Financial Supervision Commission

REQUIREMENTS

for establishment and maintenance of an IT system of a pension company

adopted by Decision No 568 – PIC of Dec. 30, 2003 of the Deputy Chairperson of the FSC responsible for the SISD

I. General Provisions

1. Pension companies shall be obliged to comply with the basic requirements for their IT system with respect to reliability, security, protection against unauthorized access and disaster recovery.

2. Pension companies shall choose their own hardware suppliers, software developers and the amount of funds for development of an IT system and security policy implementation.

3. The system software and the applications used for the design and operation of the IT system shall ensure adequate security and reliability.

4. The IT system shall enable the preparation of individual account statements at any moment, as well as the preparation of the reports required by the Financial Supervision Commission on a daily, monthly, quarterly, semiannual and annual basis and upon request. The file format of the reports and statements shall be defined by the regulator.

5. The system shall ensure online real-time access to information about the status of an individual account for the preceding three years; the full detailed history of the individual account shall be accessible through a query to the records and shall be presented within three hours.

6. The IT system shall allow the addition of supplementary components and modules in accordance with the regulatory requirements, as well as additional modules as defined by the pension company.

7. The pension companies shall have sufficient well qualified and experienced staff who can effectively perform their duties related to the maintenance of the IT system.

8. The pension companies shall adopt and comply with internal rules on the protection of the IT resources (security management policy). All users of the IT system shall be aware of this policy and shall certify this by placing their signature.

II. Requirements for the hardware and software

  1. The installed equipment (server/-s and workstations) shall be reliable and fault tolerant and shall have sufficient capacity to maintain information about the maximum possible number of clients.
  2. The installed structural cables (incl. passive and active equipment) shall be reliable and failure proof and shall be highly secured against unauthorized external access.
  3. Supplementary equipment (air conditioning, heating appliances, humidity control, smoke and temperature detectors, alarm devices, power supply, UPS, location of the server) shall be in place.
  4. Detailed inventory list of the hardware, software and communication equipment in use shall be maintained. There shall be a hardware maintenance program and a development strategy.
  5. The development and operation of the IT system, other systems and software applications on behalf of the pension companies shall be performed in compliance with the Copyright Act as well as other Bulgarian and international laws related to intellectual property.

III. Functional requirements for the IT system

The IT system for administering the pension funds managed by a pension company shall contain and maintain up-to-date information for each supplementary pension fund under management:

  1. Registers of:
     a) pension insurance contracts, incl. by type for the voluntary pension fund (contracts for personal contributions, contributions paid by the employer or by another entity under art. 230, paragraph 3, item 3 of the Social Insurance Code /SIC/, as well as contributions by a third-party insurer);
     b) the administratively distributed pension fund members and the date of their administrative distribution;
     c) pension contracts;
     d) contracts for programmed withdrawal of the individual account accumulations.
  2. A register of the individual accounts of the pension fund participants and pensioners that contains the data pursuant to art. 24 and 25 of Regulation No 10 from November 26, 2003 of the Financial Supervision Commission (FSC), as well as the account of the reserve for guaranteeing the minimum rate of return pursuant to art. 193, paragraph 7 of SIC.
  3. A register of all applications for withdrawal or pay-out of individual account accumulations, kept separately for each fund under management.
  4. A register pursuant to art. 20 of Regulation No 3 from September 24, 2003 of the FSC.
  5. A register of the applications for transferring the accumulations from one account to another of the same pension fund in the name of a spouse or other direct relatives up to the second degree.
  6. A register of the assets held by each pension fund, corresponding to the register maintained by the custodian bank and containing supplementary entries on the valuation of each asset.

IV. Requirements for Information Security and Reliability

The IT system shall have a multiple layer security architecture and shall comply with the following requirements:

  1. Hardware and software protection against unauthorized access to the data, detailed auditing (procedures for registration, analysis and control of each activity within the system), and controlled access through user authorization and authentication. The pension company shall have an official contact e-mail and a mail server maintaining the volumes of its official correspondence. The e-mail address and the mail server shall be entered in the public register of the Financial Supervision Commission.
  2. Physical control of the access to the IT resources, incl. security guards, security alarm, identification control devices at the entrance of the building and of the computer (server) halls, surveillance and control system.
  3. The system shall be protected against breakdowns through hardware solutions, reliable UPS systems, back-up of devices, connections and power supply of the local network.
  4. Improved reliability through data back-ups, with a back-up system and back-up procedures in place. Storage of information at other premises physically situated outside the headquarters where the IT system is located (in another building or city).
  5. Disaster recovery plan (natural disasters, accidents, etc.). Recovering data and procedures. Educating the staff about the disaster recovery plan. The recovery of the system shall take place within 72 hours.
  6. Training of the IT system users. Educating system users about the security policy and procedures.
