Chapter 11
Industry-Specific Considerations for BCM Auditing Based on Monetary Authority of Singapore (MAS) Guidelines
This chapter explores the specific considerations for auditing Business Continuity Management Systems (BCMS) within the Singaporean financial sector, aligned with the Monetary Authority of Singapore's (MAS) Guidelines on Business Continuity Management (https://www.mas.gov.sg/-/media/mas/regulations-and-financial-stability/regulatory-and-supervisory-framework/risk-management/bcm-guidelines/bcm-guidelines-june-2022.pdf).
Introduction
MAS, the central bank of Singapore, emphasizes the importance of robust BCM frameworks for financial institutions (FIs) to maintain operational resilience and minimize disruption in the event of incidents.
Auditing BCMS in this context requires understanding the specific expectations laid out by MAS, which may differ from a purely ISO 22301-based approach.
Key Considerations for MAS-based BCM Audits
Alignment with MAS Guidelines
- The primary focus should be ensuring the BCMS aligns with the latest MAS Guidelines on Business Continuity Management. This includes:
Risk-Based Approach
- Evaluate if the BCMS employs a comprehensive risk assessment that identifies threats and vulnerabilities specific to the Singaporean financial sector (e.g., disruptions impacting cross-border transactions, cyberattacks targeting financial institutions).
- Consider how the risk assessment methodology aligns with MAS's expectations for scenario development and risk prioritisation.
Supervisory Priorities
- Analyze whether the BCMS addresses MAS's current supervisory priorities as outlined in its publications. This may highlight specific areas of concern for FIs in Singapore.
- Regularly review MAS publications to stay updated on evolving supervisory expectations.
Critical Business Services (CBSs)
- Scrutinize how CBSs are identified and prioritized according to MAS's definition. This may involve functions crucial for maintaining financial stability in Singapore's unique financial ecosystem, such as:
- Retail banking services (e.g., deposits, withdrawals, payments)
- Wholesale banking services (e.g., trade finance, cash management)
- Capital markets activities (e.g., securities trading, investment banking)
- Payment systems operations
Scenario-Based Testing
- Assess the effectiveness of scenario-based testing that considers disruptions relevant to the Singaporean financial sector.
- This could include disruptions impacting key infrastructure, technological outages affecting specific financial services (e.g., real-time gross settlement systems), or regional or global events.
- Evaluate if scenarios incorporate potential cascading effects from interconnectedness within the financial system.
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)
- Evaluate if the established RTOs and RPOs for CBSs consider MAS's expectations for the timely resumption of operations within the Singaporean financial sector.
- Consider how RTOs and RPOs are determined based on the CBS's criticality and the potential financial impact of downtime.
Incident Response
- Analyze the BCMS's incident response procedures, ensuring they align with MAS's expectations for prompt notification, effective escalation protocols, and clear communication strategies.
- Verify if procedures incorporate reporting requirements to MAS as mandated by relevant regulations.
Additional Considerations
Third-Party Dependencies
- The Singaporean financial sector relies heavily on third-party vendors. The audit should assess how the BCMS addresses potential disruptions impacting these critical third-party relationships.
- Evaluate if the BCMS includes provisions for ensuring continuity of service through contracts with third-party vendors or alternative service providers.
Technology Dependence
- Singapore's financial sector is highly reliant on technology. The audit should evaluate the BCMS's plans for mitigating disruptions impacting critical technological infrastructure, including:
- Data center outages
- Cyberattacks
- Technological obsolescence
Cross-Border Operations
- For FIs with cross-border operations, the audit should assess how the BCMS addresses potential disruptions impacting these international activities.
- Consider how the BCMS ensures coordination and communication with overseas branches or subsidiaries during disruptions.
Summing Up ...
By incorporating these MAS-specific considerations into the BCM audit process, auditors can ensure a more comprehensive evaluation of the BCMS's effectiveness in safeguarding the operational resilience of Singaporean FIs.
This contributes to the overall stability and competitiveness of Singapore's financial sector.
More Information About Blended Learning Auditing BCMS Courses
BCM Institute offers two levels of BCM auditing courses: A-3 BCM-8030 ISO22301 BCMS Auditor [A-3] and the ISO22301 BCMS Lead Auditor [A-5].