Please see attached Standard Chartered’s response to the European Banking Authority’s (EBA) Consultation Paper on draft Guidelines on ICT and security risk management (EBA/CP/2018/15).
Standard Chartered invests significant sums to maintain the security and effectiveness of our existing ICT estate. We are continuously overseeing our information security policy as well as our risk control framework, training procedures and ICT governance in general.
We strongly support efforts to align the requirements applicable to ICT and security risks across existing EU regulations. Ensuring a level playing field, with requirements for credit institutions and payment services institutions consistent with those for investment firms, will provide certainty on the regulatory environment within which institutions operate.
As an international bank with operations across several continents, we also believe it is of fundamental importance to strive, as far as possible, for international harmonisation of stringent rules in the ICT area, not only within the European Union but globally as well. Diverging regulatory requirements will significantly increase operating costs and introduce risks of regulatory arbitrage.
Technological development in the ICT area is rapid, and we believe it is important that the guidelines be principles-based and sufficiently flexible to accommodate innovation.
We thus recommend that the EBA gives further consideration to the following aspects which we believe to be of importance:
Principles-based: SCB welcomes that the guidelines are, in general, principles-based. We believe this is essential and should be maintained as far as possible. A focus on outcomes, and on how firms can demonstrate capabilities, increases consistency and alignment between jurisdictions and ensures that the guidelines can be implemented with proportionality in mind. In addition, the principles-based approach should incorporate the notion of materiality. To illustrate: only information assets whose unavailability would cause a significant business loss should be required to be mapped.
Alignment across jurisdictions: Departure from existing recognised standards increases regulatory complexity and requires resources to be diverted from other activities. This inhibits firms from focusing their efforts on the identification of, and protection against, technological risks, directing firms' resources towards compliance rather than technological security.
We hope these comments are helpful, and we would be pleased to discuss our views with you in greater detail.