The Financial Supervisory Authority of Norway has published a supervisory report on an ICT inspection of Santander Consumer Bank AS, finding weaknesses in the bank’s governance and control of ICT activities. The main issues concerned how second-line roles and responsibilities are allocated for monitoring compliance with the Digital Operational Resilience Act, how the board documents its assessments and decisions on ICT risk, the further development of data governance and data management, independent controls and audits of outsourced ICT services, and vulnerability and patch management. The report says the bank placed responsibility for DORA compliance follow-up within the risk control function, and the supervisor questioned whether that division of labor with the compliance function was consistent with the bank’s own policies and job descriptions. It also found that board minutes on ICT-related matters in 2024 and 2025 often did not record the board’s discussions and reasoning in a way that could be reviewed later. On data quality, the supervisor said existing controls appeared appropriate but stressed that data governance and stewardship still require continued improvement. For outsourced ICT services, it said the 2026 second-line control plan did not sufficiently specify the scope, methodology or providers covered by independent reviews. On patching, it found the bank’s routine did not clearly distinguish which hardware and software are subject to automated updates and which require manual handling, nor did it set out adequate verification that updates are completed and prioritized based on criticality and risk. 
The board said it would consider adjusting the division of responsibilities between the risk and compliance functions, add risk-based ICT compliance activities to the compliance function’s 2026 annual plan, strengthen board minute-taking on ICT risk, revise the second-line control plan with more detail on scope, method and suppliers in the second quarter of 2026, and update patching procedures to document automated and manual processes more clearly. The supervisor took these responses into account and asked the bank to send a copy of the report to its external auditor.
Norwegian Finanstilsynet, 2026-07-01
Financial Supervisory Authority of Norway identifies ICT governance and DORA compliance shortcomings at Santander Consumer Bank
The Financial Supervisory Authority of Norway’s ICT inspection report on Santander Consumer Bank found shortcomings in ICT governance, especially around DORA compliance oversight, board documentation, outsourced ICT controls, data governance, and vulnerability and patch management. The bank said it would clarify second-line responsibilities, strengthen its 2026 control and compliance plans, improve board minutes, and update patching procedures.