The payment industry and its technology risks, including cyber and resilience risks, are evolving rapidly. The challenges that payment service providers encounter most frequently center around oversight of outsourced services, the General Data Protection Regulation (GDPR), fraud, resilience and, of course, cybersecurity. Over the last years, cyber-attacks have become the norm rather than the exception, and the financial services sector is a well-known target for such attacks.
As part of its oversight, the National Bank of Belgium (NBB) requests that its Payment Institutions (PIs) and Electronic Money Institutions (ELMIs) submit an IT Risk Questionnaire. This enables the NBB to gain valuable insights into the IT maturity of these institutions and further assists it in its oversight responsibilities.
General Data: The questionnaire requires a description of the Payment Institution or Electronic Money Institution itself and covers topics such as financial matters within the institution, information on staff, a description of the IT environment (such as critical IT systems and whether the entity has experienced cyber incidents), and insights into the IT strategy and governance within the institution.
IT Risk Level (ITRL) Assessment: The second part of the questionnaire deep-dives into IT risks in order to provide insight into the overall IT risk level of the institution. To what extent is your organization prone to disruption? How many outdated systems that support business-critical processes are within your entity? How many changes caused incidents (affecting confidentiality, integrity and/or availability) within the production environment of your organization?
Gaining thorough insight into these matters is not only advisable; it is also very valuable in steering the IT strategy and governance of the institution in the right direction.
IT Risk Control (ITRC) Assessment: The last part of the questionnaire is designed to assess the maturity level of the IT key controls across 10 IT areas within the institution. Payment and Electronic Money Institutions are asked to rate the maturity of their internal IT controls across a broad range of IT topics, such as IT governance, IT outsourcing, IT security management, IT operations, data quality management and more. Institutions must rate their IT controls on a scale from 1 to 4 and must take into account the design, implementation and effectiveness of the controls.
The National Bank of Belgium asks its partners to submit their IT Risk Questionnaire before the end of the first quarter of each year. We advise organizations to reflect on their IT environment well in advance in order to be adequately prepared.
Deloitte has thorough expertise within the financial industry sector. Our years of experience in IT Risk, IT Governance and IT Strategy can help your organization complete the IT Risk Questionnaire requested by the NBB. Our experience, together with our proven methodologies and accelerators, will contribute to an efficient, effective and insightful completion of the NBB request.
Based on your needs, Deloitte can provide you with various types of deliverables related to the questionnaire and its content, such as: