
Overview of IT regulatory requirements for financial players in the UMOA and CEMAC | MFW4A - Making Finance Work for Africa

17 February 2023
ST DIGITAL, Fabrice ADZRAKOU

The state of a country's banking sector affects the state of its economy. In order to provide services (account opening, ATM withdrawals, etc.), banks cannot do without an information system, commonly referred to as SIB (Bank Information System). They rely on it to improve performance and better meet customer needs.

There is no doubt that the introduction of new requirements by the West African Monetary Union (UMOA) and the Economic and Monetary Community of Central Africa (CEMAC) will affect the management of banks and credit institutions, but the following questions must be asked: what is the impact of IS on what we now know to be so valuable to banks? What effect does it have?


This is the question this article will attempt to answer.

Within the UMOA, the convergence of our systems towards international standards (IFRS for the PCB and Basel for prudential systems) has modified the regulatory landscape of our region. Thus, the Banking Commission issued a circular, which came into force in July 2018, as an implementation model for banking supervision.

It should be noted that, compared to the previous 2011 circulars, circulars relating to risk management for credit institutions and financial companies have been introduced, as well as circulars relating to the management of compliance with standards established by credit institutions and financial companies. These are included in the Internal Control Circular.

More specifically, the implications related to information systems are intrinsically linked to the need to establish effective IT governance.
Most importantly, the agency must take into account all aspects of information security and business recovery and continuity mechanisms.

In addition to fulfilling its primary role of enabling banks to provide services, banking information systems must also guarantee the traceability of all operations carried out. These systems will also be of great assistance to agencies in designing automated controls and monitoring their effectiveness. Thus, to exercise this control, the internal audit function must possess competencies in infrastructure and information systems security. The banking information system must also enable institutions to assess in real time the severity of their risks and to guarantee the reliability, quality and integrity of their data.

Banks should also take into account mitigation measures in their operational risk management, considering the physical and logical security of their telecommunications infrastructure and information systems. These measures will limit operational losses that may result from damage to physical assets or system outages and failures.


If a bank or institution outsources, it must not forget that it cannot outsource its own responsibilities in the event of non-compliance. It must take measures to protect information security, including the personal data of its customers. To this end, the Banking Commission requires that IT servers storing data and hosting applications be located within the West African Economic and Monetary Union (WAEMU), and where this is not possible, a secondary server with all replicated data must be present in the region.

These requirements apply primarily to digital financial services (DFS), which have also been seeking to establish themselves in the region's financial ecosystem in recent years. In practice, operational security involves implementing an IS internal control system that meets a number of criteria. To support electronic money issuers (EMI), the BCEAO has established strict rules governing the conditions and procedures for the activities of electronic money issuers in member countries through Directive No. 008-05-2015 Union. These are designed to guarantee the authenticity of transactions, maintain the integrity of messages, ensure non-repudiation of transactions, maintain the confidentiality of information, and ensure high platform availability.

With regard to the CEMAC, it is worth noting an increase in the number of cyberattacks. These are increasingly complex, targeting credit, microfinance and payment institutions. In response, the Banking Commission published on 21 January circular LC-COB/04. This aims to implement a series of actions designed to strengthen the IT risk management and cybersecurity frameworks of reporting entities. Among these we can cite:

  • A security audit of the information system by an independent expert no later than 30 June 2022;
  • Formalisation and updating of risk maps, particularly those related to IS security;
  • Formalisation of IS security policies in compliance with best practices, standards and norms (ISO 2700X, PCI DSS, etc.);
  • Formalisation, updating and regular testing of business continuity systems.


Given that the effective date of this notice is approaching, the institutions concerned must understand the situation for themselves and take appropriate measures to comply with banking regulations.

In conclusion, with this dynamic evolution of the regulatory framework and the appropriate implementation of the prescribed measures, we can anticipate that the internal control systems of these reporting entities will strengthen over time. This will be driven by data security (confidentiality, integrity, and availability), business continuity, information reliability, and transaction traceability.

However, financial institutions that have been acting proactively without waiting for regulators to make any demands would find themselves in a better position. Indeed, many best practices have already proven their worth, but there are also lessons to be drawn to improve resilience.

