
Monday, June 18, 2012

Better IT practices needed

By Ng Jing Yng

Financial institution heads urged to be more involved in guarding against risk


SINGAPORE - With information technology (IT) becoming a "key enabler to business", the Monetary Authority of Singapore (MAS) yesterday called on leaders of financial institutions to be more involved in guarding against technology risk.

Senior management and the board of directors need to, among other things, be part of the decision-making process of key IT decisions and exercise greater oversight on outsourced IT functions, said the MAS, as it released two consultation papers on guidelines for financial institutions.

The first paper is on a set of enhanced guidelines for technology risk management and the adoption of sound security practices which will apply to all financial institutions.

The second paper is on a Technology Risk Management Notice which sets out the legal requirements for financial institutions.

The MAS noted: "IT is no longer a support function within a financial institution but a key enabler to business in reaching and supporting customers, local or overseas".

The board of directors and senior management are "fully responsible and accountable for managing technology risks" and they need to implement effective internal controls and risk management practices, said the statutory board.

Apart from regular reviews of standard operating procedures, the MAS proposed a comprehensive organisation-wide IT security awareness training programme, supported by senior management and reviewed regularly.

It also called on the board of directors and senior management to exercise greater oversight over outsourcing practices. The MAS recommended having a proper framework, policies and procedures to evaluate, approve, review, control and monitor the risks of outsourcing activities.

This could mean conducting checks on service providers before their appointment and instilling regular monitoring processes.

Senior management should also get service providers to develop and establish a disaster recovery contingency framework, it said.

A robust technology risk management framework is also needed. Some aspects include identifying risks and preparing remediation plans.

The proposed guidelines also touched on consumer protection, highlighting the need for two-factor authentication in online transactions and tamper-resistant keypads.

This comes less than five months after the Association of Banks in Singapore announced measures for better ATM and card payment security.

It had said the measures were not in response to the largest ATM card skimming fraud here in January, which saw about S$1 million stolen and some 700 DBS customers affected.

The MAS said its overall risk assessment of a financial institution would be impacted by how closely the institution follows the IT guidelines.

Banks are understood to be reviewing the guidelines.

A DBS spokesperson said: "DBS has an established technology risk management framework and has always engaged regional regulators including MAS on emerging risk trends. We are confident that we have met many of the requirements."
Ref:itoday
