Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements

On the 11th December 2020, the Malta Financial Services Authority (the “MFSA”) issued cross-sectoral guidelines titled: Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements (the “Guidance”).

The MFSA has remarked that technology has become a fundamental asset to the financial services industry, driving innovation within customer experience, operational efficiency and regulatory compliance. Licence holders have become increasingly reliant on technology to discharge critical or important business and operational functions. Many of these functions have in fact become software-based and are being managed remotely by third parties. While technological sophistication delivers clear benefits to financial services firms and their customers, the MFSA has noted that technological integrations also alter the operational risk landscape of licence holders.

By implementing the Guidance, the MFSA grasped the opportunity to harmonise the approach on technology arrangements, ICT and security risk management, and outsourcing arrangements, by introducing a single guidance document for all the sectors authorised by the MFSA. The Guidance ensures that whenever licence holders outsource any important or critical function to a third party, such licence holders’ monitoring capabilities are maintained and regulatory compliance is ensured.

The Guidance establishes a number of basic mitigation factors so that risks emanating from increased reliance on technological arrangements are adequately mitigated, including the establishment of comprehensive ICT governance frameworks. Furthermore, the Guidance requires that the management bodies of authorised entities are well aware of the extent to which their entities rely on the service providers engaged by them. Licence holders will also have to take into consideration, within their respective contingency plans, the risks arising from possible interruptions of the technological arrangements.

We recommend that all authorised entities go through the Guidance document, and we invite any interested entities to contact us should they wish to receive further assistance on the Guidance document.