Introducing Singapore’s new draft Cybersecurity Bill
Jul 12

On 10 July 2017, Singapore’s long-awaited draft Cybersecurity Bill was introduced. This is a timely development, especially in view of recent cybersecurity attacks such as the Advanced Persistent Threat attacks targeting two of Singapore’s universities and the global WannaCry and Petya / Petna malware attacks. As a small and highly connected nation, Singapore is dependent on info-communications technology, and cybersecurity threats need to be taken seriously. Attacks on critical information infrastructure (CII) systems that manage utilities, healthcare, transportation and other essential services can lead to disruptions that can cripple Singapore’s economy and lead to loss of life.

Even though the current Computer Misuse and Cybersecurity Act (CMCA) already has some provisions on cybersecurity, it primarily concerns cybercrime such as e-commerce scams and hacking. This draft Cybersecurity Bill caters more broadly to the security of a computer or computer system against unauthorised access or malicious acts, to preserve their availability and integrity, or the confidentiality of information stored or processed in them. The intention behind the draft Cybersecurity Bill is to have a coordinated national approach to cybersecurity, and ensure that CIIs across all sectors are protected consistently. Its provisions will apply equally to both public and private sectors.

The following are the key provisions under the draft Cybersecurity Bill:

Appointment of Commissioner and Powers. The powers of the Cybersecurity Bill will vest in the Commissioner of Cybersecurity, who has various functions including the overseeing and maintenance of cybersecurity in Singapore.

Critical Information Infrastructure. CIIs are computers or computer systems that are necessary for the continuous delivery of essential services that Singapore relies on, the loss or compromise of which will lead to a debilitating impact on national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. Currently, essential services have been identified in 11 sectors, including utilities, banking and finance, media, info-communications, healthcare and transportation. The owners of CIIs, which are defined as persons with, amongst others, effective control over the operations of the CII, have certain statutory duties, including the duty to comply with codes and directions, to conduct audits and risk assessments, to report cybersecurity incidents including any incident that occurs in respect of the CII and any incident that occurs in respect of any computer or computer system under the owner’s control that is interconnected with or communicates with the CII, and to participate in cybersecurity exercises.

Responses to Cybersecurity Threats and Incidents. If there is a cybersecurity threat or incident, the Commissioner can choose to investigate it in order to determine its impact, to prevent further harm and to prevent further incidents. These investigative powers can be delegated to authorised...

Next step in Singapore’s payments journey
Jul 03

As Singapore moves towards a Smart Nation and a cashless society, our electronic payments system has also developed to allow consumers to send and receive money easily. The most recent development in this journey is PayNow, which allows bank customers to transfer funds using only the recipient’s mobile number or Singapore NRIC/FIN.

Technology has transformed the way Singaporeans use financial services, and surveys show that 94% of Singaporeans have used mobile and internet banking to access their bank accounts. In addition, one in five consumers in South-East Asia use digital wallets, with Singapore being the top adopter in the region. Electronic payments are becoming more common, and Unified Point-of-Sale (UPOS) terminals are being used at major supermarkets across Singapore. Even traditionally cash-based hawker centres are catching up to this trend, and some are undergoing a trial to accept contactless cards or QR codes which customers can scan with their phones to make payments.

MAS is also reviewing the regulatory framework for payments, and it recently proposed an activity-based regulatory regime for payments that will align requirements to the specific payment activities undertaken by businesses. It will be interesting to see how new developments such as PayNow will shape the industry feedback MAS receives on this proposal as well as the second round of public consultation. In addition, stakeholders in the payments ecosystem also have the opportunity to chart Singapore’s e-payments journey, as MAS has also established a Payments Council under its leadership, which will function as a forum for the payments industry and businesses to discuss payment strategies and cross-cutting issues, and promote inter-operable payment solutions.

With the recent launch of PayNow, transferring funds is not only fast and secure, but also convenient and efficient. PayNow rides on existing infrastructure used by Fast and Secure Transfers (FAST), which allows customers of 19 participating banks to make interbank fund transfers almost immediately and at no cost. Before PayNow, under FAST, transferring funds was almost immediate, but transferors needed to know the recipient’s bank and account number. There is also no need for PayNow users to have a mobile wallet, which is required by existing solutions such as DBS’ PayLah!.

Looking ahead, PayNow will soon also be introduced for transactions between individuals and businesses, and there is also potential for it to be implemented across South-East Asia. Making payments convenient, fast and secure is a key component in Singapore’s goal to become a Smart Nation, and PayNow is a step in the right direction. We are hopeful that the uptake of PayNow will be swift amongst Singaporeans, and that there will be continued innovations in the payments space in the near...

Blurred Lines: MAS streamlines regulation of banks’ non-financial services activities
Jul 03

16 years ago, when MAS introduced the anti-commingling framework to separate financial and non-financial businesses of banks, the iPhone did not exist and clamshell Motorola Razrs were cool. Today, almost all Singaporeans carry smartphones and our wireless broadband penetration has gone up to 200%, making Singapore one of the most connected societies in the world. This connectivity has made Singapore the perfect ground for technology disruption, and we have seen how technology disruption has impacted traditional business models and shaped consumer behaviour in Singapore. For example, instead of dining and shopping along Orchard Road, many of us now get our meals delivered via Deliveroo and make purchases on e-commerce platforms like Taobao or Honest Bee.

Financial services are not immune to technology disruption or to changes in the manner in which their customers consume their services. Non-financial companies such as WeChat have created platforms that enable customers to chat, purchase and pay for goods and services, including financial products, all within one mobile application. Such disruption encroaches onto activities that were historically in the financial services remit.

MAS recognises that this disruption has resulted in the increasing blurring of lines between financial and non-financial businesses, and that banks are facing increasing competition from non-financial businesses that have leveraged their large user base to provide digital wallets, payments and remittance services. In 2011, MAS took a first step in giving banks greater allowance to carry out non-financial businesses that are related or complementary to their core financial businesses under certain conditions. This time, MAS has gone further by streamlining the requirements for banks seeking to conduct or invest in permissible non-financial businesses. For example, banks will not need to seek prior regulatory approval before conducting or acquiring major equity stakes in permissible non-financial businesses. Other requirements such as conducting regular stress tests or external audits have also been removed. As such, banks can more easily integrate banking services into customers’ day-to-day activities and deliver value-added services to them by ensuring these additional services can be provided on the banks’ platform.

MAS has highlighted that it is still important for banks to focus on their core financial businesses and has consequently limited such non-financial businesses to 10% of a bank’s capital funds. Apart from certain digital platforms which banks are now expressly allowed to operate, banks would also need to seek case-by-case approval from MAS.

Going forward, non-financial businesses will continue to make inroads into traditional banking business, and banks need to be able to transform and adapt to such changes in the economy and society. We welcome MAS’ swift response to these changes around us, and look forward to the consultation...

Association of Banks in Singapore updates Guidelines for Outsourced Service Providers
Jun 15

On 1 June 2017, the Association of Banks in Singapore (ABS) issued an update to their “Guidelines on Control Objectives and Procedures for Outsourced Service Providers”. The update replaces the first version of these guidelines previously issued on 25 July 2015. Overall, the update involved only minor changes. Nevertheless, these changes indicate a greater emphasis on review, monitoring and control of the outsourced service providers (OSPs). OSPs should take note of this new emphasis as banks and other financial institutions (FIs) will likely look to these guidelines to supplement their own regulatory obligations when engaging OSPs.

ABS guidelines in a nutshell

The ABS guidelines set standards for OSPs relating to audit and inspection, internal controls (e.g. human resource policies and procedures), IT controls (e.g. physical security policies and disaster recovery procedures) and service controls (e.g. client contracting procedures). The guidelines were first published following the 5 September 2014 release by the Monetary Authority of Singapore (MAS) of two consultation papers relating to outsourcing arrangements of FIs. Likewise, it appears that these updated guidelines follow on from MAS’ 27 July 2016 update of its Guidelines on Outsourcing. The MAS Guidelines on Outsourcing focus on standards FIs should adopt when engaging OSPs. The ABS guidelines, however, appear intended to address the other side of this coin by giving guidance to OSPs themselves on the minimum standards they should implement when dealing with FIs.

Minor changes but greater emphasis on review, monitoring and control

OSPs can take comfort in the fact that the ABS guidelines remain largely unchanged from their 2015 iteration. The entity level controls, general IT controls and service controls imposed by the 2015 guidelines do not see significant changes to their content. The most significant change is that the OSP’s controls should be “reviewed and updated at least every 12 months”. This requirement is newly included in Section II(e) on Backup and Disaster Recovery, Section II(f) on Network and Security Management and Section III(a)(2) on Setting up of New Clients/Processes. There is also a new focus on reporting substantial changes and adverse developments to the FIs.

The section on frequency of external audits has also been updated. Previously, it was recommended that audits be conducted every 12 months with the sampling data covering a period of 12 months. The updated ABS guidelines now provide that the sample data should cover the entire period since the last audit, with a minimum period of 6 months and with reasons provided if the period covered is less than 6 months.

What this means for OSPs

While relatively minor, the changes suggest a greater focus on review, monitoring and control of the outsourcing...

Regulating Robo-advisors in Singapore
Jun 15

Introduction

On 7 June 2017, the Monetary Authority of Singapore (MAS) issued a consultation paper on the provision of digital advisory services in Singapore. The consultation paper proposes amendments to the Securities and Futures Act and the Financial Advisers Act, which form the existing framework governing the provision of financial advice, to allow for the wider use of digital advisers or robo-advisers whilst ensuring that there are adequate safeguards in place. In the consultation, the MAS expressly welcomes the offering of digital advisory services to complement the existing advisory channels as it is of the view that doing so would improve consumers’ access to low-cost investment advice, in effect resulting in a greater democratisation of financial advice. This move by the MAS is evidence of its commitment to strengthening Singapore’s position as a Smart Financial Centre and is a boost to Singapore’s standing as a FinTech hub.

What are the key proposals?

The following are the key proposals that the MAS has made to regulate digital advisers:

Governance and supervision of algorithms. As digital advisers are primarily algorithm-driven, a fault or bias in the algorithms would affect all customers of such digital advisers. Therefore, the methodology of the algorithm needs to be robust to collect and analyse all necessary information. Controls also need to be in place to monitor and test the algorithms to ensure that they perform properly. Proper disclosures to ensure an informed decision on the digital adviser’s services are also necessary. Finally, the digital advisory service’s board and senior management would have the responsibility of ensuring compliance and maintaining effective oversight.

Suitability of advice. The MAS is prepared to grant case-by-case exemptions to fully-automated digital advice services from the need to collect full information on the financial circumstances of a customer when advising on traditional exchange traded funds. This is because certain digital advisers already seek to eliminate unsuitable customers through the use of “knock-out” questions.

Portfolio management. For portfolio rebalancing by digital advisers, which occurs at regular intervals, the MAS proposes to dispense with the requirement to obtain the customer’s prior approval for every transaction. Instead, a one-time prior acknowledgment in writing would be sufficient, provided that the customers are notified for every rebalancing transaction and are given the opportunity to object. In addition, the MAS is also prepared to admit digital advisers that do not meet the current requisite five-year corporate track record of managing funds for retail investors, provided certain safeguards are followed.

Execution of investment transactions. Currently, digital advisers assist customers in the execution of recommended portfolios by passing the trade orders to brokerage firms for execution. However, such activities are currently...

IP in the Cloud: the South-East Asia Perspective
May 05

The fourth industrial revolution is transforming business in South-Asia faster and more dramatically than in almost any other region. Across South-East Asia, from emerging powerhouse economies such as Indonesia and Vietnam, to Singapore, already an established global economy, there is one issue that our clients consistently tell us is their boardroom priority: digital transformation. With the explosion in smartphone adoption, rapidly-improving broadband infrastructure and a generally young, tech-savvy population, the opportunity for organisations and governments to leverage new technologies to improve services and drive growth is clear – whether it is using digital wallet technologies to transform payments in Myanmar, or leveraging tele-health platforms to bring healthcare services to patients in remote locations in Indonesia and the Philippines.

Many of these technologies are being built on cloud services, often provided by third party service providers. The cloud offers the ability to expand to new markets or new businesses faster than ever before. However, these new opportunities can come with new challenges and, like every transaction with a supplier, customers need to assess any associated risks. We have covered the region’s increasingly-supportive regulatory environment for cloud adoption in previous posts. This post focuses, instead, on an often-overlooked legal consideration in moving to the cloud – intellectual property (IP). What are the IP considerations associated with a move to the cloud for organisations in South-East Asia, and how can they be addressed?

The IP landscape for companies in South-East Asia

Let’s start by looking at the IP landscape in the region. There is a tendency to generalise about IP in South-East Asia. This is a mistake. While every country in South-East Asia has an IP regime designed to protect rights holders through patents, copyright, trade marks, and so on, it is still incorrect to assume that there is any real consistency across jurisdictions. Despite efforts to harmonise at an international level, the landscape still differs significantly from one country to the next – both in terms of the underlying legal framework and, even more so, in terms of the approach to enforcement. There is little value in comparing Vietnam, which has substantial room for improvement in terms of its patent system and approach to enforcement against infringers, with Singapore, which has a more-established system and is investing in becoming an IP hub for the region.

What this all means for companies who do business across South-East Asia is that the picture is one of fragmentation, uncertainty and risk. Although the commercial team may regard South-East Asia as a single trading area, the legal and compliance team needs to navigate the myriad different legal systems and advise their board accordingly. The...
