Skip to content

Is your investment or payment services firm up to date on ICT and security risk management?

What has happened?

On 28 November 2019, the European Banking Authority (the EBA) published final guidelines on Information and communications technology (ICT) and security risk management for credit institutions, investment firms and payment service providers (PSPs). The FCA has notified the EBA that it intends to comply with these guidelines.

All credit institutions, investment firms and PSPs will be expected by the FCA to make every effort to comply with the guidelines from 30 June 2020, when they enter into force. However, the FCA will apply reasonable supervisory flexibility when assessing the implementation of the guidelines given the Covid-19 crisis.

The FCA is currently consulting on new requirements for operational resilience and it expects to publish final rules in Q1 2021, including further information on the links between its operational resilience policy and the EBA guidelines.

What do you need to do?

Firms may be well advised to consider how well they will be able to comply with some sample extracts from the guidelines, reproduced below.

The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees.

The ICT strategy should be aligned with financial institutions’ overall business strategy and should define:

    1. how financial institutions’ ICT should evolve to effectively support and participate in their business strategy, including the evolution of the organisational structure, ICT system changes and key dependencies with third parties,
    2. the planned strategy and evolution of the architecture of ICT, including third-party dependencies,
    3. clear information security objectives, focusing on ICT systems and ICT services, staff and processes.

Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the financial institution’s risk appetite and that the projects and systems they deliver and the activities they perform are in compliance with external and internal requirements.

How can we help you?

If you’d like to know more about how we can help with your risk management or operational resilience processes or any other aspect of FCA compliance, our expert team is here to help. Contact us today on 0207 436 0630 – or email info@thistleinitiatives.co.uk.