Date: 19 Jul 2018
Financial Technology Risk Management – Changes, Challenges and Solutions: an in-depth discussion
By Horangi Cybersecurity
On 17 May 2018, the Chief Cyber Security Officer of the Monetary Authority of Singapore (MAS) indicated in his speech that the MAS intends to issue a Notice on cyber hygiene to raise the overall level of cyber resilience and is currently reviewing the MAS Technology Risk Management (TRM) Guidelines. To provide insights by interpreting the changes, challenges and solutions for medium-sized Financial Institutions (FIs) and FinTech organisations, Horangi Cybersecurity and ICE71 co-organised this panel discussion on 19 July 2018 at ICE71 in Singapore.
The Background of MAS TRM
In June 2013, the MAS recognised the need to regulate rampant technological disruption in the financial industry, as IT has evolved to become a critical component within a financial institution. The TRM Guidelines were what MAS proposed in response to the digital age, in order to guide FIs in the following:
1. Establishing a sound and robust technology risk management framework;
2. Strengthening system security, reliability, resiliency, and recoverability; and
3. Deploying strong authentication to protect customer data, transactions and systems.
Q&A of the Panel Discussion
Our esteemed guests for the afternoon:
From left to right: Chia Ling Koh (Managing Director, Osborne Clarke), Demetris Booth (Cybersecurity Consultant), Angus Thorn (Head of Incident Response and Threat Intelligence, Horangi), Phoram Mehta (Head of Information Security APAC, PayPal), Vincent Caldeira (Chief Technology Officer, Bondlinc).
Q1: What is the objective of the TRM guidelines? What role should MAS play in the whole FinTech Security landscape?
Chia Ling: Technology plays a big part in the delivery of financial services today. The guidelines seek to ensure the integrity and availability of financial services and protection of customer information, by promoting the adoption of sound practices and processes for managing technology. The TRM guidelines serve as a reference for Financial Institutions in establishing their risk management framework. The guidelines are non-prescriptive and are non-exhaustive – as such, FIs should observe the spirit of the guidelines and take into account other factors like their unique business processes when coming up with risk management. MAS should be both the enabler and safeguarder in the FinTech ecosystem.
Q2: As a regulated entity that prides its security credentials, how do you balance compliance and security?
Phoram: Compliance enables Security to become a key strength and a differentiator. Being a two-sided network our value and promise is to both buyers as well as sellers. With 237 million customers across 200+ markets around the world, we pay special attention to building a compliance program that is able to meet the needs of various local regulations as well as industry requirements. Building on top of that foundation, our focus in Security then is to strengthen the trust with our customers. In appreciation of our responsibility to make the internet ecosystem, we share our learnings and research with the industry to help develop innovative security technologies and standards like FIDO, HSTS, DMARC etc.
Q3: What are some of the key operational challenges FinTech service providers face in terms of meeting the control requirements in the FI sector?
Vincent: The key operational challenges faced by FinTech providers, in particular if they provide a service, be it operational or software provisioned on a SaaS model, stem from the differences in processes and organisational structure between the FinTech and their customers. From a process point of view, while FinTech providers are able to refer to and implement controls around the same control objectives that are required of FIs (as in the TRM Guidelines), the actual implementation of the control can differ greatly because of the different operational processes employed internally to perform the same task. One example of this would be the Privileged Identity Management process: while a bank could use a process such as Dual Control of password (i.e. two halves of the password for a privileged user are kept in separate vaults and retrieved by two different administrators who would need to be physically present to log into a system with privileged credentials), the FinTech provider could be relying mostly on DevOps tools and use privileged service accounts to automate the release of changes into a controlled environment. In this case it is likely the FinTech service provider would be using detective controls, including the monitoring of privileged activity on controlled environments, as opposed to the preventative controls used by the Financial Institutions, but could very well still meet the same control requirements.
From an organisational point of view, one key challenge is for smaller FinTech providers, where the smaller size of the technical team often means that employees have to wear many hats across the development, release and support processes. In these conditions, it is hard to achieve the same level of segregation of duties that is typically enforced in Financial Institutions. For example, in a typical Financial Institution the people writing / releasing the code into testing and production environments necessarily have to be from different departments, with multiple levels of checks performed at each stage of the release process, while employees in smaller FinTech startups often have to perform the technical tasks across the release management process. Again, the way for FinTech providers to manage this is to look at greater automation using standardised, well-controlled and monitored processes, in such a way that releasing software changes that are not properly reviewed, assessed for impact and properly tested is not possible.
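As an added example (not code from the panel, Horangi or Bondlinc), the following script shows the kind of detective control Vincent describes: privileged service-account activity on a controlled environment is correlated against a change register, and any privileged action that does not sit inside an approved, fully gated change (review, impact assessment, tests) is raised as a finding. The audit-log format, field names, change-record schema and all sample data are constructed assumptions, not any real tool's output.

```python
"""Detective control over privileged activity in controlled environments.

Added example (not the panel's, Horangi's or Bondlinc's code). Every privileged
action logged against a controlled environment must map to an approved change
that covers it in time and has passed the review, impact-assessment and test
gates. Log format, field names and the change-record schema are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass(frozen=True)
class Change:
    change_id: str
    env: str
    window_start: datetime
    window_end: datetime
    reviewed: bool          # peer review recorded
    impact_assessed: bool   # impact assessment recorded
    tests_passed: bool      # automated test gate green


def _dt(s):
    return datetime.fromisoformat(s)


# Constructed change register (assumed schema): what release management approved.
CHANGES = [
    Change("CHG-100", "prod", _dt("2018-07-19T02:00:00"), _dt("2018-07-19T04:00:00"), True, True, True),
    Change("CHG-101", "prod", _dt("2018-07-19T10:00:00"), _dt("2018-07-19T11:00:00"), True, True, False),
    Change("CHG-102", "uat", _dt("2018-07-19T12:00:00"), _dt("2018-07-19T13:00:00"), True, True, True),
]

# Constructed audit log (assumed format): one event per line,
#   <ISO timestamp> env=<env> actor=<account> action=<verb> change=<id|->
AUDIT_LOG = """\
2018-07-19T02:15:00 env=prod actor=svc-deploy action=deploy change=CHG-100
2018-07-19T02:20:00 env=prod actor=svc-deploy action=db_migrate change=CHG-100
2018-07-19T05:30:00 env=prod actor=svc-deploy action=config_write change=CHG-100
2018-07-19T10:30:00 env=prod actor=svc-deploy action=deploy change=CHG-101
2018-07-19T12:00:00 env=prod actor=admin-alice action=secret_read change=-
2018-07-19T12:05:00 env=prod actor=svc-deploy action=deploy change=CHG-102
2018-07-19T13:00:00 env=dev actor=dev-bob action=deploy change=-
2018-07-19T13:10:00 env=prod actor=svc-readonly action=read_logs change=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) env=(?P<env>\S+) actor=(?P<actor>\S+) "
    r"action=(?P<action>\S+) change=(?P<change>\S+)$"
)
PRIVILEGED_ACTIONS = {"deploy", "db_migrate", "config_write", "secret_read"}
CONTROLLED_ENVS = {"prod", "uat"}


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = _dt(ev["ts"])
    return ev


def review_privileged_activity(log_text, changes):
    """Return findings as (timestamp, actor, action, reason) tuples.

    Only privileged actions in controlled environments are in scope; each must
    cite an approved change for that environment whose window covers the event
    and whose review, impact-assessment and test gates all passed.
    """
    by_id = {c.change_id: c for c in changes}
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev is None:
            findings.append(("-", "-", "-", f"unparseable audit line: {line!r}"))
            continue
        if ev["env"] not in CONTROLLED_ENVS or ev["action"] not in PRIVILEGED_ACTIONS:
            continue
        change = by_id.get(ev["change"])
        if change is None:
            reason = "privileged action with no approved change reference"
        elif change.env != ev["env"]:
            reason = f"{change.change_id} approved for {change.env}, not {ev['env']}"
        elif not (change.window_start <= ev["ts"] <= change.window_end):
            reason = f"outside approved window of {change.change_id}"
        else:
            gates = (("review", change.reviewed),
                     ("impact assessment", change.impact_assessed),
                     ("tests", change.tests_passed))
            missing = [name for name, ok in gates if not ok]
            if not missing:
                continue  # fully covered by an approved, gated change
            reason = f"{change.change_id} missing gates: {', '.join(missing)}"
        findings.append((ev["ts"].isoformat(), ev["actor"], ev["action"], reason))
    return findings


if __name__ == "__main__":
    for finding in review_privileged_activity(AUDIT_LOG, CHANGES):
        print(" | ".join(finding))
```

Run as-is, the script reports four findings from the constructed log: a config write outside its change window, a deployment under a change whose test gate never passed, a secret read with no change reference at all, and a production deployment citing a change approved only for UAT; activity in the uncontrolled dev environment and non-privileged reads are ignored. The point of the design is that the control is evaluated after the fact from the audit trail, so a small team can keep automated releases and still evidence that no change reached a controlled environment without the review, impact-assessment and test gates having been met.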
Q4: What is the best practice you have seen of mid-sized Financial Institutions and FinTech companies in complying with higher standards of regulation for e-payment?
Demetris: Acknowledging there are varying degrees of standards and compliance in different locations, best practice would be ensuring compliance to the toughest standard or regulation that governs e-payments. This way, they ensure compliance with lesser standards specified by the countries or regions where they may expand their services.
Q5: As FinTech startups and SMEs here expand beyond Singapore what tips would you give them around the tech risk management?
Phoram: It is no longer an option to bolt on security in response to an incident at the enterprise or in the neighbourhood. The global, persistent, non-discriminatory landscape in cybercrime is pushing regulators in Singapore and beyond to mandate that technology risk management is a priority not just for established financial services firms but also for FinTech startups and SMEs. I would highly recommend entrepreneurs to view this as a strategic opportunity and make smart investments that help build trust with their customers, partners and regulators alike.
Demetris: The best advice is to have a solid Risk Management Program in place. This would include addressing the people, processes, and technology considerations of risk. It also means understanding global best practices, risk management frameworks, and region & country specific data privacy laws. Factoring these into their Risk program will ensure they are in compliance with the regions to which they will take their services, and be ready and able to evolve these services as necessary. Additionally, having this Risk Management Program in place will enable them to innovate and develop their services with security and risk factored in from the beginning, and throughout the entire lifecycle of that service.
Chia Ling: Regulations around the world are evolving in the face of innovation. However, if you are TRM compliant, you are likely to be able to comply with the overseas risk management regulations. In any event, businesses that believe in building trust should look at technology risk management and cybersecurity as competitive advantages rather than mere expenses.
Vincent: The control objectives set in the MAS TRM guidelines are standards that would pretty much apply in any country that they could market their solution in, so they are a good base for discussion with your potential customers once the preliminary business case discussions are over and discussions on actual implementation start. However, my advice is not to wait for FIs to come up with an extensive list of questions and challenges on the solution. Be ready to share on your solution architecture, implementation model(s) and integration strategies (with the Financial Institution systems), and share on your internal controls with the relevant departments that are responsible for performing due diligence on you as a potential service provider. One useful tool that we have identified for this at Bondlinc is the ABS Guidelines on Outsourcing Service Provider Audit Report (OSPAR), which defines a standardised audit scope and procedure to ensure, with a third-party, independent audit, that the service provider meets the requirements set in the MAS Outsourcing Guidelines, and provides a regular report that can be shared with customers to assure them that the controls relevant to the provision of outsourced services are designed and operate effectively.
To wrap things up, cyber security laws aim to create an ecosystem where innovation and protection are balanced. Companies should view regulation less as a cost and more as an investment to build trust within their consumer base, ensuring the long-term success of their business.