Article 19 Supervisory assessment of IT infrastructure

  1. (1)

    Competent authorities shall assess the degree to which an institution ensures the soundness, robustness and performance of the IT infrastructure used for AMA purposes by confirming at least the following:

    1. (a)

      that the IT systems and infrastructure of the institution for AMA purposes are sound and resilient and that these features can be maintained on a continuous basis;

    2. (b)

      that the SDLC for AMA purposes is sound and proper with reference to:

      1. (i)

        project management, risk management, and governance;

      2. (ii)

        engineering, quality assurance and test planning;

      3. (iii)

        systems' modelling and development;

      4. (iv)

        quality assurance in all activities, including code reviews and where appropriate, code verification;

      5. (v)

        testing, including user acceptance.

    3. (c)

      that the institution's IT infrastructure implemented for AMA purposes is subject to configuration management, change management and release management processes;

    4. (d)

      that SDLC and contingency plans for AMA purposes are approved by the institution's management body or senior management and that the management body and senior management are periodically informed about the IT infrastructure performance for AMA purposes.

  2. (2)

    Where the institution outsources parts of the IT infrastructure maintenance for AMA purposes, the institution shall ensure that the provisions in this Article are satisfied.