On March 25 2021, the Financial Market Supervisory Authority (Central Bank of Lithuania) organized a seminar for financial market representatives on the topic “Information and Communication Technologies and Security Risk Management Requirements”. During the meeting, the Central Bank of Lithuania presented new requirements for financial market participants on information and communication technology and security risk management, including cybersecurity, which were based on the Bank of Lithuania’s resolutions introduced on November 26, 2020. The presentation also included the measures that should be taken by financial market participants to manage information and communication technology (ICT) and security risks, the requirements for the storage, processing and transfer of information by ICT systems, and the cybersecurity of systems.

What EU directive is this Description based on?

The Description has been prepared taking into account the guidelines of the European Banking Authority (EBA) on ICT and security risk management under the EU Directive. The mentioned Guidelines have been drafted in accordance with another EU Directive on payment services in the internal market (PSD2), which mandates the EBA to issue guidelines for the purpose of managing ICT and security risks and with regard to the establishment, implementation, and monitoring of the security measures, including certification processes, where relevant. 

In the light of other regulations, such as PSD2, GDPR, and other – requirements for payment service providers have never been more complicated and interdisciplinary. All due to a need to provide more open and simplified payment and financial services for the end-users. For this reason, The Bank of Lithuania has been strengthening ICT and security risks for the payment service providers for some time now.

Illustration by Peter Pimentel

The risk of non-compliance with the Description

The supervisory authority (the Bank of Lithuania / BoL) has the right to organize and carry out inspections to determine compliance with the requirements of legal acts. If the supervisory authority (BoL) determines that the requirements have not been complied with, under the Law on Payments of the Republic of Lithuania it may apply the following sanctions:

  1. publicly announce the violation of the legal act and the person who committed it;
  2. warn regarding the violation of the legal act and instruct to terminate the violation of the legal act within the established term;
  3. impose the fines established in this Law (for legal entities – up to 10 percent of the total annual income; for managers of other legal entities and other natural persons – up to 50,000 euros).

The supervisory authority may also issue mandatory instructions set forth in the laws, as well as apply more than one sanction. It is important to mention that the imposition of a sanction does not relieve the person of the obligation for which the sanction has been imposed. The supervisory authority has also the right to suspend the validity of licenses, as well as revoke the license.

Briefly speaking, failure to implement an operational risk management framework may cause unnecessary disciplinary action, bad reputation and loss of trust among media or stakeholders as well as may lead to direct financial losses.

The main problem for payment service providers under this Description

ICT and security risk management for financial institutions is one of the key aspects of conducting business. The requirements set out in the Description are complex and there are a great many of them. Whereas traditional financial institutions may be well-equipped with entire risk teams devoted to keeping them compliant, smaller FinTech companies often have fewer resources and risk management may come down to a single team member or a small team. Thus, one of the main problems becomes proper and timely implementation of the complex requirements of the Description.

Moreover, as a part of compliance, ICT security and risk management sometimes is entrusted to the legal team. Other startups try to solve it as a cybersecurity problem. Both are equally wrong and right. As our BCCS Cluster’s experience tells us, the best result can be achieved by using a seamless interdisciplinary approach of legal, technology, and risk management experts.

BCCS Cluster’s team of experts is ready to help financial organizations at every stage. Due to closely coordinated action, we have achieved excellent results for both operational companies and those applying for the license. Both approaches come with different challenges that require a tailored approach. An early-stage partnership can save a lot of resources when integrating risk management and security principles into daily life and company culture. On the other hand, our wide expertise enables us to implement tailored security and risk management systems in accordance with both applicable requirements and your business model.

Illustration by ShortShots

The minimum requirements that have to be implemented

During an early stage of development, every business seeks to stay dynamic, fast-moving, and agile when it comes to products, compliance, and technology. Unfortunately, when avoiding an overkill at compliance, there is no bare minimum to do. ICT and security risk management is a process that involves not only customer relations but everyday office life and even supplier relations. And it all comes to individual risk appetite. However, it is possible to single out the most important requirements. The Risk management framework should:

  • include a comprehensive security policy document with a detailed risk assessment of the payment services provided and a description of the security controls and risk mitigation measures taken to protect payment service users;
  • have an effective, fully integrated into overall risk management processes ICT and security risk management system that must be approved by the relevant management body and reviewed at least once a year. 

Important obligatory requirements under the Description, i.e.Payment Service Providers (PSPs) are:

  • implement the requirements set out in the Description in a proportionate manner, taking into account its size, organizational structure, and the nature, scale, complexity, and riskiness of the activities. PSPs should also ensure the effectiveness of the security measures when operational functions of payment services, including IT systems, are outsourced;
  • identify and regularly update the list of operational functions, responsible positions (employees), and supportive measures that are relevant and related to ICT and security  risk;
  • identify and regularly update a list of information resources such as ICT systems, their configuration, other infrastructures, and interfaces with other internal and external systems;
  • set criteria and limits that shall be applied when determining if the relevant incident shall be considered as operational or security incident, as well as set early warning indicators that warn about identified ICT and security  incident;
  • ICT and security risks shall be audited on a periodic basis by independent internal or external auditors with sufficient knowledge, skills, and expertise in ICT and security risks and in payments to provide independent assurance of their effectiveness to the PSPs. This requirement becomes obligatory after one year of getting the PSP license. 
  • PSPs shall establish and implement an information security testing framework that validates the robustness and effectiveness of its information security measures and ensure that this framework considers threats and vulnerabilities, identified through threat monitoring and the ICT and security risk assessment process.
  • PSPs information security testing framework shall ensure that tests:
    •  are carried out by independent testers with sufficient knowledge, skills, and expertise in testing information security measures and who are not involved in the development of the information security measures;
    • include vulnerability scans and penetration tests (including threat-led penetration testing where necessary and appropriate) commensurate to the level of risk identified with the business processes and systems.
  • PSPs shall perform ongoing and repeated tests of the security measures. For all critical ICT systems, these tests shall be performed at least on an annual basis. Non-critical systems shall be tested regularly using a risk-based approach, but at least every three years.

Meet regulatory compliance requirements

By bringing together a broad community of Compliance, Legal, Cybersecurity, and related domain experts, the BCCS Cluster can offer integrated services addressing issues related to this Regulation. 

For more information please contact BCCS Cluster at https://bccs.tech/contact-us/