On 6 February 2024, the Monetary Authority of Singapore (“MAS”) issued the revised MAS Notice PSN05 Notice on Technology Risk Management (“PSN05”) to extend its application to include all holders of a payment services licence under the Payment Services Act 2019 that carry on a business of providing digital payment token services (“DPT Service Licensees”). The revised PSN05 will take effect on 6 November 2024.
Currently, DPT Service Licensees are required to comply with cyber hygiene requirements set out in the MAS Notice on Cyber Hygiene and the MAS Technology Risk Management Guidelines, which require financial institutions generally to establish sound and robust technology risk governance and maintain cyber resilience.
To improve information technology (“IT”) resilience, as well as maintain trust and confidence in digital payment token services, MAS has mandated the requirements in PSN05 for DPT Service Licensees, which include:
(a) Putting in place a framework and process to identify critical systems;
(b) Making all reasonable efforts to maintain high availability for critical systems (maximum unscheduled downtime for each critical system not to exceed a total of four hours within any period of 12 months);
(c) Establishing a recovery time objective of not more than four hours for each critical system;
(d) Notifying MAS as soon as possible, but not later than one hour, upon the discovery of a system malfunction or IT security incident, which has a severe and widespread impact on the licensee’s operations or materially impacts the DPT Service Licensee’s service to its customers, and submitting a root cause and impact analysis report to MAS, within 14 days or such longer period as MAS may allow, from the discovery of the relevant incident; and
(e) Implementing IT controls to protect customer information from unauthorised access or disclosure.
For details, please refer to the revised PSN05, the Amendment Notes to PSN05 and the updated accompanying FAQs – Notice on Technology Risk Management.
DPT Service Licensees should also note that other new regulatory measures on consumer access and business conduct will be prescribed for DPT Service Licensees in 2024. For more information, please refer to our Legal Update on “Digital Payment Token Service Providers to Comply with Enhanced Regulatory Measures from 2024”.