FINMA Circular 2023/1 "Operational risks and resilience - banks"

Cybersecurity: If you only react now, you're already too late

  • Blog
  • 6 minute read
  • 04/06/24

FINMA Circular 2023/1 "Operational risks and resilience - banks" came into force at the beginning of January 2024 and the detailed audit points were published. What does this mean for financial institutions and their ICT providers?

Bruno Caviezel

Senior Manager, Digital Assurance, PwC Switzerland

More technology, more risk?

From private companies, universities and the media to the government and administration - they were all affected by hacker attacks in 2023; external service providers and third parties often served as a gateway. According to the latest risk monitor from the Swiss Financial Market Supervisory Authority (FINMA), the outsourcing of IT services to third parties is an important driver of operational risks - and FINMA has significantly increased the cyber security requirements for banks. This means that their IT providers must also ensure the necessary security measures regarding cyber risks.

FINMA Circular 2023/1 "Operational risks and resilience - banks", which came into force at the beginning of January 2024, builds on earlier circulars and requires adjustments to be made in dealing with information and communication technology risks (ICT risks). In addition to the legal basis, reference is also made to FINMA Circulars 2017/1 "Corporate Governance - Banks" and 2018/3 "Outsourcing".

Banks and other financial institutions outsource business processes such as payment transactions (two thirds of banks), securities processing or the IT infrastructure including the cloud (80 per cent of banks, 60 per cent of insurers) in whole or in part (FINMA, Risk Monitor 2023, p. 21). They are heavily dependent on external IT providers to deliver their services and must ensure that these service providers implement suitable and sufficient security measures. The fact that one in three cyberattacks on financial companies is carried out via these external partners adds to the problem. According to FINMA, the risks associated with extensive outsourcing are often insufficiently recognised, monitored and controlled.

Trust is good, control is better

Banks are therefore obliged to fulfil the regulatory requirements for cyber security and must demonstrate this as part of the regulatory audits. However, due to the outsourcing of IT processes, they do not always have all the necessary information - they have to rely on the assurance reports of their IT service providers and are dependent on their support. The FINMA Circular therefore also has a direct influence on the specifications of IT service providers. The topics or audit points for which banks are dependent on the support of external technology providers include:

  • These requirements include measures at IT service providers such as assessing the appropriateness of cyber security training for managers, employees with special access rights or external personnel. The operational effectiveness of training controls, the appropriateness of reporting on cyber risks to management and the effectiveness of key controls are also assessed.
  • This includes the identification, cataloguing and evaluation of ICT components and interfaces to third parties, the review of key controls for completeness and accuracy of the inventory and the evaluation of procedures to identify threats and their consequences.
  • This includes the assessment of access control procedures, the appropriateness of data loss prevention measures, network and infrastructure security, and the implementation of and compliance with standard configurations and system hardening.
  • It is examined whether anomalies and security-relevant events are detected and analysed, whether network operations are defined and monitored and whether the technical measures for detecting cyber incidents are appropriate.
  • This is where the processes for analysing, documenting and classifying security incidents and the effectiveness of measures to contain and limit damage from cyberattacks are assessed.
  • An assessment is made of how appropriate and effective the response and recovery processes are in order to get systems up and running again promptly after a cyberattack.
  • The procedures for conducting vulnerability analyses, penetration tests and cyber exercises based on specific threats, the adequacy of resources and the documentation and reporting of exercise results are examined and evaluated.

In light of FINMA's extensive catalogue of requirements, IT providers must step up their efforts to support banks during the regulatory audit. However, not all technology providers yet have a comprehensive assurance report that covers all relevant requirements. The aim is not to develop individual solutions for each customer, but rather to pursue a standardised approach that can be used for all banking customers with the same requirements and ensures compliance with regulatory requirements.

How PwC can help IT service providers

The new regulations are already in force: banks need to know whether their IT providers fulfil the regulatory requirements; IT service providers must enable FINMA compliance.

PwC supports banks and ICT providers in dealing with the requirements of FINMA Circular 2023/1 and has extensive experience, market presence and a multidisciplinary network of experts. We already work closely with the main ICT providers and understand the complexity associated with outsourcing IT and cloud services. By developing specific solutions and assurance reports, we help to manage cyber risks and improve compliance. Our standardised approaches to assurance reports enable technology service providers to offer consistent, efficient and scalable solutions that help reduce the overall cost of compliance. In doing so, PwC also verifies through appropriate audits that the defined processes and controls are adhered to, so that ICT providers can communicate this to their clients through assurance reports.

Contact us

Bruno Caviezel

Senior Manager, Digital Assurance, PwC Switzerland

+41 79 713 27 59


Robert Borja

Insurance Leader Risk Assurance, Zurich, PwC Switzerland

+41 58 792 29 56
