Featured Product

    ECB Issues Opinion on Proposed Rule on Digital Operational Resilience

    June 04, 2021

    ECB published an opinion on the proposal for a regulation on digital operational resilience for the financial sector. The opinion has been published in response to requests from the European Council and Parliament. In the opinion, ECB welcomes the proposed regulation, which is intended to enhance cyber security and operational resilience of the financial sector in EU. ECB welcomes the aim of the proposed regulation to remove obstacles to, and improve the establishment and functioning of, the internal market for financial services by harmonizing the rules applicable in the area of information and communication technology (ICT) risk management, reporting, testing, and ICT third-party risk.

    ECB welcomes the aim of the proposed regulation to streamline and harmonize any overlapping regulatory requirements or supervisory expectations to which financial entities are currently subject under the EU law. ECB understands that the proposed regulation intends to set forth a prudential internal governance framework for the management of ICT risk, which will be integrated into the general internal governance framework under the Capital Requirements Directive. Moreover, given the prudential nature of the proposed framework, the competent authorities responsible for supervision of compliance with the obligations set out under the proposed framework, including ECB, will be the authorities responsible for banking supervision, in accordance with the Single Supervisory Mechanism (SSM) Regulation. 

    ECB supports the effort of the EU legislative bodies to promote harmonization and streamline the set of rules and obligations applicable to credit institutions on incident reporting. In view of this, ECB stands ready to amend (and potentially repeal) the Incident Reporting Framework, where necessary, in the light of the eventual adoption of the proposed regulation. In its opinion, ECB sets out the following specific observations on ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk:

    • ECB welcomes the introduction by the proposed regulation of a robust and comprehensive ICT risk management framework that encompasses the CPMI-IOSCO guidance on cyber resilience and is closely aligned to best practices, including the Eurosystem Cyber Resilience Oversight Expectations for financial market infrastructures. In relation to the identification and classification to be performed by financial entities under the proposed regulation, ECB would consider it prudent, for the purposes of the classification of assets, that the proposed regulation also require financial entities to consider the criticality of such assets (that is whether they support critical functions).
    • ECB welcomes the efforts outlined in the proposed regulation to harmonize the ICT incident reporting landscape in EU and work toward a centralized reporting of major ICT-related incidents. ECB emphasizes that the responsibility for, and ownership of, the remediation and the consequences of an incident should remain solely and clearly with the concerned financial entity. ECB would, therefore, propose to limit the feedback and guidance to high-level prudential feedback and guidance only.
    • ECB welcomes the requirements set out under the proposed regulation on digital operational resilience testing across financial entities and the need for each institution to have its own testing program. ECB proposes to remove, from the proposed regulation, any obligation for competent authorities regarding the validation of documents and the issuance of an attestation for a threat-led penetration testing.
    • ECB welcomes the introduction of a comprehensive set of key principles and a robust oversight framework to identify and manage ICT risks stemming from ICT third-party service providers, regardless of whether these belong to the same group of financial entities. Having said that, to achieve an effective ICT risk identification and management, it is important to correctly identify and classify the critical ICT third-party service providers. In this regard, while the introduction of delegated acts that will supplement the criteria to be used for classification purposes is welcome, ECB should be consulted prior to the adoption of such delegated acts.

     

    Related Link: Opinion (PDF)

     

    Keywords: Europe, EU, Banking, Operational Resilience, ICT Risk, Incident Reporting, Operational Risk, Third-Party Risk, SSM, CRD, Basel, Cyber Resilience, Cybersecurity, Fintech, Opinion, ECB

    Featured Experts
    Related Articles
    News

    US Agencies Issue Regulatory Updates, FDIC Launches Tech Sprint

    The Board of Governors of the Federal Reserve System (FED) published the final rule that amends Regulation I to reduce the quarterly reporting burden for member banks by automating the application process for adjusting their subscriptions to the Federal Reserve Bank capital stock, except in the context of mergers.

    January 13, 2022 WebPage Regulatory News
    News

    EBA Issues Guide on Bank Resolvability, Consults on Transferability

    The European Banking Authority (EBA) published its assessment of risks through the quarterly Risk Dashboard and the results of the Autumn edition of the Risk Assessment Questionnaire (RAQ).

    January 13, 2022 WebPage Regulatory News
    News

    MFSA Publishes CRD5 Updates and Supervisory Priorities for 2022

    The Malta Financial Services Authority (MFSA) updated the guidelines on supervisory reporting requirements under the reporting framework 3.0.

    January 13, 2022 WebPage Regulatory News
    News

    HKMA Extends Repayment for Trade Facilities, Consults on Crypto-Assets

    The Hong Kong Monetary Authority (HKMA) published a circular, along with the reporting form and instructions, for self-assessment, by authorized institutions, of compliance with the Code of Banking Practice 2021.

    January 12, 2022 WebPage Regulatory News
    News

    FCA Registers Securitization Repositories; PRA Issues 2022 Priorities

    The Financial Conduct Authority (FCA) decided to register European DataWarehouse Ltd and SecRep Limited as securitization repositories under the UK Securitization Regulation, with effect from January 17, 2022.

    January 12, 2022 WebPage Regulatory News
    News

    EC Regulation Sets Out Methods for Measuring K-Factors Under IFR

    The European Commission (EC) published the Delegated Regulation 2022/25, which supplements the Investment Firms Regulation (IFR or Regulation 2019/2033) with respect to the regulatory technical standards specifying the methods for measuring the K-factors referred to in Article 15 of the IFR.

    January 11, 2022 WebPage Regulatory News
    News

    BIS Studies How Platform Models Impact Financial Stability & Inclusion

    The Bank of International Settlements (BIS) published a paper that assesses the ways in which platform-based business models can affect financial inclusion, competition, financial stability and consumer protection.

    January 10, 2022 WebPage Regulatory News
    News

    CBE Issues Additional Measures to Ease Disruptions from Pandemic

    The Central Bank of Egypt (CBE) published a circular with instructions on emergency liquidity assistance to banks that are unable to meet their liquidity requirements.

    January 10, 2022 WebPage Regulatory News
    News

    ESAs Publish List of Financial Conglomerates for 2021

    The European Supervisory Authorities (ESAs) published the list of identified financial conglomerates for 2021.

    January 07, 2022 WebPage Regulatory News
    News

    APRA Licenses Two More Banks, Reduces Committed Liquidity Facility

    The Australian Prudential Regulation Authority (APRA) updated the list of authorized deposit-taking institutions, granting license to Barclays Bank PLC and Crédit Agricole Corporate and Investment Bank to operate as foreign authorized deposit-taking institutions under the Banking Act 1959.

    January 07, 2022 WebPage Regulatory News
    RESULTS 1 - 10 OF 7866