Lithuania’s central bank has warned e-money and payment institutions over how they manage third-party information and communication technologies (ICT) risks, pushing for stronger supervision.
Analysis by the Bank of Lithuania has weaknesses in the ICT strategy of payments and e-money firms.
"These representatives of the licensed fintech sector often purchase ICT services from third parties in order to achieve business efficiency,” says Renata Bagdonienė, director of the banking and insurance supervision department of the Bank of Lithuania.
“However, the responsibility for risk management in this area rests with the institutions themselves and they must monitor, evaluate and control how third parties provide these services,” she said, adding that it is also important that institutions practically test how their providers would act in the event of a crisis.
As part of its intervention, the Bank of Lithuania has warned that not all e-money and payment institutions manage to perform tests of their business continuity plans or describe them properly.
The Bank of Lithuania further notes that this happens more often to institutions that use third parties for ICT services, advising that business continuity plans should be reviewed and updated at least once a year to include not only infrastructure failure scenarios but also cyberattack scenarios.
In addition, the regulator has said that institutions should check how third parties that provide ICT services would fulfil their obligations in a crisis situation, adding that only ongoing practical testing of plans can reduce the damage of incidents and ensure that the institution will be properly prepared for an emergency.
Among the weaknesses raised by the central bank is that senior managers’ involvement in ICT issues is “insufficient”.
The central bank said not all management bodies — supervisory board, board or manager — pay sufficient attention to the management of information security, business continuity and other ICT risks.
For example, they are mostly limited to approving risk assessment reports and analysing incident information.
Meanwhile, other ICT issues, such as how third parties comply with obligations, business continuity plan verification, security training, or ICT project progress reports, are rarely or not considered at all by the institution's management bodies.
“This weakens the cyber resilience of institutions and may lead to non-compliance with legal requirements,” the Bank of Lithuania warns.
The regulator also said that it found most of the payments and e-money institutions that were analysed do not have a clear strategy for ICT services in the medium and long term.
These firms should define the architecture of this field, its development and changes and clear information security goals, the Bank of Lithuania has recommended, adding that ICT strategies should also include analysis of the dependency on third parties providing ICT services.
The Bank of Lithuania’s study of this area comes as firms prepare to comply with the EU’s Digital Operational Resilience Act (DORA), which will include changes in compliance for payments and e-money firms.
Experts have told žž previously that payments firms will need to review and increase the resilience level of their current ICT landscape, and will also need to review and update their internal policies, procedures and governance before enforcement begins.
Additionally, management bodies have to be involved to define, approve, oversee and ultimately take ownership of the regulation.