Brunei Darussalam Central Bank (BDCB) Policy on Information Technology Risk Management
Introduction
The Brunei Darussalam Central Bank (BDCB) has issued this policy document to ensure that banks and financial institutions (FIs) in Brunei manage information technology (IT) risk effectively. This policy outlines the requirements for IT risk management, covering aspects such as operational risk, security risk, and compliance risk.
1. IT Risk Management Framework
Establishing an IT Risk Management Framework
- Banks and FIs shall establish an IT Risk Management Framework that is aligned with BDCB’s guidelines.
- The framework shall cover all aspects of IT risk, including operational risk, security risk, and compliance risk.
2. Critical Systems
Identifying and Submitting Critical Systems
- Banks and FIs shall identify their critical systems and submit the list to BDCB annually, no later than three months after the end of every financial year.
- Critical systems are those whose disruption or compromise would have a significant impact on customer experience or business operations.
3. System Acquisition, Development, and Integration
Notifying BDCB Prior to Acquiring or Developing New Systems
- Banks and FIs shall notify BDCB prior to acquiring or developing new critical systems or applications.
- They shall furnish information to BDCB before engaging vendors or starting software development projects, including:
  - Rationale for the proposal
  - Details on improvements or changes to business operations
  - Checklist of responsibilities of vendors and banks/FIs
  - Information on due diligence assessment on vendors
  - Preliminary risk assessment and mitigation strategies
Testing Artificial Intelligence (AI) Systems
- Banks and FIs shall test AI systems based on BDCB’s guidelines.
4. IT Third Party Arrangement
Notifying BDCB Prior to Signing Contracts with Third Parties
- Banks and FIs shall notify BDCB prior to signing contracts with IT outsourcing service providers, cloud service providers, or other third parties.
- They shall furnish information to BDCB, including:
  - Details of the third parties involved
  - Purpose, type of service, and service period
  - Checklist of responsibilities of third parties and banks/FIs
  - Information on due diligence assessment on third parties
  - Preliminary risk assessment and mitigation strategies
5. Self-Assessment on IT Risk Management
Performing an Annual Self-Assessment
- Banks and FIs shall perform an annual self-assessment to evaluate their inherent risks and IT management maturity level based on BDCB’s Technology Risk Assessment Framework (T-RAF).
- They shall review their IT risk management practices, perform a gap analysis against BDCB’s guidelines, and establish action plans to address the identified gaps and risks.
Conclusion
This policy document is a regulatory requirement for banks and financial institutions in Brunei Darussalam to ensure effective management of IT risk and compliance with relevant laws and regulations.