Aspida Insights

Aspida Insights

Adriana Cassar

Executive Director

Demystifying the ICT Questionnaire

Following the publication by the Malta Financial Services Authority ( ‘MFSA’) in December 2020 of its Guidance on Technology Arrangements, ICT and Security Management, and Outsourcing Arrangements (the ‘MFSA ICT Guidance’), and the issuance of a number of related circulars (the ‘ICT Circulars’), more recently, the MFSA sent to all Maltese regulated firms a questionnaire (the ‘ICT Questionnaire).

In summary, the ICT Circulars, inter alia, amended the various MFSA rulebooks and made compliance with the provisions of the MFSA ICT Guidance compulsory for al licence holders. In addition, over the last couple of months and at separate points in time, the MFSA sent the ICT Questionnaire to all MFSA licensed firms. Each Category was requested to complete and formally submit the ICT Questionnaire to the MFSA within a stipulated timeframe of either 2 months or six weeks of receipt.

For many MFSA regulated firms, the submission deadline for their completed ICT Questionnaire has either recently surpassed  or is fast approaching which, unsurprisingly created/s some degree of unease and anxiety.

This article provides you with an insight into the background of the ICT questionnaire itself, and of the overall regulatory context into which it was initially developed, and is currently being used by the regulator.

Background

European regulators have, for some time now, been increasingly looking at the way in which financial services firms use information and communication technologies (ICT) in their business operations, and their dependency on such systems. In today’s fast moving digital world, many traditional financial services providers (and not only) have moved away from traditional static banking business models to flexible, often referred to as agile, business structures relying heavily on ICTs. Unsurprisingly, many old-fashioned high-streets banks have, these days, turned into IT-driven companies with banking licenses. Hence the coining of the term Fintech.

The increasing reliance on outsourced ICT Services and third party products (often provided in the form of diverse packaged solutions) may likely result in heavy dependencies on such systems, and an inherent increase in concentration risks.

Adding to that, the continuous emergence of new cybersecurity risks and the increased potential for cybercrime and cyberterrorism have caused regulatory authorities to grow increasingly concerned about the operational risks to which such financial operators become exposed (referred to, in regulatory jargon, as ICT and Information Security Risks). The exposure to such risks can create a domino on a country’s overall economy, resulting in potential non-negligible systemic risks. Acknowledging the increasing importance of ICT systems and, therefore, the increasing potential adverse prudential impact of failures on an institution and on the sector, European regulators have, over the last five years, developed regulatory tools to help them assess the potential risks levels to which FinTech firms might be or are exposed. 

Whilst, initially ICT risk assessments and management models developed by the EU were aimed at assessing systemically important financial institutions or FinTech firms, ultimately these new ICT “rules of engagement” are being applied to substantially every regulated firm within the European Union space,. Concurrently, EU regulators issued specific sets of rules aimed at the identification, assessment and mitigation of ICT risks, documenting regulatory expectations, with which licensed firms must comply.

The ICT Questionnaire was developed, and is currently being employed by regulatory authorities as a tool to assess the ICT risk exposure of the firms they regulate, and the resulting potential systemic impact these may cause to the financial system in the respective jurisdiction. In the EU regulatory universe where EU super-regulators and national regulators alike, employ a common risk based approach, it follows logically that, the higher the ICT risks faced by a firm (and the associated potential prudential impact) is, the closer the scrutiny and regulatory oversight that the respective firm will receive from its regulator.

The Facts

It is against such background that the MFSA (alongside all other financial regulatory authorities within the EU) had to come up with their own guidance on ICT related matters, and make use of the standard ICT Questionnaire. In short, all MFSA licensed firms in Malta must comply with the provisions of the MFSA ICT Guidance, and must submit competed ICT Questionnaire.

The roll-out of the EU’s ICT risk management regulatory framework has been designed to happen in stages and, then again, Malta follows the same approach. The circulation by the MFSA of its ICT Questionnaire and the request for its completion and submission by licenced firms by the designated deadline forms part of what one could call phase one of the MFSA’s framework implementation programme.

The subsequent stage of this process entails the assessment by the MFSA (based on the information disclosed in the submitted ICT Questionnaire) of the ICT Risk Profile of each firm it regulates. Depending on the outcome of the regulatory risk assessment and the risk profile assigned, the MFSA will likely decide the level of scrutiny and regulatory oversight that it needs to exercise over each firm, according to the, all important, principle of proportionality.

Points to Note

The MFSA are highly likely to subsequently verify on the ground the veracity of the information submitted by each licence holder in its complete ICT Questionnaire.

Regardless of its subsequent ICT risk profiling assessment and classification (part of phase two of its implementation programme), the MFSA expects all regulated firms in Malta to comply with the requirements set out in the MFSA ICT Guidance. In substance, this means that MFSA licensed firms must set up and implement a formalised internal governance framework addressing the identification, assessment, monitoring and mitigation of ICT and information security risks.

Aspida can assist licence holders in ensuring that they are in line with Regulatory expectations vis a vis cyber security and outsourcing arrangements.

Want to know more?

Please contact Ms Adriana Cassar on maltainfo@aspidagroup.com or call +356 20106167

Aspida Insights is where we draw on our knowledge, experience and expertise in key business areas such as compliance and risk management, regulation and corporate governance to offer our thoughts, forecasts and advice on a range of topical issues or areas of client concern.

Anti-money laundering, finding a better way

Not your average holiday read, but our Joint Chair, Wayne Bulpitt, took time during his recent holidays to read the Financial Intelligence Service (FIS) Annual Report 2020 and was struck by how little impact evidence is reported.

Read More »

Getting the right compliance culture

Culture is made up of values, beliefs and behaviours which are shared by a group of people and driven by leaders. Everyone in the Financial Services is concerned by it, from junior to senior employee, senior management, the Board of Directors, to shareholders and other key stakeholders. When the workplace is so driven by the bottom line, it is important that a good culture is deeply embedded within an organisation to motivate employees to do right even when no one is looking.

Read More »

Your partner in protecting and growing your business

Subscribe to receive our latest news, views and event information