International Monetary Fund. Monetary and Capital Markets Department
This paper explores a technical note on cyber risk and financial stability as part of Financial Sector Assessment Program (FSAP) in Spain. Technology risk and cyber resilience of the financial sector has become a focus area of the authorities, within the broader context of operational risk and resilience. This intensified focus by authorities is timely and important from the perspective of the continuity of financial service provision and the stability of the Spanish financial system. The FSAP found cyber risk supervisory practices of the authorities with regard to less significant institutions and financial market infrastructures in scope to be materially in line with applicable regulations and guidance and prevailing international good practice. Resource constraints are the most prominent challenge that the authorities are confronted with. A number of further weaknesses have a negative impact notwithstanding the overall strength of cyber risk supervision.
International Monetary Fund. Monetary and Capital Markets Department
This Technical Note focuses on Cyber Resilience and Financial Stability for the Japan Financial Sector Assessment Program. The cyber ecosystem is mature in Japan, with a range of stakeholders involved in ensuring the cybersecurity of the financial sector. The Financial Services Agency (FSA) is responsible for developing and operationalizing the cyber strategy for the financial sector. Cyber risk regulation and supervisory practice need further improvements. The Bank of Japan (BOJ) should strengthen the cyber risk oversight of financial market infrastructures. The FSA would benefit from deepening its analysis of the operational interconnectedness of the financial system. Further improvements in the response and recovery capabilities are recommended. The FSA and BOJ should keep upgrading, as necessary, a range of extreme but plausible cyber scenarios along with their existing Business Continuity Plans and/or Cyber Incident Response and Recovery Plans, for the financial sector. The authorities currently have strong cyber incident reporting regimes in place, with clear definitions, taxonomies, thresholds, and communication channels.
International Monetary Fund. Western Hemisphere Dept.
This Selected Issues paper studies renewable energy and attempts to estimate the gross domestic product (GDP) impact and assesses the role of policies in Chile. Chile has a comparative advantage in renewable energy. IMF estimates show that replacing coal power with solar and wind power, as announced by the government, could boost the long-term GDP level by at least 1 percentage point. The analysis indicates that the benefits of having targeted support for the transmission of electricity exceed costs. An additional benefit is the greater economic resilience to abrupt increases in coal and fuel prices that can have large negative impacts on the economy. A key constraint for the renewable energy sector is currently the transmission from where it is produced to where it is used. A cost-benefit analysis shows that state support industries, such as electricity transmission, may have economic benefits that outweigh the costs.
International Monetary Fund. Monetary and Capital Markets Department
This technical note focuses on cyber and operational resilience, supervision and oversight in Iceland. The Icelandic financial sector has not experienced seriously disruptive cyber-attacks or operational issues in recent years, but threats are growing. Iceland’s dependence on international connectivity for both debit and credit card systems introduces a significant vulnerability into the payment system. There is no dedicated cyber security strategy for the finance sector. Operational risk experts in the Central Bank of Iceland (CBI) are experienced and well regarded by financial institutions, but more resources are needed to provide adequate coverage of this increasingly important area. The supervision of financial institutions’ cybersecurity is highly dependent on self-assessments by the regulated entities themselves and independent reviews carried out by third parties. CBI should regularly revise the list of critical operations and critical service providers for internal use and for presentation to the Financial Stability Committee and Financial Stability Council. CBI is encouraged to enhance its incident dashboard by summarizing cyber incidents and examining trends.
International Monetary Fund. Monetary and Capital Markets Department
This technical note evaluates strengthening cybersecurity in financial institutions of Trinidad and Tobago. The deliverables included a capacity-building seminar on regulation of cyber risk. The Central Bank of Trinidad and Tobago identified the need for filling regulatory gaps and desires to issue a focused guideline on cybersecurity covering governance, risk management, incident reporting, and cyber hygiene, and intends to develop a draft guideline for consultation with its regulated institutions in the first quarter of 2023. Supervisory arrangements for Information and Communication Technology/cyber risks need further improvements and resource constraints within Financial Institutions Supervision Department need to be addressed urgently. The Identity and Access Management project has been formally set up and is now in Phase 1, which is considered preparatory. The governance of the project, the high-level roadmap, and the deliverables for Phase 1 are generally in line with good practices. It is recommended to establish regular cybersecurity meetings and reporting regime at the Board level with the participation of the Head of IT Security.
International Monetary Fund. Monetary and Capital Markets Department
This technical assistance report discusses Cybersecurity Risk Supervision and Oversight in Sweden. Sweden’s financial sector is highly digitized and interconnected, and the related technological developments heighten cyber threats and vulnerabilities. Sweden is well-served with agencies engaged with cybersecurity, but the roles and responsibilities of each in respect to the cyber security of the financial sector should be clarified and barriers to sharing information resolved. It is important that the financial sector engages with and helps to shape the activities of the National Cyber Security Centre. Cyber incident reporting frameworks are in place, as are some, limited, information sharing for a, but there is still an appetite from financial institutions to receive more information on threats and incidents. Contingency plans and crisis protocols should be established for large-scale cyber-attacks affecting the Swedish financial sector. The Swedish authorities are advised to identify and address the barriers to information sharing between government agencies, the financial authorities, and the private sector.
International Monetary Fund. Monetary and Capital Markets Department
Mexico’s financial system is digitalizing rapidly, increasing exposure to cyber risk. As in other jurisdictions, internet and mobile banking users in Mexico have increased substantially, but cyber incidents have also surged in recent years. The tight interdependencies within its financial system, and beyond, make Mexico vulnerable to evolving cyber threats. Thus, the Financial System Stability Council (CESF) has recognized cyber as a risk with potential to impact financial stability.
International Monetary Fund. Monetary and Capital Markets Department
This Technical Note on Oversight of Fintech explains that Ireland’s fintech sector is growing in importance through the entry of innovative new players and digital transformation of incumbents’ business models and products. This note seeks to identify risks arising from fintech as well as policy responses by authorities. The Irish Government has adopted a Strategy implemented by annual action plans for the development of Ireland’s international financial services sector that includes several initiatives of relevance to fintech. The Central Bank has an Innovation Hub that provides a single point of contact for stakeholders on fintech-related issues. Under the EU’s passporting framework host regulators receive limited information on the activities that passporting entities carry out in their jurisdiction. Incumbent retail banks in Ireland are dedicating significant resources to digital transformation, while fintechs are enlarging consumer choice through innovative new services. The Central Bank should further intensify its efforts to monitor developments on crypto-assets through systematic data collection within the scope of its powers and, where unacceptable risks remain, issue carefully targeted warnings and investor communications.
International Monetary Fund. Monetary and Capital Markets Department
Cybersecurity risk continues to grow both in complexity and severity and is a function of an increasingly open and interconnected cyber and financial ecosystem. The South African financial system has a long history of incorporating technology and as for many financial systems across the globe, digitalization has become a strategic priority. For risk management to keep pace with the dynamic nature of cyber threats and threat agents, systemically important financial institutions (SIFIs) have made substantial investments in cyber resilience programs (e.g., establishing cyber strategies, frameworks, and governance structures). Consistent with many jurisdictions, and partly a result of widespread remote working arrangements implemented in response to the global pandemic, cybersecurity threats to financial stability increased. However, high standards of risk management meant threats did not materialize into significant losses and/or disruptions.
International Monetary Fund. Monetary and Capital Markets Department
The United Kingdom faces significant money laundering threats from foreign criminal proceeds, owing to its status as a global financial center, but the authorities have a strong understanding of these risks. The authorities estimated the realistic possibility of hundreds of billions of pounds of illicit proceeds being laundered in their jurisdiction. The money laundering risks facing the United Kingdom include illicit proceeds from foreign crimes such as transnational organized crime, overseas corruption, and tax crimes. Financial services, trust, and company service providers (TCSPs), accountancy and legal sectors are high-risk for money laundering, with also significant emerging risks coming from cryptoassets. Some Crown Dependencies (CDs) and British Overseas Territories (BOTs) have featured in U.K. money laundering investigations. Brexit and COVID pandemic have an impact upon the money laundering risks in the United Kingdom. The authorities nevertheless have demonstrated a deep and robust experience in assessing and understanding their ML/TF risks. Leveraging technology tools such as big data and machine learning to analyze cross-border payments may add further dimension to their risk assessments. This technical note (TN) will focus on key aspects of the United Kingdom’s anti-money laundering and countering the financing of terrorism (AML/CFT) regime: risk-based AML/CFT supervision, entity transparency and international cooperation.