On 10 May 2024, the provisions in the Financial Services and Markets Act 2022 (“FSMA“) which empower the Monetary Authority of Singapore (“MAS“) to impose harmonised technology and risk management (“TRM“) requirements on all financial institutions (“FIs“) took effect.
Before 10 May 2024, MAS relied on the powers in the respective Acts regulating the FIs to specify its requirements on TRM for regulated activities. MAS’ powers to issue directions or make regulations on TRM are migrated from these Acts to the FSMA to empower MAS to impose TRM requirements on any FI or any class of FIs for the management of technology risks (including cyber security risks), the safe and sound use of technology to deliver financial services, and safe and sound use of technology to protect data.
In addition, the provisions relating to the control and resolution of FIs were migrated from the Monetary Authority of Singapore Act 1970 (“MAS Act“) to the FSMA and took effect on 10 May 2024.
TRM Requirements
With the enhanced powers under the FSMA, on 10 May 2024, MAS issued a set of new Notices on Technology Risk Management and Notices on Cyber Hygiene to FIs regulated by MAS. These FIs include banks, finance companies, merchant banks, insurers and insurance agents, insurance brokers, capital markets financial institutions, licensed financial advisers, licensed trust companies, and digital payment token service providers, etc.
The TRM requirements under the FSMA are enhanced as follows to address the growing technology risks (including cyber security risks) faced by FIs which rely heavily on technology to deliver their services:
- Wider scope of systems and activities subject to TRM requirements. MAS is empowered to impose TRM requirements on any FI or any class of FIs in relation to the FIs’ systems, irrespective of whether the systems support a regulated activity, if such systems pose contagion cyber risk as they are interlinked to the other systems of the FIs. FIs are expected to implement the relevant security measures for all systems because cyber threat actors exploit every possible entry point and move laterally within the FI’s network to perform malicious activities.
- Increase of maximum penalty for breaches of TRM requirements to S$1 million. To ensure that the maximum penalty for any breaches of TRM requirements is commensurate with the most serious types of breaches that can be committed by FIs, the maximum penalty for breaches of Regulations and Notices issued the FSMA is increased to S$1 million. There is a composition framework where MAS considers the severity of the breach to determine a composition amount for an FI in breach.
Control and Resolution of FIs
Pursuant to the commencement of Parts 7 and 8 of the FSMA, MAS’ powers relating to the control and resolution of FIs in distress which cut across the different sectors within the financial sector are now consolidated under the FSMA, which acts an omnibus Act.
Background Information on FSMA
The FSMA, which seeks to implement a financial sector-wide regulatory approach for financial services and markets, was passed in Parliament on 5 April 2022. The FSMA consolidates the provisions and powers that relate to MAS’ regulatory oversight of different FI classes in a single Act. For more information about the FSMA, read our Legal Update titled “Singapore Parliament Passes Bill to Regulate Certain Digital Token Service Providers, Harmonise and Enhance MAS Regulatory Power over FIs“.
MAS is implementing the FSMA in phases. In the Phase 1 implementation of the FSMA on 28 April 2023, MAS’ supervisory and regulatory powers over FIs that relate to the AML/CFT framework, the financial dispute resolution schemes framework, and MAS’ general powers over FIs (including inspection powers and offences) were migrated from the MAS Act to the FSMA. For more information about the Phase 1 implementation of the FSMA, read our April 2023 NewsBytes write-up titled “Implementation of First Phase of Financial Services and Markets Act 2022 Relating to Supervisory and Regulatory Powers of MAS over FIs Commenced on 28 April 2023” (link here).
The above changes which came into force on 10 May 2024 represent Phase 2A implementation of the FSMA.
The remaining phases of implementation of the FSMA are targeted for H2 of 2024.
Click on the following links for more information:
- List of MAS Notices on Technology Risk Management and MAS Notices on Cyber Hygiene (available on the MAS website at www.mas.gov.sg)
- Resources and Information on the FSMA (available on the MAS website at www.mas.gov.sg)
- Financial Services and Markets Act 2022 (Commencement) Notification 2024 (available on the Singapore Statutes Online website at www.agc.gov.sg)