The European Banking Authority (EBA) has published its final ‘Guidelines on ICT and security risk management’. These establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their ICT and security risks and aim to ensure a consistent and robust approach across the EU Single Market.
The guidelines will enter into force on 30th June 2020 and set out expectations on how all financial institutions should manage the internal and external ICT and security risks that they are exposed to. The guidance also provides financial institutions with a better understanding of supervisory expectations for the management of these risks, covering sound internal governance, information security requirements, ICT operations, project and change management, and business continuity management.
The guidelines also cover the management of PSPs’ relationship with payment service users (PSUs) to ensure that users are made aware of the security risks linked to the payment services and are provided with the tools to disable specific payment functionalities and monitor payment transactions.