FMI Standard 17: Operational Risk

FMI STANDARD 17: OPERATIONAL RISK FS17

Ref #20368278 v1.0 DOCUMENT VERSION HISTORY 1 March 2024 First issue date INTRODUCTION Application i. This standard applies to every operator of a designated FMI that was specified in its designation notice under section 29(2)(f) of the Financial Market Infrastructures Act 2021 (the Act) as falling within one or more of the following classes of designated FMIs: (a) a pure payment system; or (b) a securities settlement system; or (c) a central securities depository; or (d) a central counterparty. Legal powers ii. Under section 8 of the Act the regulator is defined as the RBNZ and the FMA acting jointly (or the RBNZ acting on its own in relation to pure payment systems). iii. Section 12 of the Act provides the regulator's functions. These include regulating designated FMIs, dealing with designated FMIs that are distressed, and other functions under the Act. iv. Subject to certain statutory prerequisites, section 31 of the Act empowers the regulator to make standards for designated FMIs. v. Section 34 sets out the matters that standards may deal with or otherwise relate to. Sections 34(1)(e)(i) and (ii) provides that a standard may deal with, or otherwise relate to, the management by operators of operational risk. Interpretation vi. The words and phrases used in this standard have the same meaning as in the Act. vii. Applicable auditing and assurance standards has the same meaning as in section 5(1) of the Financial Reporting Act 2013. viii. Essential services means: (a) for services provided by designated FMIs which are assessed as systemically important by the regulator under section 24 of the Act, all services contributing to the assessment that an FMI is systemically important; and (b) for services provided by designated FMIs that are not assessed as systemically important under section 24 of the Act, any services covered by the protections in subpart 5 of part 3 of the Act.

Ref #20368278 v1.0 ix. Internal systems means mechanisms within an FMI or operator to implement policies, procedures, or controls. x. Material incident means an event that: (a) causes: A. a slowdown in the operation of the FMI; or B. a restriction or partial availability of the FMI; or C. a security threat to the system; or D. an increase in the risk of an outage, slowdown, restriction, or security threat; or E. a potential or actual adverse impact on the future operation of the system; and (b) has a substantive adverse impact on the FMI's participants (or, for an overseas-equivalent FMI, the FMI’s New Zealand participants) or the New Zealand financial system. xi. Material outage means an outage that has a substantive adverse impact on the FMI's participants or the financial system. xii. Outage means an event that causes the system to be unavailable for use by any or all participants (or for an overseas-equivalent FMI, the FMI’s New Zealand participants), regardless of: (a) the cause; and (b) the length of time of the outage. xiii. Qualified auditor means any of the following: (a) a licensed auditor as defined in section 6(1) of the Auditor Regulation Act 2011; or (b) a registered audit firm as defined in section 6(1) of the Auditor Regulation Act 2011; or (c) the Auditor-General as defined in section 4 of the Public Audit Act 2001. Commencement xiv. This standard comes into force on 1 March 2024.

Ref #20368278 v1.0 REQUIREMENTS

1. An operator must: a) identify the reasonably foreseeable sources of operational risk for the FMI, both internal and external; and b) mitigate their impact through the use of appropriate policies, procedures, and internal systems on an ongoing basis.
2. An operator must ensure that the FMI’s internal systems are designed to ensure a high degree of security and operational reliability, and must have adequate capacity to continue to provide essential services.
3. Further to the requirements in clauses (1) and (2), an operator must: a) implement and maintain a robust operational risk management framework for the FMI, with appropriate policies, procedures, and internal systems to identify and manage operational risks; and b) ensure that the operational risk management framework, as well as compliance with such framework, is assessed by way of an external assurance engagement, undertaken in accordance with applicable auditing and assurance standards, by a qualified auditor– i) at least every two years; and ii) subject to clause (4), whenever a material incident or material outage occurs; and c) provide any report from an external assurance engagement to the regulator at the regulator’s request; and d) ensure the board of directors of the operator clearly defines the roles and responsibilities for addressing the FMI’s operational risk, and endorses the FMI’s operational risk management framework; and e) ensure that policies, procedures, and internal systems are reviewed and tested annually and after substantive changes to those policies, procedures or internal systems; and f) have clearly defined operational reliability objectives for the FMI, policies, and procedures in place that are designed to achieve those objectives; and g) ensure that the FMI has capacity adequate to handle increasing stress volumes and to achieve its service-level objectives; and h) have comprehensive physical and information security policies for the FMI that address all potential vulnerabilities and threats; and i) identify and manage the risks that key participants, other FMIs, and service and utility providers might pose to the FMI’s operations. In addition, an operator must identify and manage the risks the operations of the FMI might pose to other FMIs.
4. Clause (3)(b)(ii) does not apply if, in the opinion of the operator, it is not reasonably practicable to seek an external assessment following the material incident or material outage.
5. If clause (4) applies, the operator must provide reasons for its opinion to the regulator as soon as possible following a material incident or outage.

Ref #20368278 v1.0 (See Guidance for Standard 17: ‘Operational Risk’, in Guidance for the FMI Standards for more detail, also see Standard 17A ‘Contingency plans’, Standard 17B ‘Critical service providers’ and Standard 17C ‘Cyber risk management’ for further requirements).