EBA publishes guidelines to assess Information and Communication Technology risk

The European Banking Authority (EBA) published today its final Guidelines on the assessment of the Information and Communication Technology (ICT) risk in the context of the Supervisory Review and Evaluation Process (SREP). These Guidelines are addressed to competent authorities and aim at promoting common procedures and methodologies for the assessment of ICT risk.

The growing importance and complexity of ICT risk, both across the banking industry and within individual institutions, together with its increasing potential for adverse prudential impact on an institution and on the sector as a whole, have prompted the EBA to develop these Guidelines on its own initiative to assist competent authorities in assessing ICT risk as part of the SREP. These Guidelines should therefore be read in conjunction with the EBA SREP Guidelines, which remain applicable as appropriate.

The Guidelines are structured around three main parts: (i) the general provisions for applying these Guidelines; (ii) the assessment of the institution’s ICT governance and strategy; and (iii) the assessment of ICT risk and the controls in place, in the context of risks to capital. This mirrors the structure of the assessment of operational risk in the EBA SREP Guidelines.

These Guidelines are complemented by an ICT risk taxonomy, which sets out five ICT risk categories and a non-exhaustive list of examples of material ICT risks that competent authorities should consider as part of the assessment.

The Guidelines do not introduce any additional reporting obligation. Competent authorities may, however, request additional information from an institution where necessary.

These Guidelines are applicable from 1 January 2018.

Legal basis

These final Guidelines have been developed on the EBA’s own initiative in accordance with Article 16 of Regulation (EU) No 1093/2010, which envisages that the Authority shall issue guidelines with a view to ensuring the common, uniform and consistent application of Union law and to establish consistent, efficient and effective supervisory practices within the European System of Financial Supervision.

These Guidelines supplement the EBA Guidelines on common procedures and methodologies for SREP (EBA/GL/2014/13).


Lavanya Rathnam

Lavanya Rathnam is an experienced technology, finance, and compliance writer. She combines her keen understanding of regulatory frameworks and industry best practices with exemplary writing skills to communicate complex concepts of Governance, Risk, and Compliance (GRC) in clear and accessible language. Lavanya specializes in creating informative and engaging content that educates and empowers readers to make informed decisions. She also works with different companies in the Web 3.0, blockchain, fintech, and EV industries to assess their products’ compliance with evolving regulations and standards.
