2018-03-02

Regulations Amending Operational Risk Management Guidelines (FFFS 2018:1)

Finansinspektionen amends its operational risk management regulations to update definitions, clarify applicability to financial institutions and clearing operators, and establish stricter continuity testing requirements. The revised rules mandate that covered undertakings determine the maximum allowable interruption times for critical processes and implement internal continuity management frameworks. Contingency, continuity, and recovery plans supporting these processes must be tested at least annually, with the amendments taking effect on 1 March 2018.


Finansinspektionen’s Regulatory Code
Publisher: Finansinspektionen, Sweden, www.fi.se
ISSN 1102-7460

This translation is furnished for information purposes only and is not itself a legal document.

FFFS 2018:1
Published on 29 January 2018

Regulations amending Finansinspektionen’s regulations and general guidelines (FFFS 2014:4) regarding the management of operational risks;

decided on 23 January 2018.

Finansinspektionen prescribes pursuant to Chapter 5, section 2, point 5 of the Banking and Financing Ordinance (2004:329) and Chapter 6, section 1, points 10–12 and 54 of the Securities Market Ordinance (2007:572) that Chapter 1, sections 2, 3 and 5 and Chapter 5, sections 16 and 23 of Finansinspektionen’s regulations and general guidelines (FFFS 2014:4) regarding the management of operational risks shall have the following wording.

Chapter 1

Section 2 These regulations apply to

  1. banking companies,

  2. savings banks,

  3. members’ banks,

  4. credit market companies,

  5. credit market associations,

  6. securities companies, and

  7. undertakings with authorisation to conduct clearing operations in accordance with Chapter 19 of the Securities Market Act (2007:528).

The regulations, in accordance with Chapter 3, section 4 of the Special Supervision of Credit Institutions and Investment Firms Act (2014:968), shall be applied at group or subgroup level.

For an undertaking referred to in the first paragraph, point 7, the regulations apply only to the undertaking’s organisation, processes and personnel for managing IT systems (IT operations).

Section 3 For securities companies, Chapter 5, sections 15–23 and Chapter 6, section 4, point 1 do not apply.

For undertakings with authorisation to conduct clearing operations in accordance with Chapter 19 of the Securities Market Act (2007:528), only Chapter 5, sections 15–23 apply.

Section 5 The definitions used in these regulations and general guidelines are the same as those in Chapter 1, section 3 of Finansinspektionen’s regulations and general guidelines (FFFS 2014:1) regarding governance, risk management and control in credit institutions and Finansinspektionen’s regulations (FFFS 2017:2), unless otherwise specified. In addition, the following definitions apply

  1. contingency plan: a plan that describes the measures an undertaking shall take to manage serious and comprehensive interruptions, disruptions or crises,
  2. incident: an event that has, or may have, a negative impact on the undertaking’s operations, assets or confidence,
  3. continuity plan: a plan that describes how operations shall be maintained in the event of an interruption or major operational disturbance,
  4. operational risk: the same as in Article 4(1)(52) of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012,
  5. process: a chain of related activities that, following a certain resource input, produces a result, and
  6. recovery plan: a plan that describes the priorities and procedures in accordance with which an undertaking shall return to normal operations after an interruption or a major operational disruption.

Chapter 5

Section 16 For each process in accordance with Chapter 5, section 1, an undertaking shall determine the longest allowable time for an interruption.

An undertaking that is authorised to conduct clearing operations in accordance with Chapter 19 of the Securities Market Act (2007:528) shall establish the longest allowable time for an interruption to their processes of material significance instead of what is set out in the first paragraph.

Section 23 An undertaking, in the internal rules regarding continuity management according to section 15, shall establish

  1. which types of tests it shall conduct in accordance with section 22, and
  2. how often the tests shall be conducted.

Contingency plans, continuity plans and recovery plans for processes in accordance with Chapter 5, section 1 and the IT systems that support these processes shall be tested at least annually.

An undertaking that is authorised to conduct clearing operations in accordance with Chapter 19 of the Securities Market Act (2007:528) shall test contingency plans, continuity plans and recovery plans for its processes of material significance at least annually instead of what is set out in the second paragraph.

These regulations shall enter into force on 1 March 2018.

ERIK THEDÉEN

Thomas Holmestål