Information and communication technology (ICT) risks are an integral part of today’s financial institutions risk spectrum. No matter whether financial institutions are early adopters in new technologies or have implemented non-complex technologies, they are nevertheless exposed to risks related to their respective ICT strategy and ICT operational implementation. Gone are the days when financial institutions were able to perform their day-to-day business without the use of information and communication technology.
It is therefore fundamental that financial institutions shall manage the ICT risks that they are exposed to, in order to avoid potential adverse impacts on the operational functioning of the financial institution, potentially even leading to compromising a financial institution’s viability.
The following chapters aim to provide financial institutions with guidance on various topics related to ICT risk.
For additional information related to new technologies, please consult the Financial innovation page.
ICT and Security Risk Management
The EBA has recently issued Guidelines on ICT and security risk management which are applicable as from 30 June 2020 and apply to credit institutions, investment firms and payment service providers as defined in Directive (EU) 2015/2366 on payment services in the internal market (PSD2).
Also, the Commission Delegated Regulation (EU) 2018/389 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the “RTS”) set key requirements to improve the security of payment services across the European Union. The payment service providers (“PSPs”) concerned by the new obligations are the ones defined in points (i), (ii), (iii) and (iv) of Article 1(37) of the Law of 10 November 2009 (as amended by the Law of 20 July 2018) on payment services and for which the CSSF is the designated competent authority for supervisory purposes under the law:
i) Credit institutions
ii) Electronic money institutions
iii) POST Luxembourg and
iv) Payment institutions.
The RTS also require all payment services providers who offer payment accounts accessible online to offer at least one access interface enabling secure communication with, and access, by account information and payment initiation service providers (AISPs and PISPs) to the payment service user’s payment account data. The PSPs that have opted to offer access via a dedicated interface are required to implement a contingency mechanism (also called fallback mechanism), unless they receive an exemption from the CSSF in accordance with the four conditions set out under Article 33(6) of the RTS.
All PSPs concerned that would like to obtain such an exemption are required to refer to the Circular CSSF 19/720 adopting the EBA Guidelines specifying further the conditions to benefit from an exemption from the contingency mechanism under Article 33(6) of the RTS and to fill in the form for exemption authorisation request available on the CSSF website. This form must be submitted via email to the address psd2‑firstname.lastname@example.org.
Other regulatory texts
In recent years, and nonetheless due to recent changes in regulation, financial institutions have taken the opportunity to outsource IT activities. They are taking advantage of economies of scale, grouping efforts with group entities or making use of external service providers providing solutions adapted to their business models and processes. Nevertheless, outsourcing IT activities can create challenges to the governance framework of financial institutions, particularly to internal controls, data management and protection, and may even lead to security issues.
Under Circulars CSSF 12/552 and CSSF 17/656 respectively, financial institutions shall obtain prior authorisation from the CSSF for the outsourcing of a material IT activity (seen as “critical or important functions” in the sense of EBA/GL/2019/02). In order to assist with the materiality assessment, an FAQ is provided. For the purpose of the authorisation, a template has been developed that must be submitted to the agent in charge of the supervision of the entity via the agreed communication channels, and as stated in the template. Should the outsourcing be towards a support PFS according to Articles 29-1 to 29-6 of the Law of 5 April 1993 relating to the financial sector (LFS), a notification stating that the conditions laid down in the respective circular are complied with is sufficient.
Please note that where an IT outsourcing, or a chain of outsourcing exclusively composed of IT outsourcing, relies on a cloud computing infrastructure as defined in Circular CSSF 17/654, the points of sub-chapter 7.4 of Circular CSSF 12/552 and Circular CSSF 17/656 shall not apply and the financial institution shall comply with the requirements of Circular CSSF 17/654. For more details refer to the following section.
Under Circular CSSF 18/698, investment fund managers must notify to the CSSF beforehand the use of a third party for consultancy, programming, maintenance or management of IT systems and such recourse must be formalised by a service contract. Furthermore, Circular CSSF 17/654 applies to investment fund managers if they use this infrastructure. For more details refer to the following section.
The EBA has recently issued its Guidelines on outsourcing arrangements which have become applicable as of 30 September 2019, apart from paragraph 63(b) which applies from 31 December 2021.
Specificities regarding IT outsourcing relying on a cloud computing infrastructure
IT outsourcing relying on a cloud computing infrastructure has become more and more attractive to financial institutions over the past years. The CSSF has been at the forefront of analysing solutions offered by cloud service providers (CSPs) in order to clarify and establish a concrete regulatory framework as regards IT outsourcing relying on cloud computing infrastructures.
The resulting Circular CSSF 17/654, as amended, has two essential features, namely:
- a definition of the cloud from reputable organisations, comprising the five essential characteristics, and supplemented by two specific requirements related to the exclusion of data access by the cloud service provider and the provision of automated resources without the need for human intervention;
- the definition of the roles of the actors involved in the outsourcing and their respective responsibilities.
Paragraph 26 of the circular describes in detail the necessity to inform the competent authority when making use of IT outsourcing relying on cloud computing infrastructure. In order to facilitate the filing of this information a series of 5 forms has been created (Form A – Form E) and a summary document (which can be found below in the section “Guidance”) describes which form is to be used in which case. Finally an FAQ and the template for the register are also provided.
Other regulatory texts
The increasing complexity of information and communication technology (ICT), paired with the rise in online services and interconnectedness of financial institutions renders the operations of financial institutions vulnerable to IT incidents and in particular external security attacks, including cyber-attacks.
Once IT incidents or external security attacks occur, they can have a significant operational, financial and/or reputational impact on the financial institutions concerned, and may even endanger the entire ecosystem or serve as an early warning for future incidents.
As such, a number of reporting obligations exist towards the supervisory authority (CSSF and/or ECB) as regards reporting IT and cyber incidents and attacks in order to keep the supervisory authority informed of such incidents.
Under Circular CSSF 11/504, all establishments subject to the supervision of the CSSF are required to report on frauds and incidents due to external computer attacks. This reporting shall allow the CSSF to closely follow the individual incident as well as anticipate, if possible, potential impact and consequences for the financial market and may lead to the issuance of recommendations for financial institutions based on the reported incidents. These incident reports are to be submitted to the respective agent in charge of the supervision of the entity via the agreed communication channels.
Furthermore, Circular CSSF 18/704, applicable to all payment service providers, transposes the requirements of the EBA guidelines on major incident reporting under the PSD2, requiring payment service providers to report major operational or security incidents to the CSSF without undue delay. These reports are to be submitted, as described in the annex to the circular, via the file channel system.