Singapore banks step up their game against internal fraud

Firms respond to MAS warnings about the dangers of remote working spurred by Covid
Monetary Authority of Singapore

Singapore’s banks are responding to prompts from their governing authority to beef up defences against internal fraud, since remote working – a necessity sparked by the pandemic – has increased the risk of staff misconduct.

The Monetary Authority of Singapore (MAS) warned in March of the increased risks created by remote working, including lack of physical oversight, circumventing controls, collusion with insiders or external parties and inappropriate communications with customers.

“It sets the bar quite high,” said John Keogan, head of internal fraud at Standard Chartered, during a recent Risk.net webinar on insider fraud. “There has been an uptick in awareness around breaches of controls. The world isn’t going to go back to the way it was, and people will be working in environments which can’t be controlled.”

While Singaporean financial institutions have policies in place to make sure that trading data is being properly captured in line with regulations, without the ability to monitor people at home, they have no way to ensure these guidelines are being followed.

Traditional business continuity plans (BCPs) for trading floors involved having a second trading floor somewhere else in case the primary site wasn’t working, says Chris Fordham, managing director at Alvarez & Marsal’s disputes and investigations team in Hong Kong.

“Organisations wouldn’t necessarily have had a BCP where everyone was suddenly working from home. If you weren’t on the trading floor, you weren’t trading. That would have been the concept previously,” he adds.

The MAS’s March paper sends a clear message to banks that they need to do a better job of managing controls over remote working environments. It recommends banks conduct periodic reviews of remote access activities – especially for staff in higher-risk functions, such as trading and client investment advisory – to identify any suspicious incidents and trends. It also recommends enhanced surveillance of trades, to ensure they were transacted in accordance with established procedures, and monitoring of keystroke logging.

Organisations will need to evaluate what the right balance is and what culture they want to have. Do they want to have a more controlled… or a more collaborative kind of culture?

John Lee, Maybank

“The recommendations… are trying to encourage organisations to move in the right direction,” says John Lee, Singapore chief executive of Maybank. “Organisations will need to evaluate what the right balance is and what culture they want to have. Do they want to have a more controlled… or a more collaborative kind of culture?”

Banks were already struggling with addressing and measuring risk culture, but Covid has accelerated the need to assess areas where they might need to improve, says Alvarez & Marsal’s Fordham.

“Organisations find it very difficult to measure culture because it’s a concept: it’s not something you can easily score,” he says. “Now, it’s even more important to be able to measure it if they are to reduce opportunities to commit fraud – especially when the economic environment is under stress.”

Remote interest

Many firms are at a critical juncture in determining how and to what extent people should be permitted to work remotely. Whereas offices provide a controlled environment in which access to parts of the business is restricted, and controls are placed around technology access, increased remote working has blurred some of these lines.

Firms are now under pressure to consider changes to the controlled environments they enacted during the crisis, and are working through which jobs are suited to working remotely, and what is needed to support them. The technology support and risk management framework required will inevitably depend on the individual employee’s role.

Maybank says it is investing in technology to create a ‘working bubble’ at home, which allows employees to access certain systems – with security protocols in place to govern access to email or copying a document from a personal device to a work device. For some firms, this this will entail a significant upgrade in technology.

“If you have older systems, introducing some of these practices can be harder,” says Maybank’s Lee. “I think it is probably safe to say that all banks and financial institutions are now looking at this to an extent. I don’t think anyone is able to say at the moment: ‘Yes, we are fully prepared for this.’”

This article first appeared in Central Banking sister title Risk.net.

  • LinkedIn  
  • Save this article
  • Print this page  

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact [email protected] or view our subscription options here: http://subscriptions.centralbanking.com/subscribe

You are currently unable to copy this content. Please contact [email protected] to find out more.

You need to sign in to use this feature. If you don’t have a Central Banking account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: