Palestine Monetary Authority
Instructions No. (04) of 2018
Regarding the Regulation of the Information Technology Environment
in Specialized Lending Institutions
After reviewing Legislative Decree No. (9) of 2010 concerning Banks, particularly Article (72) thereof,
and based on the provisions of Decision No. (132) of 2011 on the Licensing and Supervision of Specialized Lending Institutions, particularly Article (35) thereof,
and in accordance with the authorities vested in us,
and in pursuit of the public interest,
we have issued the following Instructions:
Article (1)
Definitions
The words and phrases contained in these Instructions shall have the meanings specified below, unless the context indicates otherwise:
| Term | Definition |
|---|---|
| Monetary Authority | The Palestine Monetary Authority. |
| Specialized Lending Institution | Any institution or corporate entity engaged in lending or financing activities, registered and licensed in Palestine in accordance with the provisions of Decision No. (132) of 2011 on the Licensing and Supervision of Specialized Lending Institutions. |
| Board of Directors | The Board of Directors of the Specialized Lending Institution. |
| IT Governance | The set of relationships, rules, procedures, and principles that ensure the management of information technology to achieve optimal performance of information systems and manage potential and resulting risks, while providing appropriate and documented information to its users. |
| Outsourcing | Any assignment by a Specialized Lending Institution to any natural or legal person outside the institution's management to perform the main tasks executed by the institution's IT department, excluding purchase, supply, construction contracts, and technical support provided by system vendors. |
Article (2)
Scope of Application
The provisions of these Instructions shall apply to Specialized Lending Institutions operating in Palestine and licensed to conduct their business in accordance with the provisions of Decision No. (132) of 2011 on the Licensing and Supervision of Specialized Lending Institutions.
Article (3)
Role of the Board of Directors
The Board of Directors shall perform the following:
- Approve appropriate strategies and policies to develop the IT environment in the Specialized Lending Institution, ensuring alignment with the institution's overall strategies and policies and considering them an integral part thereof.
- Approve an appropriate organizational structure that contributes to achieving IT governance in the Specialized Lending Institution.
- Approve annual plans specific to the IT environment that achieve the objectives and strategies of the Specialized Lending Institution.
- Approve sufficient financial budgets to implement the plans and strategies of the Specialized Lending Institution regarding the IT environment.
- Ensure that the Governance Committee established under the Board of Directors reviews the pillars of IT governance at least once a year, as part of the annual governance assessment of the Specialized Lending Institution, and submits the related reports to the Board of Directors.
Article (4)
Role of the IT Executive Management
The IT Executive Management of the Specialized Lending Institution shall perform the following:
- Implement the annual plans approved by the Board of Directors related to information technology.
- Prepare a dedicated IT policy and strategy that must align with the institution's overall policy and encompass all aspects of IT activities.
- Prepare an appropriate organizational structure for the IT department, subject to periodic review, which forms part of the institution's overall structure, covers functional contributions, and ensures segregation of duties.
- Prepare job descriptions for all positions in the organizational structure, inform employees thereof, and have them sign to acknowledge receipt and commitment to compliance. Job descriptions must include, at a minimum: (job title, brief description of the nature of the job, administrative reporting line, subordinates, duties and responsibilities, relationship of the job to other jobs, and required academic and professional qualifications for the job holder).
- Prepare a comprehensive operations manual containing specific and sequential steps for performing work. These procedures must be clear and flexible, maximize resource efficiency, be subject to control, ensure segregation of duties, and guarantee the absence of duplication.
Article (5)
IT Environment Auditing
The Board of Directors shall ensure the existence of an internal IT auditing function within the Internal Audit Department's scope, titled "IT Auditor," responsible for auditing all aspects of IT continuously throughout the year and according to approved annual plans.
- The IT auditing task may be partially outsourced to an external party until qualified internal personnel are available.
Article (6)
Business Continuity
The Board of Directors shall approve a business continuity and crisis management plan to avoid any losses that the Specialized Lending Institution may suffer, as follows:
- A disaster recovery plan must be prepared to handle emergency situations that may cause system and network disruptions.
- The disaster recovery plan must be reviewed by an independent external party, such as external auditors.
- The plan must be tested at least once a year, and the results of the inspection/testing must be reported to the Monetary Authority.
- All critical IT environment equipment must be configured according to High Availability principles, ensuring a backup for each main component in the IT environment, excluding branch equipment that does not receive cash payments from customers.
- Main data centers must be established and equipped according to best practices and specifications.
- Human resources for the IT team must be strengthened to enhance the ability to manage IT functions effectively, through hiring and continuous training to ensure skill availability.
Article (7)
Outsourcing
The Specialized Lending Institution must adhere to the following controls regarding IT outsourcing:
- Prepare a dedicated policy for IT operations outsourcing that forms part of the institution's overall IT policy.
- Submit all outsourcing agreements to the Board of Directors for approval.
Article (8)
Institution's Responsibilities Regarding Outsourcing Operations
The Specialized Lending Institution remains fully responsible for IT tasks, and outsourcing any IT tasks does not relieve it of its responsibilities to the Monetary Authority, its customers, or other stakeholders. In this regard, the institution must:
- Subject all outsourced IT operations to the institution's risk analysis and all internal control and audit procedures, and ensure that outsourcing these operations to third parties will not prevent the institution from fulfilling its obligations to all stakeholders.
- Subject all outsourced IT operations to external auditing.
- Verify the experience and capability of the parties to whom tasks will be outsourced regarding their ability to execute tasks and operations, ensure proper execution, and continuously monitor the status of these parties.
- Develop plans and arrangements that ensure the institution's ability to provide immediate alternatives if contracted parties cease performing their assigned tasks for any reason. Providing these plans and arrangements is a fundamental condition for obtaining the Monetary Authority's approval.
Article (9)
Contractual Terms
The relationship with parties handling outsourcing operations must be governed by contracts that comply with the laws in force in Palestine. These contracts must include, at a minimum, the following:
- Competent Palestinian courts shall be the dispute resolution authority between the parties, unless otherwise agreed.
- The service provider company must maintain the confidentiality of the data and information it obtains by virtue of executing the institution's operations under the contract, and must not disclose or reveal them to any party without prior approval from the institution and within the limits permitted by the laws and instructions in force in Palestine. The contracts must include clear penalty clauses regarding this matter.
- The contracted party must directly notify the Specialized Lending Institution of any circumstances or events that may affect its ability to fulfill its contractual obligations.
- The contracted party must prepare plans and arrangements to address any emergency circumstances and plans to ensure business continuity on their end, and provide a copy to the Specialized Lending Institution.
- The contracted party must provide the Monetary Authority, upon request and without delay, with any information or data regarding the operations performed on behalf of the institution or any institution-related information held by those parties, without referring back to the Specialized Lending Institution.
- The contracted party must execute the tasks assigned by the institution under the outsourcing agreement without subcontracting to any third party. The contracts must include clear penalty clauses regarding this matter.
- The institution's right to terminate the contract if the service provider fails to comply with contractual terms, exposes the Specialized Lending Institution to risk, or if the Monetary Authority requests it based on authorities vested in it by law.
Article (10)
Infrastructure Equipment
The Specialized Lending Institution must, at a minimum, provide IT infrastructure equipment as follows:
- Main Data Center (Data Center) equipment as follows:
  a. The space must be sufficient for devices, equipment, and staff.
  b. Provide appropriate cooling systems for the data center room.
  c. The room floor must be raised and insulated from the ground, and walls, ceilings, and floors must be made of fire-resistant materials.
  d. Provide a backup electrical generator for the premises, sized according to expected electrical loads.
  e. Provide sufficient fuel tanks for the generator.
  f. Provide a central UPS capable of powering electrical loads on-site until the electrical generator starts.
- General security and safety equipment as follows:
  a. The main Data Center room must be sufficiently secured, with an access control and logging system provided.
  b. Install high-specification internal surveillance cameras and recording devices, with recordings retained for a period of no less than one year.
Article (11)
Backup Equipment
The backup process is crucial for ensuring business continuity and data preservation. The institution must adhere to the following:
- Provide a suitable backup system capable of performing the required backups.
- Provide daily system backups stored inside and outside the building under specific procedures with dual control and in a secure location.
- Provide clear mechanisms and operational procedures regarding the number of copies, backup method, storage location for backups, and access permissions.
- Provide clear operational procedures for restoring data from backups and conducting tests on them.
- Provide a fire-resistant backup vault for storing backups, equipped with a dual control mechanism.
Article (12)
Information Security
The Specialized Lending Institution must prepare an information security policy approved by the Board of Directors in accordance with relevant international standards.