2023-12-29

Instruction No. 80/AMF-UMOA/2023 on Information System Requirements for the Central Securities Depository / Settlement Bank

The Authority for Financial Markets of the West African Monetary Union (AMF-UMOA) issued Instruction No. 80/2023 to mandate comprehensive information system security, governance, and risk management standards for Central Securities Depositories and Settlement Banks. The regulation establishes strict technical controls, including mandatory audit trails, robust password policies, segregated testing and production environments, and defined Recovery Time and Point Objectives of 24 hours and two hours, respectively. It further requires continuous risk identification, biannual internal control reporting, triennial security audits, and immediate notification of major incidents to the regulator within 24 hours.


Senegal

Autorite des Marches Financiers de l'UMOA


AMF-UMOA AUTHORITY FOR FINANCIAL MARKETS OF THE WEST AFRICAN MONETARY UNION


INSTRUCTION NO. 80/AMF-UMOA/2023

ON THE INFORMATION SYSTEM REQUIREMENTS FOR THE CENTRAL SECURITIES DEPOSITORY / SETTLEMENT BANK (CSD/SB)


The Authority for Financial Markets of the West African Monetary Union,

Having regard to the Revised Treaty of the West African Monetary Union (UMOA) of 12 July 2019, which entered into force on 1 October 2022, modifying the name of the Regional Council for Public Savings and Financial Markets (CREPMF) to the Authority for Financial Markets of the UMOA (AMF-UMOA);

Having regard to the Convention of 3 July 1996 establishing the Regional Council for Public Savings and Financial Markets, particularly its Annex on the composition, organization, functioning, and powers of the Regional Council for Public Savings and Financial Markets;

Having regard to the General Regulation on the organization, functioning, and supervision of the UMOA regional financial market;

Having regard to Instruction No. 3/97 of 29 November 1997 on the authorization of the Central Depository/Settlement Bank;

Having regard to Decision No. 004 of 29/04/2021/CM/UMOA appointing the Chairman of the Regional Council for Public Savings and Financial Markets;

Having regard to the deliberations of the AMF-UMOA at its 98th ordinary session on 23 December 2023, held in Cotonou, Republic of Benin;

HEREBY ADOPTS:


Republic of Côte d'Ivoire | Abidjan Plateau Avenue Joseph ANOMA | 01 BPM 1878 Abidjan 01 Tel: (+225) 27 20 21 57 42 | 27 20 31 56 20 | Email: sg@amfumoa.org | Website: www.amfumoa.org


2/12 Instruction No. 80/2023/AMF-UMOA

TITLE 1: GENERAL PROVISIONS AND OBLIGATIONS

Article 01: Definitions

For the purposes of this Instruction, the following terms shall mean:

a) Computer Incident: Any event that is not part of the standard operation of a service and causes, or may cause, an interruption or a reduction in the quality of that service.

b) Software Platform: Business software used by the CSD/SB, notably the depository software.

c) Audit Trail: Chronological recording of system activities showing all additions, deletions, and changes made to the system, enabling the reconstruction and control of an operation from its origin to its completion.

d) Business Continuity Plan: A formalized strategic document, regularly updated, for disaster or major incident response planning. Its objective is to minimize the impacts of a crisis or natural, technological, or social disaster on business operations (and thus the sustainability) of an enterprise.

e) User Profile: A description of a user showing the rights they are granted within the business software.

f) RPO (Recovery Point Objective): The RPO quantifies the data that an Information System may lose as a result of an incident. Typically, the RPO expresses a duration between the incident causing data loss and the date of the most recent data that will be used to replace the lost data.

g) RTO (Recovery Time Objective): The RTO represents the maximum acceptable duration of interruption during which a resource (computer, system, network, software) may be non-functional following a failure or disaster.

Article 02: Purpose

This Instruction sets forth the rules regarding the security and risk management of the Information System of the Central Depository / Settlement Bank (CSD/SB).

Article 03: Scope

This Instruction applies to the Central Depository / Settlement Bank.

TITLE 2: CSD/SB INFORMATION SYSTEM SECURITY FRAMEWORK

Article 04: Audit Trail

An audit trail must be configured on all business software platforms to ensure the recording of actions performed by users of that platform, thereby guaranteeing their traceability. Furthermore, access to this audit trail must be restricted so that it is not accessible to data administrators.

Article 05: Logging and Access Rights to the Audit Trail

The business software, Databases, and Operating Systems of the CSD/SB must possess security features that allow logging of performed actions, thereby enabling the detection and analysis of any irregularity.

This logging (activation of the audit trail) must be effective on business software.

The audit trail of business software must be secured (protected against any modification) and archived adequately to guarantee its integrity and its quality as evidence. It must be accessible only to the Internal Audit or Internal Control Department.

The audit trail of business software, as well as the logs of databases and operating systems, must be retained for at least five (5) years to serve later in potential disputes or for analytical purposes.
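Articles 04 and 05 ask for an audit trail that records every user action, is protected against modification, and can be read only by Internal Audit or Internal Control, not by data administrators. The following is an added illustration of how those three properties can be implemented together; it is not part of the Instruction and not the CSD/SB's own software. Each entry carries a SHA-256 link to the previous entry, so any later edit or deletion of an archived entry breaks the chain and is reported by `verify()`. The role names `internal_audit`, `internal_control` and `dba`, the in-memory store, and the sample entries are assumptions constructed for the example.

```python
"""Tamper-evident, read-restricted audit trail (added example, not the Instruction's text)."""
import hashlib
import json
from datetime import datetime, timezone

# Assumed role names: only these two may read the trail (Article 05).
READ_ROLES = {"internal_audit", "internal_control"}
GENESIS = "0" * 64  # link value of the very first entry


def _entry_hash(prev_hash, seq, timestamp, user, action, details):
    """Canonical SHA-256 over the entry fields plus the previous entry's hash."""
    payload = json.dumps(
        [prev_hash, seq, timestamp, user, action, details],
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self):
        # Append-only in-memory store (assumption; real deployments archive
        # to write-once media so the chain cannot be silently rewritten).
        self._entries = []

    def append(self, user, action, details, timestamp=None):
        """Record who did what and when; anyone, including admins, may append."""
        timestamp = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        seq = len(self._entries)
        digest = _entry_hash(prev, seq, timestamp, user, action, details)
        self._entries.append({
            "seq": seq, "ts": timestamp, "user": user, "action": action,
            "details": details, "prev": prev, "hash": digest,
        })
        return digest

    def read(self, role):
        """Reading is limited to the audit / internal control roles."""
        if role not in READ_ROLES:
            raise PermissionError(f"role {role!r} may not read the audit trail")
        return [dict(e) for e in self._entries]

    def verify(self):
        """Recompute every link from genesis. Returns (ok, first_bad_seq)."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            expected = _entry_hash(prev, e["seq"], e["ts"], e["user"],
                                   e["action"], e["details"])
            if e["seq"] != i or e["prev"] != prev or e["hash"] != expected:
                return False, i
            prev = e["hash"]
        return True, None


def demo_tamper_detection():
    """Constructed scenario: two entries, then an archived entry is edited in storage."""
    trail = AuditTrail()
    trail.append("ops_user", "CREATE_INSTRUCTION", {"id": "X-001", "qty": 100},
                 "2024-01-15T09:00:00+00:00")
    trail.append("ops_user", "VALIDATE_INSTRUCTION", {"id": "X-001"},
                 "2024-01-15T09:05:00+00:00")
    before = trail.verify()                       # chain intact
    trail._entries[0]["details"]["qty"] = 1000    # simulated tampering of the store
    after = trail.verify()                        # chain broken at entry 0
    try:
        trail.read("dba")
        dba_denied = False
    except PermissionError:
        dba_denied = True
    return before, after, dba_denied, len(trail.read("internal_audit"))


if __name__ == "__main__":
    print(demo_tamper_detection())
```

The chain only makes tampering detectable; it does not prevent it. That is why Article 05 also requires secured archiving: the verification routine, run by Internal Audit over the archived copy, is what turns a detected break into evidence.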

Article 06: User ID and Password for User Authentication

Access to business software must be via user authentication (combination of an identifier and a password) so that only authorized users are admitted. Furthermore, each user's identifier must be unique so that every activity on the software can be linked to a specific user.

Article 07: Prohibition of Simultaneous Access with the Same User Account

Business software should not allow the same user account to open multiple simultaneous sessions, whether from a single machine or from several machines.

Article 08: User Profiles

Each business software must have user profile management functionality. User profiles must prevent the accumulation of incompatible functions and guarantee that users' roles or access rights to each business software are consistent with the users' assignments within the CSD/SB.

Article 09: Password Change at First Login

Generally, each new user of business software is created with a generic password. Therefore, changing this password at first login must be mandatory to reduce the risk of identity theft.

Article 10: Automatic User Disconnection After Inactivity

Business software must offer the option to configure automatic disconnection of a user's session after a period of inactivity in the software not exceeding ten (10) minutes.

Article 11: Password Configuration (length, complexity, duration, history, locking)

Business software passwords must be configurable to define the values of the following parameters:

  • the minimum password length must be eight (08) characters;
  • password complexity (at least one uppercase letter, at least one lowercase letter, at least one special character, at least one alphanumeric character);
  • the maximum password duration cannot exceed ninety (90) days;
  • account locking after a number of login attempts not exceeding three (03).

Article 12: Encryption or Hashing of Password Files/Tables

The password files or tables of business software must be encrypted or hashed so that passwords are not readable by business software or Database administrators.
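Articles 09 to 12 together describe one account-security policy: a forced password change at first login, a session that ends after at most ten minutes of inactivity, a configurable password rule set (minimum length eight, mixed case, a special character, a maximum age of 90 days, lockout after at most three failed attempts), and storage of passwords only in hashed form so that administrators cannot read them. The code below is an added example that enforces all of these in one place; it is not the Instruction's text and not any CSD/SB vendor's code. The parameter values are those of the Instruction; the class and function names, the status strings, the PBKDF2 iteration count, and the sample accounts are assumptions. The Instruction's "at least one alphanumeric character" is read here as "at least one digit", an assumption made because letters are already required by the case rules.

```python
"""Account security policy per Articles 09-12 (added example, not the Instruction's text)."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 8                              # Article 11: eight characters minimum
MAX_AGE = timedelta(days=90)                # Article 11: maximum password duration
MAX_FAILED_ATTEMPTS = 3                     # Article 11: lock after at most three attempts
INACTIVITY_LIMIT = timedelta(minutes=10)    # Article 10: maximum inactivity
PBKDF2_ROUNDS = 200_000                     # assumed work factor
SPECIAL = set(string.punctuation)


def password_policy_errors(pw):
    """Return the list of Article 11 rules a candidate password violates (empty = compliant)."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        errors.append("no lowercase letter")
    if not any(c in SPECIAL for c in pw):
        errors.append("no special character")
    if not any(c.isdigit() for c in pw):   # assumption: 'alphanumeric' read as a digit
        errors.append("no digit")
    return errors


def hash_password(pw, salt=None):
    """Article 12: persist only a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def session_still_valid(last_activity, now):
    """Article 10: the session survives only while inactivity is within the limit."""
    return now - last_activity <= INACTIVITY_LIMIT


class Account:
    def __init__(self, user_id, initial_password, now):
        self.user_id = user_id
        self.salt, self.digest = hash_password(initial_password)
        self.password_set_at = now
        self.must_change_password = True   # Article 09: initial password is generic
        self.failed_attempts = 0
        self.locked = False

    def set_password(self, new_pw, now):
        errs = password_policy_errors(new_pw)
        if errs:
            raise ValueError("; ".join(errs))
        self.salt, self.digest = hash_password(new_pw)
        self.password_set_at = now
        self.must_change_password = False

    def login(self, pw, now):
        """Return one of: locked, bad_credentials, change_password, password_expired, ok."""
        if self.locked:
            return "locked"
        _, digest = hash_password(pw, self.salt)
        if not hmac.compare_digest(digest, self.digest):   # constant-time compare
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "bad_credentials"
        self.failed_attempts = 0
        if self.must_change_password:
            return "change_password"
        if now - self.password_set_at > MAX_AGE:
            return "password_expired"
        return "ok"


def demo():
    """Constructed walk-through of one account; returns the sequence of outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account("ops_user", "Init1al!Pw", t0)          # hypothetical user
    results = [acct.login("Init1al!Pw", t0)]              # forced change at first login
    acct.set_password("N3w!Passw0rd", t0)
    results.append(acct.login("N3w!Passw0rd", t0))        # normal login
    results.append(acct.login("N3w!Passw0rd", t0 + timedelta(days=91)))  # past 90 days
    for _ in range(3):                                    # three wrong guesses -> lock
        results.append(acct.login("wrong-guess", t0))
    results.append(acct.login("N3w!Passw0rd", t0))        # correct password, still locked
    results.append(session_still_valid(t0, t0 + timedelta(minutes=11)))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that `login` reports a lockout even when the correct password is later supplied: unlocking is an administrative action that itself belongs in the audit trail of Article 05, and the constant-time digest comparison avoids leaking which character of a guess was wrong through timing.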

Article 13: Monitoring and Conducting Security Reviews

The CSD/SB must closely monitor personnel with high-level access privileges to its systems, as they possess the knowledge and resources necessary to bypass the controls implemented in these systems and security procedures. The CSD/SB must mandatorily conduct a security audit once every three (03) years, the results of which must be transmitted to the AMF-UMOA no later than 15 May of the year following the triennial period.

It must adopt the following controls and practices:

  • implement strong authentication mechanisms for privileged users, particularly for remote access;
  • limit the number of privileged users;
  • grant privileged access on a strict functional needs basis;
  • record activities performed on systems by privileged users by activating audit logs;
  • prohibit privileged users from accessing system logs in which their activities and those of other users are recorded;
  • review privileged user activities in a timely manner;
  • prohibit the sharing of privileged accounts;
  • prohibit vendors from benefiting from privileged access to systems without close monitoring.

The internal control department of the CSD/SB must perform checks (reviews of user profiles, system access, and audit logs) to identify any irregularity in the use of information systems. Periodically, and at least every six months (in January and July), the reports from these checks must be transmitted to the AMF-UMOA and retained by the CSD/SB.

TITLE 3: GOVERNANCE AND RISK MANAGEMENT

Article 14: Security Framework

In the context of managing risks inherent to information systems, the CSD/SB must implement a framework enabling, on a continuous basis, the identification and assessment of risks, with a view to reducing or managing them. To this end, it develops its risk management strategy approved by its governing bodies.

It must use the following non-exhaustive best practices:

  • ensure that a robust framework for technological risk management is established and maintained;
  • ensure that effective internal controls and risk management practices are implemented to ensure system security, reliability, resilience, and business recovery;
  • establish IT policies, standards, and procedures, which are essential components of the technological risk management framework. Due to rapid changes in the environment and IT security, policies, standards, and procedures should be regularly reviewed and updated;
  • implement compliance processes to verify that IT security standards and procedures are applied. Monitoring processes should be implemented so that compliance deviations are known and corrected in a timely manner;
  • implement an employee IT security awareness program. This program should be regularly updated to ensure its content remains relevant, considering technological evolution and associated risks;
  • conduct a triennial audit of its information system.

Article 15: IT Security Policy

The CSD/SB develops an IT security policy tailored to its activity and its own IT infrastructure, compliant with the most widespread security requirements on the market, notably the ISO 27001 standard.

This policy must be approved by the CSD/SB Board of Directors and communicated to all Information System users (employees, service providers). It is updated regularly, at least every three years, to account for the evolution of the internal and external environment.

Article 16: Business Continuity Plan

The CSD/SB must ensure that its organization, systems, and procedures are designed to maintain their critical functions or restore them as quickly as possible in order to fulfill its obligations towards the regulatory authority and market users.

To this end, the development of a business continuity plan, including an IT contingency plan, is mandatory. The business continuity plan must be approved by the Board of Directors. This plan must, at a minimum, cover the following aspects:

  • an identification of the enterprise's strategically important processes that are critical and necessary for its survival, and of the minimum information system configuration capable of supporting those processes;
  • an assessment of risks, vulnerabilities, and impacts that will lead to the identification of indispensable human resources, important data for the CSD/SB, and the efficiency of mitigation controls for existing risks;
  • a definition of the business continuity strategy, including plan trigger criteria, a recovery site with its description, a presentation of the crisis team with persons authorized to trigger the plan, the acceptable recovery time (RTO: Recovery Time Objective), and the acceptable amount of data loss (RPO: Recovery Point Objective);
  • training and awareness programs for the plan;
  • the plan update and testing program.

The CSD/SB must have a fallback site.

The CSD/SB's fallback site must be established in at least one other UMOA member State to mitigate the risk that the same disaster affects both sites.

The acceptable full recovery time (RTO: Recovery Time Objective) after a disaster is 24 hours.

The acceptable amount of data loss (RPO) is set at two (02) hours of data.

Periodically and at least once a year, the plan must be tested to verify its effectiveness.

The plan effectiveness evaluation exercise must cover, in a non-exhaustive manner, verifiable aspects: (i) the alert procedure, (ii) the functioning of the crisis unit, (iii) the technical failover procedures in backup mode, (iv) the coordination of different stakeholders during a simulated serious incident response exercise, (v) targeted training of personnel on technical procedures, (vi) the degree of plan ownership by CSD/SB personnel, (vii) testing of critical plan elements at least once a year, and (viii) regular testing of the backup recovery procedure to verify its adequacy to the organization's needs.

The test report must indicate the test results, identified weaknesses, and an execution plan to correct these weaknesses.

Article 17: Data Backup and Restoration

The CSD/SB ensures that its information security policy guarantees the integrity of data backups on appropriate media, the regular execution of restoration tests, and the offsite relocation of backup media to a remote site.

Article 18: Access to IT Infrastructure

Access to the CSD/SB's IT infrastructure must rely on strong authentication solutions that allow, with a very high degree of assurance, the verification of user identities. To this end, the CSD/SB must use controlled gateways between the internet and its own IT infrastructure, such as firewalls, proxy servers, antivirus scanners, and content scanners, or other similar up-to-date security solutions. It must ensure that these gateways are properly designed, configured, and secured, and that they are subject to professional daily management and rigorous monitoring.

Article 19: Incident Management

The CSD/SB establishes an information security incident management framework to handle such incidents and contain their impact. It must have an incident management procedure, validated by the General Management, which must:

  • specify which types of incidents it applies to;
  • establish the roles and responsibilities of personnel involved in the incident management process;
  • define a method for reporting incidents after their detection;
  • specify incident priority based on urgency and impact;
  • define the strategy for assigning incidents to personnel responsible for their resolution, taking escalations into account;
  • enable tracking and supervision of incident management (traceability of any incident) to know at all times the resolution level of an incident and to close resolved incidents;
  • explain tasks and responsibilities regarding internal and external communication concerning major incidents.

An incident report taking into account the incident's status and impact, corrective measures adopted, recommendations, and an implementation plan must be transmitted annually, in January, to the AMF-UMOA.

Finally, any major incident must be systematically communicated to the AMF-UMOA within a 24-hour deadline.

TITLE 4: CHANGE MANAGEMENT

Article 20: Application Maintenance

The CSD/SB must implement a formalized application maintenance environment. This must include a testing (staging) environment and a production environment. These two environments must be clearly separated and allow the application maintenance process through correction, acceptance testing, and validation phases before production deployment.

Periodically, the configuration of the staging environment must be brought up to date so that the tests performed there are reliable and meaningful.

Article 21: Change Management Process for Production Systems

The CSD/SB must establish a change management process to ensure that modifications made to production systems are appropriately evaluated, approved, implemented, and reviewed. The change management process must apply to modifications related to software changes and updates, as well as system and security configurations.

This process must be governed by a change management procedure. This procedure, validated by the Board of Directors, must include the following main steps:

  • initiation of the change;
  • risk and impact analysis of the change;
  • authorization of the change;
  • prioritization of the change;
  • quality assurance testing, user acceptance testing (UAT);
  • rollback plan;
  • decision to deploy the change to production;
  • production deployment of the change while respecting the principle of segregation of duties;
  • documentation of the change, user training, and distribution of training materials to users;
  • post-implementation monitoring of the change.

TITLE 5: INFORMATION SYSTEM-RELATED RISK MANAGEMENT

Article 22: Information System-Related Risk Management Process

In the context of managing risks inherent to information systems, the CSD/SB implements a framework enabling, on a continuous basis, the identification and assessment of risks, with a view to reducing or managing them. To this end, it develops its risk management strategy approved by its Board of Directors. The CSD/SB conducts or has conducted, at its expense if necessary, the necessary controls for the security of facilities and other equipment. It forwards the minutes of these controls to the AMF-UMOA upon its express request. The CSD/SB implements the necessary human and material resources for security and safety, for the operation of the facilities at its disposal.

Article 23: Protection Against Malware and Cyberattacks

The CSD/SB implements prevention, detection, and correction measures to protect its information system against malware and cyberattacks.

The CSD/SB General Management must integrate into its annual management report to the Board of Directors a status of major incidents that occurred during the previous year.

Article 24: Securing Networks, Terminals, and Information

The CSD/SB takes appropriate security measures to protect information transiting through its network, as well as through its connections with users, data providers, and the AMF-UMOA. It ensures that terminals accessing its system have the necessary authorizations. Furthermore, it implements adequate configuration to manage risks inherent to the connection of external users to its information system.

Article 25: Management of Identities and Logical Access to Information Systems

The CSD/SB ensures that each user, data provider, or staff member is identified and authenticated before any access to information systems, and that they have adequate access rights. Each action must be traceable to its author.

Article 26: Physical and Environmental Security Framework

The CSD/SB equips itself with a framework for managing physical access by its personnel and third parties to its secure premises. The premises hosting its data center must be equipped with appropriate environmental protection devices, notably smoke and water detectors, automatic fire suppression systems, as well as temperature probes.

Article 27: Management of IT Service Providers

IT service providers play an important role in the management of the CSD/SB's systems and processes. A meticulous selection and control of service providers