Featured Product

    EBA Publishes Guidelines on ICT and Security Risk Management

    November 28, 2019

    EBA published the final guidelines on the mitigation and management of information and communication technology (ICT) and security risks for banks in EU. The guidelines set out expectations on the way in which all financial institutions should manage their internal and external ICT and security risks. The guidelines provide financial institutions with a better understanding of supervisory expectations for the management of these risks, covering sound internal governance, information security requirements, ICT operations, project and change management, and business continuity management. The guidelines, which apply to credit institutions, investment firms, and payment service providers, enter into force on June 30, 2020.

    These guidelines respond to the EC's FinTech Action plan request for EBA to develop guidelines on ICT risk management and mitigation requirements in the financial sector in EU. The guidelines:

    • Focus on the management and mitigation of ICT and security risks by establishing sound internal governance and an internal control framework that sets clear responsibilities for the staff of financial institutions, including for the management bodies
    • Require financial institutions to maintain up-to-date inventories of their business functions, supporting processes and information assets and to classify them in terms of criticality, based on the confidentiality, integrity, and availability of data
    • Remind financial institutions to ensure the effectiveness of the risk-mitigating measures, as defined by their risk management framework, when outsourcing or using third-party providers
    • Specify high-level principles on how ICT operations should be managed, including requirements to improve, when possible, the efficiency of ICT operations; implement logging and monitoring procedures for critical ICT operations; maintain an up-to-date inventory of their ICT assets; monitor and manage the life cycle of ICT assets; and implement backup plans and recovery procedures
    • Specify expectations on business continuity management and developing response and recovery plans, including testing, and their consequent updating based on the test results
    • Cover the management of relationship of payment service providers with payment service users to ensure that users are made aware of the security risks linked to the payment services and are provided with the tools to disable specific payment functionalities and monitor payment transactions

    In implementing these guidelines, financial institutions should refer to the existing standards and leading best practices. These guidelines intend to be technology and methodology agnostic. The implementation of these guidelines should be done in accordance with the principle of proportionality, taking into account the scale and complexity of operations, the nature of the activity engaged in, the types of services provided, and the corresponding ICT and security risks related to the processes and services of financial institutions. These guidelines complement, and should be read in conjunction with, the supervisory assessment to the applicable institutions in EBA guidelines on ICT risk assessment under the Supervisory Review and Evaluation Process (EBA/GL/2017/05) and other relevant guidelines such as EBA guidelines on outsourcing arrangements (EBA/GL/2019/02). 

     

    Related Links

    Effective Date: June 30, 2020

    Keywords: Europe, EU, Banking, CRD, PSD 2, ICT Risk, Cyber Risk, Proportionality, Operational Risk, Outsourcing Arrangements, Third-Party Arrangements, Fintech, EBA

    Featured Experts
    Related Articles
    News

    HKMA Announces Repayment Deferment Under Payment Holiday Scheme

    HKMA, together with the Banking Sector Small and Medium-Size Enterprise (SME) Lending Coordination Mechanism, announced a ninety-day repayment deferment for trade facilities under the Pre-approved Principal Payment Holiday Scheme.

    August 05, 2020 WebPage Regulatory News
    News

    ESRB Paper Presents Alternative Approach to EBA Stress Test Proposal

    The Advisory Scientific Committee of ESRB published a response, in the form of an Insights Paper, to the EBA proposals for reforms to the stress testing framework in EU.

    August 05, 2020 WebPage Regulatory News
    News

    MAS Announces Key Initiatives to Support Adoption of SORA

    MAS announced several initiatives to support adoption of the Singapore Overnight Rate Average (SORA), which is administered by MAS.

    August 05, 2020 WebPage Regulatory News
    News

    BoE Updates Template and Definitions for Form ER

    BoE updated the reporting template for Form ER as well as the Form ER definitions, which contain guidance on the methodology to be used in calculating annualized interest rates.

    August 05, 2020 WebPage Regulatory News
    News

    PRA to Extend Temporary High Balance Coverage Amid COVID Crisis

    PRA published the policy statement PS19/20 on the final policy for extending coverage under the Financial Services Compensation Scheme (FSCS) for Temporary High Balance.

    August 04, 2020 WebPage Regulatory News
    News

    EBA Publishes Standards on Disclosure and Reporting of MREL and TLAC

    EBA published the final draft implementing technical standards for disclosures and reporting on the minimum requirements for own funds and eligible liabilities (MREL) and the total loss-absorbing capacity (TLAC) requirements in EU.

    August 03, 2020 WebPage Regulatory News
    News

    EBA Releases Erratum for Phase 2 Package on Reporting Framework 2.10

    EBA published an erratum for the phase 2 of technical package on the reporting framework 2.10.

    August 03, 2020 WebPage Regulatory News
    News

    EC Sets Out Updated Technical Information for Solvency II Calculations

    EC published the Implementing Regulation 2020/1145, which lays down technical information for calculation of technical provisions and basic own funds.

    August 03, 2020 WebPage Regulatory News
    News

    US Agencies Issue Statement on Additional COVID-19 Loan Accommodations

    FFIEC, on behalf of its members that include US Agencies such as CFPB, FDIC, FED, NCUA, and OCC, issued a joint statement that sets out prudent risk management and consumer protection principles for financial institutions to consider while working with borrowers.

    August 03, 2020 WebPage Regulatory News
    News

    PRA Consults on Implementation of Certain Provisions of CRD5

    PRA, via the consultation paper CP12/20, proposed changes to its rules, supervisory statements, and statements of policy to implement certain elements of the Capital Requirements Directive (CRD5).

    July 31, 2020 WebPage Regulatory News
    RESULTS 1 - 10 OF 5622