BNM is Raising the Stakes: Inside the 2024 RMiT Exposure Draft
In last week’s newsletter, I shared my thoughts on Section 8 of BNM’s latest RMiT Exposure Draft (ED) 2024, focusing on the evolving role of the board in managing technology and cyber risks. The feedback was overwhelming (thank you!) - many of you DM-ed me to discuss further.
I barely scratched the surface in my last post.
So, this week, I’m diving deeper. I’ve combed through the ED to analyze the key differences between the June 2023 RMiT policy and this new ED. Before we begin, let me add a caveat: this is my interpretation of the draft. I could be wrong, and I welcome feedback. The idea is to spark collaboration and surface insights together. Let’s get into it.
1. Applicability: Expanding the Net
The June 2023 version of RMiT was applicable to eight types of financial institutions—your usual suspects: licensed banks, insurers, takaful operators, and so on.
The 2024 ED expands the scope to include non-bank merchant acquirers and intermediary remittance institutions. Why? Because these non-bank entities are becoming increasingly critical players in the financial ecosystem. Think about how many transactions flow through these players. These entities are equally vulnerable to cyber threats, and their inclusion ensures a consistent baseline of risk management across the sector.
2. Uniform Standards: Goodbye, LFI Distinction
One of the most interesting moves in the ED is the removal of the Large Financial Institution (LFI) classification. In the 2023 policy, LFIs had more stringent requirements than smaller institutions.
That distinction is gone. Now, all FIs—big or small—must adhere to the same high standards.
This change raises the bar for non-LFIs, who may struggle with the increased compliance burden. BNM has asked for feedback on potential challenges, costs, and timelines for implementation. But let’s be clear: this move aims to elevate the cybersecurity and technology resilience posture of the entire financial sector.
3. Cybersecurity: The Heart of the ED
If I had to sum up this ED in one word, it would be cybersecurity. The 2024 ED doubles down on cyber resilience with new sections and requirements.
Cyber Supply Chain Risks: Institutions must now address risks from third-party vendors. Given the high-profile supply chain attacks in the recent past (think SolarWinds, Kaseya), this is a critical addition.
Independent Compromise Assessments and Red Team Exercises: Every three years (currently annually for LFIs only), FIs must conduct independent assessments of their critical systems. This ensures vulnerabilities are identified and addressed proactively.
Other key additions:
Open-source Software Security: Policies to manage risks associated with open-source tools, which are often overlooked but widely used.
Shadow IT: The silent killer in many organizations. Institutions must now actively identify and mitigate risks from unauthorized IT systems and applications.
Tamper-proof Backups and Isolated Recovery: A direct response to ransomware threats, ensuring that backups are both secure and recoverable.
Crowdsourced Security Testing: FIs are encouraged to implement vulnerability disclosure programs (VDP) or bug-bounty programs or something along those lines. This is expected to serve as a valuable complement to traditional security assessments.
4. Digital Fraud Management: A Rising Priority
With digital fraud becoming more sophisticated, the ED introduces a dedicated section on Digital Fraud Management and Customer Awareness.
FIs are expected to:
Enhance fraud detection capabilities by leveraging advanced analytics and machine learning.
Educate customers on emerging fraud techniques and how to spot them.
Verify the authenticity of communications sent through SMS, email, or any other channel FIs use.
BNM is signaling that fraud management isn’t just an operational issue; it’s a strategic priority. The goal is to protect customer trust, which, as I always say, is the currency of the digital age.
5. Emerging Technologies: Balancing Innovation and Risk
Emerging technologies are exciting but come with their own set of risks. The ED introduces specific guidance on managing these, which I suppose would include technologies such as AI, blockchain, quantum computing, and 5G networks (none of these are explicitly named in the ED).
FIs must:
Disclose the use of these technologies to users and explain potential risks.
Implement robust testing and risk mitigation strategies before deployment.
Continuously monitor performance and security post-deployment.
This is crucial. While these technologies offer significant advantages, they can also introduce unintended consequences if not managed carefully.
6. Updated Appendices: Practical Guidance
The ED doesn’t just outline what FIs need to do; it provides detailed guidance in its appendices. Key updates include:
Appendix 6: Criteria for notifying BNM about significant IT changes.
Appendix 7: Updated formats for risk assessment reports.
Appendix 8: Enhanced guidance on managing third-party risks.
Appendix 10: Best practices for cloud services, reflecting the increasing reliance on cloud infrastructure.
These updates provide practical, actionable steps for compliance.
Final Thoughts
The RMiT Exposure Draft 2024 is a comprehensive blueprint for a resilient financial ecosystem. From tightening cybersecurity measures to managing emerging tech risks, BNM is raising the bar.
For FIs, the message is clear: cybersecurity and resilience are non-negotiable. The road ahead won’t be easy, but it’s a necessary journey to safeguard the future of our financial system.
Let’s keep the conversation going. What do you think of these changes? Are we moving in the right direction, or do you foresee challenges in implementation?
Final Final Thoughts
The ED proposes an immediate effective date for most FIs once the final document is issued. But non-bank merchant acquirers and intermediary remittance institutions will get a one-year grace period. Moreover, BNM acknowledges that some requirements—especially the more complex ones—might need longer timelines.
The ED emphasizes the importance of industry feedback. BNM is actively seeking input on:
Implementation challenges and timelines.
Cost implications for new requirements.
Potential impact on business operations.
BNM is inviting feedback on what’s feasible and what’s not. If you think certain requirements will be hard to meet within the proposed timeline, now’s the time to speak up!
This collaborative approach is important; it ensures the final policy will be both robust and practical, balancing security needs with business realities.
Cheers,
Sivanathan