Technology has never been more important to banks, both for supporting existing operations and developing new capabilities. So it's no surprise that supervisors' focus on Information and Communication Technology (ICT) risks has never been higher. In particular, January 2018 saw the European Central Bank (ECB) send a detailed Questionnaire to Significant Institutions in the Single Supervisory Mechanism. The aim of this exercise was to evaluate banks' own assessment of ICT risks, judged against the European Banking Authority (EBA)'s final Guidelines on ICT Risk Assessment under the SREP.
The Questionnaire represents a significant development in the ECB's approach to ICT risks due to its scope and exhaustive nature, and banks need to ensure they are responding appropriately since all answers given will be challenged by Joint Supervisory Teams (JSTs) through additional document requests or on-site inspections. The exercise will become a periodic activity, and so it will only increase in importance to both the banks and their supervisors.
To help banks better understand how they measure up against their peers, KPMG recently conducted a major Europe-wide benchmarking study of banks' ICT risks and their related supervisory expectations. Below is a snapshot of our overall findings, with the study highlighting physical security, IT internal audit, and security awareness as areas of strong bank performance:
- Most of the banks we spoke to appear to have strong IT internal auditing capabilities including suitable training, adequate budgets and experienced staff. In addition, most banks report critical IT audit findings to Management Bodies, with a process in place regarding the follow up of actions.
- The majority of respondents have physical security controls in place that are in line with the criticality of the area to be protected (e.g. biometric checks, floor pressure sensors, CCTVs, 24/7 watches).
- Mandatory security awareness programs are in place and cover current cyber threats as well as emerging risks. Such programs include workshops, security talks, awareness videos on specific topics (social engineering, malwares, data leakage through internet social networks, phishing).
Unfortunately, not all of our findings were so positive. In particular, weaknesses in data quality management emerged as a common theme from many of the responses. For example, nearly half of the banks we sampled have not yet defined and documented their data architecture, data models, data flows or data dictionaries. Several respondents have also not yet tested their IT controls over every different stage of the data life cycle. These are significant weaknesses, especially given the number of other supervisory processes and priorities that depend on good data quality. Banks should consider how improving their overall data quality management would benefit other initiatives, not only for their internal risk reporting processes but also for other external requirements, for example the financial statements, stress testing, EBA transparency exercises, BCBS 239. Or other supervisory and regulatory reporting such as FINREP, COREP, LCR, NSFR, recovery and resolution planning.
In particular, there are five dimensions used by the ECB to assess data quality in the supervisory reporting;
- Punctuality: Is there a time lag between the remittance date and the date on which the data was actually submitted to ECB?
- Completeness: Does the bank have the expected information available in the defined set of modules, templates and data points?
- Accuracy and consistency: What is the total number of validation rules that have failed for a specific submission? And how consistent are the various subsets of the data?
- Stability: Are there variations in the values submitted by a bank during a reporting cycle?
- Plausibility: Will the ECB detect outliers in the reported data such as unusually extreme values?
To ensure that banks are able to address any data quality weaknesses, they should take some key actions - if they have not already done so, such as:
- To define, document and test data quality management procedures.
- To clearly define key roles and responsibilities relating to data quality (data architect, data officers, data custodians, data owners/stewards…).
- To ensure the institution's human and technical resources provide a sufficient level of support for data quality.
- To maintain proper ICT controls - covering areas such as input validation, data transfer and reconciliations - across every stage of the data life cycle. This includes designing data architecture, building data models and dictionaries, verifying inputs, controlling data extractions or transfers.
- To formalise the processes for resolving identified data quality issues.
Looking further ahead, banks should expect ICT risks to play an increasingly larger role in on-site inspections, which includes being ready to justify their Questionnaire responses to JSTs since these will directly impact their SREP results, which in turn could lead to significant remediation actions. In short, it's vital for banks to understand just what a significant development the Questionnaire represents in the ECB's approach to ICT risks, and to respond accordingly.