Cybersecurity regulations shaping the future of fintech services in Singapore

The advent of new and emerging technologies, as well as a changing competitive landscape, has prompted organizations to explore new value propositions, business models and digital capabilities. Gartner estimates that 91% of businesses are currently engaged in some form of digital initiative. As a result, in the coming years, innovation is expected to play a critical role in driving growth for organizations across industries.

Singapore’s financial sector bears witness to innovation’s transformative powers and shines as a beacon of financial forward-thinking. The city-state’s government and other traditional institutions, such as the Monetary Authority of Singapore (MAS), have played a significant role in maintaining the momentum of innovation in the fintech industry by embracing technological transformation and being prepared for the security challenges it brings. Digitalizing financial infrastructure, deepening sustainable finance, and expanding cross-border payment linkages to enable digital currency connectivity are among the initiatives taken by regulators to strengthen the Republic’s position as a leading international financial centre in Asia. According to Vincent Loy, Assistant Managing Director, Technology Group, MAS, “only a robust and secure infrastructure can bring these plans to life and ensure the growth of a successful fintech industry in the country.”

Before delving into the approaches required to maintain risk-based compliance with emerging technologies and regulations, let us look at some of the existing regulatory compliance that are shaping the future of Singapore’s fintech industry.

Compliance & Guidelines – Financial Services

With the advent of new and emerging payment systems such as cryptocurrency and blockchain, state-issued digital currencies, and various types of e-payments, Singapore has experienced rapid growth in the financial sector. Apart from the globally recognized Payment Card Industry Data Security Standards (PCI DSS), which establishes comprehensive requirements for security in the payments industry, the nation’s regulatory authorities have established specific guidelines and regulations for financial institutions undertaking business in Singapore.

MAS – Technology Risk Management (TRM) Guidelines

The MAS-TRM Guidelines, released in January 2021, eight years after the last major release in 2013, serve as a benchmark for MAS to assess the risk of financial institutions. It consists of industry best practices statements and guidelines that are primarily focused on cyber resilience, software development, and cloud technologies.

The MAS-TRM Guidelines apply to all licensed financial institutions and their service providers, including funding and investment, insurance, financing companies and banks, credit payments, and financial exchange services. To comply with these guidelines, the organization should consider implementing policies to manage technology risks, roles and responsibilities, access control, data loss prevention, and mobile device or application authentication, among other actions.

Payments Services Act (PS Act)

The Singaporean government issued the Payments Services Act (PS Act) in January 2020 as a “forward-thinking and flexible framework for the regulation of payment systems and payment service providers.” The act supersedes the previous Payment Systems Oversight Act and the Money-Changing and Remittance Businesses Act. It ensures regulatory certainty and consumer protections while encouraging innovation and growth in Singapore’s payment services and fintech industries.

The PS Act includes risk management measures for payment systems and payment service providers in areas such as user protection, application security, anti-money laundering/ countering the financing of terrorism (AML/CFT), interoperability, and information technology. Under this act, MAS established two parallel regulatory frameworks: the first enables MAS to designate significant payment systems and regulate all stakeholders such as operators and settlement institutions, and the second is a licensing framework for payment service providers.

Notice on Cyber Hygiene

Financial Institutions are subject to various cyber hygiene notices based on entity type, which set the requirements for enterprises to ensure that cybersecurity practices are in place to manage relevant cyber threats and ensure cyber resilience. These notices contain mandatory guidelines for a wide range of entities, including banks, merchant banks, finance and trust companies, capital market entities, insurance brokers, credit card licensees, and financial advisers.

The following are the six cyber hygiene requirements outlined in the Cyber Hygiene Notices:

1. Securing administrative accounts
2. Applying security patching
3. Establishing written security standards
4. Network Perimeter Defense
5. Implementing anti-malware measures
6. Implementing Multi-factor Authentication

The MAS Cyber Hygiene Notices outline the best practices for organizations to update software and applications on a regular basis, perform anti-virus scans, educate employees on ransomware and phishing scams, and regularly backup data to minimize loss in the event of an attack.

Cybersecurity as the key to the future of Singapore’s financial services

With the rapid adoption of modern technologies such as decentralized finance, blockchain, and cloud computing, financial institutions will face unknown security risks and vulnerabilities. The MAS – the Singapore’s central bank – announced its vision for the next three years in September 2022, along with a refreshed industry transformation map for the country’s financial services sector. In October 2022, the regulatory body also issued two consultation papers proposing regulatory measures to reduce the risk of cryptocurrency trading to consumers. As part of the PS Act, these measures also aim to enhance the standards of stablecoin-related activities in Singapore.

The MAS proposed the following strategies to ensure the growth of a successful fintech industry in the country, while encouraging an ecosystem approach to secure digital adoption and compliance with security regulations:

Principle-based risk proportional approach

As new technologies emerge, organizations must be able to decide what to implement based on their risk appetite. As a result, regulations like MAS-TRM establish principle-based guidelines that allow financial institutions to cater to various risks in a proportionate manner. As cyber risks evolve, MAS is estimated to expand its regulatory approach to protect against the new risks introduced by decentralized finance, cryptocurrency, and blockchain.

Automation powering cybersecurity efforts

Traditionally, financial institutions relied on numerous manual processes to review, check, authorize, and even migrate data. Automating these processes with tech support not only saves time and effort, but it also reduces the likelihood of someone causing data breaches, either intentionally or unintentionally. For instance, in 2021, Singapore’s Cyber Security Agency (CSA) co-funded the development of an AI computer drive that automatically erased its stored data in less than a second if it was physically tampered with. The X-Phy drive detects unusual patterns in the way its stored data is accessed and locks itself to prevent further access. Automation and artificial intelligence can also aid in real-time log monitoring and incident response in the event of any suspicious activity.

Global collaboration

Singapore, as a leading fintech hub, has many influential ties with various international bodies in charge of keeping the global financial services systems running. Collaboration with the Bank for International Settlements and the Financial Stability Board (FSB), as well as other prominent technologists and cybersecurity experts, has given MAS an opportunity to actively promote global cyber hygiene standards even amidst various geopolitical tensions.

As we approach 2023, the ongoing digital expansion is expected to intensify and reshape the financial services landscape. Furthermore, a major regulatory reset for financial services in many large nations may impact financial technologies worldwide. While Singapore has a history of embracing new technologies as an opportunity to innovate and expand, secure digital adoption will be critical in shaping the nation’s future of fintech.