Financial Crime World

Banks and FIs Must Strengthen IT Risk Management to Ensure Efficient Service Delivery

The Brunei Darussalam Central Bank (BDCB) has issued new guidelines for banks and financial institutions (FIs) to enhance their information technology (IT) risk management practices. The guidelines aim to ensure that banks and FIs deliver efficient services while minimizing the risks associated with IT.

Preliminary Risk Assessment and Analysis

Before integrating third-party systems, banks and FIs must conduct a preliminary risk assessment and analysis to identify potential concerns. This involves:

  • Outlining action plans to address these concerns
  • Ensuring due diligence in selecting vendors or suppliers

Proposed End-to-End Process Flow

Banks and FIs must also propose critical end-to-end process flows between their systems and those of third-party providers, ensuring seamless integration and minimizing risks.

Technology and Methodology Used for Integration

The guidelines require banks and FIs to provide details on the technology and methodology used for system integration, including:

  • Data migration or cleansing processes
  • Any other relevant information

Due Diligence and Assessment

Banks and FIs must conduct due diligence assessments on third-party providers and their vendors or suppliers, including:

  • Identifying potential risks
  • Outlining mitigation strategies

Exit Strategy

In the event of a failed integration or unforeseen circumstances, banks and FIs must have a preliminary exit strategy in place to ensure minimal disruption to services.

Annual Reporting Requirements

Banks and FIs are required to submit an annual report on their IT risk management practices, including:

  • Details on system integration
  • Third-party arrangements
  • Any open items from user acceptance testing (UAT) or vulnerability assessments

Artificial Intelligence Integration

The guidelines also require banks and FIs to notify BDCB prior to implementing or adding artificial intelligence (AI) systems, which must be tested according to set parameters. AI systems must also be supervised during the testing period to allow for intervention and corrective actions if necessary.

IT Third-Party Arrangements

Banks and FIs must notify BDCB prior to signing contracts with IT outsourcing service providers or cloud services that involve critical systems. The guidelines require banks and FIs to provide detailed information on third-party arrangements, including:

  • Purpose of the arrangement
  • Type of service
  • Service period

Self-Assessment on IT Risk Management

Annual self-assessments are also required for banks and FIs to evaluate their inherent risks and IT management maturity levels based on BDCB’s Technology Risk Assessment Framework (T-RAF). The assessments must be submitted to BDCB by June 30 of every year.

Compliance with Laws and Regulations

Finally, banks and FIs must review and comply with new and existing laws and regulations related to IT, information security, and personal data protection. Failure to comply may result in penalties or other regulatory actions.

The guidelines aim to ensure that banks and FIs maintain efficient IT risk management practices, minimizing the risks associated with system integration and third-party arrangements while ensuring the integrity of their services.