Upload
vijaypaliwal9903
View
225
Download
0
Embed Size (px)
Citation preview
8/11/2019 Tech Risk Management 201307
1/38
www.pwc.com/sg
July 2013
Issue 1
Global Regulatory
Technology RiskRequirements
MAS Technology
Risk Management
Competitive
Intelligence
Appendix
Case StudyUseful Resources
2 5 27 32
Technology Risk Management
Managingtechnology risk isnow a business
priority
8/11/2019 Tech Risk Management 201307
2/38
PwC
GlobalRegulatoryTechnologyRiskRequirements
2
8/11/2019 Tech Risk Management 201307
3/38
8/11/2019 Tech Risk Management 201307
4/38
PwC
Impact of regulation: Overview
The interplay ofnew technologyrisk regulationwith othermarket changes
is drivingwide-rangingbusinessimpacts
Change-driven business impacts
Strategic ImpactsAttractiveness of markets, business
models and portfolios under new rules Operational effectiveness and cost
management Driven by strategic business choices and
new reporting/transparencyrequirements
Organisation, governance and culture Incentives and governance rules the
subject of more intense regulatory
interest GAAPchanges
RiskMgmt
Tax
TechnologyRisk
FATCA
Accountingpolicies
Capital &liquidity
Riskprocesses
Structuring/levies
Reserving
ExecCompensation
Disclosure Payment
structures Incentives
AML
External
Environment
FS Reg
ulations
Slow growth Depressedyields
4
8/11/2019 Tech Risk Management 201307
5/38
PwC
MASTechnologyRiskManagementNotices and
Guidelines
5
8/11/2019 Tech Risk Management 201307
6/38
PwC
Technology Risk ManagementNotice and Guidelines
The Notice and Guidelines were issued on 21 June 2013.
Notice will be effective on 1 July 2014.
All 12 notices tied to the Singapore Act and Laws willimpact:
All Financial Institutions (FIs) (See Appendix fordefinitions)
Includes all IT systems
6
Non compliance to the Notice can result in: Financial penalties Reputational damage Revocation of licence to operate in Singapore
The new MAS
Technology RiskManagementGuidelines (TRMG)have beenenhanced to help
financialinstitutionsimprove oversightof technology riskmanagement and
security practices.
8/11/2019 Tech Risk Management 201307
7/38
PwC
What are the implications ofthe Notice ?
Perform a Business Impact Analysisto identify Critical Systems
A FI shall put in place a framework andprocess to identify critical systems 1
Test your Disaster Recovery (DR)Plans are robust
Recovery Time Objective (RTO) of 4 hours for critical systems
2Encrypt customer data to protect
A FI shall implement IT controls to protectcustomer information from unauthorisedaccess or disclosure 3
Active: Active infrastructureHigh availability for critical systems 4 hours of unscheduled downtime 4Real time monitoring and reporting
procedures
Inform MAS of major security incidents,systems malfunction within 60 minutesand submit root cause with 14 days 5
7
8/11/2019 Tech Risk Management 201307
8/38
With the new
TRM Notice andGuidelines,six groupedareas that
impact yourbusiness wereidentified
1
Notice 2System Availability,Incident and CapacityManagement
4
Development andChange Management
3
OperationalInfrastructureSecurity and AccessManagement
5
Mobile OnlineServices
6Others
8PwC
8/11/2019 Tech Risk Management 201307
9/38
The Notice hasclear definitionsand are legallybindingrequirement forFIs
Notice Consultation Paper TRMG 2013
Single NoticeEach type of FI (banks, insurance company, brokers, etc.) isissued one Notice, but the contents is the same.
No Definitions
Redefinition of following terms: Critical system: Failure of which will cause significant
disruption into the operations of the FI or materially impactthe FIs service to its customers
System malfunction: failure of any of the FI's critical systems Relevant incident: System malfunction or IT security
incident, which has a severe and widespread impact on theFI's operations or materially impacts the FI's service to itscustomers
Notification to MASwithin 30 minutes for
all IT SecurityIncidents
Notification: no later than 1 hour upon discovery of a relevantincident. Upon discovery refers to after the FIs have ascertained
the nature and magnitude of an IT incident meets the criteriaset out in the Notice.
Submission of rootcause analysis withinone month
Root cause analysis changed to: submit within 14 days ofdiscovery. Can request for extension.
2 3 41 5 6
9PwC
8/11/2019 Tech Risk Management 201307
10/38
Consultation Paper TRMG 2013
Achieve near zero systemdowntime for criticalsystems
Achieve high availability for critical systems.
Public announcement ofmajor incidents should bemade in a timely manner
This requirement was removed. Expectation BCP willaddress this matter.
Conduct quarterly trendanalysis
Removal of quarterly trend analysis.
No RequirementsFI should inform MAS as soon as possible in the event thata critical system has failed over to its disaster recoverysystem.
SystemAvailability,Incident andCapacity
Management
2 3 41 5 6
10PwC
8/11/2019 Tech Risk Management 201307
11/38
Consultation Paper TRMG 2013
No requirement toencrypt USB disks.
Encrypt USB disks containing sensitive or confidentialinformation before transporting to off-site for storage. Theencrypting of sensitive information should be performed onall mediums that are transported off-site.
No requirement fortimeframe of review.
Evaluate the recovery plan and incident responseprocedures at least annually.
No detailedrequirements
New requirements: FI to ensure that indicators such as performance,
capacity and utilisation are monitored and reviewed. FI should establish monitoring processes and
implement appropriate thresholds to provide sufficienttime for the FI to plan and determine additionalresources to meet operational and businessrequirements effectively.
SystemAvailability,Incident andCapacity
Management
2 3 41 5 6
11PwC
8/11/2019 Tech Risk Management 201307
12/38
Strongauthentication oncustomer andtransactionalprocessing
OperationalInfrastructureSecurity andAccessManagement
Consultation Paper TRMG 2013
Implement 2FA forprivileged users
Implement strong authentication mechanisms forprivileged users.
Quarterly VulnerabilityAssessment requirement
Frequency of vulnerability assessment is removed.Expectation to perform annual penetration test is stillrequired.
2 3 41 5 6
12PwC
8/11/2019 Tech Risk Management 201307
13/38
Developmentand Change
Management
Non-productionenvironments canconnect to theinternet
Consultation Paper TRMG 2013
Only allowedproductionenvironment to beconnected to theInternet
Non-production environment is now allowed to connect tothe internet provided a risk assessment has been performedand appropriate controls are in place.
2 3 41 5 6
13PwC
8/11/2019 Tech Risk Management 201307
14/38
MobileOnline
Services
Magneticstripes areallowed
Consultation Paper TRMG 2013
Transaction-signing forhigh-risks / high-valuetransactions
Online financial systems servicing institutional investors,can use alternate controls, if assessed to be equivalent orbetter than using token-based mechanisms to authorisetransaction.
Magnetic stripes werenot allowed
If, for interoperability reasons, transactions could only be
effected by using information from the magnetic stripe on acard, the FI should ensure that adequate controls areimplemented to manage these transactions.
2 3 41 5 6
14PwC
8/11/2019 Tech Risk Management 201307
15/38
Others
More areas tofocus on
Consultation Paper TRMG 2013
Archival ofcryptographic key
The requirement that cryptographic keys should only beused for a single purpose, and archival of keys has beenremoved. Expectation a Key Management policy shouldcover lifecycle of keys.
Reliability and resiliencyRequirement to implement mirrored / parity redundancyfor RAID (Redundant Array of Independent Disk), as wellas allocation and configuration for hot spares removed.
Requirement for ITAudit to validate andverify issues raised byMAS inspection
Removal of IT audit (IA) requirement. Expectation that ITAudit will review MAS findings.It is good practice for IA to be aware of relevant issues andconsider as part of their risk universe.
2 3 41 5 6
15PwC
8/11/2019 Tech Risk Management 201307
16/38
Consultation Paper TRMG 2013
Requirement forclearing browser cacheafter online session didnot exist
Added one pre-caution that FI should advise the customerto adopt "clear browser cache after the online session.Expectation this be part of customer awareness.
Onsite visit to Datacentres, or serviceproviders should be
performed
Removed, good practice would verify data centres andservices providers are compliant to IT Outsourcing
requirements and MAS TRM guidelines.
Verify the authenticityand integrity of themobile apps
Removed; but transaction-signing should be implementedfor authorising transactions.
PIN should be changed
regularly
Added or when there is any suspicion that it has been
compromised or impaired.
2 3 41 5 6
16PwC
Others
More areas tofocus on
8/11/2019 Tech Risk Management 201307
17/38
Summary of Gap Analysis between IBTRM(Internet Banking and Technology Risk Management)
and the new TRM Notice and Guidelines
17
Applicable to all financial institutions and include all IT systems (inclusive internet).
64% 19% 17%
New and EnhancedRequirements
No Change inRequirements
Clarifications andStatements Update
PwC
8/11/2019 Tech Risk Management 201307
18/38
System Availability and Incident Management Impact and Costs
18PwC
Framework Processes Systems Cost
Define critical systems L
Critical Systems need to have high availability with 4 hours of unscheduled downtime
H
Mechanism to monitor downtime May be M-H
Develop and implement Recovery Plan for CriticalSystems (RTO) of 4 hours. Test & validateannually
H
Develop and implement incident handling process
to achieve 1 hr response upon discovery of relevantincident H
Develop and capacity management process May be M-H
Dependency and complexity in involving 3rdparty service providers
Legend: L Low; M Medium; H- High
Action Required Impact
8/11/2019 Tech Risk Management 201307
19/38
TechnologyRiskManagement
Guideline vs.IBTRM v3-Themes
19PwC
1
Technology RiskManagementFramework, Roles ofSenior Mgmt & Board
4
OperationalInfrastructureSecurity Management5
System Availability
and InfrastructureManagement
6
Others
3
Mobile OnlineServices
2
Enhanced DataCentre Requirements
8/11/2019 Tech Risk Management 201307
20/38
TechnologyRiskManagementFrameworkand Role of
SeniorManagementand the
Board
20
Key Requirements What you need to consider
Senior management involvementin the IT decision-making process
Implementation of a robust riskmanagement framework
Effective risk register bemaintained and risks to beassessed and treated
Implementation of a employeescreening process and annualsecurity awareness training
How is senior managementinvolved in IT decision makingand risk management?
Is there an effective governance in
place to ensure the board canmake informed decisions?
Is there a formalised IT riskmanagement framework in place?
Do employee screening processesinclude the third parties?
2 3 41 5 6
PwC
8/11/2019 Tech Risk Management 201307
21/38
EnhancedData CentreRequirements
21
Key Requirements What you need to consider
Data centre security shouldinclude physical: security guards,card access systems, mantraps
and bollards etc.
Define your data centres andclassify the critical systems inscope
The TVRA needs cover allpossible scenarios
A robust Threat and Vulnerability RiskAssessment (TVRA) should be performed oncritical systems and data centres
2 3 41 5 6
PwC
8/11/2019 Tech Risk Management 201307
22/38
MobileOnline
Services
22
Key Requirements What you need to consider
A security strategy that includedthe MAS requirements
Identification of fraud scenariosand payment card fraud countermeasures on mobile devices
Sensitive data should be encrypted
Customers should be educated onsecurity
Does your current security strategyencompass mobile bankingapplications?
Does current risk assessmentconsider mobile banking fraud,mobile-application?
What is sensitive data? Isinformation other thanauthentication-specific informationencrypted on the local device?
2 3 41 5 6
PwC
8/11/2019 Tech Risk Management 201307
23/38
OperationalInfrastructureSecurityManagement
23
Key Requirements What you need to consider
Inventory of software andhardware components and end of
support/life (EOS/L) Baseline standards for security
configurations
A robust patch managementprocess
Real-time monitoring of securityevents
Detection of unauthorised changesto critical systems
An asset management databasethat includes critical systems thatcan be monitored
File and system integritymonitoring
How does your current patchmanagement process classifypatches? Do you have a patchmanagement strategy that works?
How are you monitoring yourdatabase configuration changesand privileged access?
2 3 41 5 6
PwC
8/11/2019 Tech Risk Management 201307
24/38
SystemAvailabilityand
InfrastructureManagement
24
Key Requirements What you need to consider
Redundancies for single points of
failures (Cross-border)
Recovery time objective (RTO) andrecovery point objective (RPO)
Recovery plan and testing
Incident response procedures
Problem management process(root-cause analysis)
Are you looking at an Active/Active, or Active/Passive serviceto meet these guidelines and the
Notice. (n+1)
Have all critical systems andnetwork components (on andoffshore) been included?
Do you have a dedicated CERT anda defined plan for security andmajor incidents?
How and who will manage thepublic announcements anddisclosure?
2 3 41 5 6
PwC
8/11/2019 Tech Risk Management 201307
25/38
Others - ITSM(InformationTechnology
ServiceManagement)& Acquisitionand
Developmentof
Information
Systems
25
Key Requirements What you need to consider
A robust IT service management
framework should beimplemented
Problem management trendanalysis
A project management frameworkshould be used and established
End user applications should bedeveloped inline with bestpractices
Is there a problem managementprocess in place? Are you usingInformation TechnologyInfrastructure Library (ITIL)?
How and are you reviewingprojects and procurements ofsystems against the needs of thebusiness post implementation?
Is a cost benefit analysis andbusiness case developed for allsystem changes?
Do you know what end usertools/spreadsheets/ macros arecritical to your business? Whatwas the methodology used todevelop these tools?
2 3 41 5 6
PwC
8/11/2019 Tech Risk Management 201307
26/38
26
2 3 41 5 6
PwC
Others PaymentCard Security
Key Requirements What you need to consider
Sensitive payment card datashould be encrypted
Secure chips should be deployedto store sensitive payment card
FIs should only allow onlinetransaction authorisation
Implementation of FraudDetection Systems (FDS) withbehavioural scoring
Where is your payment card datastored? and is the data encryptedwhen stored and duringprocessing?
Is a FDS in place that usesbehavioural scoring?
8/11/2019 Tech Risk Management 201307
27/38
PwC
Competitive
intelligence
Our observationof industrypractices
27
8/11/2019 Tech Risk Management 201307
28/38
PwC
What you should consider
ScopeDefine your scope and risk assess your
critical systems
Feasibility
Perform a GAP analysis against the
TRM Notice and Guidelines
Ownership Obtain buy in from key stakeholders
Governance Create a robust governance structurethat can guide the development oforganisation controls
Ensure a robust
Technology
Risk
Managementframework is in
operation to
meet your
complianceresponsibilities
28
8/11/2019 Tech Risk Management 201307
29/38
PwC
27%
14%
10%9%
8%
8%
7%
7%
7%
3% 3%
Operational Infrastructure Security ManagementAccess ControlOnline Financial ServicesIT Service ManagementOversight of Technology Risks by Board and Senior ManagementData Centres Protection and ControlsSystems Reliability, Availability, and RecoverabilityManagement of It Outsourcing RisksAcquisition and Development of Information SystemsTechnology Risk Management FrameworkIT Audit
Banking benchmarking of issues
The single most popular issue:
Management of IT OutsourcingRisks, representing 7% of issues
reported
1
2Highest number of issues:
Operational Infrastructure SecurityManagement, representing 27% of
issues reported
12
Reported Issues by Domain
29
8/11/2019 Tech Risk Management 201307
30/38
PwC
31%
13%
11%
10%
10%
9%
6%4%
4%1%1%
Operational Infrastructure Security ManagementAcquisition and Development of Information SystemsOnline Financial ServicesIT Service ManagementOversight of Tech Risks by Board and Senior MgmtAccess ControlManagement of It Outsourcing RisksData Centres Protection and ControlsSystems Reliability, Availability, and RecoverabilityIT AuditTechnology Risk Management Framework
Insurance benchmarking of issues
The single most popular issue:
Management of IT OutsourcingRisks, representing 6% of issues
reported
1
2Highest number of issues:
Operational Infrastructure SecurityManagement, representing 31% of
issues reported
1
2
Reported Issues by Domain
30
8/11/2019 Tech Risk Management 201307
31/38
PwC
Ac
tivity
PwCs 4-Step MAS TRM Compliance program
12
Gap analysisfollowed by
risk prioritisation
Review existingframework, processes
& systems
ImplementProcesses &
Systems
Set up governancestructure and process
Test effectiveness ofsolutions and controls
Design TRMframework, policies,processes and related
controls
Design governancestructure to address
new requirements
Define and designtechnology solutions
Regular Post-implementation
review
On-going monitoringof risks and
effectiveness ofcontrols
Assess Define
Implementation
& Rollout
Review
& Monitor
Deliverables
Gap Analysisresults
Prioritise theissues
RemediationAction plan
TRM framework,policies, processes& controls
TRM governancestructure
TechnologySolutionSpecification
Rolled outprocesses solutions
Training materialsand proceduredocuments
Pre-implementationtest results
Technology riskreporting andregular test results,e.g. RTO
Compliance reviewreport
31
8/11/2019 Tech Risk Management 201307
32/38
PwC
Appendix:
Case Studies
32
8/11/2019 Tech Risk Management 201307
33/38
PwC
Case Studies Onshore banking
Assisted all stakeholders tounderstand their information
assets and technology risks. Insights on regulations
helped the bank making cost-effective decisions
Strong focus on adherence tobudgeted spend has beenobserved when definingsystems that require RTO of 4hours
Enabled the bank to reportto MAS that it has completedits first round of assessmentsin a timely manner
Provided an efficientapproach that enables thebank to capture and addressrisks in a uniform manner
The MAS completed its inspectionof Technology and issued a reportcontaining a number of findings.1. Risk Management of process
around critical systems2. Adhering to 4 hours RTO
PwC were engaged tofacilitate the remediationeffort: understanding the current
production environment/architecture for all criticalapplications and the business
lines supported by thoseapplications engaging stakeholders from
business, IT, technology riskand operational risks in riskassessment workshops
identify critical informationand technology assets residingin each application and
analyse possible consequencesthat bank may face
review the design effectivenessof internal controls in place
assess residual risks andfacilitate the discussion withstakeholders on treatmentplans if required
ImpactIssue Action
33
8/11/2019 Tech Risk Management 201307
34/38
PwC
Case Studies Offshore banking
The Global bank engaged PwC toperform an assessment to evaluatetheir Global stance on Technologypolices, procedures and controlsadherence to APAC regulators, withover 72 issues for Singapore. To address these , issues, a MAS
program was initiated and PwC
were engaged to facilitate theremediation effort:
understanding the currentprescriptive changes that canprocessed for a quick wins
engaging stakeholders frombusiness, to develop multipleplans to find cost effective
solution to especially withglobal data centres hostingcritical systems for Singapore
The MAS program provides agreat opportunity to make policychanges and innovate with cost
effect solutions already usedelsewhere in the bank: PwC have developed a
framework to adhere to futureregulatory requirements
Developed innovate solutionswith the banks staff to save costand become compliant
ImpactIssue Action
34
8/11/2019 Tech Risk Management 201307
35/38
PwC
Appendix:
UsefulResources
35
8/11/2019 Tech Risk Management 201307
36/38
PwC
Useful
Resources
The MAS TRM Notice:
http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-
and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=
Useful documents:
Instructions on Incident Notification and Reporting to MAS Incident Report Template FAQs Notice on Technology Risk ManagementGuidelines MAS TRM Guidelines
The documents above can be found by following the link below.http://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspx
36
http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspxhttp://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=http://www.mas.gov.sg/regulations-and-financial-stability/regulations-guidance-and-licensing.aspx?sc_p=2&sc_y=&sc_type=&sc_q=8/11/2019 Tech Risk Management 201307
37/38
PwC
Definition of Financial Institution
Financial institution has the same meaning as in section 27A(6) of Monetary Authority of Singapore Act(Cap.186).
(a) any bank licensed under the Banking Act (Cap. 19);
(b) any finance company licensed under the Finance Companies Act (Cap. 108);
(c) any person that is approved as a financial institution under section 28; [13/2007 wef 30/06/2007]
(d) any money-changer licensed to conduct money-changing business, or any remitter licensed to conduct remittancebusiness, under the Money-changing and Remittance Businesses Act (Cap. 187);
(e) any insurer registered or regulated under the Insurance Act (Cap. 142);(f) any insurance intermediary registered or regulated under the Insurance Act;
(g) any licensed financial adviser under the Financial Advisers Act (Cap. 110);
(h) any approved holding company, securities exchange, futures exchange, recognised market operator, designatedclearing house or holder of a capital markets services license under the Securities and Futures Act (Cap. 289);
(i) any trustee for a collective investment scheme authorised under section 286 of the Securities and Futures Act, that isapproved under that Act;
(j) any trustee-manager of a business trust that is registered under the Business Trusts Act (Cap. 31A);
(k) any licensed trust company under the Trust Companies Act (Cap. 336);(ka) any holder of a stored value facility under the Payment Systems (Oversight) Act (Cap. 222A); and [42/2007 wef01/11/2007]
(l) any other person licensed, approved, registered or regulated by the Authority under any written law,
but does not include such person or class of persons as the Authority may, by regulations made under this section,prescribe.
37
8/11/2019 Tech Risk Management 201307
38/38
This presentation has been prepared for general guidance on matters of interest only, anddoes not constitute professional advice. You should not act upon the information contained in
this publication without obtaining specific professional advice. No representation or warranty
(express or implied) is given as to the accuracy or completeness of the information contained
in this publication, and, to the extent permitted by law, PricewaterhouseCoopers, its members,
employees and agents do not accept or assume any liability, responsibility or duty of care for
any consequences of you or anyone else acting, or refraining to act, in reliance on the
information contained in this publication or for any decision based on it.
2013 PricewaterhouseCoopers Limited. All rights reserved. In this document, PwC refers to
PricewaterhouseCoopers Limited which is a member firm of PricewaterhouseCoopers
International Limited, each member firm of which is a separate legal entity.
Focus on risk, compliance will follow
Contact us
Tan Shong [email protected]+65 6236 3262
Mark [email protected]+65 6236 7388
Manish Chawda [email protected]+65 6236 7447