Singapore moots bill to slap banks with higher fines for security breach

Government debates a new bill that will tighten regulations of digital token service providers and push the maximum penalty financial institutions face to SG$1 million for each breach, and higher if multiple parties are affected.
Written by Eileen Yu, Senior Contributing Editor

Singapore has taken another step towards a new bill that seeks to impose higher penalties on financial institutions that suffer a security breach as a result of oversight. It also looks to tighten regulations of digital token services providers to guard against money laundering and terrorist financing risks.

If passed, the Financial Services and Markets Bill will push the maximum penalty for each breach of the sector's technology risk management requirements to SG$1 million ($736,791). The financial penalty can climb further should an incident impact the financial institution's customers or other partners, resulting in more than a single breach of risk management requirements.

This meant that financial companies could face much higher fines for a "serious" cyber attack or disruption to essential financial services, during which multiple breaches occurred, such as an ATM network or online trading disruption, said Alvin Tan, Singapore's Minister of State, Ministry of Culture, Community and Youth, and Ministry of Trade and Industry. 

The new Bill would provide the Monetary Authority of Singapore (MAS) with powers to enforce technology risk management requirements, said Tan, who also sits on the board of the industry regulator. It also would enable MAS to ensure the "safe and sound" use of technology to deliver financial services and protect data, he said.

"Financial institutions today rely heavily on technology to deliver financial services," the minister noted. "However, the current maximum penalties that can be imposed for breaches of technology risk management requirements are not commensurate with the potential widespread impact to financial institutions' customers and the financial industry that could result from such breaches."

He added that the Bill would consolidate existing technology risk management requirements established under various MAS-administered Acts, which applied to financial institutions or classes of financial institutions. These, for instance, included the Securities and Futures Act and Insurance Act.

First read in parliament in February, the proposed Financial Services and Markets Bill also would enhance regulation of digital token services providers to better safeguard against risks involving money laundering and terrorist funding. 

Plugging current holes in digital token operations

Tan said: "The financial sector is dynamic and rapidly evolving, driven by innovation, digitalisation, and the design of new products and services. The sector has transformed significantly in recent years, in terms of the types of transactions, and the persons, institutions, and technology conducting these transactions. 

"We must ensure MAS keeps abreast of these developments and equip it with the tools to facilitate the development of these new products and services while managing the risks involved," he said.

He added that digital transformations could disrupt and challenge existing regulatory frameworks that were designed for more traditional forms of financial transactions and services. Digital token services providers, for instance, could easily structure their businesses to evade regulation in any one jurisdiction, since they operated mainly online, he said.

While these providers were governed under current legislation regardless of where they were established, companies created in Singapore without offering any digital token services in the country were currently unregulated for the two key activities. Tan said this carried risks to Singapore's global reputation. 

The new Bill would apply to all entities or individuals in Singapore that provided digital token services outside of the country, but created or operated their business from Singapore. It would regulate such providers as a new class of financial institutions, primarily for money laundering and terrorist financing risks. 

Specifically, the bill would introduce licensing requirements and regulatory powers over digital token services providers, including giving MAS the ability to conduct anti-money laundering inspections and provide assistance to local authorities. Requirements outlined in the bill would be in sync with those stipulated in the Payment Services Act.  

Entities or individuals providing digital token services within Singapore still would be regulated under other existing Acts. 

Tan said the proposed Bill not only addressed regulatory challenges and new risks brought about by the sector's digital transformation, but also ensured financial players strengthened the security and resilience of digital services.

The increase in penalty for breaches, for instance, underscored the importance of technology risk management to a financial institution's operations and the robustness of financial systems. He added that the quantum was established after evaluating existing penalty regimes of other jurisdictions and Singapore government agencies.

Apart from the penalties, the new Bill would enable MAS to take other supervisory actions, he said. These included requiring financial institutions to set aside additional regulatory capital until the regulator was satisfied that adequate technology risk control measures had been put in place to address deficiencies, the minister said.  

MAS in February said it was working on a framework that would detail how losses from online scams would be shared. Cautioning victims of online scams against assuming they would be able to recover their losses, the regulator said the new framework would outline responsibilities of key parties in the ecosystem. 

It added that all parties, including customers and financial institutions, had responsibilities to be vigilant and take precautions against scams. 

