MAS TRM Notice: Raising the Bar for Application Availability

MAS TRM Notice: Raising the Bar for Application Av...


MAS TRM Notice: Raising the Bar for Application Availability

by Ian Tivey
about the authors
MAS TRM Notice: Raising the Bar for Application Availability

Share this Blog with a friend.

About the Author

dark mode

The first of July, 2014, is not a day that financial technology managers in Singapore will have celebrated. It is the day the Monetary Authority of Singapore (MAS) started the clock on what is probably the world’s strictest regulatory requirement when it comes to availability of financial IT systems. As of the last few months, financial institutions operating in Singapore have been subject to a new rule that means the “maximum unscheduled downtime” for critical systems cannot exceed four hours in any 12 month period.

If “unscheduled” means during trading hours, the requirement translates into 99.8% availability. For systems that need to be available 24×7, like an ATM network, it means 99.95% availability. Not impossible, but certainly the most challenging regulatory target we have seen.

Thankfully, the MAS’ Recovery Time Objective (RTO) is also four hours (we have seen RTOs of two hours being demanded in the US and Europe, but those only apply to core financial infrastructure providers). That means a single outage per year of up to four hours would be acceptable. But any more would be in breach of the rules.

Exactly how the MAS reacts to this rule being broken has not yet been tested, but I am sure no one wants to be the first to find out. Given that the four hour threshold is contained within a regulatory ‘notice’ makes it a legally binding requirement. In the MAS’ own words, that means the regulator can “specify whether a contravention… is a criminal offence.”

Having managed programs to meet the MAS’ Technology Risk Management (TRM) guidelines, I know how respectfully financial firms in Singapore treat their regulator. Most have already invested a significant amount of money in meeting the new requirements. Even so, there are still aspects of the TRM guidelines and notice that many may still be worrying about.
To address those concerns, here are a few suggestions that we would recommend for any firm subject to the new rules:

  1. Ensure you have a framework in place to identify critical systems, which should be periodically reviewed. Only systems that directly impact the markets, economy or citizens of Singapore should be identified as critical. That means much of the focus will be on retail operations, with critical corporate and institutional systems predominantly focused on clearing and settlement.
  2. Conduct a thorough assessment of all critical applications, and their underlying infrastructure, to ensure they are highly resilient, available and can be recovered within four hours. Don’t be afraid to seek outside help. Even if you have already reviewed your application architecture and infrastructure, a fresh set of expert eyes can help identify risks that you have not considered.
  3. Enhance incident management processes to ensure you can meet the obligation to report incidents affecting critical systems to the MAS within an hour. Also, make sure problem management functions are aware that the MAS expects a root cause analysis report of any such incident to be delivered within 14 days. Carry out dry runs to test that those processes work as expected.
  4. Review all applications containing sensitive data to make sure there are sufficient controls to prevent unauthorised access or data leakage. If you haven’t done so already, carry out appropriate penetration tests to verify your information security.
  5. Finally, remember that application availability is a moving target. It requires continuous review. Even when you feel like you have identified and remedied all current risk factors, new ones will surface over time.

Citihub has been asked to evaluate hundreds of mission critical financial applications over the last couple of decades. Over that time, our Application Availability Assessment (AAA) methodology has been honed to do exactly what regulators are asking for.

Related Insights

See technical discoveries and coding insights from our developers.

Find out more about life at Citihub

about us