Part of a comprehensive analysis of the Financial Services and Markets Act 2022
All Parts in This Series
- PART 1
- PART 2
- PART 3
- PART 4
- PART 5 (this article)
- PART 6
- PART 7
- PART 8
- PART 9
- PART 10
- PART 11
- PART 12
- PART 13
- PART 14
Regulatory Framework for Technology Risk Management in Financial Institutions under Section 29, Financial Services and Markets Act 2022
The Financial Services and Markets Act 2022 (hereinafter "the Act") establishes a comprehensive regulatory framework to ensure the prudent management of technology risks within financial institutions. Section 29 of the Act specifically empowers the Authority to issue directions and make regulations aimed at managing technology-related risks, including cyber security, and safeguarding the integrity and security of financial services and data. This article provides an authoritative analysis of the key provisions under Section 29, their purposes, penalties for non-compliance, and relevant cross-references within the Act.
Key Provisions and Their Purpose
Section 29(1) of the Act grants the Authority broad powers to issue directions or make regulations concerning any financial institution or class of financial institutions. The scope of these powers is explicitly focused on three critical areas:
"The Authority may, from time to time, issue such directions, or make such regulations under section 192, concerning any financial institution or class of financial institutions as the Authority considers necessary for — (a) the management of technology risks, including cyber security risks; (b) the safe and sound use of technology to deliver financial services; and (c) the safe and sound use of technology to protect data." — Section 29(1), Financial Services and Markets Act 2022
The purpose of these provisions is multifold:
- Management of Technology Risks, Including Cyber Security Risks: The financial sector is increasingly reliant on technology, which exposes institutions to various risks such as cyber-attacks, system failures, and data breaches. By empowering the Authority to issue directions on managing these risks, the Act aims to enhance the resilience and security of financial institutions against technological threats.
- Safe and Sound Use of Technology to Deliver Financial Services: Financial services depend heavily on technology platforms for operations, customer interactions, and transactions. Ensuring that technology is used safely and soundly protects the stability of financial markets and maintains public confidence.
- Safe and Sound Use of Technology to Protect Data: Data protection is critical in the financial sector, given the sensitive nature of customer information. This limb lets the Authority direct how financial institutions use technology to protect the data they hold, mitigating the risk of data loss, corruption or unauthorized access.
These provisions exist to address the evolving technological landscape in financial services, where risks can have systemic implications. The Authority’s ability to issue directions and regulations ensures a proactive and adaptive regulatory approach to emerging technology risks.
Absence of Definitions in Section 29
Notably, Section 29 itself does not define the terms it uses, such as "technology risk", "cyber security risk" or "financial institution". Those definitions are either provided elsewhere in the Act (in its interpretation provisions or in subsidiary legislation) or take their ordinary commercial and legal meaning.
The absence of definitions in this section gives the Authority flexibility in interpreting and applying the provisions, so that it can address a broad range of technology risks as they evolve. It also places an onus on financial institutions to keep abreast of the applicable definitions and standards set out in other parts of the Act, in subsidiary legislation and in the directions themselves.
Penalties for Non-Compliance
Section 29(2) sets out stringent penalties for a financial institution that fails to comply with a direction issued to it under subsection (1) or contravenes regulations mentioned in that subsection. The penalties are designed to enforce compliance and deter breaches that could compromise the safety and soundness of financial services technology and data protection.
"A financial institution that fails to comply with a direction issued to the financial institution under subsection (1) or contravenes any regulations mentioned in that subsection shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $1 million and, in the case of a continuing offence, to a further fine of $100,000 for every day or part of a day during which the offence continues after conviction." — Section 29(2), Financial Services and Markets Act 2022
The rationale behind these penalties includes:
- Deterrence: The high maximum fine of $1 million serves as a significant deterrent against non-compliance, reflecting the serious risks posed by technology failures or cyber security breaches.
- Accountability: Financial institutions are held accountable for adhering to regulatory directions, ensuring that they prioritize technology risk management as part of their governance frameworks.
- Continuous Compliance: The further fine of $100,000 for every day or part of a day during which the offence continues after conviction underscores the importance of prompt remediation. A conviction does not end the exposure: an institution that leaves the breach unremedied keeps accruing liability, so ongoing compliance matters as much as the initial response.
These penalties underscore the Authority’s commitment to maintaining a robust regulatory environment that safeguards the financial system’s integrity and protects consumers.
Cross-References to Other Provisions
Section 29(1) explicitly references Section 192 of the Act as the enabling provision for making regulations:
"The Authority may, from time to time, issue such directions, or make such regulations under section 192..." — Section 29(1), Financial Services and Markets Act 2022
Section 29(1) does not itself confer a freestanding power to make regulations; the regulations it refers to are made under section 192, which is accordingly the provision that governs how regulations under the Act are made. Procedural matters such as consultation, publication and commencement belong to that provision and to the general law on subsidiary legislation, not to section 29. This cross-reference ensures that directions and regulations issued under Section 29 are grounded in the broader statutory framework that governs regulatory rule-making.
The existence of this cross-reference serves several purposes:
- Legal Consistency: It ensures that all regulations issued under the Act follow a consistent process, enhancing transparency and legitimacy.
- Checks and Balances: By anchoring regulatory powers to Section 192, the Act provides a mechanism for oversight and accountability in the exercise of the Authority’s powers.
- Clarity for Regulated Entities: Financial institutions can refer to Section 192 to understand the procedural context of regulations affecting them, aiding compliance efforts.
Conclusion
Section 29 of the Financial Services and Markets Act 2022 establishes a critical regulatory mechanism empowering the Authority to manage technology risks within financial institutions effectively. By authorizing the issuance of directions and regulations focused on technology risk management, cyber security, and data protection, the Act addresses the growing challenges posed by technological advancements in the financial sector.
The absence of specific definitions within this section allows for adaptive regulatory responses, while the stringent penalties for non-compliance emphasize the importance of adherence to these regulatory requirements. The cross-reference to Section 192 ensures that the regulatory framework operates within a coherent statutory context, promoting legal certainty and procedural fairness.
Financial institutions must therefore remain vigilant in managing technology risks and comply with any directions or regulations issued under Section 29 to avoid significant penalties and contribute to the overall stability and security of Singapore’s financial system.
Sections Covered in This Analysis
- Section 29(1) – Authority’s power to issue directions and make regulations concerning technology risks
- Section 29(2) – Penalties for non-compliance with directions or regulations
- Section 192 – Enabling provision for making regulations (cross-referenced)
Source Documents
For the authoritative text, consult Singapore Statutes Online (SSO).