“Riding the Waves of Technology Innovation – The Nexus between Payments and Cybersecurity” - Keynote Speech by Mr Tan Yeow Seng, Chief Cyber Security Officer, Monetary Authority of Singapore, at the 2018 Visa Security Summit on 17 May 2018
Ms Ellen Richey, Visa Vice Chairperson & Chief Risk Officer
Mr Joe Cunningham, Visa Chief Risk Officer for Asia Pacific
Ms Mandy Lamb, Visa Group Country Manager for Regional Southeast Asia
Mr Kunal Chatterjee, Visa Country Manager for Singapore
Distinguished guests, ladies and gentlemen,
1 Good morning. It is my pleasure to join you this morning at the VISA Security Summit.
2 Before I touch on payments and cyber security, let me first speak about food, one of the main preoccupations of typical Singaporeans. For the more fortuitous people, we have a constant supply of fresh food all year round, shipped from all corners of the world.
3 This was not the case two centuries ago. In our current world, the availability of fresh food on the table is an everyday miracle made possible by a technology called refrigeration. In the olden times, salt was the key ingredient in food preservation and power gravitated towards those who controlled the production and distribution of salt.
4 During the late Roman Empire, salt was a precious commodity carried along the salt roads into the heartlands of the Germanic tribes.
- Caravans consisting of thousands of camels traversed hundreds of miles of the Sahara bearing salt to in-land markets.
- Trade routes for merchandise naturally ran parallel to the salt roads and this had resulted in the flourishing of settlements along these roads.
- As a result, cities such as Liverpool rose from a small English port to become the prime location for entrepot trade in the 19th century.
5 The dawn of refrigeration in the 1800s changed the way we store and move food.
- Salt became less relevant as a means to preserve food. So there was less need to transport large amounts of salt across cities.
- As salt roads diminished, many other trade routes and distribution channels for merchandise outside the traditional salt roads began to form and multiply.
- Alongside these new routes, new towns and businesses emerged and thrived.
6 In the same vein, modern technology has revolutionized how we store and move money. Technology provides the impetus for the transformation of the financial sector as well as our daily lives as financial services are made more efficient, convenient and accessible to the general masses.
- In this regard, salt barons are akin to banks, and e-payments akin to refrigerators.
- History has a tendency to repeat itself.
7 There are several parallels between the story of salt and evolution of retail payments. Let me share some thoughts on three areas:
- Evolution of retail payments;
- Trust in an e-payment society; and
- Resilience of the e-payment ecosystem.
Evolution of retail payments
8 Firstly, let’s briefly trace the path of retail payment history.
9 Technology has spurred innovations in retail payments.
- Domestic interbank payments in Singapore have come a long way since centralised cheque clearing was first introduced in the 1900s.
- Today, we can transfer funds from one person to another instantly using PayNow without having to know the recipient’s bank account number.
10 In turn, e-payments have significantly changed the way goods and services are delivered.
- In the past, where Blockbuster, Tower Records and Barnes & Noble ruled video, music and books, they also owned the storefronts that allowed them to collect cash, cheque or card.
- But today, the very same services are offered by companies such as Amazon, Spotify, and Netflix. The difference now is that the storefronts are instantly in our palms when we seek them. And this is made possible through e-payments. Without the advent of e-payments, many of these business models would have been untenable.
11 Singapore aspires to be a Smart Nation and MAS seeks to build together with the industry a Smart Financial Centre. This means leveraging on technology and digital transformation to increase efficiency, create opportunities, enhance risk management, and improve people’s lives.
- As we forge forward in the direction of FinTech innovation, we must be cognizant that a smart financial centre has to be built on the foundation of safety and soundness.
- This foundation is essential to maintain trust in e-payments.
12 The take-up of e-payments has been building up fast. The number of card payments in Singapore – both debit and credit – has grown nearly 35% between 2015 and 2017. The volume of card-not-present payments – for example, using payment cards for online purchases – has nearly doubled during this period.
13 With the increasing trend towards mobile payments, it has become all the more important to maintain trust and resilience in e-payments.
- Trust is critical to pervasive adoption, and resilience is critical to long-term confidence. Let me first speak on trust.
Trust in an e-payments society
14 Singapore is an ageing society. We reached a critical inflection point this year – the number of people above 65 is equal to the number of people below 15.
- Many seniors would have spent a major portion of their lives using cash and cheques, and intuitively feel that cash is safer than e-payments. Having used cash all their lives, they would have learned how to keep cash safe.
- The knowledge of safeguarding cash does not apply naturally to cards, and certainly not to mobile payments. There could be fears that cards can be lost and accounts drained; especially so for debit products that are linked to bank accounts.
- These fears are even more pronounced for mobile payments; mobile phones can be hacked, passwords phished, and accounts drained. These concerns are not unjustified, and point towards a lack of trust in e-payments.
15 In a normal relationship, it is often said that trust is a two-way street. In the financial industry however, I would look on it as a three-way street. Users, financial institutions, and the regulator – MAS. All of us have a role to play. Let me begin with MAS’ role.
16 Earlier this year, MAS issued a public consultation on a set of user protection guidelines for users of e-payments.
- We received a broad range of feedback from the financial industry, and are in the process of reviewing and addressing the feedback.
- In order to build trust and encourage wider adoption of e-payments, we intend for the guidelines to set out general standards around the responsibilities of both users and financial institutions.
17 It is important to stress that trust is not simply making financial institutions liable for every loss suffered by a reckless user. It is about being a responsible participant in the payment ecosystem and that includes consumers, financial institutions, and fintech firms.
- While the specifics of the guidelines have not yet been finalised, we would broadly expect that financial institutions provide users with timely transaction notifications, and put in place clear dispute resolution processes in the event of a fraudulent transaction.
- Many financial institutions already do this, but it is important to assure users, especially those who have doubts about the security of e-payments, that there is a minimum safety standard across the industry.
- It is also equally important for users themselves to observe some basic safety hygiene practices.
18 It is unrealistic to expect every e-payments user to be a cyber security expert, or to keep up to date with the latest reports on malware or 0-day attacks. That said, users should keep their passwords safe, update their mobile operating system, and inform their financial institution promptly if their card is lost or they receive an SMS notifying of an unauthorised transaction. If users observe these simple security practices, they will find that e-payments are as safe as cash or even safer!
19 While we review the feedback from the public consultation, I would urge financial institutions in Singapore to take initiatives to deepen the trust with their customers.
- Communicate clearly the circumstances under which you will protect your customer, and the circumstances under which your customer will be considered to have been reckless.
- Give all your customers the peace of mind that they are able to leave home without carrying a stash of cash, and that if they were to lose their payment cards or mobile phones, they can simply revoke these payment instruments by calling their financial institution.
- Educate the customers that, in many ways, the e-wallet or payment card in the phone is much safer than cash in the physical wallet.
- It is impossible to lock one’s physical wallet but one would usually be able to protect his phone or app using various authentication measures.
- There is also the remote wipe function for the lost phone to remove the payment apps and data stored within.
Building a resilient e-payment ecosystem
20 I have spoken on trust, and how it is critical to maintaining confidence in e-payments. I will now speak on building resilience in the payment ecosystem.
21 In October last year, MAS established a Cyber Security Advisory Panel, comprising international cybersecurity thought leaders, to advise MAS on strategies to enhance the cyber resilience of Singapore’s financial sector.
22 I will now outline some of the major cyber security initiatives that MAS has embarked on.
Building a strong sense of solidarity within the financial sector
23 First, we are continuing our efforts to strengthen cyber collaboration through cyber threat information sharing.
24 It is near impossible for financial institutions to combat cyber threats alone in the interconnected and borderless cyberspace.
- The sharing of cyber security information among trusted parties is highly useful.
- One firm’s cyber incident can become every firm’s defence if timely and actionable threat information is shared within the community.
- Such collaboration can build collective situational awareness and communal immunity against similar forms of attacks.
25 Stakeholders in the financial ecosystem need to build a strong sense of solidarity.
- Recognising this, MAS had introduced several initiatives to help build a circle of trust and promote cooperation in the financial industry. These include the partnership with the Financial Services Information Sharing and Analysis Centre (FS-ISAC) to establish its Asia Pacific Regional Analysis Centre in Singapore.
- The Regional Centre, which supports member financial institutions across nine Asia Pacific countries, allows its members to share and receive cyber threat information and other resources tailored for the region.
26 Similar to information sharing between financial institutions, financial regulators stand to gain from sharing cyber threat information as it can enhance their supervision and policy making in respect of cyber risks.
- Regulators can share with their counterparts sanitised yet useful information relating to incidents such as indicators of compromise, attack tools and modus operandi as well as countermeasures to mitigate the risk of future attacks. The information would enable regulators to decide whether to alert their regulated entities so they can be better prepared.
Requiring the Adoption of Strong Cyber Hygiene in Financial Institutions
27 Second, MAS intends to issue a Notice on cyber hygiene which will require financial institutions in Singapore to implement a set of fundamental controls to raise their overall level of cyber resilience.
- Cyber hygiene plays a critical role in protecting financial institutions’ systems, sensitive information and customer data by providing a strong foundation in security.
- Studies have shown that practicing good cyber hygiene can help to prevent a majority of cyber security incidents.
- In coming up with the Notice, MAS will be proposing to require all financial institutions to adopt cyber hygiene practices such as strong authentication, controlled use of administrative privileges and proper patch management.
28 We will also require financial institutions to conduct independent review of their compliance with the Notice. We intend to conduct a public consultation on the Notice soon.
Refreshing the MAS Technology Risk Management Guidelines
29 Third, we are currently reviewing the MAS Technology Risk Management Guidelines to give greater focus on cyber resilience and to incorporate new guidance to keep pace with technological advances and rapidly evolving cyber threats.
- We do this regularly, but this time we are doing it differently. For the first time, MAS is partnering the Association of Banks in Singapore, ABS, to co-create the guidelines. We are developing the cyber risk management guidance with the industry, for the industry.
30 MAS is also partnering ABS to establish guidelines for red-teaming to enhance cyber security testing.
31 To conclude, I would like to highlight that technology innovation is key to our financial sector evolution. Throughout history, there had been waves of technological advancements. The process is often slow and takes many years. But every few decades when the conditions are right, innovation leaps forward. I believe that we are at the cusp of another technological renaissance and the financial industry must be prepared to ride the current wave to fully reap its benefits.
32 In Chinese, there is a saying – 天时 (Tian Shi), 地利 (Di Li), 人和 (Ren He). It means success depends on three elements, the right time, the right place and the right people. Indeed, there is an alignment of these three elements now. The time is ripe now as the technology is mature and our people are ready and willing to embrace technological changes.
33 Thank you and I wish everyone a fruitful session ahead.