Subsequent to the final publication by the MFSA in December 2020 of its Guidance on Technology Arrangements, ICT and Security Management, and Outsourcing Arrangements (the ‘MFSA ICT Guidance’) and the issuance of a related circular (the ‘ICT Circular’), recently, the MFSA has circulated to a number of regulated firms an ICT questionnaire (the ‘ICT Questionnaire’). Whilst the ICT Circular amended various MFSA rulebooks and made compliance with the provisions of the MFSA ICT Guidance compulsory for all relevant firms, the MFSA ICT Questionnaire appears to be an aid used by the regulator to gauge market participants’ understanding of the MFSA ICT Guidance and their preparedness for and compliance with the regulatory requirements arising therefrom.

The MFSA ICT Guidance is aimed at all firms (large or small) operating in the financial services universe in Malta, is highly technical and a difficult read for those who do not have an IT background or familiarity with emerging computer based technologies.

The term ICT (which stands for Information and Communication Technology), refers generally and generically to all systems employed by firms to communicate internally and externally, promote and provide financial products and services to clients, report information to regulators, store and process data, etc.. The term Technology Arrangements refers to the particular ICT set-up a firm has in place which, naturally, varies from firm to firm depending on the type of financial products and services it offers to its existing or potential clients and the level of complexity of its systems and operations.

The risks arising from the malfunctioning or misuse of ICTs and the potential vulnerability of Technology Arrangements are seen by EU regulators and the MFSA alike as reasons for regulatory concern regarding the stability of the Maltese financial system and the protection of consumers. The broad use of the internet and the inherent Cybersecurity risks arising from its use add further complexity to the subject. In order to address such concerns, the MFSA have issued the ICT Guidance (which for all intents and purposes appear to be the new rules of engagement, rather than just guidance) which put the onus on regulated firms to identify their ICT and Cybersecurity risks and the vulnerabilities to which their Technology Arrangements may be exposed, and then develop and implement measures to mitigate such risks.

The MFSA ICT Guidance requires regulated firms to have in place a formalised ICT Governance and Strategy Framework, documented via ICT Policies and Procedures setting out the key processes to ensure the control and mitigation of risks arising from the use of ICT systems and the internet. The ICT and Cybersecurity risks to which a firm is exposed are defined as its ICT & Security Risks and the process of pro-actively managing and mitigating such risks is referred to as ICT & Security Risk Management, which must be a component of a firm’s corporate governance framework.

With many firms, these days, outsourcing their ICT functionality to third party service providers, the regulators see such outsourcing arrangements as an additional layer of operational risks to which such firms are exposed, which risks must also be mitigated appropriately. Consequently, the MFSA ICT Guidance contains an entire section (Title 5) of regulatory provisions covering the identification, assessment and mitigation of risks arising from ICT outsourcing arrangements.

Compliance with the provisions of the MFSA ICT Guidance is compulsory for all MFSA regulated firms (as per the ICT Circular), and your firm must make the necessary amendments to its governance framework, policies, procedures and compliance arrangements to address these matters adequately.

How can we help you?

• Provision of consultancy on the ICT Guidance
• Assistance with the completion of the ICT Questionnaire
• Perform a gap analysis of License Holders current Cyber Security and Outsourcing
  Policies or provide assistance with drafting or redrafting them

Should you have any questions on the above or seek guidance on any compliance matters, please contact Aspida Advisory Services (Malta) Ltd by calling us on +356 2010 6167 or emailing maltainfo@aspidagroup.com 

This client briefing note is intended merely to highlight issues and not to be comprehensive, nor to provide legal or
regulatory compliance advice. Should you have any questions on the matters outlined in this document, please contact
us on +356 2010 6167 or at maltainfo@aspidagroup.com