ORION) Policy Document
Total Page:16
File Type:pdf, Size:1020Kb
Operational Risk Integrated Online Network (ORION) Policy Document Applicable to: 1. Licensed banks 2. Licensed Investment banks 3. Licensed Islamic banks 4. Licensed International Islamic banks 5. Licensed insurers 6. Licensed takaful operators 7. Licensed international takaful operators 8. Prescribed development financial institutions 9. Approved issuers of a designated payment instrument 10. Approved issuers of a designated Islamic payment instrument Issued on: 25 February 2021 Page 2 of 94 TABLE OF CONTENTS PART A: OVERVIEW ...................................................................................... 4 1. Introduction ............................................................................................... 4 2. Applicability ............................................................................................... 4 3. Legal provisions ........................................................................................ 4 4. Effective date ............................................................................................ 4 5. Interpretation ............................................................................................. 4 6. Policy document superseded..................................................................... 6 7. Enquiries and correspondence .................................................................. 7 PART B: POLICY REQUIREMENTS .............................................................. 8 8. Overview of the responsibilities of reporting entities .................................. 8 9. Roles and responsibilities of ORION users ................................................ 8 10. Access to ORION ...................................................................................... 9 11. Registration of ORION users ..................................................................... 9 PART C: REPORTING REQUIREMENTS .................................................... 10 12. ORION reporting requirements ................................................................ 10 13. Scope of reporting ................................................................................... 11 14. Reporting currency .................................................................................. 11 15. Classification and quantification .............................................................. 11 16. Additional reporting requirements ............................................................ 14 17. Key risk indicators ................................................................................... 14 18. Scenario analysis .................................................................................... 14 APPENDICES................................................................................................ 16 APPENDIX 1 ORION user guide and technical specifications ...................... 16 APPENDIX 2 Operational risk event reporting requirements ........................ 16 APPENDIX 3 Cyber threat reporting requirements ....................................... 20 APPENDIX 4 BDSF event reporting requirements ....................................... 26 APPENDIX 5 Boundary event reporting requirements .................................. 27 APPENDIX 6 Customer information breaches reporting requirements ......... 28 APPENDIX 7 Insurance-related event reporting requirements ..................... 33 APPENDIX 8 SNC event reporting requirements ......................................... 38 APPENDIX 9 Payment-related fraud event reporting requirements .............. 45 APPENDIX 10 Aggregate reporting requirements ........................................... 58 APPENDIX 11 Overseas loss event reporting requirements ........................... 67 APPENDIX 12 Business lines taxonomy ......................................................... 70 APPENDIX 13 Event types taxonomy ............................................................. 76 APPENDIX 14 Causal categories taxonomy ................................................... 84 APPENDIX 15 Key risk indicators taxonomy ................................................... 86 Issued on: 25 February 2021 Page 3 of 94 LIST OF TABLES Table 1 ORION reporting requirements…………………………….…… 10 Table 2 ORION Reporting types and timelines…..………………....….. 13 Table 3 Timeline for KRI reporting to ORION……………………….….. 14 Table 4 Data fields for operational risk event reporting ………………. 16 Table 5 Types of cyber threats…………………………………………… 20 Table 6 BDSF event reporting types …………………………………..... 26 Table 7 SNC specific data fields…………………………………………. 40 Table 8 Payment-related fraud types ………………………………....... 45 Table 9 Card-related fraud MO…………….…………………………….. 46 Table 10 Network based e-money scheme MO …….…………………... 47 Table 11 Cheque fraud MO …………………….……….………………… 47 Table 12 Internet banking fraud MO ……………………………………… 48 Table 13 Mobile banking fraud MO ………………………………………. 49 Table 14 Aggregate reporting types and threshold …………………….. 58 Table 15 Overseas loss event reporting requirements.………………… 67 Issued on: 25 February 2021 Page 4 of 94 PART A: OVERVIEW 1. Introduction 1.1 The sound operational risk management requires a comprehensive identification and assessment of Operational Risk as well as monitoring of Operational Risk exposures through indicators such as Loss Event Data, Key Risk Indicators and Scenario Analysis. 1.2 The objective of this policy document is to require reporting entities (REs) to submit information to the Bank with regard to operational risk exposure. 1.3 This policy document sets out the requirements for the reporting of Loss Event Data, Key Risk Indicators and Scenario Analysis to the Bank through the ORION. 2. Applicability 2.1 This policy document is applicable to REs as defined in paragraph 5.2. 3. Legal provisions 3.1 This policy document is issued pursuant to: (a) sections 47(1) and 143(2) of the Financial Services Act 2013 (FSA); (b) sections 57(1) and 155(2) of the Islamic Financial Services Act 2013 (IFSA); and (c) section 41(1) and constitutes a notice under section 116(1) of the Development Financial Institutions Act 2002 (DFIA). 3.2 The guidance in this policy document is issued pursuant to section 266 of the FSA, section 277 of the IFSA and section 126 of the DFIA. 4. Effective date 4.1 This policy document comes into effect on 1 March 2021. 5. Interpretation 5.1 The terms and expressions used in this policy document shall have the same meanings assigned to them in the FSA, IFSA or DFIA, as the case may be, unless otherwise defined in this policy document. 5.2 For the purpose of this policy document: “S” denotes a standard, an obligation, a requirement, specification, direction, condition and any interpretative, supplemental and transitional provisions that must be complied with. Non-compliance may result in enforcement action; Issued on: 25 February 2021 Page 5 of 94 “G” denotes guidance which may consist of statements or information intended to promote common understanding and advice or recommendations that are encouraged to be adopted; “BDSF” refers to business disruption and system failure; “CRO” means the Chief Risk Officer of a RE; “Financial group” refers to a financial holding company approved by the Bank or a licensed institution, and a group of related corporations under such financial holding company or licensed institution primarily engaged in financial services or other services which are in connection with or for the purposes of such financial services which includes at least one licensed person; “Financial institutions” or “FIs” means: (a) licensed banks, licensed investment banks and licensed insurers under the FSA; (b) licensed Islamic banks which includes licensed international Islamic banks, and licensed takaful operators which includes licensed international takaful operators under the IFSA; and (c) prescribed institutions under the DFIA; “GCRO” means the Group Chief Risk Officer of a RE; “Loss Event Data” or “LED” refers to information required for assessing an entity’s exposure to operational risk and the effectiveness of its internal controls. The purpose of the analysis of LED is to provide insight into the causes for large losses and whether control failures are isolated or systematic in nature. Identifying how operational risk may lead to credit risk and market risk-related losses also provides a more holistic view of the operational risk exposure; “Key Risk Indicators” or “KRIs” refer to information that will provide insight into the operational risk exposure and are used to monitor the main drivers of exposure associated with the key risks; “Operational Risk” has the same meaning assigned to it under the Policy Document on Operational Risk issued by the Bank on 10 May 20161and includes any amendments made thereof from time to time. For ease of reference, Operational Risk refers to the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Operational risk is inherent in all activities, products and services of financial institutions and can transverse multiple activities and business lines within the financial institutions. It includes a wide spectrum of heterogeneous risks such as fraud, physical damage, business disruption, transaction failures, legal and regulatory breaches2 as well as employee health and safety hazards. Operational risk may result in direct 1 Paragraph 1.1 of the Policy Document on Operational Risk. 2 Including fiduciary breaches and Shariah non-compliance by Islamic financial institutions. Issued