Regulations for E-wallets

What types of technology and cyber security risk management measures should a provider of e-wallets and e-money issuance services take note of?

A person providing e-wallets and e-money issuance services under the Payment Services Act 2019 should, among other things, take note of the technology and cyber security risks mitigation measures prescribed by MAS.

The MAS Notice on Cyber Hygiene (PSN06) sets out a set of essential cyber security practices that a person providing e-wallets and e-money issuance services must put in place to manage cyber threats. The Notice covers requirements on securing administrative accounts, applying security patching, establishing baseline security standards, deploying network security devices, implementing anti-malware measures and strengthening user authentication. Failure to comply with the requirements set out in the MAS Notice attracts a fine.

In addition, a person providing e-wallets and e-money issuance services should take note of the MAS Technology Risk Management Guidelines that provide guidance on best practices for the management of technology risk. The Guidelines provide that the board of directors and senior management of an FI plays an important role in ensuring the establishment of a sound and robust technology risk management framework and FIs should adopt a defence-in-depth approach to strengthening cyber resilience with particular focus on ensuring adequate policies are implemented to safeguard information assets and a comprehensive IT security awareness training programme is established for all staff. Notably, the Guidelines provide that in delivering online financial and payment services, an FI should implement security and control measures which are commensurate with the risk involved to ensure the security of data and online services. An FI offering online financial services access via a mobile device should be aware of the risks unique to mobile applications. Guidance on Mobile Application Security is provided in the Guidelines.

For a summary of some recent changes made to the Guidelines in January 2021, please click here to read Rajah & Tann publication titled “2021 Technology Risk Management Guidelines: Enhanced Requirements on Financial Institutions Concerning Technology Risk Governance and Security Controls”.