Banks should prepare for the new FINMA Circular 2023/1 “Operational risks and resilience – banks”, including provisions on critical data.
In brief
What are the main requirements of the FINMA Circular 2023/1 “Operational risks and resilience – banks”, which enters into force on 1 January 2024?
What is critical data within the bank with respect to confidentiality, integrity and availability (CIA triad)?
How can banks identify critical data and comply with new requirements on time?
In the post-COVID world, accelerated digitalization presents a crucial challenge to the operating model of banks: operational resilience. Increased regulatory supervision and tighter regulation demand better controls for more automated and complex processes. Industry players may struggle to implement the changes needed to maintain compliance, improve operations, and meet requirements.
However, new regulations are also an exciting opportunity for banks to improve capabilities that support robust operations. The new FINMA Circular 2023/1 “Operational risks and resilience – banks”, due to enter into force on 1 June 2024, sets minimum risk management standards for the banking industry, and updates the previous circular in the following areas:
The circular contains general requirements for the management of operational risks. Within this first area covered by FINMA, additional requirements are introduced for the independent assessment of the design and operating effectiveness of key controls.
The new provisions include an additional requirement around ICT strategy and governance, ICT operations and change management.
The new circular contains additional requirements around scenario-based testing and an obligation to report effective cyber-attacks to FINMA within 24 hours.
The concept of critical data is extended, and covers all the information security objectives of confidentiality, integrity, and availability. In this article, we explore the topic of critical data in more detail.
There are now additional requirements around business continuity and recovery plans, crisis management, and comprehensive testing and training.
This area focuses on the institutional requirement to conduct a risk analysis on cross-border services to mitigate and ultimately eliminate risks.
The area highlights how major financial institutions should scale up their capability to identify risks related to business-critical functions. Furthermore, banks are required to identify the processes related to critical functions and establish an appropriate plan to monitor, assess, and limit the related risks.
This area highlights the risks related to an institution's cross-border activities. Furthermore, if a financial institution provides transnational services, it should treat the compliance risks arising from them as operational risks.
EY carried out a risk matrix analysis to grade the impact of each of the changes within the new FINMA circular. FINMA demands stricter management of critical data, thereby asking banks to assure the highest standards around confidentiality, integrity, and availability. The word “critical” dominates the wording of the circular – not only for data provisions but also those on processes. Furthermore, the identification of critical processes is a crucial activity for managing risk within the organization.
Banks are required to understand what data assets are critical for business operations in the context of confidentiality, integrity, and availability
Philippe Oertli
Director, FSO Technology Consulting | EY Switzerland
The revised FINMA regulation will push the industry toward better data governance that addresses data integrity and availability to improve operational resilience. Banks are required to recognize what data assets are critical for business operations in the context of the CIA triad. This requires clear definitions, precise thresholds, and the right level of business awareness around critical data.
In the context of business decision-making, there are three data domains that need to be considered when identifying critical data:
Banks must follow numerous regulatory/compliance commitments. Reporting is a critical business process and is required to fulfill legal obligations. Supporting data must be scoped and protected appropriately. Otherwise, banks risk regulatory fines.
To fulfill financial reporting obligations such as balance sheet or PnL reporting, institutions need to ensure high quality and availability of their financial figures. Failure to do so can significantly damage the bank’s shareholder trust with regard to the financial statements.
Banks must identify the data that is vital for daily operations. This implies defining precise thresholds for the availability and integrity of data that affects critical processes. Moreover, governance procedures on BCM should include critical data risk.
Any personally identifiable information (PII) of individuals or classified corporate information must be scoped and treated with special care. Any leak or disclosure of PII or confidential data can lead to reputational damage, loss of client trust or legal action.
Data quality and integrity assurance for quantitative modeling avoids mismanaging risk that might have significant impact on future decisions.
When agreeing on investment or business plans, decision-makers should have smooth access to reliable data. Otherwise, management decision-making processes can lead to suboptimal solutions that affect long-term growth.
We believe banks should take a structured approach to data discovery, seeking external support where necessary. Organizations may like to consider the following six steps to achieve complete critical data classification.
Perform critical data domain discovery within the business organization, through surveys and interviews conducted in different entities.
Map critical functions within the organization and explore reporting obligations.
Define the confidentiality, integrity, and availability (CIA) threshold for critical data, in alignment with business, IT, security, and data strategy. This covers data loss prevention, information security, BCM and operational resilience.
Map functions, processes, and systems to the data sources required to maintain operations.
Build a data catalog to define data lineage across systems.
Use the CIA triad and factor rating model to categorize data assets as Critical Data Elements (CDEs).
Summary
The revised FINMA circular on operational risks and resilience requires significant change in the way banks manage their data. Institutions need to adopt and adapt their existing data strategy, BCM and operational resilience policies to protect their business-critical data. The most challenging aspect here is increasing visibility on critical functions and classifying data criticality. A critical data discovery approach that considers legal, risk assurance and technology perspectives is an effective way to ensure compliance with the new Swiss regulatory requirements.
About this article
Authors
Senior Manager, Business Consulting in Financial Services | EY Switzerland
Director, Technology Consulting in Financial Services | EY Switzerland
Senior Manager, AI Law Leader in Financial Services | EY Switzerland