According to the BCL regulation of 15 January 2016, the BCL’s oversight is applied to:
- the system or the instrument, itself;
- the operators, the issuers or the governance authorities;
- the participants according to the risk assessment of their participation in the system;
- the services (in particular of operational and IT nature) provided by technical agents or third-party entities;
- the operating rules;
- the contracts related to the systems or the instruments.
The operators of systems and the issuers of payment instruments shall put in place a risk management framework based on an organization, procedures and internal rules enabling efficient management, monitoring and control of the security and/or efficiency of the system or the instrument.
The oversight performed by the BCL is based on regular reportings from relevant actors comprising quantitative and qualitative information, completed by regular contacts and specific on-site inspections. The actors are required to conduct regular self assessments of the degree of compliance of their infrastructure with regard to applicable recommendations, standards and principles, as defined by the Eurosystem for the different types of systems and payment instruments and adopted by the Governing Council of the ECB.
In the context of its oversight, the BCL cooperates with other central banks, in particular with the Eurosystem and the European System of Central Banks (ESCB), as well as with prudential supervisory authorities.