ICC Fintech Collaboration Guidelines
May 2022

PURPOSE AND SCOPE

The trade finance industry is witnessing an unprecedented drive towards digitalisation. There is increasing momentum across the trade finance ecosystem to utilise technology and widen collaboration in order to swiftly address the limitations of paper-based trade finance. Technologies including Distributed Ledger Technology (DLT) (encompassing Blockchain), Machine Learning, Artificial Intelligence, Application Programming Interfaces (APIs) as well as technology-agnostic digital networks are witnessing increasing interest from financial institutions and corporates alike.

Following this industry trend, it is evident that digitalisation of trade finance will require an increasing number of players in the industry to connect with each other and use services/information/data provided by third parties (Fintechs). At present most players in the industry have their own set of standards to conduct due diligence, exchange trade information and on-board third-party vendors. These standards are rarely consistent and continue to evolve. This makes it difficult for third parties to expediently commercialise their solutions.

This paper aims to bring together a set of common standards that parties in the trade finance digital ecosystem can use to connect with each other digitally. It is a living document which will be expanded over time. These standards capture the common areas of consideration for third-party collaboration and seek to bring about a degree of standardisation in such engagements to ensure a faster, more efficient and more effective collaboration between service providers and users. Trade finance is subject to many regulatory constraints which require fulfilment by internal departments of banks (compliance, legal, risk, security, etc.), mainly due to evolutions around GDPR, regulatory requirements, audits, certification companies, etc. Banks integrate such aspects, which was not the case 2-5 years previously. Banks have to handle those aspects with their clients.

There are three main themes of standards that are generally considered before or during a third-party engagement. These are:

1. Information Security (Infosec) Standards,
2. Commercial Standards, and
3. Technology Standards.

The paper sets out the common considerations and standards used under each of these themes. It is important to note that these standards are for reference purposes only, and may not be considered as legal recommendations or advice, nor should they be seen as necessarily all-inclusive. Recipients of such third-party services should have regard for their particular circumstances and seek their own independent financial, legal, tax and other relevant advice.

Note: A glossary can be found towards the end of this document.

STANDARDS

1. Information Security (Infosec) Standards

These standards apply to either the technology vendor or service provider; whomever is responsible for providing the platform and related services to the
customers (*customer may be the financial services provider and/or corporate end users). See annex 1 for more information.

May 2022 | ICC Fintech Collaboration Guidelines | 2

THEMES: Data classification; Data hosting; Data Management

RECOMMENDED STANDARD:
- Classification of information or data based on type of information. For example: Public/Internal/Restricted/Highly Restricted/Classified/Confidential information, etc.
- Restricting access to data
- Location of data services
- Secure Data at Rest
- Controls around Data transfer
- Controls on data access
- Regulatory requirements
- Data loss prevention
- Security patch management
- Data reversibility and deletion procedures
- Data retention standard subject to local regulations

EXPLANATION:

Data classification is broadly defined as the process of organising data by relevant categories so that it may be used and protected more efficiently.

Data hosting is the process of deploying and hosting a data centre on a third-party or external service provider's infrastructure.

Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.

Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems. Physical access to information assets and functions by users and support personnel shall be restricted.

Be aware of the regulatory environment and customer requirements with respect to hosting certain data/information, for example FATCA.

Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network.

Security patch management is the ongoing process of applying updates that help resolve code vulnerabilities or errors for applications across your system.

Policies and procedures shall be established, with supporting business processes and technical measures implemented, for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

Data retention policies should take into consideration any regulatory requirements on how long any particular classification of data must be retained.

THEME: Cyber security

RECOMMENDED STANDARD:
- Level of backup
- Network penetration tests
- Preventive, detective and recovery controls
- Periodicity of reviews to meet evolving threats
- Disaster recovery in different locations

THEME: Application

RECOMMENDED STANDARD:
- Managing the development process
- Security of applications
- User Testing
- Authentication/Identification of users

EXPLANATION:

A process should be in place to allow full reversibility of the data to the client and to ensure complete deletion of the data at the Service Provider side, once reversibility is complete. The timing of the actual deletion date should be agreed between the vendor and the bank.

Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorised disclosure, or modification in such a manner as to prevent contract dispute and compromise of data.

Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements. This should be time-based (or occurrence-based) and/or contractually binding. In the case of Personal Accounts, such approval should be time-based explicit consent.

Example of Cyber Security Standards: SWIFT has launched the Customer Security Programme (CSP) to drive industry-wide collaboration in the battle against cyber threats. This includes a set of core security controls. This is one example of an industry standard when it comes to cyber security. ICC has not checked nor verified if these standards are directly applicable to your business. This has been included as an example only. (customer-security-programme-csp)

Related processes should exist with Fintechs for them to identify and communicate to their clients.

Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards and adhere to applicable legal, statutory, or regulatory compliance obligations.

THEME: Malware identification and remediation activities

RECOMMENDED STANDARD:
- Anti-malware programs that are installed locally or cloud based
- Capability to rapidly patch vulnerabilities within agreed timelines and based on priorities
- Applications developed for Mobile Devices

THEME: Intrusion Prevention

RECOMMENDED STANDARD:
- Implementation of file integrity (host) and network intrusion detection (IDS) tools

THEME: Access Control (Conditional access)

RECOMMENDED STANDARD:
- Management of user ids and passwords
- Segregation of duties
- Removal of access controls when no longer required (such can include, but is not limited to, user ids and passwords)
- Restrict access to information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)
- Log and monitor access of user-level activity

EXPLANATION:

A list of such legal, statutory or regulatory compliance requirements shall be documented and presented to inform customers.

Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.

Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.

Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organisationally-owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory, or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviours and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.

Access control is a security technique that regulates who or what can view or use resources in a computing environment.

Access to, and use of, audit tools that interact with the organisation's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.

User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organisationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. User logs are to include the capability to identify users' log-in times and activities performed. Such logs should be readily available, in a reasonable machine-readable format and/or be convertible to a human-readable format.

THEME: Auditability

RECOMMENDED STANDARD:
- Who has done what, with date and time stamp; the build should be able to be audited by internal and external auditors

THEME: Regulatory

RECOMMENDED STANDARD:
- Compliance with Data Privacy laws, for example GDPR and Singapore PDPA
- Engagement with regulators on where the data is hosted. There will be country regulations around hosting data on cloud, sharing data across borders and access of data on demand
- Regulatory engagement with use of third-party channels for communicating with customers. Is this regarded as a new distribution channel?
- KYC/on-boarding requirements of the third party
- Programming Language interoperability
- Transparency, sanctions, AML screening
- Cross border licences
- Fintech should be prepared to share subcontractor details

EXPLANATION:

Data compliance is the practice of ensuring that sensitive data is organised and managed in such a way as to enable organisations to meet enterprise business rules along with legal and governmental regulations.

2. Commercial Standards

DOMAIN: Risk Management

RECOMMENDED STANDARD:

Business policies: in addition to data and technology related policies, service providers should have appropriate business policies. Examples include:
- AML/Terrorism and Sanctions policies; anti-bribery and corruption, fraud, environmental/social governance
- Dividends
- Operational risk control
- Where the Fintech has majority shareholdings, including by government or major corporates/banks, this should be declared to manage potential anti-trust or conflicts of interest
- Employee policies, including:
  - Incentives, if applicable
  - Ensure roles are clearly segregated
  - Any background verification requirements
  - Meeting local statutory requirements on employing workforce
  - Any sub-contracting
  - Documented exit policies upon employee termination
  - Health and safety

DOMAIN: Risk Management

RECOMMENDED STANDARD:

Further, if the service provider is established by Banks, then additional policies may need to be in place:
- Antitrust
- Conflicts of Interest

DOMAIN: Business Continuity

RECOMMENDED STANDARD:

There are two aspects of Business Continuity Planning (BCP):
1. Consider whether adequate BCP and relevant policies are employed by the service provider (technology provider), and
2. Appropriate planning and fall-back measures in place at the receiver's end (e.g. FI or Corporate).

Key areas of consideration for BCP policy include:
- Impact analysis for disruption in critical service areas
- Recovery plan/Redundancy
- Established tolerable disruption periods
- Regular review of BCP plans
- The Fintech should declare where their BCP locations are and the number of critical employees available at the recovery site.

RATIONALE: Supplier demonstrates appropriate governance and management of risks.

DOMAIN: Liability

RECOMMENDED STANDARD: Responsibilities and Liabilities. Establish clear liabilities between the parties.