"Sharpening Risk Management Capabilities" - Keynote Address by Mr Lim Hng Kiang, Minister for Trade and Industry (Trade), and Deputy Chairman, Monetary Authority of Singapore, at 43rd Association of Banks in Singapore Annual Dinner on 28 June 2016
Chairman and Council members of ABS,
Ladies and Gentlemen
It is my pleasure to join you at the 43rd ABS Annual Dinner this evening.
The global economy: slower for longer
2 Since I addressed the ABS in 2014, the global economy has continued to recover. But growth has been lacklustre and uneven. Risks remain, not least the prospect of political instability and the possibility of a rise in protectionist tendencies in the major economies.
3 In the near term, the unexpected results of the UK’s EU referendum or Brexit, would very likely continue to reverberate across financial markets around the world. It is a clear reminder of the risks that we face and how financial institutions and regulators must work together to ensure the continued resilience of our banking system and financial sector.
- MAS had been prepared for this possible outcome, and had taken precautionary measures, including keeping in close contact over the past weeks with banks in Singapore, foreign central banks and regulators. Our markets continue to function in an orderly manner and our financial system remains sound.
4 Beyond the immediate market turbulence, Brexit will also have wider economic implications for the region and Singapore. While it is too early to make a firm call on the longer term consequences of the event, it will certainly weigh on both market confidence and on an already listless global recovery.
- Among the developed economies, the US has been most advanced in its recovery. This provided the impetus for the first interest rate hike in more than nine years in December 2015. However, the Federal Reserve has since held back from further rate increases amid a moderation of growth in the US and in many other parts of the world, as well as a rise in financial market volatility.
- Some central banks in Europe and Japan have adopted negative policy rates alongside other monetary easing measures to further support their economies, with mixed results. Central banks will have to be vigilant against undue financial market stresses arising from last Thursday’s referendum in the UK, and to be prepared for a period of heightened uncertainty that such an unprecedented event might entail.
- In Asia, China’s economic slowdown, softer commodities prices and weak demand in key export markets have been a drag on the region’s economies. Nonetheless, more resilient domestic demand conditions have continued to provide support to growth in many countries, including those in ASEAN.
5 The present low-growth, low-inflation environment, which in all likelihood will continue for some time, suggests that monetary policy settings in many parts of the world will remain accommodative, especially in advanced economies where inflation has been below target for a number of years. The prolonged period of low interest rates presents particular challenges for the banking sector.
- First, lower interest rates, a flattening of the yield curve, and lower corporate investment mean net interest income and profits are being squeezed.
- Second, low interest rates and investment returns are driving a search for yield among households, asset managers and institutional investors, which could lead to excessive risk-taking and growing financial vulnerabilities.
6 Periodic bouts of heightened volatility in financial markets over the past few years, triggered by events such as the taper tantrum, normalisation of interest rates in the US, transition to a more market-based exchange rate system for the Chinese currency, and just days ago, the UK’s decision to leave the EU, underscore the fragility of global financial markets. At the same time, tightening financial conditions in the emerging market economies (EMEs) as a result of a stronger US dollar have exposed financial vulnerabilities due to excessive corporate and household borrowings in some EMEs.
7 This means that banks have to continue to update their risk management capabilities to cope with a more uncertain environment. MAS as the financial regulator has also been strengthening our risk surveillance and updating aspects of our regulatory framework. This evening I would like to touch on the following:
- stress test exercises to ensure resilience to emerging risks;
- efforts to enhance cyber security; and
- guidelines to strengthen risk management of outsourcing arrangements.
Singapore Banking System Resilient Under Stress Scenarios
8 As part of its financial stability mandate, MAS conducts an annual industry-wide stress test (IWST) of key financial institutions (FIs) in Singapore. When MAS first started the IWST in 2002, it was on a much smaller scale involving less than a handful of banks and a few test parameters. Today, the IWST exercise involves around 80 financial institutions across the banking, insurance and capital market sectors.
9 The stress test involves a severe adverse scenario incorporating significant weakening of the external economic environment spilling over to Singapore. The stress scenario includes
- the US, Eurozone, Japan and several emerging Asia economies slipping into recession and China’s economic growth falling below 3%;
- sharp depreciation in regional currencies and halving of commodity prices;
- severe and protracted recession in Singapore with unemployment spiking to historical highs and a large correction in the property market.
10 Overall, the results indicate that our banking system remains resilient under such a stress scenario. Non-performing loans would increase but still remain below the peaks seen during the Asian Financial Crisis. Under the prescribed stress scenario, the banks also continue to meet Basel regulatory requirements comfortably and would still have sufficient capital and liquidity to cover potential loan losses and cash outflows.
- The local banks and foreign bank subsidiaries have strong capital buffers, with their total capital adequacy ratios north of 15%, versus MAS’ regulatory requirement of 10%. In addition, the local banks’ all-currency liquidity coverage ratio (LCR) are already above 100%, well ahead of Basel’s implementation timeline of 1 January 2019.
11 However, we should not be complacent. Banks should continue to improve risk management processes, and watch out for risks arising from new and emerging trends such as persistently low interest rates, increasing interconnectedness between financial institutions and markets, and the growing use of sophisticated technology.
12 Stress tests will become an increasingly important and integral part of risk management in the financial sector.
- For individual participating banks, the results facilitate discussions with MAS on their resilience to plausible adverse scenarios, planned responses, and actions to mitigate risk management gaps identified from the exercise.
- For the banking sector, the stress test results help to identify common vulnerabilities across FIs, such as exposures to a particular sector or country. This helps banks enhance their risk mitigating responses.
13 To make the exercise more useful, MAS encourages banks to compare the IWST results against their internal stress tests and sensitivity analyses and to assess whether the differences in scenarios and corresponding results reflect particular risk exposures faced by the bank.
14 In addition to prescribed scenarios, MAS has also been working with participating banks to conduct reverse stress tests. This involves banks describing scenarios under which their solvency could come under threat, thereby providing further insights on the risks that could impair the financial system. This allows MAS to assess the sensitivity of the financial system to different stress events and ensure that the banking system remains resilient to severe but relevant stress scenarios.
Strengthening Cyber Resilience
15 Let me move on to cyber security and resilience.
16 Cyber security has emerged as a major priority among financial institutions. As banks increasingly leverage on digital technology platforms to process customer applications and transactions, raise operational efficiency and enhance customer engagement, it is paramount that banks continue to build cyber resilience in order to maintain credibility and customer trust. At the same time, cyber attacks are becoming more frequent, more sophisticated and more brazen.
- Earlier this year, security software company Symantec reported more than 430 million new pieces of malware in 2015 alone, which was an increase by more than a third from 20141. Symantec also discovered a doubling of vulnerabilities in vendor software or zero-day vulnerabilities that could expose computer systems and networks to attacks by hackers.
- A survey by Pricewaterhouse Cooper2 reported that approximately 40% more security incidents were detected than in 2015, compared to the year before. This had prompted respondents to the survey to increase their information security budgets by close to 25% in 2015.
- More recently, millions of dollars were stolen from banks in different countries in a spate of audacious cyber heists, reminding us yet again of the pervasiveness and increasing sophistication of cyber threats.
17 Cyber criminals and hackers often probe for and target the weakest links in the system to gain access to the critical IT assets. Within an FI, the weak links could also manifest in the carelessness or lack of cyber-security awareness by individuals or lax processes, on top of vulnerabilities in adopted technology systems.
18 Banks therefore need to take a holistic approach to address cyber risk. A system of cyber-intelligence exchange to identify potential vulnerabilities and frequent testing of the robustness of cyber defences are key to this effort.
19 MAS has been working closely with the ABS in both of these areas. The ABS Standing Committee on Cyber Security (ABS SCCS) was created to raise overall cyber awareness, to share cyber intelligence and build resilience among financial instutitions.
20 Some of the recent initiatives which MAS has collaborated closely with the ABS SCCS include:
- ABS Penetration Testing Guidelines. These set out the industry best practices for the conduct of penetration testing. The results of members’ penetration tests have been shared with the ABS SCCS members to engender collective learning.
- Cyber intelligence and information sharing through various channels, such as the global Financial Services Information Sharing and Analysis Centre. Given the interconnectedness of the financial eco-system, such information sharing is critical.
Enhacing Risk Management in Outsourcing Arrangements
21 The third topic is Risk Management of Outsourcing Arrangements. Banks have entered into arrangements with third party service providers or other entities within banking group to perform certain operations or process transactions. These include information systems hosting, applications processing and other middle and back office operations. These outsourcing arrangements can bring cost reductions and productivity benefits. However, they may also expose the bank to reputational, compliance and operational risks. For instance, the service provider might fail to deliver the contracted service, experience security breaches, or fall short of the legal and regulatory standards that the bank is required to comply with for these operations.
22 MAS issued a set of Outsourcing Guidelines in 2004 to promote sound risk management practices among financial institutions for their outsourcing arrangements. The key guiding principle is that MAS expects banks to manage outsourcing arrangements as if the services continue to be conducted in-house.
23 MAS has consulted the industry on the revision of the guidelines. Let me highlight some of the key changes.
- First, the Guidelines will set out MAS' expectations on the use of cloud computing services by FIs. MAS recognises cloud services can offer various benefits such as scalability and advanced functionalities, and is amenable to banks leveraging on cloud services to fulfil their business and operational needs. MAS expects banks to ensure that their risk management measures are commensurate with the nature, scope and complexity of the cloud deployment models that they adopt.
- Second, there will be a greater emphasis on safeguarding customer information. MAS views seriously the responsibility of banks to safeguard the integrity and security of customer information held by the bank and its service providers. To enhance the protection of critical customer information, outsourcing arrangements involving certain customer information will be subject to a higher standard of care.
- Third, a greater focus on FIs’ outsourcing risk management framework. FIs were previously expected to pre-notify MAS of any material outsourcing arrangements, and MAS would impose prudential requirements on the FI, where necessary. With the growing prevalence and complexity of outsourcing arrangements, such a case-by-case approach has become less tenable. Instead, MAS will continue to assess and monitor the robustness of FIs’ outsourcing risk management frameworks while FIs will continue to be responsible for ensuring the safety of all of their outsourcing arrangements. The revised Guidelines will no longer require FIs to pre-notify MAS of any outsourcing arrangements.
24 The Guidelines are not intended to be exhaustive. MAS recognises that the diverse range of outsourcing arrangements and rapid pace of progress in digital technology preclude a prescriptive approach to risk management practices for outsourcing or a one-size-fits-all set of rules. MAS will adopt a risk-based approach in implementing the guidelines.
Conclusion
25 Let me conclude.
26 A tougher macrcoeconomic environment and growing complexity of operational and technology risks will place greater demand on banks’ risk management and compliance systems. Even as banks continue to upgrade their systems and processes to strengthen their risk resilience, it is equally important that banks regularly test the robustness of their contingency plans and capability to manage tail risk events. I am glad that the industry continues to demonstrate its commitment to sound risk management with your investments in systems, technology and in your people. MAS appreciates your close co-operation to develop and update our risk management guidance, and your active participation in IWST exercises.
Thank you.
1 http://www.csoonline.com/article/3054570/security/symantec-zero-days-doubled-in-2015-more-companies-hiding-breach-data.html2 http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html