Bank Indonesia Regulation Number 9/15/PBI/2007 Concerning Implementation of Risk Management in the Use of Information Technology by Commercial Banks
Summary:
- PBI Number 9/15/PBI/2007 on Implementation of Risk Management in the Use of Information Technology by Commercial Banks is drafted as a guideline for risk management in the use of IT which must be followed by Banks to mitigate the risks involved in the use of IT. This is due to the fact that, despite the various benefits and advantages of the use of IT in the Bank's operational venture and customer service, there are several risks that could impair the Bank and its services to customers, which include operational risks, legal risks, and risks posed to the Bank's reputation, aside from other banking risks such as liquidity risks and credit risks.
- Main Items of the Regulation on Risk Management in the Use of Information Technology by Commercial Banks are as follows:
- Scope of Risk Management
Effective risk management in the use of Information Technology must at least encompass:
- active observation by the Board of Commissioners and Directors;
- sufficient policies and procedures on the use of Information Technology;
- sufficiency of processes to identify, appraise, observe and control risks in the use of Information Technology; and
- internal control systems on the use of Information Technology.
- Implementation of Risk Management in the Use of Information Technology
In the implementation of risk management measures in the use of Information Technology, Banks should pay attention to the following:
- the availability of an Information Technology Steering Committee which is responsible for presenting recommendations to Directors in relation to, amongst others, ensuring that the Information Technology Strategic Plan is in accordance with the Bank's strategic business plans;
- the availability of policies and procedures in the use of Information Technology that at least encompass managerial aspects, development and establishment, Information Technology operations, communication networks, information security, Business Continuity Plans, end user computing, electronic banking, and the employment of Information Technology service providers;
- the availability of Business Continuity Plans and Disaster Recovery Plans which are tested at least annually;
- the carrying out of periodic internal IT audits. Should the Bank be limited in its ability to carry out such audits, the functions of internal IT audit may be carried out by external auditors.
- Carrying Out of Information Technology by Information Technology Service Providers
1) Information Technology may be carried out by Banks themselves or through the employment of Information Technology service providers, as long as the following conditions are met:
- Banks are responsible for the application of risk management.
- Service providers must be able to guarantee total information security, including Bank secrets and personal information of customers.
- Service providers must grant access to internal, external and Bank Indonesia's auditors.
- Service providers must be prepared for early termination if deemed to be obstructing observation by Bank Indonesia.
2) Data Centers and/or Disaster Recovery Centers are to be established domestically. Should any be established out of state, prior approval should be obtained, while still conforming to the requirements stated in point 1) above, and the following additional requirements:
- a statement from the surveillance authorities in the associated country that Bank Indonesia can conduct inspections on the service provider;
- the benefit to the Bank outweighs the costs;
- the availability of plans by the Bank to improve human resources capabilities related to the carrying out of Information Technology and the business transactions or products offered.
3) Processing of technology-based transactions by out of state service providers can only be carried out with prior approval from Bank Indonesia, while still conforming to the requirements stated in points 1) and 2) above, and the following additional requirements:
- the involved activities are not inherent banking functions;
- financial administration supporting documents on transactions carried out at the Bank's offices within Indonesia are to be maintained at an office of the Bank within Indonesia;
- the Bank's Business Plans demonstrate efforts to further the role of Banking in Indonesia's economic development.
- Electronic Banking
Any plan to publish Electronic Banking products which are transactional in nature must be included in the Bank's Business Plan and submitted to Bank Indonesia 2 (two) months before said product(s) are published. The report must be complemented with, amongst others, the results of analysis conducted by independent parties on the characteristics of the product and the sufficiency of Information Technology security. Banks must educate customers on their Electronic Banking products and their security.
- Transition Provisions
The following must be made to conform to the directives contained in this Regulation of Bank Indonesia within 12 months of the validation of this Regulation of Bank Indonesia:
- Policies and procedures in the use of Information Technology and Guidelines for Risk Management in the Use of Information Technology.
- Agreements on the employment of Information Technology service providers.
- The Information Technology Steering Committee.
- The establishment of Data Centers and Disaster Recovery Centers and the carrying out of technology-based processing by foreign or out of state Information Technology service providers.