EBA issues new regulatory guidelines on ICT Risk Assessment and report on Payment Services Directive

On 11 May 2017, the European Banking Authority ("EBA") issued new Guidelines on ICT Risk Assessment by competent authorities or regulators (the "Guidelines"). The Guidelines were produced "in view of the growing importance and increasing complexity of ICT risk within the banking industry and individual institutions". They are intended to take effect from 1 January 2018 and apply in parallel to the current guidance that regulators already follow to determine the operational risk to which banks are exposed. Financial institutions are expected to be subject to assessment of their operational risk, including in respect of their security, business continuity and data integrity among other areas.

In particular, the Guidelines introduce some common terms to be used by all regulators in the EEA when conducting the assessment. while there are a range of options, to date there has been no broadly adopted global standard for ICT risk terminology in financial services. The EBA's definitions do not solve the problem at a global level, but they at least offer some consistency within in the EEA area.

These new guidelines follow the EBA also publishing a final report on its draft Regulatory Technical Standards ("RTS") in February 2017, which form part of the Payment Services Directive (known as "PSD 2" – a revised version of the previous directive to account for technological updates in retail payments services). The RTS, which are designed to ensure appropriate levels of security for consumers, maintain fair competition between payment service providers and allow for the development of innovative payment solutions, specify the requirements of strong customer authentication ("SCA") , exemptions from the application of SCA, the requirements with which security measures have to comply in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials, and the requirements for common and secure open standards of communication between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers. The RTS will apply from November 2018 at the earliest.

Click here to read the EBA's Guidelines on ICT Risk Assessment.

Click here to read the EBA's final report on its draft Regulatory Technical Standards.