Singapore issues FSI guidelines on managing remote work risks

Monetary Authority of Singapore outlines key security and operational risks financial institutions face as remote work practices take hold, including outsourcing and staff conduct, and what these organisations should do to mitigate such risks.
Written by Eileen Yu, Senior Contributing Editor

Singapore has released guidelines on heightened risks businesses in the financial services industry (FSI) now face as remote work practices take hold and how they can mitigate such risks. These include implementing safeguards in their outsourcing arrangements as well as security controls to combat data leaks and fraud. 

The document aimed to outline key risks associated with a remote workforce for FSI companies and drive the adoption of good practices to manage these risks, said the Monetary Authority of Singapore (MAS) and Association of Banks in Singapore (ABS) in a joint statement Tuesday.

A non-profit group representing interests of the FSI, ABS currently has a membership base of 154 local and overseas banks and financial institutions with local operations. Members of its Return to Onsite Operations Taskforce (ROOTS) -- specifically, its Workstream 8 team that focused on remote work -- including DBS Bank, Standard Chartered Bank, Barclays Bank, Bank of China, and Bank of America, had participated in the establishment of the document.

"Remote working requires changes to policies and operational processes, some of which could lead to new risks and risk management challenges," they said. With organisations expected to extend remote work arrangements and adopt hybrid work models in future, financial institutions would have to remain vigilant and take preemptive steps to manage the risks arising from this work environment.

In particular, the document highlighted 10 key areas financial institutions should review, such as assessing changes to outsourcing and third-party vendors' risk profiles amidst the new work environment including their remote working controls and operational resiliency. 

"Vendors' infrastructure and controls, including business continuity plans, may not be as robust as the financial institutions' to allow them to fully manage remote working risks [and] this translates to heightened risks for financial institutions, especially if vendors have access to sensitive information, client data, or connectivity to the financial institutions' systems, or provide critical services to financial institutions," the report noted. 

In addition, vendor services previously provided on-site at the financial institutions' premises, such as IT development and support, would no longer be under close supervision with remote working. This could lead to higher error rates or delays in service delivery. In its place, financial institutions might conduct alternative procedures such as desktop or virtual reviews, which generally relied more on vendors' attestations. These were less effective in detecting risk issues, including weaknesses in vendors' infrastructure, controls, and operational resiliency.

Financial institutions should assess such changes and roll out safeguards and contingency plans to ensure service continuity, the document recommended. 

Organisations also should review the risks and implications of data loss when identifying activities that could be carried out remotely, and put in place preventive and detection controls to address these risks. In addition, cybersecurity controls should be in place to ensure employees' remote working infrastructure, including personal devices, were secured.

"To facilitate remote working, financial institutions may have amended information governance policies to allow staff to access customer and other sensitive information when they are working remotely, [where] staff could previously only access such information within the office premises," the report stated.

Enabling employees to access customer and other sensitive data remotely heightened inherent risks of data leaks, for instance, through eavesdropping amongst family members, employees browsing online on corporate devices while bypassing the corporate proxy or gateway, and staff forwarding sensitive data to personal devices.

Financial institutions should continue to have robust technology risk management practices to manage hardware and software deployed to support large-scale remote working, MAS said.

Furthermore, financial institutions would need to keep updated on fraud typologies from remote work environments and roll out the necessary countermeasures, as well as implement guidelines to identify situations where in-person meetings, site visits, and verification against original documents were needed. 

MAS' deputy managing director of financial supervision Ong Chong Tee said: "Financial institutions in Singapore have swiftly adapted to remote working and split-team arrangements in response to COVID-19. The operational resilience of our financial institutions during this period reflects the soundness of their business continuity management plans. It also underscores the importance of regular tests through internal drills and industry-wide exercises jointly organised by the MAS and the financial industry."

