
Term Abbreviation

3D Printing

Access Controls

Accountability (in FEAT)

Accounting and Corporate Regulatory Authority ACRA

Act

Administrative controls

Algorithmic Contract Types Unified Standard ACTUS

Align, Plan and Organize APO

Anti-Money Laundering AML

Apache Spark

Application Programming Interface API

Artificial Intelligence and Data Analytics AIDA

Assets

Augmented Reality and Virtual Reality AR and VR

Availability A

Backups and Disaster-Recovery Plans


Basel Committee on Banking Supervision BCBS

Basel Committee on Banking Supervision 113 BCBS 113


Basel Committee on Banking Supervision -
d328(2015) BCBS 2015

Big Data

Biometrics

Black Box System

Blockchain

Bow-tie Diagram

Build, Acquire and Implement BAI

Business Process Model and Notation BPMN

Capital Adequacy

Centralized Securities Database CSDB

CGRC, CGEIT, CRISC…


Chief Compliance Officer CCO

Cloud Computing
Collaborative Sharing of ML/TF Information and
Cases COSMIC

Committee of Sponsoring Organizations COSO

Company Code of Conduct


Compliance

Compliance Risk

Compliance Technology Comptech

Organizational/ conduct culture

Conduct Risk

Conduct Risk Diagnostic System CRDS

Conduct Risk Model CRM


Confidentiality C

Confidentiality, Integrity, and Availability CIA Triad

Consumer Protection

Financial contract FC

Control Objectives for Information and Related


Technology COBIT
COSO Internal Controls: Integrated Framework COSO-ICF

Countering the Financing of Terrorism(or Anti-


Financing of Terrorism) CFT/ATF

Credit Risk CR

Critical Information Infrastructure CII

Compliance Request Language CRL

Crowdsourcing

Culture and Conduct Steering Group CCSG

Customer Due Diligence (or Client Due Diligence) CDD

Cyber Hygiene

Cyber Resilience
Cybersecurity Act CSA

Data Anonymization

Data Parallelism

Data Protection Notice Generator

Data Protection Officer DPO

Data Protection Provisions

Data Protection Trustmark DPTM

Data Residency (or data localization) DR

Deep Learning

De-Identification

Deliver, Service and Support DSS

Descriptive Analytics

Detective Controls
Differential Privacy

Digital Identity

Digital Transformation DT

Do Not Call Registry DNC

Drones

End-User Computing EUC

COSO Enterprise Risk Management (ERM) -


Integrated Framework COSO ERM 2004

COSO Enterprise Risk Management- Integrating with


Strategy and Performance COSO ERM 2017

Ethics

European System of Central Banks ESCB

European Union General Data Protection Regulation EU GDPR

Evaluate, Direct, and Monitor EDM


Explainable AI

eXtensible Business Reporting Language XBRL

External Audit

Fairness

Fairness, Ethics, Accountability and Transparency MAS FEAT

Federated Learning (or collaborative machine


learning without data sharing)

Financial Action Task Force FATF

Financial Conduct Authority FCA

Financial Crimes Enforcement Network FinCEN

Financial Industry Business Ontology FIBO

Financial Industry Regulatory Ontology FIRO

Financial Institution FI

Financing of Terrorism FT
Foreign Account Tax Compliance Act FATCA

Global Systematially Important Banks G-SIB

Governance

Governance, Risk Management, Compliance GRC

Gramm-Leach-Bliley Act GLBA

Graphic User Interface GUI

MAS Guidelines

Health Insurance Portability and Accountability Act HIPAA

Heat Map

Homomorphic Encryption

Infocomm Media Development Authority IMDA

Information Silo

Information Systems Audit and Control Association ISACA

Information Technology Infrastructure Library ITIL


Infrastructure-as-a-service IaaS

Institute of Singapore Chartered Accountants ISCA

Integrity I

Internal Audit

Internal Controls

International Bank Account Number IBAN

International Organisation for Standardization ISO

IT General Controls (originally for SOX compliance) ITGC

K-Anonymity

Know Your Customer KYC

Legacy IT System

Legal Entity Identifier LEI

Linear Temporal Logic LTL

Liquidity
Market Abuse

Market Risk

Materiality

Monetary Authority of Singapore MAS

Money Laundering ML

Monte Carlo simulations

Multi-Tier Cloud Security Standard MTCS

Multi-Tier Cloud Security Certification Scheme

National Institute for Standards and Technology NIST

Natural Language Processing NLP

MAS Notices

Nudging
Object Management Group OMG

Operational Risk

Outsourcing Arrangement

Parallel Processing

PDPA Assessment Tool for Organisations PATO

Penetration Test (or Pen Test)

Personal Data

Personal Data Protection Act PDPA

Personal Data Protection Commission PDPC


Physical controls

Platform-as-a-service PaaS

Politically Exposed Person PEP

Predictive Analysis

Prescriptive Analysis

Preventive Controls
Privacy

Quasi identifiers (or Indirect identifiers)

Reactive Controls / Corrective Controls

Regulation Technology RegTech

Regulatory Sandbox

Residual Risk

Risk

Risk Acceptance

Risk Interaction Map

Risk Management

Risk Mitigation

Risk Transfer

Robotic Process Automation RPA


Sarbanes-Oxley Act of 2002 SOX

Scenario Analysis

Security Operations Centre

Security-By-Design

Security-by-design Framework

Semantics of Business Vocabulary and Business Rules SBVR

Seperation of Duties (or Segregation of Duties) SOD

Service Level Agreements SLA

Small and Medium-sized Enterprises SMEs


Society for Worldwide Interbank Financial
Telecommunications SWIFT

Software Change Controls

Software Development Life Cycle SDLC


Software-as-a-service SaaS

Solvency

Stress Testing

Subject-matter Expert SME

Supervisory Technology Suptech

Suspicious Transaction Report STR

Synthetic Data

Task Parallelism

Tax Avoidance

Tax Compliance

Tax Evasion

Technical Controls

MAS Technology Risk Management Guidelines TRM

The Institute of International Finance IIF


The Internet of Things IoT

Threats

Three lines of defence 3 LoD

Tower of Babel ToB

Transaction Monitor TM

Transparency

Two-Factor Authentication 2FA

Unified Compliance Framework UCF

Vulnerability
Lecture/ Tutorial Slide/
Definition Article No. Page No.
3D printing is the construction of a 3D object from a digital model by layering
or printing successive layers of materials 9 14
Controls to decide and enforce who can view or use the different information
and computing systems of the organization 3 11
One of the principles for AIDA, which states that there should be clear
responsibility for and ownership of AIDA-driven decisions within an AIDA firm.
Covers 2 key aspects: 1) internal accountability, which is concerned with the
AIDA Firm’s internal governance; and 2) external accountability, which is
concerned with the AIDA Firm’s responsibility to data subjects. Tutorial A8 6
A statutory board under Singapore's Ministry of Finance. ACRA is the regulator
of business registration, financial reporting, public accountants and corporate
service providers. ACRA also acts as a facilitator for the development of business
entities and the public accountancy profession. 3 24
A statute or bill which has been passed by Parliament. These have the force of
the law. e.g., PDPA 6 13
Administrative implementations of controls include procedures/policies e.g.
Separation of duties (SOD) policies 3, 4 8, 5
An open-source standard representation of financial contracts (FCs), which are
the basic building blocks of the financial system. Tutorial A5 3

One of COBIT process domains, which addresses the overall organization,


strategy and supporting activities for IT. 4 33
Anti money laundering (AML) refers to regulations and procedures aimed at
uncovering ML efforts to disguise illegal funds as legitimate income 3, 8 30, 11
Apache Spark is an open-source unified analytics engine for large-scale data
processing. Spark provides an interface for programming clusters with implicit
data parallelism and fault tolerance. Tutorial A5 4
An application programming interface (API) is a connection between computer
programs. It is a type of software interface, offering a service to other pieces of
software. Tutorial A2 4
AIDA referes to artificial intelligence or data analytics. AI are defined as
technologies that assist or replace human decision-making Tutorial A8 5
Normally represented as a monetary value, assets can be defined as anything of
worth to an organization that can be damaged,compromised,or destroyed by
an accidental or deliberate action. 5 19
AR bridges the digital and physical worlds, providing a digital overly to the
physical world e.g., through Google Glass. VR is a fully computer rendered 3D
immersive experience 9 14

Ensuring that information and associated services are available to authorised


users whenever and wherever required 3 12
Plans to prevent loss of the organization's information and IT infrastructure in
an adverse event, such as disaster, and to restore business IT functions 3 11
An international committee with 45 members, comprising central banks and
regulators from 28 jurisdictions. It sets global standards and guidelines for
banking regulation and cooperation on supervisory matters. 1 20
Provides 10 principles to guide sound practices for compliance in banks. States
specific responsibilities of bank’s board of directors, senior management, and
the compliance function. 2 14
BCBS-d328 (2015) is an update of BCBS 113, providing 13 principles for good
corporate governance of banks 2 15
Refers to high volume, velocity and variety information/data assets that require
cost-effective and innovative forms of processing for gaining better insights and
decision making. 6 5
Biometrics are body measurements and calculations related to human
characteristics. Biometric authentication is a form of identification and access
control e.g., through fingerprints, iris, face recognition 8 22

AI is often seen as a black box system whose inputs and outputs are visible, but
without any knowledge of its internal workings. Hence, difficult to explain how
it works. 9 11
Blockchain is a decentralized ledger of all transactions across a peer-to-peer
(P2P) network. It allows participants to transact with each other securely and
transparently without the need for a central authority. 8, 9 23, 12
A bow-tie diagram is a means to assess risk interactions. It combines a fault tree
and an event tree and takes its name from its shape. Fault trees are used for
analyzing events or combinations of events that might lead to a negative event.
Event trees are used for modeling sequences of events arising from a single risk
occurrence. 5 25

One of COBIT process domains, which deals with the definition, acquisition and
implementation of I&T solutions and their integration in business processes. 4 33

Business Process Model and Notation (BPMN) is a standard for business process
modeling that provides graphical notation for representing steps in a business
process e.g., business process for detecting ML Tutorial A3 6
Capital adequacy requirements from regulators (e.g., MAS) ensure the efficiency
and stability of a nation's financial system by lowering the risk of banks
becoming insolvent. Generally, a bank with adequate capital (resources to
absorb
The CSDBpossible losses) is
is a reference considered
database thatsafe to meet
contains itson
data financial obligations.
instruments, issuers and 3 14
prices for debt securities, equity instruments and investment fund shares
issued worldwide. For instance more than 13 million of such securities were
covered by the CSDB for the reporting month June 2020. The objective of the
CSDB is to cover all securities relevant for statistical purposes of the European Tutorial A5 4

Industry professional certifications for GRC 1 35


The officer primarily responsible for overseeing and managing regulatory
compliance within an organization. Typically reports to the CEO and must also
inform the Board about important issues 2 30
A model for enabling ubiquitous, convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks, servers, 6 10
A new digital platform introduced by MAS to enable FIs to securely share
information on customers or transactions, in order to prevent ML and FT 4 3
A joint initiative of 5 professional associations dedicated to help organizations
improve performance by developing frameworks that enhance internal
controls, risk management, governance and fraud deterrence. COSO is the de
facto framework to meet internal control requirements for SOX. 4 25
This is a set of rules which informs employees of the company's expectations of
how they are supposed to behave. Sometimes called code of ethics 4, Tutorial A8 8, 9
The organization’s adherence to applicable laws and regulations 1 16
The risk posed to an organization’s financial, organizational, or reputational
value resulting from its/employees' violations of laws, regulations, codes of
conduct, or organizational policies. 5 6, 31
Computing technology to help regulated organizations follow applicable
laws/rules e.g., banks use of systems to detect money laundering. 1, 8 32, 6
Culture refers to the shared values, attitudes, behaviour and norms in an
organisation. It is a key driver of employee conduct. A sound organisational
culture is therefore an effective way to prevent potential misconduct. 8, Tutorial A4 13, 2

Risk of losses to an organization arising from inappropriate supply of products


or services (to customers), including cases of wilful or negligent misconduct. Tutorial A4 3
The CRDS is a software application that builds on the CRM to enable internal
supervision of conduct culture. It achieves this through a systematic
assessment of the organization's conduct risk. Tutorial A4 1
The model provides a common conceptualisation and vocabulary for conduct
risk. Tutorial A4 1
Protecting information from unauthorised access and disclosure 3 12
Well-known model to guide development of information security policies of an
organization i.e., they need to ensure CIA of their information 3 12
Consumer protection implies safeguarding buyers of goods and services, and
the public, against unfair practices in the marketplace. Consumer protection
measures are often established by laws, which aim to prevent businesses from
engaging in fraud or unfair practices to mislead consumers. Tutorial A4 10
FCs are well-defined special-purpose legal contracts—also called financial
instruments or securities—that control the cash flows exchanged between
counterparties. Examples are stocks, bonds, futures, swaps, and options Tutorial A5 3
An internationally recognized framework created by ISACA for information
technology (IT) management and IT governance. Proposes controls over IT and
organizes them in a framework of: 1 ) IT processes , 2) IT resources, and 3)
business requirements. These 3 levels are listed under 4 domains - APO, BAI,
DSS, EDM. COBIT 5 is established, now moving towards COBIT 2019 4 32
Published in 2013, this framework established a definition for internal control
and proposed principles which organizations can use to assess and improve
their controls. Consists of 5 inter-related components, and 17 principles. These
voluntary guidelines are intended to help public companies become self-
regulating, and thus reduce the need for government regulation. 4 26
Combating the Financing of Terrorism (CFT) refers to a set of government
regulations and organizational controls intended to restrict access to funding
and financial services for individuals/groups designated as terrorists 3, 8 31, 11
Credit risk is risk of default on a debt that may happen if a borrower fails to
make required payments. Tutorial A5 7
Refers to computer systems directly involved in the provision of essential
services. Singapore has designated 11 CII sectors: Energy, Water, Banking and
Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation),
Infocomm, Media, Security and Emergency Services, and Government. CII are
to be protected as per the Cybersecurity Act 7 31
A pattern-based graphical compliance language, which allows for the
specification of compliance constraints e.g., for AML. CRL is grounded on
Linear Temporal Logic (LTL). Therefore, from CRL expressions capturing SBVR
statements, corresponding LTL formulas are generated for automated
verification by model checkers. Tutorial A3 5
Crowdsourcing involves a large group of dispersed participants (crowd)
contributing or producing services—including ideas, voting, micro-tasks, and
finances—for payment or as volunteers 8 26

The Culture and Conduct Steering Group (CCSG) was established in May 2019
to promote sound organizational culture and raise conduct standards among
banks in Singapore. The CCSG comprises members from 14 banks in Singapore 8 13
Customer due diligence (CDD) involves performing background checks and
other screening to verify customers' identity and nature of business
relationship before being onboarded (e.g., opening a bank account). It also
involves monitoring their transactions during the relationship. CDD is at the
heart of Anti-Money Laundering (AML) and Know Your Customer (KYC)
initiatives. 3, 8 32, 12
A fundamental principle by which organizations need to establish routine
measures to minimize the risks from cyber threats. MAS 2019 Notice on Cyber
Hygiene sets out the measures that FIs must take to mitigate the growing risk of
cyber threats 6 29
Organization's ability to ensure IT availability, backup, recoverability, even in
the face of adverse events. 6 29
The Cybersecurity Act of 2018 is a law for the oversight and maintenance of
national cybersecurity in Singapore. Its objectives are to: 1) Strengthen the
protection of Critical Information Infrastructure (CII) against cyber-attacks; 2)
Authorise CSA to prevent and respond to cybersecurity threats and incidents;
3) Establish a framework for sharing cybersecurity information; and 4) Establish
a light-touch licensing framework for cybersecurity service providers 7 31
The process of removing/masking personally identifiable information from data
sets, so that the people whom the data describes remain anonymous. The
purpose is for privacy protection. Common methods include k-anonymity and
differential privacy Tutorial A6 2
Rather than splitting the tasks, this kind of parallelism splits the data and
distributes it among the compute nodes in the computer cluster. This is a type
of parallel processing Tutorial A5 14
Tools that enable organisations to generate basic data protection template
notices to inform stakeholders how their personal data is being managed. 7 19
A DPO ensures, in an independent manner, that an organization applies the
laws protecting individuals' personal data. As per PDPA, each organization
must designate at least one DPO 7 8
One of the 2 main provisions of PDPA. Private organizations have 10 main
obligations with respect to individual's personal data i.e., consent, purpose
limitation, notification, access and correction, accuracy, protection, retention
limitation, transfer limitation, data breach, accountability 7 12
A voluntary enterprise-wide certification awarded to organisations that
demonstrate accountable data protection practices. Checked by an IMDA
approved assessment body 7 20

Data localization or residency regulations require data of a country's citizens or


residents to be collected, processed, and stored inside the country. Particularly
strict in the EU. Often applies to cloud or other outsourcing arrangements 6, 9 15, 8
Deep learning is part of a broader family of machine learning methods that uses
artificial neural networks with 3 or more layers. It can ingest and process
unstructured data (like text and images) and automates feature extraction -
unlike other machine learning methods. Tutorial A8 8

Processes used to prevent people's identity from being revealed. For example,
data from individuals could be deidentified using data anonymization
methods, such as k-anonymity, in order to comply with privacy laws. Tutorial A6 6
One of COBIT process domains, which addresses the operational delivery and
support of IT services, including security. 4 33
A common form of data analysis where historical data is analyzed to produce
summary statistics (e.g., averages) that describe or visualize what happened 9 11
Controls used to identify/discover/record the problem after a negative event
has happened. e.g., Intrusion Dectection System (IDS), audit 3, 4 8, 5
A method to add calculated noise to the data before release, thus producing
synthetic dataset. This differential privacy protected data can then be used by
companies for statistical and machine learning tasks. Tutorial A6 9
A digital identity is an unique identifier to verify a person in the digital space
e.g., Singpass, digital signature. Unlike physical identifiers e.g., passport, IC 8 21
Digital transformation is the process of using digital technologies to create new
— or modify existing — business processes, culture, and customer experiences
to meet changing business and market requirements. This reimagining of
business in the digital age is digital transformation. 9 7
One of the 2 main provisions of PDPA. Consumers who do not wish to receive
telemarketing messages via phone call, SMS or fax, can register their Singapore
telephone numbers in the DNC Registry. Organisations must check with the
DNC Registry to ensure that the Singapore telephone numbers that they are
sending telemarketing messages to, are not listed in the Registry 7 13
Drones are unmanned aerial vehicles, which can be equipped with a ground
based controller and on-board cameras. Can be used for aiding compliance in
construction monitoring, shipping, stocktaking, maintenance. Drones in turn
need to be regulated 9 9
End-user computing (EUC) refers to systems in which non-programmers can
create working applications. 9 10

COSO original ERM framework of 2004. Defines ERM as a process, effected by an


entity’s board of directors, management, and other personnel, applied in
strategy setting and across the enterprise, designed to identify potential events
that may affect the entity, manage risk to be within its risk appetite, and to
provide reasonable assurance regarding the achievement of entity objectives. 5 9
COSO updated ERM framework of 2017. Defines ERM as culture, capabilities
and practices integrated into strategy and execution that organizations rely on
to manage risk and in creating, preserving and realizing value. 5 9
All firms using AIDA should operate in line with their ethical standards (moral
principles). These ethical standards are expressed through multiple ways,
including company values, codes of conduct and mission statements, and may
vary across firms and geographies. Tutorial A8 9
The European System of Central Banks (ESCB) consists of the European Central
Bank (ECB) and the national central banks (NCBs) of all 27 member states of the
European Union (EU). Tutorial A5 7
An EU regulation on data protection and privacy that sets guidelines for the
collection and processing of personal information from individuals who live in
the EU 7 6
One of COBIT process domains, which addresses performance monitoring and
conformance of IT with internal performance targets, internal control
objectives and external requirements. 4 33
Explainable AI (XAI), or Interpretable AI, is the use of AI techniques in which the
reasoning behind its decisions can be understood by humans. It contrasts with
the concept of the "black box" in machine learning, where even its designers
may not be able to explain why an AI arrived at a specific decision. 9 11
A freely available and global notation for exchanging business information
based on XML. 8 9
Involves an external auditor examining and auditing the company's
controls/processes/ financial statements, in accordance with applicable laws
or rules. 6 27
Fairness implies ensuring that AIDA-driven decisions do not disadvantage any
particular individual or groups of individuals without justification. The
principles of Fairness focus on two key aspects: 1) the justifiability; and 2) the
accuracy and bias of AIDA-driven decisions. Tutorial A8 6
A set of principles for the use of artificial intelligence and data analytics
(“AIDA”) in decision-making in the provision of financial products and services
in Singapore. The four principles are: Fairness, Ethics, Accountability, and
Transparency Tutorial A8 6
Federated learning is a machine learning technique that trains an algorithm
across multiple decentralized edge devices or servers holding local data
samples, without exchanging them. Helps in complying with privacy laws Tutorial A6 11
An intergovernmental organisation (currently with 39 members across the
globe) that develops policies to combat money laundering and terrorism
financing Tutorial A3 3
FCA is a financial regulatory body in the UK. They are the conduct regulator for
around 51,000 financial services firms and financial markets in the UK Tutorial A1 1
FinCEN is agency of the US Department of the Treasury that collects and
analyzes information about financial transactions in order to combat money
laundering, terrorist financing, and other financial crimes. Tutorial A3 6
FIBO is an ontology for the financial industry developed in the Web Ontology
Language (OWL) . It defines the sets of concepts that are of interest in financial
business applications and the ways that those concepts relate to one another.
Used by financial applications. Tutorial A3 3
FIRO is an ontology model composed of relevant and interlinked ontologies in
the financial industry regulatory domain. Used by financial regtech
applications. Tutorial A3 3

Includes organizations providing a wide variety of deposit, lending, and


investment products to individuals, businesses, or both. FIs encompass a broad
range of business operations within the financial sector including banks, trust
companies, insurance companies, brokerage firms, and investment dealers. 6 20
Terrorism involves the use or threat of violence and seeks to create fear among a
wide audience, for political reasons. Terrorism financing involves the seeking,
collection or provision of funds to support terrorist acts or organizations.
Funds may come from both legal and illicit sources. 3, 8 31, 11
FATCA is an US law to ensure that US persons using non-US accounts comply
with US tax laws. For this purpose, FATCA requires Financial Institutions (FIs)
outside the US to report on the assets held by their US account holders. 1 19
Basel Committee identifies global systemically important banks (G-SIBs) based
on the size, interconnectedness, lack of readily available substitutes or financial
institution infrastructure, global (cross-jurisdictional) activity, and
complexity. G-SIBs are subject to higher capital requirements and other
regulatory measures to reduce the probability and impact of their failure. Tutorial A2 18
Goals, policies, structures, processes to execute the company strategy, while
considering risk (and compliance) 2 6
A management model that promotes the unification of criteria for Governance,
Risk Management, and Compliance, as well as communication and
collaboration between different stakeholders in the management and control
of the organization 2 6
The Gramm-Leach-Bliley Act requires financial institutions in the US to explain
their information-sharing practices to their customers and to safeguard
sensitive data. i.e., has a privacy rule for FIs 7 6
A graphical user interface allows users to interact with electronic devices
through graphical icons as the primary notation, instead of purely text-based
user interfaces that rely on typed commands or text navigation. 9 10
Guidelines set out principles or "best practice standards" that govern the
conduct of specified institutions or persons. Violating guidelines is not a
criminal offence and does not attract civil penalties, but may impact MAS's risk
assessment of the FI or person. e.g., MAS Outsourcing, TRM, etc. 6 13
HIPAA is a US law to protect sensitive patient health information from being
disclosed without the patient's consent or knowledge. It includes a privacy rule
and a security rule for healthcare providers and their associates 7 6

A method for risk prioritization. Risks were plotted on a heat map (where colors
are used to indicated different levels of risk) to perform an initial prioritization. 5 27
Homomorphic encryption is a form of encryption that permits users to
perform computations on the encrypted data without first decrypting it. Tutorial A6 7
IMDA is a statutory board under the Singapore Ministry of Communications
and Information (MCI), whose main functions are to develop and regulate the
converging infocomm and media industry sectors Tutorial A8 6
Information silos occur when business units keep information within their unit
e.g., siloed databases. The lack of information sharing among silos prevents the
organization from having (and using) an integrated view of the information e.g.,
for risk assessment. Tutorial A1 4
An international professional association focused on IT governance, control,
risk, security, audit/assurance. Developed standards such as COBIT and helps
build the skills of cybersecurity professionals; 2 25
An industry framework designed to standardize the selection, planning,
delivery, maintenance, and overall lifecycle of IT (information technology)
services within a business 1 31
IaaS is a type of cloud computing service where the vendor provides essential
compute, storage, and networking resources on demand, on a pay-as-you-go
basis 6 11, 16
ISCA is the national professional body for accountants in Singapore. It aims to
develop, support and enhance the integrity, status and interests of the
accountancy profession in Singapore. 3 24
Preventing unauthorised modification or deletion of information. A related
term, data integrity refers to the maintenance of data accuracy and consistency
over its entire life-cycle and is a critical aspect for design, implementation, and
use of systems that store, process, or retrieve data. 3, Tutorial A7 12, 10
Internal audits involve audit staff/dept. of the business evaluating its internal
controls, including its corporate governance and accounting processes. These
audits help to ensure compliance with laws/regulations and maintaining
accurate/ timely financial reporting and data collection. 4 11
Policies, procedures and processes (include tools, techniques, physical
measures) established by the board and senior management for: 1) reasonable
assurance on the safety, effectiveness and efficiency of the company’s
operations, 2) their reliability of financial and managerial reporting, and 3)
their compliance with regulatory requirements. 3, 4 7, 6

An internationally recognized system of identifying bank accounts to facilitate


the communication and processing of cross-border bank transactions 8 11
An international standard-setting body composed of representatives from
various national standards organizations 1 31
Controls that apply to all systems, components, processes, and data for a given
organization or information technology (IT) environment. Includes 6 major
types of IT controls 3 21
K-anonymity is a property of data that has been processed to remove
identifiers. The idea is that among k records, no individual can be singled out
based on the data Tutorial A6 8
Checks carried out at the start of and during a customer relationship (e.g.,
account creation) to identify and verify that they are who they say they are. 3, 8 32, 12
A legacy system is an outdated IT system or software that is still in use in the
organization. The system still meets the original needs, but doesn't allow for
update and integration with newer technologies. Tutorial A2 8
The Legal Entity Identifier (LEI) is a unique global identifier for legal entities
participating in financial transactions. Tutorial A2, A5 20, 19
Linear temporal logic (LTL) is a formal representation to specify properties of
programs, and reason about them. It is used alongwith CRL for verification of
compliance rules against business processes of an organization. Tutorial A3 5
Liquidity is a measure of the cash and other assets banks have available to
quickly pay bills and fund cash outflows. Regulators like MAS impose liquidity
requirements on FIs so that they can meet their short-term business and
financial obligations. 3 14
Market abuse occurs when investors have been disadvantaged by others who:
1) have used information which is not publicly available (insider dealing); 2)
have distorted the price-setting mechanism of financial instruments; 3) have
disseminated false or misleading information. 3 25
Market risk is the risk of losses in positions of FIs arising from movements in
market variables like commodity prices, equity prices, interest rates, foreign
exchange rates. 3 14
Materiality refers to the importance of an issue for a company or a business
sector. For example, an outsourcing arrangement is material (of importance) to
the company if it greatly impacts its earnings, reputation, customers, costs,
risks, etc. 6, Tutorial A8 18, 6
The central bank and financial regulatory authority of Singapore. It issues
guidelines and notices, and regulates financial institutions (FIs) operating in
Singapore 2 22
Money laundering is a process that aims to hide the benefits obtained from
criminal activity so that they appear to have originated from legitimate
sources. In this process, money obtained through criminal activity or other
criminal property is mixed with or exchanged for money originating from
legitimate sources or assets. 3, 8 30, 11
A simulation method. It is used for risk analysis by building models of possible
results by substituting a range of values—a probability distribution—for any
factor (e.g., value of an investment) that has inherent uncertainty. It then
calculates results over and over, each time using a different set of random
values from the probability functions. Tutorial A5 4
The world’s first cloud security standard that covers multiple tiers of cloud
security. It is developed under the Information Technology Standards
Committee (ITSC) for Cloud Service Providers (CSPs) in Singapore. 6 11
Along with the MTCS Standard, this scheme was established to: a) encourage
adoption of sound risk management and security practices by Cloud Service
Providers (CSPs) through MTCS certification; and b) promote the adoption of
the MTCS standard 6 11
US body that has been responsible for developing standards and guidelines in
many areas over the years and, more recently, on IT-related domains, e.g., NIST
Cybersecurity Framework 7 37
Natural language processing (NLP) refers to a branch of computer
science—more specifically AI—concerned with giving computers the ability to
understand text and spoken words, in particular by processing and analyzing
large amounts of natural language data. Tutorial A2 12
Notices primarily impose legally binding requirements on a specified class of
financial institutions or persons e.g., MAS Notice 655 on Cyber Hygiene 6 13
Nudging is a concept in behavioral sciences that proposes positive
reinforcement and indirect suggestions as ways to influence people's behavior
and decision-making. Nudging differs from other ways to achieve compliance,
such as education, legislation or enforcement. 8 26
The Object Management Group (OMG) is a computer industry standards
consortium. OMG Task Forces develop enterprise integration standards for a
range of technologies, e.g., FIBO, FIRO, SBVR Tutorial A3 3
Refers to the risks a company faces in the course of conducting its daily business
activities, products, processes, and systems, e.g., a server going down. 2 19
An arrangement in which a service provider provides the institution with a
service that may currently or potentially be performed by the institution itself,
e.g., cloud services 6 15
A type of computation in which many calculations or processes are carried out
simultaneously. The aim is to reduce the processing time, i.e., gain efficiency,
especially when the dataset is large and/or the processing is complex. Data and
task parallelism are 2 common methods for this. Tutorial A5 14
A tool that enables organisations to conduct a self-evaluation to identify key
gaps or areas of improvement in their data protection policies and practices 7 18
A penetration test, also known as a pen test, is a simulated cyber attack against
your computer system to check for vulnerabilities 7 32
Data about an individual, who can be identified: 1) from that data; or 2) from
that data and other information to which the organisation has or is likely to
have access, e.g., an NRIC number on its own 7 9

The Personal Data Protection Act is a law in Singapore that governs the
collection, use and disclosure of individuals' personal data by private
organizations. It contains 2 main sets of provisions, which organisations must
comply with: 1) Data protection, and 2) Do Not Call registry 7 6
PDPC is established under the PDPA with 2 main functions: 1) to promote
awareness of data protection in Singapore, and 2) to administer and enforce
the PDPA. 7 8
Physical implementations of controls, e.g., security guards and locked doors. 3, 4 8, 5

A type of cloud computing where the service provider offers access to a
cloud-based environment/platform in which users can build and deliver applications. 6 16
In financial regulation, a politically exposed person (PEP) is one who has been
entrusted with a prominent public function, e.g., a minister. A PEP generally
presents a higher risk for potential involvement in bribery and corruption, by
virtue of their position and the influence that they may hold. Tutorial A7 8
Predictive analytics includes a variety of statistical techniques that analyze
current and historical facts to make predictions about future states or events,
e.g., future sales 9 11
Prescriptive analytics is the process of using data to determine a future course
of action. Prescriptive analytics extends beyond predictive analytics by
suggesting the actions necessary to achieve predicted outcomes. 9 11
Controls put in place to avert/stop a negative event from occurring, e.g., a guard
or a firewall 3, 4 8, 5
The expectation that confidential personal information shared will not be
disclosed to third parties without consent. Broadly refers to having control
over the sharing and use of one's personal data 7 6
Quasi-identifiers are pieces of information that are not by themselves unique
identifiers of people, but are sufficiently well correlated that they can be
combined with other quasi-identifiers to create a unique identifier of the
person, e.g., gender, age, residential area Tutorial A6 5
Controls put in place to correct the problem after it has been detected, which
is why they are sometimes called corrective controls 3, 4 8, 5
Computing technology used to enhance regulatory and compliance processes.
Comprises Comptech and Suptech 1, 8 32, 6
A framework that enables firms to experiment with innovative products or
services in a live environment but within a well-defined space and duration.
Regulatory support is provided by relaxing specific requirements (e.g., capital
adequacy) in that period. The sandbox will include appropriate safeguards to
contain any consequences of failure. e.g., MAS Fintech Sandbox 9 18
The residual risk is the amount of risk remaining after the natural risk of a
negative event has been reduced by internal controls. 5 35
The probability that an event will occur that has negative consequences, e.g., a
data breach. For a negative event occurring when a threat (e.g., a cybercriminal)
harms an asset (e.g., a customer database) by exploiting a vulnerability (e.g.,
weak protection of the database), risk is computed by multiplying the asset
value, threat, and vulnerability 5 6
If the financial value of a risk is smaller than the cost of mitigating or
transferring it, the most reasonable option is to accept the risk. This means
doing nothing in response to the risk 5 29
A risk interaction map is the simplest form of graphical representation of risks,
in which the same list of risks forms both the x and y axes. Risk interactions are then
indicated by an X or other qualitative indicator. 5 24
A framework for organizations to deal with and react to uncertainty by
identifying, assessing, prioritizing, handling, and monitoring the areas of the
business exposed to risks 2 6
This is a risk response approach in which an attempt is made to reduce the risk by
applying appropriate controls. A cost-benefit analysis is undertaken to assess
whether the controls are worth putting in place 5 29
When a risk has a significant financial value, it could be appropriate to transfer
the risk rather than accept it. In this approach, some or all aspects of a risk are
transferred to another party via insurance or via contractual obligations (e.g.,
outsourcing) 5 30
RPA software is a powerful tool to perform manual, time-consuming, rules-
based office tasks that can save time and costs. RPA replicates end user
activities, typically through a Graphical User Interface (GUI) that sits on top of
other front-end and back-end applications. 9 10
SOX was enacted in the US in response to major corporate accounting scandals,
such as Enron. It aims to protect investors by making the board and senior
management accountable/punishable for the accuracy of the company's
financial statements. It requires more oversight by external auditors 3 15
Scenario analysis is used as a quantitative risk assessment method. It involves
defining one or more risk scenarios, detailing the key assumptions (conditions
or drivers) that determine the severity of impact, and estimating the impact on
a key objective. 5 21
An information security operations center is a facility where enterprise
information systems (web sites, applications, databases, data centers and
servers, networks, desktops and other endpoints) are monitored, assessed, and
defended. It is sometimes outsourced to a third party 7 32
A software engineering term, which means that software products and
capabilities have been designed to be secure. 6 34
An SDLC approach which addresses cyber protection considerations
throughout a system’s lifecycle. It is one of the key components of the
Cybersecurity Code of Practice for Critical Information Infrastructure (CII) in
Singapore 7 34
SBVR - a standard of the Object Management Group (OMG) - is a structured
natural language to describe business rules, such that the information can be
shared across businesses and applications. SBVR has been used to interpret and
represent compliance requirements (e.g., for AML), such that they can be
verified against the related business processes. Tutorial A3 2
Separation of duties implies assigning different people to complete different
parts of key accounting and other tasks. It is an administrative control intended
to prevent errors or fraud, by ensuring that no single employee carries out the
task (e.g., claims processing) whereby he or she can both create and hide errors
or fraud 4 5
A service-level agreement (SLA) is a contract between a service provider and a
client. Particular aspects of the service – quality, availability, responsibilities –
are agreed between the service provider and the client. Tutorial A2 15
Small and medium-sized enterprises (SMEs) or small and medium-sized
businesses (SMBs) are businesses whose employee numbers fall below certain
limits. In Singapore, an SME is defined as a company that has an annual turnover of less
than $100 million and also employs fewer than 200 workers. Tutorial A6 1
A member-owned cooperative providing secure messaging for international
transfers of money between participating banks. 8 11
Controls that a company uses to document, identify, and authorize changes to
its software systems. They reduce the chances of unauthorized alterations,
disruption and errors in the systems. 3 11
The systematic steps for software development that include planning, analysis,
design, development, testing, implementation, and maintenance. 7, 9 34, 10
A type of cloud computing where the service provider delivers software and
applications through the internet. Users subscribe to the software and access it
via the web or vendor APIs. 6 16
The degree to which the current assets of an individual or business entity
exceed the current liabilities of that individual or entity. 6, Tutorial A5 18, 8
Stress testing is a computer-simulated technique to analyze how banks and
investment portfolios fare in drastic economic scenarios. Stress testing helps
gauge investment risk and the adequacy of assets, as well as helps to evaluate
internal processes and controls. 8, Tutorial A2, A5 10
A subject-matter expert (SME) is a person who is an authority in a particular
area or topic, e.g., a legal or business expert Tutorial A3 2
Computing technology for regulators to supervise/monitor organizations'
compliance with laws/rules, e.g., MAS uses digitized reporting 1, 8 32, 6
STR is a report made by a financial institution to the Suspicious Transaction
Report Office about suspicious or potentially suspicious transactions e.g.,
suspected ML, TF, and other serious financial crimes. Tutorial A7 14
Synthetic data is any data produced artificially, i.e., not obtained by direct
measurement. Tutorial A6 10
One of the Parallel Computing paradigms. This approach splits a task into
subtasks and executes each subtask on a different compute node of the
computer cluster. This allows greater efficiency of computation for large
datasets and/or complex tasks Tutorial A5 14
Tax avoidance is any legal method used by a taxpayer to minimize the amount
of income tax owed. It is the opposite of tax compliance Tutorial A2 9
Policy actions and individual behaviour aimed at ensuring that taxpayers are
paying the right amount of tax at the right time and securing the correct tax
allowances and tax reliefs. Tutorial A2 9
Tax evasion is the illegal non-payment or under-payment of taxes, usually by
deliberately making a false declaration or no declaration to tax authorities, e.g.,
IRAS. It differs from tax avoidance, which is legal 3 14
Technical implementations of controls are tools and software that logically
enforce controls, e.g., passwords 3, 4 8, 5

MAS set out technology risk management principles and best practices for the
financial sector, to guide FIs in the following: a) Establish Sound and Robust
Technology Risk Governance and Oversight; and b) Maintain Cyber Resilience 6 31

IIF is the global association for the financial industry. Its mission is to support
the industry in the management of risks; to develop sound industry practices;
and to advocate for regulatory, financial and economic policies that are in the
interests of its members and foster global financial stability and sustainable
economic growth. This includes reports on the use of regtech in this industry. Tutorial A2 1
IoT describes physical objects embedded with sensors, software, connectivity,
and computing ability. This allows them to collect, act on and exchange data
with other devices and systems over the Internet or other communications
networks, e.g., traffic rule violation cameras 9 14
A potential event, e.g., a cyberattack, that, if realized, would cause an undesirable
impact. Threat is calculated by multiplying the exposure factor (the extent to which it
damages the asset) by the likelihood of occurrence of the threat. 5 19
A well-established model for organizational risk governance by having 3 lines of
defence against risk: Line 1 - business units (functions that own and manage
risks); Line 2 - independent compliance and risk management functions; and
Line 3 - an independent audit function. 2 18
The absence of a “common language” in the financial industry, and the
existence of heterogeneous terms and concepts to describe similar business
objects, processes, and products. Tutorial A1 2
TM is a key control in FI's AML and CFT procedures. An effective TM system
enables FIs to detect and assess whether customers’ transactions pose
suspicion. TM systems also facilitate the holistic reviews of customer
transactions over periods of time, in order to monitor for any unusual or
suspicious trends, patterns or activities Tutorial A7 3
One of the principles for AIDA. It includes the disclosure of use of AIDA to data
subjects, clear explanations on what data is used to make AIDA-driven decisions
about the data subject, and how the data affects the decision. Tutorial A8 6
An authentication method in which a user is granted access only after
successfully presenting 2 pieces of evidence (or factors) e.g., password and
fingerprint. 7 27
Unified Compliance is the integration of processes and tools to aggregate and
harmonize all compliance requirements applicable to an organization. It
involves extracting mandates from laws/notices, mapping them to common
controls accurately, and standardizing audit of the controls. 3 37
Defined as the absence or weakness of controls protecting a particular asset,
e.g., lack of a strong password 5 19
External Source (if any) - External Link
https://www.acra.gov.sg/
https://www.bis.org/bcbs/index.htm?m=2625
https://www.bis.org/publ/bcbs113.htm
https://www.bis.org/bcbs/publ/d328.htm
https://www.bpmn.org/
https://www.bundesbank.de/en/bundesbank/research/rdsc/research-data/csdb-769890
https://abs.org.sg/docs/library/abs-cloud-computing-implementation-guide.pdf
https://www.mas.gov.sg/news/media-releases/2021/mas-and-financial-industry-to-use-new-digital-platform-to-fight-money-laundering
https://www.coso.org/Pages/default.aspx
https://www.mas.gov.sg/publications/monographs-or-information-paper/2020/information-paper-on-culture-and-conduct-practices-of-financial-institutions
https://www.isaca.org/resources/cobit
https://abs.org.sg/industry-guidelines/culture-and-conduct-steering-group
https://www.mas.gov.sg/regulation/notices/notice-655
https://sso.agc.gov.sg/Acts-Supp/9-2018/
https://apps.pdpc.gov.sg/dp-notice-generator
https://www.dnc.gov.sg/index.html
https://www.coso.org/pages/erm.aspx
https://www.xbrl.org/
https://www.fatf-gafi.org/
https://www.fca.org.uk/
https://www.fincen.gov/
https://spec.edmcouncil.org/fibo/
https://github.com/GRCTC/FIRO
https://www.iras.gov.sg/taxes/international-tax/foreign-account-tax-compliance-act-(fatca)/fatca-overview-and-latest-developments
https://www.bis.org/bcbs/gsib/
https://www.isaca.org/
https://wiki.en.it-processmaps.com/index.php/Main_Page
https://isca.org.sg/
https://www.iso.org/home.html
https://www.mas.gov.sg/
https://abs.org.sg/docs/library/abs-cloud-computing-implementation-guide.pdf
https://abs.org.sg/docs/library/abs-cloud-computing-implementation-guide.pdf
https://www.nist.gov/cyberframework
https://apps.pdpc.gov.sg/resources/pato
https://www.mas.gov.sg/development/fintech/regulatory-sandbox
https://www.omg.org/spec/SBVR/1.5/About-SBVR/
https://www.swift.com/
https://www.iif.com/