FinTech Security and Regulation Suggestions

May 29, 2022

I’d like to provide a suggestion for what authorities should do about the FinTech application of Virtual Banking in Singapore’s financial industry. Banks are the most severely regulated industry by their very nature. The dynamic and intricate connection that exists between Virtual Banking innovation and regulation is always tense. Because risk is always associated with innovation, there appears to be a universal understanding that regulatory organizations are needed to limit the possible, unanticipated consequences of new business models and financial products. My advice to the regulator is to stay up with the pace of change in the fintech industry.

The supervisory organizations that govern and administer how market players can operate have been asked new questions by virtual banks. It has forced authorities to examine and wrestle with the risks associated with the types of technologies impacting the financial services industry. While much of the potential created by cloud technologies is unprecedented, their risk is also novel.

The motivation for regulating is useful to consider, and there are four major reasons: uncertainty, resource conflict, disruption and unforeseen events, and the public benefit. When cloud technologies are used to support the financial system, it will function in a completely different way than before. Safeguards should be put in place to ensure that the system does not collapse as a result of some unforeseeable event.

More specifically, it accounts for the precautions made to protect virtual banking consumers from the consequences of a completely market-driven system that disregards the interests of human actors. Having some kind of monitoring in the fintech area has a lot of benefits. However, there are significant obstacles to establishing a useful regulatory system.

Some market actors may view regulation with scepticism, believing that rules and obligations endanger their prospects or impede their activity. As a result, enlightened regulation for the fintech industry is unlikely to be simple. The three approaches that regulatory authorities could adopt to fintech innovation are as follows.

To begin with, it is a rule-based system. The regulatory authority establishes rigid and unyielding rules and processes that market participants must follow. This is frequently linked to stringent regulation.

Second, it is founded on principles: The regulatory body gives market players principles to guide their activity while allowing them to choose how they will achieve their regulatory duties. This is commonly used in conjunction with either light-touch or passive regulation.

Third, it is based on performance: The regulatory body establishes specific benchmarks that market players are expected or encouraged to reach. Regulation is light-handed in this case.

These ideas could be adopted in Singapore to help the industry develop. When regulation is administered with care, it helps to create the ideal environment for innovation to flourish. It creates a secure atmosphere for economic activity and, by building trust in the sector or market, frequently leads to widespread acceptance of new consumer goods and services. The city-state of Singapore is becoming known for its increasingly welcoming climate for fintech startups. Singapore’s Monetary Authority (MAS) wants to make the country an “experimental centre” for fintech innovation. This plan is in line with the MAS’s long-term goal of attracting fintech innovators to the Asia-Pacific region. Singapore is currently a very desirable location for fintech innovation.

In an ideal world, there would be no need to choose between innovation and regulation. Virtual banks can use a variety of innovative technologies to make regulatory compliance more efficient. The regulatory technology (reg-tech) industry is expanding. Regulators can use the new software solution to assist them to carry out their jobs more effectively.

With all of this shift in the regulatory landscape, it’s apparent that existing banks and future virtual banks will need to prepare for changes in the way regulation is carried out on a day-to-day basis. The formation of an open, respectful working relationship between policymakers and a number of players in the fintech field will be critical to the effective adoption of virtual banks.

The Monetary Authority of Singapore (MAS) amended its Guidelines on Outsourcing for Financial Institutions (FIs) in July 2016 to recognize that FIs can use cloud services to improve their operations and take advantage of the cloud’s size, standardization, and security. FIs are required by the MAS Guidelines on Outsourcing to do due diligence and use solid governance and risk management processes when using cloud services.

To ensure Cloud Security, environments should be reviewed on a regular basis, and infrastructure and services should be approved to operate under a variety of compliance standards and industry certifications that span geographies and verticals. In addition, for a variety of industry-specific workloads, the cloud provider should get certifications and independent third-party attestations.

ISO 27001, for example, is a security management standard that outlines security management best practices and comprehensive security controls based on ISO 27002 best practices. ISO 27017 provides information security recommendations for cloud computing, proposing the deployment of cloud-specific information security measures to enhance the ISO 27002 and ISO 27001 Standards. Furthermore, ISO 27018 is a code of practice for protecting personal data in the cloud. ISO 9001, on the other hand, specifies a process-oriented approach to documenting and reviewing the structure, roles, and procedures needed to ensure successful quality management inside a company.

MTCS Level 3 –Multi-Tier Cloud Security (MTCS) is an operational Singapore security management standard (SPRING SS 584:2013), based on ISO 27001/02 Information Security Management System (ISMS) standards, in addition to the above standards. PCI DSS Level 1 - The PCI Security Standards Council administers the Payment Card Industry Data Security Standard (commonly known as PCI DSS), which is a proprietary information security standard. PCI DSS applies to merchants, processors, acquirers, issuers, and service providers who store, handle or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Regulators might ensure that the cloud provider works in a secure control environment by bringing together governance-focused, audit-friendly service features with certifications, attestations, and audit standards.

The MAS Outsourcing Guidelines provide guidelines and recommendations on responsible risk management techniques for outsourcing, including the use of cloud services by financial institutions. Financial institutions that use the cloud must conduct due diligence, assess and mitigate risks, and enter into proper outsourcing agreements. The extent and degree to which a FI implements the specific guidelines in the Guidelines on Outsourcing should be commensurate with the nature of risks in, and materiality of, the outsourcing. FIs should be able to show MAS that they are following the rules by submitting an outsourced registration to MAS once a year or upon request.

A chapter on cloud computing is included in the new MAS Guidelines on Outsourcing. According to MAS, cloud services can possibly provide a number of benefits, including the following: Large-scale economies of scale, Cost-savings, and Quality system administration is available. Operations that follow a set of security guidelines and best practices Institutions need the flexibility and agility to quickly scale up or down computing resources as user needs change. Boost system resiliency in the event of localized calamities or disruptions.

The MAS further highlighted that it views cloud computing to be a form of outsourcing and that the risks posed to FIs by employing the cloud are similar to those posed by other types of outsourcing agreements. In the same way that a FI would for any other outsourcing deal, FIs are expected to do the requisite due diligence and use solid governance and risk management processes.

The MAS Technology Risk Management (TRM) Guidelines establish risk management concepts and best practice standards to assist financial institutions in the following areas: Putting in place a solid and reliable technology risk management framework, Increasing the security, dependability, robustness, and recoverability of systems, Strong authentication is used to safeguard client data, transactions, and systems.

The Association of Banks in Singapore (ABS) has recently released a handbook for banks looking to enter into cloud outsourcing agreements. The ABS Cloud Computing Implementation Guide contains recommendations that were discussed and agreed upon by members of the ABS Standing Committee for Cyber Security. These recommendations are intended to help banks better understand due diligence, vendor management, and key controls that should be implemented in cloud outsourcing arrangements. Importantly, whereas the MAS Guidelines on Outsourcing and Technology Risk Management are released by the appropriate regulator and provide assistance to a wide range of financial institutions, the ABS Cloud Computing Implementation Guide is not. The guide includes a number of practical suggestions from the banking industry association.

Overall, each virtual bank’s route to cloud adoption is distinct. Virtual banks must understand their existing state, the objective state, and the transition required to achieve the target state in order to successfully implement cloud adoption. Knowing this will aid virtual banks in setting goals and creating workstreams for successful cloud migration.

Profile picture

Experience in software development, application architecture, and deploying cloud solutions for enterprise customers. Strong hands-on skills with a Master's degree in Computer Science and business acumen with a master of business administration (MBA) in Finance. Certified in Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, Kubernetes (CKA, CKAD, CKS, KCNA) and Scrum (PSM, PSPO) with experience in building banking products from scratch. Connect on Linkedin

© 2022, @victorleungtw