Overview of Information System (IS) regulatory requirements for financial sector actors in the WAMU and CEMAC regions
The state of the banking sector of a country or region affects the state of its economy. In order to deliver their services (account opening, ATM withdrawals, etc.), banks cannot do without information systems, known in this context as the Banking Information System (BIS). Far from being a mere support function, these systems are what banks rely on to increase their performance and better meet their customers' needs.
While it goes without saying that the introduction of new requirements in the West African Monetary Union (WAMU) and the Economic and Monetary Community of Central Africa (CEMAC) has an impact on the management of banks and credit institutions, it is appropriate to assess the impact this has on the information systems that are now known to be so valuable to banks. This blog provides key insights into this dynamic.
Within WAMU, the convergence of our systems towards international standards [e.g. International Financial Reporting Standards (IFRS) for the Chart of Accounts] and the Basel Accords for the prudential framework has modified the regulatory landscape of our space. The Banking Commission issued circulars[1] - which came into force in July 2018 - to serve as the implementing modalities for the banking regulations.
Compared to the previous circulars of 2011, it is worth noting the introduction of a circular on risk management in credit institutions and financial companies, and of another on the management of compliance with the standards in force by credit institutions and financial companies in the Union; both topics were previously covered by the circular on internal control.
More specifically, the impacts related to information systems are mainly linked to the need to set up an efficient Information Systems (IS) governance system. More importantly, this system will have to take into account information security aspects and business continuity and recovery mechanisms.
In addition to fulfilling its primary role of enabling the bank to deliver its services, the BIS must ensure traceability for all operations performed. These systems will also be of great help to the institution in designing automated controls and monitoring their effectiveness. In order to carry out this monitoring, the Internal Audit function must therefore be equipped with skills in the field of information systems infrastructure and security. The banking IS must also enable the institution to assess the criticality of its risks in real time and to guarantee the reliability, quality and integrity of its data.
The bank should also include in the management of its operational risk mitigation measures that address the physical and logical security of its telecommunication infrastructure and its IS. These measures will make it possible to control operational losses that may result from damage to physical assets or from system interruptions and failures.
Where the bank or institution outsources its operations, it should be noted that the outsourcing institution cannot outsource its responsibility in case of non-compliance. It must therefore take measures to preserve the security of information, including the personal data of its customers. To this end, the Banking Commission requires that the computer servers storing data and hosting applications be located within the West African Economic and Monetary Union (WAEMU). If this cannot be done, secondary servers holding all the replicated data must be present within the WAEMU.
These requirements apply for the most part to digital financial services (DFS), which for some years now have also been seeking to make their mark in the region's financial ecosystem. Indeed, securing operations implies the implementation of an IS internal control system that meets a number of criteria. To support electronic money issuers (EMEs), BCEAO has issued strict rules through Instruction n°008-05-2015 governing the conditions and modalities for the exercise of activities of electronic money issuers in the member states of the Union. The purpose of these rules is to: (i) guarantee the authenticity of transactions, (ii) preserve the integrity of messages, (iii) ensure the non-repudiation of transactions, (iv) maintain the confidentiality of information, and (v) ensure a high availability of the platform.
In the CEMAC region, there has been an increase in the number of cyberattacks against credit, microfinance and payment institutions, and these attacks are becoming more and more sophisticated. In response, the Banking Commission published CIRCULAR LC-COB/04 on January 21, 2022. This circular aims to implement a series of actions to strengthen the IT risk management and cybersecurity systems of the institutions subject to the law. These actions include:
- The conduct of an IS security audit by independent experts no later than June 30, 2022;
- The formalization and updating of risk maps, in particular those related to IS security;
- The formalization of IS security policies, in compliance with best practices, norms and standards (ISO 2700X, PCI DSS, etc.);
- Formalizing, updating and regularly testing the business continuity plan.
Given the release of this circular, it is imperative for the targeted institutions to learn about it in order to take the appropriate measures to comply with the banking regulations.
In conclusion, we can - with the maintenance of this dynamic of evolution of the regulatory framework, and an appropriate implementation of the measures enacted - foresee a strengthening of the internal control system of these entities over time. This would be based on (i) data security (confidentiality, integrity and availability); (ii) business continuity; (iii) information reliability; and (iv) transaction traceability.
Financial institutions that are forward-thinking and do not wait for a requirement from the regulator before adopting good practices will be a step ahead. Indeed, many good practices have already been tried and tested, and the lessons learned can be capitalized on for greater resilience.
[1] https://www.bceao.int/fr/documents/circulaires
About the author
El Hadji Malick GUEYE is in charge of managing Technology & Data Risks activities at Deloitte Africa. Within Deloitte Senegal, he is responsible for the Risk Advisory practice. With 15 years of experience, including 9 years in the financial sector, he has conducted numerous missions to secure the Information Systems of banks and digital financial services in the WAMU. Malick is CISA, CISM, ISO 27001 Lead Implementer certified.