SBP issues draft guidelines for IT governance in banks

By our correspondents
March 15, 2017

KARACHI: The State Bank of Pakistan (SBP) has framed draft guidelines, based on international standards for technology governance, for financial institutions to manage risks associated with the use of information technology, the central bank said on Tuesday.

The SBP issued draft guidelines, recommending ways to enhance technology, security, operations, audit and related domains and to create overall safe and secure technology operations in banks.

“The SBP has developed the framework on information technology governance and risk management in financial institutions to keep abreast with the aggressive and widespread adoption of technology in the financial service industry and consequently strengthen existing regulatory framework for IT risk supervision,” it said.

“This framework shall be integrated with the financial institutions' overall enterprise risk management programme.” The banks are expected to assess and conduct a gap analysis between their current status and the guidelines and draw a time-bound action plan to address the gaps and comply with the guidelines.

The central bank also said that financial institutions will exercise sound judgement in determining applicable provisions relevant to their risk profile. The SBP asked all banks to upgrade their systems, controls and procedures to ensure compliance with these instructions by December 31, 2017 at the latest.

The framework is based on international standards and recognised principles of international practice for technology governance and risk management and shall serve as SBP's baseline requirement for all banks.

The framework will apply to all financial institutions, which include commercial banks (public and private sector banks), Islamic banks, Development Finance Institutions (DFIs), and Microfinance Banks (MFBs).

The financial institutions will ensure compliance with this framework while introducing new products, whether on their own, in the form of co-branding, or in partnership with other entities.

The framework is not "one-size-fits-all"; its implementation needs to be risk-based and commensurate with the size, nature and types of products and services, and the complexity of IT operations, of the individual financial institutions.

The comprehensive enterprise IT governance framework shall enable a financial institution to evaluate the current and future use of IT, direct the preparation and implementation of plans and policies to ensure that the use of IT meets business objectives, and monitor conformance to policies and performance against the plans.

The framework entails an IT strategy, organisational structures, roles of the board and senior management and IT policy framework.

The SBP has invited interested parties, institutions or individuals, from the banking sector, IT industry, academia and other stakeholders to review the proposed draft framework and provide comments / feedback until March 31.