The FSCA and the Prudential Authority (PA) have published the finalised Joint Standard setting out the principles with which financial institutions must comply to achieve sound practices and processes when managing information technology (IT) risks.
Joint Standard 1 of 2023: Information Technology Governance and Risk Management commences on 15 November.
The Joint Standard applies to the following financial institutions:
- banks, including the branch of a foreign bank, registered under the Banks Act;
- mutual banks registered under the Mutual Banks Act;
- insurers and the controlling companies of insurance groups licensed under the Insurance Act;
- market infrastructures licensed under the Financial Markets Act;
- managers of collective investment schemes licensed under the Collective Investment Schemes Control Act;
- discretionary FSPs as defined in the Code of Conduct for Administrative and Discretionary FSPs; and
- administrative FSPs as contemplated in the Code of Conduct for Administrative and Discretionary FSPs.
The Statement of Need states that financial institutions are expected to implement IT controls that are commensurate with their risk appetite, based on the nature and size of the financial institution’s operations.
The FSCA and the PA will, as part of their supervisory programmes, review and assess the adequacy of the IT risk management policies, processes, and practices of financial institutions, both those covered by the Joint Standard and those that are not. Regulatory instruments and guidance on IT risk management will be developed for co-operative financial institutions, co-operative banks, and micro-insurers.
The Authorities published the draft Joint Standard in June 2021 for comment by 26 July 2021. They received more than 600 comments from 32 respondents. Immaterial amendments were made to the draft Joint Standard, according to the Consultation Report.
Commentators raised concerns that the cost of compliance with the Joint Standard may be relatively low to moderate, but, once aggregated with the overall cost of compliance and governance, may result in increased pressure on the economic viability of small to medium enterprises.
The Authorities’ view is that an inadequate IT risk management framework and strategy may have dire consequences for the entire operation of a financial institution.
They said an appropriate balance must be struck between regulatory requirements placing an undue compliance burden on, or creating barriers of entry for, smaller financial institutions and ensuring that regulations mitigate the relevant risks.
The FSCA and PA will adopt a risk-based approach to supervision of the Joint Standard, which means that regulatory interventions will be commensurate to the risks and impact that entities pose to the financial sector, the Statement of Need states.
In an attempt to strike the appropriate balance, the requirements facilitate the proportional application of the Joint Standard and provide that the requirements must be implemented in accordance with the risk appetite, nature, size, and complexity of a financial institution.
If there are still instances where a specific requirement is too onerous on a small financial institution despite the application of the principle of proportionality, an exemption from the specific requirement might be considered. However, the Authorities are mindful of not “regulating by exemption” and so this option may be used in limited circumstances.
The Authorities may also support compliance with the Joint Standard, helping smaller entities, in particular, to understand their regulatory obligations by providing additional regulatory guidance through, for example, a guidance notice.
Rationale for the Joint Standard
The Statement of Need sets out the reasons for creating “an appropriate and comprehensive” regulatory framework governing IT risk management from both a prudential perspective and a conduct perspective.
IT is at the centre of how many financial institutions conduct their business and deliver financial products and services to their customers. When critical systems fail and customers cannot access financial products and services, the business operations of a financial institution may immediately come to a standstill.
The impact on customers would be immediate, with significant consequences to the financial institution, including reputational damage, regulatory breaches, and revenue and business losses.
Also, given the role played by the financial sector in the economy, offering access to the payment system, transformation of assets, and managing risks, such disruptions can have additional consequences on the broader economy.
Considering the above, there is a need for financial institutions and supervisors to be vigilant and monitor practices and risks that might inhibit beneficial innovations in the financial sector. It is important that financial institutions put in place robust IT risk management frameworks to manage IT risks, ensuring they have effective governance structures and risk management processes that appropriately identify, manage, and monitor IT risks, the Statement of Need says.