Submissions on FMI Framework Consultation by NZX and LSEG

NZX Limited Level 1, NZX Centre 11 Cable Street PO Box 2959 Wellington 6140 New Zealand Tel +64 4 472 7599 www.nzx.com 20 September 2021 FMI Consultation Team Financial System Policy and Analysis Department Reserve Bank of New Zealand PO Box 2498 Wellington 6140 By Email: fmiconsultation@rbnz.govt.nz NZX Clearing - Submission on Consultation Paper: Developing Standards for Designated Financial Market Infrastructures Introduction

1. Thank you for the opportunity to submit feedback on the Financial Markets Authority (FMA) and Reserve Bank of New Zealand’s (RBNZ, and together the Regulator) proposed framework for developing standards under the Financial Markets Infrastructures Act 2021 (Act) as set out in the consultation paper ‘Developing Standards for Designated Financial Market Infrastructures’ (Consultation Paper). We appreciate you meeting with us on 24 August, and the open and constructive engagement in relation to the matters set out in the Consultation Paper.
2. NZX Limited (NZX), New Zealand Clearing and Depository Corporation Limited (NZCDC) and other wholly owned NZX subsidiary companies (NZX Clearing or We) are currently operators of the NZCDC settlement system (System), which is a designated settlement system under Part 5C of the Reserve Bank of New Zealand Act 1989 (RBNZ Act). NZX Clearing will therefore be affected by the changes to the regulatory framework relevant to FMIs.
3. We set out below our submissions in response to the Consultation Paper. We have sequentially addressed each question in the Consultation Paper in our submission. General
4. We note that the feedback we have provided in this submission is focused on the impact of standards on NZX Clearing as an operator of a CCP, CSD and SSS. Any feedback we have provided may therefore not be suitable for systems that are not similar, such as pure payment systems.
5. NZX Clearing currently self-assesses its compliance with the principles in the Committee on Payment and Market Infrastructures and Technical Committee of the International Organization of Securities Commission’s ‘Principles for Financial Markets Infrastructures’ (PFMI). As nearly all of the principles are applicable to the System, the majority of our submission is focused on the proposed standards in Pillar 3 of the framework, as well as the timeline for implementation of the standards.

Question 1a: Do you have any comments on the proposed one-time transition approach to developing and issuing standards? 6. While we are supportive of the proposal to implement a holistic set of standards to enable a one-time approach to transition, we are concerned with the short amount of time between the finalisation of the standards and their effective date. In recognition of the time required by operators to ensure compliance with the new requirements, which may not be finalised until Q3 2022, we expect that the requirements contained in some standards (particularly those containing content within Pillar 3) may need to be phased in later than Q4 2022. 7. In this regard, we suggest that the Regulator consider whether an additional transitional period for compliance extending into 2023 may be appropriate in relation to the proposed new cyber resilience requirements, and contractual requirements for critical service providers which are foreshadowed in the Consultation Paper. We note that this will depend on the nature of the requirements that are to be included in those standards which will be the subject of a separate consultation. A longer transition period for these requirements may be appropriate because these requirements go beyond the obligations outlined in the PFMI and our current designation order, and may impose greater requirements than the other areas of the proposed framework. Question 1b: Do you have any comments on the proposed approach to not differentiate standards based on how FMIs become designated? 8. NZX Clearing agrees that the application of standards should not be determined by the manner in which an FMI is designated. Question 2: Do you have any comments on the planned approach to incorporate existing regulatory requirements (i.e. conditions of designation) into standards under the new Regime? 9. We are supportive of a set of requirements being incorporated into a standard, that effectively sets licensing conditions for all FMI, similar to the approach taken in relation to other licenses granted by the FMA under the Financial Markets Conduct Act 2013 (FMC Act). 10. We understand that for existing operators such as NZX Clearing, that Schedule 1 of the Act requires only that the Regulator makes an assessment of the operator’s systemic importance. We would not expect additional conditions to be imposed on NZX Clearing beyond those that currently apply under the RBNZ Act or those that are to be applied to FMIs generally as a standard licensing condition. Question 3: Do you have any comment on the PFMI forming the basis of standards for designated FMIs operating in New Zealand? 11. NZX Clearing is supportive of the PFMI principles forming the basis of standards for designated FMIs operating in New Zealand. 12. We note the intention of the Regulator to include the explanatory notes accompanying each PFMI principle as guidance material accompanying each standard. We would like clarification as to the status and enforceability of this guidance material, and whether any action would be taken by the Regulator if an FMI acted in a manner inconsistent with this guidance.

Question 4a: Do you have any comments on whether the scale and scope of an FMI’s operations may require standards to be tailored to their particular circumstances? 13. We believe that the Regulator should tailor certain standards based on scale and scope of an FMI’s operations. It is appropriate for the standards to impose differential requirements on operators, in recognition of the risk that they pose to the broader financial system. We believe that this would achieve the purposes of the Act as set out in section 3(1), by promoting the maintenance of a sound and efficient financial system as such an approach would prevent FMI from being subject to unnecessary requirements that are disproportionate to their risk. Question 4b: What other factors do you think may influence the need for tailoring? 14. We believe that the Regulator should take into account the 6 factors referred to in paragraph 17 of its Consultation Paper on the Framework for Identifying Systemically Important Financial Market Infrastructures. Question 4c: Which standards (see Annex B) do you think will require tailoring and what tailoring is required? 15. We do not believe that any standards introduced under Pillar 2 require tailoring. This is because we operate a CCP, CSD, and SSS, and so almost all Principles of the PFMI are relevant. We do note that this may not be appropriate for other FMIs in New Zealand, such as pure payment systems. Question 5: Do you have any comments on the approach for FMI contingency planning in the standards? 16. As the Regulator is aware, NZX Clearing is currently undertaking consultation on the introduction of a suite of additional recovery and resolution tools. We understand the Regulator considers that the proposed tools would comply with any requirements that it is likely to impose in a standard for contingency plans. As we discussed with you on 24 August, if the Regulator has specific requirements for contingency plans, it would be helpful for operators to have regulatory certainty to ensure that their arrangements are fit for purpose well in advance of those requirements becoming effective. 17. We note that the proposed content of the contingency plan standard is broadly in line with the PFMI, with the addition of procedures to allow for a change in operator, and mechanisms to allocate/recover costs of resolving the FMI from Participants. We believe that a principles based approach to setting contingency plan requirements is appropriate to provide the Regulator with appropriate flexibility when reviewing contingency plans. Question 6: Do you have any comment on our plan to apply breach reporting requirements to designated FMIs like those in section 412 of the Financial Markets Conduct Act 2013? 18. We suggest that this requirement is tailored so that the requirement is to report as soon as reasonably practicable, rather than immediately. This approach is consistent with that adopted in various provisions of the FMC Act, including section 412, and will improve the utility of the reports provided to the Regulator.

Question 7: Do you have any comment on our plan to carry over outage reporting requirements for FMIs currently designated under the RBNZ Act 1989 to all FMIs designated under the Act? 19. We note that the current requirement for the CLS system is to notify if a notification trigger ‘has occurred, or is likely to occur’, in contrast to the designation orders of other FMIs, where notification is required if a trigger ‘has occurred, or may occur’. We suggest that the reporting requirement is triggered when an operator has reasonable grounds to believe that a matter is likely to occur, consistent with the approach taken in the FMC Act. We suggest that the reporting requirement is changed so that FMIs must report ‘material outages and material incidents’ rather than ‘outages and material incidents’. Question 8: Do you agree with our preferred option to publish material breaches by FMIs on both the operator’s and the Regulator’s official website(s)? 20. NZX Clearing recognises that public disclosure is a regulatory tool through which the Regulator can encourage compliance with the Act. We suggest that public disclosure is a tool that is used sparingly and is required by the Regulator on an ad-hoc basis where necessary, after the Regulator has considered the materiality of the breach and the risk to the stability of the FMI. 21. If the Regulator wishes to adopt a public disclosure requirement, we recommend that any required public disclosure is not required to be as comprehensive as the disclosure provided to the Regulator. We consider that complex technical detail is not necessary for public disclosure, as relevant parties are likely to already have the necessary information, and detailed disclosure could increase the risk to FMIs. Question 9: Do you have any comments on the proposed approach of making the RBNZ Guidance on cyber resilience the basis for regulatory requirements for designated FMIs and supplementing this with relevant content from CPMI-IOSCO Guidance to address any areas where cyber risk management is unique to FMIs? 22. NZX Clearing supports the introduction of cyber risk management standards, and recognises that these are an important factor in risk mitigation, although we suggest an extended timeframe for compliance beyond Q4 2022. We are comfortable with the Regulator issuing standards in line with the RBNZ’s Guidance on Cyber Resilience, however, we recommend that the Regulator determines whether particular FMIs should be subject to the enhanced guidance in light of the risk they pose to the broader financial system. Question 10: What are your views on the 2 options that have been identified? Are there additional factors that should be considered when setting regulatory requirements around cyber resilience? 23. We would note that within FMIs, different teams may be responsible for managing operational and cyber risk. As such, the adoption of a separate standard for cyber risk could be beneficial by practically making it simpler for an operator to ensure compliance with the requirements. Question 11: What factors should be considered when identifying service providers as critical? Do you see value in clarifying the interpretation of what a critical service provider is from the very high-level description provided in the PFMI? 24. We are comfortable with the definition of ‘critical service provider’ proposed by the Regulator, noting that delivering appropriate regulatory outcomes will depend on the Regulator’s approach to the specific elements of the definition, including the interpretation of ‘key business lines’ and ‘significant disruption’.

25. We suggest that where a critical service provider is easily substitutable, it should not fall within the definition. We consider that if a provider can be quickly substituted for another, even if the service they provide is ‘critical’, they should not be considered a critical service provider.
26. We agree with the Regulator’s proposal to exclude utilities from the definition of critical service provider, but suggest that further clarification is provided as to the approach to the exclusion of telecommunications providers. Question 12: Do you have any comments on the proposed two-stage process to identifying critical service providers?
27. We have no comments on the proposed two-stage process. Question 13: Do you have any comments on our preferred option to require the contractual terms between the FMI operators and their critical service providers to reflect our expectations at a principle-based level?
28. We understand that the standard relating to critical service providers will be the subject of a separate consultation, and will provide further clarity of the Regulator’s proposed approach to the inclusion of key contract terms in critical service providers’ contracts.
29. The Regulator’s preference is for critical service providers’ contracts to contain principles-based contractual terms. We note that even principles-based requirements may require FMIs to renegotiate contracts that are already in place with critical service providers and may be difficult to implement, as doing so would depend on the nature of the terms and conditions in each individual contract.
30. As an alternate approach, we suggest a standard that is similar to the outsourcing conditions imposed on Managed Investment Scheme Managers by the FMA under Section 403 of the FMC Act. The Regulator could require that an FMI is satisfied the critical service provider is capable of performing the service to the standard required to enable the FMI to meet its conditions of designation, and require the FMI to have a legally binding agreement with the provider. We consider that this approach would achieve the aims of the Regulator, while not being unduly burdensome. Question 14: Do you have any comments on the preferred option of allowing substitute compliance for overseas FMIs, subject to meeting equivalence and cooperation conditions? Are there any significant issues regarding the treatment of overseas FMIs that you would like to draw to our attention?
31. We believe that the implementation of a substitute compliance system is an effective way to regulate overseas FMIs. We note, however, that as the proposed standards in New Zealand go beyond the PFMI, there is potential for overseas FMIs to gain competitive advantage if they are not held to the same requirements. In respect of Pillar 3 standards that go beyond the PFMI, we recommend that the Regulator either ensure there is an equivalent requirement in the FMI’s home jurisdiction, or create a bespoke standard for them.

Question 15: Do you have any comments on the proposal for having disclosure standards consistent with the CPMI-IOSCO Disclosure Framework for FMIs? 32. NZX Clearing supports replacing the existing disclosure requirement with one that is in line with the CPMI-IOSCO Disclosure Framework for FMIs. Question 16: Do you have any comments on incorporating the PFMI into standards directly rather than by reference? Do you have comments on incorporating particular elements of the PFMI into legally binding standards? 33. We believe that the Regulator should proceed with the first option of incorporating the PFMI by reference, rather than directly into legislation. While we are aware that the Reserve Bank of Australia has chosen to incorporate the PFMI directly, we consider that incorporation by reference will allow greater flexibility and ensure that the standards are always up to date and in line with the PFMI. General 34. We would like to thank the RBNZ and FMA for the opportunity to provide this submission, and the constructive engagement we have had in relation to the development of the standards framework. We are happy to discuss any of the points raised with you further. We look forward to working with both the RBNZ and FMA on the upcoming consultations in relation to the standards. Yours sincerely, Roger Bayly Kristin Brandon General Manager, Market Operations Head of Policy and Regulatory Affairs

Consultation on implementing the Financial Market Infrastructures Act LSEG RESPONSE TO THE RESERVE BANK OF NEW ZEALAND AND FINANCIAL MARKETS AUTHORITY CONSULTATION September 2021

Consultation on implementing the Financial Market Infrastructures Act, September 2021 2 Introduction The London Stock Exchange Group (“LSEG”) is a financial market infrastructure provider, headquartered in London, with significant operations in Europe, North America and Asia. Its diversified global business focuses on capital formation, intellectual property and risk and balance sheet management. LSEG operates an open access model, offering choice and partnership to customers across all of its businesses. LSEG operates multiple clearing houses. It has majority ownership of the multi-asset global CCP operator, LCH Group (“LCH”). LCH has two licensed CCP subsidiaries – LCH Ltd in the UK and LCH S.A. in France. Both are leading multi-asset class and international clearing houses, serving major international exchanges and platforms as well as a range of OTC markets. They clear a broad range of asset classes, including securities, exchange-traded derivatives, commodities, foreign exchange derivatives, interest rate swaps, credit default swaps and euro, sterling and US dollar denominated bonds and repos. LSEG welcomes the opportunity to respond to the Reserve Bank of New Zealand (“RBNZ”) and the Financial Markets Authority’s (“FMA”) consultation papers on implementing the Financial Market Infrastructure Act.

Executive summary We welcome the publication of the RBNZ and FMA’s overview of the plan to implement the Financial Market Infrastructure Act and the two consultation papers on (1) a framework for identifying systemically important financial market infrastructure (“FMI”); and (2) approach to developing standards for FMIs. LSEG supports the overall approach taken to implement the FMI Act which establishes a new and robust regime for FMIs. We appreciate the transparent and consultative nature of the process and the approach of the regulators to thoroughly engage with affected stakeholders. We strongly support the distinction between domestic and overseas FMIs, including the proposal to allow substitute compliance subject to meeting equivalence and cooperation conditions. We also support the alignment with the CPMI-IOSCO Principles for Financial Market Infrastructures (“PFMIs”) as the appropriate international standard in this area of regulation. Our response focuses on LCH Ltd and in particular the SwapClear service, which has members and clients in New Zealand and has been previously identified by the New Zealand regulators as an FMI that is potentially systemically important.

Consultation on implementing the Financial Market Infrastructures Act, September 2021 4 Questions Consultation Paper 1: A Framework for Identifying Systemically Important Financial Market Infrastructure

1. Do you have any comments on the design of the Framework (noting that it is based on the FMI Act, aligned with the PFMI, and balanced regulatory discretion with transparency and clarity)? LSEG appreciates the transparency that the RBNZ and FMA (together the “Regulators”) have provided throughout this process, and strongly support the alignment with the PFMIs as the appropriate international standard for the financial market infrastructures (“FMIs”) regulation. We understand that the Regulators will need to exercise a level of regulatory discretion in applying the provisions of the FMI Act and we look forward to continuing our engagement in relation to LCH Ltd.
2. Do you have any comments on the factors we suggest for assessing the size of FMIs? What other factors do you consider we should include in this category? LSEG agrees with the factors but suggest that in considering the systemic importance of overseas FMIs to New Zealand, the factors for assessing the FMI’s size should be focused on New Zealand participants, e.g. the number of direct and indirect New Zealand participants.
3. Do you have any comments on the factors we suggest for assessing the types of persons who are participants of FMIs? What other factors do you consider that we should include in this category? Similar to our response to Question 2 above, in considering the systemic importance of overseas FMIs, the factors for assessing the type of participants should focus on New Zealand persons, e.g. if direct or indirect participants include New Zealand central banks, other New Zealand FMIs, New Zealand registered banks or large corporates.
4. Do you have any comments on the factors we suggest for assessing the nature and scope of activities of FMIs? What other factors do you consider we should include in this category? In considering the systemic importance of overseas FMIs, LSEG suggests that the factors be focused on the nature and scope of activities, including interconnectedness, within the New Zealand market. However, we recognise that wider information would be of interest to the Regulators to understand the FMI’s activities more generally.
5. Do you have any comments on the factors we suggest for assessing the interconnectedness of FMIs? What other factors do you consider we should include in this category? See our response to Question 4 above.
6. Do you have any comments on the factors we suggest for assessing the interconnectedness among participants of FMIs? What other factors do you consider we should include in this category? See our response to Question 4 above.
7. Do you have any comments on the factors we suggest for assessing the concentration of financial risk of FMIs? What other factors do you consider we should include in this category? LSEG agrees with these factors, noting that they are very broad. In considering the systemic importance of overseas FMIs, we suggest that the focus be on New Zealand market, e.g. exposures of New Zealand entities to LCH.

Consultation on implementing the Financial Market Infrastructures Act, September 2021 5 8. Do you have any comments on the factors we suggest for assessing the substitutability of FMIs? What other factors do you consider we should include in this category? LSEG agrees with the factors suggested. Consultation Paper 2: Developing Standards for Designated Financial Market Infrastructures Purpose, scope, timing and application of standards

1. a) Do you have any comments on the proposed one-time transition approach to developing and issuing standards? LSEG agrees with the proposed one-time transition approach as it will provide greater clarity on the regulatory requirements that designated FMIs will need to comply with. b) Do you have any comments on the proposed approach to not differentiate standards based on how FMIs become designated? LSEG agrees with the proposed approach that the standards should be the same for all designated FMIs, regardless of whether the FMI is identified as systemically important and those that apply for designation status on their own accord. The overall approach in the consultation paper to develop standards based on the PFMIs would bring New Zealand in line with many other international jurisdictions and provide a sound basis for effective risk management for FMIs. Pillar I: Treatment of regulatory requirements for FMIs under Part 5C of the RBNZ Act
2. Do you have any comments on the planned approach to incorporate existing regulatory requirements (i.e. conditions of designation) into standards under the new regime? Not applicable, as LSEG is not currently designated under the RBNZ Act. Pillar II: Reflecting the PFMI in standards under the Act
3. Do you have any comment on the PFMI forming the basis of standards for designated FMIs operating in New Zealand? LSEG strongly supports the approach of using the PFMIs as the basis for the standards as it represents international best practice for FMI regulation. We note that LCH Ltd’s primary regulator, the Bank of England, has stated that the PFMIs form a “key foundation stone” for its supervisory approach of FMIs and that the UK regulatory framework will be consistent with the minimum standards in the PFMIs, but also will go beyond if it judges this necessary to address systemic risk1 .
4. a) Do you have any comments on whether the scale and scope of an FMI’s operations may require standards to be tailored to their particular circumstances? LSEG strongly supports the tailoring of standards for the New Zealand market, and particularly in respect of overseas FMIs where that FMI’s home jurisdiction applies the PFMIs. We elaborate on our response in Question 14 below with deals with the treatment of overseas FMIs. 1 The Bank of England’s approach to the supervision of financial market infrastructures, April 2013: https://www.bankofengland.co.uk/- /media/boe/files/financial-stability/financial-market-infrastructure-supervision/the-boe-approach-to-the-supervision-of￾fmi.pdf?la=en&hash=CD95F6E8C2093172F4EA183E0A552D815FAAB5C5

Consultation on implementing the Financial Market Infrastructures Act, September 2021 6 b) What other factors do you think may influence the need for tailoring? See our response to 4(a) above. c) Which standards (see Annex B:) do you think will require tailoring and what tailoring is required? See our response to 4(a) above. Pillar III: Matters not sufficiently covered by the core PFMI Contingency plans 5. Do you have any comments on the approach for FMI contingency planning in the standards? LSEG supports the supports the proposed approach that standard on FMI contingency planning should not apply to overseas FMIs based in jurisdictions assessed as equivalent. Breach and outage reporting 6. Do you have any comment on our plan to apply breach reporting requirements to designated FMIs like those in section 412 of the Financial Markets Conduct Act 2013? LSEG notes that the requirement to notify the relevant regulator as soon as practicable upon discovering a contravention of standards in a material respect, is common across many jurisdictions. However, we note that the requirement to notify of a possible contravention could be difficult to apply in practice. 7. Do you have any comment on our plan to carry over outage reporting requirements for FMIs currently designated under the RBNZ Act 1989 to all FMIs designated under the Act? The proposal is a requirement to immediately notify the Regulators after the FMI becomes aware of an outage of material incident. LSEG strongly suggests that this requirement be tailored for overseas FMIs in terms of both the timeframe (as soon as practicable) and the threshold (material outages or material incidents that impact New Zealand participants). This would assist in providing the FMI with critical time to initially assess and respond to the incident, and to ensure the incidents reported are relevant to New Zealand. We note that LCH Ltd maintains a detailed ‘Incident Materiality Matrix’ that sets out the criteria for raising and escalating ‘Major’ or ‘High’ incidents. Only Major or High incidents are reported as soon as practicable to the relevant regulators, including the Bank of England. For example, based on the matrix, an incident that resulted in LCH’s SwapClear service being unable to register trades for more than 90 minutes would be reportable. 8. Do you agree with our preferred option to publish material breaches by FMIs on both the operator’s and the Regulator’s official website(s)? While LSEG agrees that material breaches should be reported, we do not think that it should be publicly disclosed on the Regulators’ official website(s) as well as the FMI’s website. This approach could discourage open communication with FMIs on smaller issues or incidents as well as for material breaches. In other jurisdictions, such public disclosure would be the equivalent of a regulatory sanction. LSEG, and we assume most other FMIs, take their regulatory obligations very seriously and we think that the threat of penalties and/or inability to operate in New Zealand would be sufficient to encourage disclosure and remediation of any material breaches. We note that LCH is not subject to such a requirement in its home jurisdiction, the United Kingdom, and it would be unusual outcome if a material breach were to be disclosed on another regulator’s website but not by the Bank of England. We expect other overseas FMIs would be in a similar situation.

Consultation on implementing the Financial Market Infrastructures Act, September 2021 7 Management of Cyber risk 9. Do you have any comments on the proposed approach of making the RBNZ Guidance on cyber resilience the basis for regulatory requirements for designated FMIs and supplementing this with relevant content from CPMI-IOSCO Guidance to address any areas where cyber risk management is unique to FMIs? For designated overseas FMIs, LSEG strongly supports that any standards on critical service providers be within the scope of any equivalence assessment of the FMI’s home regulatory regime to allow for substituted compliance (subject to meeting equivalence and cooperation conditions). LSEG strongly supports alignment with the PFMIs and the supplementary guidance provided in the CPMI-IOSCO ‘Guidance on cyber resilience for financial market infrastructures’ in developing standards on cyber risks. This represents international best practice to enhance the operational resilience of FMIs. 10. What are your views on the 2 options that have been identified? Are there additional factors that should be considered when setting regulatory requirements around cyber resilience? LSEG considers that both options have merit and does not have a preference, provided the standards are based on the PFMIs and the CPMI-IOSCO cyber guidance. Treatment of critical service providers 11. What factors should be considered when identifying service providers as critical? Do you see value in clarifying the interpretation of what a critical service provider is from the very high-level description provided in the PFMI? LSEG agrees with the approach to start with the description from the PFMI and then to provide a supplementary explanation, particularly as it links the services to the designation notice. This provides greater clarity for FMIs. 12. Do you have any comments on the proposed two-stage process to identifying critical service providers? LSEG supports this approach to collect information from the FMI operator and to confirm the list of critical service providers for that designated FMI. We think this provides greater clarity to FMIs as to which providers the standards will apply to, as well providing greater information to the Regulators as to the FMI’s activities. 13. Do you have any comments on our preferred option to require the contractual terms between the FMI operators and their critical service providers to reflect our expectations at a principle-based level? For designated overseas FMIs, LSEG strongly supports that any standards on critical service providers are included within the scope of any equivalence assessment of the FMI’s home regulatory regime to allow for substituted compliance. In the absence of any equivalence finding, we would strongly suggest Option 1 (Set out general principles or expectations around the relationship of FMI operators and their critical service providers) as the appropriate option for overseas FMIs.

Consultation on implementing the Financial Market Infrastructures Act, September 2021 8 Treatment of overseas FMIs 14. Do you have any comments on the preferred option of allowing substitute compliance for overseas FMIs, subject to meeting equivalence and cooperation conditions? Are there any significant issues regarding the treatment of overseas FMIs that you would like to draw to our attention? LSEG strongly agrees with the preferred option, i.e. Option 2 to allow substitute compliance subject to meeting equivalence and cooperation conditions. We think that this is a sensible approach which achieves the desired outcome of a robust regulatory framework and supervision over systemically important FMIs, but which minimises unnecessary regulatory burden on overseas FMIs and maximises the effective use of regulator resources. As mentioned in the consultation paper, any requirements that are not satisfied by the overseas FMI’s home regulatory regime could be applied directly. We would highlight that an equivalence assessment of an FMI’s home jurisdiction can be a lengthy process in some cases and clear guidance from the Regulators as to the scope and content of the analysis required to be provided by the FMI, is crucial. The Regulators should factor in sufficient time for the FMIs to prepare the analysis and for the Regulators to consider the analysis and ask further questions as necessary. As you are aware, LCH Ltd is a CCP based in the United Kingdom and the Bank of England is its primary regulator. LCH Ltd is regulated in a number of jurisdictions globally, predominantly under similar substitute compliance/ deference CCP regulatory regimes but nevertheless maintains direct communication with individual local regulators. The Bank of England chairs a global college for LCH Ltd, of which the RBNZ is already a member. We also note the memorandum of understanding in respect of central counterparties between the RBNZ and FMA, with the Bank of England dated November 2015 which provides a formal basis for cooperation in relation to FMI supervision. Disclosure of information by FMIs 15. Do you have any comments on the proposal for having disclosure standards consistent with the CPMI-IOSCO Disclosure Framework for FMIs? LSEG supports this proposal. We note that LCH Ltd already publishes these disclosures on its website: https://www.lch.com/resources/ccp-disclosures . Format of adopting the PFMI in standards under the Act 16. Do you have any comments on incorporating the PFMI into standards directly rather than by reference? Do you have comments on incorporating particular elements of the PFMI into legally binding standards? LSEG agrees with the Regulators’ preferred approach to incorporate the PFMIs into standards especially if there will be some changes to tailor to the New Zealand system. This will provide greater clarity. We note that it would be useful and much appreciated if the Regulators could publish a document comparing the text of New Zealand requirements against the PFMIs to highlight where the local requirements have diverged from the international standards. Contact info: Julian Oliver : Julian.Oliver@lseg.com Juliet Lee : Juliet.Lee@lseg.com

NON-CONFIDENTIAL VERSION – PAYMARK LIMITED 20 September 2021 Submission: Framework for Identifying Systemically Important Financial Market Infrastructures

1. Paymark Limited (Paymark) is pleased to submit to the Reserve Bank of New Zealand (RBNZ) and Financial Markets Authority (FMA) together the “Regulators” on two consultation documents: i) framework for identifying systemically important financial market infrastructures (FMIs) 1; and ii) developing standards for designated FMIs2.
2. Paymark has made three submissions previously on this topic: 2.1. in 2013 on the draft policy entitled "Strengthening Statutory Payment Oversight Powers"; 2.2. in response to the revisions made to the “Designation and Oversight of Designated Settlement Systems” in 2014; and 2.3. on the proposed FMI Bill in 2019.
3. All our submissions, including this one, are on the same theme: no risk has been identified regarding Paymark’s electronic messaging system that would be mitigated by designation as a systemically important FMI and there is no need to designate Paymark as a systemically important FMI.
4. Paymark was established in 1984 to enable low-cost Eftpos transaction processing, as a way of enabling banks and merchants to remove cash from the payment system and avoid the costs of cash-handling. Eftpos cards decreased the use of cash in our system and allowed banks and merchants to save money associated with the management and handling of cash. Eftpos transaction processing also delivered effective competition (to cheques and cash) and innovation in New Zealand. Since Paymark’s inception, it has played a key role in providing safe and secure payment processing services for New Zealanders. We have evolved over time and, whilst we continue to provide payment processing for Eftpos transactions, we also process transactions that are routed out to the global card schemes, such as Visa and Mastercard (the schemes), provide payment gateway solutions to ecommerce platforms and directly to ecommerce merchants, and we have embraced API-based technology.
5. Paymark is already under the general oversight of the RBNZ, and Government has indicated that Paymark may be subject to two further designation regimes that are currently progressing through the legislative process. Paymark considers three designation regimes (with potentially three different regulators) disproportionate when no clear problem with Paymark’s system has been identified.
6. Our key comments are as follows: 1 https://www.rbnz.govt.nz/-/media/ReserveBank/Files/regulation-and-supervision/financial-market-infrastructure￾oversight/regulatory%20developments/A-framework-for-identifying-systemically-important-financial-market￾infrastructures.pdf?revision=45327a48-9b3f-481f-a16d-8ce0ed2c7c22&la=en 2 https://www.rbnz.govt.nz/-/media/ReserveBank/Files/regulation-and-supervision/financial-market-infrastructure￾oversight/regulatory%20developments/Approach-to-developing-standards-for-financial-market￾infrastructures.pdf?revision=bddd0d5d-84eb-4734-be5c-b174503dd2ed&la=en

PAYMARK LIMITED – NON-CONFIDENTIAL VERSION 2 6.1. Paymark does not fall within the definition of an FMI in the FMI Act 2021: The definition refers to "multilateral system for the clearing, settling, or recording …"3. Paymark’s System is a bilateral system that records the authorisation of payment transactions, but not the payments themselves. The entities using the Paymark System have individual service contracts with Paymark. They are not “participants”. The Paymark System prepares the files that are used for settlement but does not itself perform clearing or settling functions. 6.2. Paymark should not be designated as systemically important: Should Paymark be considered an FMI, many of the risks identified are neither relevant nor applicable to the electronic messaging system operated by Paymark. No clear problem statement has been identified in respect of retail payment systems (RPSs) generally or of Paymark specifically. If Paymark were to be designated it would likely incur significant compliance costs, yet it would not directly benefit from the statutory guarantee for finality of settlement and netting. Further, there is no practical benefit to society or the payments environment of Paymark being designated over and above Paymark’s current obligation to supply the Reserve Bank with information. Paymark’s system is safe, secure and reliable, and Paymark manages its operational risks effectively. In fact, an increased regulatory burden on RPSs could result in increased fees to merchants and consumers to recover the costs associated with regulatory compliance with no apparent increase in protection or benefit for consumers. Responding to new regulatory requirements is likely to result in a redirection of resources away from developing new products and services. This change in focus would limit Paymark’s ability to respond quickly to changing market dynamics and lead to barriers to innovation. Paymark would much rather prioritise spending its time and resources innovating to develop better products and services for consumers and merchants rather than on compliance, reporting and monitoring when the perceived benefits of designation are not applicable to Paymark. Furthermore, designation could create a competitive disadvantage for Paymark and accelerate the introduction of global payments processors resulting in a loss of a local payment processor, increased costs for merchants and enhanced risk for the New Zealand retail payment system. 6.3. Facilitation of electronic messaging should not be designated: The Regulators have indicated that they will follow international best practice and that New Zealand has followed the US and Canadian approach to identifying systemic importance. RPSs are not designated as systemically important FMIs in these jurisdictions and this should be the same for New Zealand. They are still subject to oversight but with less stringent standards as compared to systemically important FMIs. Paymark proposes that the Reserve Bank continues to look to other jurisdictions and focus on including only those systems that perform interbank clearing and settlement facilities and/or that involve the transfer of funds. The risks and issues associated with funds transfer and settlement are likely to be far greater than those that arise from the processing of authorisation messages and preparation of files. If Paymark is to be designated, then it so follows that other New Zealand-based retail payment systems (such as Verifone and Windcave) and the international card payment schemes (Visa, Mastercard, Amex and UPI) would also be assessed. There must be a level playing field. 6.4. Other designations are in the pipeline: The Government has confirmed that it will legislate for a Consumer Data Right (CDR) which will encompass a designation regime. Markets will be identified during the consultation and certain sectors will go first with others following. The financial services sector, telecommunications and energy sectors 3 Financial Market Infrastructures Act 2021, section 5

PAYMARK LIMITED – NON-CONFIDENTIAL VERSION 3 are all referred to specifically in both the Cabinet Paper4 and the Regulatory Impact Statement5. It is highly likely that Paymark would be designated under the CDR as part of the financial services sector given the payments products it has developed and the data it holds for merchants and banks. Further, the Government has announced that RPS and merchant service fees will be regulated via the RPS regulation6, and the RPSs involved will be designated. It is highly likely that Paymark will be designated under this regime also. If you include the FMI regime, that’s three designation regimes for Paymark under at least three different regulators: New Zealand Commerce Commission (for RPS regulation); the RBNZ; the FMA; and potentially a new regulator for the CDR. These designation regimes seem to be the preferred mode of regulation, yet there’s little evidence they fix the perceived problems. The potential for conflict and overlap is significant. Determining which regime takes precedence in the case of conflict would be challenging, onerous and dangerous. 6.5. Paymark continues to be reliable and secure: The Ingenico Group purchased Paymark Limited in January 2019 and in November of 2020, Worldline SA purchased Ingenico Group. Worldline’s core business is in acquirer transaction processing and it understands the importance of Paymark’s electronic payments messaging system and its infrastructure. Worldline does not intend to make any significant changes to Paymark’s operations and intends to invest in both the existing processing infrastructure and as well as Paymark’s innovative new payments platform that utilises API connections called OPEN. Worldline is incentivised to ensure that the Paymark System remains safe, reliable, stable and secure. If Paymark’s electronic payments messaging system fails or if Paymark is not able to process transactions, there would be disruption to consumers and businesses as well as material loss of revenue for Worldline. However, if Paymark’s system does fail then consumers can still use cash and money transfers to make payments. The RBNZ has recently become a steward for money and cash and acknowledges that many New Zealanders have and use cash on a regular basis7. 6.6. Any failure likely to result from areas outside the Regulators oversight: The most likely causes of failure of our transaction processing facilities would include 4 https://www.mbie.govt.nz/dmsdocument/15536-establishing-a-consumer-data-right-proactiverelease-pdf 5 https://www.mbie.govt.nz/dmsdocument/15545-regulatory-impact-statement-establishing-a-consumer-data-right￾proactiverelease-pdf 6 https://www.mbie.govt.nz/business-and-employment/business/competition-regulation-and-policy/retail-payment￾systems/ 7 https://www.rbnz.govt.nz/notes-and-coins/future-of-cash/money-and-cash-department

PAYMARK LIMITED – NON-CONFIDENTIAL VERSION 4 telecommunications failures, power outages, or breakdowns in internet security, none of which are likely to be under the Regulators supervision or mitigated by designation. Furthermore, the step-in rights would be unlikely provide any more security to the payments environment in practice than that which is already in place. The technology that runs the Paymark System is understood by few technology specialists; those people are costly to obtain and globally there are insufficient numbers. Paymark suggests that the Regulators could find it challenging to employ the necessary resources, and practical capacities, to run the Paymark System effectively. Moreover, in the case of a crisis, there is unlikely to be any world expert readily available to the Regulators. Any regulatory proposition should be carefully specified to avoid promising more than it can deliver, while ensuring that it does deliver what it promises. 6.7. Rapid decline in Eftpos, increase in contactless and ecommerce: Covid-19 has changed the way consumers pay. This behaviour has been brought on by Level 3 and Level 4 lockdowns but has had an overall impact on consumer behaviour. Consumers would rather pay by contactless methods when they are instore. Furthermore, consumers have embraced ecommerce for shopping normally done instore (such as the groceries) both when in and out of lockdowns. This changes the dynamic (processing and pricing) of retail payments. Both online and contactless transactions are routed to the acquirer, who passes it to the international scheme, who passes it to the issuer for authorisation. Whereas Eftpos transactions go straight to the issuer for authorisation. This difference in routing makes Eftpos transactions significantly cheaper for merchants to accept. All switch-to-acquirer transactions (contactless and online) are made using international card scheme products (such as Visa and Mastercard). The popularity of these scheme products means that Eftpos is no longer a ‘must have’ for merchants thus removing any competitive constraint provided by Eftpos on the Mastercard/Visa duopoly. Contactless transactions are rapidly becoming the dominant instore transaction type. This will be further realised and cemented when the Retail Payments System Regulation comes into effect. This move to scheme products from proprietary Eftpos will open New Zealand up to the large international acquirers, such as Adyen and Stripe. Acquiring will become very competitive and merchants can contract with these large acquirers for all their payment needs both online and instore. Merchant reliance on these entities will increase as Eftpos declines. Windcave, which is dominant in New Zealand’s ecommerce market, is also a switch and an acquirer, and it will be best placed to take advantage of this change in consumer behaviour. Paymark suggests that the RBNZ might want to assess how this change in payment type impacts merchant and consumer reliance on acquirers and ecommerce gateways with large market shares, and the international card schemes. 6.8. Collaborate and cooperative processes would be beneficial: To provide insights on what might be genuinely useful to consumers and merchants when it comes to retail payments perhaps it would be beneficial if the Regulators were to facilitate an industry wide consultation on the problem definition with an intention to define how the industry and government can best work together, rather than through top-down regulation. Paymark would welcome the opportunity to work with the Reserve Bank to provide the level of assurance it needs through collaborative and cooperative processes. 6.9. Rules and standards are managed by others: The rules for payments are managed by parties other than Paymark, such as Payments NZ for Eftpos and the international scheme rules for their payment products. Paymark itself does not have rules nor does it have participants as described in the documents. Paymark supports Payments NZ’s submission as regards rules and standards. If rules are to be designated, then they need a specific framework and, any standards should be tailored to each system and not require infrastructure operators to do something that they cannot do. Existing standards should only be used where it makes sense to do so, and they must be proportionate to the size, nature, scope and risk profile of the RPS. Paymark itself is held to a high standard

PAYMARK LIMITED – NON-CONFIDENTIAL VERSION 5 via its bilateral contracts with its bank customers and industry requirements, such as PCI DSS8. 6.10. Cyber resilience is a manageable operational risk: Paymark supports option 1 and the RBNZ should continue to rely on the general and operational risk management standards to manage cybersecurity risks. There are existing frameworks (such as NIST CSF and Mitre Att&ck) that provide sufficient guidance for FMIs and there are certification standards (PCI DSS, ISO 27000) that can be used to provide evidence that a FMI's cybersecurity posture is appropriate. If a specific standard is developed for FMIs then Paymark would recommend that the scheme allows for independent assessors to attest to the level at which a FMI adheres to the standard, like the independent audits for PCI DSS and ISO 2700 certification. Without this ability, FMIs who provide services to other FMIs will incur substantial costs in providing evidence of compliance to the new standard and these resources could be better used to implement and maintain effective cybersecurity controls. The increasingly competitive landscape also ensures Paymark is incentivised to continue to invest in security. Perceived security vulnerability would likely result in merchants and banks moving to other systems. Conclusion Paymark is grateful for the opportunity to submit on the proposed framework for identifying systemically important financial market infrastructures. It was not obvious in the consultation documents whether or not RPSs were to be designated as systemically important. It would be useful, for entities such as Paymark, to understand the Regulators intentions as regards RPSs and the real risks it seeks to mitigate by way of designation. Should you wish to discuss any of the points raised in this submission, please do not hesitate to contact us. 8 https://www.pcisecuritystandards.org/

Implementation of Financial Market Infrastructures Act 2021 – Payments NZ submission to Reserve Bank (on a framework for identifying SIFMIs, on developing standards for designated FMIs) September 2021

Submission to Reserve Bank Page 2 of 14 Introduction

1. This submission is made by Payments NZ Limited (Payments NZ). It is made in response to the two consultation papers released by the Reserve Bank on 26 July 2021, namely: • A Framework for Identifying Systemically Important Financial Market Infrastructures, • Developing Standards for Designated Financial Market Infrastructures. Both consultations are for the purposes of implementing the Financial Market Infrastructures Act 2021 (the FMI Act) which came into effect on 10 May 2021. An implementation plan for the new law is set out in a covering paper to the consultations mentioned. This is to take place over an 18-month transition period and is expected to be completed at the end of 2022.
2. The Reserve Bank has previously indicated that the High Value Clearing System (HVCS) and Settlement Before Interchange (SBI) governed by Payments NZ are likely to be designated as systemically important financial market infrastructures (FMIs). Although the consultation papers appear to exclude retail systems, it is understood that the term retail is aimed at switches and schemes, and SBI will be a potential candidate for designation (notwithstanding its retail nature). Payments NZ accordingly proceeds on this basis.
3. The submission takes the form of general commentary, in the paragraphs that follow. Answers to the specific questions that are raised in the two consultations are attached. Overview
4. Payments NZ supports the proposed approach of using the CPSS/IOSCO1 Principles for financial market infrastructures (the PFMI) as a basis for both: • determining systemically important financial market infrastructures; and • the development of standards for these financial market infrastructures.
5. This will enable New Zealand to benefit from the considerable work that has been done globally on FMI regulation, and will enhance the credibility of our regime internationally. This is important for participants and new participants.
6. We note that, in terms of a framework for identifying systemically important FMIs, New Zealand is following the approach of United States and Canada and adopting a single framework which applies to all FMIs. We believe that it is better to have two different frameworks – one for identifying (systemically important) payment systems and one for other FMIs. This is because the risks and issues between the two types of infrastructure are very different and as such should be managed quite differently. This is the approach adopted in a number of overseas jurisdictions, many of which have a closer affinity to 1 Committee on Payment and Settlement Systems (now called the Committee on Payments and Market Infrastructures) and the Technical Committee of the International Organisation of Securities Commissions. The PFMI were published in

Submission to Reserve Bank Page 3 of 14 New Zealand. In particular, this is the case with Australia where there are closer economic considerations and obligations (as has been emphasised for the purposes of a consumer data right). 7. The regulatory approach to payments systems in Australia is considerably simpler than its regulatory approach to securities settlement systems and trade repositories. This is because of the critical roles that these FMIs have in the markets they serve, the credit risk dimension in the system, the data being stored and because they actually own and operate the infrastructure used to clear and settle transactions. We also note that there is a difference in how the PFMI are applied in Australia. In the case of payment systems, this is done by conducting self-assessments against the PFMI. In the case of securities settlement systems and trade repositories, it is done by the incorporation of standards which follow the PFMI (adapted to Australian circumstances). To date, the Reserve Bank Information and Transfer System (RITS) is the only domestically focused payment system that is regarded as systemically important by the Reserve Bank of Australia. 8. While we endorse the use of the PFMI for New Zealand, we do note the misalignment between the PFMI and the approach in the FMI Act in relation to the regulation of payment systems. The PFMI define a payments system as a: “set of instruments, procedures, and rules for the transfer of funds between or among participants; the system includes the participants and the entity operating the arrangement” Annex D of the PFMI makes it clear that the payment system operator is an entity that runs the infrastructure. A rule-making body does not appear to be contemplated in this regard (per footnote 188). Payments NZ is a rule-making body and does not own or operate payments infrastructure. However, the definition of operator in the FMI Act includes a person that maintains or administers rules which seems somewhat unusual and artificial. Framework for assessing systemically important payment systems 9. Systemically important is defined in section 28 of the FMI Act. Section 24 sets out the matters that must be taken into account in deciding whether an FMI is systemically important. These matters are consistent with the PFMI and we endorse conformity with international best practice. 10. We do not, however, believe that the matters that are set out in section 24 should be ranked equally. In our view, the size of the payment system should be the most important factor in determining whether an FMI is systemically important. In this regard, size should not be applied as absolute volumes of transactions processed or the value of transactions undertaken. Instead it should be a percentage of the system that they represent. Size needs to be dynamic and capable of catering for adjustments (upwards or downwards) relative to the size of the payment system.

Submission to Reserve Bank Page 4 of 14 11. The other factors are the types of participants, the nature and scope of activities, interconnectedness, the concentration of financial risk, and substitutability. In our view these should largely be used as weighting factors when it is not clear that a payment system should be included or not because of its size (being the prime determinant). Designation of rules 12. The focus of the first consultation is on the framework for identifying systemically important financial market infrastructures and the criteria in this regard. Section 29 requires the designation notice to specify the documents that set out the FMI’s rules and, as a result of that, making the rules subject to the law. The consultation does not endeavour to deal with the designation of rules which is an omission so far as Payments NZ is concerned, when it is purely a rule-making body. We are very much of the view that a framework is also needed for the designation of rules, in particular, to determine what rules should be caught and what rules should not. 13. It is a relatively straightforward matter to determine what needs to be designated for such systems as the Exchange Settlement Account System (ESAS), which have standard terms and conditions. It is significantly more problematic when it comes to the rules of Payments NZ which cover a range of payment instruments with a great deal of operational detail which changes frequently. As we have mentioned previously, our rules are voluminous. They run to some 1550 pages and we are close to issuing the 50th version of the rules (averaging roughly five consolidated updates each year). This differs dramatically from the frequency of the changes that occur with the other FMIs which do not tend to evolve nearly as much as payment rules. The payment ecosystem is fast changing and dynamic. The rules need to keep pace with the developments that take place. Standards 14. Payments NZ broadly supports the pillar approach that is contemplated in the second consultation paper. We note that Pillar I will not be relevant to Payments NZ as it is concerned with settlement systems that are currently designated under Part 5C of the Reserve Bank of New Zealand Act 1989. 15. Payments NZ endorses the approach of using the PFMI as the basis for the standards. As the Reserve Bank is aware, we have always assessed our rules against the PFMI (including all changes in the rules). We have done this continuously since Payments NZ was established, in line with our constitutional objective to promote interoperable, innovative, safe, open and efficient payment systems (which in fact mirrors the safety and efficiency objectives of the PFMI). We have always endeavoured to make sure that our rules conform with the PFMI and there is already a strong alignment with the PFMI in terms of our rules, governance structures and how we operate. This should be taken into account in determining what is needed or expected by way of compliance i.e. regard must be had to what is already in place and what is already being done by a designated FMI.

Submission to Reserve Bank Page 5 of 14 16. Contravention of a standard by an operator gives rise to liability for a pecuniary penalty pursuant to section 33. Subpart 2 of Part 5 then spells out matters that are relevant to the imposition of a pecuniary penalty. As understood, the standards under Pillar II will take the form of the PFMI, by reciting the principle in each case followed by the key considerations. This does seem a somewhat interesting way to base the liability that arises under the law, in particular, when regard is had to how the PFMI are expressed. They do not take the form of hard and fast requirements but are somewhat aspirational in nature with room for flexibility of application. In the circumstances, we consider that self-assessment is really the only way to back-up or support oversight. This indeed is the position in Australia, as mentioned. 17. We note the following matters that are to be covered under Pillar III:  contingency plans;  breach and outage reporting requirements;  management of cyber risk;  the treatment of critical service providers;  the treatment of overseas FMIs; and  the disclosure of information by FMIs. In our view, these matters are already covered (in some detail) in the PFMI and we are not convinced that the Reserve Bank needs to go beyond the core PFMI when developing standards. We would like to better understand the need for these special treatments given the wide scope of the PFMI which will be operating for the purposes of Pillar II. 18. We note the narrative in the consultation on the tailoring that needs to be done where the operator controls the rules of the FMI but not the underlying infrastructure. We strongly support the first principle espoused when it comes to this, namely, that standards should not require operators of these FMIs to do something they cannot do. This is something we have emphasised in previous submissions and we are pleased that it has been given the recognition that it has in the latest consultation. 19. As mentioned previously, Payments NZ is a rules body only and is only brought into the regime by virtue of the definition of operator (and which is somewhat at odds with the PFMI). As such, a number of the PFMI will simply not apply to Payments NZ as it does not own or operate any infrastructure. Other PFMI will only have partial application if Payments NZ is going to be specified as an operator for the purposes of the law. Payments NZ has undertaken an assessment of those PFMI which it considers apply to it and, in this regard, how Payments NZ complies with those PFMI. We would welcome the opportunity to meet with the Reserve Bank to discuss our conclusions with you. 20. The principle of not requiring parties to do things that they cannot do has been expressed in the context of Pillar II. It does however have equal relevance and validity in the context of Pillar III, in particular, in the following respects: • Contingency plans: Payments NZ does not own infrastructure and does not have any contracts with critical service providers in relation to the provision of infrastructure. Therefore, while it can identify events that pose a significant risk

Submission to Reserve Bank Page 6 of 14 of disrupting the operation of HVCS or SBI, including events that could cause widespread or major disruption, it may not be able to deliver a contingency plan as it cannot enforce standards over critical service providers; • Breach and outage reporting: for Payments NZ, breach and outage reporting will be limited to information that is made available to it. It is noted that Payments NZ’s rules already cover incident reporting and we believe that this is adequately covered by Principle 17 of the PFMI which require an FMI to identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. We do not see any value, for ourselves, in public disclosure of material breaches relating to standards. If public reporting is required, we would like to understand what would be defined as material (e.g. public reporting should not cover matters such as an event that materially increases the risk to a designated system); • Management of cyber risk: the Reserve Bank notes that cyber resilience is crucial for FMIs to promote a safe and efficient financial system and that there is a heightened risk to the wider financial system from cyber incidents that impact FMIs. Payments NZ, in principle, supports the Reserve Bank’s view that standards should be developed to address cyber risk management for designated FMIs (under Principle 17 of the PFMI). However, these must be proportionate to the size, structure and operational environment of an entity, as well as the nature, scope, complexity, and riskiness of its products and services; • Treatment of critical service providers: The Reserve Bank notes that it could set requirements directly on critical service providers or set requirements on how FMIs use critical services providers (as explicitly provided for by the PFMIs). Payments NZ does not have any contractual relationships with critical service providers in relation to the provision of critical services. Therefore, the Reserve Bank would need to set requirements directly itself on critical service providers. Payments NZ does not support the Reserve Bank’s preferred option to regulate critical service providers indirectly by requiring the contractual terms between the FMI operators and their critical service providers to reflect the Reserve Bank’s expectations at a principle-based level. This is because of the risk, identified by the Reserve Bank, that an FMI would not be able to negotiate the appropriate terms with a critical service provider which may hinder the ability of the FMI to obtain the critical service; • Disclosure of information: the Reserve Bank proposes using the CPMI-IOSCO Disclosure Framework with FMIs reviewing their disclosures at a minimum of every 2 years to ensure they remain accurate. We are unclear as to the benefit of this for Payments NZ, noting that it will involve a considerable amount of time and overhead. Payments NZ already assesses itself and its rules against the PFMI and we believe this is sufficient in our circumstances.

Submission to Reserve Bank Page 7 of 14 Overall, there are limitations on how much Payments NZ can do in the circumstances. Ideally this could have been made clearer in the proposals under Pillar III when a rule￾making body is brought into the picture and is to be designated under the regime. Implementation timetable 21. In our view the timetable for implementation of the law is unrealistic, and we believe that extra time should be built into the plan, particularly in light of the disruption caused by COVID-19. There is a great deal of work that has to be done by affected parties and indeed by the Reserve Bank itself, in particular: • the Reserve Bank has to finalise the framework for identifying systemically important FMIs. This may differ between the types of FMI. Then assessments of those FMIs have to be carried out and the affected FMIs consulted; • the policy around the development of standards has to be finalised and the standards drafted. There is then publication of an exposure draft for consultation. Actual application of the standards will involve tailoring dependent on the circumstances and type of the individual FMI. This may well involve further consultation and drafting especially when there is partial application of the PFMIs; • the designation notice must also specify the documents that set out the FMI’s rules. This is going to represent significant time and effort should Payments NZ be designated, in particular, given the nature and extent of our rule book (with the restructuring and redrafting of the rule book that is likely to arise). In the circumstances, we believe a transitional period of 18 months will just not be adequate, if it is to be worthwhile (in general terms, given the time needed for the finalisation of policies and the consultation that will have to occur). 22. Payments NZ is grateful for the opportunity to make this submission on the two consultations. We hope what we have said will be carefully considered by the Reserve Bank and taken into account when finalising the oversight arrangements under the FMI Act, and in terms of the ongoing operation of the law. It is our wish to be as constructive as possible in the interests of the payments sector and doing what is best for all stakeholders. Steve Wiggins Chief Executive Payments NZ Limited

Submission to Reserve Bank Page 8 of 14 A Framework for Identifying Systemically Important Financial Market Infrastructures We are broadly in agreement with this approach. Transparency and clarity are certainly important when exercising the statutory powers, given the significance and impact of designation. As set out in our submission, Payments NZ believes that size should be the prime determinant. While the factors suggested by the Reserve Bank to assess the size of FMIs are relevant, Payments NZ prefers assessing the size based on the percentage of the system that they represent so that adjustments (upwards or downwards) relative to the size of the payment system can be accommodated. The other matters in section 24 should only become important if size is not decisive. Payments NZ does not have any comments on the factors suggested by the Reserve Bank for assessing the types of persons who are participants of an FMI. However, Payments NZ would like to understand the relevance of indirect participants to this assessment. Payments NZ does not have any comments on the factors suggested by the Reserve Bank for assessing the nature and scope of activities of FMIs. Annex A: Consultation questions Question 1: Do you have any comments on the design of the Framework (noting that it is based on the FMI Act, aligned with the PFMI, and balanced regulatory discretion with transparency and clarity)? Question 2: Do you have any comments on the factors we suggest for assessing the size of FMIs? What other factors do you consider we should include in this category? Question 3: Do you have any comments on the factors we suggest for assessing the types of persons who are participants of FMIs? What other factors do you consider that we should include in this category? Question 4: Do you have any comments on the factors we suggest for assessing the natureand scope of activities of FMIs? What other factors do you consider we should include in this category?

Submission to Reserve Bank Page 9 of 14 Payments NZ would like to understand the extent to which indirect interconnectedness will be taken into account by the Reserve Bank in assessing the interconnectedness of FMIs. Payments NZ does not own or operate any infrastructure and, while it is reliant on, for example, ESAS to settle transactions, it has no direct relationship in relation to the provision of services by ESAS, and has no indirect connection which would allow it to take any action in the event of any disruption or failure of such an FMI. Payments NZ has no comment on the factors suggested by the Reserve Bank for assessing the interconnectedness among participants of FMIs. Payments NZ manages the rules for what is, in effect, a decentralised bilateral model that uses SWIFT messaging and ESAS settlement services. There is no concentration of financial risk, and credit risk and liquidity risk do not have relevance in the circumstances of Payments NZ. Payments NZ therefore has no comment on the factors suggested by the Reserve Bank for assessing concentration of financial risks for FMIs. Payments NZ agrees in principle with the Reserve Bank that the systemic importance of an FMI will, all other things equal, be reduced where its critical services are substitutable and readily available elsewhere in the market. However, in the case of a failure for Payments NZ, which is a rule making body, there may not need to be an immediate substitute available if all parties were to agree to continue to use the rules until such time as a new organisation or method is found for managing the rules. Question 5: Do you have any comments on the factors we suggest for assessing the interconnectedness of FMIs? What other factors do you consider we should include in this category? Question 6: Do you have any comments on the factors we suggest for assessing the interconnectedness among participants of FMIs? What other factors do you consider we should include in this category? Question 7: Do you have any comments on the factors we suggest for assessing the concentration of financial risk of FMIs? What other factors do you consider we should include in this category? Question 8: Do you have any comments on the factors we suggest for assessing the substitutability of FMIs? What other factors do you consider we should include in this category?

Submission to Reserve Bank Page 10 of 14 Developing Standards for Designated Financial Market Infrastructures Annex A: Consultation questions Question 1a: Do you have any comments on the proposed one-time transition approach to developing and issuing standards? Payments NZ supports the one-time transition approach favoured by the Reserve Bank to developing and issuing standards. We believe that this will provide greater clarity about what the regulatory requirements will look like and ensure a more cohesive and sensible outcome. However, we note the Reserve Bank’s concerns in relation to the time constraints for the standards development process and, as set out in our submission, we do not think an 18 month time frame is achievable and will be very challenging for everyone concerned. Covid 19 also needs to be taken into account. Question 1b: Do you have any comments on the proposed approach to not differentiate standards based on how FMIs become designated? We have no comments to make on this. Question 2: Do you have any comments on the planned approach to incorporate existing regulatory requirements (i.e. conditions of designation) into standards under the new regime? We have no comments to make on this. Question 3: Do you have any comment on the PFMI forming the basis of standards for designated FMIs operating in New Zealand? We support the use of the PFMI for the purposes of the standards but note that there will be challenges when it comes to setting standards that reflect the realities faced by FMIs operating in New Zealand. For example, some of the principles which the Reserve Bank identifies as relating to payment systems will not be applicable to Payments NZ because it is a rules making body and does not own or operate infrastructure. Therefore, the PFMI should only be used as a basis for standards where it makes sense to do so and any standards must be proportionate to the size, nature, scope, and risk profile of the FMI. We draw attention to how they are applied in Australia in respect of their domestic payment system, by using self-assessments. Question 4a: Do you have any comments on whether the scale and scope of an FMI’s operations may require standards to be tailored to their particular circumstances?

Submission to Reserve Bank Page 11 of 14 Payments NZ endorses the Reserve Bank’s overarching approach to tailoring standards for FMIs where the operator controls the rules of the FMI but not the underlying infrastructure, namely that standards should not require operators of these FMIs to do something they cannot do. We agree with the principle that any tailoring of standards should aim to avoid overlap with regulatory requirements imposed elsewhere (for example, if the FMI relies upon infrastructure provided by another designated FMI, substantial reliance can be placed upon the fact that the other FMI will already be complying with applicable standards relating to that infrastructure). However, we do not understand where such an overlap could occur or how standards could be imposed on Payments NZ in relation to infrastructure providers with whom it has no direct relationship for the provision of such services. We support the approach outlined by the Reserve Bank that standards applying to these types of FMIs could potentially be divided into 3 categories: • standards that should fully apply to these FMIs; • standards that should apply to these FMIs in part; and, • standards that should not apply to these FMIs. Question 4b: What other factors do you think may influence the need for tailoring? As set out in our submission, standards need to take into account the size, nature, scope, and risk profile of the FMI, in particular, when it merely controls the rules and not the underlying infrastructure. Question 4c: Which standards (see Annex B) do you think will require tailoring and what tailoring is required? Payments NZ notes that there will be a number of PFMI which will not be relevant at all to its activities and there are also other PFMI that will only have partial relevance to it. As noted in our submission, Payments NZ has undertaken an assessment of those PFMI which it considers apply to it and how Payments NZ complies with those PFMI. We would welcome the opportunity to meet with the Reserve Bank to discuss our conclusions with you. Question 5: Do you have any comments on the approach for FMI contingency planning in the standards? We note that the FMI Act requires contingency plans to be: • comprehensive, adequate and credible, taking into account the type of FMI concerned and the activities carried out under it; and • capable of being activated and implemented effectively when appropriate.

Submission to Reserve Bank Page 12 of 14 While the Reserve Bank has proposed a largely high-level approach to issuing standards for the content of contingency plans, it has indicated that the standard will likely require contingency plans to, inter alia: • identify the FMI’s essential services. • identify events that pose a significant risk of disrupting the FMI’s operations, including events that could cause widespread or major disruption (such as the failure of a critical service provider or linked FMI, or a natural disaster). • identify events that have a significant risk of placing the operator under financial stress that could affect the ability of the FMI to continue to provide essential services (e.g. credit losses or liquidity shortfalls caused by participant default, general business losses, realisation of investment losses). • set out what constitutes an acceptable degree of recovery and within what timeframes, and if recovery within 2 hours is not possible, the reasons why. • set out policies and procedures (including management procedures) designed to respond to identified operational and financial risk events. Payments NZ can develop a contingency plan which identifies essential services and risk events. However, it is unable to develop a credible plan in relation to policies and procedures designed to respond to these risks (because it has no direct or indirect relationship with the essential services) which are capable of being activated and implemented effectively when appropriate. Question 6: Do you have any comment on our plan to apply breach reporting requirements to designated FMIs like those in section 412 of the Financial Markets Conduct Act 2013? Payments NZ understands the need for breach reporting requirements but does not see value in public disclosure of material breaches in standards in respect of a rules making body and therefore does not support this. Question 7: Do you have any comment on our plan to carry over outage reporting requirements for FMIs currently designated under the RBNZ Act 1989 to all FMIs designated under the Act? This seems appropriate for FMIs that own or operate infrastructure, but would not make sense for Payments NZ as a rule-making body because it will not have direct access to such information. Question 8: Do you agree with our preferred option to publish material breaches by FMIs on both the operator’s and the Regulator’s official website(s)? See our comment in relation to question 6.

Submission to Reserve Bank Page 13 of 14 Question 9: Do you have any comments on the proposed approach of making the RBNZ Guidance on cyber resilience the basis for regulatory requirements for designated FMIs and supplementing this with relevant content from CPMI-IOSCO Guidance to address any areas where cyber risk management is unique to FMIs? Payments NZ acknowledges the work that RBNZ has done on cyber resilience. It appears to be a sound basis for use in the regulation of FMIs. As set out in our submission, Payments NZ supports the development of standards to address cyber risk management for designated FMIs which operate infrastructure (but suggests that this can be done under Principle 17 of the PFMI). However, these must be proportionate to the size, structure and operational environment of an entity, as well as the nature, scope, complexity, and riskiness of its products and services. Question 10: What are your views on the 2 options that have been identified? Are there additional factors that should be considered when setting regulatory requirements around cyber resilience? As noted above, Payments NZ supports option 1, where the Reserve Bank relies on general and operational risk management standards to address cybersecurity risk. It needs to be understood, however, that Payments NZ can only do what it is able to do, in particular, when it does not own or operate payments infrastructure. It is in a different position to its participants. Its participants too are (in the main) directly regulated by the Reserve Bank and will be subject to their own cyber risk requirements in that context. Question 11: What factors should be considered when identifying service providers as critical? Do you see value in clarifying the interpretation of what a critical service provider is from the very high-level description provided in the PFMI? The Reserve Bank proposes defining a critical service provider as “a provider of services without which the delivery of the FMI’s key business lines - related to its designation notice - would be significantly disrupted”. The Reserve Bank supports imposing standards on FMIs that influence aspects of the relationship between FMI operators and critical service providers to hold an FMI’s critical service providers to the same standard as if the FMI were to provide the service itself. While Payments NZ supports clarifying the interpretation of what a critical service provider is, we believe that consideration also needs to be given to whether there is a direct (or indirect) contractual relationship between the FMI and the critical service provider which could allow the FMI to impose requirements on the critical service provider. However, as set out below, Payments NZ believes that it makes a lot more sense for any requirements to be imposed directly by the Reserve Bank.

Submission to Reserve Bank Page 14 of 14 Question 12: Do you have any comments on the proposed two-stage process to identifying critical service providers? Payments NZ supports the two-stage process for identifying critical service providers but believes that the first stage should include information on whether the FMI has a relationship with the critical service provider. Question 13: Do you have any comments on our preferred option to require the contractual terms between the FMI operators and their critical service providers to reflect our expectations at a principle-based level? Payments NZ does not support the Reserve Bank’s preferred option to regulate critical service providers indirectly by requiring the contractual terms between the FMI operators and their critical service providers to reflect the Reserve Bank’s expectations at a principle-based level. This is because of the risk, identified by the Reserve Bank, that an FMI would not be able to negotiate appropriate terms with a critical service provider which may hinder the ability of the FMI to obtain the critical service. It is noted that Payments NZ does not have any contractual relationships with critical service providers in relation to the provision of critical services. Therefore, it would make more sense for the Reserve Bank to set requirements directly on critical service providers. Question 14: Do you have any comments on the preferred option of allowing substitute compliance for overseas FMIs, subject to meeting equivalence and cooperation conditions? Are there any significant issues regarding the treatment of overseas FMIs that you would like to draw to our attention? We have no comments to make on this. Question 15: Do you have any comments on the proposal for having disclosure standards consistent with the CPMI-IOSCO Disclosure Framework for FMIs? Alignment with the CPMI-IOSCO Disclosure Framework may be appropriate for an infrastructure provider but it will be onerous in our circumstances when we are purely a rules body. Our preference is a self-assessment per our current approach. Question 16: Do you have any comments on incorporating the PFMI into standards directly rather than by reference? Do you have comments on incorporating particular elements of the PFMI into legally binding standards? We do not have a strong view about the method used. Incorporation needs to be limited to the PFMI that apply to the FMI or the particular elements of a PFMI that apply to the FMI. Please note that Australia uses self-assessments when it comes to payment systems. Incorporation of the PFMI into standards is only done in respect of central counterparties and securities settlement facilities.

Page 1 of 3 Visa Worldwide (New Zealand) Ltd Level 16, Jarden House 21 Queen Street Auckland 1010 New Zealand www.visa.co.nz 20 September 2021 Via: fmiconsultation@rbnz.govt.nz Dear Sir/Madam, Consultation on Financial Market Infrastructure Act Visa welcomes the opportunity to respond to the Reserve Bank of New Zealand’s (RBNZ) and Financial Markets Authority’s (FMA) consultation on the Financial Market Infrastructure (FMI) Act, specifically with reference to the FMI Act Implementation Plan and the following consultation papers: • A framework for identifying systematically important financial market infrastructures; and • Developing standards for designated financial market infrastructures. Visa shares the New Zealand Government’s vision to ensure the country’s economic prosperity, including for its citizens, through a payments system that benefits all participants. More specifically, the ongoing development of a secure, efficient, competitive and innovative electronic payments system is essential to the growth, stability and resilience of the New Zealand economy. As a global payments technology company, we support strong and stable payment systems not only in New Zealand, but also around the world. The strength of our partnership with governments and regulators worldwide rests on the following principles: • Payments system oversight which is proportional to the risk posed by individual players in the payments ecosystem. • Regulatory frameworks operate most effectively and efficiently when they recognise the oversight requirements already in place for international payment networks that meet best practices and compliance standards under other competent authorities. • Principles-based and technology-neutral regulation which helps ensure that countries are able to keep pace with market developments and fosters an environment that supports innovation. • Regulation which ensures a level playing field and fair competition. Visa provides transaction processing services (primarily authorisation, clearing and settlement) to our financial institution and merchant clients through VisaNet, our global processing platform. We are primarily a business-to-business organisation that serves highly regulated financial institutions. Visa is not a financial institution, and we do not issue cards, extend credit

Page 2 of 3 Visa Worldwide (New Zealand) Ltd Level 16, Jarden House 21 Queen Street Auckland 1010 New Zealand www.visa.co.nz or set rates and fees for consumers. In most cases, accountholder and merchant relationships belong to, and are managed by our clients, who are generally financial institutions. Risk management is necessarily a core aspect of Visa’s business, from product and service design to security and operations. For this reason, regulators view Visa as a credible and capable partner in controlling systemic risk and expanding market access and innovation. The commercial realities of Visa’s business model are inherently aligned with the RBNZ’s and FMA’s risk and efficiency objectives. At the outset, we commend the RBNZ and FMA on taking a risk-based approach to regulation, both in terms of (i) recognising that wholesale payment systems pose a greater risk to the financial system and (ii) recognising the existing oversight of overseas FMIs. First, we agree with the RBNZ’s and FMA’s view that payment systems primarily used to facilitate retail transactions are less likely to meet systemic importance thresholds. We also agree with the view that wholesale interbank payment systems are generally regarded as systemically important, as expressed in the FMI Act Implementation Plan and the “Framework for identifying systematically important financial markets infrastructures” consultation paper.1 As Visa has noted in previous submissions on this topic, we support stable and efficient payments oversight frameworks that account for differences that exist among different kinds of payment systems (retail vs. wholesale payment systems).2 We note that retail payment systems like Visa usually involve small-value transactions between two consumers, between a consumer and a business, or between two businesses and involve deferred settlement. In contrast, wholesale payment systems deal with inter-bank, inter-country, large-value, and large-volume real-time payments and related clearing and settlement systems. Unlike wholesale payment systems, retail payment systems do not pose systemic risk because their failure would not threaten the solvency or liquidity of the overall system. Oversight frameworks that take into account this key distinction will be more efficient and ultimately more successful in both meeting the needs, and managing the risks, of a country’s payments ecosystem. For these reasons, we support the RBNZ’s and FMA’s acknowledgement of these differences in wholesale and retail payment systems. Second, we note that the RBNZ and FMA express a preference for Option 2 on the treatment of overseas FMIs in the consultation paper on “Developing standards for designated financial market infrastructures”, which recognises the existing oversight of overseas FMIs. 3 This preference is on the grounds that it would help regulators “minimise the regulatory burden on 1 Reserve Bank of New Zealand and Financial Markets Authority (2021), “The Financial Market Infrastructures Act Implementation Plan”, page 3, paragraph 12; Reserve Bank of New Zealand and Financial Markets Authority (2021), “A Framework for Identifying Systemically Important Financial Market Infrastructures,” page 9, paragraphs 38-39. 2 As Visa noted in its submissions on the draft FMI Act: https://www.rbnz.govt.nz/-/media/ReserveBank/Files/regulation-and￾supervision/financial-market-infrastructure-oversight/regulatory%20developments/Visa-submission-FMI￾bill.pdf?revision=f10299e3-6eea-4839-9b51-d2ad45503030&la=en and https://www.parliament.nz/resource/en-NZ/52SCFE_EVI_93550_FE25885/e793a4506ab610dbbbb6b22e5d9c853ed33eaa52 3 Reserve Bank of New Zealand and Financial Markets Authority (2021), “Approach to developing standards for financial market infrastructures”, page 22, paragraph 95.

Page 3 of 3 Visa Worldwide (New Zealand) Ltd Level 16, Jarden House 21 Queen Street Auckland 1010 New Zealand www.visa.co.nz overseas FMIs which are already regulated under an equivalent regulatory framework and maximise the effective use of Regulator resources in New Zealand”4 Visa commends the RBNZ and FMA on taking a risk-based approach to regulation, which recognises the existing oversight of overseas FMIs. We believe that regulatory frameworks should account for oversight requirements already in place for overseas FMIs, such as international payment networks, that meet best-practices or comparable risk and compliance standards under another competent authority. In Visa’s case, we are subject to robust regulatory oversight in our home country by the US Federal Financial Institutions Examinations Council, an interagency body that contains multiple US authorities including the US Federal Reserve Board. The RBNZ’s and FMA’s support for Option 2 also takes account of the possibility that duplicative regulation can lead to confusion, regulatory inefficiency and unnecessary costs. Duplicative regulation is inefficient for central banks, potentially leaving them with fewer resources to devote to emerging payment services that often times require much more focus on, for example, risk management processes. In addition, RBNZ’s and FMA’s support for Option 2 recognises that not providing for equivalency places an additional regulatory requirement on international payment service providers. An uneven playing field not only negatively impacts providers like Visa, but also leads to economic distortions in the larger payments ecosystem. Visa appreciates the opportunity to contribute to this consultation process, and we would welcome discussing the FMI Act with the RBNZ and FMA. Yours sincerely, Anthony Watson Country Manager, New Zealand & South Pacific 4 ibid.