The topics addressed by regulation are manifold. Identifying applicable requirements, understanding how compliance can be achieved, implementing the necessary actions and monitoring such compliance on a continuous basis are proving to be a real challenge for organisations. This challenge is further amplified by the fact that IT compliance does not concern the CIO alone but has many internal stakeholders.
We support you in staying abreast of IT regulation by helping you to identify the matters which are relevant to you and by jointly defining action plans to achieve and maintain compliance. Our expertise and ongoing exchange with the governing bodies which design these requirements will provide you with the comfort that implemented actions will meet both internal and external expectations.
Having a clear picture of all regulation applicable to you can be more complex than one might assume. Furthermore, regulatory requirements are directly linked to the operational activities of an organisation, which can even lead to a potential redesign of the operating model based on applicable regulation.
Instead of merely highlighting potential compliance gaps, we will challenge your current setup with the ambition of jointly establishing a desired operating model in light of the practical implications from a regulatory perspective.
On-site inspections by regulatory authorities can be rather painful experiences, as they are often announced at short notice and put additional strain on those responsible for preparing the terrain for the fieldwork.
We will help you to be adequately prepared for such an exercise, as we are able to anticipate the focal points of attention during the on-site inspection by the regulators. Furthermore, we will outline for you those areas which require further actions to reduce the number and severity of potential findings. Finally, we will assist you in defining adequate remediation plans to address recommendations made by the regulators.
We provide assistance in the following areas:
IT governance framework (e.g. IT strategy);
IT risk management framework (e.g. risk assessment, risk appetite and tolerance);
IT outsourcing management and oversight (including cloud computing);
Outsourcing service provider management (e.g. SLAs, register, service KPIs);
Information security management system (e.g. information security policy, testing);
Business continuity and crisis management measures, processes and documentation (e.g. business impact analysis and risk analysis, BC&DR plans).
The implementation of IT projects which affect the ownership of responsibilities or the treatment of sensitive data such as client data often requires interaction with the regulator. In specific cases, prior approval is required before the organisation can implement the envisaged changes, for instance when outsourcing your main accounting system or using cloud-based solutions for material activities.
Based on our experience, we will be able to assist you in identifying the right type of communication with the regulatory authorities, both in terms of form and content. We will support you during the preparation of the communication as well as subsequent discussions with the regulator, so that you can concentrate on moving your internal projects forward.
We provide assistance with the following CSSF applications:
Acquiring a regulated status usually requires a detailed description of the organisation's activities to be provided to the authorities. Such a description also covers the IT landscape and related processes, including information about delegated activities. Depending on the chosen business model, these descriptions are often of a complex nature, not least because the internal controls that mitigate risks related to the use of IT assets need to be described in detail.
We provide assistance throughout the whole licence application process, from the initial identification of the most suitable licence and related IT setup, via the initial discussions with the regulator, to the drafting of the application file and the handling of subsequent questions. Our IT specialists will interact directly with your key stakeholders to ensure that the descriptions provided are sufficiently detailed and aligned with external expectations.
Regulatory & Compliance Advisory Services - Banking - Partner, PwC Luxembourg
Tel: +352 49 48 48 2245
Regulatory & Compliance Advisory Services - Banking - Managing Director, PwC Luxembourg
Tel: +352 49 49 48 4169