Following the publication by the Malta Financial Services Authority (‘MFSA’) in December 2020 of its Guidance on Technology Arrangements, ICT and Security Management, and Outsourcing Arrangements (the ‘MFSA ICT Guidance’), and the issuance of a number of related circulars (the ‘ICT Circulars’), the MFSA has more recently sent a questionnaire (the ‘ICT Questionnaire’) to all Maltese regulated firms.
European regulators have, for some time now, been looking increasingly closely at the way in which financial services firms use information and communication technologies (ICT) in their business operations, and at their dependency on such systems. In today’s fast-moving digital world, many traditional financial services providers (and not only those) have moved away from static banking business models to flexible, often referred to as agile, business structures relying heavily on ICT. Unsurprisingly, many old-fashioned high-street banks have, these days, turned into IT-driven companies with banking licences. Hence the coining of the term FinTech.
The increasing reliance on outsourced ICT services and third-party products (often provided in the form of diverse packaged solutions) is likely to result in heavy dependencies on such systems, and in an inherent increase in concentration risk.
In addition, the continuous emergence of new cybersecurity risks and the increased potential for cybercrime and cyberterrorism have caused regulatory authorities to grow increasingly concerned about the operational risks to which such financial operators become exposed (referred to, in regulatory jargon, as ICT and Information Security Risks). Exposure to such risks can create a domino effect on a country’s overall economy, resulting in potentially non-negligible systemic risks. Acknowledging the increasing importance of ICT systems and, therefore, the increasing potential adverse prudential impact of failures on an institution and on the sector, European regulators have, over the last five years, developed regulatory tools to help them assess the potential risk levels to which FinTech firms might be, or are, exposed.
Whilst the ICT risk assessment and management models initially developed by the EU were aimed at assessing systemically important financial institutions or FinTech firms, these new ICT “rules of engagement” are ultimately being applied to substantially every regulated firm within the European Union. Concurrently, EU regulators issued specific sets of rules aimed at the identification, assessment and mitigation of ICT risks, documenting the regulatory expectations with which licensed firms must comply.
The ICT Questionnaire was developed, and is currently being employed by regulatory authorities, as a tool to assess the ICT risk exposure of the firms they regulate, and the resulting potential systemic impact these firms may have on the financial system in the respective jurisdiction. In the EU regulatory universe, where EU super-regulators and national regulators alike employ a common risk-based approach, it follows logically that the higher the ICT risks faced by a firm (and the associated potential prudential impact) are, the closer the scrutiny and regulatory oversight that the firm will receive from its regulator.