Updated 25/12/2024
In force

Initial Legal Act
Amendments
Search within this legal act

Article 75 - IT infrastructure

Article 75

IT infrastructure

1.   When assessing the architecture of the IT systems, of relevance to the institution’s rating systems and to the application of the IRB Approach in accordance with Article 144 of Regulation (EU) No 575/2013, competent authorities shall evaluate all of the following:

(a)

the IT systems architecture including all applications, their interfaces and interactions;

(b)

a data flow diagram showing a map of the key applications, databases and IT components involved in the application of the IRB Approach and relating to rating systems;

(c)

the assignment of IT systems owners;

(d)

the capacity, scalability and efficiency of IT systems;

(e)

the manuals of the IT systems and databases.

2.   When assessing the soundness, safety and security of the IT infrastructure that is of relevance to the institution’s rating systems and to the application of the IRB Approach, competent authorities shall verify that:

(a)

the IT infrastructure can support the ordinary and extraordinary processes of an institution in a timely, automatic and flexible manner;

(b)

the risk of suspension of the abilities of the IT infrastructure (‘failures’), the risk of loss of data and the risk of incorrect evaluations (‘faults’) are appropriately addressed;

(c)

the IT infrastructure is adequately protected against theft, fraud, manipulation or sabotage of data or systems by malicious insiders or outsiders.

3.   When assessing the robustness of the IT infrastructure that is of relevance to the institution’s rating systems and to the application of the IRB Approach, competent authorities shall verify that:

(a)

the procedures to back up the IT systems, data and documentation are implemented and tested on a periodic basis;

(b)

continuity action plans are implemented for critical IT systems;

(c)

the recovery procedures of IT systems in case of failure are defined and tested on a periodic basis;

(d)

the management of IT systems users is compliant with the institution’s relevant policies and procedures;

(e)

audit trails are implemented for critical IT systems;

(f)

the management of changes of IT systems is adequate and the monitoring of changes covers all IT systems.

4.   When assessing whether the IT infrastructure that is of relevance to the institution’s rating systems and to the application of the IRB Approach is reviewed both regularly and on an ad hoc basis, competent authorities shall verify that:

(a)

regular monitoring and ad hoc reviews result in recommendations to address weaknesses or shortcomings, where detected;

(b)

the findings and the recommendations referred to in point (a) are communicated to the senior management and management body of the institution;

(c)

there is adequate evidence that the recommendations are properly addressed and implemented by the institution.