2023-06-28 | NDMC-24

Technical Standards on Requirements for Information Systems of Securities Market Entities

The Central Reserve Bank of El Salvador issued Technical Standards CNBCR-04/2023 to establish minimum requirements for information systems used by securities market entities. The regulation mandates that entities submit detailed system descriptions, security policies, and undergo rigorous testing phases to ensure operational efficiency and transparency. These standards apply to various financial intermediaries and replace previous guidelines effective July 14, 2023.


El Salvador

Superintendencia del Sistema Financiero


CNBCR-04/2023 NDMC-24 TECHNICAL STANDARDS ON REQUIREMENTS FOR INFORMATION SYSTEMS OF SECURITIES MARKET ENTITIES Approval: 06/28/2023 Validity: 07/14/2023 Alameda Juan Pablo II, between 15 and 17 Norte Ave, San Salvador, El Salvador. Tel. (503) 2281-8000 www.bcr.gob.sv Page 1 of 7

THE COMMITTEE OF STANDARDS OF THE CENTRAL RESERVE BANK OF EL SALVADOR,

CONSIDERING:

I. That Article 2, second paragraph, of the Law on Supervision and Regulation of the Financial System, establishes that the proper functioning of the Financial Supervision and Regulation System requires, from the members of the financial system and other supervised entities, compliance with current regulations and the adoption of the highest standards of conduct in the development of their business, acts, and operations, in accordance with what is established in the aforementioned Law, in other applicable laws, regulations, and technical standards issued for such effect.

II. That Article 3, letter b), of the Law on Supervision and Regulation of the Financial System, establishes that it is the competence of the Superintendence of the Financial System to authorize the constitution, operation, start of operations, suspension of operations, modification, revocation of authorization, closure, and other acts of the members of the financial system, in accordance with legal, regulatory, or technical normative provisions established regarding the matter. In the case of closure, it will coordinate the actions established by laws with other involved institutions.

III. That Article 15, letter d), of the Law on Supervision and Regulation of the Financial System, establishes that it is the faculty of the Superintendence of the Financial System to authorize the public promotion, constitution, operation, start of operations, modification of social agreements and statutes if applicable, merger, and other acts of similar nature of the members of the financial system, in accordance with the legal, regulatory, or technical normative provisions established regarding the matter.

IV. That Article 35, letter g), of the Law on Supervision and Regulation of the Financial System, establishes that the members of the financial system are obligated to comply and ensure that the efficient functioning of the systems for recording, processing, storage, transmission, production, security, and control of information flows is fulfilled within the institution.

V. That Article 37 of the Law on Supervision and Regulation of the Financial System, establishes that supervised entities must facilitate, upon request of the Superintendence, by the means it considers convenient, without opposing confidentiality or reserve of any kind, the examination of their business, acts, operations, assets, books, accounts, files, documents, correspondence, databases, and information systems, in all that is pertinent to the supervision activity.


THEREFORE,

by virtue of the normative powers conferred by Article 99 of the Law on Supervision and Regulation of the Financial System, AGREES to issue the following:

TECHNICAL STANDARDS ON REQUIREMENTS FOR INFORMATION SYSTEMS OF SECURITIES MARKET ENTITIES

CHAPTER I OBJECTIVE, SUBJECTS, AND TERMS

Objective Art. 1.- These Standards aim to establish the minimum requirements that the information system or systems acquired or developed by entities operating in the securities market must comply with, for the authorization of the start of their operations by the Superintendence of the Financial System.

Subjects Art. 2.- The subjects obligated to comply with the provisions established in these Standards are: a) Specialized Agents in Securities Valuation; b) General Warehouses of Deposit; c) Product and Service Exchanges; d) Securities Exchanges; e) Brokerage Houses; f) Societies specialized in the Deposit and Custody of Securities; and g) Securitizers and the funds they manage.

Terms Art. 3.- For the purposes of these Standards, the terms indicated below have the following meaning: a) Application, program, or computer system: any software used by the entity for the collection, storage, processing, visualization, or transmission of information related to the financial products or services that such entity offers to its clients; b) Central Bank: Central Reserve Bank of El Salvador; c) Entity/entities: Subjects obligated to comply with these Standards, detailed in Article 2 thereof; and d) Superintendence: Superintendence of the Financial System.


CHAPTER II ON THE REQUIREMENTS OF INFORMATION SYSTEMS

Information Systems Art. 4.- In the case where the Laws and Technical Standards applicable to each of the entities require the use of information systems, for the start of their operations, they must include in their application the detail and description of said systems that substitute or simplify manual processes, as well as their improvements, all with the aim of guaranteeing the efficiency and transparency of systematized operations, this without prejudice to other requirements that must be met before the Superintendence.

Art. 5.- The entity must have the inventory and description of the computer systems and databases that it develops or acquires and uses in the execution of its operations, as well as the description of the computer platform on which they have been developed, presenting, in addition, the backup procedures manual and description of security policies and controls applied to computer systems and databases in accordance with Annex No. 1 of these Standards.

Outsourcing of application development or computer developments Art. 6.- In the event that entities decide to carry out the development of information systems or applications referred to in Article 5 of these Standards to (-23) approved by the Central Bank through its Committee of Standards, insofar as applicable. The quality of contracted services is the responsibility of the entity, which will respond to third parties as if it had carried them out. For such purposes, the entity must have policies and procedures regarding the contracting of services.

CHAPTER III OTHER PROVISIONS AND VALIDITY

Art. 7.- Entities that, at the time of entry into force of these Standards, already have authorization from the Superintendence to start operations, do not need to present their information systems again.

Sanctions Art. 8.- Non-compliance with the provisions contained in these Standards will be sanctioned in accordance with what is established in the Law on Supervision and Regulation of the Financial System.


Repeal Art. 9.- These Standards repeal the Guide on Requirements for the Approval of Information Systems (RS-MV.0010/98) approved on June 24, 1998, by the Superintendence of Securities, whose Organic Law was repealed by Legislative Decree No. 592 which contains the Law on Supervision and Regulation of the Financial System, published in the Official Diary No. 23, Volume No. 390, dated February 2, 2011.

Transitory Art. 10.- Applications presented in accordance with what is established in the Guide on Requirements for the Approval of Information Systems (RS-MV.0010/98) and which were pending at the time these Standards entered into force, will be continued and concluded in accordance with said Guide.

Unforeseen Aspects Art. 11.- Aspects not provided for in regulatory matters in these Standards will be resolved by the Central Bank through its Committee of Standards.

Validity Art. 12.- These Standards will enter into force from the fourteenth of July of two thousand twenty-three.

Annex No. 1

INFORMATION SYSTEMS

STAGE I Generalities Financial institutions interested in being authorized to begin operating in the Securities Market must present the computer system or systems with which they expect to manage the service. They must also inform about any changes that subsequently occur in said system.

Information Systems Area a) General description of the application: i. Generalities; and ii. Objectives. b) Data dictionary, when applicable; c) Online or batch process and justification; d) Security measures; e) Estimated frequency and volume of operations; f) Analyst manual (in the case of internal developments and outsourcing maintenance, when applicable): guide for system (application) maintenance, which includes aspects such as: standards used in the coding of the referred system, definitions or conventions of the data structure; g) User manual of the application; h) Work plan for the application implementation stage: i. Timelines; and ii. Activities. i) Detail of main modules, including: i. Module name; ii. Objective; iii. Main functions; and iv. Flowchart of processing and data capture of critical processes. j) Description of reports issued by the system, including: i. Report name; ii. Objective; iii. Issuance periodicity; and iv. Printed copy of the report.

Communications Area a) Basic diagram of the communications equipment; b) Graphic scheme of the application distribution method; c) Specification of the main and contingency communications provider; d) Indicate the type of link available; e) Security and controls to be implemented during online processes with remote users; and f) Access to the database used in the exchange of information with the Superintendence.


Information Resources Area Presentation of Technological Platform a) Servers: basic description of the server where the application will reside; b) Details of client equipment (antivirus, antimalware, if the equipment is within the Administrator Institution's domain); c) Description of data backup procedures for the application; d) Description of the database software employed; e) Description of development tools used, in the case of internal developments; and f) Description of the server operating system, the database it uses, and client equipment.

Application Testing It is indispensable that before the start of operations or execution of the various applications, the functionality and accuracy of information processing are verified. It is the responsibility of the financial institution to prepare a work area that simulates real execution conditions, including decentralized modules to work online. The points to be evaluated are: a) Inputs; b) Outputs; c) Processes; d) Data specifications; e) Process specifications; f) Access methods; g) Operations; h) Data manipulation (before and after the electronic data processing); i) Reports generated by the application; j) File identification, field and record sizes; k) Online process or batch processes to feed the information to be generated in the reports and their justification; l) Frequency and volumes of operation to generate reports; m) Security systems; n) User access levels (roles); o) Control systems; p) Responsible parties; q) Number of users registered in the application; r) Review of the user training plan; s) Review of the application implementation plan; and t) Testing of calculation routines.

STAGE II Generalities This stage allows verifying the actual functioning of the application, as it reviews the functionality and efficiency of systematized processes. It consists of making a visit to the company and validating the information based on the specifications and controls established in the application. Unlike the previous stage, the creation of a test area is not requested, as the review of inputs and outputs is performed with real data. The points to be evaluated are: a) Transfer and integration of Information, for decentralized applications; b) Operations; c) Integrity and consistency of data; d) System acceptance by users (user interviews); e) Security system; f) Control systems; and g) Data manipulation.