Monetary Board approves the Enhanced Information Technology Risk Management Framework for BSP-Supervised Institutions

The Monetary Board, in its Resolution No. 1286 dated 1 August 2013, has approved the issuance of the enhanced Information Technology Risk Management (ITRM) framework which updates existing IT-related guidelines under Sections X176 and X705 of the Manual of Regulations for Banks (MORB).  It shall cover not only all types of banks but also non-bank financial institutions, electronic money issuers and other non-bank entities which, under existing BSP rules and regulations and special laws, are subject to BSP supervision and/or regulation.

Consistent with international standards and best practices, the enhanced ITRM framework is expected to strengthen the management of risks, the security of operations and governance over IT-related activities, as well as reinforce regulations on consumer protection for electronic products and services, by tackling the growing number of new and sophisticated technological threats. Some of the salient features of the enhanced framework include: (1) adoption of a well-structured IT governance model and processes that ensure alignment of the IT strategic plan with the institution’s business strategy, IT value delivery and effective IT risk management implementation; (2) maintenance of a risk identification and assessment process to continuously evaluate the IT environment and potential changes; and (3) establishment of an overall IT risk mitigation strategy covering the areas of: a) information security; b) project management, acquisition and change management; c) IT operations; d) IT outsourcing/vendor management program; and e) electronic products and services.

To strengthen the electronic retail payment network and protect against ATM and credit card fraud (i.e. skimming and cloning), the said regulation requires BSP-supervised institutions (BSIs) to adopt end-to-end Triple Data Encryption Standard (3DES) across the whole ATM network by 1 January 2015 and to shift from magnetic stripe technology to more secure EMV chip-enabled cards by 1 January 2017. A written and Board-approved EMV migration plan shall be submitted to the BSP within six (6) months from the date of the said circular. Nevertheless, prior to the deadlines mentioned, BSIs are expected to employ the practical measures provided to mitigate exposure to skimming attacks.

Seeing the inclination of banks, particularly rural and thrift banks, to use cloud computing technology to leapfrog their financial services, the enhanced framework also provides direction on the adoption of cloud computing in the financial services industry.

Finally, recognizing that no single framework may be considered “one-size-fits-all,” guidelines have been provided to classify BSIs as having either a “simple” or a “complex” IT risk profile. Thus, the extent to which relevant provisions of the framework are adopted may be made proportionate to each BSI’s IT risk profile.

The enhanced ITRM framework will take effect fifteen (15) calendar days after publication of the appropriate Circular in the Official Gazette or a newspaper of general circulation in the Philippines.