CBSL issues directive on regulatory framework on technology risk management and resilience for banks

Monday, 13 December 2021 04:05

The Central Bank (CBSL) has issued a new directive to banks on the regulatory framework on technology risk management and resilience. These directions will be applicable to all licensed banks, including operations conducted through agents and third-party service providers. The new directive requires all banks to ensure compliance with the requirements imposed.

Requirements in the regulatory framework will be applicable to the entire operations of licensed banks, including operations conducted through agents and third-party service providers.

The Board of Directors of each licensed bank needs to establish adequate oversight measures to ensure that the bank implements the technology risk management and resilience requirements specified in the regulatory framework.

Licensed banks are also directed to establish an effective governance framework approved by the Board of Directors of the licensed bank in compliance with the requirements specified in Section 4 of the regulatory framework, to ensure prudent management of technology risks.

Licensed banks should ensure technology risk is assessed as a part of the comprehensive assessment of risks in the bank's Internal Capital Adequacy Assessment Process (ICAAP) and an adequate level of capital is held to meet any potential technology risk.

“The internal audit function of the licensed banks shall ensure that compliance with regulatory requirements on technology risk management is assessed and reported to the Board of Directors of the licensed bank through the Board Audit Committee, at least annually,” according to the CBSL’s directive issued last week.

Licensed banks need to ensure all new technology initiatives comply with Section 9 of the regulatory framework on requirements based on information system infrastructure ownership, management, and location from the date of these directions. They also need to ensure compliance with all other requirements of the regulatory framework as per the timelines set out in Section 10 of the regulatory framework on implementation and transitional arrangements.

Licensed banks designated as Domestic Systemically Important Banks (D-SIBs) must ensure compliance with the requirements specifically applicable to D-SIBs within 12 months from the date of notification of being designated as a D-SIB or as per Section 10 of the regulatory framework, whichever falls later.

The full text of the Banking Act Directions No. 16 of 2021 Regulatory Framework on Technology Risk Management and Resilience for Licensed Banks is available online at cbsl.gov.lk/sites/default/files/cbslweb_documents/laws/cdg/Banking_Act_Directions_No_16_of_2021.pdf.

 
