
Oversight, PFMI and Business Continuity Management

Michiel van Doeveren

Sixth Macedonian Financial Sector Conference on Payments and Securities Settlement Systems

Ohrid, 1-3 July 2013

Agenda

• What is Oversight?
• Standards and methodology
• Overlay services and access to bank accounts
• CPSS Principles for Financial Market Infrastructures
• Framework for Business Continuity Planning

DNB – Oversight: Mission

Oversight aims to contribute to and maintain financial stability by:
• Reducing systemic risks
• Promoting adequate payment settlements in the Netherlands

Criterion for DNB Oversight: relevance for the Netherlands (both domestically and located abroad)

DNB – Oversight: Objects

• Payment systems
  • Wholesale
  • Retail
• Payment instruments
• Securities clearing and settlement
• Risk-based approach, no scientific approach (so far)
• Accountability (and explain)
• Annual Oversight Report, http://www.dnb.nl/Oversight

Oversight on Equens

• European market share: 10-15%
• 10 cross-border links with other retail payment systems
• Regular meetings with operator: every 6 weeks
• Quarterly meetings with CEO Equens and Head Oversight

Oversight (on payment schemes)

Oversight framework: Standards

Oversight methodology: Key issues

Oversight guide: Key checkpoints

Oversight standards (for payment schemes)

Standard 1: The scheme should have a sound legal basis under all relevant jurisdictions

Standard 2: The scheme should ensure that comprehensive information, including appropriate information on financial risks, is available for all actors

Standard 3: The scheme should ensure an adequate degree of security, operational reliability and business continuity

Standard 4: The scheme should implement effective, accountable and transparent governance arrangements

Standard 5: The scheme should manage and contain financial risks in relation to the clearing and settlement process

FMI Venn diagram

[Figure: Venn diagram of three overlapping groups]
• Rest of economy: end-investors, consumers, merchants, banks, corporates, pension funds, insurance companies, government / public sector
• Financial infrastructure: ELMI, correspondent banking, payment institutions, retail payment instruments, CSP
• Financial market infrastructures (FMI): exchange / MTF, ACH, OTC trading, TR, CCP, SSS, CSD, SIPS

Banks as participant of FMIs

FMI warehouse (links)

[Figure: FMI warehouse showing the FMIs (ACH, SIPS, exchange / MTF, CCP, SSS, CSD, OTC, TR), banks as direct participant or indirect participant of an FMI, end clients, correspondent banking, and CSPs (messaging (SWIFT), datacom, IT-processing)]

Three types of interdependencies

• System-based
• Environmental
• Institutions-based

Fundamental risks of the financial infrastructure

• Three fundamental risks:
  • Settlement risk (at the level of individual transactions, anywhere)
  • Infrastructural systemic risk (at the 1st and 2nd floor of the warehouse)
  • Social unrest (warehouse basement and ground floor)

Why Oversight on Financial Infrastructure?

• Improve safety and efficiency of the financial infrastructure (financial stability)
• Mitigate infrastructural systemic risk
• Prevent social unrest
• Oversight assesses compliance with internationally agreed principles (standards) and induces change where compliance is not fully observed
• No standards, no oversight

Features of the Oversight Principles

• Risk reduction standards
• Minimum character
• Principle-based, not rule-based
• Prevention (ex ante)
  • Design of systems
• Feedback (cyclical)
  • Assessment of operation of systems

Oversight scoring table

Scoring per principle (colour-coded); no overall score

Meaning | Explanation
Observed | Meets all requirements
Broadly observed | There are minor shortcomings, which have a limited impact on the security and efficiency of the system
Partly observed | There are serious shortcomings for which measures are being taken in the short term
Not observed | There are serious shortcomings for which no measures are planned in the short term
Not applicable |
Not assessed | Initial assessment against this standard has not yet taken place

Example assessment outcome of a CCP

[Table: European Multilateral Clearing Facility (EMCF) assessed against the Recommendations for Central Counterparties, with one colour-coded score per recommendation for each of 2008, 2009 and 2010]

Recommendations for Central Counterparties:
• Legal basis
• Participation requirements
• Management of credit risks
• Collateral requirements
• Financial resources
• Default procedures
• Custody and investment risks
• Operational risk
• Money settlements
• Physical deliveries
• Risks in links between CCPs
• Efficiency
• Governance
• Transparency
• Regulation and oversight

How are the Oversight standards set?

• Committee on Payment and Settlement Systems (CPSS)

• International Organisation of Securities Commissions (IOSCO)

• Eurosystem (User Standards for SSS and standards for credit transfers, direct debit and cards)

• CPSS-IOSCO Principles for Financial Market Infrastructures (2012)

What are financial market infrastructures?

• Definition: An FMI is a multilateral system among participating financial institutions, including the operator of the system, used for the purposes of recording, clearing, or settling payments, securities, derivatives, or other financial transactions.
• In practice:
  • Systemically Important Payment Systems (SIPS)
  • Central Securities Depositories (CSD)
  • Securities Settlement Systems (SSS)
  • Central Counterparties (CCP)
  • Trade Repositories (TR)

Principles for Financial Market Infrastructures (24)

[Figure: map of the 24 principles grouped by category; each principle is colour-coded according to the legend below]

• General organisation (3): legal risk, governance, risk management framework
• Credit & liquidity risk management (4): credit risk, collateral, margin, liquidity risk
• Settlement (3): finality, money settlements, physical deliveries
• CSDs and exchange-of-value settlement systems (2): CSD, DVP
• Default management (2): participant default, segregation & portability
• General business and operational risk management (3): business risk, investment risk, operational risk
• Access (3): access, tiering, links
• Efficiency (2): efficiency, communication standards
• Transparency (2): disclosure of system rules, disclosure of market data

CPSS-IOSCO Principles for FMIs

Legend: completely new / raising the bar / basically unchanged

Dual consent: a new approach

• Integrated approach
• Access to a bank account by a third party is only acceptable if the account holder and the bank agree contractually on the conditions.

Discussion points

• How to stimulate innovation and security in the access to payment accounts?
• Is Dual Consent a good solution for access to payment accounts?
• Are there other elements to take care of in the further analysis of the approach?

Principles for Financial Market Infrastructures (FMI)

Co-production of:
• BIS Committee on Payment and Settlement Systems (CPSS)
• Technical Committee of the International Organization of Securities Commissions (IOSCO)

• The FMI Principles replace all older separate principles for Systemically Important Payment Systems, Securities Settlement Systems and Retail Payment Systems
• The final report was published in 2012

FMI Principles

General organisation
• Principle 1: Legal basis
• Principle 2: Governance
• Principle 3: Framework for the comprehensive management of risks

Business Continuity Management

What is Business Continuity?

• Business Continuity Management: a whole-of-business approach that includes policies, standards, and procedures, to ensure (critical) operations can be maintained, or restored in a timely fashion, in the event of a disruption.

• Its purpose is to minimise the financial, legal, reputational and other material consequences arising from disruption.

Source: BIS 2005

Financial Core Infrastructure (FCI)

• The FCI is:

• A list of financial institutions and financial market infrastructures that form the critical parts of the Dutch payment and securities infrastructure

• Compiled by DNB in collaboration with Ministry of Finance and Authority for Financial Markets (AFM)

Financial Core Infrastructure

Why:

• Effective operational crisis management

• Stricter requirements for crucial players concerning operational reliability

Financial Core Infrastructure

Criteria:
• Disruption of the institution leads to large financial losses for the economy or leads to serious social upheaval.
• The institution is directly regulated in the Netherlands.
• Cumulative 80% of the total transaction volume or value.

Financial Core Infrastructure

Requirements for FCI institutions:
• Comply with the DNB Business Continuity Assessment Framework.
• Participate in the sector crisis management organisation.
• Connect to the terrorism alert system.
• Contribute to critical infrastructure programs and projects.

Tripartite Crisis Management Organisation

• The goal of this organisational structure is to perform sector crisis management in case of a major operational disruption of payment and / or securities systems and infrastructures.

Tripartite Crisis Management Organisation

[Figure: the tripartite crisis management organisation and its link to (inter)national crisis management]

DNB BCP Assessment Framework (1)

• Drafted in cooperation with the financial institutions
• Commitment to use it on a high level
• Assessment Framework consists of
  • 9 ‘principles’
  • Guidance note Human Factor
  • Agreement between DNB and the financial sector for joint BCP initiatives
• In line with international principles such as BIS
• Used by supervisor and overseer to assess the institutions of the financial core infrastructure against these principles

DNB BCP Assessment Framework (2)

1. BCP should be approved by the EB/senior management

2. Risk analyses of critical systems and activities should be made

3. Explicit attention should be paid to the human factor

DNB BCP Assessment Framework (3)

4. Each institution should have a crisis organisation, including senior management

5. Single points of failure (SPOFs) should be identified

6. Critical processes and systems should be resumed as quickly as possible

DNB BCP Assessment Framework (4)

7. A back-up site/secondary site should be available

8. Alternate systems and contingency procedures should be regularly tested and exercised

9. Each institution should have a communication plan for all stakeholders

DNB Assessment framework

[Figure: four-step analysis: Why is the process unavailable? -> What is the cause? -> What controls / measures are available? -> What residual risks remain?]

• (Partial) unavailability of (and/or): people, IT systems, communications, buildings
• Causes: natural calamities (fire, storm, earthquake, flood etc.), technical failure (hardware / software malfunction, power cut etc.), organisational failure (human error, sickness etc.), wilful malice (sabotage, terrorism, cybercrime etc.)
• Measure / control categories: preventive, detective, corrective, response
• List of accepted residual risks

Guidance Note Human factor

• Assessment showed that institutions have problems with principle 3, paying explicit attention to the human factor

• DNB developed a ‘Guidance note human factor’ to assess the human factor aspect for critical systems and business processes, depending on the level of knowledge that is required (specific in the extreme, highly specific, specific, not very specific, not specific)

• Matrix with level of required knowledge and human factor strategy see www.dnb.nl – payments - BCP

Ways of ensuring staff continuity

1. Double staffing at another location
2. Planned scheduling of days off
3. Shift work
4. Use of staff from another location where a similar situation is operational
5. Use of staff from another location where a similar situation is not operational

Required level of knowledge of systems/business processes

(a) specific in the extreme
(b) highly specific
(c) specific
(d) not very specific
(e) not specific

[Matrix: required level of knowledge (a)-(e) against the five staff continuity strategies, colour-coded from red for "specific in the extreme" to green for "not very specific" and "not specific"]

Standard(izing) human (factor)s: skills

Standard(izing) human (factor)s: preparedness

Players/documents – Professional bodies

e.g.
• BCI (Business Continuity Institute)
  • Good Practice Guideline
• BCM Academy
  • BCM Pocketbook
• ENISA (European Network and Information Security Agency)
  • Business and IT continuity: overview and implementation principles
  • Inventory of business and IT continuity methods / tools

Players/documents – Standards bodies

• BSI (British Standards Institute)
  • BS 25777: Information and communication technology continuity management
  • BS 25999: Business continuity management
• ISO (International Organization for Standardization)
  • ISO / PAS 22399: Guidelines for incident preparedness and operational continuity management
  • ISO / IEC 27031: ICT readiness for business continuity
  • ISO / IEC 24762: Guidelines for information and communication technology disaster recovery services

Players – Regulators (supervisors / overseers)

• Global
  • BIS – BCBS / BIS – CPSS (Bank for International Settlements – Basel Committee on Banking Supervision / Committee on Payment and Settlement Systems)
  • FSB (Financial Stability Board)
  • IOSCO (International Organization of Securities Commissions)
  • IAIS (International Association of Insurance Supervisors)
  • Joint Forum (BCBS – IOSCO – IAIS)

Questions?