2023-07-31

FMI Standards: Legal Basis, Governance, Risk Management, Credit Risk, Collateral, and Margin

The Reserve Bank of New Zealand and the Financial Markets Authority jointly issued these standards to regulate designated financial market infrastructure operators under the Financial Market Infrastructures Act 2021. The regulations mandate that operators maintain legally enforceable rules, robust governance structures, and comprehensive risk management frameworks covering legal, credit, liquidity, and operational risks. Additionally, the standards require strict management of credit exposures through sufficient financial resources, conservative collateral haircuts, and rigorous stress testing for central counterparties.

New Zealand

Reserve Bank of New Zealand

FMI STANDARD 1: LEGAL BASIS FS1

Ref #20368232 v1.0

DOCUMENT VERSION HISTORY

1 March 2024: First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central securities depository; or (d) a central counterparty.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems).

iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(vi) provides that a standard may deal with, or otherwise relate to, the management of legal risk, while section 34(1)(a) provides that a standard may deal with, or otherwise relate to, the governance of operators of designated FMIs.

Interpretation

vi. Words and phrases used in this standard have the same meaning as in the Act.

vii. Essential services means: (a) for services provided by designated FMIs which are assessed as systemically important by the regulator under section 24 of the Act, all services contributing to the assessment that an FMI is systemically important; and (b) for services provided by designated FMIs that are not assessed as systemically important under section 24 of the Act, any services covered by the protections in subpart 5 of part 3 of the Act.

viii. Material aspects of an FMI’s activities means those activities that relate to the provision of essential services by the FMI.

ix. Relevant jurisdiction means any jurisdiction in which the FMI operates, and will always include New Zealand.

Commencement

x. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must ensure that the FMI has rules and contracts that are legally enforceable in respect of all material aspects of the FMI’s activities in all relevant jurisdictions.
  2. Further to the requirements in clause (1) an operator must ensure that: a) in operating the FMI, it: i) provides a high degree of certainty for each of the material aspects of the FMI’s activities in all relevant jurisdictions; and ii) is supported by a legal opinion that demonstrates the enforceability of the FMI’s rules and contracts across all relevant jurisdictions; and iii) this legal opinion should be reviewed and updated where required at least every two years or whenever there are material changes that may have an impact on the opinion; and b) it has rules and contracts in relation to the FMI that are clear, enforceable, and consistent with relevant laws and regulations in all relevant jurisdictions in which the FMI operates, including New Zealand; and c) it can demonstrate the enforceability of all material aspects of the FMI’s activities to the regulator, participants, and, where relevant, participants’ customers, in a clear and understandable way; and d) there is a high degree of certainty that actions taken by an operator under the rules will not be voided, reversed, or subject to stays; and e) where the FMI operates in multiple jurisdictions, an operator identifies and mitigates the risks arising from any potential conflict of laws across those jurisdictions. (See Guidance for Standard 1: ‘Legal Basis’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 2: GOVERNANCE FS2

DOCUMENT VERSION HISTORY

1 March 2024: First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central securities depository; or (d) a central counterparty.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems).

iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(a) provides that a standard may deal with, or otherwise relate to, the governance of operators or of designated FMIs.

Interpretation

vi. Words and phrases used in this standard have the same meaning as in the Act.

Commencement

vii. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must ensure that governance arrangements pertaining to the operation of the FMI: a) are clear and transparent; and b) promote the safety and efficiency of the FMI; and c) support the stability of the broader financial system and other relevant public interest considerations, and the objectives of relevant stakeholders.
  2. Further to the requirements in clause (1) an operator must also ensure that: a) there are documented objectives for the FMI that place a high priority on the safety and efficiency of the FMI, and that explicitly support financial stability and other relevant public interest considerations; and b) the FMI has documented governance arrangements that: i) provide clear and direct lines of responsibility and accountability; and ii) are disclosed in an appropriate manner to owners, the regulator, participants, and the public; and c) the roles and responsibilities of its board of directors are clearly specified, and there must be documented procedures for its functioning, including policies and procedures to identify, address, and manage member conflicts of interest; and d) the board of directors consistently reviews both the board’s overall performance and the performance of its individual directors in relation to the FMI; and e) the board of directors contains suitable members with the appropriate skills and incentives to fulfil its roles as operator of the FMI (including non-executive directors); and f) in relation to the FMI’s management, that: i) the roles and responsibilities of management are clearly set out and delineated from the roles of the board of directors, and documented; and ii) management has the appropriate experience, a mix of skills, and the integrity necessary to discharge its responsibilities for the operation and risk management of the FMI; and g) there is a clear, documented risk management framework for the FMI that includes the FMI’s risk tolerance policy, assigns responsibilities and accountability for risk decisions, and addresses decision making in crises and emergencies; and h) there are governance arrangements for the FMI that ensure the risk management and internal control functions have sufficient authority, independence, resources, and access to the board of directors; and i) its board of directors takes responsibility for ensuring that: i) the design, rules, overall strategy, and major decisions appropriately reflect the legitimate interests of the FMI’s direct and indirect participants, and other relevant stakeholders; and ii) major decisions are clearly disclosed in a reasonable timeframe after the decision is taken to relevant stakeholders and, where there is a broad market impact, the public. (See Guidance for Standard 2: ‘Governance’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 3: FRAMEWORK FOR THE COMPREHENSIVE MANAGEMENT OF RISKS FS3

DOCUMENT VERSION HISTORY

1 March 2024: First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central securities depository; or (d) a central counterparty.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems).

iii. Section 12 of the Act provides the regulator’s functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(i) to (ix) provides that a standard may deal with, or otherwise relate to, the management by operators of one or more of: (a) general business risk; or (b) operational risk; or (c) credit risk; or (d) liquidity risks; or (e) custody and investment risk; or (f) legal risk; or (g) cybersecurity risk; or (h) risks arising out of interconnections (direct or indirect) between a designated FMI and other designated FMIs; or (i) risks arising out of interconnections (direct or indirect) between a designated FMI and other designated FMIs and activities in the financial system that are not activities under designated FMIs.

Interpretation

vi. The words and phrases used in this standard have the same meaning as in the Act.

vii. Internal systems means mechanisms within an FMI or operator to implement policies, procedures, or controls.

Commencement

viii. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must have a sound risk management framework pertaining to the FMI that sets out how the operator comprehensively manages legal, credit, liquidity, operational, and other relevant and material risks.
  2. Further to clause (1) an operator must ensure that: a) it has, in relation to the FMI, risk management policies, procedures, and internal systems that enable the operator to identify, measure, monitor, and manage all risks that arise in, or are borne by, the FMI; and b) it reviews the risk management framework relating to the FMI on at least an annual basis, and whenever the risk to the FMI materially changes; and c) it provides incentives to FMI participants and, where relevant, their customers, to manage and contain the risks they pose to the FMI; and d) it reviews the material risks the FMI bears from and poses to other parties (such as other FMIs, settlement banks, liquidity providers, and service providers) as a result of interdependencies with other parties annually, or whenever the material risk changes, and develops appropriate risk management tools to address these risks. (See Standard 17A: ‘Contingency plans’ for further requirements and Guidance for Standard 3: ‘Framework for the comprehensive management of risks’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 4: CREDIT RISK FS4

Ref #20368294 v1.0

DOCUMENT VERSION HISTORY

1 March 2024: First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central counterparty.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems).

iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(iii) and (h) provides that a standard may deal with, or otherwise relate to, the management by operators of credit risk.

Interpretation

vi. The words and phrases used in this standard have the same meaning as in the Act.

vii. Complex central counterparty activities means central counterparty activities that have a more complex risk profile, including activities such as clearing financial instruments that are characterised by discrete jump-to-default price changes, or that are highly correlated with potential participant defaults.

viii. Simple central counterparty activities means central counterparty activities that are not complex central counterparty activities.

Commencement

ix. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must effectively measure, monitor, and manage the FMI’s credit exposures to participants, and those arising from the FMI’s payment, clearing, and settlement processes. The operator must maintain sufficient financial resources to cover the FMI’s credit exposure to each participant fully and with a high degree of confidence.
  2. An operator must ensure that: a) the FMI has a robust framework to manage its credit exposures to its participants, and the credit risks arising from its payment, clearing, and settlement processes. This includes credit exposures arising from both current exposures and potential future exposures; and b) in relation to the FMI, it identifies sources of credit risk, routinely measures and monitors credit exposures, and that it uses appropriate risk management tools to control these risks.

Rules and procedures addressing credit risk

  3. Further to the requirements in clauses (1) and (2) and in accordance with the requirement to have contingency plans in section 47 of the Act and Standard 17A ‘Contingency plans’, an operator (where it bears credit risk) must establish explicit rules, policies, and procedures that fully address any credit losses it may face as a result of any individual or combined default among participants, with respect to any of their obligations under the rules of the FMI. These rules, policies, and procedures must: a) address how potentially uncovered credit losses would be allocated, including the repayment of any funds that an operator or FMI may borrow from liquidity providers; and b) indicate the process to replenish any financial resources that it may employ during a stress event, so that the FMI can continue to operate in a safe and sound manner.

Payment systems and securities settlement system

  4. Further to the requirements in clauses (1) and (2), either an operator of a pure payment system or an operator of a securities settlement system must ensure that: a) it covers current and, where they exist, potential future exposures to each participant fully with a high degree of confidence using collateral and other equivalent financial resources (see Standard 5: ‘Collateral’); and b) the FMI maintains sufficient resources to cover the exposures of the two participants and their affiliates, who create the largest aggregate credit exposure in the system.
  5. Clause (4) applies in a situation where the FMI operates with deferred net settlement in which there is no settlement guarantee, but where the FMI participants face credit exposures arising from its payment, clearing, and settlement processes.

Central counterparties

  6. Further to the requirements in clauses (1) and (2), an operator of a central counterparty must ensure that: a) it covers current and potential future exposures to each participant fully with a high degree of confidence using margin and other prefunded financial resources (see Standard 5: ‘Collateral’ and Standard 6: ‘Margin’); and b) it maintains additional financial resources to cover a wide range of potential stress scenarios that must include, but are not limited to: i) where the operator is an operator of an FMI engaging in simple central counterparty activities, or the FMI is not systemically important in multiple jurisdictions (including in New Zealand), the default of the participant and its affiliates that would potentially cause the largest aggregate credit exposure in extreme but plausible market conditions; and ii) where the operator is an operator of an FMI engaging in complex central counterparty activities, or the FMI is systemically important in multiple jurisdictions (including in New Zealand), the default of the two participants and their affiliates that would potentially cause the largest aggregate credit exposure in extreme but plausible market conditions; and c) it determines the amount, and tests on a monthly basis, the sufficiency of the FMI’s total financial resources available in the event of a default, or multiple defaults, in extreme but plausible market conditions through rigorous stress testing; and
  7. Further to the requirements in clauses (1) and (2), an operator of a central counterparty must ensure that the results of all its stress tests are reported to the board of directors or senior managers of the operator or FMI and to use these results to evaluate the adequacy of, and adjust, the FMI’s total financial resources. In addition, the operator must: a) on a daily basis, perform stress tests using standard and predetermined parameters and assumptions; and b) on a monthly basis, perform a comprehensive and thorough analysis of stress testing scenarios, models, and underlying parameters and assumptions used to ensure that they are appropriate for determining the FMI’s required level of default protection in light of current and evolving market conditions; and c) on an annual basis, perform a full validation of a central counterparty’s FMI’s risk management model; and d) in conducting stress testing, consider the effect of a wide range of relevant stress scenarios in terms of both defaulters’ positions and possible price changes in liquidation periods. Scenarios must include: i) relevant peak historic price volatilities; and ii) shifts in other market factors such as price determinants and yield curves; and iii) multiple defaults over various time horizons, simultaneous pressures in funding and asset markets; and iv) a spectrum of forward-looking stress scenarios in a variety of extreme but plausible market conditions.
  8. The analysis of stress testing in clause 7(b) should be done more frequently when the products cleared or markets served display high volatility, become less liquid, or when the size or concentration of positions held by an FMI’s participants significantly increases. (See Guidance for Standard 4: ‘Credit Risk’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 5: COLLATERAL FS5

DOCUMENT VERSION HISTORY

1 March 2024: First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central counterparty.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in respect of pure payment systems).

iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(iii) provides that a standard may deal with, or otherwise relate to, the management by operators of credit risk. The use of collateral is one way to manage credit risk.

Interpretation

vi. Words and phrases used in this standard have the same meaning as in the Act.

vii. Internal systems means mechanisms within an FMI or operator to implement policies, procedures, or controls.

viii. Haircut is defined as a risk control measure applied to underlying assets where the value of those underlying assets is calculated as the market value of the assets reduced by a certain percentage.

Commencement

ix. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator that requires collateral for the purposes of operating the FMI, to manage the FMI’s or its participants’ credit exposure, must ensure it only accepts collateral with low credit, liquidity, and market risks. An operator must also set, and enforce appropriately, conservative haircuts and concentration limits.
  2. Further to the requirements in clause (1) an operator must ensure that: a) it establishes prudent valuation practices and develops haircuts that are tested at least annually, and that take into account stressed market conditions; and b) stable and conservative haircuts for collateral are established, and that these haircuts are calibrated to include periods of stressed market conditions, to the extent practicable and prudent, to reduce the need for procyclical adjustments; and c) it avoids concentrated holdings of any assets where this would significantly impair its ability to liquidate such assets quickly without significant adverse price effects; and d) where an operator accepts cross-border collateral for the FMI, it mitigates the risks associated with the use of that collateral, and ensures the collateral can be used in a timely manner; and e) it uses an internal system that is well-designed and operationally flexible for managing collateral. (See Guidance for Standard 5: ‘Collateral’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 6: MARGIN FS6

DOCUMENT VERSION HISTORY

1 March 2024: First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that has been specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within the central counterparty class of designated FMI.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly.

iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(iii) provides that a standard may deal with, or otherwise relate to, the management by operators of credit risk. Margin can be used as a way of managing credit risk.

Interpretation

vi. Words and phrases used in this standard have the same meaning as in the Act.

vii. Close out means terminating or liquidating a contract, or net position under multiple contracts (including through the acceleration or termination of obligations under one or more contracts, or exercising rights to set-off or net financial exposures created under one or more contracts).

viii. Margin means collateral that is collected to protect against current or potential future exposures resulting from market price changes or in the event of a counterparty default.

ix. Margin model means an economic model used for calculating the amount of margin needed.

x. Margin system means a system for managing transferring and holding margin, and includes the margin model.

Commencement

xi. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator of a central counterparty must cover credit exposures to the central counterparty’s participants for all products through an effective margin system that is risk-based and regularly reviewed.

Margin system

  2. Further to the requirements in clause (1), an operator must have: a) a margin system for the central counterparty that establishes margin levels commensurate with the risks and particular attributes of each product, portfolio, and market that it serves; and b) a reliable source of timely price data for the central counterparty’s margin system. An operator must also have policies and sound valuation models for the central counterparty that address circumstances in which pricing data are not readily available or reliable.

Initial Margin

  3. Further to the requirements in clause (1), an operator must: a) adopt initial margin models and parameters for the central counterparty that are risk-based and generate margin requirements sufficient to cover the operator’s potential future exposure to participants in the interval between the last margin collection and the close out of positions following a participant default; and b) subject to clause (4), ensure that initial margin meets an established single-tailed confidence level of at least 99 percent with respect to the estimated distribution of future exposure; and c) ensure that the initial margin models: i) use a conservative estimate of the time horizons for the effective hedging or close out of the particular types of products cleared by the central counterparty (including in stressed market conditions); and ii) have an appropriate method for measuring credit exposure that accounts for relevant product risk factors and portfolio effects across products; and iii) to the extent practicable and prudent, limit the need for destabilising and procyclical changes.
  4. In respect of the requirement in clause 3(b) the operator must ensure: a) if margin is calculated at the portfolio level, the requirement is applied to each portfolio’s distribution of future exposure; or b) if margin is calculated at more granular levels, such as at the subportfolio level or by product, the requirement is applied to the corresponding distributions of future exposure.

Variation margin

  5. Further to the requirements in clause (1) an operator must mark participant positions to market, and collect variation margin at least daily to limit the build-up of current exposures.

Margin call ability

  6. Further to the requirements in clause (1), an operator must ensure that the central counterparty has the authority and operational capacity to make intraday margin calls and payments, both scheduled and unscheduled, to participants.

Margin calculation

  7. Further to the requirements in clause (1), an operator must: a) only allow offsets or reductions in required margin across cleared products (including products cleared by the central counterparty or the central counterparty and a linked FMI) where the risk of one product is significantly correlated with the risk of the other product; and b) if a central counterparty offers cross-margining, ensure the central counterparty has appropriate safeguards and harmonised overall risk management systems.

Review of the margin model and system

  8. Further to the requirements in clause (1), an operator must: a) on a daily basis, conduct rigorous back testing of the central counterparty margin model performance and overall margin coverage; and b) on at least a monthly basis, conduct sensitivity analysis of the central counterparty margin model; and c) on at least an annual basis, conduct an assessment of the theoretical and empirical properties of the margin model for all products that the central counterparty clears; and d) in conducting sensitivity analysis of the model’s coverage, take into account a wide range of parameters and assumptions that reflect possible market conditions, including the most volatile periods that have been experienced by the markets it serves, and extreme changes in the correlations between prices; and e) review the central counterparty’s margin system annually. (See Guidance for Standard 6: ‘Margin’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 7: LIQUIDITY RISK FS7

DOCUMENT VERSION HISTORY

1 March 2024: First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) securities settlement system; or (c) a central counterparty.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems).

iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(iv) provides that a standard may deal with, or otherwise relate to, the management by operators of liquidity risk.

Interpretation

vi. Words and phrases used in this standard have the same meaning as in the Act.

vii. Complex central counterparty activities means central counterparty activities that have a more complex risk profile, including activities such as clearing financial instruments that are characterised by discrete jump-to-default price changes, or that are highly correlated with potential participant defaults.

viii. A deferred net settlement mechanism means a settlement mechanism which settles on a net basis at the end of a predefined settlement cycle.

ix. Margin means collateral that is collected to protect against current or potential future exposures resulting from market price changes or in the event of a counterparty default.

x. Nostro agent means a bank or other financial institution in a jurisdiction other than the one the FMI operates in holding an account on behalf of an operator that is denominated in the currency of that other jurisdiction and used for the purposes of settlement.

xi. Simple central counterparty activities means central counterparty activities that are not complex central counterparty activities.

Commencement

xii. This standard comes into force on [1 March 2024].

REQUIREMENTS

  1. An operator must measure, monitor, and manage the FMI’s liquidity risk. An operator must ensure there are sufficient liquid resources available in all relevant currencies to effect same day and, where appropriate, intraday and multiday settlement of payment obligations with a high degree of confidence under a wide range of potential stress scenarios.
  2. An operator’s qualifying liquid resources for the purposes of clause (1) include the following liquid resources: a) cash at the central bank of issue and at creditworthy commercial banks; and b) committed lines of credit; and c) committed foreign exchange swaps; and d) repos; and e) highly marketable collateral held in custody and investments that are readily available and convertible into cash with prearranged and highly reliable funding arrangements, even in extreme but reasonably foreseeable market conditions; and f) access to routine credit at a central bank of issue to the extent that the relevant FMI has collateral that is eligible for pledging to (or for conducting other appropriate forms of transactions with) the central bank.
  3. Further to requirements in clause (1), an operator must: a) not assume the availability of emergency central bank credit as a part of the FMI’s liquidity plan; and b) have a robust framework to manage liquidity risks for the FMI from its participants, settlement banks, nostro agents, custodian, liquidity providers, and other entities; and c) have effective operational and analytical tools to identify, measure, and monitor the FMI’s settlement and funding flows on an ongoing and timely basis, including its use of intraday liquidity.

Liquidity providers

  4. Further to the requirements in clauses (1) and (3), an operator must obtain a high degree of confidence, through rigorous due diligence, that each provider of the FMI’s minimum required qualifying liquid resources, whether a participant of the FMI or an external party, has sufficient information to understand and to manage the provider’s associated liquidity risks, and that the provider has the capacity to perform its commitment as required. If relevant to assessing a provider’s performance reliability with respect to a particular currency, a provider’s potential access to credit from the central bank of issue may be taken into account.
  5. An operator must annually test the procedures for accessing liquid resources from the provider.

Stress testing

  6. Further to the requirements in clause (1), an operator must determine the amount of, and annually test the sufficiency of, the FMI’s liquid resources through rigorous stress testing. This includes that: a) an operator must have clear policies and procedures in place for it to report the results of its stress tests to the board of directors, and to use these results to evaluate the adequacy of, and then adjust, its liquidity risk management framework. b) in conducting stress testing, an operator must consider a wide range of relevant scenarios, including: i) relevant peak historic price volatilities; and ii) shifts in other market factors such as price determinants and yield curves; and iii) multiple defaults over various time horizons; and iv) simultaneous pressures in funding and asset markets; and v) a spectrum of forward-looking stress scenarios in a variety of extreme but reasonably foreseeable market conditions; and c) scenarios must also take into account the design and operation of the FMI, including all entities that might pose material liquidity risks to the FMI, and where reasonable, cover a multiday period; and d) an operator must appropriately document its supporting rationale for, and have appropriate governance arrangements relating to, the amount and form of total liquid resources that the FMI maintains.

Procedures for settlement following participant default

  7. Further to the requirements in clause (1), an operator must establish explicit rules and have clear policies and procedures that enable the FMI to effect same-day and, where reasonable, intraday and multiday settlement of payment obligations on time, following any individual or combined default among its participants. These rules and procedures must: a) address unforeseen and potentially uncovered liquidity shortfalls and must aim to avoid unwinding, revoking, or delaying the same-day settlement of payment obligations; and b) indicate the process to replenish any liquidity resources an operator may employ during a stress event, so that the FMI can continue to operate in a safe manner.

Pure payment systems and securities settlement systems

  8. An operator of a pure payment system or securities settlement system, including one employing a deferred net settlement mechanism, must maintain sufficient liquid resources for the FMI in all relevant currencies to effect same-day settlement, and where appropriate intraday or multiday settlement, of payment obligations with a high degree of confidence under a wide range of potential stress scenarios.
  9. The scenarios in clause (8) must include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate payment obligation in extreme but reasonably foreseeable market conditions.

Central counterparties

  10. Further to the requirements in clause (1), an operator of a central counterparty must maintain sufficient liquid resources in all relevant currencies for the central counterparty to: a) settle securities-related payments; and b) make required variation margin payments as per Standard 6; and c) meet other payment obligations on time with a high degree of confidence under a wide range of potential stress scenarios that must include, but not be limited to: i) where the operator is an operator of an FMI engaging in simple central counterparty activities, and the FMI is not systemically important in multiple jurisdictions (including New Zealand), the default of the largest participant and its affiliates that would generate the largest aggregate payment obligation to the FMI in extreme, but reasonably foreseeable, market conditions; or ii) where the operator is an operator of an FMI engaging in complex central counterparty activities, or where the FMI is systemically important in multiple jurisdictions (including New Zealand), the default of the two largest participants and their affiliates that would generate the largest aggregate payment obligation to the FMI in extreme, but reasonably foreseeable, market conditions.

(See Guidance for Standard 7: ‘Liquidity’, in Guidance for the FMI Standards for more detail).

Ref #20368300 v1.0 FMI STANDARD 8: SETTLEMENT FINALITY FS8

DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(vi) provides that the regulator may make standards that deal with or relate to a variety of specific risks, including legal risk. Ensuring settlement finality is one way of managing legal risk. Section 34(1)(h) also allows the regulator to make standards dealing with, or otherwise relating to, rules and procedures for managing a participant defaulting on its obligations under the rules of the FMI. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. vii. Value date means the day on which the payment, transfer instruction, or other obligation is due. viii. High value payment system means a funds transfer system that typically handles large-value and high-priority payments. Commencement ix. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must ensure that the FMI provides clear and certain final settlement, at a minimum by the end of the value date.
  2. Further to clause (1), an operator must ensure that: a) the rules and procedures for the FMI clearly define the point at which settlement is final; and b) the FMI (unless it is a high value payment system or securities settlement system) completes final settlement no later than the end of the value date to reduce settlement risk; and c) where it is the operator of an FMI that is a high value payment system or securities settlement system, it adopts real time gross settlement or multiple-batch processing during the settlement day; and d) it clearly defines the point after which unsettled payments, transfer instructions, or other obligations may not be revoked by a participant. (See Guidance for Standard 8: ‘Settlement Finality’, in Guidance for the FMI Standards for more detail).

Ref #20368301 v1.0 FMI STANDARD 9: MONEY SETTLEMENTS FS9

DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(iii) and (iv) provides that the regulator may make standards that deal with, or otherwise relate to, credit and liquidity risks. Conducting money settlements in central bank currency is one way of managing credit and liquidity risks. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. vii. Central bank money means a liability of a central bank, in the form of deposits held at the central bank, which can be used for settlement purposes. viii. Commercial bank money means a liability of a commercial bank, in the form of deposits held at the commercial bank, which can be used for settlement purposes. Commencement ix. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must conduct the FMI’s money settlements in central bank money where reasonable and available, to avoid credit and liquidity risks. If central bank money is not available, or cannot be reasonably used, the operator must minimise and strictly control the credit and liquidity risk arising from the use of commercial bank money.
  2. Further to the requirements in clause (1) an operator must: a) if central bank money is not used, ensure that the FMI conducts money settlements using a settlement asset with little or no credit or liquidity risk; and b) if an FMI settles in commercial bank money, it must monitor, manage, and limit the credit and liquidity risks for the FMI arising from the commercial settlement banks; and c) establish and monitor adherence to strict criteria for commercial settlement banks that take account of, among other things, their regulation and supervision, creditworthiness, capitalisation, access to liquidity, and operational reliability; and d) monitor and manage the concentration of credit and liquidity exposures to the FMI’s commercial settlement banks; and e) if an FMI conducts money settlements on the operator’s or FMI’s books, minimise and control credit and liquidity risks in the FMI; and f) ensure that contracts with settlement banks clearly state when transfers on the books of individual settlement banks are expected to occur, that transfers are final when effected, and that funds received are transferable as soon as possible, to enable the operator and the participants to manage credit and liquidity risks. (See Guidance for Standard 9: ‘Money Settlements’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 10: PHYSICAL DELIVERIES FS10

Ref #20368233 v1.0 DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a securities settlement system; or (b) a central securities depository; or (c) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly. iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(i), (ii) and (v) provides that the regulator may make standards that deal with, or otherwise relate to, general business risk, operational risk and custody risk. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. Commencement vii. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must clearly state its, and the FMI’s, obligations under the FMI’s rules, policies, and procedures with respect to the delivery of physical instruments or commodities for settlement.
  2. An operator must identify, monitor, and manage the risks associated with the delivery of physical instruments or commodities for settlement. (See Guidance for Standard 10: ‘Physical Deliveries’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 11: CENTRAL SECURITIES DEPOSITORIES FS11

Ref #20368234 v2.0 DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within the central securities depository class of designated FMI. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly. iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(i), (ii), and (v) provides that the regulator may make standards that deal with, or otherwise relate to, general business risk, operational risk and custody risk. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. vii. Custody risk means the risk of loss of assets held in custody in the event of an operator's insolvency, negligence, fraud, poor administration or inadequate recordkeeping. viii. Internal systems means mechanisms within an FMI or operator to implement policies, procedures, or controls. Commencement ix. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator of a central securities depository must have appropriate rules, policies, and procedures in place to help ensure the integrity of the issue of securities, and minimise and manage the risks associated with the safekeeping and transfer of securities.
  2. Further to the requirements in clause (1) an operator must have appropriate rules, policies, procedures, and internal systems in place, including robust accounting practices for the central securities depository to safeguard the rights of securities issuers and holders, including by ensuring that it: a) prevents the unauthorised creation or deletion of securities, and conducts periodic reconciliation of securities issued by participants and held by the central securities depository, at least once a day; and b) prohibits overdrafts and debit balances in securities accounts with the central securities depository; and c) maintains securities in an immobilised or dematerialised form for their transfer by book entry; and d) protects assets against custody risk through appropriate rules, policies, and procedures; and e) employs a robust internal system for the central securities depository that ensures: i) segregation between the central securities depository’s own assets and the securities of its participants; and ii) segregation among the securities of participants.
  3. An operator must also ensure that it operationally supports the segregation of securities belonging to a participant’s customers on the participant’s books, and facilitates the transfer of customer holdings.
  4. An operator must identify and manage the risks from other activities that the central securities depository may perform. (See Guidance for Standard 11: ‘Central Securities Depositories’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 12: EXCHANGE OF VALUE SETTLEMENT SYSTEMS FS12

DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that provides exchange of value settlement services and was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(vi) provides that a standard may deal with, or otherwise relate to, the management of legal risk. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. vii. Exchange of value settlement system means a system that settles transactions that involve the settlement of two linked obligations (for example, securities or foreign exchange transactions). viii. Principal risk means the risk arising where one of two linked obligations is settled but the other obligation is not. Commencement ix. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator settling transactions involving the settlement of two linked obligations must ensure that it eliminates principal risk for the FMI by making the final settlement of one obligation contingent upon the final settlement of the other obligation.
  2. Clause (1) applies regardless of whether the FMI settles on a gross or net basis and regardless of when finality occurs. (See Guidance for Standard 12: ‘Exchange of Value Settlement Systems’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 13: PARTICIPANT-DEFAULT RULES AND PROCEDURES FS13

DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a central securities depository; or (c) a securities settlement system; or (d) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(h) provides that a standard may deal with, or otherwise relate to, rules and procedures for managing a participant defaulting on its obligations under the rules of the FMI. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. vii. Close out rights means contractual rights that enable a party to terminate or liquidate a contract, or net position under multiple contracts (including through the acceleration or termination of obligations under one or more contracts, or exercising rights to set-off or net financial exposures created under one or more contracts). viii. Close out rules means any rules of the FMI designed to facilitate the exercise of close out rights. Commencement ix. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must have effective and clearly defined rules, policies and procedures to manage a participant default. The rules, policies, and procedures must ensure that the operator can take timely action which will enable the FMI to continue to meet its obligations when facing potential losses and liquidity pressures.
  2. Further to the requirements in clause (1) an operator must have default rules, policies, and procedures for the FMI that: a) enable the FMI to continue to meet the FMI and/or operator’s obligations in the event of a participant default; and b) address the replenishment of resources following a default where the FMI is exposed to credit or liquidity risk; and c) be prepared to implement the FMI’s rules, policies, and procedures for default, including any appropriate discretionary procedures provided for in the FMI rules; and d) publicly disclose key aspects of the FMI’s rules, policies, and procedures for default; and e) include participants and other stakeholders in the testing and review of the FMI’s default rules, policies, and procedures, including any rules, policies, and procedures relating to close-out rights; and f) conduct the testing and review referred to in clause (2)(e), following material changes to the rules, policies, and procedures and on an annual basis ensure that the rules, policies, and procedures for participant default are practical and effective. (See Standard 17A: ‘Contingency plans’ for further requirements and see Guidance for Standard 13: ‘Participant-Default Rules and Procedures’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 14: SEGREGATION AND PORTABILITY FS14

Ref #20368275 v1.0 DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within the central counterparty class of designated FMI. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly. iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(v) provides that a standard may deal with, or otherwise relate to, the management of custody and investment risk. Segregating and porting participant assets is one way of managing custody and investment risk. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. vii. Segregation means the protection of customer collateral and contractual positions by holding or accounting for them separately from those of the direct participant. viii. Portability means the ability to transfer contractual positions, funds, or securities from one party to another party. ix. Internal systems means mechanisms within an FMI or operator to implement policies, procedures, or controls. Commencement x. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must have rules and procedures for the FMI that enable the segregation and portability of positions of a participant’s customers, and the collateral provided to the FMI with respect to those positions.
  2. Further to the requirements in clause (1), an operator must: a) have segregation and portability arrangements for the FMI to effectively protect the positions of an FMI’s participant’s customers and related collateral from the default or insolvency of that participant; and b) if the FMI offers protection of customer positions and collateral against the concurrent default of the participant and a fellow customer, take steps to ensure that such protection is effective; and c) ensure that there is an account structure that enables the operator to readily identify positions of a participant’s customers and to segregate related collateral. The operator must maintain participant customer positions and collateral in individual customer accounts or in omnibus customer accounts; and d) structure the FMI’s portability arrangements in a way that ensures there is a high probability that the positions and collateral of a defaulting participant’s customers will be transferred to one or more other participants; and e) disclose publicly the FMI’s rules, policies, procedures, and internal systems relating to the segregation and portability of positions of participant’s customers and related collateral; and f) disclose whether participant customer collateral is protected on an individual or omnibus basis; and g) disclose any constraints, such as legal or operational constraints, that may impair its ability to segregate or port a participant’s customers’ positions and related collateral. (See Guidance for Standard 14: ‘Segregation and Portability’, in Guidance for the FMI Standards for more detail).

Ref #20368276 v1.0 FMI STANDARD 15: GENERAL BUSINESS RISK Document FS15

DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a central securities depository; or (c) a securities settlement system; or (d) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(i) provides that a standard may deal with, or otherwise relate to, the management by operators of general business risk. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. vii. Essential services means: (a) for services provided by designated FMIs which are assessed as systemically important by the regulator under section 24 of the Act, all services contributing to the assessment that an FMI is systemically important; and (b) for services provided by designated FMIs that are not assessed as systemically important under section 24 of the Act, any services covered by the protections in subpart 5 of part 3 of the Act. Commencement viii. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must identify, monitor, and manage general business risk, including losses from poor execution of business strategy, negative cash flows, or unexpected and excessively large operating expenses.
  2. An operator must hold sufficient liquid net assets funded by equity, such as common stock, disclosed reserves, and/or retained earnings, to cover potential general business losses so that the FMI can continue operations and essential services if those losses materialise.
  3. An operator (except where it is a central bank) must ensure that liquid net assets funded by equity are at all times sufficient to ensure a recovery or orderly wind-down of the FMI’s operations and essential services. For the purposes of this clause an operator may include equity held under international risk-based capital standards, where relevant and appropriate.
  4. An operator must ensure that it maintains a viable recovery or orderly wind-down plan for the FMI (see Standard 17A: ‘Contingency plans’), and ensure (except where the operator is a central bank) that it holds sufficient liquid net assets funded by equity to implement this plan.
  5. An operator (except where it is a central bank) must hold liquid net assets funded by equity equal to at least six months of current operating expenses (see also requirement in Standard 17A: ‘Contingency plans’). These assets must be held in addition to resources held to cover participant defaults or other risks covered under Standard 4: ‘Credit Risk’ and Standard 7: ‘Liquidity Risk’.
  6. An operator must ensure that: a) assets held to cover general business risk are of high quality and sufficiently liquid so that the operator can meet the FMI’s current and projected operating expenses under a range of scenarios, including in adverse market conditions; and b) it maintains a viable plan for raising additional equity should the operator’s equity fall close to, or below, the amount needed, except where the operator is a central bank.
  7. In relation to the plan referred to in clause (6)(b) an operator must: a) review the plan annually; and b) ensure that the outcome of the review is approved by the operator’s board of directors. (See Guidance for Standard 15: ‘General Business Risk’, in Guidance for the FMI Standards for more detail).

Ref #20368277 v1.0 FMI STANDARD 16: CUSTODY AND INVESTMENT RISKS FS16

DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following categories of designated FMIs: (a) a pure payment system; or (b) a central securities depository; or (c) a securities settlement system; or (d) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(v) provides that a standard may deal with, or otherwise relate to, the management by operators of custody and investment risk. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. vii. Custodian means an entity that safe keeps and administers securities or other assets for its customers, such as a licensed deposit taker or regulated trustee company. viii. Internal systems means mechanisms within an FMI or operator to implement policies, procedures or controls. Commencement ix. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must safeguard assets held for FMI operations, including participant assets held for this purpose, and minimise the risk of loss on, and delay in access to, these assets. These assets must be invested in instruments with minimal credit, market, and liquidity risks.
  2. Further to the requirements in clause (1), an operator must: a) ensure that assets described in clause (1) are held by custodians with robust accounting practices, safekeeping procedures, and internal systems that fully protect these assets, and who comply with all legal and regulatory obligations; and b) have prompt access to the assets described in clause (1); and c) evaluate its exposures to its custodians, considering the full scope of its relationships with each custodian; and d) have an investment strategy which is consistent with its overall risk management strategy and fully disclosed to the FMI’s participants.
  3. For the purposes of clause 2(d), the investments must be secured by, or be claims on, high-quality debtors. These investments must allow for quick liquidation with minimal adverse price effect. (See Guidance for Standard 16: ‘Custody and Investment Risks’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 17: OPERATIONAL RISK FS17

Ref #20368278 v1.0 DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central securities depository; or (d) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Sections 34(1)(e)(i) and (ii) provide that a standard may deal with, or otherwise relate to, the management by operators of operational risk. Interpretation vi. The words and phrases used in this standard have the same meaning as in the Act. vii. Applicable auditing and assurance standards has the same meaning as in section 5(1) of the Financial Reporting Act 2013. viii. Essential services means: (a) for services provided by designated FMIs which are assessed as systemically important by the regulator under section 24 of the Act, all services contributing to the assessment that an FMI is systemically important; and (b) for services provided by designated FMIs that are not assessed as systemically important under section 24 of the Act, any services covered by the protections in subpart 5 of part 3 of the Act.

ix. Internal systems means mechanisms within an FMI or operator to implement policies, procedures, or controls. x. Material incident means an event that: (a) causes: A. a slowdown in the operation of the FMI; or B. a restriction or partial availability of the FMI; or C. a security threat to the system; or D. an increase in the risk of an outage, slowdown, restriction, or security threat; or E. a potential or actual adverse impact on the future operation of the system; and (b) has a substantive adverse impact on the FMI's participants (or, for an overseas-equivalent FMI, the FMI’s New Zealand participants) or the New Zealand financial system. xi. Material outage means an outage that has a substantive adverse impact on the FMI's participants or the financial system. xii. Outage means an event that causes the system to be unavailable for use by any or all participants (or for an overseas-equivalent FMI, the FMI’s New Zealand participants), regardless of: (a) the cause; and (b) the length of time of the outage. xiii. Qualified auditor means any of the following: (a) a licensed auditor as defined in section 6(1) of the Auditor Regulation Act 2011; or (b) a registered audit firm as defined in section 6(1) of the Auditor Regulation Act 2011; or (c) the Auditor-General as defined in section 4 of the Public Audit Act 2001. Commencement xiv. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must: a) identify the reasonably foreseeable sources of operational risk for the FMI, both internal and external; and b) mitigate their impact through the use of appropriate policies, procedures, and internal systems on an ongoing basis.
  2. An operator must ensure that the FMI’s internal systems are designed to ensure a high degree of security and operational reliability, and must have adequate capacity to continue to provide essential services.
  3. Further to the requirements in clauses (1) and (2), an operator must: a) implement and maintain a robust operational risk management framework for the FMI, with appropriate policies, procedures, and internal systems to identify and manage operational risks; and b) ensure that the operational risk management framework, as well as compliance with such framework, is assessed by way of an external assurance engagement, undertaken in accordance with applicable auditing and assurance standards, by a qualified auditor– i) at least every two years; and ii) subject to clause (4), whenever a material incident or material outage occurs; and c) provide any report from an external assurance engagement to the regulator at the regulator’s request; and d) ensure the board of directors of the operator clearly defines the roles and responsibilities for addressing the FMI’s operational risk, and endorses the FMI’s operational risk management framework; and e) ensure that policies, procedures, and internal systems are reviewed and tested annually and after substantive changes to those policies, procedures or internal systems; and f) have clearly defined operational reliability objectives for the FMI, policies, and procedures in place that are designed to achieve those objectives; and g) ensure that the FMI has capacity adequate to handle increasing stress volumes and to achieve its service-level objectives; and h) have comprehensive physical and information security policies for the FMI that address all potential vulnerabilities and threats; and i) identify and manage the risks that key participants, other FMIs, and service and utility providers might pose to the FMI’s operations. In addition, an operator must identify and manage the risks the operations of the FMI might pose to other FMIs.
  4. Clause (3)(b)(ii) does not apply if, in the opinion of the operator, it is not reasonably practicable to seek an external assessment following the material incident or material outage.
  5. If clause (4) applies, the operator must provide reasons for its opinion to the regulator as soon as possible following a material incident or outage.

(See Guidance for Standard 17: ‘Operational Risk’, in Guidance for the FMI Standards for more detail, also see Standard 17A ‘Contingency plans’, Standard 17B ‘Critical service providers’ and Standard 17C ‘Cyber risk management’ for further requirements).

FMI STANDARD 17A: CONTINGENCY PLANS 17A

DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central securities depository; or (d) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(f) provides that a standard may deal with, or otherwise relate to, FMI contingency plans. vi. Section 47 of the Act requires each operator of a designated FMI to ensure that the designated FMI has FMI contingency plans that are: (a) comprehensive, adequate, and credible, taking into account the type of FMI concerned and the activities carried out under it; and (b) capable of being activated and implemented effectively when appropriate. vii. Sections 48 to 51 of the Act govern the operator’s obligations in relation to an FMI contingency plan and the regulator’s powers in relation to FMI contingency plans. Interpretation viii. The words and phrases used in this standard have the same meaning as in the Act. ix. Essential services means: (a) for services provided by designated FMIs which are assessed as systemically important by the regulator under section 24 of the Act, all services contributing to the assessment that an FMI is systemically important; and (b) for services provided by designated FMIs that are not assessed as systemically important under section 24 of the Act, any services covered by the protections in subpart 5 of Part 3 of the Act. Commencement x. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must ensure that the FMI contingency plans for the designated FMI: a) identify the FMI’s essential services; and b) identify scenarios that pose a significant risk of disrupting the FMI’s activities, including events that could cause widespread or major disruption; and c) identify scenarios that have a significant risk of placing the operator under financial stress and could affect the ability of the FMI to continue to provide essential services; and d) set out the interaction between the FMI contingency plans and the FMI’s rules; and e) set out what constitutes an acceptable degree of recovery following a scenario described above in (b) and within what timeframes, and if recovery within 2 hours is not possible, the reasons why; and f) set out how the FMI, following a scenario described in (b), will complete settlement by the end of day; and g) set out policies and procedures, including management procedures, designed to respond to identified operational and financial risk events; and h) include a set of financial recovery tools that are reliable, timely, effective, legally robust, and enforceable, taking into account the nature of the FMI’s operations; and i) include procedures to allow for a change to the operator of the relevant FMI (except where the operator is a central bank); and j) set out how an FMI would be wound down in an orderly manner if essential services cannot be provided on an ongoing basis and an alternative operator is not available (except where the operator is a central bank); and k) set out arrangements for testing and reviewing of the contingency plans on at least an annual basis; and l) set out the persons responsible for maintaining, activating, and implementing the plans; and m) set out the procedure for activating the FMI contingency plans. (See Guidance for Standard 17A: ‘Contingency Plans’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 17B: CRITICAL SERVICE PROVIDERS 17B

Ref #20368280 v1.0 DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a central securities depository; or (c) a securities settlement system; or (d) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act allows the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(b) provides that the regulator may make standards that deal with, or otherwise relate to, the relationship between operators and persons who provide services to those operators for the purposes of designated FMIs. Interpretation vi. The words and phrases used in this standard have the same meaning as in the Act. vii. Critical service provider means a person or entity that provides critical services to the operator of an FMI. viii. Critical services means services that are necessary for an FMI to provide essential services without material disruption. ix. Essential services means: (a) for services provided by designated FMIs which are assessed as systemically important by the regulator under section 24 of the Act, all services contributing to the assessment that an FMI is systemically important; and (b) for services provided by designated FMIs that are not assessed as systemically important under section 24 of the Act, any services covered by the protections in subpart 5 of Part 3 of the Act.

Commencement x. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must take all reasonable steps to ensure the continued provision of critical services by managing the relationship with its critical service providers.
  2. Further to the requirements in clause (1), an operator must take reasonable steps to ensure that an FMI’s critical service provider: a) identifies and manages relevant operational and financial risks to the provider’s ability to provide critical services to the FMI. This includes ensuring that: i) the provider implements and maintains appropriate policies and procedures for the continued provision of critical services; and ii) the provider has effective risk management processes; and iii) the provider’s critical services are available, reliable, and resilient; and iv) the provider has robust business continuity management plans and disaster recovery plans to support the timely resumption of its critical services in the event of an outage, so that the provider fulfils the terms of its agreement with the operator or FMI, as appropriate; and b) devotes sufficient resources to ensuring the confidentiality and integrity of information relating to the operator and the FMI; and c) has in place robust methods to plan for the entire lifecycle of the use of its technologies and the selection of technological standards; and d) provides the operator with sufficient information to enable the operator to clearly understand the provider’s roles and responsibilities in managing risks related to the FMI’s use of the provider.
  3. An operator must identify the FMI’s critical service providers and disclose the FMI’s dependency on those providers to the regulator and, where appropriate, its participants. (See Guidance for Standard 17B: ‘Critical Service Providers’, in Guidance for the FMI Standards for more detail).

Ref #20368281 v1.0 FMI STANDARD 17C: CYBER RESILIENCE 17C

DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a central securities depository; or (c) a securities settlement system; or (d) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated systemically important FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(vii) provides that a standard may deal with, or otherwise relate to, the management by operators of cybersecurity risk. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. vii. Applicable auditing and assurance standards has the same meaning as in section 5(1) of the Financial Reporting Act 2013. viii. Cyber means relating to, within, or through the medium of the interconnected information infrastructure of interactions among persons, processes, data, and information systems. ix. Cyber event means any observable occurrence in an information system. Cyber events sometimes provide an indication that a cyber incident is occurring. x. 
Cyber incident means a cyber event that: (a) jeopardises the cybersecurity of an information system or the information the system processes, stores, or transmits; or (b) violates the security policies, security procedures, or acceptable use policies, whether resulting from malicious activity or not. xi. Cyber resilience means the ability of an entity to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing, and rapidly recovering from cyber incidents. xii. Cyber resilience framework means the policies, procedures, and internal systems an entity has established to identify, protect, detect, respond to, and recover from the plausible sources of cyber risks it faces. xiii. Cyber resilience strategy means an entity’s high-level principles and medium-term plans to achieve its objective of managing cyber risk. xiv. Cyber risk means the combination of the probability of cyber incidents occurring and their impact. xv. Cyber risk appetite means the level of tolerance that an entity has for cyber risk. It includes how much cyber risk an entity is willing to tolerate, and how much an entity is willing to invest or spend to manage the risk. xvi. Cyber risk tolerance means the level of cyber risk an entity is willing to assume. xvii. Internal systems means mechanisms within an FMI or operator to implement policies, procedures, or controls. xviii. Qualified auditor means any of the following: (a) a licensed auditor as defined in section 6(1) of the Auditor Regulation Act 2011; or (b) a registered audit firm as defined in section 6(1) of the Auditor Regulation Act 2011; or (c) the Auditor-General as defined in section 4 of the Public Audit Act 2001. Commencement xix. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must ensure that the FMI maintains cyber resilience in a manner that is commensurate with the FMI’s exposure to cyber risk, and enables the FMI to remain sound and efficient.

Cyber resilience strategy and framework

  2. Further to the requirements in clause (1), an operator must ensure that the FMI has a cyber resilience strategy and cyber resilience framework that is comprehensive, adequate, and credible. The operator must ensure that the cyber resilience strategy and cyber resilience framework: a) are based on internationally and nationally recognised frameworks and guidelines; and b) align with the FMI’s business objectives, stakeholder requirements, corporate strategy, risk management framework, and other related strategies and frameworks; and c) are commensurate with the FMI’s cyber risk tolerance, cyber risk appetite, and the operational reliability objectives required under Standard 17: ‘Operational risk’; and d) identify and assess the cyber risk associated with the use of third-party service providers, and outline how this risk will be managed, including through compliance with the requirements in Standard 17B: ‘Critical service providers’; and e) set out how information on cyber incidents and threats will be securely shared with relevant external stakeholders, including the regulator and participants; and f) provide for cyber resilience training to staff members (the content of which will depend on the nature of the role) during the entire employment lifecycle; and g) are reviewed annually, and updated when required, to ensure that any changes in the cyber risk environment are adequately managed.

Governance of cyber risk management

  3. Further to the requirements in clause (1) an operator must ensure that its board of directors is ultimately responsible for the cyber resilience of the FMI. An operator must take reasonable steps to ensure that its board of directors understands the cyber risk environment that the FMI operates in, including ensuring that its board of directors: a) appoints a senior manager with the appropriate skills, knowledge, and experience to be accountable for the FMI’s cyber resilience strategy and cyber resilience framework; and b) ensures that senior management updates the board of directors on any significant changes to the FMI’s vulnerabilities or the wider cyber risk environment; and c) reviews and approves the FMI’s cyber resilience strategy and cyber resilience framework and monitors the implementation of such strategy and framework, including any policies, procedures, and internal systems that support this implementation; and d) takes responsibility for determining the FMI’s cyber risk tolerance and cyber risk appetite.

Review of compliance with the cyber resilience strategy and framework

  4. An operator must ensure that the cyber resilience strategy and the cyber resilience framework, and the subsequent compliance with them, are assessed by way of an external assurance engagement by a qualified auditor in accordance with applicable auditing and assurance standards: a) at least every two years; and b) subject to clause (6), whenever a cyber incident occurs that materially impacts, or could materially impact, the FMI’s continuing operations.
  5. An operator must provide any report from an external assurance engagement to the regulator at the regulator’s request.
  6. Clause 4(b) does not apply if, in the opinion of the operator, it is not reasonably practicable to seek an external assessment following a cyber incident that materially impacts, or could materially impact, the FMI’s continuing operations.
  7. If clause (6) applies, the operator must provide reasons for its opinion to the regulator as soon as possible following the cyber incident. (See Guidance for Standard 17C: ‘Cyber resilience’, in Guidance for the FMI Standards for more detail).

Ref #20368282 v1.0 FMI STANDARD 18: ACCESS AND PARTICIPATION REQUIREMENTS FS18

DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a central securities depository; or (c) a securities settlement system; or (d) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(c) provides that a standard may deal with, or otherwise relate to, how operators must provide access to services under designated FMIs, including how persons may become participants of designated FMIs. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. Commencement vii. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must have objective, risk-based, and publicly disclosed criteria for participation in the FMI, which permit fair and open access to the FMI.
  2. Further to the requirements in clause (1) an operator must: a) allow fair and open access to the FMI’s services, including by direct and, where relevant, indirect participants and other FMIs; and b) ensure that access requirements are: i) based on reasonable risk-related participation requirements; and ii) justified in terms of the safety and efficiency of the FMI and the markets that the FMI serves; and iii) tailored to, and commensurate with, the FMI’s specific risks; and iv) publicly disclosed; and c) set requirements that have the least restrictive impact on access to the FMI that circumstances permit, subject to the maintenance of acceptable risk standards; and d) monitor compliance with participation requirements for the FMI on an ongoing basis and have clearly defined and publicly disclosed procedures for facilitating the suspension and orderly exit of a participant that breaches, or no longer meets, the participation requirements. (See Guidance for Standard 18: ‘Access and Participation Requirements’, in Guidance for the FMI Standards for more detail).

Ref #20368285 v1.0 FMI STANDARD 19: TIERED PARTICIPATION ARRANGEMENTS FS19

DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a central securities depository; or (c) a securities settlement system; or (d) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(c) provides that a standard may deal with, or otherwise relate to, how operators must provide access to services under designated FMIs, including how persons may become participants of designated FMIs. Section 34(1)(e)(ix) provides that a standard may deal with, or otherwise relate to, risks arising out of interconnections (direct or indirect) between a designated FMI and activities in the financial system that are not activities under designated FMIs. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. vii. Tiered participation arrangement means an arrangement that occurs when indirect participants rely on the services provided by direct participants to use the FMI's central payment, clearing, or settlement systems. Commencement viii. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. The operator must identify, monitor, and manage the material risks to the FMI arising from tiered participation arrangements.
  2. Further to the requirements in clause (1), the operator must: a) ensure that the FMI’s rules, procedures, and contracts allow the operator to gather basic information about indirect participation in order to identify, monitor, and manage any material risks to the FMI arising from such tiered participation arrangements; and b) identify material dependencies between direct and indirect participants that might affect the FMI; and c) identify: i) indirect participants responsible for a significant proportion of transactions processed by the relevant FMI; and ii) indirect participants whose transaction volumes or values are large relative to the operational and financial capacity of the direct participants through which they access the FMI; and d) review risks arising from tiered participation arrangements on at least an annual basis and take action to mitigate all material risks following this review. (See Guidance for Standard 19: ‘Tiered Participation Arrangements’, in Guidance for the FMI Standards for more detail).

Ref #20368287 v1.0 FMI STANDARD 20: FMI LINKS FS20

DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a settlement system; or (c) a central securities depository; or (d) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(e)(viii) and (ix) provide that a standard may deal with, or otherwise relate to, risks arising out of interconnections (direct or indirect) between a designated FMI and other designated FMIs, and risks arising out of interconnections between a designated FMI and activities in the financial system that are not activities under designated FMIs. Interpretation vi. Words and phrases used in this standard have the same meaning as in the Act. vii. Central counterparty means a designated FMI that is classed in a designation notice under section 29 of the Act as a central counterparty. viii. Central securities depository means a designated FMI that is classed in a designation notice under section 29 of the Act as a central securities depository. ix. Issuer central securities depository means a central securities depository where securities are issued or immobilised. x. Investor central securities depository means a central securities depository that opens an account with an issuer central securities depository to enable the cross-system settlement of securities transactions. xi. Link means a set of arrangements, which may be contractual or operational, or both, between two or more FMIs that connect the FMIs directly or through an intermediary. xii. Relevant jurisdiction means any jurisdiction in which the FMI operates, and will always include New Zealand. xiii. FMI Standards means the standards issued under section 31 of the Act. Commencement xiv. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator of an FMI that establishes a link with one or more FMIs must identify, monitor, and manage link-related risks.
  2. An operator must ensure that before entering into a link, and on an ongoing basis once the link is established, the operator identifies, monitors, and manages all potential sources of risk arising from the link.

Designing links to manage operational, legal and financial risk

  3. Further to the requirements in clause (1), an operator must: a) design links such that each FMI is able to observe the other FMI’s compliance with the applicable FMI Standards or relevant overseas standards; and b) ensure that the link has a well-founded legal basis, in all relevant jurisdictions, that supports the link’s design and manages operational, legal, and financial risk to the FMIs involved in the link.

Central securities depositories

  4. Further to the requirements in clause (1), an operator of a central securities depository that is part of a link must: a) measure, and manage, the credit and liquidity risks arising from other linked central securities depositories; and b) ensure that any credit extensions between the central securities depository and another central securities depository are covered fully with high-quality collateral, and are subject to size limits.
  5. Further to the requirements in clause (1), an operator of a central securities depository must prohibit provisional transfers of securities between the central securities depository and any linked central securities depository.

Investor central securities depositories

  6. Further to the requirements in clause (1), an operator of an investor central securities depository must: a) only establish a link between the investor central securities depository and an issuer central securities depository if the arrangement provides a high level of protection for the rights of participants; and b) if the operator uses an intermediary to operate a link with an issuer central securities depository, measure and manage the additional risks (including custody, credit, legal, and operational risks) arising from the use of the intermediary.

Central counterparties

  7. Further to the requirements in clause (1), an operator of a central counterparty must: a) identify and manage the potential spill-over effects on the other central counterparty, participants of the central counterparties, and the wider financial system from the default of the linked central counterparty; and b) ensure that the FMI can fully cover, on a daily basis, its current and potential future exposures to the linked central counterparty and any participants, without reducing the ability to fulfil its obligations to its own FMI participants at any time. (See Guidance for Standard 20: FMI Links, in Guidance for the FMI Standards for more detail).

FMI STANDARD 21: EFFICIENCY AND EFFECTIVENESS FS21

Ref #20368288 v1.0

DOCUMENT VERSION HISTORY

1 March 2024 First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central securities depository; or (d) a central counterparty.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems).

iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Subject to certain conditions, section 34(1)(k) provides that a standard may deal with, or otherwise relate to, requirements relating to one or more standards issued by international organisations that impose requirements or provide for recommended practices in relation to FMIs.

Interpretation

vi. Words and phrases used in this standard have the same meaning as in the Act.

Commencement

vii. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator of an FMI must ensure that the FMI is operated efficiently and effectively in meeting the requirements of the FMI’s participants and the markets the FMI serves.
  2. Further to the requirements in clause (1), an operator must: a) ensure that the FMI is designed to meet the needs of the FMI’s participants and the markets the FMI serves, including: i) the choice of a clearing and settlement arrangement; and ii) the operating structure; and iii) the scope of products cleared, settled, or recorded; and iv) the use of technology and procedures; and b) have clearly defined goals and objectives for the FMI that are measurable and achievable, including in the areas of minimum service levels, risk management expectations, and business priorities. (See Guidance for Standard 21: ‘Efficiency and Effectiveness’, in Guidance for the FMI Standards for more detail).

Ref #20368289 v1.0 FMI STANDARD 22: COMMUNICATION PROCEDURES AND STANDARDS FS22

DOCUMENT VERSION HISTORY

1 March 2024 First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central securities depository; or (d) a central counterparty.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems).

iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(k) provides that a standard may deal with, or otherwise relate to, requirements relating to one or more standards issued by international organisations that impose requirements or provide for recommended practices in relation to FMIs.

Interpretation

vi. Words and phrases used in this standard have the same meaning as in the Act.

Commencement

vii. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. The operator must ensure that the FMI uses relevant internationally accepted communication procedures and standards. (See Guidance for Standard 22: ‘Communication’, in Guidance for the FMI Standards for more detail).

FMI STANDARD 23: DISCLOSURE OF RULES, KEY PROCEDURES, AND MARKET DATA FS23

DOCUMENT VERSION HISTORY

1 March 2024 First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central securities depository; or (d) a central counterparty.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems).

iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(i) provides that a standard may deal with, or otherwise relate to, the public disclosure of information relating to operators or designated FMIs.

Interpretation

vi. Words and phrases used in this standard have the same meaning as in the Act.

Commencement

vii. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must have, and publicly disclose, rules and procedures for the FMI that give participants and future participants sufficient information to have a reasonable understanding of the risks, fees, and other material costs they incur by participating in the FMI.
  2. Further to the requirements in clause (1), an operator must: a) publicly disclose, on an internet website maintained by, or on behalf of, the operator, clear descriptions of the system’s design and operations, as well as the FMI’s and participants’ rights and obligations; and b) provide all necessary and appropriate documentation and training to facilitate participants’ understanding of the FMI’s rules and procedures, and the risks they face from participating in the FMI; and c) publicly disclose the FMI’s fees at the level of individual services the FMI offers, the FMI’s policies on any available discounts, and clear descriptions of priced services for comparability purposes; and d) publicly disclose basic data on transaction volumes and values. (See Guidance for Standard 23: ‘Disclosure of rules, key procedures, and market data’, in Guidance for the FMI Standards for more detail).

Ref #20368291 v1.0 FMI STANDARD 23A: DISCLOSING COMPLIANCE WITH THE FMI STANDARDS FS23A

DOCUMENT VERSION HISTORY

1 March 2025 First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central securities depository; or (d) a central counterparty.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems).

iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(1)(i) provides that the regulator may make standards that deal with, or otherwise relate to, the public disclosure of information relating to operators or designated FMIs.

Interpretation

vi. Words and phrases used in this standard have the same meaning as in the Act.

Commencement

vii. This standard comes into force on 1 March 2025.

REQUIREMENTS

  1. An operator must: a) complete a disclosure document that contains all the information specified in the disclosure template contained in Annex A that is applicable; and b) ensure that the disclosure document is prominently published on an internet website maintained by, or on behalf of, the operator at all times in a way that ensures that members of the public can easily access the disclosure document.
  2. An operator must update the disclosure document as outlined in clause (1): a) following any material changes to the FMI or its environment; and b) in any case, at least every two years. (See Guidance for Standard 23A: ‘Disclosing compliance with the FMI Standards’, in Guidance for the FMI Standards for more detail).

ANNEX A: FMI DISCLOSURE TEMPLATE

Responding institution: [operator name]

Jurisdiction(s) in which the designated FMI operates: [list jurisdictions]

The date of this disclosure is [date].

This disclosure can also be found at [website address]. For further information, please contact [contact details].

I. Executive summary

This section must summarise the key points from the disclosure, including:

- a brief overview of the operator; and
- the designated FMI, its participants, its legal and regulatory framework, its primary risks, and its key risk management and other relevant practices.

II. Summary of major changes since the last update of the disclosure

This section must summarise the major changes to the operator and FMI’s organisation, design, rules, markets served and regulatory environment since its last disclosure. The operator must note the sections in its disclosure where the changes are reflected.

III. General background on the FMI

General description of the FMI and the markets it serves

This section must:

- provide basic and concise descriptions of the services offered, and functions performed, by the FMI; and
- provide an overview of the markets that the FMI serves and the role that it fulfils within those markets; and
- include basic data and performance statistics on its services and operations. The operator must provide, for example, basic volume and value statistics by product type, average aggregate intraday exposures of the FMI to its participants, and statistics on the FMI’s operational reliability.

General organisation of the FMI

This section must provide an overview of the organisational and governance structure of the operator, including a description of the operator’s governance policies, governance structure, and management structure.

Legal and regulatory framework

This section must provide:

- an overview of the operator of the FMI’s legal and regulatory framework; and
- the legal and ownership structure of the operator and the FMI; and
- the legal basis for each material aspect of the FMI’s activities; and
- the regulatory, supervisory, and oversight framework for the operator and the FMI.

System design and operations

This section must:

- explain the FMI’s design and operations; and
- include a clear description of the typical lifecycle of the transaction process. The information in this section must highlight how the FMI processes a transaction, including the timeline of events, the validation and checks to which a transaction is subjected, and the responsibilities of the parties involved.

IV. Standard-by-standard summary narrative disclosure

This section must provide a summary narrative disclosure for each applicable standard with sufficient detail and context to enable a reader to understand the operator’s approach to complying with each applicable standard.

Standard-by-standard summary narrative disclosure

Standard X: Text of the standard

Summary narrative: This section must provide a summary narrative disclosure with sufficient detail and context, as well as any other appropriate supplementary information, to enable readers to understand the operator’s approach to or method for complying with the standard. Cross references to publicly available documents should be included, where relevant, to supplement the disclosure.

V. List of publicly available resources

This section must list publicly available resources, including those referenced in the disclosure that may help a reader understand the operator, the FMI, and their approach to complying with each applicable standard.

Ref #20368292 v1.0 FMI STANDARD 23B: NOTIFYING THE REGULATOR FS23B

DOCUMENT VERSION HISTORY

1 March 2024 First issue date

INTRODUCTION

Application

i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central securities depository; or (d) a central counterparty; or (e) an overseas-equivalent FMI.

Legal powers

ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems).

iii. Section 12 of the Act provides the regulator’s functions include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act.

iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs.

v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Section 34(3) provides that the regulator may make standards that require operators to give to the regulator reports relating to the disruption to activities under designated FMIs, or contraventions of requirements imposed by or under the Act. Further, section 34(1)(e)(ii) provides that a standard may deal with, or otherwise relate to, operational risk, while section 34(1)(e)(vi) provides that a standard may deal with or otherwise relate to legal risk.

Interpretation

vi. Words and phrases used in this standard have the same meaning as in the Act.

vii. Essential services means services provided by the FMI: (a) for designated FMIs which are assessed as systemically important by the regulator under section 24 of the Act, all services contributing to the assessment that an FMI is systemically important; and (b) for designated FMIs that are not assessed as systemically important under section 24 of the Act, any services covered by the protections in subpart 5 of Part 3 of the Act.

viii. Overseas-equivalent FMI means a designated FMI that is specified in its designation notice under section 29(2)(f) of the Act as falling within the class of an overseas-equivalent FMI.

ix. Material incident means an event that: (a) causes the FMI: A. a slowdown in the operation of the system; or B. a restriction or partial availability of the system; or C. a security threat to the system; or D. an increase in the risk of an outage, slowdown, restriction, or security threat, or E. a potential or actual adverse impact on the future operation of the system; and (b) has a substantive adverse impact on the FMI's participants (or for an overseas-equivalent FMI, the FMI’s New Zealand participants) or the New Zealand financial system.

x. Outage means an event that causes the system to be unavailable for use by any or all participants (or for an overseas-equivalent FMI, the FMI’s New Zealand participants), regardless of: (a) the cause; and (b) the length of time of the outage.

Commencement

xi. This standard comes into force on 1 March 2024.

REQUIREMENTS

  1. An operator must report to the regulator material incidents or contraventions of obligations imposed on the operator by or under the Act, and other regulatory requirements imposed by or under the law of their home jurisdiction.
  2. An operator must put in place effective methods for monitoring: a) compliance with obligations imposed on the operator by or under the Act (and in respect of an overseas-equivalent FMI, compliance with requirements imposed under the regulatory regime for the FMI in the operator’s home jurisdiction); and b) material incidents or outages of essential services provided by the FMI (and in respect of an overseas-equivalent FMI, essential services provided directly or indirectly to New Zealand participants).
  3. An operator must send a report to the regulator as soon as possible if the operator reasonably believes that it has, may have, or is likely to contravene, in a material respect, an obligation imposed on the operator by or under the Act (or in the case of an overseas-equivalent FMI, an obligation imposed by or under the regulatory regime for the FMI in the operator’s home jurisdiction).
  4. An operator must report to the regulator as soon as possible if the operator reasonably believes there has been, or there is likely to be, a material incident, or an outage of essential services provided by the FMI, and where an operator is the operator of an overseas-equivalent FMI, essential services provided directly or indirectly to New Zealand participants.
  5. For an operator of an overseas-equivalent FMI, any report required to be sent to the regulator under this standard is treated to have been sent to the regulator if it has been provided to an international regulatory or supervisory college whose members include the RBNZ and/or the FMA. (See Guidance for Standard 23B: ‘Notifying the Regulator’, in Guidance for the FMI Standards for more detail).