Article

ICT Oversight on the Payment Industry

Gaining Valuable Insights into the IT Maturity of your Payment Institution

The payment industry and cyber security risks are evolving rapidly within the current era. Challenges that payment service providers may encounter more frequently center around Outsourcing, General Data Protection Regulation (GDPR), Fraud, and of course Cybersecurity. Over the last years, cyber-attacks have become more the norm than an exception and the financial services sector is a well-known target for such attacks. Deloitte has thorough expertise within the financial industry sector and can assist your organization in their oversight responsibilities and in gaining valuable IT insights.

As part of Circular NBB_2021_26, the National Bank of Belgium (NBB) is requesting their Payment Institutions (PIs) and Electronic Money Institutions (ELMIs) to submit an IT Risk Questionnaire. This will enable the NBB in gaining valuable insights into the IT maturity of the payment institutions and further to assist them in their oversight responsibilities.  

Preparing the IT Risk Questionnaire

The IT Risk Questionnaire contains several domains:

  • General DataThe questionnaire requires a description of the Payment Institution or Electronic Money institution itself and covers topics such as obtaining insights on financial matters within the institution, information on staff, describing the IT environment (such as critical IT systems and if entities have experienced cyber incidents), and insights on the IT strategy and governance within the institution. 

  • IT Risk Level (ITRL) AssessmentThe second part of the questionnaire deep-dives into IT-risks in order to provide insights in the overall IT risk level of the institution. To what extent is your organization prone to disruption? How many outdated systems that support business critical processes are within your entity? How many changes caused incidents (including confidentiality, integrity and/or availability) within the production environment of your organization?Getting thorough insights in these matters is not only advisable, it is also very valuable in steering the IT strategy and governance of the institution into the right direction. 

  • IT Risk Control (ITRC) Assessment The latter part of the questionnaire is designed to assess the maturity level of the IT key controls across 10 IT areas within the institution. Payment and Electronic Money Institutions are asked to rate their internal IT controls on maturity level across a broad range of IT topics, such as: IT governance, IT outsourcing, IT security management, IT operations, Data Quality Management and more. Institutions must rate their IT controls on a scale from 1 to 4 and must take into account both the design, implementation and effectiveness of the controls.

The National Bank of Belgium asks their partners to submit their IT Risk Questionnaire before the end of Q1 (31st of March 2022). We advise organizations to already reflect on their IT environment in advance in order to be adequately prepared.  

How Deloitte Can Help

The IT Risk Questionnaire covers broadly the IT Risk, IT Strategy and IT Governance within your organization. To gain good insights within your organization and its IT governance, it is critical to deep-dive into your IT landscape and assess adequately. 

What can we offer?

Additionally, Deloitte Belgium can offer a range of various other services such as:

  • Gap Analysis vs Industry Best PracticesThrough our years of experience within the payments industry locally and globally, we are well-aware of the best standards and practices across the industry and can provide your institution with extensive insights.  
  • Identification of ‘Pain’ Points – including a draft Remediation PlanWe can help in shaping the digital strategy and in rethinking and optimizing your architecture by identifying points of improvement within your organization. To complement our insights, we can offer a draft Remediation Plan with hands-on strategy guidelines to optimize your security and governance architecture.

Why organizations choose Deloitte

Deloitte has thorough expertise within the financial industry sector. Our years of experience within IT Risk, IT Governance and IT Strategy can really help your organization in completing IT Risk Questionnaire requested by the NBB. Our experience, next to our proven methodologies as well as our accelerators will contribute to an efficient, effective and insightful completion of the NBB request. 

We at Deloitte, are uniquely positioned with strong credentials that allows us to bring you valuable insights related to your IT infrastructure. Do not hesitate to contact our subject matter experts for further information via our website or personally by reaching out to Bert TruymanMelissa Naidoo or Michal Zavodny.

Did you find this useful?