Nigeria Financial Services Shared IT Infrastructure & IT Standards Programme

S/N

Feedback from the Banks

Response

1

Will CBN certify Banks that are compliant with respect to the IT Standards?

The Council will not certify banks. Certification will be left for the Certificate Authorities

2

Who will determine the acceptability of local variations of standards and how would this be achieved?

Standards Review Committee is responsible for the review and evaluation of IT Standards on an annual basis to determine their continued relevance to the local industry. Where these standards are found to require a local context, this will be recommended to the IT Standards Council after a thorough review by the committee.

3

Will Implementation Guidelines suffice (in the interim) for Banks towards full compliance?

Implementation guidelines from certification authorities will suffice. However, a minimum of maturity 3 is required for all FS Organisations.

4

Can a phased maturity plan be adopted by Banks to attain maturity level 3

Phased maturity plans can be adopted by Banks. However, Banks will be expected to meet the minimum acceptable maturity level on or before the deadline for such standards.

5

How many Standards per capability area are required by the Banks to implement?

Banks are required to implement only one standard per area of IT concern.  Banks that want to implement more than one standard are welcomed.

6

Who would be responsible for ensuring compliance for services/ IT Standards provided by the Service provider?

All organisations that would be responsible for providing services to the industry will be subject to the industry IT standards. However, the existence of service providers does not preclude Banks from implementing the IT standards.

7

Can the Banks extend the scope of new and already implemented standards?

Banks can extend the current standards as long as the minimum features / requirements of the standards defined for the Industry are met

8

Are Banks with foreign affiliation required to adopt the se IT Standards?

Yes. Standards defined for the local industry are expected to be adopted by every Bank irrespective of affiliation or parentage.

9

Will self-audit/assessment by a Bank’s internal compliance audit sufficient?

Internal audits / checks may be performed to ensure Bank's own compliance. However only reports from the Compliance Management Committee and Independent Assessors will be used for compliance purposes by the IT Standards Council.

10

Will there be exemptions for some Banks with regards to adopted IT Standards?

There will no exemptions. All banks will be required to implement  all agreed  IT standards

11

Will partial implementation of standards such as CMMI be accepted?

No. Banks are at liberty to determine how they approach standards implementation. However, the minimum features/ requirements of the standards defined for the Industry as well as maturity level must be met.

12

How would new, excluded or obsolete IT Standards e.g. risk management, PA-DSS etc. be reviewed?

All new/ additional standards will be reviewed during the annual IT standards review and recommendations made to the IT standards Council

13

Will the implementation of IFRS taxonomy as part of the mandatory migration to IFRS based reporting suffice for XBRL compliance?

For financial reporting, implementation of the IFRS taxonomy suffices for XBRL compliance. However, it does not cater to other forms of business information reporting