EBA Guidelines on ICT and Security Risk Management

On 28 November 2019, the European Banking Authority (EBA) published final Guidelines on ICT and security risk management for credit institutions, Capital Requirements Regulation (CRR) investment firms and payment service providers (PSPs) ('the Guidelines'). The FCA has notified the EBA that it intends to comply with these Guidelines.

All credit institutions, investment firms and PSPs will be expected to make every effort to comply with the Guidelines from 30 June 2020, the date from which they apply. Firms should also refer to the EBA’s further guidance on the use of flexibility in relation to Covid-19 and the implementation of the Guidelines.

Consistent with this further guidance, the FCA will apply reasonable supervisory flexibility when assessing the implementation of the Guidelines given the ongoing Covid-19 crisis. In line with previous FCA guidance to firms in the current situation, we encourage firms to particularly focus on the provisions within the Guidelines relating to information security, ICT operations and business continuity to maximise their ability to provide services on an ongoing basis and to limit losses in the event of severe business disruption.

The FCA is currently consulting on new requirements for operational resilience and we expect to publish our final rules in Q1 2021, including providing further information on the links between our operational resilience policy and the EBA Guidelines. We welcome feedback from firms to our consultation and their experiences in embedding the requirements of the Guidelines.