Professional Documents
Culture Documents
3D Printing
Access Controls
Act
Administrative controls
Apache Spark
Assets
Availability A
Big Data
Biometrics
Blockchain
Bow-tie Diagram
Capital Adequacy
Cloud Computing
Collaborative Sharing of ML/TF Information and Cases COSMIC
Compliance Risk
Conduct Risk
Consumer Protection
Financial contract FC
Credit Risk CR
Crowdsourcing
Cyber Hygiene
Cyber Resilience
Cybersecurity Act CSA
Data Anonymization
Data Parallelism
Deep Learning
De-Identification
Descriptive Analytics
Detective Controls
Differential Privacy
Digital Identity
Digital Transformation DT
Drones
Ethics
External Audit
Fairness
Financial Institution FI
Financing of Terrorism FT
Foreign Account Tax Compliance Act FATCA
Governance
MAS Guidelines
Heat Map
Homomorphic Encryption
Information Silo
Integrity I
Internal Audit
Internal Controls
K-Anonymity
Legacy IT System
Liquidity
Market Abuse
Market Risk
Materiality
Money Laundering ML
MAS Notices
Nudging
Object Management Group OMG
Operational Risk
Outsourcing Arrangement
Parallel Processing
Personal Data
Platform-as-a-service PaaS
Predictive Analysis
Prescriptive Analysis
Preventive Controls
Privacy
Regulatory Sandbox
Residual Risk
Risk
Risk Acceptance
Risk Management
Risk Mitigation
Risk Transfer
Scenario Analysis
Security-By-Design
Security-by-design Framework
Solvency
Stress Testing
Synthetic Data
Task Parallelism
Tax Avoidance
Tax Compliance
Tax Evasion
Technical Controls
Threats
Transaction Monitor TM
Transparency
Vulnerability
Definition | Lecture/Tutorial No. | Slide/Article Page No.
3D printing is the construction of a 3D object from a digital model by layering
or printing successive layers of materials 9 14
Controls to decide and enforce who can view or use the different information
and computing systems of the organization 3 11
One of the principles for AIDA, which states that there should be clear
responsibility for and ownership of AIDA-driven decisions within an AIDA firm.
Covers 2 key aspects: 1) internal accountability, which is concerned with the
AIDA Firm’s internal governance; and 2) external accountability, which is
concerned with the AIDA Firm’s responsibility to data subjects. Tutorial A8 6
A statutory board under Singapore's Ministry of Finance. ACRA is the regulator
of business registration, financial reporting, public accountants and corporate
service providers. ACRA also acts as a facilitator for the development of business
entities and the public accountancy profession. 3 24
A statute or bill which has been passed by Parliament. These have the force of
the law. e.g., PDPA 6 13
Administrative implementations of controls include procedures/policies e.g.
Separation of duties (SOD) policies 3, 4 8, 5
An open-source standard representation of financial contracts (FCs), which are
the basic building blocks of the financial system. Tutorial A5 3
AI is often seen as a black box system whose inputs and outputs are visible, but
without any knowledge of its internal workings. Hence, it is difficult to explain
how it works. 9 11
Blockchain is a decentralized ledger of all transactions across a peer-to-peer
(P2P) network. It allows participants to transact with each other securely and
transparently without the need for a central authority. 8, 9 23, 12
A bow-tie diagram is a means to assess risk interactions. It combines a fault tree
and an event tree and takes its name from its shape. Fault trees are used for
analyzing events or combinations of events that might lead to a negative event.
Event trees are used for modeling sequences of events arising from a single risk
occurrence. 5 25
One of COBIT process domains, which deals with the definition, acquisition and
implementation of I&T solutions and their integration in business processes. 4 33
Business Process Model and Notation (BPMN) is a standard for business process
modeling that provides graphical notation for representing steps in a business
process e.g., business process for detecting ML Tutorial A3 6
Capital adequacy requirements from regulators (e.g., MAS) ensure the efficiency
and stability of a nation's financial system by lowering the risk of banks
becoming insolvent. Generally, a bank with adequate capital (resources to
absorb possible losses) is considered safe to meet its financial obligations. 3 14
The CSDB is a reference database that contains data on instruments, issuers and
prices for debt securities, equity instruments and investment fund shares
issued worldwide. For instance, more than 13 million of such securities were
covered by the CSDB for the reporting month June 2020. The objective of the
CSDB is to cover all securities relevant for statistical purposes of the European Tutorial A5 4
The Culture and Conduct Steering Group (CCSG) was established in May 2019
to promote sound organizational culture and raise conduct standards among
banks in Singapore. The CCSG comprises members from 14 banks in Singapore 8 13
Customer due diligence (CDD) involves performing background checks and
other screening to verify customers' identity and nature of business
relationship before being onboarded (e.g., opening a bank account). It also
involves monitoring their transactions during the relationship. CDD is at the
heart of Anti-Money Laundering (AML) and Know Your Customer (KYC)
initiatives. 3, 8 32, 12
A fundamental principle by which organizations need to establish routine
measures to minimize the risks from cyber threats. MAS 2019 Notice on Cyber
Hygiene sets out the measures that FIs must take to mitigate the growing risk of
cyber threats 6 29
Organization's ability to ensure IT availability, backup, recoverability, even in
the face of adverse events. 6 29
The Cybersecurity Act of 2018 is a law for the oversight and maintenance of
national cybersecurity in Singapore. Its objectives are to: 1) Strengthen the
protection of Critical Information Infrastructure (CII) against cyber-attacks; 2)
Authorise CSA to prevent and respond to cybersecurity threats and incidents;
3) Establish a framework for sharing cybersecurity information; and 4) Establish
a light-touch licensing framework for cybersecurity service providers 7 31
The process of removing/masking personally identifiable information from data
sets, so that the people whom the data describes remain anonymous. The
purpose is for privacy protection. Common methods include k-anonymity and
differential privacy Tutorial A6 2
Rather than splitting the tasks, this kind of parallelism splits the data and
distributes it among the compute nodes in the computer cluster. This is a type
of parallel processing Tutorial A5 14
Tools that enable organisations to generate basic data protection template
notices to inform stakeholders how their personal data is being managed. 7 19
A DPO ensures, in an independent manner, that an organization applies the
laws protecting individuals' personal data. As per PDPA, each organization
must designate at least one DPO 7 8
One of the 2 main provisions of PDPA. Private organizations have 10 main
obligations with respect to individuals' personal data, i.e., consent, purpose
limitation, notification, access and correction, accuracy, protection, retention
limitation, transfer limitation, data breach, accountability 7 12
A voluntary enterprise-wide certification awarded to organisations that
demonstrate accountable data protection practices. Checked by an IMDA
approved assessment body 7 20
Processes used to prevent people's identity from being revealed. For example,
data from individuals could be deidentified using data anonymization
methods, such as k-anonymity, in order to comply with privacy laws. Tutorial A6 6
One of COBIT process domains, which addresses the operational delivery and
support of IT services, including security. 4 33
A common form of data analysis where historical data is analyzed to produce
summary statistics (e.g., averages) that describe or visualize what happened 9 11
Controls used to identify/discover/record the problem after a negative event
has happened, e.g., Intrusion Detection System (IDS), audit 3, 4 8, 5
A method to add calculated noise to the data before release, thus producing a
synthetic dataset. This differential privacy protected data can then be used by
companies for statistical and machine learning tasks. Tutorial A6 9
A digital identity is a unique identifier to verify a person in the digital space,
e.g., Singpass, digital signature. Unlike physical identifiers, e.g., passport, IC 8 21
Digital transformation is the process of using digital technologies to create new
— or modify existing — business processes, culture, and customer experiences
to meet changing business and market requirements. This reimagining of
business in the digital age is digital transformation. 9 7
One of the 2 main provisions of PDPA. Consumers who do not wish to receive
telemarketing messages via phone call, SMS or fax, can register their Singapore
telephone numbers in the DNC Registry. Organisations must check with the
DNC Registry to ensure that the Singapore telephone numbers that they are
sending telemarketing messages to, are not listed in the Registry 7 13
Drones are unmanned aerial vehicles, which can be equipped with a ground-
based controller and on-board cameras. Can be used for aiding compliance in
construction monitoring, shipping, stocktaking, maintenance. Drones in turn
need to be regulated 9 9
End-user computing (EUC) refers to systems in which non-programmers can
create working applications. 9 10
A method for risk prioritization. Risks are plotted on a heat map (where colors
are used to indicate different levels of risk) to perform an initial prioritization. 5 27
Homomorphic encryption is a form of encryption that permits users to
perform computations on the encrypted data without first decrypting it. Tutorial A6 7
IMDA is a statutory board under the Singapore Ministry of Communications
and Information (MCI), whose main functions are to develop and regulate the
converging infocomm and media industry sectors Tutorial A8 6
Information silos occur when business units keep information within their unit
e.g., siloed databases. The lack of information sharing among silos prevents the
organization from having (and using) an integrated view of the information e.g.,
for risk assessment. Tutorial A1 4
An international professional association focused on IT governance, control,
risk, security, audit/assurance. Developed standards such as COBIT and helps
build the skills of cybersecurity professionals. 2 25
An industry framework designed to standardize the selection, planning,
delivery, maintenance, and overall lifecycle of IT (information technology)
services within a business 1 31
IaaS is a type of cloud computing service where the vendor provides essential
compute, storage, and networking resources on demand, on a pay-as-you-go
basis 6 11, 16
ISCA is the national professional body for accountants in Singapore. It aims to
develop, support and enhance the integrity, status and interests of the
accountancy profession in Singapore. 3 24
Preventing unauthorised modification or deletion of information. A related
term, data integrity refers to the maintenance of data accuracy and consistency
over its entire life-cycle and is a critical aspect for design, implementation, and
use of systems that store, process, or retrieve data. 3, Tutorial A7 12, 10
Internal audits involve audit staff/dept. of the business evaluating its internal
controls, including its corporate governance and accounting processes. These
audits help to ensure compliance with laws/regulations and maintaining
accurate/ timely financial reporting and data collection. 4 11
Policies, procedures and processes (include tools, techniques, physical
measures) established by the board and senior management for: 1) reasonable
assurance on the safety, effectiveness and efficiency of the company’s
operations, 2) their reliability of financial and managerial reporting, and 3)
their compliance with regulatory requirements. 3, 4 7, 6
The Personal Data Protection Act is a law in Singapore that governs the
collection, use and disclosure of individuals’ personal data by private
organizations. It contains 2 main sets of provisions, which organisations must
comply with: 1) Data protection, and 2) Do Not Call registry 7 6
PDPC is established under PDPA with 2 main functions: 1) to promote
awareness of data protection in Singapore, and 2) administering and enforcing
the PDPA. 7 8
Physical implementations of controls e.g., security guards and locked doors. 3, 4 8, 5
A type of cloud computing where the service provider offers access to a cloud-
based environment/platform in which users can build and deliver applications. 6 16
In financial regulation, a politically exposed person (PEP) is one who has been
entrusted with a prominent public function e.g., a minister. A PEP generally
presents a higher risk for potential involvement in bribery and corruption, by
virtue of their position and the influence that they may hold. Tutorial A7 8
Predictive analytics includes a variety of statistical techniques that analyze
current and historical facts to make predictions about future states or events
e.g., future sales 9 11
Prescriptive analytics is the process of using data to determine a future course
of action. Prescriptive analytics extends beyond predictive analytics by
suggesting the actions necessary to achieve predicted outcomes. 9 11
Controls put in place to avert/stop a negative event from occurring e.g., guard,
firewall 3, 4 8, 5
The expectation that confidential personal information shared will not be
disclosed to third parties without consent. Broadly refers to having control
over the sharing and use of one's personal data 7 6
Quasi-identifiers are pieces of information that are not by themselves unique
identifiers of people, but are sufficiently well correlated that they can be
combined with other quasi-identifiers to create a unique identifier of the
person. e.g., gender, age, residential area Tutorial A6 5
Controls put in place to correct the problem after it has been detected, which
is why they are sometimes called corrective controls 3, 4 8, 5
Computing technology used to enhance regulatory and compliance processes.
Comprises Comptech and Suptech 1, 8 32, 6
A framework that enables firms to experiment with innovative products or
services in a live environment but within a well-defined space and duration.
Regulatory support is provided by relaxing specific requirements (e.g., capital
adequacy) in that period. The sandbox will include appropriate safeguards to
contain any consequences of failure. e.g., MAS Fintech Sandbox 9 18
The residual risk is the amount of risk remaining after the natural risk of a
negative event has been reduced by internal controls. 5 35
The probability that an event will occur that has negative consequences, e.g.,
data breach. For a negative event occurring when a threat (e.g., cybercriminal)
harms an asset (e.g., customer database) by exploiting a vulnerability (e.g.,
weak protection of the database), risk is computed by multiplying the asset
value, threat, and vulnerability 5 6
If the financial value of a risk is smaller than the cost of mitigating or
transferring it, the most reasonable option is to accept the risk. This means
doing nothing in response to the risk 5 29
A risk interaction map is the simplest form of graphical representation of risks,
in which the same list of risks form the x and y axes. Risk interactions are then
indicated by an X or other qualitative indicator. 5 24
A framework for organizations to deal with and react to uncertainty by
identifying, assessing, prioritizing, handling, and monitoring the areas of the
business exposed to risks 2 6
This is a risk response approach where an attempt is made to reduce the risk by
applying appropriate controls. Cost-benefit analysis is undertaken to assess
whether the controls are worth putting in place 5 29
When a risk has a significant financial value, it could be appropriate to transfer
the risk rather than accept it. In this approach, some or all aspects of a risk are
transferred to another party via insurance or via contractual obligations (e.g.,
outsourcing) 5 30
RPA software is a powerful tool to perform manual, time-consuming, rules-
based office tasks that can save time and costs. RPA replicates end user
activities, typically through a Graphical User Interface (GUI) that sits on top of
other front-end and back-end applications. 9 10
SOX was enacted in the US in response to major corporate accounting scandals,
such as Enron. It aims to protect investors by making the board and senior
management accountable/punishable for the accuracy of the company's
financial statements. Requires more oversight by external auditors 3 15
Scenario analysis is used as a quantitative risk assessment method. It involves
defining one or more risk scenarios, detailing the key assumptions (conditions
or drivers) that determine the severity of impact, and estimating the impact on
a key objective. 5 21
An information security operations center is a facility where enterprise
information systems (web sites, applications, databases, data centers and
servers, networks, desktops and other endpoints) are monitored, assessed, and
defended. It is sometimes outsourced to a third party 7 32
A software engineering term, which means that software products and
capabilities have been designed to be secure. 6 34
An SDLC approach which addresses cyber protection considerations
throughout a system’s lifecycle. It is one of the key components of the
Cybersecurity Code of Practice for Critical Information Infrastructure (CII) in
Singapore 7 34
SBVR - a standard of the Object Management Group (OMG) - is a structured
natural language to describe business rules, such that the information can be
shared across businesses and applications. SBVR has been used to interpret and
represent compliance requirements (e.g., for AML), such that they can be
verified against the related business processes. Tutorial A3 2
Separation of duties implies assigning different people to complete different
parts of key accounting and other tasks. It is an administrative control intended
to prevent errors or fraud, by ensuring that no single employee carries out the
task (e.g., claims processing) whereby he or she can both create and hide errors
or fraud 4 5
A service-level agreement (SLA) is a contract between a service provider and a
client. Particular aspects of the service – quality, availability, responsibilities –
are agreed between the service provider and the client. Tutorial A2 15
Small and medium-sized enterprises (SMEs) or small and medium-sized
businesses (SMBs) are businesses whose employee numbers fall below certain
limits. The Singapore definition of an SME is a company that has annual turnover
of less than $100 million and also employs less than 200 workers. Tutorial A6 1
A member-owned cooperative providing secure messaging for international
transfers of money between participating banks. 8 11
Controls that a company uses to document, identify, and authorize changes to
its software systems. They reduce the chances of unauthorized alterations,
disruption and errors in the systems. 3 11
The systematic steps for software development that include planning, analysis,
design, development, testing, implementation, and maintenance. 7, 9 34, 10
A type of cloud computing where the service provider delivers software and
applications through the internet. Users subscribe to the software and access it
via the web or vendor APIs. 6 16
The degree to which the current assets of an individual or business entity
exceed the current liabilities of that individual or entity. 6, Tutorial A5 18, 8
Stress testing is a computer-simulated technique to analyze how banks and
investment portfolios fare in drastic economic scenarios. Stress testing helps
gauge investment risk and the adequacy of assets, as well as helps to evaluate
internal processes and controls. 8, Tutorial A2, A5 10
A subject-matter expert (SME) is a person who is an authority in a particular
area or topic. e.g., legal or business expert Tutorial A3 2
Computing technology for regulators to supervise/monitor organizations'
compliance with laws/rules e.g., MAS uses digitized reporting 1, 8 32, 6
STR is a report made by a financial institution to the Suspicious Transaction
Report Office about suspicious or potentially suspicious transactions e.g.,
suspected ML, TF, and other serious financial crimes. Tutorial A7 14
Synthetic data is any data produced artificially, that is not obtained by direct
measurement. Tutorial A6 10
One of the Parallel Computing paradigms. This approach splits a task into
subtasks and executes each subtask on a different compute node of the
computer cluster. This allows greater efficiency of computation for large
datasets and/or complex tasks Tutorial A5 14
Tax avoidance is any legal method used by a taxpayer to minimize the amount
of income tax owed. Opposite of tax compliance Tutorial A2 9
Policy actions and individual behaviour aimed at ensuring that taxpayers are
paying the right amount of tax at the right time and securing the correct tax
allowances and tax reliefs. Tutorial A2 9
Tax evasion is the illegal non-payment or under-payment of taxes, usually by
deliberately making a false declaration or no declaration to tax authorities e.g.,
IRAS. Differs from tax avoidance, which is legal 3 14
Technical implementations of controls are tools and software that logically
enforce controls, e.g. passwords 3, 4 8, 5
MAS set out technology risk management principles and best practices for the
financial sector, to guide FIs in the following: a) Establish Sound and Robust
Technology Risk Governance and Oversight; and b) Maintain Cyber Resilience 6 31
IIF is the global association for the financial industry. Its mission is to support
the industry in the management of risks; to develop sound industry practices;
and to advocate for regulatory, financial and economic policies that are in the
interests of its members and foster global financial stability and sustainable
economic growth. This includes reports on the use of regtech in this industry. Tutorial A2 1
IoT describes physical objects embedded with sensors, software, connectivity,
and computing ability. This allows them to collect, act on and exchange data
with other devices and systems over the Internet or other communications
networks. e.g., traffic rules violation cameras 9 14
A potential event, e.g., cyberattack, that, if realized, would cause an undesirable
impact. Threat is calculated by multiplying exposure factor (the extent it
damages the asset) by the likelihood of occurrence of the threat. 5 19
A well-established model for organizational risk governance by having 3 lines of
defence against risk: Line 1 - business units (functions that own and manage
risks); Line 2 - independent compliance and risk management functions; and
Line 3 - an independent audit function. 2 18
The absence of a “common language” in the financial industry, and the
existence of heterogeneous terms and concepts to describe similar business
objects, processes, and products. Tutorial A1 2
TM is a key control in FI's AML and CFT procedures. An effective TM system
enables FIs to detect and assess whether customers’ transactions pose
suspicion. TM systems also facilitate the holistic reviews of customer
transactions over periods of time, in order to monitor for any unusual or
suspicious trends, patterns or activities Tutorial A7 3
One of the principles for AIDA. It includes the disclosure of use of AIDA to data
subjects, clear explanations on what data is used to make AIDA-driven decisions
about the data subject, and how the data affects the decision. Tutorial A8 6
An authentication method in which a user is granted access only after
successfully presenting 2 pieces of evidence (or factors) e.g., password and
fingerprint. 7 27
Unified Compliance is the integration of processes and tools to aggregate and
harmonize all compliance requirements applicable to an organization. It
involves extracting mandates from laws/notices, mapping them to common
controls accurately, and standardizing audit of the controls. 3 37
Defined as the absence or weakness of controls protecting a particular asset
e.g., lack of strong password 5 19
External Source (if any) | External Link
https://www.acra.gov.sg/
https://www.bis.org/bcbs/index.htm?m=2625
https://www.bis.org/publ/bcbs113.htm
https://www.bis.org/bcbs/publ/d328.htm
https://www.bpmn.org/
https://www.bundesbank.de/en/bundesbank/research/rdsc/research-data/csdb-769890
https://abs.org.sg/docs/library/abs-cloud-computing-implementation-guide.pdf
https://www.mas.gov.sg/news/media-releases/2021/mas-and-financial-industry-to-use-new-digital-platform-to-fight-money-laundering
https://www.coso.org/Pages/default.aspx
https://www.mas.gov.sg/publications/monographs-or-information-paper/2020/information-paper-on-culture-and-conduct-practices-of-financial-institutions
https://www.isaca.org/resources/cobit
https://abs.org.sg/industry-guidelines/culture-and-conduct-steering-group
https://www.mas.gov.sg/regulation/notices/notice-655
https://sso.agc.gov.sg/Acts-Supp/9-2018/
https://apps.pdpc.gov.sg/dp-notice-generator
https://www.dnc.gov.sg/index.html
https://www.coso.org/pages/erm.aspx
https://www.xbrl.org/
https://www.fatf-gafi.org/
https://www.fca.org.uk/
https://www.fincen.gov/
https://spec.edmcouncil.org/fibo/
https://github.com/GRCTC/FIRO
https://www.iras.gov.sg/taxes/international-tax/foreign-account-tax-compliance-act-(fatca)/fatca-overview-and-latest-developments
https://www.bis.org/bcbs/gsib/
https://www.isaca.org/
https://wiki.en.it-processmaps.com/index.php/Main_Page
https://isca.org.sg/
https://www.iso.org/home.html
https://www.mas.gov.sg/
https://abs.org.sg/docs/library/abs-cloud-computing-implementation-guide.pdf
https://abs.org.sg/docs/library/abs-cloud-computing-implementation-guide.pdf
https://www.nist.gov/cyberframework
https://apps.pdpc.gov.sg/resources/pato
https://www.mas.gov.sg/development/fintech/regulatory-sandbox
https://www.omg.org/spec/SBVR/1.5/About-SBVR/
https://www.swift.com/
https://www.iif.com/