Central Bank issues regulatory framework for banks to manage technology risks

• Banks required to incorporate technology risk as part of capital adequacy test in line with other risks 

In what appears to be an attempt to ensure that banks are taking adequate internal controls and safeguards against potential technology risks during their general course of business, the Central Bank recently issued a fresh regulatory framework stipulating minimum set of requirements banks must follow. 
In a Banking Act direction titled ‘Regulatory framework on technology risk management and resilience for licensed banks’ issued last week, banks were asked to establish an, ‘Information Security Committee,’ chaired by the Chief Executive Officer to review the management of the strategic and operational aspects of the technology risk. 
The committee should meet at least once in two months and report to the Board of Directors through the Board Integrated Risk Management Committee on a quarterly basis as the Central Bank assigned the responsibility with the Board to establish adequate oversight measures over the implementation of technology risk management and resilience requirements specified in the regulatory framework. The fresh guidelines come at a time when the banking business has rapidly shifted to digital platforms since the onset of the pandemic last year when restrictions on mobility and other physical activities came in to effect.
A record number of people and businesses signed up with digital banking platforms to ensure seamless banking activities, bringing at least five years of digital transformation in the banking sector into a single year.   
While that brought cost efficiencies and convenience to all stakeholders, the rapid digitalisation also exposed these parties to cyber security risks, privacy violations and theft of confidential data and funds. 
Hence mitigation of these risks by the banking sector and the associated parties remains a key priority.
“Requirements in the regulatory framework shall be applicable to the entire operations of licensed banks including operations conducted through agents and third party service providers,” the Directive stated stipulating the scope of the regulation. 
Meanwhile, to reflect the extremely high significance attached to the technology risk in banks by the regulator, banks were also asked to assess the technology risk, “as a part of comprehensive assessment of risks in the banks’ Internal Capital Adequacy Process (ICAAP)”. 
The Central Bank further added that when assessing the technology risk, a bank must ensure that, “adequate level of capital is held to meet any potential technology risk.”