Finantsinspektsioon mapped the payment institutions under supervision, and one point of assessment was their management of IT risks. The conclusion of the review was that payment institutions have relatively few of their own IT staff and are heavily dependent on IT services bought in from outside providers.
The mapping by Finantsinspektsioon makes clear that payment institutions generally rate the IT capacity of their own organisations highly. The initial assessment by Finantsinspektsioon is that one possible risk is the widespread outsourcing of IT and the lack of in-house knowledge about IT at smaller payment institutions. Several payment institutions also had some shortcomings in their risk control frameworks.
Andres Kurgpõld, a member of the Finantsinspektsioon management board, considered that, given the constant technological development in the financial sector, it is very important for IT risks to be minimised and for payment services to operate securely. “The mapping by Finantsinspektsioon revealed the very high dependence of payment institutions on IT service providers, and underlined that minimising possible risks better needs those service providers to be chosen very carefully, and the risks from them to be well managed”, he noted. He added that if services are bought from a limited group of suppliers, the risk of concentration needs to be considered.
Finantsinspektsioon uses the mapping in planning its upcoming supervisory activities. Supervision is risk-based, and not all the procedures used in supervision are made public.
The mapping by Finantsinspektsioon is based on the Payment Institutions and E-money Institutions Act 63-5 (2), and is used to assess the operating risks of payment institutions, including their security and the sufficiency of the security measures and control mechanisms applied to react to those risks.