Bank IT Risks Subject To Greater Regulatory Scrutiny Under New EBA Guidelines

Pinsent Masons
Banks can expect financial regulators to take a deeper interest in the IT risks they are exposed to, and the measures they have put in place to address those risks, under new guidelines issued by the European Banking Authority (EBA).


The EBA said it had set out the guidelines "in view of the growing importance and increasing complexity of ICT risk within the banking industry and in individual institutions".

According to the guidelines (78-page / 808KB PDF), which take effect on 1 January 2018, banks can expect national regulators to scrutinise their exposure to ICT risks, including risks to system security, business continuity and data integrity, as well as the potential for those risks to disrupt the financial system as a whole.

Factors such as the age and complexity of banks' IT systems, whether or not the banks use "innovative ICT solutions", and whether or not they are in the process of updating their IT infrastructure, including as part of merger and acquisition deals, could be relevant to the regulators' assessment.

The guidelines suggested that banks' IT strategies and governance arrangements will also be subject to regulators' scrutiny, and that the firms should have business resilience and continuity plans, ICT security policies and a documented security incident management and escalation process in place, amongst other things.

Regulators should also assess whether banks have measures in place to prevent "unauthorised changes" being made to software code they have developed, as well as "an effective framework in place for identifying, understanding and measuring ICT outsourcing risk", the guidelines said.

The EBA's guidelines are designed to sit alongside existing guidance that regulators are supposed to follow to assess the operational risk banks are exposed to.

"The growing importance and increasing complexity of ICT risk within the banking industry and in individual institutions, as well as the increasing potential adverse prudential impact from this risk on an institution and on the sector as a whole have prompted the EBA to develop these guidelines on its own initiative to assist competent authorities in their assessment of ICT risk as part of the SREP (Supervisory Review and Evaluation process)," the EBA said.

