The FSCA and the Prudential Authority (jointly referred to as the Authorities) have recently published the final version of Joint Standard 1 of 2023: Information Technology (IT) Governance and Risk Management (Joint Standard), which sets out the principles for IT governance and risk management that financial institutions must comply with to achieve sound practices and processes in managing IT risk.
Consultation process
The Joint Standard has been through a long consultation process, starting on 9 June 2021 when the draft version of the Joint Standard was released for public comment with feedback due by 26 July 2021. The Authorities received over 600 comments from 32 respondents, including commentary from Masthead. Masthead members can access the feedback Masthead submitted on their behalf through Masthead Connect.
Following the public consultation process, the Authorities amended the draft Joint Standard in response to certain comments. During July and August 2022, the Authorities consulted further on the amended draft Joint Standard with commentators from the previous consultation round. The Joint Standard was thereafter tabled in Parliament on 23 May 2023. The final version of the Joint Standard was signed by the Authorities on 6 and 10 November 2023.
Commencement date
The commencement date of the Joint Standard was initially proposed as 1 January 2022 and, in the last draft version, as 1 January 2024. However, commentators, including Masthead, requested that the requirements be made more appropriate for smaller entities and that financial institutions be afforded more time to prepare for compliance with, and implementation of, the Joint Standard.
Therefore, although the final version was signed and published in November 2023, the Authorities have allowed an additional 12 months after the date of publication before commencement. The Joint Standard will therefore commence on 15 November 2024, and financial institutions to which it applies must be fully compliant by this date.
Application
The Joint Standard applies to the following financial institutions:
- A discretionary FSP as contemplated in the Code of Conduct for Administrative and Discretionary FSPs;
- An administrative FSP as contemplated in the Code of Conduct for Administrative and Discretionary FSPs;
- Banks and their branches (including a branch of a foreign institution) registered under the Banks Act;
- Mutual banks registered under the Mutual Banks Act;
- Insurers and controlling companies of insurance groups (insurers) licensed under the Insurance Act;
- Market infrastructures licensed under the Financial Markets Act; and
- Managers of collective investment schemes licensed under the Collective Investment Schemes Control Act.
Need and Objectives
The Statement of Need explains that information technology is central to how many financial institutions conduct their business and deliver financial products and services to their customers. When critical systems fail and customers cannot access financial products and services, a financial institution's business operations may immediately come to a standstill, resulting in significant consequences such as reputational damage, regulatory breaches, and revenue and business losses, with further consequences for the broader economy.
Accordingly, financial institutions and supervisors need to be vigilant and to monitor practices and risks that might inhibit beneficial innovation in the financial sector. The Authorities highlight the importance of financial institutions putting in place robust IT risk management frameworks, with effective governance structures and risk management processes that appropriately identify, manage and monitor IT risks. It is for this reason that the Joint Standard has been developed.
The Joint Standard seeks to address the following:
- ensure that financial institutions have established a sound and robust IT risk management framework;
- assist financial institutions in integrating technology risk management into their overall management system; and
- ensure that oversight of IT risk management is incorporated into the governance and risk management structures, processes and procedures of a financial institution.
Financial institutions are expected to implement IT controls that are commensurate with their risk appetite, based on the nature, size, and complexity of the financial institution’s operations. The Authorities are of the view that it is critical to ensure that regulatory requirements do not place an undue regulatory burden and/or barriers to entry in respect of smaller financial institutions. However, it is equally critical to ensure that regulatory requirements mitigate the relevant risks and an appropriate balance in this regard must be struck.
Concerns regarding the cost of compliance were also raised during the consultation process. The Authorities considered these concerns; however, they remain of the view that an inadequate IT risk management framework and strategy may have dire consequences for the entire operation of a financial institution, especially as the financial sector operates in a highly digitalised environment.
In practice, the Authorities will adopt a risk-based approach to supervision of the Joint Standard, meaning that focus and regulatory interventions will be commensurate to the risks and impact that entities pose to the financial sector.
In our view, smaller entities will require additional support to ensure a clear understanding of their regulatory obligations through additional guidance when undertaking the implementation of the requirements of the Joint Standard.
The Authorities have stated that, as an additional mechanism to facilitate proportionality, an exemption from a specific requirement of the Joint Standard might be considered where that requirement remains too onerous for a small financial institution despite the application of proportionality. However, the Authorities are mindful of not "regulating by exemption", and this option may only be used in limited circumstances.
Masthead has already begun assisting financial institutions with compliance with, and implementation of, the Joint Standard; as part of this work, a Gap Analysis review was completed in the latter part of 2023.