(This is Part 1 of a three-part analysis, to be continued in the forthcoming issues.)
In June 200 the Malta Financial Services Authority released a publication that gave a clear indication of the upgrading expected of the financial services sector in the coming years. The publication, aptly titled “Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements”, set out the principles and the frameworks within which these were to be implemented. It starts off by setting four high-level principles to guide the implementations:
Proportionality – “the application of the principles should take into consideration the size, internal organisation and individual risk profile, as well as the nature, scope, complexity and riskiness of the Licence holder’s operation and of the services and products provided or intended to be provided”. In other words, the more sophisticated and complex the organisational structure and the products and services to be offered, the higher the expectations for the relevant standards and for the effectiveness of structures, systems and procedures. IT infrastructures and systems need to be customised to allow for the introduction of scalable and differentiated levels of checks and controls, so that as the products get more sophisticated so too do the control systems and mechanisms. This customisation is critical to implementing the proportionality principle.
Principles-based consistency of outcomes – “In view of technology dynamics from the perspective of continuous technology evolution and service models, the guidelines are principles-based and do not favour one type of technology or service model over another, as long as compliance obligations can be met. The principles-based approach also applies to ICT risk and security governance and control frameworks.” Emerging technologies, ICT risk, security governance and control frameworks must be focused on compliance obligations. The challenge of adding value to customers and stakeholders through new innovations in technology and product design must be met without any infringement of compliance obligations. This calls for close collaboration between the compliance team and the software and product development teams at a very early stage of development, and not in the final stages of uploading documentation!
Information Assurance (IA) in technology arrangements – within the EU context of control and processing of personal data of natural persons, “communication and information systems must protect the data they handle in transit and at rest, and must only be accessible to authorised parties as and when needed. Confidentiality, Integrity, Availability, Authentication and Nonrepudiation should form the five pillars for IA in the design of any Technology Arrangement implemented by a Licence Holder.” Meeting the EU GDPR provisions is just the starting point for data protection and security! Systems need to provide clear audit trails that allow for unequivocal and undeniable correlation of “who did what, how, when and where?”
Approach to Cloud Computing – The approach to adoption of cloud computing resources and services should be based on sound governance and management, and should take into consideration the Guiding Principles for Cloud Computing Adoption and Use, issued by the global non-profit IT association ISACA, as outlined in clauses 2.4.2 to 2.4.7. These are defined as the Principles of Enablement; Cost/Benefit; Enterprise Risk; Capability; Accountability; and Trust. These principles, established in 2012, have been widely adopted internationally and have proved effective in focusing attention on harvesting the benefits of Cloud while investing in the appropriate defence and security infrastructure to provide peace of mind to all key stakeholders.
Over the past months the MFSA has stepped up its efforts to make regulated entities aware of the critical importance of their continued investment in upgrading and safeguarding their ICT systems and processes, which ultimately are the core of all their operations. The writing is on the wall: the guidelines have recommended what needs to be done, and the next step is mandatory adherence to the guidelines to ensure that this part of the business is suitably protected.
eBusiness Systems has been involved in the development and implementation of investments management systems since 2010 and launched the first iteration of eB-IMS in 2021. The system design and development benefitted right from inception from the close collaboration of industry experts and forward-looking practitioners who recognised that the next breed of fin-tech solutions needs to be built around enhanced corporate governance and management control systems. This approach ensures that the web-based system can be integrated into on-site practices and processes that reflect this higher level of corporate governance and control. Yet again, technology without a top-down commitment to improved standards of accountability and control is meaningless. eB-IMS provides a whole range of charting and reporting tools that allow different levels of users in the organisation, as well as customers who can interact independently with the system, to get more detailed and accurate measures of the performance of the different portfolios and the teams driving that performance. For more information on eBusiness Systems and its Investments Management Systems SaaS platform, eB-IMS, contact us on firstname.lastname@example.org