[OR] [MAS] [E2] [C9] Case Study – Singapore Financial Institution

eBook 2: Chapter 9

 Monetary Authority of Singapore's (MAS) Case Study – Singapore Financial Institution

Introduction

To operationalise the concepts of operational resilience, financial institutions must  practical, service-level implementation.

The Monetary Authority of Singapore requires institutions to adopt a service-centric approach, focusing on the continuous delivery of Critical Business Services (CBS) even under disruption.

This chapter presents an illustrative case study of a Singapore financial institution, focusing on a digital payments service—one of the most critical and systemically important services in the financial ecosystem.

MAS has emphasised that disruptions to critical banking services can have widespread customer and systemic impact, reinforcing the need for robust resilience capabilities.

Illustrative CBS: Digital Payments Service

Overview of the CBS

The selected CBS for this case study is Digital Payments, encompassing services such as:

• Real-time fund transfers (e.g., PayNow, FAST)
• Online and mobile banking payments
• Corporate payment processing

These services are critical due to:

• High customer dependency for daily transactions
• Time sensitivity, especially for real-time payments
• Systemic importance within Singapore’s financial infrastructure

MAS has highlighted that financial institutions must ensure high availability of critical systems and services, particularly those supporting customer transactions.

Mapping Dependencies

End-to-End Service Mapping

To support operational resilience, the institution performs end-to-end mapping of dependencies for the digital payments CBS.

Key Dependency Categories

1. People

• Payment operations teams
• IT support and infrastructure engineers
• Cybersecurity and fraud monitoring teams

2. Processes

• Payment initiation and authorisation workflows
• Transaction clearing and settlement processes
• Exception handling and reconciliation

3. Technology

• Core banking systems
• Payment gateways and APIs
• Network infrastructure and data centres
• Cybersecurity monitoring systems

4. Third Parties

• Cloud service providers
• Payment network operators
• Telecommunications providers

Importance of Dependency Mapping

MAS expects institutions to identify interconnections and interdependencies to avoid hidden vulnerabilities and single points of failure.

Through mapping, the institution gains:

• Visibility of critical service pathways
• Identification of concentration risks
• Understanding of upstream and downstream dependencies

Identifying Vulnerabilities

Key Vulnerabilities Identified

Based on the dependency mapping and scenario testing, several vulnerabilities emerge:

1. Technology Single Points of Failure

• Legacy payment processing systems lack redundancy
• Failure in a core payment switch disrupts all transactions

Impact:

• Immediate service outage
• Breach of impact tolerance thresholds

2. Third-Party Dependency Risks

• Heavy reliance on a single cloud provider
• Limited visibility over subcontractors (fourth parties)

Impact:

• Cascading failures if vendor services are disrupted
• Reduced control over recovery timelines

3. Data and Monitoring Gaps

• Limited real-time visibility of transaction processing delays
• Incomplete monitoring across integrated systems

Impact:

• Delayed detection of service degradation
• Slower response to incidents

4. Cybersecurity Threat Exposure

• Vulnerabilities in API integrations
• Risk of Distributed Denial-of-Service (DDoS) attacks

Impact:

• Service unavailability
• Potential data compromise

5. Operational and Coordination Gaps

• Fragmented communication between IT and business teams
• Delays in escalation during incidents

Impact:

• Inefficient response
• Prolonged disruption duration

MAS Perspective on Vulnerabilities

MAS emphasises that institutions must identify and eliminate single points of failure and implement controls to minimise disruptions.

Scenario Testing and Validation

To validate resilience, the institution conducts scenario testing on the digital payments CBS.

Example Scenario

Scenario:

Cyberattack on payment gateway combined with cloud service degradation

Testing Objectives

• Assess ability to maintain payments within impact tolerance
• Validate failover to backup systems
• Test incident and crisis management response

Observations

• Recovery processes were slower than expected
• Communication gaps between teams delayed response
• Third-party coordination required improvement

Lessons Learned

1. Service-Centric Approach is Critical

Focusing on CBS rather than individual systems provides a clearer understanding of real business impact.

2. Dependency Visibility Must Be Continuously Updated

Static mapping is insufficient. Institutions must maintain dynamic, real-time visibility of dependencies.

3. Third-Party Risk is a Major Resilience Challenge

Heavy reliance on external providers requires:

• Stronger due diligence
• Continuous monitoring
• Inclusion in testing exercises

4. Scenario Testing Reveals Hidden Weaknesses

Testing under severe but plausible scenarios exposes:

• Interdependency risks
• Coordination gaps
• Recovery limitations

5. Governance and Coordination are Key

Effective resilience requires:

• Clear escalation frameworks
• Cross-functional collaboration
• Strong leadership oversight
  

Alignment with MAS Expectations

This case study demonstrates alignment with MAS operational resilience principles:

• Identification of Critical Business Services
• End-to-end dependency mapping
• Scenario testing against severe but plausible events
• Continuous improvement based on testing outcomes

MAS expects institutions to regularly test, review, and enhance their resilience frameworks to adapt to evolving risks and technological changes.

This illustrative case study highlights how a Singapore financial institution can implement operational resilience in practice, using digital payments as a critical business service. By mapping dependencies, identifying vulnerabilities, and conducting scenario testing, organisations can gain a comprehensive understanding of their resilience capabilities.

Guided by the expectations of the Monetary Authority of Singapore, financial institutions must move beyond theoretical frameworks to practical, evidence-based resilience. The lessons learned from such case studies provide valuable insights for strengthening operational resilience across the financial sector, ensuring that critical services remain available even in times of disruption.

 

eBook 1	C1	C2	C3	C4	C5
eBook 1	C6	C7	C8	C9	C10

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.