19 December 2019
On 6 December 2019, the Monetary Authority of Singapore (“MAS”) issued a “Guidance to Enhance Operational Controls in Payments and Electronic Funds Transfer Operations” (“Guidance”). From 2016 to 2019, MAS conducted thematic inspections aimed at strengthening banks’ operational controls in their Payments and Electronic Funds Transfer (“EFT”) operations, inspecting and benchmarking selected banks whose operations ranged in size and complexity.
The Guidance summarises the key inspection findings and elaborates on how banks’ controls in Payments and EFT operations should be enhanced, in addition to the implementation of baseline SWIFT Customer Security Programme (“CSP”) controls.
The Guidance notes that MAS observed good practices at the banks but also noted the following areas for improvement:
- Improve governance and management oversight, to ensure adequate controls are in place for the proper management of SWIFT access rights and user profiles. Proper contingency procedures should be established for situations when SWIFT is unavailable.
- Enhance operational and system controls, by adhering to fundamental security principles of need-to-know access, least privilege and segregation of duties. This will ensure appropriate access rights and profile assignments, proper control of privileged accounts, and proper back-up arrangements for critical profiles such as security officers.
- Strengthen detection capabilities, as end-of-day reconciliation of SWIFT messages that required manual intervention is critical for detecting any outgoing SWIFT message that may be unauthorised or fraudulent. An adequate process for timely event journal review, including appropriate escalation procedures, is important because it serves to ensure that system access is duly authorised at all times and that the system is functioning properly.
- Remain vigilant to evolving risks, incorporating key lessons from fraud events into their risk controls, as well as securing their IT environment and internal systems.
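To make the detection and segregation-of-duties points concrete, the following is an added illustration written for this summary; it is not code from the MAS Guidance, from SWIFT or from any bank. It reconciles a day's outgoing SWIFT messages against the bank's own authorised payment instructions and flags the exceptions an end-of-day review would escalate: messages with no authorised instruction, messages whose amount, currency or beneficiary differ from the approved instruction, duplicate sends, instructions that were approved but never sent, and instructions where the maker and checker are the same user. The record layouts, field names and sample data are constructed assumptions for the example.

```python
"""End-of-day reconciliation of outgoing SWIFT messages against authorised instructions.

Illustrative example only: the record layouts below are assumptions, not the
MAS Guidance's, SWIFT's or any bank's actual message or journal format.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Instruction:
    """A payment instruction approved in the bank's back-office system (maker/checker)."""
    ref: str
    amount: Decimal
    currency: str
    beneficiary: str
    maker: str    # user who created the instruction
    checker: str  # user who approved it


@dataclass(frozen=True)
class OutgoingMessage:
    """An outgoing SWIFT message as recorded in the interface's journal."""
    ref: str
    amount: Decimal
    currency: str
    beneficiary: str
    manual: bool  # True if the message was keyed or repaired by hand in the SWIFT interface


@dataclass(frozen=True)
class Finding:
    ref: str
    reason: str
    manual: bool  # carried through so reviewers can prioritise manually handled messages


def reconcile(instructions, messages):
    """Return the exceptions a reviewer should investigate before closing the day."""
    by_ref = {i.ref: i for i in instructions}
    seen = set()
    findings = []
    for m in messages:
        if m.ref in seen:
            findings.append(Finding(m.ref, "duplicate outgoing message for reference", m.manual))
        seen.add(m.ref)
        instr = by_ref.get(m.ref)
        if instr is None:
            # An outgoing message with no approved instruction behind it is the
            # classic signature of an unauthorised or fraudulent payment.
            findings.append(Finding(m.ref, "no authorised instruction on record", m.manual))
            continue
        if (m.amount, m.currency, m.beneficiary) != (instr.amount, instr.currency, instr.beneficiary):
            findings.append(Finding(m.ref, "fields differ from authorised instruction", m.manual))
        if instr.maker == instr.checker:
            # Segregation of duties: the approver must not be the person who created the instruction.
            findings.append(Finding(m.ref, "maker and checker are the same user", m.manual))
    for ref in by_ref.keys() - seen:
        # Not a fraud indicator, but an operational gap the reconciliation should surface.
        findings.append(Finding(ref, "authorised instruction with no outgoing message", False))
    return findings


# Constructed sample data for a single business day (hypothetical references and users).
INSTRUCTIONS = [
    Instruction("TXN001", Decimal("10000.00"), "USD", "BENE-A", "alice", "bob"),
    Instruction("TXN002", Decimal("250.50"), "EUR", "BENE-B", "carol", "carol"),
    Instruction("TXN003", Decimal("5000.00"), "GBP", "BENE-C", "alice", "bob"),
]
MESSAGES = [
    OutgoingMessage("TXN001", Decimal("10000.00"), "USD", "BENE-A", manual=False),
    OutgoingMessage("TXN002", Decimal("250.50"), "EUR", "BENE-B", manual=True),
    OutgoingMessage("TXN001", Decimal("10000.00"), "USD", "BENE-Z", manual=True),
    OutgoingMessage("TXN004", Decimal("75000.00"), "USD", "BENE-X", manual=True),
]


def run_sample():
    """Reconcile the constructed sample; returns five findings."""
    return reconcile(INSTRUCTIONS, MESSAGES)


if __name__ == "__main__":
    for f in run_sample():
        flag = "MANUAL" if f.manual else "STP"
        print(f"{f.ref}: {f.reason} [{flag}]")
```

In practice the instruction list would come from the bank's payment system and the message list from the SWIFT interface's journal or message export, and the findings would feed the escalation procedure the Guidance calls for; the point of the example is that the comparison runs against an independent record of what was authorised, so that a message injected or altered at the SWIFT layer cannot reconcile itself.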
The Guidance states that banks should assess the effectiveness of their operational controls against MAS’ expectations and good practices as set out in the Guidance and take appropriate steps to address any gaps. This is in addition to the implementation of baseline SWIFT CSP controls. Banks should also dedicate adequate resources for effective risk detection and mitigation.
MAS looks to the banks’ senior management to provide oversight and maintain high standards in this area. MAS will continue to engage banks on the effectiveness of their operational controls in Payments and EFT operations as part of MAS’ ongoing supervision.