Implementation of the Technology and Cyber Risk Measures for DPT Services
On 6 February 2024, the Monetary Authority of Singapore (“MAS”) issued the revised MAS Notice PSN05 on Technology Risk Management (the “Notice”), as part of the measures set out in the final part of its responses to feedback received on the proposed regulatory measures for digital payment token service providers (“DPTSPs”) (“Responses”). Please read our publication for more details on the Responses.
Summary
Previously, the Notice applied only to operators and settlement institutions of designated payment systems under the Payment Services Act 2019. Following global IT disruptions that adversely impacted customers of DPTSPs, the MAS recognised the importance for DPTSPs to (i) maintain high system availability and recoverability, (ii) protect customers’ information and (iii) report incidents on a timely basis. Accordingly, the MAS has expanded the scope of the Notice to require compliance by DPTSPs as well.
Under the Notice, DPTSPs are required to:
- put in place frameworks and processes to identify critical systems;
- implement IT controls to protect customer information from unauthorised access or disclosure;
- maintain high availability for critical systems, and ensure that the maximum unscheduled downtime for each critical system does not exceed a total of 4 hours within any period of 12 months;
- establish a recovery time objective of not more than 4 hours for each critical system. This requirement will not apply to the underlying public blockchain of DPTs;
- take the following actions upon discovery of a system malfunction or IT security incident, which has a severe and widespread impact on their operations, or material impact on their services to their customers:
  - notify the MAS within 1 hour; and
  - submit a root cause analysis report within 14 days (or such longer period as the MAS may allow).
The MAS clarified that DPTSPs are also expected to establish a proper framework and process to assess and identify the type of threshold of such “severe and widespread impact” mentioned above.
Next steps
DPTSPs will have a 9-month transition period for implementation of the Notice, and are expected to comply with the Notice by 6 November 2024.