Regulatory Alerts2015-06-15
Instruction No. 010-06-2015 of June 15, 2015 on the Business Continuity Plan for Credit Information Bureaus
The Governor of the Central Bank of West African States (BCEAO) issued this Instruction to mandate Credit Information Bureaus across UEMOA member states to develop, validate, and annually update a comprehensive Business Continuity Plan. The plan must identify essential resources, assess risks, maintain hot IT backup infrastructure within the region, and include a disaster recovery protocol ensuring operational transfer within twenty-four hours of an incident. Furthermore, bureaus must establish a crisis management unit with clearly defined roles, implement robust data protection policies, and report plan updates to the BCEAO through their annual compliance reports.
Instruction No. 010-06-2015 on the Business Continuity Plan for Credit Information Bureaus
The Governor of the Central Bank of West African States (BCEAO), Having regard to the Treaty of the West African Monetary Union (UEMOA) dated January 20, 2007, particularly Article 34; Having regard to the Statutes of the Central Bank of West African States (BCEAO), annexed to the UEMOA Treaty dated January 20, 2007, particularly Articles 30 and 59; Having regard to the Uniform Act regulating Credit Information Bureaus in the member states of UEMOA, particularly Articles 24, 27, 28, 29, 35, 37, 41, 64 and 76, DECIDES
Article 1: Subject Matter This Instruction specifies the rules regarding the development and implementation of the Business Continuity Plan for Credit Information Bureaus in the UEMOA member states.
Article 2: Development and Implementation of a Business Continuity Plan Credit Information Bureaus develop and update at least once a year a Business Continuity Plan to ensure the continuation of their activities, particularly in cases of loss, crisis, or force majeure. The Business Continuity Plan identifies all resources and assets required to maintain the essential activities of the Credit Information Bureau and to minimize the impacts of service interruptions caused particularly by a loss, crisis, or force majeure. It is validated by the deliberative body of the Credit Information Bureau. The Business Continuity Plan is verified at least once a year by the internal control body of the Credit Information Bureau. Any recommendations arising from these reviews must be subject to an action plan for their implementation. Emergency, fallback, and recovery procedures are developed, tested, and regularly adapted to ensure the maintenance or execution of activities. They are appropriately stored and protected against unauthorized access.
Article 3: Risk Assessment The Business Continuity Plan for Credit Information Bureaus is based on a risk assessment enabling: – to identify human resources, data, and infrastructure elements supporting essential activities; – to establish a list of potential vulnerabilities and threats; – to estimate the probability of threat occurrence; – to measure the effectiveness and efficiency of the risk control mechanism.
Article 4: IT Backup Plan The Business Continuity Plan must include an IT Backup Plan specifying the data protection strategy essential to the activities of Credit Information Bureaus. IT backup infrastructure must be kept hot (fully operational) within the UEMOA.
Article 5: Data Protection Credit Information Bureaus adopt an appropriate backup policy to prevent the loss, alteration, theft, or unwanted modification of data essential to their activities. Data backup is performed on media stored within the UEMOA, outside the state of the main operating site. Measures are taken to protect backup media against any risk of accidental or intentional destruction.
Article 6: Disaster Recovery Plan The Business Continuity Plan for Credit Information Bureaus includes a disaster recovery plan that formalizes the transfer of essential activities to their backup site established within the UEMOA, within twenty-four hours following the occurrence of the disaster.
Article 7: Establishment of a Crisis Management Unit Credit Information Bureaus establish a crisis management unit involving their General Management. The roles and responsibilities of the unit members must be known to all staff.
Article 8: Activation Procedures for the Business Continuity Plan The activation procedures for the Business Continuity Plan must be clearly defined and known by the members of the Credit Information Bureau's crisis management unit.
Article 9: Reporting to the Central Bank Credit Information Bureaus prepare, within the compliance report submitted to the BCEAO at the end of each year, a status update on the Business Continuity Plan.
Article 10: Compliance with Rules and Sanctions Non-compliance with the rules set out in this Instruction is sanctioned, in accordance with the provisions of the Uniform Act regulating Credit Information Bureaus in UEMOA member states, without prejudice to the legislative and regulatory provisions in force in the Union's member state of establishment.
Article 11: Entry into Force This Instruction enters into force on the date of its signature. It shall be published where necessary. Done in Dakar, on June 15, 2015 Tiémoko Meyliet KONE