Singapore eases approval process for fintech trials, unveils cybersecurity rules

Monetary Authority of Singapore launches an "express" 21-day route to approval for fintech companies applying to test products in a sandbox environment, and mandates measures aimed at improving cybersecurity posture of financial firms.
Written by Eileen Yu, Senior Contributing Editor on

Singapore has eased the approval process for fintech companies looking to trial their products in a sandbox environment, slashing the time it takes to 21 days if applicants adhere to standard disclosures and pre-determined rules. It also has implemented new legislation aimed at enhancing the cybersecurity posture of financial organisations, outlining mandatory requirements with which these businesses will have to comply by August 2020.

Monetary Authority of Singapore (MAS) said the new Sandbox Express option would allow fintech companies to more quickly test their products and services in the market compared to the existing FinTech Regulatory Sandbox, which required them to spend more time customising their sandboxes. 

Launched in 2016, the existing sandbox regulations still would be available to applicants with more complex business models or for products that required more time to assess potential risks of running such running such tests, the industry regulatory said in a statement Wednesday.

Because the Express route comprised standard disclosures and pre-determined rules, it would be more suitable for trials where risks were low and well understood by the market, MAS said. These product tests also should be "reasonably managed" within pre-defined parameters, it added.

The new Express option initially would be available only to insurance brokers, recognised market operators, and remittance businesses, with each sandbox running within pre-defined boundaries, regulatory reliefs, and expectations. Approved applicants must adhere to all stated conditions, including providing "clear and proper disclosure" to customers and submitting progress reports to MAS every two months from the start of the approved period. 

For instance, remittance businesses conducting tests within the sandbox must ensure the aggregated amount of moneys not received by the respective intended beneficiaries did not exceed S$100,000. 

Trials could be conducted within these sandboxes for up to nine months, which the regulator said would afford these companies more time to address business and technical challenges that surfaced during the experiments as well as for MAS to evaluate potential regulatory issues. 

MAS's chief fintech officer Sopnendu Mohanty said: "For innovation to take root, it is important for ideas to be tested quickly and in a safe environment. Sandbox Express aims to achieve this through appropriate disclosures and pre-defined rules. This introduction of Sandbox Express builds on the experience we have gained from running the FinTech Regulatory Sandbox and reflects our commitment to encouraging more experimentation and greater adoption of innovative technologies in the financial sector."

New rules to boost financial cyber resilience

MAS also formalised new legislation aimed at ensuring financial institutions in Singapore adopted the necessary measures to boost their cybersecurity posture

The Notice on Cyber Hygiene outlined steps these businesses must take to mitigate the growing risk of cyber threats, and essentially would made mandatory key components within the existing MAS Technology Risk Management Guidelines. Introduced in 2013, these guidelines set out best practices on risk management, security practices, and controls, to address technology risks.

Under the Notice, financial institutions must comply with six main requirements such as implementing robust security for IT systems, ensuring updates were applied "in a timely manner" to address system security flaws, and deploying security devices to restrict unauthorised network traffic. 

it also would be mandatory for these companies to implement measures to mitigate risks of malware infection, secure the use of system accounts that have special privileges, and beef up user authentication for critical systems, including systems used to access customer data. 

Financial organisations would have a year to ensure compliance of these measures, which would come into effect on August 6 next year. 

On the penalty and enforcement actions for non-compliance, MAS said the mandatory measures would be parked under various statues it administered and penalties would depend on the provisions stated in the respective statute. For instance, if the Notice was issued to banks under section 55(1) of Singapore's Banking Act, the penalty for non-compliance could be found in section 71 of the act, the regulator noted. 

In determining the enforcement actions, should there be a breach, MAS said it would assess the extent to which the financial entity had implemented the necessary measures to meet the requirements outlined in the Notice.

On the issue of accountability where cybersecurity policies and systems were outsourced and managed by third parties, the regulator noted that these systems remained within the control of the financial entity as these entities could impose terms and conditions in their contractual agreements with third-party contractors. These contracts would ensure systems implemented and used by the financial entities met the requirements outlined in the Notice, MAS said. 

The regulator's chief cyber security officer Tan Yeow Seng said: "Cyber threats in the financial sector are growing as a result of an increased digital footprint and pervasive use of the internet. The financial sector needs to remain vigilant and ensure that defences are able to counter varied and evolving threats. 

"Good cyber hygiene can go a long way in protecting financial institutions from common types of cyber incursions. These fundamental and essential measures can be implemented by all financial institutions regardless of size or system complexity," Tan said.


Singapore proposes new security guidelines to beef up financial resilience

Monetary Authority of Singapore is looking to introduce changes to existing technology risk and business continuity management guidelines that will require financial organisations to implement more measures, including cyber surveillance, to boost operational resilience.

Singapore outlines fintech strategy, releases sandbox guidelines

Monetary Authority of Singapore underscores the importance of a regulatory regime that aids innovation while ensuring security, as well as the right infrastructure and ecosystem to support new technologies.

Singapore banks offered $21M in funds to boost cybersecurity capabilities

Monetary Authority of Singapore is dishing out S$30 million (US$21.88 million) in a new grant to help local financial institutions boost their cybersecurity operations and skillsets, funding up to half of such expenses.

Singapore to issue digital bank licenses

Move to issue up to five new digital bank licenses will add market diversity and boost the local banking system in Singapore's bid to become a digital economy, says industry regulator, which will begin reviewing applicants in August

Singapore looks to prep financial workforce for data analytics, automation era

Country's government agencies identify 121 job roles in banking, asset management, and insurance that they believe will be necessary in future when the financial sector sees increased adoption of data analytics and automation.

Editorial standards


Meta warns its new chatbot may forget that it's a bot

Meta warns its new chatbot may forget that it's a bot

Parallels Remote Application Server 19, hands on: Flexibility, security and usability are all improved
Parallels RAS

Parallels Remote Application Server 19, hands on: Flexibility, security and usability are all improved

How to take a full-page screenshot in Google Chrome: Four different ways

How to take a full-page screenshot in Google Chrome: Four different ways