ECB published an opinion on the proposal for a regulation on digital operational resilience for the financial sector. The opinion has been published in response to requests from the European Council and Parliament. In the opinion, ECB welcomes the proposed regulation, which is intended to enhance cyber security and operational resilience of the financial sector in EU. ECB welcomes the aim of the proposed regulation to remove obstacles to, and improve the establishment and functioning of, the internal market for financial services by harmonizing the rules applicable in the area of information and communication technology (ICT) risk management, reporting, testing, and ICT third-party risk.
ECB welcomes the aim of the proposed regulation to streamline and harmonize any overlapping regulatory requirements or supervisory expectations to which financial entities are currently subject under the EU law. ECB understands that the proposed regulation intends to set forth a prudential internal governance framework for the management of ICT risk, which will be integrated into the general internal governance framework under the Capital Requirements Directive. Moreover, given the prudential nature of the proposed framework, the competent authorities responsible for supervision of compliance with the obligations set out under the proposed framework, including ECB, will be the authorities responsible for banking supervision, in accordance with the Single Supervisory Mechanism (SSM) Regulation.
ECB supports the effort of the EU legislative bodies to promote harmonization and streamline the set of rules and obligations applicable to credit institutions on incident reporting. In view of this, ECB stands ready to amend (and potentially repeal) the Incident Reporting Framework, where necessary, in the light of the eventual adoption of the proposed regulation. In its opinion, ECB sets out the following specific observations on ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk:
- ECB welcomes the introduction by the proposed regulation of a robust and comprehensive ICT risk management framework that encompasses the CPMI-IOSCO guidance on cyber resilience and is closely aligned to best practices, including the Eurosystem Cyber Resilience Oversight Expectations for financial market infrastructures. In relation to the identification and classification to be performed by financial entities under the proposed regulation, ECB would consider it prudent, for the purposes of the classification of assets, that the proposed regulation also require financial entities to consider the criticality of such assets (that is whether they support critical functions).
- ECB welcomes the efforts outlined in the proposed regulation to harmonize the ICT incident reporting landscape in EU and work toward a centralized reporting of major ICT-related incidents. ECB emphasizes that the responsibility for, and ownership of, the remediation and the consequences of an incident should remain solely and clearly with the concerned financial entity. ECB would, therefore, propose to limit the feedback and guidance to high-level prudential feedback and guidance only.
- ECB welcomes the requirements set out under the proposed regulation on digital operational resilience testing across financial entities and the need for each institution to have its own testing program. ECB proposes to remove, from the proposed regulation, any obligation for competent authorities regarding the validation of documents and the issuance of an attestation for a threat-led penetration testing.
- ECB welcomes the introduction of a comprehensive set of key principles and a robust oversight framework to identify and manage ICT risks stemming from ICT third-party service providers, regardless of whether these belong to the same group of financial entities. Having said that, to achieve an effective ICT risk identification and management, it is important to correctly identify and classify the critical ICT third-party service providers. In this regard, while the introduction of delegated acts that will supplement the criteria to be used for classification purposes is welcome, ECB should be consulted prior to the adoption of such delegated acts.
Related Link: Opinion (PDF)
Keywords: Europe, EU, Banking, Operational Resilience, ICT Risk, Incident Reporting, Operational Risk, Third-Party Risk, SSM, CRD, Basel, Cyber Resilience, Cybersecurity, Fintech, Opinion, ECB
ECB published Guideline 2021/975, which amends Guideline ECB/2014/31, on the additional temporary measures relating to Eurosystem refinancing operations and eligibility of collateral.
EIOPA published a report, from the Consultative Expert Group on Digital Ethics, that sets out artificial intelligence governance principles for an ethical and trustworthy artificial intelligence in the insurance sector in EU.
HKMA published the seventh and final issue of the Regtech Watch series, which outlines the three-year roadmap of HKMA to integrate supervisory technology, or suptech, into its processes.
EC launched a targeted consultation to improve transparency and efficiency in the secondary markets for nonperforming loans (NPLs).
BIS, Danmarks Nationalbank, Central Bank of Iceland, Norges Bank, and Sveriges Riksbank launched an Innovation Hub in Stockholm, making this the fifth BIS Innovation Hub Center to be opened in the past two years.
FDITECH, the technology lab of FDIC, announced a tech sprint that is designed to explore new technologies and techniques that would help expand the capabilities of community banks to meet the needs of unbanked individuals and households.
EC released the EU Taxonomy Compass, which visually represents the contents of the EU Taxonomy starting with the EU Taxonomy Climate Delegated Act.
FDIC is seeking comments on a rule to amend the interagency guidelines for real estate lending policies—also known as the Real Estate Lending Standards.
EIOPA published its annual report, which sets out the work done in 2020 and indicates the planned work areas for the coming months.
The ESRB paper that presents an analytical framework that assesses and quantifies the potential impact of a bank failure on the real economy through the lending function.