Copyright Page
© 2021 International Monetary Fund
WP/21/105
IMF Working Paper
Monetary and Capital Markets Department and Information Technology Department
Central Bank Risk Management, Fintech, and Cybersecurity Prepared by Ashraf Khan and Majid Malaika
Authorized for distribution by Jihad Alwazir and Herve Tourpe
April 2021
IMF Working Papers describe research in progress by the author(s) and are published to elicit comments and to encourage debate. The views expressed in IMF Working Papers are those of the author(s) and do not necessarily represent the views of the IMF, its Executive Board, or IMF management.
Abstract
Based on technical assistance to central banks by the IMF’s Monetary and Capital Markets Department and Information Technology Department, this paper examines fintech and the related area of cybersecurity from the perspective of central bank risk management. The paper draws on findings from the IMF Article IV Database, selected FSAP and country cases, and gives examples of central bank risks related to fintech and cybersecurity. The paper highlights that fintech- and cybersecurity-related risks for central banks should be addressed by operationalizing sound internal risk management by establishing and strengthening an integrated risk management approach throughout the organization, including a dedicated risk management unit, ongoing sensitizing and training of Board members and staff, clear reporting lines, assessing cyber resilience and security posture, and tying risk management into strategic planning.. Given the fast-evolving nature of such risks, central banks could make use of timely and regular inputs from external experts.
JEL Classification Numbers: G32, G34, G38, E50, E58, K23, O30.
Keywords: fintech, cybersecurity, central banking, financial supervision, law, technical assistance
Authors’ Email Addresses: AKhan4@imf.org, MMalaika@imf.org
READING GUIDE for IMF Working Paper on Central Bank Risk Management, Fintech, and Cybersecurity
| If you are interested in: | (Sub)section(s) | Pages | |
|---|---|---|---|
| 1 | General discussion of fintech and (central bank) risk management | I, II | 6–9 |
| 2 | Specific recommendations for central banks | V | 51–55 |
| 3 | Operational findings from technical assistance on central bank risk management, fintech, and cybersecurity | III.A | 9–19 |
| 4 | Findings from IMF surveillance (FSAP/AIV) on (central bank) risk management, fintech, and cybersecurity | III.B, III.C | 19–25 |
| 5 | Concrete fintech/cybersecurity risk examples for central bank policies, functions, and organization | IV | 25–51 |
| 6 | Selected central bank case examples of fintech developments and risk management | Appendix II | 60–71 |
| If you are interested in: | (Sub)section(s) | Pages | |
|---|---|---|---|
| 1 | General discussion of fintech and (central bank) risk management | I, II | 6–9 |
| 2 | Specific recommendations for central banks | V | 51–55 |
| 3 | Operational findings from technical assistance on central bank risk management, fintech, and cybersecurity | III.A | 9–19 |
| 4 | Findings from IMF surveillance (FSAP/AIV) on (central bank) risk management, fintech, and cybersecurity | III.B, III.C | 19–25 |
| 5 | Concrete fintech/cybersecurity risk examples for central bank policies, functions, and organization | IV | 25–51 |
| 6 | Selected central bank case examples of fintech developments and risk management | Appendix II | 60–71 |
Contents
Glossary
I. Introduction
II. Fintech—Definition, Principles, and Risk Management
III. The IMF’s Involvement with “Fintech” and Risk Management
A. Technical Assistance: Advice on Fintech in the Context of Risk Management
B. IMF AIV: Fintech, Cybersecurity, and Risk Management References
C. IMF FSAP
IV. Fintech and Central Bank Risk Management—Examples
A. Monetary Policy & Operations
B. Financial Market Infrastructures
C. Reserve Management
D. Financial Inclusion
E. Financial Supervision
F. Financial Integrity
G. Cash Currency Management
H. Digital Risks and Central Bank Information Technology
I. Central Bank Internal Organization
V. Conclusion
References
Boxes
1. Fintech and Payment and Settlement Systems
2. Cloud Computing
Figures
1. Major Technologies Transforming Financial Services
2. Central Bank Risk Management, Fintech, and Cybersecurity
3. Main Fintech Issues Discussed in the Context of IMF Risk Management TA
4. IMF Article IV References to
5. IMF Surveillance and Fintech
6. Google Search Interest for “Fintech”
7. IMF Article IV References to Technology
8. Selected IMF FSAP References to Fintech
9. Central Bank Risk Landscape
10. Areas of Financial Supervision in which Suptech Applications are Used
11. National Bank of Georgia: Outline of OpenRegulation
12. National Bank of Georgia: OpenRegulation—Legal Updating Process
13. Cash Currency and CBDC—Transfer of Possession
14. Countries Where Retail CBDC is Being Explored
15. Digital Risks to IT Systems
16. Fintech and Central Bank Operational Resilience
17. Cyber Risk Management
18. Fintech and Central Bank Risk Management—Example of a Risk Matrix
Tables
1. Example: IMF TA Recommendations on Central Bank Risk Management,
2. Example: IMF TA Recommendations on Central Bank Strategic Planning, Risk Management and Cybersecurity
3. Example: IMF TA Recommendations on Central Bank Strategic Planning,
Appendices
I. Bali Fintech Agenda
II. Case Examples
Glossary
| AI | Artificial Intelligence |
| AIV | IMF Article IV surveillance |
| AML/CFT | Anti-Money Laundering/Combatting the Financing of Terrorism |
| API | Application Programming Interface |
| BCBS | Basel Committee on Banking Supervision |
| BCL | Banque Centrale du Luxembourg |
| BCM | Business Continuity Management |
| BFA | Bali Fintech Agenda |
| BI | Bank Indonesia |
| BIS | Bank for International Settlements |
| BSL | Bank of Sierra Leone |
| CBDC | Central Bank Digital Currencies |
| CBLD | Central Bank Legislation Database |
| CER | Committee on Emerging Risks (of IOSCO) |
| DeFi | Decentralized Finance |
| DLT | Distributed Ledger Technology |
| ECB | European Central Bank |
| ELA | Emergency Liquidity Assistance |
| ERM | Enterprise-wide Risk Management |
| FATF | Financial Action Task Force |
| FIU | Financial Intelligence Unit |
| FMI | Financial Market Infrastructure |
| FSAP | Financial Sector Assessment Program |
| FSB | Financial Stability Board |
| FSI | Financial Stability Institute |
| GFC | Global Financial Crisis |
| GRC | Governance, Risk, and Compliance |
| GSC | Global Stablecoin |
| HR | Human Resources |
| IMF | International Monetary Fund |
| IOSCO | International Organization of Securities Commissions |
| IT | Information Technology |
| ITD | Information Technology Department |
| LIC | Low-Income Countries |
| LOLR | Lender of Last Resort |
| MCM | Monetary and Capital Markets Department, IMF |
| ML | Machine-Learning |
| NBG | National Bank of Georgia |
| NBU | National Bank of Ukraine |
| OECD | Organisation for Economic Co-operation and Development |
| ORM | Operational Risk Management |
| PF | Proliferation Financing |
| PFMI | Principles for Financial Markets Infrastructures |
| RBI | Reserve Bank of India |
| RCSA | Risk Control Self-Assessment |
| RMD | Risk Management Department |
| RTGS | Real-Time Gross Settlement |
| SME | Small and Medium Enterprises |
| SOC | Security Operation Center |
| SRA | Strategic Risk Assessment |
| TA | Technical Assistance |
| UMP | Unconventional Monetary Policies |