Nov 03, 2021

Experience, compliance, and certification. What should a financial institution know when choosing an IT supplier?

The information systems operated by financial institutions collect and store particularly sensitive data, which is why supervising authorities pay special attention to their reliability and security. Quite often, financial institutions that are unwilling to tackle the compliance challenges alone rely on third parties providing IT services. Rūta Šiaučiulytė, Head of the Division of Legal Counsel and Compliance at Forbis, a company that has operated in the field of banking technology for almost 30 years, advises on how to choose a reliable information technology and software supplier that would facilitate routine operations and simplify the compliance processes.

The business activities of Lithuanian financial institutions are defined by a wide range of legal acts – starting with the resolutions of the European Central Bank or the Bank of Lithuania and ending with the GDPR (General Data Protection Regulation) and the documents defining the AML (anti-money laundering) requirements. In order to achieve the overall sustainability and reliability of the financial system, not only are the direct activities of banks, credit unions and other financial service suppliers regulated, but requirements are also set for IT systems and their management, i.e. for the tools used by financial institutions in their day-to-day operations. However, regulatory legal acts do not usually define specific technical requirements; instead, they identify good industry practices that should help the institution ensure the required level of security, regardless of the scope of its activities, the technologies used, and the functions delegated to third parties.

According to Rūta Šiaučiulytė, Head of the Division of Legal Counsel and Compliance at Forbis, formal compliance with legal requirements is an important, but not the only, criterion for a financial institution when choosing an IT supplier. “The third parties, from which the financial institutions acquire core IT systems, are considered critical suppliers, and it is therefore necessary to comply with the legal acts that specify how to choose IT suppliers and manage the services they provide. However, our many years' experience shows that not just formal compliance is important for success: the higher the ambition of the financial institution, the higher the requirements it should have for the experience of the future partner. IT providers can prove their competence with conformity certificates issued by recognised institutions and with the customer feedback,” said R. Šiaučiulytė.

Similar to companies operating in other fields, the IT system vendors can obtain ISO (International Organization for Standardization) certificates, confirming that the companies apply good business management practices as defined by the international standards. “When working with the financial institutions of various sizes – from banks to financial technology start-ups – we are convinced that one of the main criteria when choosing an IT supplier is confirmation obtained from independent certification bodies that the company pays due attention to the service quality, risk management, and information security. Therefore, both Forbis, developing IT banking software, and Fininbox, another company of our group, providing software rental (SaaS) solutions to financial institutions, have ISO/IEC 27001 certificates regarding the international information security management. Besides, the management systems that meet the requirements of ISO/IEC 20000 service management and ISO/IEC 9001 quality management standards also help to manage Forbis business processes. Moreover, specific market standards are very important when developing IT solutions – IT developers must follow the requirements of OWASP and other IT security standards, guidelines of NIST and other organizations, constantly check the security of the developed products, and allocate sufficient resources for staff training. Only the day-to-day application of good practices and a holistic approach to the development of IT systems can make one sure that the product being created is of the highest quality and security,” commented R. Šiaučiulytė.

It is also important that the IT systems supplier not only develops and implements the product, but also guarantees that its errors are eliminated and that the product is upgraded as regulatory or financial institution needs change. “The reliability of IT suppliers and business continuity are essential for the customers to receive all the necessary services smoothly and on time. International standards oblige us to constantly monitor and improve business processes – in our opinion, they show and establish the trend for fair, clear, and efficient activities. The market and the requirements are changing very quickly, thus, a lot of effort needs to be put into maintaining a high level of the processes’ quality and into constant update of the certificates,” said R. Šiaučiulytė.

The compliance expert encourages financial institutions that are now considering which supplier to choose to pay attention to the company's history: the duration of its activity, the large-scale or complex projects it has implemented, and the customer feedback, which will best reflect how the supplier's customer service team will work after the agreement is signed, whether deficiencies will be eliminated promptly, and what solutions the company will be able to offer in non-routine situations.