Monetary Authority of Singapore
Instead of issuing separate operational resilience guidelines, the Monetary Authority of Singapore (MAS) has renewed its focus on enforcing existing operational risk management, as well as the management of outsourcing and third parties, and has substantially updated its business continuity guidance.
Like other global regulators, the MAS expects financial institutions to ensure that the third parties in their value chain are subject to adequate governance and risk management as well as sound internal controls. Risk management programs are expected to take into consideration the nature and extent of risks.
The MAS's revised Technology Risk Management Guidelines also set expectations for financial institutions to exercise strong oversight of arrangements with third-party service providers, both to ensure system resilience and to maintain data confidentiality and integrity.
The MAS also revised its Business Continuity Management Guidelines. The updated guidance sets the expectation that financial institutions must consider third-party dependencies when engaging third parties to support the delivery of their critical business services. The MAS approach to resilience is unique in that it mandates a crisis management structure.
Australia Prudential Regulatory Authority
In July 2022, the Australia Prudential Regulatory Authority (APRA) published the Prudential Standard CPS 230 Operational Risk Management document. The standard establishes minimum objectives for managing operational risk, including updated requirements for business continuity and technology and data service provider (TSP) management. This document is set to replace existing operational resilience standards.
The goal of the standard is to improve operational risk practices through enhanced focus from boards and senior management, and to minimize the impact of disruptions on customers and the financial system.
While the outcome is the same as that of other operational regulations, the APRA places a greater focus on risk to achieve it. Its objectives include:
- Enhance Operational Risk Management – Focus on management of operational risks with effective internal controls, monitoring, and remediation.
- Improve Business Continuity – Ensure that APRA-regulated entities are ready to respond to severe business disruptions and maintain critical operations (such as payments, settlements, fund administration, and claims processing) to minimize the impact of disruptions to customers.
- Enhance Third-Party Risk Management – Entities must understand and manage the risks from the use of service providers.
The standard is expected to go into effect in 2024.