REMINDER: MAS Revised Guidelines on Business Continuity Management (BCM) - Waystone

      REMINDER: MAS Revised Guidelines on Business Continuity Management (BCM)

      The MAS Guidelines on Business Continuity Management (BCM) set out the need for financial institutions (FIs) to take an end-to-end (both business flow and internal flow) service-centric view in order to ensure the continuous delivery of critical business services to their customers.

      Although protecting customers is the primary objective, it should be noted that employees and the market itself are also protected.

      MAS Deadlines

      The revised MAS Guidelines issued on 6 June 2022 replace all previous versions that were published by MAS (including “Further Guidance on BCM”).

      FIs must meet the new Guidelines by June 2023 and establish a BCM audit plan, with the first BCM audit to take place by June 2024.

      The key message for firms is that there are new principles and practices that must be implemented in order to strengthen their operational resilience.

      Revised BCM requirements for Financial Institutions

      The new guidelines require FIs to go further, much further than before, to adopt a service-centric approach. The new guidelines demand that the customer is the focal point of all decisions in respect of potential risks and failings:

      • FIs must take a step back and identify their critical business services, which are unique to each FI. In addition to critical business functions, FIs must safeguard the delivery of services to customers on an ongoing basis, and customers must have confidence that, if an event occurs, the FIs have resilience built into their plans.
      • FIs must assess their critical business services. A critical business service is an external-facing service which, if disrupted in the short term or long term, is likely to have a significant impact on the FI’s safety and soundness, its customers or other FIs that depend on the business service.
      • FIs must undertake robust assessments of critical business functions. A critical business function is an activity performed by an individual organisational line, such as a department or unit, which, if disrupted, is likely to have a significant impact on the FI, whether directly or indirectly, financially or non-financially.
      • FIs must set target recovery times and establish service recovery times, with the objective of providing clarity on the recovery expectations for critical business services.
      • FIs must identify and map end-to-end dependencies, covering the people, processes, technology and other resources (including those involving third parties) that support each critical business service.
      • Significantly, FIs must conduct a BCM audit at least once every three years, covering the FI’s overall BCM framework and the BCM of each of its critical business services, and concentrating on the adequacy and effectiveness of its BCM framework.
      • FIs must continuously review and improve by proactively monitoring and scanning for relevant threats that could disrupt their normal operations, and they must continuously seek out areas to enhance and ensure that their BCM remains relevant and forward looking.
      • The FI’s Board and Senior Management have full responsibility and are ultimately responsible for the FI’s BCM. They MUST (a) have in place a crisis management structure, plans and procedures; (b) conduct regular and comprehensive testing; (c) validate the effectiveness of the FI’s response and recovery arrangements; (d) remediate any gaps or weaknesses identified; and (e) mitigate concentration risk, by reducing exposure to risk arising from the concentration of people, technology, or other required resources in the same zone, or reliance on a single service provider.

      What is the timeline?

      As we start the new year, FIs should consider the revised BCM requirements and the actions required.

      BCM covers the entire business, end-to-end, including business flow. FIs must have detailed assessments and documentation, which means time must be invested by preparing early.
      BCM requirements timeline for Financial Institutions – Waystone Compliance Solutions

      Reminder: FIs must undertake (either internally or outsourced) a gap analysis of their current BCM structure against the requirements of the new Guidelines to determine the extent of effort required.

      How can Waystone Compliance Solutions help?

      Our APAC Compliance Solutions team of experts can assist your firm at every stage, by assisting with a new or enhanced robust BCM policy, audit framework and providing a mock regulatory audit. Please reach out to your usual Waystone Compliance Solutions representative or contact us.
