Bank of Portugal has issued the Circular Letter no. CC/2023/00000025 on 21 June 2023, providing a set of recommendations aimed at minimising the impacts associated with phishing events on customers. The Circular Letter is addressed to Credit Institutions, Electronic Money Institutions and Payment Institutions with head office in Portugal and to branches of these types of institutions authorised to carry on business in Portugal with head offices in third countries.
This Circular Letter provides a set of recommendations aimed at ensuring the minimisation of the impacts associated with phishing, namely within the scope of reporting duties to the Bank of Portugal, in compliance with Instructions no. 21/2019 and 1/2019, as well as to other competent judicial, data protection or cybersecurity entities.
The internal control and risk management functions must record, monitor, evaluate and act on the risks that such incidents may cause. As for operating losses directly related to this type of incidents, the institutions must have methods to safeguard compliance with the applicable accounting rules, reporting obligations for supervisory purposes and requirements for self-assessment of internal capital.
The Circular Letter is available here.
