Embed Size (px)
Citation preview
1
Risk and RegulatoryQuarterly Newsletter (HK, JP and SG)
Issue 8 – October2016
Regulatory Focus
Cybersecurity–a worldwide, dynamic and increasingly important topic
New York | London | Hong Kong | Singapore | Japan |Dubai | Abu Dhabi | Riyadh | Casablanca | Brussels | Amsterdam | Roma | Milano | Paris | Lyon
1CONFIDENTIAL © 2016 SiaPartners Website : http://www.sia-partners.com | Blog : http://en.finance.sia-partners.com/p a g e
Cyber risk is no longer considered an emerging risk. Every organization should consider the impact of cyber exposures on their financialstatements. Recently, disruptions to digital services have been increasing, and seen in various forms, ranging from system errors to directlydisruptive activities, such as DDoS attacks and indirect disruptions, which are caused by data breaching. The nature of cyber threats is evolvingfaster than the industry can respond, especially the financial services industry. Year after year, cyberattacks continue to escalate in frequency,severity and impact. 93% of businesses are maintaining or increasing their cybersecurity investments to manage these cyberattacks.
• 15 September 2015: publication of a letter drawing the attention of HKMA authorized institutions’ attention to the increasingimportance of cybersecurity risk management.“The Board and the Senior Management […] are expected to play a proactiverole in ensuring effective cyber security riskmanagement”.
• General Principles for Technology Risk Management (June 2003) & Guidelines on Business Continuity Planning following thecyberattack (December 2002).
• 24 August 2015: publication of a letter insisting on the importance of improving on intrusion detection measures as part ofcybersecurity defense planning.
• Technology Risk Management Guidelines (June 2013): general framework on technology risk including requirements relatedto cybersecurity such as Operational Infrastructure Security Management, data centres protection, and controls & paymentcard security.
• July 2015: publication of The Policy Approaches to Strengthen Cyber Security in the Financial Sector.
• First Basic Law for Cyber Security (November 2014): Cyber Security Strategy Headquarters set to inspect strengthening ofcyber security measures and ensure the information security of key infrastructure.
HKMA
MAS
FSANISC
Recent moves in Hong Kong, Singapore and Japan intent to strengthen Cybersecurity practices
1
Issue 8 – October2016
Regulatory Focus
Cybersecurity–a worldwide, dynamic and increasingly important topic
New York | London | Hong Kong | Singapore | Japan |Dubai | Abu Dhabi | Riyadh | Casablanca | Brussels | Amsterdam | Roma | Milano | Paris | Lyon
2CONFIDENTIAL © 2016 SiaPartners Website : http://www.sia-partners.com | Blog : http://en.finance.sia-partners.com/p a g e
HKMA-Cyber Fortification Initiative (CFI) - Overview
Three pillars of CFI
Professional Development Programme
Cyber Intelligence Sharing Platform
Cyber Resilience Assessment Framework (C-RAF)
Key components of C-RAF
Draft consultation sent to AIs
Implementation
25th May, 2016 2017
End of Consultation
31st August 2016 End of 2016
Final paper
Professional Development Programme
Cyber Intelligence Sharing Platform
Cyber Resilience Assessment Framework (C-RAF)
1st
3rd
2nd
Maturity Assessment
Intelligence-led Cyber Attack Simulation
Testing (iCAST)
Inherent Risk Assessment
2
3
1
1) CRAF: This is a risk-based framework for AIs to assess theirinherent risk profile and benchmark the level of defence andresilience that would be required to maintain an appropriatelevel of protection against cyber attacks.
2) Professional Development Programme: The HKMA is workingwith the Hong Kong Applied Science and Technology ResearchInstitute (ASTRI) and the Hong Kong Institute of Bankers (HKIB)on this training and certification programme, which definesqualifications for three levels of expertise within CRAF.
3) Cyber Intelligence Sharing Platform: The HKMA, incollaboration with the ASTRI and the Hong Kong Association ofBanks (HKAB), will launch a platform which provides aninfrastructure for sharing intelligence on cyber attacks.
Inherent Risk Assessment: Banks are required to perform thisassessment to determine their inherent risk level on cyber-attacks and to determine the expected maturity level.
Maturity Assessment: Banks are required to perform amaturity assessment for 25 components under 7 domains todetermine the actual maturity level. If the components’ actualmaturity level is lower than the expected maturity level, thebank will need to formulate an appropriate improvement planto be endorsed by the bank’s management for the submissionto HKMA.
Cyber Intelligence Sharing Platform: Under iCAST, thetraditional penetration test is augmented with furthervalidation of the knowledge from the penetration tester andintroduces threat intelligence to formulate end-to-end testingscenarios. In addition, the iCAST provides KPIs to helpbenchmark the ability of the AI to detect and respond to suchattacks.
What are the Impacts from inherent risk assessment and maturity assessment?
Three key components of CRAFThree pillars of CFI
• Need to carefully plan the technology set-up given it is thelargest driver in determining the inherent risk profile
• Consider use of less complex technology and “not too open butnot too close” operating environment if to avoid a “High”inherent risk profile
• One more dimension to consider when estimating technologycosts for the change-the-bank (CTB) initiatives
• Additional accountability is created for chief executives oralternate chief executives
• The assessment must be performed by qualified personneleither from external consultancy or from independent in-housefunctions (i.e. Internal audit, technology risk management)
• Additional resources for the assessment may be required due toenhanced workload
Given the increasing level of sophistication and potential impact of cyber attacks, HKMA has developed the CFI to further enhance the cyber resilience of the banking sector:
• Need to consider impacts to the inherent risk profile whendetermining your business and operation models
• Need to pay extra care when planning and reviewing theproduct/service offerings given it is the second largest driver indetermining the inherent risk profile.
• Exercise less flexibility in the risk and control self assessment interms of determining inherent risk level, gaps and neededremediation
• Enhance linkage between risk management actions and theinherent risk profile
• Standardize cyber risk assessment processes across the banks,making it possible to compare maturity levels between peers
Risk and Regulatory Quarterly Newsletter (HK, JP, and SG)Issue 8 – October 2016
1
iCAST brings additional governance and intelligence to traditional penetration testing
Issue 8 – October2016
Regulatory Focus
?
New York | London | Hong Kong | Singapore | Japan |Dubai | Abu Dhabi | Riyadh | Casablanca | Brussels | Amsterdam | Roma | Milano | Paris | Lyon
3CONFIDENTIAL © 2016 SiaPartners Website : http://www.sia-partners.com | Blog : http://en.finance.sia-partners.com/p a g e
Traditional Pentesting is well understood by cybercriminals Complex scenarios intelligence, collaboration and strong involvements at board level CFI enables strong governance when an executive board is aware of actions that have to be taken
APAC banks strive to reinforce their Information security framework & governance
… for Banks to efficiently implement an enhanced Information Security TOM, with 4 driving principles:
Investing in Technology is not negotiable, but does not totally solve the equation…The Real Story Behind:
HKMA understands it and proposes the CFI …
Integrate Security inRisk Management
• Information Security should be part of the bank’s overall Risk Management framework.
• Information Security is tightly linked to Operational Risk, and also to any other kind of risk such as Credit Risk, due to thepotential impact on business continuity, regulatory compliance or brand reputation.
Enhance cross-entity collaboration
• The CISO or IT Security team alone can no longer decide & control policies, standards and procedures that impact allentities across the Bank. Therefore, Business Lines, Operations, IT Development & IT Production teams should workclosely interact to make informed decisions which will collectively protect the right assets at the right cost.
Steer at Board level• Information Security is no longer only an IT, Operations or even Risk topic only: it now spans across any company Board.
• Due to this transversal nature and the possibility of far-reaching impacts, more mature companies now steer cybersecurity
at the Executive Committee level.
Become responsive
• The 90’s static approach for first setting up IT Security rules, then applying controls, is no longer valid. Efforts shouldfocus on identifying suspicious events before a security incident occurs & quickly responding to a security breach.
• Banks need to embrace a fully-dynamic approach, to control risk scenarios & protect assets according to their businessvalue.
Technology adoption only reduces mean cost of Cybersecurity incidents
Patchworks of point solutions are difficult to manage, create vulnerabilities, and reduce security
More is spent on Technology, but Cybercrime has never been more profitable
This shows the limit of traditional strategies against Cybercrime
Risk and Regulatory Quarterly Newsletter (HK, JP, and SG)Issue 8 – October 2016
33
Risk and Regulatory Quarterly Newsletter (HK, JP, and SG)Issue 8 – October 2016
3
Regulatory Updates
New York | London | Hong Kong | Singapore | Japan |Dubai | Abu Dhabi | Riyadh | Casablanca | Brussels | Amsterdam | Roma | Milano | Paris | Lyon
4CONFIDENTIAL © 2016 SiaPartners Website : http://www.sia-partners.com | Blog : http://en.finance.sia-partners.com/p a g e
Global | Key BCBS Regulatory Updates Source: BCBS
Date
Published Title Regulator’s Purpose and Objectives
11 Jul 16Revised securitisation framework with capital treatment for "simple, transparent and comparable" securitisations
The published standards sets out additional criteria for differentiating the capitaltreatment of STC securitisations from that of other securitisation transactions. Theadditional criteria excludes transactions in which the standardised risk weights forthe underlying assets exceed certain levels. This ensures that securitisations withhigher-risk underlying exposures do not qualify for the same capital treatment asSTC-compliant transactions. Compliance with the expanded set of STC criteriashould provide additional confidence in the performance of the transactions, andthereby warrants a modest reduction in minimum capital requirements for STCsecuritisations.The final standard has scaled down the risk weights for STC securitisationexposures, and has reduced the risk weight floor for senior exposures from 15%to 10%.
29 Aug
Implementation of Basel standards - A report to G20 Leaders on implementation of the Basel III regulatory reforms
Full, timely, and consistent implementation of Basel III remains fundamental tobuilding a resilient financial system, maintaining public confidence in regulatoryratios and providing a level playing field for internationally active banks. Thisreport updates G20 Leaders on progress and challenges in the implementation ofthe Basel III regulatory reforms since November 2015, when the Basel Committeelast reported to the G20.The report summarises the steps taken by Basel Committee member jurisdictionsto adopt the Basel III standards, banks' progress in bolstering their capital andliquidity positions, and the consistency of implementation in jurisdictions assessedsince the Committee's last report and the Committee's implementation work plan.
13 Sep 16 Basel III Monitoring Report
The Committee established a rigorous reporting process to regularly review theimplications of the Basel III standards for banks and it has published the results ofprevious exercises conducted since 2012.Data has been provided for a total of 228 banks, comprising 100 largeinternationally active banks and 128 "Group 2 banks".On a fully phased-in basis, data as of 31 December 2015 shows that all largeinternationally active banks meet the Basel III risk-based capital minimumCommon Equity Tier 1 (CET1) requirements, as well as the target level of 7.0%.
Global | Key FSB Consultation Paper Source: FSB
Date
Published Title Regulator’s Purpose and Objectives
16 Aug 16Essential Aspects of CCP Resolution Planning
This consultation paper focuses on several key aspects of the resolution of CCPs.It is based on the "FSB Key Attributes of Effective Resolution Regimes forFinancial Institutions" and “Implementation Guidance on Financial MarketInfrastructure (IMF)." This consultation covers the following aspects related to theresolution planning of CCPs:1. The time of entry into resolution2. The adequacy of financial resources3. Tools to rebalance the accounts and the allocation of losses in default4. The application of the safeguard "No Creditor Worse Off" and the treatment of
CCPs capital by resolution5. Cross-border cooperation and effective resolution action
33
Risk and Regulatory Quarterly Newsletter (HK, JP, and SG)Issue 8 – October 2016
3
Regulatory Updates
New York | London | Hong Kong | Singapore | Japan |Dubai | Abu Dhabi | Riyadh | Casablanca | Brussels | Amsterdam | Roma | Milano | Paris | Lyon
5CONFIDENTIAL © 2016 SiaPartners Website : http://www.sia-partners.com | Blog : http://en.finance.sia-partners.com/p a g e
Hong Kong | Key HKMA Regulations Source: HKMA
Date
Published Title Regulator’s Purpose and Objectives
30 Jun 16Financial Institutions (Resolution) Ordinance gazette
The Government published the Financial Institutions (Resolution) Ordinancewhich establishes a resolution regime in Hong Kong to mitigate the risks posed bythe non-viability of systemically important financial institutions to the stability andeffective workings of the financial system of Hong Kong. Under the Ordinance, theMA, the Insurance Authority (IA) and the SFC are conferred the power asregulation authorities. They are vested with a range of necessary powers tooversee and implement orderly resolution of the failure of a systemically importantfinancial institution. This means they maintaining continuity of access to theessential financial services it provides by imposing losses on creditors, whilstminimizing the risks posed to public funds.
30 Jun 16Supervisory Policy Manual (SPM): CR-G-12 Credit Risk Transfer Activities
This is a guidance note on the new SPM model replacing the existing module ofCR-G-12 "Credit Derivatives" and Guideline No. 4.6, about credit risk transfer(CRT) activities. Key sections include:1) The key elements of effective management of CRT activities and provideguidance on specific risk management topics2) HKMA’s supervisory approach to CRT activities, based on the "proportionalityprinciple”
29 Jul 16Supervisory Policy Manual (SPM): LM-1 “Regulatory Framework for Supervision of Liquidity Risk”
This document is a revision on the existing “Liquidity Risk Management”. Itincludes:1) An outline of the MA’s approach to supervising AIs’ liquidity risk2) An overview of the statutory requirements in respect of the Liquidity CoverageRatio (LCR) and the Liquidity Maintenance Ratio (LMR), as well as their updatedguidance3) The approach and criteria adopted by the MA for the designation of category 1institutions which are subject to the LCR requirements4) Guidance on the disclosure of liquidity information by AIs, under the Banking(Disclosure) Rules
Hong Kong | Key HKMA Consultation Papers Source:HKMA
Date
Published Title Regulator’s Purpose and Objectives
15 Jul 16
Consultation conclusions on introducing mandatory clearing and expanding mandatory reporting for OTC derivatives market
This is a conclusion of consultation regarding the introduction of mandatoryclearing and expansion of mandatory reporting for OTC derivatives. It outlinesvarious technical aspects of for the next stage of the regime. Key Highlightsinclude:1) removal of the requirement to submit in PDF format when reporting transactions2) Clarification, guidance and conclusion on proposed specific data fields3) acceptance of internal code references when reporting transactions involvingprivate individuals4) Provide a list of financial services providers for the purpose of mandatoryclearing
Hong Kong | Other Key HKMA Release Source: HKMA
Date
Published Title Regulator’s Purpose and Objectives
6 Sep 16 Fintech Supervisory Sandbox (FSS)
This is a circular about the launch of the Fintech Supervisory Sandbox (FSS). TheFSS is developed to facilitate pilot trials of Fintech and other technology initiativesof from authorized institutions (AIs) before a full-scale launch. The FSS isavailable to Fintech as well as other technology initiatives intended to be launchedin Hong Kong by AIs. Within the FSS, an AI is allowed to conduct a pilot trial of itsinitiatives involving actual banking services and a limited number of participatingcustomers (such as staff members or focus groups of selected customers) withoutthe need to achieve full compliance with the HKMA’s usual supervisoryrequirements during the trial period.
33
Risk and Regulatory Quarterly Newsletter (HK, JP, and SG)Issue 8 – October 2016
3
Regulatory Updates
New York | London | Hong Kong | Singapore | Japan |Dubai | Abu Dhabi | Riyadh | Casablanca | Brussels | Amsterdam | Roma | Milano | Paris | Lyon
6CONFIDENTIAL © 2016 SiaPartners Website : http://www.sia-partners.com | Blog : http://en.finance.sia-partners.com/p a g e
Japan | Japan Securities Dealers Association Source: JSDA
Date
Published Title Regulator’s Purpose and Objectives
30 Jun 16Final report of the working group on shortening stock settlement cycle
In July 2015, the Japan Securities Dealers Association (JSDA), TSE (TokyoStock Exchange) and JSCC (Japan Securities Clearing Corporation) set up theWorking Group on Shortening Stock Settlement Cycle (WG) to conductdiscussion among market participants and related parties and ultimately shortenthe stock settlement cycle in Japan (change of settlement cycle to T+2).Following the publication of the interim report of December 2015, the final reportdetailed key policies for each task related to cycle time migration to T+2 (go livein 2019 Q2).
30 Jun 16Report of the Working Group on Asset Management
The Japan Securities Dealers Association (JSDA) asset management workinggroup published a report highlighting measures to strengthen the Japanese assetmanagement industry and to provide investment products that would tie in withinvestors’ medium- to long-term asset building.
21 Sep 16Comments to FSB's Proposal on Structural Vulnerabilities from Asset Management Activities
The Japan Securities Dealers Association (JSDA) submits comments to keyinternational bodies and standard setters including G20, Financial Stability Board(FSB), the Basel Committee on Banking Supervision (BCBS) and theInternational Organization of Securities Commissions (IOSCO).
Hong Kong | Key Inland Revenue Department Regulatory Updates Source: IRD
Date
Published Title Regulator’s Purpose and Objectives
9 Sep 16CRS Guidance for Financial Institutions on HK IRD issues
This is a guidance intended to aid financial institutions in complying with theirobligations under Part 8A of the Inland Revenue Ordinance (Cap. 112). It containsthe Department’s views on the due diligence procedures required by the CommonReporting Standard of the Organization for Economic Co-operation andDevelopment (OECD). It also contains a set of sample self certification form forreference and adoption by reporting financial institutions and Financial Account
Japan | U.S. Commodity Futures Trading Commission Source: CFTC
Date
Published Title Regulator’s Purpose and Objectives
9 Aug 16
Final rules for testing requirements of system safeguards and a comparability determination for Japan’s uncleared swap margin rules for approval of substituted compliance purposes
The U.S. Commodity Futures Trading Commission (CFTC) approved two finalrules for system safeguards testing requirements, as well as a comparabilitydetermination for Japan’s margin requirements for uncleared swaps.
Singapore | Key MAS Regulations Source: MAS
Date
Published Title Regulator’s Purpose and Objectives
27 Jul 16 Operational Risk Management Framework
Operational Risk Management Framework sets out the key elements expected ofan institution’s operational risk management framework and includes guidelineson business continuity and outsourcing.The framework is updated to include the below documents and includes guidanceon Cloud services:1) Outsourcing Guidelines Jul 20162) Outsourcing Guidelines Jul 2016 Annex 33) Outsourcing Guidelines Jul 2016_FAQ4) Response to Consult Outsourcing Guidelines Jul 2016
33
Risk and Regulatory Quarterly Newsletter (HK, JP, and SG)Issue 8 – October 2016
3
Regulatory Updates
New York | London | Hong Kong | Singapore | Japan |Dubai | Abu Dhabi | Riyadh | Casablanca | Brussels | Amsterdam | Roma | Milano | Paris | Lyon
7CONFIDENTIAL © 2016 SiaPartners Website : http://www.sia-partners.com | Blog : http://en.finance.sia-partners.com/p a g e
Singapore | Key MAS Regulations (Cont’d) Source: MAS
Date
Published Title Regulator’s Purpose and Objectives
22 Aug 16Circular on Margin Requirements for Non-Centrally Cleared Derivatives
As part of the consultation paper published by MAS on 1-Oct-2015, it wasproposed originally that margin requirements for uncleared derivatives would bephased in from 1 September 2016.This circular is to convey MAS decision to defer the implementation beyond 1September 2016 which is seen as the most practical way forward at this point intime by MAS.The circular also says that MAS will continue to monitor progress in theimplementation schedules of other major markets, and will announce a revisedphase-in schedule for Singapore in due course.
1 Sep 16 TDSR Rules on Refinancing Fine-tuned
The Monetary Authority of Singapore (MAS) announced that the refinancing rulesunder the Total Debt Servicing Ratio (TDSR) framework will be fine-tuned to allowborrowers more flexibility in managing their debt obligations. This is in response tofeedback from some borrowers who are unable to refinance their existing propertyloans owing to the application of the TDSR threshold of 60 per cent.
Singapore | Key MAS Consultation Papers Source: MAS
Date
Published Title Regulator’s Purpose and Objectives
15 Jul 16 RBC 2 Review - Third Consultation
The Risk-Based Capital (“RBC”) framework for insurance companies was firstintroduced in Singapore in 2004. To cater to the need of reviewing the frameworkto enhance its risk sensitivity and global regulatory developments and follow-up tothe second consultation paper, MAS has published this third consultation papertaking into account the feedback received from the second consultation paper onMAS’ review of the RBC framework (“RBC 2”) in 20141, as well as the subsequentengagements MAS had with the industry. It contains detailed technicalspecifications for insurers to conduct the second full scope Quantitative ImpactStudy (“QIS 2”). Participating in QIS 2 will help insurers fully understand theimpact of the revised RBC 2 proposals and provide feedback on implementationissues.
18 Jul 16Consultation Paper on Enhancements to Regulatory Requirements on Protection of Customers Moneys and Assets
This consultation paper on enhancements to regulatory requirements andprotection of customers money and assets is published by MAS to enhance theregulatory regime governing the protection of client moneys and assets held bycapital markets intermediaries. These proposed enhancements take into accountthe international standards promulgated by the International Organization ofSecurities Commission (“IOSCO”) and Financial Stability Board (“FSB”). Theproposals in this consultation paper will subsequently be effected via new rules,which MAS will consult on after considering feedback from this consultation.
25 Aug 16MAS Proposes New Regulatory Framework and Governance Model for Payments
The Monetary Authority of Singapore (MAS) released a consultation paper onproposed changes to the payments regulatory framework and establishment of aNational Payments Council.
Singapore | Other Key MAS Release Source: MAS
Date
Published Title Regulator’s Purpose and Objectives
12 Sep 16Singapore and Switzerland to Expand Cooperation on FinTech
The Monetary Authority of Singapore (MAS) and the Swiss Financial MarketSupervisory Authority (FINMA) signed a cooperation agreement to foster greatercooperation on FinTech. This initiative was launched based on the secondFinancial Dialogue between MAS and the State Secretariat for InternationalFinance (SIF). The annual Dialogue aims to deepen bilateral cooperation andexchange views on domestic and international financial market developments andpolicies.
7
Risk and Regulatory Quarterly Newsletter (HK, JP, and SG)Issue 8 – October 2016
New York | London | Hong Kong | Singapore | Japan |Dubai | Abu Dhabi | Riyadh | Casablanca | Brussels | Amsterdam | Roma | Milano | Paris | Lyon
8CONFIDENTIAL © 2016 SiaPartners Website : http://www.sia-partners.com | Blog : http://en.finance.sia-partners.com/p a g e
Innovation and Strategic Technology Investment in Post Financial Crisis Environment Read more….
KYC On-Boarding Technologies – Solutions in the APAC Financial Services Industry
-- Part I-KYC Utility Model Read more…
-- Part II-Mobile KYC onboarding & blockchain KYC Read more…
Let’s get onboarded Read more…
Interview with Dr. Frank Tong & Dr. Duncan Wong of Hong Kong Applied Science and Technology Research Institute (ASTRI)
-- Part I-Introduction of ASTRI Read more…
-- Part II-Cyber Threat Read more…
-- Part III-Cybersecurity Fortification Initiative (CFI) and Future Cybersecurity Development Read more…
Sia Partners Compliance Booklet for Asia Read more…
The Panama Papers: Implications for Banks Read more…
Your Risk & RegulatoryContacts in Asia
Vincent KASBI
Head of Asia
David HOLLANDER
Head of Singapore
Nicolas TOLLIE
Head of Japan
Helina LO
Project Director, Hong Kong
Victoria NG
Manager, Hong Kong
About SiaPartners
Latest Sia Partners’ Financial Blog Updates
