Article (12): Technology and Specific Risk Management
C 6/2020 Effective from 30/10/2020
A Licensee is expected to take into account international best practices and standards when designing and implementing the technology and specific risk management systems and processes.
All technology and specific risk management requirements set out in this Article also apply to licensed banks that carry out the SVF business in the State.
Technology risk management
A Licensee must establish an effective technology and cyber security risk management framework to ensure (a) the adequacy of IT controls, (b) cyber resilience, (c) the quality and security, including the reliability, robustness, stability and availability, of its computer and payment systems, and (d) the safety and efficiency of the operations of the SVF scheme. The framework must be “fit for purpose” and commensurate with the risks associated with the nature, size, complexity and types of business and operations, the technologies adopted and the overall risk management system of the Licensee. Consideration should be given to adopting recognized international standards and practices when formulating such risk management framework.
A Licensee must establish an incident management framework with sufficient management oversight to ensure effective incident response and management capability to deal with significant incidents properly. This includes: (a) timely reporting to the Central Bank of any confirmed technology-related fraud cases or major security breaches, including cyber-attacks, cases of prolonged disruption of service and systemic incidents where Customers suffer monetary loss or Customers’ interests are otherwise affected (e.g. data leakage); and (b) a communication strategy to address the concerns any stakeholders may have arising from the incidents and to repair the reputational damage that the incidents may cause.
An effective technology risk management framework should comprise proper IT governance, a continuous technology risk management process and implementation of sound IT control practices.
IT governance
A Licensee must establish a proper IT governance framework. IT governance covers various aspects, including a clear structure of IT functions and the establishment of IT control policies. While there could be different constructs, the major functions should include an effective IT function, a robust technology risk management function, and an independent technology audit function.
A set of IT control policies that fits the Licensee’s business model and technology applications must be put in place. The IT control policies, which establish the ground rules for IT controls, must be formally approved by Senior Management and properly implemented among IT functions and business units. The processes used to verify compliance with IT control policies, and the process for seeking appropriate approval by Senior Management for dispensation from IT control policies, must also be clearly specified, and consequences for any failure to adhere to these processes must be in place.
Technology risk management process
A Licensee must put in place an effective risk management system that fits its specific business model and risk profile.
A robust process must be established to manage all changes (e.g. changes arising from new products, services, processes, contract terms, or any changes of external factors such as law and regulations) that might change a Licensee’s technology risk exposures. All identified risks must be critically evaluated, monitored and controlled on an ongoing basis.
A general framework for management of major technology-related projects, such as in-house software development and acquisition of information systems must be established. This framework should specify, among other things, the project management methodology to be adopted and applied to these projects.
Project life cycle
A full project life cycle methodology governing the process of developing, implementing and maintaining major computer and payment systems should be adopted and implemented.
Where a Licensee acquires a software package from vendors, a formal software package acquisition process should be established to manage risks associated with acquisitions, such as breach of software license agreement or patent infringement.
Quality assurance review of major technology-related projects by an independent party should be conducted where necessary, with the assistance of the legal and compliance functions.
Security requirements
Security requirements should be defined clearly in the early stage of system development or acquisition, as part of the business requirements, and adequately built in during the program development stage.
Coding practice
Guidelines and standards for software development with reference to industry generally accepted practice on secure development should be developed. Source code reviews (e.g. peer review and automated analysis review), which could be risk-based, as part of software quality assurance process should be conducted.
System testing, acceptance and deployment
A formal testing and acceptance process should be established to ensure that only properly tested and approved systems are promoted to the production environment. The scope of tests should cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions.
Segregated environments for development, testing and production purposes should be maintained. System testing and user acceptance testing (UAT) should be properly carried out in the testing environment. Production data should not be used in development or acceptance testing unless the data has been desensitized and prior approval from the information owner has been obtained.
Segregation of duties
Segregation of duties among IT teams should be properly maintained. Developers should not be able to get access to production libraries and promote programming code into the production environment. If automated tools are used for the promotion of programming code, adequate monitoring, reviews and checks by independent teams should be done. Vendor accesses to the UAT environment, if necessary, should be closely monitored.
End-user computing
An inventory of end-user developed applications should be maintained and where necessary, control practices and responsibilities with respect to end-user computing to cover areas such as ownership, development standard, data security, documentation, data/file storage and backup, system recovery, audit responsibilities and training should be established.
IT service support - Problem management
A problem management process to identify, classify, prioritize and address all IT problems in a timely manner should be established. A trend analysis of past incidents should be performed regularly to facilitate the identification and prevention of similar problems.
Change management
A formal change management process should be developed to ensure the integrity and reliability of the production environment and that the changes to application systems, system software (e.g. operating systems and utilities), hardware, network systems and other IT facilities and equipment, are proper and do not have any undesirable impact on the production environment. Formal procedures for managing emergency changes (including the record keeping and endorsement arrangement) should also be established to enable unforeseen problems to be addressed in a timely and controlled manner.
Security baseline standards
Control procedures and baseline security requirements, including all configurations and settings of operating systems, system software, databases, servers and network devices should be adequately and accurately documented. Periodic reviews on the compliance of the security settings with the baseline standards should be performed.
IT operation - Job scheduling
The initial schedules and changes to scheduled jobs should be appropriately authorized. Procedures should be in place to identify, investigate and approve departures from standard job schedules.
Vulnerability and patch management
A combination of automated tools and manual techniques should be deployed to regularly perform comprehensive vulnerability assessments. For web-based external facing systems, the scope of vulnerability assessment should include common web vulnerabilities.
Patch management procedures should be formulated to include the identification, categorization, prioritization and installation of security patches. To implement security patches in a timely manner, the implementation timeframe for each category of security patches should be defined based on severity and impact on systems.
Security monitoring tools should be implemented to retain system, application and network device logs to facilitate examination when necessary in accordance with the Licensee’s defined log retention policy. The tools should also monitor and report, on a real-time basis if possible, critical configurations and security settings to identify unauthorized changes to these settings and block anomalies on IT assets, e.g. abnormal user behaviors, unusual system processes and memory access and malicious callbacks to devices.
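As an added illustration of the periodic review against the security baseline standards described above and of the detection of unauthorized changes to critical configurations described in this paragraph (example code written for this page; it is not part of the Regulation and does not represent any Central Bank tool), the Python script below compares an observed "key value" configuration file against a hypothetical baseline. The baseline rules, the sshd-style sample file and the three rule kinds (exact value, numeric upper bound, allowed set) are assumptions constructed for the example.

```python
"""Baseline compliance check for a host configuration (added example).

Assumptions (not from the Regulation): the baseline is a mapping from setting
name to a rule, and the observed configuration is a plain "Key Value" text
file such as sshd_config. Both inputs below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A rule is ("equals", value), ("max", number) or ("in", set_of_values).
Rule = Tuple[str, object]

# Hypothetical baseline standard for an Internet-facing administrative host.
BASELINE: Dict[str, Rule] = {
    "PermitRootLogin": ("equals", "no"),
    "PasswordAuthentication": ("equals", "no"),
    "MaxAuthTries": ("max", 4),
    "Protocol": ("in", {"2"}),
    "LogLevel": ("in", {"VERBOSE", "INFO"}),
}

# Constructed observed configuration; two settings drift from the baseline.
OBSERVED_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
LogLevel INFO
"""


@dataclass(frozen=True)
class Deviation:
    setting: str
    expected: str
    observed: str  # "<missing>" when the setting is absent from the file


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse 'Key Value' lines, skipping blank lines and '#' comments."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def describe(kind: str, expected: object) -> str:
    """Human-readable form of a rule for the deviation report."""
    if kind == "equals":
        return str(expected)
    if kind == "max":
        return f"<= {expected}"
    return "one of " + ", ".join(sorted(expected))


def check_baseline(baseline: Dict[str, Rule], observed: Dict[str, str]) -> List[Deviation]:
    """Return every baseline setting the observed configuration fails to meet.

    A setting that is absent is reported as a deviation: an absent line means
    the software default applies, and that default need not meet the baseline.
    """
    deviations: List[Deviation] = []
    for setting, (kind, expected) in baseline.items():
        value = observed.get(setting)
        if value is None:
            deviations.append(Deviation(setting, describe(kind, expected), "<missing>"))
            continue
        if kind == "equals":
            ok = value == expected
        elif kind == "max":
            ok = value.isdigit() and int(value) <= expected
        elif kind == "in":
            ok = value in expected
        else:
            raise ValueError(f"unknown rule kind {kind!r}")
        if not ok:
            deviations.append(Deviation(setting, describe(kind, expected), value))
    return deviations


if __name__ == "__main__":
    for d in check_baseline(BASELINE, parse_kv_config(OBSERVED_CONFIG)):
        print(f"{d.setting}: expected {d.expected}, observed {d.observed}")
```

In a deployment the observed settings are collected from the asset by the monitoring tool on a schedule, and a non-empty deviation list is what the periodic review, or a real-time alert on an unauthorized change, is built on; the point of treating a missing setting as a deviation is that a baseline review which only compares values that happen to be present will silently pass a host that has fallen back to insecure defaults.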
IT facilities and equipment maintenance
IT facilities and equipment should be maintained in accordance with the industry practice, and suppliers’ recommended service intervals and specifications to ensure the facilities and equipment are well supported.
Mobile computing
Where a Licensee provides mobile devices for its employees, policies and procedures covering, among others, requisition, authentication, hardening, encryption, data backup and retention should be established.
Network and infrastructure management
Overall responsibility for network management should be clearly assigned to individuals who are equipped with expertise to fulfil their duties. Network standards, design, diagrams and operating procedures should be formally documented, kept up-to-date, communicated to all relevant network staff and reviewed periodically.
A Licensee should have in place adequate measures to maintain appropriate segregation of databases for different purposes to prevent unauthorized or unintended access or retrieval and robust access controls should be enforced to ensure the confidentiality and integrity of the databases. In respect of any personal data of Customers, including merchants, a Licensee should at all times comply with this Regulation, the relevant data protection laws as well as any relevant codes of practice, guidelines or best practice issued by the relevant authorities from time to time.
Access to the information and application systems should be restricted by an adequate authentication mechanism associated with access control rules. A role-based access control framework should be adopted and access rights should only be granted on a need-to-have basis.
A security administration function and a set of formal procedures should be established for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities.
Due care should be exercised by Licensees when controlling the use of and access to privileged and emergency IDs. The necessary control procedures include: (a) changing the default password; (b) restricting the number of privileged users; (c) implementing strong controls over remote access by privileged users; (d) granting only the authorities that are strictly necessary to privileged and emergency IDs; (e) formal approval by appropriate senior personnel prior to release for usage; (f) logging, preserving and monitoring of the activities performed by privileged and emergency IDs (e.g. peer reviews of activity logs); (g) prohibiting sharing of privileged accounts; (h) proper safeguarding of privileged and emergency IDs and passwords (e.g. kept in a sealed envelope and locked up inside the data center); and (i) changing of privileged and emergency IDs’ passwords immediately upon return by the requesters.
Cyber resilience
Cyber security risk assessment process
Where a Licensee is heavily reliant on Internet and mobile technologies to deliver its services, cyber security risks must be adequately managed through the Licensee’s technology risk management process. The Licensee should also commit adequate resources to ensure its capabilities to identify the risk, protect its critical services against the attack, contain the impact of cyber security incidents and restore the services.
Cyber threat intelligence
A Licensee must keep pace with the trends in cyber threats. It may consider subscribing to quality cyber threat intelligence services, relevant to its business, to enhance its ability to respond precisely and in a timely manner to new types of threats. The Licensee may also seek opportunities to collaborate with other organizations to share and gather cyber threat intelligence, with the aim of helping the SVF industry to better prepare for and manage cyber security risks.
Penetration and cyber-attack simulation testing
A Licensee must regularly assess the necessity to perform penetration and cyber-attack simulation testing. Coverage and scope of testing should be based on the cyber security risk profile, cyber intelligence information available, covering not only networks (both external and internal) and application systems but also social engineering and emerging cyber threats. A Licensee should also take appropriate actions to mitigate the issues, threats and vulnerabilities identified in penetration and cyber-attack simulation testing in a timely manner, based on the impact and risk exposure analysis.
Internet connected device
As the Internet evolves, more devices and appliances are embedded with Internet connectivity. These devices with “always on” network connectivity may create additional end-points through which intruders can gain access to a Licensee’s critical IT infrastructure. The Licensee should pay attention to the related risks and take appropriate measures accordingly.
Payment security management
A Licensee must put in place a robust payment security management framework that is commensurate with the scale and nature of payment security risks associated with its SVF schemes to effectively monitor, identify, evaluate, respond and mitigate the payment security risks arising from the operation of the SVF schemes.
A Licensee must have adequate policies and procedures on the ownership, classification, storage, transmission, processing and retention of information collected from Customers through registration of SVF service and execution of payment transactions to ensure confidentiality and integrity of the information.
Information ownership
An information owner should be assigned to the specific information being collected, processed, created, and maintained. The information owner should be accountable for classification, usage authorization and protection of information processed by and stored in systems.
Information classification
Information should be classified into different categories according to the degree of sensitivity to indicate the extent of protection required. To aid the classification process, a Licensee should develop guidelines and definitions for each classification and define an appropriate set of procedures for information protection in accordance with the classification scheme.
Information in storage
Sensitive data stored in end-user devices as well as the backend systems of Licensees, such as payment data, personal identifiable information and authentication data must be appropriately secured against theft and unauthorized access or modification. Sensitive data should be encrypted and stored in a secure storage environment, using strong and widely recognized encryption techniques.
Information in transmission
A Licensee must ensure that when transmitting sensitive data, e.g. from a Customer’s device to a Licensee’s server, a strong and secure end-to-end encryption is adopted and maintained in order to safeguard the confidentiality and integrity of the data, using strong and widely recognized cryptographic techniques.
Where applicable, communication channels for data exchange should only be open on a need-to-use basis. For example, where it is practical to do so, communications via contactless channels should only be allowed after activation by the Customer and within a limited time window.
Information in processing
If a Licensee offers merchant acquiring services, it should require its merchants to have necessary measures in place to protect sensitive data related to payments and should refrain from providing services to merchants which cannot ensure such protection. The Licensee should also implement sufficient controls to maintain and verify the integrity of the information processed by its systems.
Information retention and disposal
A Licensee must implement an information retention and disposal policy to limit the data storage amount and retention time, having regard to applicable legal, regulatory, and business requirements.
Information minimization
In designing, developing and maintaining payment services, a Licensee should ensure that information minimization is an essential principle of the core functionality: gathering, routing, processing, storing and/or archiving.
A Licensee must implement adequate security measures to protect each payment channel (including cards and user devices) provided to Customers for using its SVF against all material vulnerabilities and attacks. A Licensee providing payment card services should implement adequate safeguards to protect sensitive payment card data.
Customer device
A Licensee should assume that Customer devices are exposed to security vulnerabilities and take appropriate measures when designing, developing and maintaining payment services. Security measures should be in place to guard against different situations, including unauthorized device access, malware or virus attack, compromised or unsecure status of mobile device and unauthorized mobile applications.
Mobile device for payment acceptance
If mobile devices are used by merchants to accept a Licensee’s payment solutions, additional security measures should be implemented to safeguard the mobile payment acceptance solution, including the detection of abnormal activities and logging of them in reports, and the provision of merchant identification so that Customers can validate the merchant’s identity.
Customer authentication
A Licensee should select reliable and effective authentication techniques to validate the identity and authority of its Customers. Two-factor authentication is normally expected for high-risk transactions. Customer authentication is stronger when two-factor authentication is adopted by combining any two of the following three factors: (a) something a Customer knows (e.g. user IDs and passwords); (b) something a Customer has or possesses (e.g. one-time passwords generated by a security token or a Licensee’s security systems); and (c) something a Customer is (e.g. retina, fingerprint or voice recognition).
If a password (including a personal identification number) is used as one factor of authentication, a Licensee must put in place adequate controls related to the strength of the password (e.g. minimum password length).
Login attempts and session management
Effective controls include limiting the number of login or authentication attempts (e.g. wrong password entries), implementing time-out controls and setting time limits for the validity of an authentication. If a one-time password is used for authentication, a Licensee should ensure that the validity period of such passwords is limited to the strict minimum necessary.
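The following Python module is an added illustration of the controls in this paragraph and the two-factor arrangement described under “Customer authentication” above; it is example code written for this page, not part of the Regulation and not any Licensee’s implementation. The thresholds (five failed attempts, a 15-minute lockout, a 60-second one-time password, a 5-minute idle and 8-hour absolute session time-out) and the PBKDF2 work factor are assumptions chosen for illustration; a Licensee would set its own values from its risk assessment. The clock is injectable so the behaviour can be exercised without waiting.

```python
"""Login-attempt limiting, short-lived one-time passwords and session
time-outs (added example, not part of the Regulation).

All thresholds below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5                      # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60                    # assumed lockout duration
OTP_VALIDITY_SECONDS = 60                    # assumed "strict minimum" OTP lifetime
SESSION_IDLE_TIMEOUT_SECONDS = 5 * 60        # assumed inactivity time-out
SESSION_ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600  # assumed validity of an authentication
PBKDF2_ITERATIONS = 100_000                  # assumed password hashing work factor


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0
    pending_otp: Optional[Tuple[bytes, float]] = None  # (sha256(code), issued_at)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_account(user_id: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(user_id, salt, hash_password(password, salt))


class AuthService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.sessions: Dict[str, List] = {}  # token -> [user_id, created_at, last_seen]

    # Factor 1: something the Customer knows, with attempt limiting and lockout.
    def verify_password(self, acct: Account, password: str) -> str:
        now = self.clock()
        if now < acct.locked_until:
            return "locked"  # refused during lockout even if the password is right
        candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.password_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "wrong"

    # Factor 2: something the Customer has, a one-time password with a short life.
    def issue_otp(self, acct: Account) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        acct.pending_otp = (hashlib.sha256(code.encode()).digest(), self.clock())
        return code  # delivered out of band (SMS, app) in a real system; never logged

    def verify_otp(self, acct: Account, code: str) -> str:
        if acct.pending_otp is None:
            return "no_otp"
        digest, issued_at = acct.pending_otp
        acct.pending_otp = None  # single use: consumed on any attempt, right or wrong
        if self.clock() - issued_at > OTP_VALIDITY_SECONDS:
            return "expired"
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest):
            return "ok"
        return "wrong"

    # Session management: idle time-out and absolute limit on the authentication.
    def open_session(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = [user_id, now, now]
        return token

    def session_user(self, token: str) -> Optional[str]:
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user_id, created_at, last_seen = entry
        now = self.clock()
        if (now - last_seen > SESSION_IDLE_TIMEOUT_SECONDS
                or now - created_at > SESSION_ABSOLUTE_TIMEOUT_SECONDS):
            del self.sessions[token]
            return None
        entry[2] = now  # refresh the idle timer on use
        return user_id
```

Two design choices are worth noting. A one-time password is discarded on the first wrong guess rather than left pending, so a six-digit code cannot be brute-forced within its validity window; and the lockout check runs before the password is compared, so a locked account rejects the correct password too, which is what limits an attacker to a bounded number of guesses per lockout period. Both results are returned as status strings rather than raised, so the caller can log the outcome without the control flow depending on exceptions.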
Activities logging
A Licensee should have processes in place ensuring that all transactions are logged with an appropriate audit trail.
A Licensee should have robust log files allowing retrieval of historical data including a full audit trail of additions, modifications or deletions of transactions. Access to such tools, including privileged responsibilities, should only be available to authorized personnel and should be appropriately logged.
Channels should be provided for Customers to check their past transactions.
Fraud detection systems
A Licensee must operate transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions. Suspicious or high-risk transactions should be subject to a specific screening, filtration and evaluation procedure.
Where an SVF enables a Customer to bind a credit/debit/prepaid card as a funding source for his/her SVF account, the Licensee should implement appropriate verification arrangements, to be conducted by the card issuer with the cardholder (e.g. SMS one-time password or other effective measures), to confirm that the cardholder consents to the card binding. Such verification should be triggered at least during the binding process or when the card is first used by the relevant SVF account. Licensees should disallow binding a card if the relevant card issuer does not support the verification arrangement required by the Licensee or fails to perform the required verification with the relevant cardholder.
Where an SVF enables a Customer to set up a direct debit from a bank account, the Licensee should implement appropriate measures to ensure that the setting up of such a direct debit has been authorized by the relevant bank account owner.
Administration of Customer accounts
If a Licensee allows a Customer to open an account through online channel, a reliable method should be adopted to authenticate the identity of the Customer. In general, the electronic know your customer (eKYC) process currently adopted by licensed banks is acceptable for SVF account opening.
A Licensee should perform adequate identity checks when any Customer requests a change to the Customer’s account information or contact details that are useful for the Customer to receive important information or monitor the activities of the Customer’s accounts.
Controls over higher-risk transactions
A Licensee should implement effective controls, such as two-factor authentication, to re-authenticate the Customer before effecting each high-risk transaction. High-risk transactions should, at least, include: (a) transactions that exceed the predefined transaction limit(s); (b) change of personal contact details; and (c) unless it is not practicable to implement in the SVF concerned, transactions that exceed the aggregate rolling limit(s) (i.e. the total value of transactions over a period of time).
A Licensee should define the per transaction limit(s) and the aggregate rolling limit(s), having regard to factors such as its fraud monitoring capability, maximum stored value per SVF (if applicable), maximum daily top up limit (if applicable) and other fraud protection mechanism implemented. Such limits should be clearly communicated to Customers.
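As an added illustration of how the per-transaction limit and the aggregate rolling limit in the two paragraphs above translate into a step-up authentication decision (example code written for this page; it is not part of the Regulation and not any Licensee’s system), the Python module below keeps each account’s effected transactions inside a sliding window, evicts those that have aged out, and reports why a request is high-risk so the caller can require re-authentication before effecting it. The limit values, the 24-hour window, the event names and the account identifier are assumptions constructed for the example; the module assumes transactions arrive in time order.

```python
"""Per-transaction and aggregate rolling limits used to flag high-risk
transactions for re-authentication (added example, not part of the Regulation).

The limit values, window length and event names are assumptions for
illustration; a Licensee sets its own limits having regard to its fraud
monitoring capability and stored-value caps.
"""
from collections import deque
from dataclasses import dataclass
from decimal import Decimal
from typing import Deque, Dict, List, Optional, Tuple

PER_TXN_LIMIT = Decimal("1000.00")   # assumed per-transaction limit
ROLLING_LIMIT = Decimal("3000.00")   # assumed aggregate limit over the window
ROLLING_WINDOW_SECONDS = 24 * 3600   # assumed rolling window


@dataclass(frozen=True)
class Txn:
    ts: float          # epoch seconds; requests are assumed to arrive in time order
    amount: Decimal    # Decimal, never float, for monetary values


class HighRiskGate:
    """Decides whether a request must be re-authenticated before it is effected."""

    def __init__(self, per_txn_limit: Decimal = PER_TXN_LIMIT,
                 rolling_limit: Decimal = ROLLING_LIMIT,
                 window: float = ROLLING_WINDOW_SECONDS):
        self.per_txn_limit = per_txn_limit
        self.rolling_limit = rolling_limit
        self.window = window
        # account id -> effected transactions still inside the window, oldest first
        self._history: Dict[str, Deque[Txn]] = {}

    def rolling_total(self, account: str, now: float) -> Decimal:
        """Sum of effected transactions with ts in (now - window, now]."""
        hist = self._history.setdefault(account, deque())
        cutoff = now - self.window
        while hist and hist[0].ts <= cutoff:
            hist.popleft()               # aged out of the window
        return sum((t.amount for t in hist), Decimal("0"))

    def reasons(self, account: str, event: str, txn: Optional[Txn] = None) -> List[str]:
        """Why the request is high-risk; empty when the session alone suffices."""
        out: List[str] = []
        if event == "contact_change":
            out.append("change of personal contact details")
        elif event == "payment":
            if txn.amount > self.per_txn_limit:
                out.append("per-transaction limit exceeded")
            if self.rolling_total(account, txn.ts) + txn.amount > self.rolling_limit:
                out.append("aggregate rolling limit exceeded")
        else:
            raise ValueError(f"unknown event {event!r}")
        return out

    def authorize(self, account: str, event: str, txn: Optional[Txn] = None,
                  step_up_verified: bool = False) -> Tuple[str, List[str]]:
        """Return ("approved", reasons) or ("step_up_required", reasons).

        A payment is recorded against the rolling window only once approved, so a
        request that was refused pending re-authentication does not consume limit.
        """
        why = self.reasons(account, event, txn)
        if why and not step_up_verified:
            return "step_up_required", why
        if event == "payment":
            self._history.setdefault(account, deque()).append(txn)
        return "approved", why


if __name__ == "__main__":
    gate = HighRiskGate()
    t0 = 1_700_000_000.0
    print(gate.authorize("svf-0001", "payment", Txn(t0, Decimal("800.00"))))
    print(gate.authorize("svf-0001", "payment", Txn(t0 + 60, Decimal("1500.00"))))
```

The aggregate check uses the total of transactions already effected plus the requested amount, so the request that would carry the account over the rolling limit is the one that triggers re-authentication, not the one after it; and the reasons list is returned even when the request is approved after step-up, which is what the fraud monitoring and activity log should record.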
Business continuity management
A Licensee must have in place an adequate business continuity management program to ensure continuation, timely recovery, or in extreme situations orderly scale-down of critical operations in the event of major disruptions caused by different contingent scenarios. An adequate business continuity management program comprises business impact analysis, recovery strategies, a business continuity plan and alternative sites for business and IT recovery. These components are elaborated further below.
Business impact analysis
A business impact analysis normally comprises two stages. The first stage is to (a) identify potential scenarios that may interrupt a Licensee’s services over varying periods of time, and (b) identify the minimum level of critical business and payment services that must be maintained in the event of a prolonged service interruption.
The second stage of a business impact analysis is a recovery time-frame assessment. It aims to develop key realistic, measurable and achievable recovery objectives: (a) the maximum tolerable downtime within which the minimum service levels of critical business and payment services must be recovered and resumed; (b) the recovery time objective for recovering critical IT resources and critical business and payment services; and (c) the recovery point objective for recovering data in a secure and timely manner and with full integrity.
Recovery strategies
A set of recovery strategies should be put in place to ensure that all critical business functions identified in business impact analysis can be recovered in accordance with the recovery timeframe defined. These recovery strategies should be clearly documented, thoroughly tested and regularly drilled to ensure achievement of recovery targets.
A crucial element of service recovery is robust record management. A Licensee must put in place effective measures to ensure that all business records, in particular Customer records, can be timely restored in case they are lost, damaged, or destroyed. It is also crucial for a Licensee to allow Customers to access their own records in a timely manner.
In determining a Licensee’s levels of minimal services and the recovery objectives, it should take into account a host of relevant factors, including but not limited to interdependency among critical services/systems, expectations of Customers and other stakeholders in terms of speed, stability, and reliability of its services, legal and reputational risk implications.
Business continuity plan
A business continuity plan must be developed based on the business impact analysis and related recovery strategies. A business continuity plan should comprise, at a minimum, (a) detailed recovery procedures to ensure full accomplishment of the service recovery strategies, (b) escalation procedures and a crisis management protocol (e.g. set up of a command center, timely reporting to the Central Bank, etc.) in case of severe or prolonged service disruptions, (c) proactive communication strategies (e.g. Customer notification, media response, etc.), (d) updated contact details of key personnel involved in the business continuity plan, and (e) assignment of primary and alternate personnel responsible for recovery of critical systems.
Alternate sites for business and IT recovery
A Licensee should examine the extent to which key business functions are concentrated in the same or adjacent locations and the proximity of the alternate sites to primary sites. Alternate sites should be sufficiently distanced to avoid any shared risk and being affected by the same disaster.
A Licensee’s alternate site should be readily accessible, installed with appropriate facilities and available for occupancy within the time requirement specified in its business continuity plan. Appropriate physical access controls should be implemented. If certain recovery staff are required to work from home in the event of a disaster, adequate computer and systems facilities should be made available in advance.
Alternate sites for IT recovery should have sufficient technical equipment, including communication facilities, of appropriate model and capacity to meet recovery requirements.
A Licensee must avoid placing excessive reliance on external vendors in providing business continuity management support, including the provision of the disaster recovery site and back-up equipment and facilities. A Licensee should satisfy itself that such vendors do have the capacity to provide the services when needed and the contractual responsibilities of the vendors, including the lead-time, types of support and capacity, are clearly specified.
If a Licensee is reliant on shared computing services provided by external providers, such as cloud computing, to support its disaster recovery, it should manage the risk associated with these services.
Senior Management oversight
Senior Management of the Licensee must establish clearly, which function has the responsibility for the entire process of business continuity management, and ensure that it has sufficient resources and expertise.
Given the importance of business continuity management, the chief executive of a Licensee should prepare and sign off a formal annual statement, submitted to the board of directors, on whether the recovery strategies adopted are still valid and whether the documented business continuity plan is properly tested and maintained.
Implementation of business continuity plan
A Licensee is expected to conduct testing of its business continuity plan at least annually. Senior Management, primary and alternate relevant personnel should participate in the annual testing to familiarize themselves with their recovery responsibilities.
All business continuity planning related risks and assumptions must be reviewed for relevancy and appropriateness as part of the annual planning of testing. Formal testing documentation (including test plan, scenarios, procedures and results) should be produced. A post mortem review report should be prepared for formal sign-off by Senior Management.
Reputation risk management
A Licensee must establish and implement an effective process for managing reputation risk that is appropriate for the size and complexity of its operations. A Licensee should integrate into its business processes proper due diligence work to (a) critically assess the potential reputational implications of its plans and activities for itself and for the industry; (b) take proactive actions to avoid or contain the identified risks; and (c) respond swiftly to mitigate the potential impact should such risks materialize.
A Licensee must also devote appropriate resources to conduct surveillance work with a view to identifying any issues with reputational implications for its operations. The objective is to protect the Licensee from potential threats to its reputation and, should there be a reputation event, minimize the effects of such an event.
A Licensee must ensure that the relevant process is capable of detecting and responding swiftly to new and emerging threats to reputation, monitoring the changing status of risks, providing early warning of potential problems to enable remedial actions to be taken, and providing assurance that the risks affecting reputation are under control.