[Logo of the Palestine Monetary Authority]
Palestine Monetary Authority
PALESTINE MONETARY AUTHORITY
Instructions No. (5) of 2022
Concerning Business Continuity Management
Based on the provisions of Decision-Law No. (9) of 2010 concerning Banks, particularly Articles (43) and (72) thereof,
and in accordance with the powers delegated to us,
and to achieve the public interest,
we have issued the following Instructions:
Article (1)
Definitions
The following words and phrases shall have the meanings specified below wherever they appear in these Instructions, unless the context indicates otherwise:
- Business Continuity Management: A comprehensive and ongoing business management process that includes policies, procedures, and plans used to maintain the continuity and resilience of operations and to restore them in a timely manner upon exposure to any emergency or threat, with the aim of reducing the level of risks and operational, financial, legal, and reputational damages resulting from business disruption.
- Business Continuity Plan: A detailed, documented guideline plan that outlines the necessary procedures to guide the bank to ensure response, recovery, and restoration of systems and processes after an interruption.
- Business Impact Analysis (BIA): The measurement and analysis of the consequences resulting from the interruption of activities and processes, with the aim of developing necessary recovery strategies by identifying priorities, resources, and requirements needed in the restoration process.
- Recovery Time Objective (RTO): The acceptable time period to restore critical activities, processes, and services after an incident occurs.
- Recovery Point Objective (RPO): The maximum permissible amount of data loss for the purpose of resuming critical operations upon service restoration.
- Maximum Acceptable Outage (MAO): The maximum time period for the stoppage of operations, services, or products that the bank can withstand.
- Incident: The condition that may lead to a malfunction, emergency, crisis, or loss.
- Critical Operations: Operations whose stoppage cannot be tolerated for a period determined based on the Business Impact Analysis.
- Disaster Recovery Plan (DRP): An action plan to restore systems, data, applications, and others upon the occurrence of an incident in order to return to normal operations.
- Crisis Management Plan (CMP): An action plan that determines how to handle a risk or threat when it occurs, and the procedures required from the bank and service providers to deal with those risks.
- Critical Systems: Systems whose stoppage or malfunction leads to the disruption of critical operations.
Article (2)
Objective and Scope of Application
- The provisions of these Instructions aim to specify the procedures the bank must take to confront threats and business interruption risks, ensure recovery from their impacts with minimal losses, and build resilience into its critical operational processes during exposure to an incident.
- The provisions of these Instructions apply to all banks licensed by the Palestine Monetary Authority to conduct banking business in Palestine.
Article (3)
Governance of Business Continuity Management
- The bank's Board of Directors shall do the following:
a. Approve the business continuity strategy and policy, and any amendments thereto, which shall include long-term strategic objectives, action plans, and timelines to achieve these objectives.
b. Allocate the necessary resources to implement the business continuity plan, including qualified financial and human resources.
c. Form a steering committee for business continuity management authorized by the Board of Directors, comprising members of senior management and the business continuity management officer.
d. Approve a specific charter for the business continuity committee, including the committee's objectives, roles and responsibilities, number of participants in meetings, and meeting frequency.
e. Ensure the existence, development, and continuous updating of an operational risk management policy and verify its implementation.
f. Receive reports on the progress of the business continuity plan, including the results of plan testing.
g. Ensure that policies and plans are reviewed by an independent body, such as internal or external auditors, annually or upon making any fundamental change.
- The bank's business continuity management committee shall do the following:
a. Prepare policies and develop necessary plans for the continuity of critical operations and systems, oversee their implementation, and review them at least once annually or upon making any fundamental change, which shall include objectives, scope, roles, and responsibilities.
b. Determine the standards and guidelines used in the business continuity program.
c. Identify the necessary resources to implement the business continuity plan from all relevant departments.
d. Provide a business continuity management function within the risk department, ensuring that the incumbent possesses the qualifications, experience, competence, and skills appropriate to manage and implement business continuity programs and plans.
e. Form and assign all business continuity management functions, and clearly define the roles and responsibilities of each member.
f. Oversee the design and implementation of awareness programs regarding business continuity for all administrative levels in the bank, ensuring that all relevant parties are aware of their roles and responsibilities during an incident.
g. Oversee the design of periodic tests, regularly review test results, and measure the effectiveness of plan implementation.
Article (4)
Business Impact Analysis
The bank shall comply with the following:
- Prepare and approve a methodology for business impact analysis and risk assessment, ensure its implementation, and review it periodically.
- Identify activities and operations and prioritize them by conducting a business impact assessment periodically or upon the occurrence of any fundamental changes to business, products, services, or systems used, provided that the assessment includes the following:
a. The potential impact on critical operations for each prioritized function or operation, such as financial, operational, legal, regulatory, and reputational impacts.
b. Determining the recovery time objective and recovery point objective, and defining the maximum acceptable outage.
c. Identifying internal and external parties and entities associated with the execution of critical operations.
d. Identifying the necessary resources to provide support and ensure the timely recovery of operations.
e. Identifying the required controls to manage potential risks and mitigate their impact.
f. Identifying the response and remediation plan.
- The business continuity management committee shall approve the results of the business impact assessment.
- Determine the recovery time objective for payment systems and customer-related services, ensuring that procedures are established to provide high availability for them.
- Periodically evaluate the capability of suppliers and service providers to maintain the level of services they provide during incidents.
Article (5)
Business Continuity Plan
The bank shall comply with the following:
- Prepare comprehensive business continuity plans based on the business impact analysis and risk assessment, and update them periodically or upon making any fundamental change.
- Prepare and approve incident response procedures, provided they ensure the following:
a. Key requirements and resources such as personnel, equipment, facilities, technologies, etc.
b. Roles, responsibilities, and authorities of stakeholders.
c. Procedures for managing the consequences of the incident.
d. Procedures necessary to continue critical operations in accordance with the recovery time objective, the recovery point objective, and the maximum acceptable outage.
e. Communication procedures with employees and relevant external parties in emergency situations.
f. Relevant cybersecurity requirements.
- Document business continuity management plans to clearly show the change log, versions, and updates, in addition to a list of reviewers and responsibilities for plan retention, distribution, and approval.
- Monitor compliance with business continuity plan requirements.
- Periodically measure the effectiveness of business continuity plans and evaluate them.
- Provide an alternative business management site upon obtaining prior written approval from the Palestine Monetary Authority, equipped with the necessary resources to continue critical operations in case working from the main site is impossible, in accordance with the target recovery time and point, and the maximum acceptable outage.
- Ensure the application of adequate security controls at the alternative business management site in accordance with the security controls applied at the main site.
- Ensure that service providers and relevant external parties associated with critical operations have plans for business continuity management related to these operations.
Article (6)
Information Technology Disaster Recovery Plan
The bank shall comply with the following:
- Prepare and approve an information technology disaster recovery plan to restore and recover critical operations in accordance with the business impact analysis, and update it periodically or upon making any fundamental change.
- Establish a disaster recovery data center, subject to the following:
a. Assess site risks and choose a suitable location in terms of the likelihood of exposure to the same threats as the main data center.
b. Obtain prior written approval from the Palestine Monetary Authority.
- The disaster recovery data center's facilities, in terms of systems, network, applications, procedures, and security controls, shall be commensurate with those of the main data center.
- Prepare and approve backup and recovery procedures and ensure their implementation.
- Provide a backup copy and store it in a secure location outside the main data center.
- Contracts with providers and external parties shall include provisions for technical support for software, hardware, and systems within agreed timeframes in disaster situations, in accordance with the business continuity plan.
- Provide the necessary procedures and tools to measure the effectiveness of the disaster recovery plan and evaluate it periodically.
- Provide oversight and auditing of compliance with the disaster recovery plan.
- Take all necessary measures in the event of a critical system stoppage so that the target time to restart systems does not exceed two hours for any single outage, provided the bank maintains a system availability rate of no less than 99.95% (this period does not include planned disaster recovery tests or routine maintenance). (1)
- Take all necessary measures to ensure that no data is lost in critical systems, with the maximum permissible data loss (recovery point objective) not exceeding thirty (30) minutes.
(1) An SLA level of 99.95% uptime/availability results in the following periods of allowed downtime/unavailability:
- Daily: 43s
- Weekly: 5m 2s
- Monthly: 21m 54s
- Quarterly: 1h 5m 44s
- Yearly: 4h 22m 58s
Direct link to the page with these results: uptime.is/99.95
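As an added illustration that is not part of the Instructions, the following Python reproduces the footnote's allowed-downtime table from the 99.95% target and checks a constructed outage log against the two-hour restart time, thirty-minute data-loss limit and availability rate of Article (6), excluding planned tests and maintenance as the Article provides. The outage records, their field names and the 365.25-day year are assumptions.

```python
from datetime import datetime, timedelta

# Thresholds taken from Article (6) of the Instructions.
AVAILABILITY_TARGET = 0.9995       # minimum system availability rate
RTO_LIMIT = timedelta(hours=2)     # maximum restart time for one critical-system outage
RPO_LIMIT = timedelta(minutes=30)  # maximum permissible data loss

YEAR = 365.25 * 86400  # assumed year length in seconds; reproduces the footnote figures
PERIODS = {"Daily": 86400, "Weekly": 7 * 86400, "Monthly": YEAR / 12,
           "Quarterly": YEAR / 4, "Yearly": YEAR}

def downtime_budget(availability, period_seconds):
    """Whole seconds of unplanned downtime allowed in a period at the given availability."""
    return int((1.0 - availability) * period_seconds)

def fmt(seconds):
    """Format whole seconds as '1h 5m 44s', '5m 2s' or '43s'."""
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    parts = ([f"{h}h"] if h else []) + ([f"{m}m"] if h or m else [])
    return " ".join(parts + [f"{s}s"])

def budget_table(availability):
    """Allowed downtime per period, as in the footnote table."""
    return {name: fmt(downtime_budget(availability, secs)) for name, secs in PERIODS.items()}

def assess(outages, period_seconds=YEAR):
    """Check an outage log against the RTO, RPO and availability requirements.
    Planned DR tests and routine maintenance are excluded from the availability
    figure, as Article (6) provides. Returns (availability, findings)."""
    findings, unplanned = [], timedelta()
    for o in outages:
        duration = datetime.fromisoformat(o["end"]) - datetime.fromisoformat(o["start"])
        if o["planned"]:
            continue
        unplanned += duration
        if duration > RTO_LIMIT:
            findings.append(f"RTO breach: outage at {o['start']} lasted {fmt(duration.total_seconds())}")
        if timedelta(minutes=o["data_loss_min"]) > RPO_LIMIT:
            findings.append(f"RPO breach: outage at {o['start']} lost {o['data_loss_min']} min of data")
    availability = 1.0 - unplanned.total_seconds() / period_seconds
    if availability < AVAILABILITY_TARGET:
        findings.append(f"availability {availability:.5f} is below {AVAILABILITY_TARGET}")
    return availability, findings

# Constructed sample outage log for one year (hypothetical; not from the Instructions).
SAMPLE_OUTAGES = [
    {"start": "2022-05-03T09:10:00", "end": "2022-05-03T10:25:00", "planned": False, "data_loss_min": 12},
    {"start": "2022-07-17T22:00:00", "end": "2022-07-18T01:00:00", "planned": True, "data_loss_min": 0},
    {"start": "2022-09-21T14:00:00", "end": "2022-09-21T16:45:00", "planned": False, "data_loss_min": 40},
]
```

On the sample log the third outage breaches both the restart-time and data-loss limits, while the annual availability (the planned July test excluded) still stays above 99.95%.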
Article (7)
Cyber Resilience
The bank shall comply with the following:
- Apply and adopt cybersecurity requirements in business continuity management.
- The security controls applied in the disaster recovery center shall be compatible with the security controls applied in the main data center.
Article (8)
Crisis Management Plan
The bank shall comply with the following:
- Prepare and adopt a crisis management plan that determines the procedures to be taken during and after the occurrence of a crisis.
- Provide a mechanism to measure the effectiveness of the crisis management plan within the business continuity program and evaluate it periodically.
- The crisis management plan shall include the following:
a. Standards and procedures for declaring a crisis.
b. Forming a crisis management team comprising representatives from various functions and critical operations in the bank.
c. Providing a dedicated location for the crisis management team within the alternative business management site.
d. Documenting contact information for the crisis management team, including external parties and entities.
- Report all incidents to the Palestine Monetary Authority in accordance with established protocols through approved communication channels, and send a detailed report on the incident after its conclusion and the resumption of normal operations and functions.
- Coordinate with the Palestine Monetary Authority before communicating with the media in the event of an incident.
Article (9)
Testing
- The bank shall periodically execute tests of business continuity plans and disaster recovery plans, subject to the following:
a. Obtain prior approval from the Palestine Monetary Authority.
b. Test scenarios shall include all risks the bank may be exposed to, including cybersecurity risks.
c. The crisis management team shall participate in test scenarios.
d. Test results shall include an evaluation and recommendations for plan development, if any.
- The bank shall document the results of business continuity plan tests, and in case of test failure, the test shall be repeated within a timeframe agreed upon with the Palestine Monetary Authority.
- Internal and external audit tasks at the bank shall include reviewing business continuity plan and disaster recovery plan testing activities as an independent party.
- Submit reports on the results of business continuity plan tests to the business continuity management committee.
Article (10)
Reports
The bank shall provide the Palestine Monetary Authority with the following, no later than September 30 of each year:
- Results of business continuity and disaster recovery tests within a maximum of 7 days from the date of test execution.
- Updated business continuity plans.
- A list of systems and applications located in the main data center and the disaster recovery center.
Article (11)
Repeal
- Instructions No. (2) of 2009 concerning business continuity management in banks are hereby repealed.
- Anything inconsistent with the provisions of these Instructions is hereby repealed.
Article (12)
Implementation and Enactment
All competent authorities shall implement the provisions of these Instructions, each within their respective purview, and they shall apply from the date of their issuance.
Issued in Ramallah, on 28/04/2022.
Dr. Fares Malham
Governor
[Signature]