
      Information assets are increasingly becoming the basis for value creation. They are an essential component in achieving corporate goals. With our expertise, we show our customers how to organise the long-term, commercially sensible use of resources for the appropriate and effective protection of information assets.

      KPMG takes a holistic view of IT compliance and information security, i.e. starting with the strategy and the corresponding guidelines, the resulting processes and organisational structures, the employees and the technical IT components. This ensures that not only the individual components, but also their interaction as a whole works.

      Information technology as the basic infrastructure for all functional and non-functional processes

      Information technology is the basic infrastructure for all technical and nontechnical processes at banks and insurance companies. In a globalised financial world in which more and more people are paying and transferring money digitally, and in which many investors invest their money online, IT governance and information security are now just as important to the supervisory authorities as providing institutions with capital and liquidity.


BAIT, VAIT, DORA: Study on cloud governance and cloud security in the financial services sector

      How to strengthen your digital resilience

A guide to understanding DORA and its impact on the financial sector

      Our services

      We support you with all IT compliance issues, currently focussing on the following areas:

      Operational resilience is becoming increasingly important for financial institutions as well as for national and EU regulators. There is a consensus that companies should create appropriate cyber security for themselves and strengthen their resilience against threats.

      In order to protect themselves appropriately, companies need an overview of potential risks. This includes not only the threat to individual IT systems, but also all relationships in the value chain. The regulators have addressed this in the Digital Operational Resilience Act (DORA). As part of the EU Commission's strategy for the digitalisation of the financial sector, it is intended to make companies more resilient to cyber threats. DORA came into force in January 2023. For financial companies, implementing DORA within the specified two-year period will be a test of endurance. New requirements include the creation of a digital resilience strategy, the extended testing of emergency plans and the performance of threat-based penetration tests. In this context, the importance of harmonised interaction between the disciplines involved, such as IRM, BCM and outsourcing, is growing.

      Many companies have already carried out a gap analysis or are starting to do so in order to obtain early transparency about the necessary measures and their location in existing projects or line structures. We have experts, the appropriate tool and various benchmarks for categorising and submitting implementation options.

      The ECB is conducting a cyber resilience stress test at ECB-regulated banks for the first time in 2024. The aim is to assess the operational resilience of an institution's core banking systems against a serious but plausible cyber security event. The test has a two-stage structure. In the simplified approach, all institutions must complete a questionnaire within two months, provide appropriate evidence and submit a cyber incident report to the ECB. In the more in-depth approach, which affects 20 selected institutions, a recovery test for the cyber scenario must be demonstrated and a two-month on-site validation of the evidence takes place.

      The ECB communicated its supervisory expectations to the banks for consultation in a workshop on 3 July 2023. Banks can submit their feedback to the ECB by 15 August 2023. The cyber resilience stress test begins on 2 January 2024 and ends for the simplified approach on 29 February 2024 with the submission of the questionnaire and evidence. The subsequent in-depth on-site validation ends on 30 April 2024.

      Passing the ECB Cyber Resilience Stress Test requires cross-functional cooperation between various 1st, 2nd and 3rd LoD units in the areas of IT SCM, BCM, IT, information security, outsourcing management and in the business units. The Cyber Resilience Stress Test is designed end-to-end and requires the assessment of the economic loss as well as the involvement of (IT) service providers. The evidence goes beyond the requirement for a written policy and includes, for example, plans and tests for business continuity, response and recovery as well as internal control processes and results for ICT and security risks.

      The Payment Services Supervisory Requirements for IT (ZAIT) for e-money institutions, fintechs in payment transactions, providers of instalment purchase financing and experts for innovative payment solutions have been in force since mid-August 2021. The publication of the ZAIT expands the existing compliance requirements for the security of payment and e-money institutions. An important focus here is on the establishment of comprehensive risk management as well as the documentation and implementation of corresponding processes. The supervisors are also focussing on ensuring that service providers and sub-service providers of ZAIT-regulated companies comply with the requirements.

      We are one of the leading companies in the field of compliance and are happy to support you in the implementation of ZAIT with a specially developed ZAIT compliance analysis and our many years of experience in the preparation and monitoring of supervisory audits as well as the definition and implementation of measures. Our method of defining ambition levels has proven its worth for the measures.

      The supervisory focus continues to be on cyber risks and risks from potentially inadequate modernisation and implementation of digitalisation projects - both at national and EU level (BaFin, ESAs). In addition to current requirements, it is also important to be prepared for new requirements and their implementation across all areas - from in-house services to those of sub-service providers (e.g. from the BAIT/VAIT amendment or from the EU DORA). New BaFin requirements focus in particular on the operational implementation of IT security measures, emergency management and physical security. Not only financial institutions must prepare for audits of their outsourcing and on-site inspections, but critical IT and cloud service providers must also prepare for targeted audits.

      We bring the right tools to the table and prepare our clients for IT regulatory audits, as well as supporting them during a regulatory audit and in the follow-up. Our approach, including methods and templates, is based on our expertise from numerous regulatory audit projects at insurance companies, banks and asset managers.

Targeted IT governance forms the backbone for the effective and secure digital transformation of companies. It supports the appropriate organisational advancement of digitalisation without forgetting to protect the customers and information of financial companies. Other typical questions relating to IT governance include: How can necessary resources be secured now and in the future? How is it possible to work efficiently and without overlaps? How can existing processes be integrated efficiently? What contribution must IT governance make to the company's overarching ESG strategy?

      We develop suitable control mechanisms using IT or IS governance models (including COBIT, NIST CSF, ISO) and the necessary policy framework for their implementation. The aim is to ensure the necessary compliance with regulatory requirements without losing sight of efficiency and pragmatism.

      A shortage of skilled labour and increased pressure to be efficient are combined with extended regulatory requirements in information security (e.g. BAIT/VAIT amendment or DORA), putting increasing pressure on companies. Although they are aware of the importance of a functioning ISMS (Information Security Management System), many are still limiting themselves to merely fulfilling minimum regulatory requirements. Due to an increasingly digital and complex business world, a realistic representation of the risk situation in information security is not possible in a resource-efficient manner with the solutions currently in use. Instead, process automation and the use of tools must be used to ensure that companies are once again in control of their individual threat situation.

      We advise our customers on advanced and future-orientated solutions and methods. We work with you to select the tools that are right for you in order to implement them securely, efficiently and, above all, with a view to the future.

      The correct handling of digital identities forms the basis of a successful digital transformation. The challenges of the customer journey and employee journey as well as the constantly increasing regulatory requirements require modern, integrated solutions.

      We advise our customers on individual issues as well as in long-term projects, from the functional to the technical implementation of IAM, CIAM and PAM solutions, aligned with the business objective and the relevant regulatory requirements.

      Effective business continuity management supports companies in identifying potential threats and their impact on business processes. This enables a company to derive suitable measures against current threats. Critical business processes and resources are identified on a regular basis and an appropriate response can be made with the help of emergency concepts that are subjected to tests.

      BCM/ITSCM is therefore a key cornerstone in achieving the objectives of DORA. Proven emergency plans and effective integration into corporate risk management ensure, among other things, that a company achieves the required operational resilience.

      Our conceptual and methodological range of services is characterised by our many years of experience in the implementation and operation of management systems for BCM and ITSCM and their integration into overarching risk management systems. In addition to the methods and with our relevant tool expertise, we support our clients in the efficient implementation of processes.

      More and more financial institutions are migrating to the cloud. An important criterion when choosing a cloud provider is how they deal with compliance and security requirements. Providers who have set up their services securely and compliantly can make the difference for financial organisations. Current regulations are increasing the pressure on cloud and other IT service providers, as IT supervisory audits are increasingly focussing on relocations. It is important to recognise specific threats and risks, create transparency across the outsourcing chain and manage it efficiently.

      We accompany our clients on their journey to the cloud and other IT service providers right from the start and ensure that they do not stumble over regulations and legislation along the way.

      For financial institutions, IT compliance primarily means increased expenditure. In addition to the use of tools (e.g. in the GRC environment), banks, insurance companies and asset managers are increasingly seeing the benefits of taking regulatory requirements into account right at the start of new IT projects instead of only addressing them in the course of an upcoming IT supervisory or other audit or in relation to an individual finding. Awareness of the benefits of a sustainable and proactive IT compliance strategy is constantly increasing.

      Compliance and security by design means thinking about the security of information assets from the outset and designing systems and processes in such a way that they are legally compliant and secure.

      One important task is IT compliance monitoring - identifying and evaluating new legal and regulatory requirements. The aim is to identify new and changed regulations, assess the risk of possible non-compliance, carry out an impact analysis for implementation and ensure compliant implementation in the policy framework as well as in the organisation, processes and/or tools.

We at KPMG have also set up a function for this purpose: our Regulatory Hub for IT Compliance & Cyber Security. In this way, we ensure that our employees always have the latest expertise and can advise our clients not only on the latest developments, but also on their impact.

      The responsible use of artificial intelligence in financial services requires clear rules, reliable processes and seamless integration into existing governance and compliance structures. This is the only way to exploit the opportunities offered by AI technologies safely and sustainably without jeopardising compliance with regulatory requirements. With our AI Governance & Compliance offering, we create the basis for the legally compliant, transparent and controlled use of AI in financial organisations - from the introduction and ongoing operation through to continuous monitoring.

The core of our approach is an end-to-end AI governance & compliance lifecycle that covers the entire lifecycle of AI applications: from identification and registration to classification and regular compliance checks, supported by smart, AI-based automation. A central component of this is the fundamental rights impact assessment (GRFA), which will be mandatory for the use of high-risk AI from 2026. It includes documenting the use of AI, analysing the time frame, frequency of use, affected groups and risks, and deriving effective supervisory and governance measures. All steps are tool-supported: an integrated GRFA toolkit with digital templates, questionnaires, a risk matrix, decision-making aids and reporting templates ensures efficiency, standardisation and clear evidence for regulators and internal audit.

Downloads

2024 ECB Cyber Stress Test: The stress test is used to assess the digital operational resilience of core banking systems to withstand a severe but plausible cyberattack.

Digital Operational Resilience Act: Ensuring digital resilience through increased responsiveness.

New reporting requirements in third-party risk management: key learnings and takeaways on the information register.