Software risk compliance round-up: November


Here is QA Financial’s monthly review of new developments and initiatives in compliance and regulation that affect the management of software at financial firms.

MAS punishes DBS Bank for IT failures

The Monetary Authority of Singapore (MAS), the Singaporean central bank and financial regulator, has imposed a six-month ban on DBS Bank from undertaking any new business acquisitions. The decision comes in the wake of multiple service disruptions experienced by the bank this year. In addition to this, DBS Bank, which is Singapore’s largest lender, has been mandated to halt all non-essential IT modifications for the same duration.

Commenting on the announcement, MAS said: “This is to ensure that the bank dedicates the needed resources and attention to strengthen its technology risk management systems and controls.”

Full article available here.

 

Reserve Bank of India introduces operational resilience requirements

The Reserve Bank of India, India’s central bank and banking regulator, has released new policies setting out IT risk and resilience requirements for banks. The measures, which come into force on 1st April 2024, include prescriptive requirements for ensuring operational resilience.

Banks will be required to develop a business continuity plan and disaster recovery policy, which include semi-annual disaster recovery drills, regular scenario testing and the minimisation of system recovery times.

Full details available here.

 

Basel updates on OpRes progress at banks

The Basel Committee on Banking Supervision, the global standard-setter for bank regulation hosted by the Bank for International Settlements, has published an update on the adoption and implementation of the Principles for Operational Resilience (POR) and the revised Principles for the Sound Management of Operational Risk (PSMOR) among banks.

Published in March 2021, these principles aim to enhance banks’ resilience against operational risks that could lead to significant failures or disruptions in financial markets.

Despite progress, full adoption may take until at least 2025 in some jurisdictions. The assessment underscores the importance of leveraging all aspects of operational risk management to achieve operational resilience, acknowledging that it goes beyond business continuity. The Committee emphasises the need for banks to establish and maintain accurate data on critical operations and stresses the foundational role of mapping interconnections for successful adoption of the principles. To strengthen banks’ operational resilience, the Committee encourages full adoption of POR and PSMOR into their operational risk management practices and regulatory frameworks, with new guidance and regulations by national authorities contributing to this effort.

Full article available here.

 

EC requests feedback on third-party regulations

The European Commission, the EU body responsible for implementing and monitoring EU law, has requested feedback on its draft regulations for the management of third-party ICT providers deemed critical to the EU financial sector.

The draft regulations outline oversight fees that must be paid by critical third-party ICT providers to cover the costs of monitoring and oversight efforts by the European Supervisory Authorities (ESAs). These fees are set at €500,000 for the first year in which a third-party ICT provider is designated as critical. Fees are thereafter determined by the extent of supervisory work deemed necessary by the ESAs and the revenue of the company in question.

Further details available here.

 

EBA chair scopes regulatory plan for third-party providers

José Manuel Campa, chair of the European Banking Authority, discussed the increased dependence of EU financial firms on third-party ICT providers in a recent speech, and set out a roadmap for how regulators will mitigate the resulting increase in risk to digital resilience.

He outlined how the European Supervisory Authorities (ESAs) will identify and monitor third-party ICT providers that are critical to the EU financial system. The ESAs are the three EU financial regulators: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).

Full article available here.

 

Australian regulator prioritises OpRes for 2024

The Australian Securities and Investments Commission (ASIC) has announced that technology and operational resilience in the Australian financial sector will be a key focus of its supervisory efforts in 2024.

Commenting on the announcement, ASIC deputy chair Sarah Court said: “In 2024 we will specifically focus on technology and operational resilience for market operators and market participants, including compliance with the new market integrity rules.”

Full details available here.

 

ESMA enhances digital OpRes

The European Securities and Markets Authority (ESMA), the EU markets regulator, has redefined its Union Strategic Supervisory Priorities (USSPs) to focus on digital resilience and cyber risk, alongside Environmental, Social, and Governance (ESG) disclosures. This new USSP replaces the existing USSP on market data quality.