Demystifying the ICT Questionnaire
The MFSA has mandated all licensed firms in Malta to comply with its ICT Guidance and submit an ICT Questionnaire to assess their ICT risk exposure, as part of a broader EU regulatory framework aimed at managing ICT and information security risks.
Adriana Cassar
Executive Director
In summary, the ICT Circulars, inter alia, amended the various MFSA rulebooks and made compliance with the provisions of the MFSA ICT Guidance compulsory for all licence holders. In addition, over the last couple of months and at separate points in time, the MFSA sent the ICT Questionnaire to all MFSA licensed firms. Each category of licence holder was requested to complete and formally submit the ICT Questionnaire to the MFSA within a stipulated timeframe of either two months or six weeks of receipt.
For many MFSA regulated firms, the submission deadline for their completed ICT Questionnaire has either recently passed or is fast approaching, which has, unsurprisingly, created some degree of unease and anxiety.
This article provides an insight into the background of the ICT Questionnaire itself and into the overall regulatory context in which it was initially developed and is currently being used by the regulator.
Background
European regulators have, for some time now, been increasingly looking at the way in which financial services firms use information and communication technologies (ICT) in their business operations, and their dependency on such systems. In today's fast-moving digital world, many traditional financial services providers (and not only) have moved away from traditional static banking business models to flexible, often referred to as agile, business structures relying heavily on ICTs. Unsurprisingly, many old-fashioned high-street banks have, these days, turned into IT-driven companies with banking licenses. Hence the coining of the term Fintech.
The increasing reliance on outsourced ICT services and third-party products (often provided in the form of diverse packaged solutions) is likely to result in heavy dependencies on such systems and an inherent increase in concentration risk.
In addition, the continuous emergence of new cybersecurity risks and the increased potential for cybercrime and cyberterrorism have caused regulatory authorities to grow increasingly concerned about the operational risks to which such financial operators become exposed (referred to, in regulatory jargon, as ICT and Information Security Risks). Exposure to such risks can create a domino effect on a country's overall economy, resulting in potentially non-negligible systemic risk. Acknowledging the increasing importance of ICT systems and, therefore, the increasing potential adverse prudential impact of failures on an institution and on the sector, European regulators have, over the last five years, developed regulatory tools to help them assess the potential risk levels to which FinTech firms might be or are exposed.
Whilst the ICT risk assessment and management models initially developed by the EU were aimed at assessing systemically important financial institutions or FinTech firms, these new ICT "rules of engagement" are ultimately being applied to substantially every regulated firm within the European Union. Concurrently, EU regulators issued specific sets of rules aimed at the identification, assessment, and mitigation of ICT risks, documenting the regulatory expectations with which licensed firms must comply.
The ICT Questionnaire was developed, and is currently being employed by regulatory authorities, as a tool to assess the ICT risk exposure of the firms they regulate and the resulting potential systemic impact these firms may have on the financial system in the respective jurisdiction. In the EU regulatory universe, where EU super-regulators and national regulators alike employ a common risk-based approach, it follows logically that the higher the ICT risks faced by a firm (and the associated potential prudential impact), the closer the scrutiny and regulatory oversight that the firm will receive from its regulator.
The Facts
It is against this background that the MFSA (alongside all other financial regulatory authorities within the EU) had to come up with its own guidance on ICT-related matters and make use of the standard ICT Questionnaire. In short, all MFSA licensed firms in Malta must comply with the provisions of the MFSA ICT Guidance and must submit a completed ICT Questionnaire.
The roll-out of the EU's ICT risk management regulatory framework has been designed to happen in stages, and Malta follows the same approach. The circulation by the MFSA of its ICT Questionnaire, and the request for its completion and submission by licensed firms by the designated deadline, forms part of what one could call phase one of the MFSA's framework implementation programme.
The subsequent stage of this process entails the assessment by the MFSA (based on the information disclosed in the submitted ICT Questionnaire) of the ICT risk profile of each firm it regulates. Depending on the outcome of the regulatory risk assessment and the risk profile assigned, the MFSA will likely decide the level of scrutiny and regulatory oversight that it needs to exercise over each firm, according to the all-important principle of proportionality.
Points to Note
The MFSA is highly likely to subsequently verify on the ground the veracity of the information submitted by each licence holder in its completed ICT Questionnaire.
Regardless of its subsequent ICT risk profiling assessment and classification (part of phase two of its implementation programme), the MFSA expects all regulated firms in Malta to comply with the requirements set out in the MFSA ICT Guidance. In substance, this means that MFSA licensed firms must set up and implement a formalised internal governance framework addressing the identification, assessment, monitoring, and mitigation of ICT and information security risks.
Aspida can assist licence holders in ensuring that they are in line with regulatory expectations vis-à-vis cybersecurity and outsourcing arrangements.
Want to know more?
Please contact Ms Adriana Cassar at maltainfo@aspidagroup.com or call +356 20106167
Aspida Insights is where we draw on our knowledge, experience, and expertise in key business areas such as compliance and risk management, regulation, and corporate governance to offer our thoughts, forecasts, and advice on a range of topical issues or areas of client concern.