
MAS releases new technology risk guidance

SINGAPORE - "Technology risk is not a part of operational risk", said Tony Chew, head of technology risk supervision at the Monetary Authority of Singapore (MAS), at OpRisk Asia 2008 in early June.

The MAS takes technology risk seriously, said Chew - the regulator released an updated version of its internet banking and technology risk management guidelines the day he addressed the conference. But he said the supervisors who drafted Basel II "did not have technology expertise" and so technology risk has not been appropriately handled. "They haven't got a clue about what technology risk is, and yet it is one of the most important risks banks have to manage," he said, adding that technology risk "has an immediacy that other risks don't have". If a system goes down, it can destabilise a firm in ways few other events can.

The guidelines aim to help banks establish a robust technology risk management framework; strengthen system security, reliability, availability and recoverability; and deploy strong cryptography and authentication mechanisms to protect customer data and transactions.

The emphasis is on firms taking a consistent risk-based approach to internet banking. "In view of the constant changes occurring in the internet environment and through online delivery channels, management should institute a risk monitoring and compliance regime on an ongoing basis to ascertain the performance and effectiveness of the risk management process," say the guidelines. "The impact of internet banking on risk management is complex and dynamic. Management should constantly reassess and update its risk control and mitigation approach to take into account varying circumstances and changes to its risk profile in the internet environment."

Chew presented startling statistics showing the effectiveness of two-factor authentication, which MAS encouraged banks to adopt by December 2006 in response to an increase in 'phishing' attacks in the region. After the implementation of two-factor authentication, incidents of online fraud fell from 534,000 in 2004 to 3,000 in 2006 and to almost zero in 2007, according to Chew's statistics. He did acknowledge that the zero figure would probably change, as it is impossible to operate an online banking service with a zero level of fraud. Hackers and criminals always find a way around the latest security controls, usually very quickly, which means that banks need to be constantly working on better securing their IT systems.

MAS also expects boards and senior management to be accountable for managing and controlling technology risks in their banks' operations. They must monitor the effectiveness of their risk management functions and security practices, and implement compliance and audit procedures to ensure measures and controls are observed and enforced. It also encourages financial institutions and industry associations to educate customers on the benefits and risks of online products, to help promote a security-conscious environment and enhance public confidence in online financial systems.
