ICT supervision at banks
Objective
As digital transformation progresses, information and communication technology (ICT) is becoming ever more important to the functioning of banks. At the same time, however, these technologies bear great risks and potential for abuse, both internal and external. Supervisors need to focus their attention on the risks associated with the use of information and communication technology.
This course gives an overview of current practices with regard to ICT supervision at banks from both a regulatory and practical perspective. The course content will cover the general EU framework and its transposition into German law and supervisory practices. The sessions will discuss typical ICT issues that banks face, shed light on the assessment techniques used by supervisors in their review and evaluation process (SREP) as well as in on-site inspections and highlight specific ICT problems.
Participants are expected to actively contribute during this course, e. g. by presenting and discussing typical challenges and experiences faced in their own national ICT national supervision.
Contents
- Overview of the European and German banking supervision systems, as well as laws and regulations for ICT supervision
- Introduction to ICT security and IT supervision
- Minimum requirements for risk management with a focus on ICT and third-party risk requirements
- Setting up an on-site inspection for ICT and typical findings in Germany
- Deep dive on selected topics (e.g. user access rights, application development, outsourcing management, penetration testing, DORA)
- Gathering off-site information for the supervisory review and evaluation process for ICT (ICT SREP)
- Group work, e. g. evaluating an on-site inspection report for ICT
Target group
Policymakers in banking supervision, on-site and off-site supervisors, ICT auditors. Participants should have at least an intermediate understanding of banking supervision and ICT and be prepared to share their knowledge with other participants in the group. Active participation, for example in the form of a short presentation on a national aspect of ICT supervision, is mandatory.
Please note
Active participation in the form of a short presentation on a national aspect of ICT supervision is mandatory.