Business Continuity Management for Financial Institutions in Singapore
30 June 2022
On 6 June 2022, the Monetary Authority of Singapore ("MAS") issued revised Guidelines on Business Continuity Management ("BCM") ("Guidelines") for financial institutions ("FIs") in Singapore, after taking into account feedback from two rounds of public consultation. FIs are expected to:
enhance threat monitoring and environmental scanning, and conduct regular audits, tests, and industry exercises.
Who do the Guidelines apply to?
The Guidelines apply to all FIs in Singapore that are regulated by the MAS, including banks, merchant banks, capital markets services licence holders, and payment services providers. The Guidelines do not have legal binding effect, although MAS would take compliance with the Guidelines into consideration when assessing the quality of an FI's oversight and governance structure, internal controls and risk management.
When must an FI comply with the Guidelines by?
FIs are expected to meet the requirements in the Guidelines by 6 June 2023, including establishing a new BCM audit plan. The first BCM audit should be conducted by 6 June 2024.
What must an FI be aware of?
Operational resilience is a key focus of regulators. This update includes material changes from the previous version of the Guidelines, which reflect the increasing complexity of today's operating environment.
| Area | What the Guidelines expect |
| --- | --- |
| Taking a customer-centric approach | The MAS expects FIs to take a customer-centric approach in driving their BCM, and to safeguard the continuous delivery of services to customers. With this in mind: |
| Service Recovery Time Objective ("SRTO") | SRTO refers to a target duration of time to restore a specific business service from the point of disruption to the point when the specific business service is recovered to a level (see footnote 4) sufficient to meet business obligations. An SRTO should be established for each critical business service, taking into consideration an FI's obligations to customers, as well as other FIs that depend on its business services. |
| Testing | Regular and comprehensive testing should be conducted to validate the FI's BCM preparedness. The types of tests, as well as their frequency and scope, should be commensurate with the criticality of the business services and functions. Test records should be properly documented, and gaps and weaknesses should be reported to senior management. |
| Audit | The FI's overall BCM framework and the BCM of each of its critical business services should be audited at least once every three years. The auditors should be qualified and independent of the unit or function responsible for the BCM of the FI. |
| Incident and Crisis Management | Incidents that have severely disrupted, or will severely disrupt, business operations, or cases where the business continuity plan ("BCP") is or will be activated, must be notified to MAS as soon as possible and not later than one hour after discovery, through the MAS incident reporting template. A crisis management structure with clearly defined roles, responsibilities, reporting lines, and chain of command should be implemented. A set of pre-defined triggers and criteria for timely activation of the crisis management structure, and plans and procedures to guide the FI on the course of actions and decisions to be made during a crisis, should be established. Communication channels should be implemented to update all relevant stakeholders (including staff) for effective communication. Communications to external stakeholders should be proactive, transparent and factual. |
| Responsibilities of Board and Senior Management | The board and senior management have ultimate responsibility for an FI's business continuity. An annual attestation (to be provided to MAS on request) should be provided by senior management to the board on the state of the FI's BCM preparedness, the extent of its alignment with the Guidelines, and key issues requiring the board's attention, such as significant residual risk. |
What immediate next steps should an FI take?
FIs should immediately perform a gap analysis of their current BCPs against the requirements in the Guidelines and update their BCPs to comply with the new Guidelines. In particular, identifying critical business systems and critical business functions, establishing SRTOs, and implementing reporting channels for incident escalation and reporting are key.
Please speak to us if you would like further details or if you require assistance with this.
1. A business function which, if disrupted, is likely to have a significant impact on the FI (financial or non-financial).
2. A business service which, if disrupted, is likely to have a significant impact on the FI’s safety and soundness, its customers or other FIs that depend on the business service.
3. Please see paragraph 4.4 of the Guidelines for examples of measures that can be implemented.
4. A pre-determined minimum service level that is sufficient to meet the FI’s business obligations.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.