Credit institutions should have in place IT control and security measures that are appropriate to their activities and sufficiently robust to ensure the security and authentication of the means of transmission, to minimise the risk of data corruption and unauthorised access, and to prevent information leakage by maintaining data confidentiality at all times.

In addition to areas such as outsourcing and business continuity, which are covered elsewhere in this manual, this also applies to financial services offered via the Internet. In this respect, Circular NBB_2009_17 makes a series of recommendations and provides guidance on the main provisions of the existing regulatory and prudential framework. These recommendations are inter alia inspired by a number of international risk management standards, which may serve as a frame of reference for Belgian practice. The EBA Guidelines of 19 December 2014 on the security of internet payments, transposed into Circular NBB_2016_29, also offer useful guidance in this context.

Please also refer to the document entitled Principles for the Sound Management of Operational Risk, published by the Basel Committee on Banking Supervision at the end of 2011. In exercising its supervision, the NBB takes into account the guidelines contained in this reference document; see, in this respect, Communication NBB_2011_05.

In January 2013 the same Basel Committee published the document entitled Principles for effective risk data aggregation and risk reporting. The implementation of these principles should reinforce the risk management and decision-making processes in credit institutions.

In the payment services domain, Circulars NBB_2018_13 and NBB_2018_14 clarify the provisions that apply to the determination, implementation and supervision of the security measures institutions must take to control operational and security risks in the provision of payment services, and to the reporting, where applicable, of any major security incidents related thereto.