The evolving role of technology and automation in the banking/financial services sector is becoming increasingly complex. A growing number of Banks/DFIs/Microfinance Banks (hereinafter referred to as Financial Institutions or FIs) are leveraging technology to offer innovative products, efficient services and venture into new business models.

2. As technology becomes an integral part of the business and operations of FIs, such technology usage and dependence, if not properly managed, may heighten technology risks. With a vision to provide baseline technology governance and risk management principles to the FIs, State Bank of Pakistan has developed a framework on ‘Enterprise Technology Governance & Risk Management in Financial Institutions’.

3. This framework shall be integrated with the FIs' overall enterprise risk management program to identify, measure, monitor and control technology risks. The framework is not "one-size-fits-all" and its implementation needs to be risk-based and commensurate with the size, nature and types of products/services offered and complexity of technology operations of individual FI. Further, FIs shall exercise sound judgment in determining the applicable provisions relevant to their technology risk profile while implementing this framework. Senior management of the FIs shall ensure the implementation of this framework and Board of Directors shall review the implementation status on at least quarterly basis.

4. The FIs may follow a phased approach towards implementation of the framework starting with a gap analysis between their current status and this framework, development/update of the policy framework, on-the-ground implementation and compliance reporting. Accordingly, FI(s) are advised to upgrade their systems, controls and procedures to ensure compliance with this framework latest by June 30, 2018.

Please acknowledge receipt.

Encl: Enterprise Technology Governance & Risk Management Framework for Financial Institutions

.