Transcript, slide 1
Oversight, PFMI and Business Continuity Management
Michiel van Doeveren
Sixth Macedonian Financial Sector Conference on Payments and Securities Settlement Systems
Ohrid, 1-3 July 2013

Agenda
• What is Oversight?
• Standards and methodology
• Overlay services and access to bank accounts
• CPSS Principles for Financial Market Infrastructures
• Framework for Business Continuity Planning

DNB – Oversight: Mission
Oversight aims to contribute to and maintain financial stability by
• reducing systemic risks
• promoting adequate payment settlements in the Netherlands
Criterion for DNB Oversight: relevance for the Netherlands (both domestically and located abroad)

DNB – Oversight: Objects
• Payment systems
• Wholesale
• Retail
• Payment instruments
• Securities clearing and settlement
• Risk-based approach, no scientific approach (so far)
• Accountability (and explain)
• Annual Oversight Report, http://www.dnb.nl/Oversight

Oversight on Equens
• European market share: 10-15%
• 10 cross-border links with other retail payment systems
• Regular meetings with the operator: every 6 weeks
• Quarterly meetings with the CEO of Equens and the Head of Oversight

Oversight (on payment schemes)
• Oversight framework: standards
• Oversight methodology: key issues
• Oversight guide: key checkpoints

Oversight standards (for payment schemes)
Standard 1: The scheme should have a sound legal basis under all relevant jurisdictions
Standard 2: The scheme should ensure that comprehensive information, including appropriate information on financial risks, is available for all actors
Standard 3: The scheme should ensure an adequate degree of security, operational reliability and business continuity
Standard 4: The scheme should implement effective, accountable and transparent governance arrangements
Standard 5: The scheme should manage and contain financial risks in relation to the clearing and settlement process

FMI Venn diagram
[Figure: Venn diagram with three rings, Rest of Economy, Financial Infrastructure and Financial Market Infrastructures; labels include TR, CCP, SSS, CSD, ACH, ELMI, SIPS, banks as participants of FMIs, payment institutions, CSP, exchange, MTF, correspondent banking, OTC trading, retail payment instruments, consumers, merchants, corporates, insurance companies, pension funds, government / public sector and end-investors]

FMI Warehouse (links)
[Figure: warehouse diagram showing three types of interdependencies (system-based, institution-based, environmental); labels include end clients, indirect participants of FMIs (bank, exchange, MTF), direct participants of FMIs (bank, correspondent banking), the FMIs themselves (TR, CCP, OTC, SSS, CSD, SIPS, CSP, ACH) and the supporting layer of messaging (SWIFT), datacom and IT processing]

Fundamental risks of the financial infrastructure
Three fundamental risks:
• Settlement risk (at the level of individual transactions, anywhere)
• Infrastructural systemic risk (at the 1st and 2nd floor of the warehouse)
• Social unrest (warehouse basement and ground floor)

Why Oversight on Financial Infrastructure?
• Improve safety and efficiency of the financial infrastructure → financial stability
• Mitigate infrastructural systemic risk
• Prevent social unrest
• Oversight assesses compliance with internationally agreed principles (standards) and induces change where compliance is not fully observed
• No standards, no oversight

Features of the Oversight Principles
• Risk reduction standards
• Minimum character
• Principle-based, not rule-based
• Prevention (ex ante)
  • Design of systems
• Feedback (cyclical)
  • Assessment of operation of systems

Oversight scoring table
Scoring per principle; no overall score (each meaning has its own colour in the original table)
• Observed: meets all requirements
• Broadly observed: there are minor shortcomings, which have a limited impact on the security and efficiency of the system
• Partly observed: there are serious shortcomings for which measures are being taken in the short term
• Not observed: there are serious shortcomings for which no measures are planned in the short term
• Not applicable
• Not assessed: initial assessment against this standard has not yet taken place

Example assessment outcome of a CCP: European Multilateral Clearing Facility (EMCF)
[Table: scores for 2008, 2009 and 2010 against the Recommendations for Central Counterparties: legal basis, participation requirements, management of credit risks, collateral requirements, financial resources, default procedures, custody and investment risks, operational risk, money settlements, physical deliveries, risks in links between CCPs, efficiency, governance, transparency, regulation and oversight; the colour scores are not reproduced in this transcript]

How are the Oversight standards set?
• Committee on Payment and Settlement Systems (CPSS)
• International Organisation of Securities Commissions (IOSCO)
• Eurosystem (User Standards for SSS and standards for credit transfers, direct debit and cards)
• CPSS-IOSCO Principles for Financial Market Infrastructures (2012)

What are financial market infrastructures?
• Definition: An FMI is a multilateral system among participating financial institutions, including the operator of the system, used for the purposes of recording, clearing, or settling payments, securities, derivatives, or other financial transactions.
• In practice:
  • Systemically Important Payment Systems (SIPS)
  • Central Securities Depositories (CSD)
  • Securities Settlement Systems (SSS)
  • Central Counterparties (CCP)
  • Trade Repositories (TR)

CPSS-IOSCO Principles for FMIs
Principles for Financial Market Infrastructures (24), grouped:
• General organisation (3): legal risk, governance, risk management framework
• Credit & liquidity risk management (4): credit risk, collateral, margin, liquidity risk
• Settlement (3): finality, money settlements, physical deliveries
• CSDs and exchange-of-value settlement systems (2): CSD, DVP
• Default management (2): participant default, segregation & portability
• General business and operational risk management (3): business risk, investment risk, operational risk
• Access (3): access, tiering, links
• Efficiency (2): efficiency, communication standards
• Transparency (2): disclosure of system rules, disclosure of market data
Legend (colour-coded in the original): completely new / raising the bar / basically unchanged

Dual consent: a new approach
• Integrated approach
• Access to a bank account by a third party is only acceptable if the account holder and the bank agree contractually on the conditions.

Discussion points
• How to stimulate innovation and security in the access to payment accounts?
• Is Dual Consent a good solution for access to payment accounts?
• Are there other elements to take into account when further analysing the approach?

Principles for Financial Market Infrastructures (FMI)
Co-production of:
• BIS Committee on Payment and Settlement Systems
• Technical Committee of the International Organization of Securities Commissions (IOSCO)
• The FMI Principles replace all older separate principles for Systemically Important Payment Systems, Securities Settlement Systems and Retail Payment Systems
• The final report was published in 2012

FMI Principles: General organisation
• Principle 1: Legal basis
• Principle 2: Governance
• Principle 3: Framework for the comprehensive management of risks

Business Continuity Management

What is Business Continuity?
• Business Continuity Management: a whole-of-business approach, that includes policies, standards, and procedures, to ensure (critical) operations can be maintained, or restored in a timely fashion, in the event of a disruption.
• Its purpose is to minimise the financial, legal, reputational and other material consequences arising from disruption
Source: BIS 2005

Financial Core Infrastructure (FCI)
The FCI is:
• A list of financial institutions and financial market infrastructures that form the critical parts of the Dutch payment and securities infrastructure
• Compiled by DNB in collaboration with the Ministry of Finance and the Authority for the Financial Markets (AFM)

Financial Core Infrastructure: Why
• Effective operational crisis management
• Stricter requirements for crucial players concerning operational reliability

Financial Core Infrastructure: Criteria
• Disruption of the institution leads to large financial losses for the economy or to serious social upheaval.
• The institution is directly regulated in the Netherlands.
• Cumulative 80% of the total transaction volume or value.

Financial Core Infrastructure: Requirements for FCI institutions
• Comply with the DNB Business Continuity Assessment Framework.
• Participate in the sector crisis management organisation.
• Connect to the terrorism alert system.
• Contribute to critical infrastructure programmes and projects.

Tripartite Crisis Management Organization
• The goal of this organisational structure is to perform sector crisis management in case of a major operational disruption of payment and/or securities systems and infrastructures.
[Figure: organisation chart of the Tripartite Crisis Management Organization and its link to (inter)national crisis management]

DNB BCP Assessment Framework (1)
• Drafted in cooperation with the financial institutions
• Commitment to use it at a high level
• The Assessment Framework consists of
  • 9 'principles'
  • Guidance note Human Factor
• Agreement between DNB and the financial sector for joint BCP initiatives
• In line with international principles such as those of the BIS
• Used by supervisor and overseer to assess the institutions of the financial core infrastructure against these principles

DNB BCP Assessment Framework (2)
1. The BCP should be approved by the EB/senior management
2. Risk analyses of critical systems and activities should be made
3. Explicit attention should be paid to the human factor

DNB BCP Assessment Framework (3)
4. Each institution should have a crisis organisation, including senior management
5. Single points of failure (SPOFs) should be identified
6. Critical processes and systems should be resumed as quickly as possible

DNB BCP Assessment Framework (4)
7. A back-up site/secondary site should be available
8. Alternate systems and contingency procedures should be regularly tested and exercised
9. Each institution should have a communication plan for all stakeholders

DNB Assessment Framework
[Figure: flow of four questions, reconstructed as a list]
• Why is the process unavailable? (Partial) unavailability of (and/or): people, IT systems, communications, buildings
• What is the cause? Natural calamities (fire, storm, earthquake, flood etc.); technical failure (hardware / software malfunction, power cut etc.); organisational failure (human error, sickness etc.); wilful malice (sabotage, terrorism, cybercrime etc.)
• What controls / measures are available? Measure / control categories: preventive, detective, corrective, response
• What residual risks remain? List of accepted residual risks

Guidance Note Human Factor
• The assessment showed that institutions have problems with principle 3, paying explicit attention to the human factor
• DNB developed a 'Guidance note human factor' to assess the human factor aspect for critical systems and business processes, depending on the level of knowledge that is required (specific in the extreme, highly specific, specific, not very specific, not specific)
• Matrix with the level of required knowledge and the human factor strategy: see www.dnb.nl – payments

BCP: Ways of ensuring staff continuity
1. double staffing at another location
2. planned scheduling of days off
3. shift work
4. use of staff from another location where a similar situation is operational
5. use of staff from another location where a similar situation is not operational
[Matrix: the five strategies above against the required level of knowledge of systems/business processes, from (a) specific in the extreme (red) through (b) highly specific, (c) specific and (d) not very specific to (e) not specific (green)]

Standard(izing) human (factor)s: skills
Standard(izing) human (factor)s: preparedness

Players/documents – Professional bodies, e.g.
• BCI (Business Continuity Institute)
  • Good Practice Guideline
• BCM Academy
  • BCM Pocketbook
• ENISA (European Network and Information Security Agency)
  • Business and IT continuity: overview and implementation principles
  • Inventory of business and IT continuity methods / tools

Players/documents – Standards bodies
• BSI (British Standards Institute)
  • BS 25777: Information and communication technology continuity management
  • BS 25999: Business continuity management
• ISO (International Organization for Standardization)
  • ISO/PAS 22399: Guidelines for incident preparedness and operational continuity management
  • ISO/IEC 27031: ICT readiness for business continuity
  • ISO/IEC 24762: Guidelines for information and communication technology disaster recovery services

Players – Regulators (supervisors / overseers)
• Global
  • BIS – BCBS / BIS – CPSS (Bank for International Settlements – Basel Committee on Banking Supervision / Committee on Payment and Settlement Systems)
  • FSB (Financial Stability Board)
  • IOSCO (International Organization of Securities Commissions)
  • IAIS (International Association of Insurance Supervisors)
  • Joint Forum (BCBS – IOSCO – IAIS)

Questions?