Executive Director
In summary, the ICT Circulars, inter alia, amended the various MFSA rulebooks and made compliance with the provisions of the MFSA ICT Guidance compulsory for al licence holders. In addition, over the last couple of months and at separate points in time, the MFSA sent the ICT Questionnaire to all MFSA licensed firms. Each Category was requested to complete and formally submit the ICT Questionnaire to the MFSA within a stipulated timeframe of either 2 months or six weeks of receipt.
For many MFSA regulated firms, the submission deadline for their completed ICT Questionnaire has either recently surpassed or is fast approaching which, unsurprisingly created/s some degree of unease and anxiety.
This article provides you with an insight into the background of the ICT questionnaire itself, and of the overall regulatory context into which it was initially developed, and is currently being used by the regulator.
European regulators have, for some time now, been increasingly looking at the way in which financial services firms use information and communication technologies (ICT) in their business operations, and their dependency on such systems. In today’s fast moving digital world, many traditional financial services providers (and not only) have moved away from traditional static banking business models to flexible, often referred to as agile, business structures relying heavily on ICTs. Unsurprisingly, many old-fashioned high-streets banks have, these days, turned into IT-driven companies with banking licenses. Hence the coining of the term Fintech.
The increasing reliance on outsourced ICT Services and third party products (often provided in the form of diverse packaged solutions) may likely result in heavy dependencies on such systems, and an inherent increase in concentration risks.
Adding to that, the continuous emergence of new cybersecurity risks and the increased potential for cybercrime and cyberterrorism have caused regulatory authorities to grow increasingly concerned about the operational risks to which such financial operators become exposed (referred to, in regulatory jargon, as ICT and Information Security Risks). The exposure to such risks can create a domino on a country’s overall economy, resulting in potential non-negligible systemic risks. Acknowledging the increasing importance of ICT systems and, therefore, the increasing potential adverse prudential impact of failures on an institution and on the sector, European regulators have, over the last five years, developed regulatory tools to help them assess the potential risks levels to which FinTech firms might be or are exposed.
Whilst, initially ICT risk assessments and management models developed by the EU were aimed at assessing systemically important financial institutions or FinTech firms, ultimately these new ICT “rules of engagement” are being applied to substantially every regulated firm within the European Union space,. Concurrently, EU regulators issued specific sets of rules aimed at the identification, assessment and mitigation of ICT risks, documenting regulatory expectations, with which licensed firms must comply.
The ICT Questionnaire was developed, and is currently being employed by regulatory authorities as a tool to assess the ICT risk exposure of the firms they regulate, and the resulting potential systemic impact these may cause to the financial system in the respective jurisdiction. In the EU regulatory universe where EU super-regulators and national regulators alike, employ a common risk based approach, it follows logically that, the higher the ICT risks faced by a firm (and the associated potential prudential impact) is, the closer the scrutiny and regulatory oversight that the respective firm will receive from its regulator.
It is against such background that the MFSA (alongside all other financial regulatory authorities within the EU) had to come up with their own guidance on ICT related matters, and make use of the standard ICT Questionnaire. In short, all MFSA licensed firms in Malta must comply with the provisions of the MFSA ICT Guidance, and must submit competed ICT Questionnaire.
The roll-out of the EU’s ICT risk management regulatory framework has been designed to happen in stages and, then again, Malta follows the same approach. The circulation by the MFSA of its ICT Questionnaire and the request for its completion and submission by licenced firms by the designated deadline forms part of what one could call phase one of the MFSA’s framework implementation programme.
The subsequent stage of this process entails the assessment by the MFSA (based on the information disclosed in the submitted ICT Questionnaire) of the ICT Risk Profile of each firm it regulates. Depending on the outcome of the regulatory risk assessment and the risk profile assigned, the MFSA will likely decide the level of scrutiny and regulatory oversight that it needs to exercise over each firm, according to the, all important, principle of proportionality.
The MFSA are highly likely to subsequently verify on the ground the veracity of the information submitted by each licence holder in its complete ICT Questionnaire.
Regardless of its subsequent ICT risk profiling assessment and classification (part of phase two of its implementation programme), the MFSA expects all regulated firms in Malta to comply with the requirements set out in the MFSA ICT Guidance. In substance, this means that MFSA licensed firms must set up and implement a formalised internal governance framework addressing the identification, assessment, monitoring and mitigation of ICT and information security risks.
Aspida can assist licence holders in ensuring that they are in line with Regulatory expectations vis a vis cyber security and outsourcing arrangements.
Please contact Ms Adriana Cassar on maltainfo@aspidagroup.com or call +356 20106167
The Guernsey Finance Industry update on the 19th January gave a very loud and clear message that Guernsey is obtaining good international engagement and is very much ‘open for business’.
Aspida Group celebrate the graduation of the first trainees of our groundbreaking Advisory Trainee Programme as Blaine and Dan are busy planning for their 4 week sabbaticals. Bee McDaid and Dan Radford were the initial members of Aspida’s
The Guernsey branch of the Institute of Directors (IoD) continues its members-only director development series, sponsored by Aspida Advisory Services, for a second year. After a successful launch in 2022, the IoD will run three
