Regulatory challenges in Singapore, especially for FSIs
By Benjamin Cher October 23, 2015
- FIs now required to ensure service providers are ‘fit and proper’
- Non-regulated businesses have to contend with the PDPA as well
WHEN Singapore introduced its Personal Data Protection Act 2012 (PDPA), many businesses had to quickly put in place policies to comply.
But for a heavily regulated sector like the financial services industry (FSI), it was just another box to tick on a long list of compliance and regulatory requirements.
And with financial services technology (fintech) taking off, and an increasing danger of data breaches, that list is only going to get longer.
Regardless, the PDPA’s overarching reach requires all businesses to look into the potential of cyber-breaches, according to Lena Ng, counsel with law firm Clifford Chance.
“If they have online systems, there’s potential for a cyber-breach, whether externally or internally,” she told Digital News Asia (DNA) in Singapore.
“From a legal perspective, the concern is that there could be an inadvertent disclosure of customer data which violates the PDPA,” she said, which would affect the business’ reputation as well as invite complaints from customers.
All financial institutes are subject to regulations enacted by the Monetary Authority of Singapore (MAS), which also issues risk management guidelines that are currently not binding, according to Ng.
“Of course, MAS will take into consideration how you have kept to the guidelines and whether there was proper risk management in place,” she said.
“For the more critical financial institutes like banks, exchanges or clearinghouses, they are subject to technology risk requirements, under a binding notice that focuses on critical systems,” she added.
Ultimately, all financial institutes need to have the requisite policies, compliance and systems in place to meet the myriad of regulations, from the PDPA and technology risk management guidelines, to statutory secrecy.
Digital due diligence
Aside from dealing with data security, financial institutes also have to meet due diligence requirements.
Regulators have become more sensitive about the concept of ‘fit and proper,’ according to Ng.
MAS has published guidelines on what it terms ‘fit and proper,’ covering everything from character to competence.
“Everyone – the directors, CEO (chief executive officer), key appointment holders – have to be ‘fit and proper’ [individuals],” Ng said.
Previously, the ‘fit and proper’ certification for such executives was obtained before they were appointed to these roles, but MAS is now expanding its authority to be informed of any breach and to remove such people from their roles.
And these guidelines are not just for the top guys, but extend to service providers the financial institute may outsource their IT operations to.
“MAS proposed a new set of outsourcing guidelines last year, which it has not finalised,” Ng said.
The proposed guidelines put the onus on the financial institute to monitor its service providers to ensure they are ‘fit and proper,’ she said, although it remains to be seen whether this will remain in the finalised guidelines.
“It is a clear direction of pushing that responsibility to the financial institutes, which would then need to put in place policies and steps to ensure that the relevant information is communicated to MAS to deal with,” Ng said.
And this produces its own set of complications, she argued.
“There’s the issue of creep, where things happen incrementally – how do you determine when the trigger for a violation of the ‘fit and proper’ guidelines occur?
“That is [going to be] very challenging for financial institutes in Singapore,” she added.
While most companies in Singapore are still averse to disclosing breaches, MAS is now stepping in to make disclosure mandatory for financial institutes at least.
The regulator has put in place requirements for such companies to disclose ‘material adverse developments,’ according to Ng.
Material adverse developments are defined by MAS as breaches of MAS laws, regulations or requirements that have occurred, may have occurred, or may occur.
The term also covers developments that have an impact on the financial soundness or reputation of the financial institute, as well as its ability to serve customers on a ‘business as usual’ basis.
“While this does not apply specifically to fintech companies, it will have an impact on financial institutes providing fintech applications,” Ng said.
“With the drive towards fintech … as an increasingly important way of extending services … cybersecurity will come into play, and if there is something that impacts this in a materially adverse way, the financial institute will have to inform MAS,” she added.
Non-regulated industries have it easier, just needing to comply with the PDPA. Under the Act, there is no obligation for them to inform Singapore’s Personal Data Protection Commission of a breach, according to Ng.
“This is unlike other countries, where you have a legal obligation to notify [customers and/ or the authorities] when you have had a breach,” she said.
“But when you look at some of the data breach management guidelines the Commission has come up with, you’ll see in there that they encourage you to inform the Commission,” she added.
In time, this might become an expectation by the PDP Commission to be informed whenever there is a breach, Ng argued.
As a breach is not an automatic offence under the PDPA, the Commission would look at the circumstances, she added.
Regulation and enablement
Singapore’s Cyber Security Agency (CSA) recently signed a memorandum of understanding (MoU) with the Cabinet Office of the United Kingdom that covers areas such as cybersecurity incident response, talent development, as well as joint research and development.
The MoU will have an effect on both regulation and enablement, from the CSA’s National Cyber Security Masterplan to MAS setting up its own fintech department to boost not just policing, but also collaboration.
“There are two aspects – you regulate to make sure that people have the right policies to police themselves internally,” Ng said.
“But also externally, you enable companies to come together to set up cybersecurity structures, and countries to come together to fight cybercrime,” she added.