In a newly published guide to the assessment of fintech credit institution licence applications, the ECB said that increased reliance on outsourcing, including cloud computing, and the potential for cyber crime are two of the "most common and significant IT risks".
Fintech banks tend to make greater use of outsourcing and cloud services than other banks, the ECB said, and applicants should ensure that they and the supervisors are able to audit all outsourced activities.
"They should also consider assessing dependencies on suppliers, in particular, vulnerabilities owing to contractual lock-in clauses which may pose risks related to business continuity," it said.
When a fintech applicant is using any outsourcing arrangement, the ECB and National Competent Authorities (NCAs) will look at whether it has performed due diligence checks to assess the risks associated with the arrangements, the ECB said. These checks can, however, be done by a third party.
The ECB will also check that the applicant has given consideration to "factors including the financial situation of the service provider, its position in the market, the quality and turnover of its managers and staff, and its ability to manage business continuity and provide accurate and timely management reports", it said.
For cloud outsourcing, the ECB will also expect an applicant to have made a "comprehensive assessment" of the nature, scope and complexity of the cloud contractual arrangement and technical set-up.
This should involve an assessment of the roles and responsibilities of the cloud service provider, including its obligation to cooperate and implement controls, and whether adequate internal expertise and resources are available to mitigate the cloud computing risk.
The ECB will look at the fintech applicant's level of dependence on cloud service providers and its ability to minimise dependence on a single provider, relative to the potential costs of seeking multiple cloud service providers.
The compliance of the cloud service provider with legal and regulatory requirements, the actions it will take to continue supporting the applicant in the event of a failure of its systems, and the level of protection for personal and confidential data established in the service level agreement will also be taken into account, the ECB said.
"Furthermore, the applicant should assess the risk entailed in the cloud contractual arrangement, which should provide information on the aggregate exposure to cloud provider risk and the impact on the applicant in the event of defects, weaknesses or the failure of the cloud service provider to perform the activity," it said.
The ECB has also laid out details of its expectations on data governance. Fintech bank applicants should ensure that information is protected against disclosure to unauthorised users, improper modification and inaccessibility when needed, it said.
Fintech expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said: "It is disappointing that the ECB has included the idea that outsourcing by its nature, rather than as a result of the soundness or preparedness of outsourcing providers, leads to greater technology risk."
"The reality is that providing a short guide with language which is similar, but not the same as that provided in other overarching and applicable outsourcing guidance only creates more discussion and administrative work in understanding what is required of banks to ensure that they have risk control frameworks in place which are acceptable to regulators when relying on a cloud provider," Scanlon said.