privacy and security are not interchangeable, and app developers (whether outsourced or in-house) need to be aware of the differences when developing the app.