See https://www.mas.gov.sg/-/media/MAS/Sectors/Forms-and-Templates/Form-1—Application-for-a-Payment-Service- Provider-Licence.pdf

We are not going to lie. This article makes technology risk management (“TRM”) seem impossible. It is not impossible… but it is not easy either.

TRM involves a mix of technology, financial, operational and compliance considerations. TRM is arguably the most complex risk issue a payment service provider (a “PSP”) has to assess in its business. The biggest challenge is to develop a sound and robust TRM framework such that a PSP can be confident that it has managed its technology risks in a “systematic and consistent manner” ⁽²⁾ keeping in mind that (1) the potential severity and type of technology threats that PSPs face are constantly changing and (2) the PSP’s TRM framework is expected to be commensurate with the level of risk and complexity of the services it offers and the technologies supporting such services. ⁽³⁾

REGULATORY BACKDROP

For a PSP preparing to apply for a license under the PS Act, we recommend reviewing the following materials ⁽⁴⁾ as you prepare your TRM framework (which is generally required to be in place at the time of submission of Form 1)⁽⁵⁾

• The TRM Notice 2013
• The TRM Guidelines (the “Guidelines”)⁽⁶⁾ and ancillary documentation published in 2013. Checklist for the Guidelines (the “Checklist”);
  • Please note that this checklist should be completed each year by senior officers who have director knowledge of the PSP’s information systems and operations, and also reviewed by their ⁽⁷⁾
  • The checklist includes well over 100 TRM issues to consider, plus six
  • Instructions on Incident Notification and Reporting to
  • FAQ’s – Notice on TRM
• The MAS’s latest consultation paper on proposed revisions to the Guidelines (the “2019 TRM Consultation Paper”) published in March 2019;
• Notice PSN05 on Technology Risk Management published in 2019 (“PSN05”); and
• The MAS’ FAQ on the Payment Services Act (the “PS Act FAQ”) which includes a discussion of technology and cyber risk.

As an executive summary of the above, PSN05 sets out requirements of for a high level of reliability, availability and recoverability of critical IT systems and for PSPs to implement information technology controls to protect customer information from unauthorised access or disclosure). The Guidelines set out risk management principles and best practice standards that PSPs should adopt commensurate to the complexity of their operations.

Reviewing these materials will provide a PSP with a strong foundation to consider related notices and guidelines such as:

• MAS’ business continuity guidelines;
• a consultation paper on proposed revisions to these guidelines was published in 2019;
• the MAS’ Proposed Guidelines on Individual Accountability and Conduct;
• the MAS’ Outsourcing Guidelines (relevant if a PSP plans to outsource any technology functions);
• the MAS’ e-Payments User Protection Guidelines;
• Notice PSN06 on Cyber Hygiene which goes into effect on 6 August 2020; and other circulars the MAS has issued on matters such as vulnerability assessments and penetration testing, early detection of cyber intrusion.

THE MAS’ FOCUS WITH RESPECT TO TECHNOLOGY

Technology risk was one of the four key risks the MAS identified with respect to regulating PSPs. In particular, the MAS has highlighted the following areas of focus;(8)

• Governance;
• User authentication;
• Cyber hygiene;
• Encryption; and
• Anti-fraud

EMERGING TECHNOLOGY RISKS

Wearables: Apple Watch, Fitbit, Google Glass, and other wearables can expose companies to invasion of privacy and unforeseen dangers.

Internet of Things (“IoT”): The risks stemming from the use of IoT are very new and have grown exponentially over the last three years due to the sheer number of technologies available, from cameras, locks, to home automations systems. The ability to remotely control electronic devices raises privacy and other concerns. Meanwhile, physical risks exists relating to devices which monitor temperature and could overheat or explode.

Cloud Computing: Many organisations incorrectly believe that Cloud is natively secure. This is not true. The risks that exist with on-premise services exist in cloud computing too, and PSPs are required to implement appropriate controls to mitigate them. Types of risk include:

• unauthorised access to customer and business data;
• lack of availability of technology resources and data;
• incomplete data deletion;
• tertiary vendor risks;
• unauthorised access to credentials;
• comingling of data; and
• physical security

In addition, the MAS also addresses cloud computing in its Guidelines on Outsourcing. So PSPs that intend to utilise cloud computing should also consider outsourcing risks.

Quantum Computing: The next evolution of technology “more processing speed” will probably happen as a result of drops in pricing for Quantum computers. Quantum computers will stimulate the development of new breakthroughs in science, machine learning methods to diagnose illnesses faster, new machine made materials, financial strategies, and algorithms. However, the sudden access to Quantum computers will render all the encryption algorithms used to date vulnerable, making current implementation of HTTPS, and SSL open to abuse. Governments , beware all previously encrypted information will be open to brute force attacks that will take minutes not trillion years to decrypt.

Artificial intelligence (“AI”): The simulation of human intelligence in machines that are programmed to think like humans and mimic their actions is already taking place (see ridesharing apps like Uber). The term may also be applied to any machine that exhibits traits associated with a human mind such as learning and problem-solving. The risk is what happens if we cannot control how the AI thinks and what it does or create….Yes, we believe that the true villain of the Terminator films is the COO who failed to implement a proper TRM framework for Skynet!

An example of a more immediate concern is Google Translate. Google Translate is AI driven system that supports multiple language translations. Google has announced that the Google AI has created its own language to support new translations. However, no human can understand or use this new language. Presumably, Google didn’t plan for that to happen.

KEY CONSIDERATIONS WHEN PREPARING YOUR TRM POLICIES AND FRAMEWORKS

1. Have a framework to discern what technology/system is critical to your business – Is the technology relevant to your business from a financial perspective? Would a failure impact your operations or affect your customers’ data?
2. Ensure your critical technology is available for more than 99.954% of the time in each 12 month period (not more than four hours on a rolling 12 month basis).
3. Have a requirement to notify the MAS within 60 minutes of discovering a cyber security breach or an incident that has impacted your critical technology/systems. A report identifying the root cause analysis should be shared with the MAS within 14 days.
4. Implement information technology controls to protect customer information from unauthorised disclosure. There are approximately 400 controls identified in the Checklist that “senior officers who have direct knowledge” of a PSP’s information systems and operations should consider each year. The Checklist includes questions about:
   • Threat and vulnerability risk assessments;
   • Monitoring privileged accounts;
   • Implementation of perimeter security for your critical assets; and
   • Reviewing access controls and document security
5. Implement a “RACI Matrix” (see example next page). The 2019 TRM Consultation Paper states that a PSP may wish to consider delineating the roles and responsibilities for technology risks using a RACI matrix (9). A RACI matrix is a chart that maps out every task, milestone or key decision involved in completing a project. The RACI matrix assigns which roles are responsible for each action item, which personnel are accountable, and who needs to be consulted or informed. Establishment of a RACI matrix relating to technology risks should help demonstrate that the Board of Directors and Chief Executive Officer of a PSP demand accountability in terms of identifying and addressing technology risks.

Driver                                                Assists those who are responsible for a task.

Responsible                                     Assigned to complete the task or deliverable.

Accountable                                    Has final decision-making authority and accountability for completion. Only 1 per task.

Support                                           Provides support during implementation.

Consulted                                        An adviser, stakeholder, or subject matter expert who is consulted before a decision or action.

Informed                                         Must be informed after a decision or action.

THE HIGH STAKES OF TRM

Irrespective of the regulatory requirements, TRM is important because it mitigates risks that will adversely affect your revenues and customers.

However, if you only want to consider the adverse regulatory outcomes, potential disciplinary consequences include:

• Suspension of license until a problem is adequately addressed;
• Revocation of licence
• Public warning including details about the technology incident and governance failures; and Financial penalties.

Irrespective of the regulatory requirements, TRM is important because it mitigates risks that will adversely affect your revenues and customers.

However, if you only want to consider the adverse regulatory outcomes, potential disciplinary consequences include:

• Suspension of license until a problem is adequately addressed;
• Revocation of licence
• public warning including details about the technology incident and governance failures; and
• Financial

CONCLUSION

TRM is a subject that requires a range of stakeholders to work together. You need advisors who:

• are experts at identifying and solving technology and cyber-security issues and aware of the latest threats and solutions; and

• have compliance and ideally senior management (chief operating officer/chief executive officer) expertise who can properly advise a PSP’s board of directors on its responsibilities and governance relating to TRM.

Fortunately, the combination of Pragma and Holland & Marie offers all that capability, and more! If you are interested to explore how we may be able to assist you with your TRM framework, please reach either firm at our details below.

For further information, contact:

Chris Holland: Partner | Holland & Marie | 201802481R

7 Straits View, Marina One East Tower, #05-01 Singapore 018936 www.hmstrategy.com

Manish Chawda: Partner | Pragma | 201629205M 35A Keong Saik Road, #03-00. Singapore 089142 www.pragmastrategy.com

Disclaimer: The material in this post represents general information only and should not be relied upon as legal advice. Neither Holland & Marie Pte. Ltd. nor Pragma Pte. Ltd. is a law firm and neither firm may act as an advocate or solicitor for purposes of the Singapore Legal Profession Act.

(1) See https://www.mas.gov.sg/-/media/MAS/Sectors/Forms-and-Templates/Form-1—Application-for-a-Payment-Service-Provider-Licence.pdf

(2) See Paragraph 4.0.1 of the MAS TRM Guidelines 2 (as defined herein).

(3) See Question 7.26 of Form 1.

(4) All these materials are available on the MAS’ website – www.mas.gov.sg

(5) See Question 7.26 of Form 1.

(6) See https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-6 Guidelines– 21-June-2013.pdf?la=en&hash=813413DFB093943558376148934CF9AA44F26FB5

(7) See Instruction #1 to the Checklist, which can be found at https://www.mas.gov.sg/regulation/forms-and-templates/checklist-for-technology-risk- management-guidelines

(8)  See  https://www.mas.gov.sg/-/media/MAS/FAQ/Payment-Services-Act-Infographic.pdf?la=en&hash=D4635EDDB0CFB4AE8B1022D0E76F428E09B4F9BF

(9) RACI is an acronym for “Responsible”, “Accountable”, “Consulted” or “Informed”.