Technology has never been more important to banks, both for supporting existing operations and developing new capabilities. So it's no surprise that supervisors' focus on Information and Communication Technology (ICT) risks has never been higher. In particular, January 2018 saw the European Central Bank (ECB) send a detailed Questionnaire to Significant Institutions in the Single Supervisory Mechanism. The aim of this exercise was to evaluate banks' own assessment of ICT risks, judged against the European Banking Authority (EBA)'s final Guidelines on ICT Risk Assessment under the SREP.
The Questionnaire represents a significant development in the ECB's approach to ICT risks due to its scope and exhaustive nature, and banks need to ensure they are responding appropriately since all answers given will be challenged by Joint Supervisory Teams (JSTs) through additional document requests or on-site inspections. The exercise will become a periodic activity, and so it will only increase in importance to both the banks and their supervisors.
To help banks better understand how they measure up against their peers, KPMG recently conducted a major Europe-wide benchmarking study of banks' ICT risks and their related supervisory expectations. Below is a snapshot of our overall findings, with the study highlighting physical security, IT internal audit, and security awareness as areas of strong bank performance:
Unfortunately, not all of our findings were so positive. In particular, weaknesses in data quality management emerged as a common theme from many of the responses. For example, nearly half of the banks we sampled have not yet defined and documented their data architecture, data models, data flows or data dictionaries. Several respondents have also not yet tested their IT controls over every stage of the data life cycle. These are significant weaknesses, especially given the number of other supervisory processes and priorities that depend on good data quality. Banks should consider how improving their overall data quality management would benefit other initiatives, not only their internal risk reporting processes but also other external requirements, for example the financial statements, stress testing, EBA transparency exercises and BCBS 239, or other supervisory and regulatory reporting such as FINREP, COREP, LCR, NSFR, and recovery and resolution planning.
In particular, there are five dimensions used by the ECB to assess data quality in supervisory reporting:
To ensure that they are able to address any data quality weaknesses, banks should take some key actions, if they have not already done so, such as:
Looking further ahead, banks should expect ICT risks to play an increasingly large role in on-site inspections, which includes being ready to justify their Questionnaire responses to JSTs. Those responses will have a direct impact on their SREP letter, which in turn could lead to significant remediation actions. In short, it's vital for banks to understand just what a significant development the Questionnaire represents in the ECB's approach to ICT risks, and to respond accordingly.