Published Date: 20 May 2004

Welcome Address by Mr John Palmer, Deputy Managing Director (Prudential Supervision), Monetary Authority of Singapore, at the World Bank Asia Pacific Regional Conference on Electronic Safety and Soundness for Financial Services, May 17-18, 2004, Singapore



"Electronic Safety and Soundness for Financial Services - A Pragmatic View"

WELCOMING REMARKS

I am delighted to welcome all of you to this World Bank Conference.  I am impressed that so many of the guests at this Conference have come from different corners of the globe, including China, India, Japan, various countries from the Asia Pacific region, Europe, North America, Latin America and the Middle East, as well as our close neighbours - Malaysia, Thailand, Indonesia and the Philippines.

I would like to share with you, over the next few minutes, a regulator's pragmatic view of "Electronic Safety and Soundness for Financial Services," the theme of this Conference.

STARTING POINTS

First, a quick sweep of the promises, and the key threats and challenges the technology revolution has brought to the financial services industry.

The Promises

Technology offers financial institutions tremendous opportunities to surmount geographical, commercial and demographic barriers.  It offers the potential of virtually zero marginal cost delivery combined with unbounded reach.  Through wired and wireless technology, financial services can now be delivered to places and markets without requiring physical branch networks and distribution structures.

The promise of technology is limitless.  But we have to retain some professional scepticism.  Recent history is littered with examples of where promises failed to materialise.  Many financial institutions have had bad experiences with over-hyped business models.

For instance, for many, the much-touted cost savings from some electronic delivery business models simply failed to materialise.  Systems development, process re-engineering, new distribution channels and consumer education have often required greater investments than initially foreseen.  Financial institutions have also been taught lessons about consumer behaviour as online penetration took place at a much slower pace than projected.  Even when consumers began to use the new electronic delivery platforms, they often refused to abandon the traditional brick-and-mortar services they had been so accustomed to.  It has become clear that new technologies should not be adopted merely to be fashionable or trendy.  To succeed, electronic service offerings have to be both purposeful and compelling, and there must be strong channel integration.

Threats and Challenges

Despite false promises and often excessive expectations, benefits are real, and today, technology has come to play a big part in the way the operations of financial institutions are conducted and the way their risks are managed.  But, with this growing dependence on technology by the financial services industry, comes a new set of threats and challenges.

I would like to talk about three groups of threats and challenges:

(1) those posed by the "open" nature of the Internet,
(2) cyber-terrorism, and
(3) cross-border challenges.

Later, I will discuss risks associated with outsourcing and "off-shoring".

"Open" Nature of the Internet

There are more financial products and services being delivered via electronic channels and networks than ever before.  The Internet is fast becoming the predominant platform.  A recent newspaper article reported that in Singapore, which has a total population of 4 million people, about 1 million people use Internet banking regularly.  This seems to reflect the trend in many countries across the world.

However, the "open" nature of the Internet exposes financial institutions to fundamentally different operational risks.  It poses new threats to the safety and stability of the financial system.  Internet bank attacks are far removed from the bank hold-ups that we grew up watching in the movies, although they can be just as exciting.  Hackers can run pernicious programs, such as digital worms, viruses and Trojans, from remote sites anywhere across the globe, to assault or disrupt the delivery of financial services.  As online financial services and products grow in popularity, online channels are increasingly being targeted and exploited by criminals and hackers.

There appears to be an increasing array of cyber attacks on electronic banking systems and services.  One of the newest attacks is "phishing" - a type of identity theft whereby fraudsters trick bank customers to log on to fake websites to obtain sensitive personal information such as user ID and password, PIN, account details or credit card number.  Such information could then be used for impersonation at a later time.  These scams, in different combinations, have been experienced repeatedly in several countries, including Australia, USA, UK, Hong Kong and Singapore.

Cyber-Terrorism

In our post-911 world, the spectre of large-scale disruptions from cyber-terrorism and cyber-warfare has become a much-dreaded reality.  Establishing rapid recovery capability, implementing incident response procedures and planning for business continuity have become a necessity in today's uncertain and volatile environment.  Where attacks occur, financial institutions must act quickly to restore public confidence and safeguard their reputation.  Hence, it is critical for them to be able to quickly reconstruct and reinstate mission critical assets comprising people, systems, processes, technology and facilities after a disaster.

Cross-Border Challenges

The borderless nature of the Internet and the increasing trend of financial institutions "off-shoring" various business processes have thrown up some difficult and complex regulatory and supervisory problems.  In practice, enforcement beyond one's own jurisdiction will depend largely on the co-operation given by regulators and supervisors in other jurisdictions.  Unfortunately, such co-operation may be impeded by dissimilar regulatory and supervisory approaches between home and host jurisdictions. 

PROCESS GOING FORWARD

How should we respond to these threats and challenges?  The first step is obviously awareness.  It is important for all of us - financial services providers, vendors, supervisors, policymakers and legislators - to be constantly mindful of the interplay of economic, technological, social, legal and political realities which affect the adoption of technology in the world of financial services.

Mitigating Operational Risks

In seeking to mitigate the growing operational risks, we must also understand that electronic security standards become accepted only when they are closely aligned with commercial, technological, social and legal realities.  This occurs when the costs are well understood and acceptable, the technology is mature and robust, broad user acceptance is attainable, and the existing legal framework provides the necessary legal support. 

Supervisory Philosophy and Strategy

Supervisors, of course, have an important role to play in helping the financial sector respond to these threats and challenges.  In doing so, they have to strike a sensible balance between the wish to prevent problems from occurring and the benefits from the deployment of new technologies.  Zero tolerance of errors and mishaps would be prohibitively costly, and in any event, unattainable and impractical.  We must take a pragmatic view that the financial services industry can afford a certain level of mishaps, and try to encourage practices that will keep fallout within acceptable bounds.

In doing this, supervisors must realise that the development and enforcement of standards need not, and should not, reside with us exclusively.  Well-managed and reputable financial institutions have a primary role to play.  Indeed, institutions have a strong incentive to build customer confidence by developing strong security standards and robust codes of conduct; these can then be implemented more broadly through a process of industry peer pressure.  Against this backdrop, supervisors should seek to act as catalysts.  By engaging the industry and sharing industry best practices through supervisory guidance and forums such as this conference, supervisors can encourage and stimulate the adoption of high standards of electronic safety and soundness.

In our dealings with the industry, we should not be overly prescriptive or intrusive.  Also, because technologies are constantly evolving, supervisory standards need to be flexible.  Supervisory benchmarks and expectations should be updated as risk issues evolve.

What We Do at MAS

Here at the Monetary Authority of Singapore, we have tried to embrace the above realities in our Internet Banking Technology Risk Management Guidelines.  The Guidelines were issued in March 2001, following a period of industry consultation.  They were specifically designed to provide a greater understanding of the diversity and complexity of Internet banking systems and the emerging practices for managing technology risks.  They were intended to put in place a definitive industry-based framework for managing technology risks at a level comparable to those in place for financial risks. 

Since then, the banking industry has matured in the way it addresses technology risks and related security issues.  Recognising this, we recalibrated our approach in June 2003 to give financial institutions more flexibility in the way they comply with the guidelines in the context of their individual risk and business profiles.  Although item-by-item compliance is not required, MAS has incorporated these guidelines into our supervisory expectations.  How and to what extent each financial institution is observing these guidelines will be factored into our risk ratings of institutions.

Addressing Cross-Border Challenges

Some industry pundits have called for the global harmonisation of legislation, as well as regulation and supervision, as the way to address cross-border challenges.  Clearly, this is the right direction, but in the short-term there are some difficulties.  Countries at different stages of development in the adoption of technology will naturally have different concerns and priorities, and harmonisation of legislation between countries is always difficult.

A more realistic approach is to work towards enhanced co-operation among regulators and supervisors.  This involves greater sharing of information and perspectives, including co-ordinated surveillance and supervision.  This is what we are doing at MAS.  We are strengthening our relationship with other supervisors and, where possible, co-ordinating our supervisory work with theirs.

OUTSOURCING AND "OFF-SHORING"

Trends

Financial institutions worldwide are under intense pressure to cut costs and to refocus on their core activities.  Outsourcing offers the potential to replace large fixed overheads with transparent variable costs, which are often more linear and controllable.  Outsourcing, commonly adopted for data centres and other operational areas, is beginning to gain traction for many banking and capital markets processing activities, and even some core banking functions.

In many instances, these outsourcing activities will take on an "off-shoring" dimension, when lower cost locations are seen to offer greater cost savings.  Financial institutions are also actively centralising activities on a regional and even global basis into these cost-effective locations.  Such consolidation offers financial institutions the potential to exploit economies of scale, reduce operational risk and provide better customer service.

Associated Risks

While outsourcing and "off-shoring" can bring cost and other competitive advantages, they increase the risk profile of a financial institution - particularly strategic, reputational, operational, legal, compliance and business continuity risks, to name only a few.  Failure of a vendor in providing the service, breaches in security, or non-compliance with legal and regulatory requirements can lead to financial losses for the institution, and possible contagion effects within the financial system.  One of the most important risks is that the arrangement will not succeed in commercial terms and will have to be unwound.  I am not convinced that all financial institutions have made adequate provision for this in their outsourcing arrangement with independent suppliers.

Mitigating the Risks

Both outsourcing and "off-shoring" are realities of operating in today's competitive global markets.  What is important here is to address their generic and specific risks whilst maintaining a conducive business environment.

What We Do at MAS

The Monetary Authority of Singapore, while permitting outsourcing and offshoring activities to take place, expects the Board and Management of a financial institution to retain full responsibility and accountability for all significant functions and operations that have been outsourced.  Before a service provider is appointed, financial institutions should carry out sufficient due diligence to determine its viability, capability and track record.  The contractual terms and conditions governing the relationships, obligations and responsibilities of all the contracting parties should be carefully and properly defined in the outsourcing agreements.

One of our key concerns is with data security and confidentiality: the preservation and protection of customer information residing with service providers.  Financial institutions should ensure that their service providers implement data security policies, procedures and controls that are at least as stringent as their own.

We are also concerned about business continuity in the event of a disruption in the outsourcing arrangement.  Financial institutions should have robust business continuity management plans, based on probable worst-case scenarios, to mitigate the risk of the unexpected termination of an outsourcing agreement or liquidation of the service provider.  They should ensure that in such events, they are able to quickly reinstate their operations elsewhere and regain immediate custody of all their data from the service provider in order to continue business operations and safeguard data confidentiality.  

Last but far from least, MAS and other regulators require financial institutions to ensure that the service providers engaged by them provide the relevant authorities with the necessary access to systems, data and facilities for the purpose of conducting inspections or investigations.

CONCLUDING REMARKS

Technology is a powerful force transforming the financial services landscape, but it brings with it new risks, some of them quite significant.  To date, I am not aware of any financial institution that has collapsed as a result of a failure in managing its technology risk.  But I certainly don't want to see it happen on my watch, and I can't predict that it would never occur in the future.  To minimise the risk of this occurring, there is still much to be done.  Ensuring a high level of electronic safety and soundness for financial services in the face of continuing rapid change will not be an easy task.  Many challenges lie ahead and new ones will emerge.

In this spirit, I am greatly encouraged by the wide participation from the financial services industry, the electronic security services industry, the legal profession and various governmental agencies at this Conference, and wish you all very successful deliberations over the next two days.  I am confident that your work will help to advance the cause of improving electronic safety and soundness for financial services in our region and beyond.