On 11 May 2017, the European Banking Authority (“EBA”) issued new Guidelines on ICT Risk Assessment by competent authorities or regulators (the “Guidelines”). The Guidelines were produced “in view of the growing importance and increasing complexity of ICT risk within the banking industry and individual institutions”. They are intended to take effect from 1 January 2018 and apply in parallel to the guidance that regulators already follow to determine the operational risk to which banks are exposed. Financial institutions can therefore expect their operational risk to be assessed in respect of, among other areas, ICT security, business continuity and data integrity.

In particular, the Guidelines introduce common terms to be used by all regulators in the EEA when conducting the assessment. While a range of options exists, to date there has been no broadly adopted global standard for ICT risk terminology in financial services. The EBA’s definitions do not solve the problem at a global level, but they at least offer some consistency within the EEA.

These new Guidelines follow the EBA’s publication in February 2017 of its final report on the draft Regulatory Technical Standards (“RTS”) under the revised Payment Services Directive (“PSD 2”, a revision of the previous directive to account for technological developments in retail payment services). The RTS are designed to ensure appropriate levels of security for consumers, maintain fair competition between payment service providers and allow for the development of innovative payment solutions. They specify the requirements of strong customer authentication (“SCA”), the exemptions from the application of SCA, the requirements with which security measures must comply in order to protect the confidentiality and integrity of payment service users’ personalised security credentials, and the requirements for common and secure open standards of communication between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers. The RTS will apply from November 2018 at the earliest.

Click here to read the EBA’s Guidelines on ICT Risk Assessment.

Click here to read the EBA’s final report on its draft Regulatory Technical Standards.

Miriam Everett
Head of Data Protection and Privacy, London
+44 20 7466 2378
Nick Pantlin
Partner, Head of Digital TMT and Sourcing, London
+44 20 7466 2570
Andrew Moir
Partner, Global Head of Cyber Security, London
+44 20 7466 2773
Claire Wiseman
Senior Associate and Professional Support Lawyer, Digital TMT and Sourcing, London
+44 20 7466 2267