Governance: Statutory requirements with respect to management of IT risks
Question:
What are the legal requirements for the management of IT risks?
Published: 15 May 2015
Answer:
Pursuant to the Financial Supervision Act (Wet op het financieel toezicht - Wft) and the Pensions Act (Pensioenwet), DNB holds that financial institutions must have adequate procedures and measures in place to control IT risks. "Adequate" is taken to mean that the procedures must be in line with the nature of the financial institution and the complexity of its organisational structure.
Pursuant to Section 3:17(1) of the Wft, financial institutions must organise their operations in such a way as to safeguard sound and ethical business operations. To do so, Section 3:17(2), opening words and under (a), stipulates that financial institutions must ensure adequate management of business processes and business risks in accordance with rules laid down by or pursuant to a general administrative order.
To implement these provisions, Section 20(2) of the Decree on Prudential Rules for Financial Undertakings (Besluit prudentiële regels Wft) stipulates that a financial institution – defined as a payment institution, a clearing institution, a special purpose reinsurance vehicle, a credit institution, a premium pension institution, an insurer or a branch as referred to in Section 17 of the Decree – must have in place procedures and measures to safeguard the integrity, continuous availability and security of electronic data.
Pursuant to Section 143(1) of the Pensions Act or Section 138(1) of the Mandatory Occupational Pension Scheme Act (Wet verplichte beroepspensioenregeling), pension funds and occupational pension funds must have an organisational structure that ensures sound and ethical operational management. The second subsection of the Sections referred to, opening words and under (a), stipulates that to do so, pension funds and occupational pension funds must ensure adequate management of business processes and business risks in accordance with rules laid down by or pursuant to a general administrative order.
Where pension funds and occupational pension funds are concerned, the requirement of sound and ethical business operations has not been elaborated in rules on the control of business processes and business risks in the way that Section 20(2) of the Decree on Prudential Rules for Financial Undertakings (Besluit prudentiële regels Wft) does for financial institutions. There is only a provision to the effect that sound administrative and accounting procedures and adequate internal control mechanisms and policies must be in place for controlling risks (Section 18 of the Pension Fund (Financial Assessment Framework) Decree (Besluit financieel toetsingskader pensioenfondsen)).
This does not alter the fact that, in DNB's view, the general standard requiring an organisational structure that ensures sound and ethical business operations applies correspondingly to pension funds and occupational pension funds. Accordingly, where applicable and with due observance of the principle of proportionality, these institutions must also have procedures and measures in place to ensure the integrity, continuous availability and security of electronic data processing.