2022-05-17

Response to Submissions: Approach to Implementing the Financial Market Infrastructures Act 2021

The Reserve Bank of New Zealand and the Financial Markets Authority issued this document to summarize stakeholder feedback on implementing the Financial Market Infrastructures Act 2021. The regulators confirmed a principles-based framework for identifying systemically important financial market infrastructures and outlined a three-pillar approach to developing regulatory standards. Key decisions include adopting specific cyber risk standards, granting regulators discretion over publishing material breaches, and establishing requirements for contingency planning and critical service provider contracts.


New Zealand

Reserve Bank of New Zealand


Ref #X204575 v1.1

Response to Submissions: Approach to Implementing the Financial Market Infrastructures Act 2021 20 January 2022

Contents

Background
The Financial Market Infrastructures Act
A Framework for Identifying Systemically Important Financial Market Infrastructures
  Framework design
  Factors for determining systemic importance
Developing Standards for Designated Financial Market Infrastructures
  Purpose, scope, timing, and application of standards
  Pillar II: Reflecting the PFMI in standards under the Act
  Pillar III: Matters not sufficiently covered by the core PFMI
Annex A: Lists of consultation questions and Regulator response to questions

Background

The Financial Market Infrastructures Act (the Act) became law on 10 May 2021. The Act prescribes the Reserve Bank of New Zealand (Reserve Bank) - Te Pūtea Matua and Financial Markets Authority (FMA) - Te Mana Tātai Hokohoko (together, the Regulator) as dual regulators of Financial Market Infrastructures (FMIs). The Regulator plans to implement the Act over approximately 18 months, and expects to complete transition to the new regime by early 2023.

On 26 July 2021 we released two consultation papers and the FMI Act implementation plan. The two consultation papers were:

  1. A framework for identifying systemically important financial market infrastructures.
  2. An approach to developing standards for financial market infrastructures.

The first consultation paper provided the intended framework for the Regulator to make an assessment of whether an FMI should be considered systemically important in New Zealand. The second consultation paper provided the intended approach to developing the standards for FMIs. The approach to developing these standards was broken into three elements:

  1. The treatment of existing conditions for FMIs already designated under Part 5C of the Reserve Bank of New Zealand Act 1989 (Pillar I).
  2. Reflecting international standards — the Principles for Financial Market Infrastructures (PFMI) — in standards under the Act (Pillar II).
  3. Matters not directly covered in depth by the core PFMI that need elaboration (Pillar III).

Figure 1: Three pillar approach to developing standards for designated FMIs under the FMI Act 2021

We sought feedback on the two consultation papers by 20 September 2021. This gave industry and other stakeholders the opportunity to provide input on key elements of how the Act is implemented. We received submissions from eight submitters, including New Zealand and overseas based stakeholders.

This paper provides a summary of the submissions we received and our responses to these submissions. The table in Annex A provides a more detailed presentation of stakeholder feedback along with responses from the Regulator.

The Financial Market Infrastructures Act

The Act establishes a new and enhanced regulatory regime for FMIs that brings New Zealand in line with our peer jurisdictions and reflects international best practice. Further, the basic framework of the new regime was supported by the International Monetary Fund in its 2016/17 Financial Sector Assessment Programme review of New Zealand. The Act has three main components:

  • a set of information gathering and investigative powers to support ongoing oversight and monitoring of all FMIs;
  • the power to set regulatory requirements for designated FMIs, such as issuing standards, reviewing contingency plans, and overseeing system rules (including rules regarding netting and settlements); and
  • a set of powers to manage systemically important FMIs that are facing distress (i.e. crisis management powers).

When exercising legal powers in the Act, the Regulator must do so for the specific purposes of the Act and is guided by a set of principles. These purposes include promoting a sound and efficient financial system and promoting fair, efficient, and transparent financial markets. The principles that guide the Regulator include, for example, regulating in a way that is consistent with international standards and recognising the need to avoid unnecessary compliance costs and unnecessary constraints on innovation.

A Framework for Identifying Systemically Important Financial Market Infrastructures

Framework Design

We proposed a framework that was high-level to allow for regulatory judgement and based on the purposes and principles set out in the Act.
Most submitters supported a principles-based approach to determine whether an FMI is systemically important. Submitters agreed with aligning the framework to international best practice, including the PFMI developed by the Committee on Payments and Market Infrastructures (CPMI) and the International Organisation of Securities Commissions (IOSCO). Submitters were generally supportive of the Regulator using its discretion instead of a formulaic approach to determining systemic importance. One submitter suggested a separate framework should be developed for identifying systemically important payment systems, owing to the different risks they face and because similar jurisdictions (including Australia) have developed a separate framework. We consider that our proposed framework and approach is sufficiently flexible to cater for the full range of observed FMIs. It follows other international approaches such as those in the United States and Canada. Where warranted, different risk profiles could be addressed through the tailoring of the standards to different classes of FMIs. We also note that the framework will be applied on a case by case basis.

Ultimately the framework should help determine whether a particular FMI meets the systemic importance test set out in section 28 of the Act.

Another submitter contended that retail payments systems are less systemically important than wholesale payment systems, and that a failure of a retail payment system would not threaten the solvency or liquidity of the financial system. However, it was also noted that international card systems are increasing their market share as the COVID-19 pandemic has changed consumer preferences.

We recognise that the FMI sector is diverse and rapidly evolving, especially the market for payment services. Against this backdrop, we do not consider that it is appropriate to make any judgements as to systemic importance for an FMI or a class of FMIs without having carried out the necessary analysis.

Factors for determining systemic importance

Section 24 of the Act sets out the factors that the Regulator must consider when assessing systemic importance:

  • the FMI’s size, including the number of participants and the number of indirect participants;
  • the types of persons who are participants and indirect participants;
  • the nature and scope of the activities under the FMI, including the way in which, and the extent to which,
    ◦ the FMI interconnects (directly or indirectly) with other FMIs or other activities within the financial system;
    ◦ participants and indirect participants transact or otherwise interconnect with each other (directly or indirectly) under the FMI;
  • the way in which, and the extent to which, financial risks are concentrated within the FMI; and
  • whether another FMI could promptly and effectively take them over were activities under the FMI to be disrupted.

One submitter requested clarity that the factors above for determining systemic importance would be considered in relation to the FMI’s activities in the New Zealand market, rather than its activities globally. We intend that the Regulator’s assessment will primarily focus on the role of the FMI in New Zealand; however, we may evaluate the activities of the FMI more holistically where this is relevant and appropriate. In addition to the specified matters that must be considered, the systemic importance framework is sufficiently flexible to accommodate the differences in FMIs and we intend that systemic importance assessments will be conducted on a case-by-case basis that recognises this diversity.

Another submission sought more guidance on how the Regulator would consider indirect participants. We will provide more guidance around indirect participants and interconnectedness when making systemic importance determinations. The framework is intended to be applied in a holistic manner with each factor being weighed and considered as part of an overall assessment as to whether the FMI is systemically important. Therefore, when conducting systemic importance assessments, the Regulator will consider how all of the factors in the framework, including interconnectedness and the different types of participants, might contribute to the ability of an FMI to trigger or transmit systemic disruptions and thereby threaten the stability of, or confidence in, the whole or a significant part of the financial system.

Developing standards for designated financial market infrastructures

Purpose, scope, timing, and application of standards

We proposed that the standards should apply equally to designated FMIs, regardless of how each FMI becomes designated (for example, whether an FMI applies to be designated, or is called in to be designated by the Regulator due to the FMI being considered systemically important). This approach was generally supported by stakeholders.

We proposed developing and enacting standards to support the implementation of the Act over an approximately 18-month period ending in late 2022 or early in 2023. A one-time transition approach will provide more certainty. Submitters raised concerns that the proposed time period might be too short because there may need to be sufficient time between finalising standards and the standards coming into effect. We intend to work with entities to help and, if necessary, provide extra time for additional standards to come into effect (under Pillar III). Before a proposed standard is issued there will be further consultation with stakeholders. We will request specific feedback on any areas where entities may require additional time to become compliant.

Submitters generally supported the planned approach of incorporating the current regulatory requirements, as set out in conditions of designation, in a comprehensive set of standards, although some wanted flexibility to tailor standards to the particular requirements of an FMI. The Act provides the flexibility to apply standards to particular FMIs and for particular purposes (if needed). For this reason, we confirm our intention to make general standards and only impose specific requirements where we identify a clear need to do so (and only after consulting the FMI concerned).

Pillar II: Reflecting the PFMI in standards under the Act

The PFMI comprises 24 principles-based standards that reflect international best practice on how to mitigate the build-up and transmission of risk through FMIs, with the ultimate aim of promoting the efficiency and soundness of the financial system. There was broad support for the PFMI forming the basis of the standards with submitters raising the need to tailor standards to the size, scale, and scope of each FMI. Similar concerns were raised around how standards would apply to rule-making bodies that do not operate infrastructures. We will work with rule-making bodies to ensure any standards applying to such entities are appropriate.

Pillar III: Matters not sufficiently covered by the core PFMI

Contingency planning

Disruption to an FMI’s operations could create serious problems for the financial system and the wider economy. It is therefore critical that designated FMIs can continue to provide essential services, even in times of distress. This is especially important where alternative providers of those services are not immediately available. For this reason, all designated FMIs are required to have contingency plans under section 47 of the Act.

Submitters noted the need to take a holistic approach to contingency planning to ensure the obligations were sufficiently flexible to remain appropriate to different types of FMIs. They were supportive of the Regulator taking a principles-based and outcomes-focused approach to allow for tailoring contingency planning requirements to different circumstances.

Submitters raised concerns about how this particular obligation would apply to overseas FMIs that are designated in New Zealand. We note that the substitute compliance regime will apply to contingency planning for overseas FMIs. However, overseas FMIs will be expected to follow any notification requirements (e.g. changes in practice or activation of their contingency plan in relation to their business in New Zealand).

Breach and outage reporting

Breach and outage reporting requirements are designed to ensure that the Regulator is aware of any contraventions or risks, and that those risks can be mitigated as much as possible. Submitters raised various concerns around breach reporting, including the need to align FMI breach reporting obligations to existing breach reporting processes. They also said that breach reports should be required ‘as soon as practicable’ instead of immediately. We intend to follow an approach similar to that contemplated in section 412 of the Financial Markets Conduct Act 2013, where an entity would need to send a report to the Regulator ‘as soon as practicable’ upon discovering a material breach of its obligations (whether this be under the Act or the standards).

One submitter also asked us to consider applying the existing arrangements for breach reporting obligations and information sharing arrangements for overseas-based designated FMIs. Reporting to a regulatory college in which the Regulator takes part will be acceptable.
Regardless of the cause, where an overseas FMI experiences an event that prevents it from performing its FMI activity in New Zealand, the overseas FMI will be required to notify the Regulator. We will provide guidance on overseas FMIs’ notification obligations in the next phases of our development of standards.

In terms of outage reporting, several submitters suggested that they should only be required to report material outages. However, given that any outage to an FMI’s operations may have a wide-reaching impact on New Zealand’s financial system, we consider that all outages are material and as such should be reported to the Regulator.

Publication of material breaches

Several submitters opposed our proposal to require FMIs to publish their material breaches and to publish all material breaches on our website. Our view was that this approach would allow for the provision of a centralised source of risk information for stakeholders. Transparency would assist participants and the general public to better understand the risk profiles of FMIs, and incentivise better risk management practices by FMIs.

Submitters raised concerns that by requiring publication, this could delay the reporting of material breaches as entities would need to follow additional internal risk assessment processes to produce a report appropriate for publication. We note that the reporting of material breaches is a separate process from publication. It is our expectation therefore that there would be no delays in the reporting of material breaches. Additional concerns were raised regarding possible conflicts with overseas requirements, confidentiality, and security.

Acknowledging the concerns raised by stakeholders, and the importance we place on market transparency, we have revised the proposed policy with respect to publication of material breaches. We have decided that the Regulator should have the discretion to publish material breaches taking into account factors such as market transparency, financial stability, the public interest and any other relevant factors. We will not require publication of outages.

Management of cyber risk

We proposed a separate cyber-security risk standard, aside from general and operational risk management standards. This standard would largely mirror the content of the RBNZ Cyber Resilience Guidance (i.e. governance, cyber capability building, information sharing, and third-party management).

Submitters were slightly more in favour of reliance on the PFMI general operational risk management standards (option 1), rather than a separate cyber standard (option 2). Three submitters supported option 1, two supported option 2, and three had no comment on this matter. Of the submitters who preferred option 1, the majority were overseas-based FMIs and therefore, as a result of the proposed substituted compliance approach, are unlikely to be subject to any New Zealand specific cyber security standards, but may be subject to equivalent overseas requirements instead. We therefore took this into account when assessing submitters’ views.

There is a growing need internationally and nationally to become more proactive towards cyber matters in the financial sector. This is a trend which is only likely to grow. In recent years, there has been a heightened focus on this specific area in light of increased cyber-attacks, which led us to publish cyber guidance based on well-recognised international risk management frameworks.
This work has already been done and is already based on the CPMI-IOSCO guidance regarding cyber resilience. It is therefore in line with our overarching approach and aligns with other prudential regulators’ greater focus on cyber. We therefore intend to proceed with option 2 and develop standards specific to cyber risk management. We also note that the two supporters of option 2 are more localised to New Zealand and those who preferred option 1 are likely to follow substitute compliance.

Defining and identifying critical service providers

FMIs often outsource parts of their day-to-day operations to third party service providers, which in turn can present a significant source of operational risk to FMIs. We proposed that the definition of critical service providers should be based on the high-level description in the PFMI, amended for the New Zealand context, being:

  A critical service provider is a provider of services without which the delivery of the FMI’s key business lines – related to its designation notice – would be significantly disrupted.

This definition was largely supported by submitters, noting that further guidance would need to be provided around the interpretation of ‘key service lines’ and ‘significant disruption’. Submitters also noted that they would need further guidance regarding the proposed exclusion for basic telecommunication services. We note that further guidance will be provided regarding the content of the standards during the implementation of the Act.

There was some concern that the proposed two-step approach for identifying critical service providers would put additional burdens on the FMI, as the Regulator would make the final determinations. However, we consider this is a necessary step to provide the Regulator with sufficient oversight of which providers are considered critical.

Contractual Terms with Critical Service Providers

Our preference was to require principles-based contractual terms between FMI operators and their critical service providers that reflected the oversight expectations contained in Annex F of the PFMI (option 2). Most submitters supported option 1, which involves a voluntary requirement that the FMI ensures its critical service providers follow Annex F. There was no support for option 3, which would require FMIs to include specified contractual terms into contracts with critical service providers.

The main concerns regarding option 2 largely revolved around an FMI’s ability to renegotiate existing contracts to comply with principles-based requirements, and those entities may not be in a position to negotiate terms into new contracts, which may result in an entity not being able to procure services from preferred providers. Two other approaches were proposed by submitters:

  1. Requiring the PFMI Annex F principles to be met by critical service providers, but not necessarily by way of contractual terms; or
  2. Alignment with the outsourcing requirement under the licence for managers of managed investment schemes where entities must be satisfied that providers are capable of performing services to the standard required for the entity to meet its obligations.

We understand that entities may not be able to retrospectively amend contracts, and therefore we will only require contracts entered into after the commencement of the standards to comply with the requirements set out in Annex F of the PFMI. We understand there may be situations where it may be difficult to negotiate a contract so that it meets the requirements in Annex F, but consider that these principles could be met in alternative ways.

Therefore we have revised the approach so that a designated FMI would be required to ensure that future contracts with critical service providers meet the principles set out in Annex F of the PFMI, or where that is impractical, the designated FMI could apply to the Regulator for an exemption, so long as the designated FMI could demonstrate to the Regulator that the relationship with the critical service provider satisfies the principles in Annex F of the PFMI in another way. This approach will meet the objectives of ensuring that FMIs are able to operate reliably, even where services have been outsourced to third parties. Stakeholders will have further opportunities to provide feedback during the consultation on the exposure draft of the standards.

Overseas equivalence

Option 2 was preferred by nearly all submitters that commented on this section (namely, providing substitute compliance for overseas FMIs). In addition, several requests were made:

  • Adopting a proportionate supervisory approach once the FMI is designated.
  • Delivering clarity around the assessment of equivalence in the designation process and adopting a risk-based approach to designation.
  • Ensuring that the framework is equitable for both local and overseas FMIs so that substitute compliance does not provide a competitive advantage.

One submitter highlighted that equivalence assessments can take a long time and need to be done accurately to ensure substitute compliance works effectively. We will clarify the equivalence assessment approach as part of the guidance we will provide later in the transition scheme. Reporting to a regulatory college where the Regulator takes part will be acceptable. Rule change notification requirements will also be considered to be proportionate but still in line with section 44 of the Act. We will confirm our approach when we consult on the exposure draft of standards and provide clarification on how substitute compliance will work in practice.

For the avoidance of doubt, overseas FMIs will be required to meet the New Zealand requirements, but can meet the requirements in a different manner as long as the equivalent requirements are met. If there are areas in the New Zealand framework that are not covered by the home jurisdiction, the overseas FMI will need to meet those requirements in the same way that FMIs incorporated in New Zealand are expected to.

Consistency with CPMI-IOSCO disclosure framework

Submitters generally supported disclosure standards being consistent with the CPMI-IOSCO disclosure framework, although one submitter preferred self-assessments. We confirm our approach to include disclosure standards in alignment with the CPMI-IOSCO disclosure frameworks. We will tailor the status quo where required - for example, there may need to be categories in the disclosure framework for rule setting bodies.

Incorporating the PFMIs directly or by reference

Under the Act the Regulator has the power to make standards, but there are no explicit powers to incorporate international standards by reference. One respondent supported the proposed approach to incorporate the PFMI directly. One submitter raised concerns about incorporating the PFMI directly, rather than by reference, due to the risk of fragmentation or conflicting regulatory requirements if there is a departure from the PFMI. For the purposes of legal certainty it is preferable to incorporate the PFMI directly and where necessary, we will adapt certain aspects of the PFMI to the New Zealand market. This approach will provide legal certainty while also allowing a customised approach for the local market.

Annex A: Lists of Consultation Questions and Regulator Response to Questions

Table 1: List of questions included in consultation papers

S1: Do you have any comments on the design of the Framework (noting that it is based on the FMI Act, aligned with PFMI and balanced regulatory discretion with transparency and clarity)?

S2: Do you have any comments on the factors we suggest for assessing the size of FMIs? What other factors do you consider we should include in this category?

S3: Do you have any comments on the factors we suggest for assessing the types of person who are participants of FMIs? What other factors do you consider that we should include in this category?

S4: Do you have any comments on the factors we suggest for assessing the nature and scope of activities of FMIs? What other factors do you consider we should include in this category?

S5: Do you have any comments on the factors we suggest for assessing the interconnectedness of FMIs? What other factors do you consider we should include in this category?

S6: Do you have any comments on the factors we suggest for assessing the interconnectedness among participants of FMIs? What other factors do you consider we should include in this category?

S7: Do you have any comments on the factors we suggest for assessing the concentration of financial risk of FMIs? What other factors do you consider we should include in this category?

S8: Do you have any comments on the factors we suggest for assessing the substitutability of FMIs? What other factors do you consider we should include in this category?

DS1 a: Do you have any comments on the proposed one-time transition approach to developing and issuing standards?
    b: Do you have any comments on the proposed approach to not differentiate standards based on how FMIs become designated?

DS2: Do you have any comments on the planned approach to incorporate existing regulatory requirements (i.e. conditions of designation) into standards under the new regime?

DS3: Do you have any comment on the PFMI forming the basis of standards for designated FMIs operating in New Zealand?

DS4 a: Do you have any comments on whether the scale and scope of an FMI’s operations may require standards to be tailored to their particular circumstances?
    b: What other factors do you think may influence the need for tailoring?
    c: Which standards do you think will require tailoring and what tailoring is required?

DS5: Do you have any comments on the approach for FMI contingency planning in the standards?

DS6: Do you have any comment on our plan to apply breach reporting requirements to designated FMIs like those in section 412 of the Financial Markets Conduct Act 2013?

DS7: Do you have any comment on our plan to carry over outage reporting requirements for FMIs currently designated under the RBNZ Act 1989 to all FMIs designated under the Act?

DS8: Do you agree with our preferred option to publish material breaches by FMIs on both the Operator’s and the Regulator’s official website(s)?

DS9: Do you have any comments on the proposed approach of making the RBNZ Guidance on cyber resilience the basis for regulatory requirements for designated FMIs and supplementing this with relevant content from CPMI-IOSCO Guidance to address any areas where cyber risk management is unique to FMIs?

DS10: What are your views on the two options that have been identified? Are there additional factors that should be considered when setting regulatory requirements around cyber resilience?

DS11: What factors should be considered when identifying service providers as critical? Do you see value in clarifying the interpretation of what a critical service provider is from the very high-level description provided in the PFMI?

DS12: Do you have any comments on the proposed two-stage process to identifying critical service providers?

DS13: Do you have any comments on our preferred option to require the contractual terms between the FMI operators and their critical service providers to reflect our expectations at a principle-based level?

DS14: Do you have any comments on the preferred option of allowing substitute compliance for overseas FMIs, subject to meeting equivalence and cooperation conditions? Are there any significant issues regarding the treatment of overseas FMIs that you would like to draw to our attention?

DS15: Do you have any comments on the proposal for having disclosure standards consistent with the CPMI-IOSCO Disclosure Framework for FMIs?

DS16: Do you have any comments on incorporating the PFMI into standards directly rather than by reference? Do you have comments on incorporating particular elements of the PFMI into legally binding standards?

Table 2: Summary of responses to consultation questions and Regulator responses

Questions: SI1 - SI8
Theme: Systemic importance framework
Summary of responses received: Most submitters were supportive of the framework and the need for Regulator discretion. One submitter thought that size should be the determining factor for systemic importance. Another submitter considered that a separate systemic importance framework is needed for payment systems. Submitters wanted clarity that the measures the Regulator would consider when assessing systemic importance would be considered relative to the New Zealand market rather than the worldwide market. One entity wanted clarity on how the Regulator would assess factors like indirect participants and interconnectedness.
Regulator analysis: We consider it is important that the framework remains principles-based and flexible to ensure the framework is applicable to accommodate a broad range of FMIs and remains appropriate in the future. The framework is intended to be applied in a holistic manner. The Regulator will consider and weigh each of the factors differently depending on their relevance to the specific circumstances of the FMI determining whether an FMI meets the systemically important test outlined in section 28 of the Act.
Regulator response: We confirm all aspects of the proposed framework to identify systemically important FMIs with a few minor modifications. For instance, we clarify that the focus of our considerations will be on the New Zealand market, unless international market considerations are relevant. We will also modify some of the proposed metrics in the framework to ensure that the information provided will adequately support systemic importance assessments. For example, the timeframe for historical volume and value data should be five years rather than ‘longer than one year’ as indicated in paragraph 26 of the consultation paper. A longer timeframe for this data will provide a better indication of the underlying trend of business activity. Similarly, when assessing concentration of financial risk, the proportion of transactions by the FMI’s largest five participants is more relevant than its two largest participants (as indicated in paragraph 53 of the consultation paper).

Questions: DS1a and DS1b
Theme: Approach to developing standards
Summary of responses received: The majority of submitters were supportive of a one-time transition for the implementation of standards. Submitters generally supported the standards applying equally to all FMIs, regardless of the method of designation. Concerns were raised around the timing for implementation of the standards, particularly for pillar three standards, and whether an additional transition period would be necessary.
Regulator analysis: We consider FMIs should largely be able to meet the pillar 1 and 2 standards in time given they are based on existing requirements in the PFMI and designation conditions. However, we understand that pillar three standards may require additional consultation and time.
Regulator response: During consultation on the draft standards we will consult on where entities may need extra time to reach a state of compliance, particularly regarding pillar three standards. We will take a flexible approach to compliance and work with FMIs.

Questions: DS2
Theme: Incorporating conditions
Summary of responses received: Submitters supported the planned approach of incorporating the current regulatory requirements, as set out in conditions of designation, in a comprehensive set of standards.
Regulator analysis and response: We confirm it is our intention to endeavour to standardise regulatory requirements and only impose more targeted requirements where there is a clear need to do so and only after consulting the FMI concerned.

Questions: DS3
Theme: PFMI forming the basis of standards
Summary of responses received: There was broad support for the PFMI forming the basis of standards. Submitters requested clarification on the supervisory approach to guidance (that is, whether following guidance is necessary for compliance with the standards).
Regulator analysis and response: We confirm our approach of having some elements of the PFMI as standards and some elements as guidance. We will not require guidance to be followed for the purpose of compliance, as guidance is not a legal requirement but is issued by the Regulator to assist entities to understand their legal requirements.

Questions: DS4a-4c
Theme: Tailoring of standards
Summary of responses received: Some overseas stakeholders raised concerns with how the requirements in NZ would apply to them. Submitters raised the need to tailor standards for rule-making bodies (not operators).
Regulator analysis and response: As we will allow substitute compliance for overseas FMIs, the standards applicable to FMIs designated in New Zealand will not need to be tailored for overseas FMIs.
We are open to tailoring for rule-making bodies where needed, and overseas based FMIs where necessary (although this is unlikely given the proposed substitute compliance regime for overseas FMIs). DS5 Contingency planning Submitters supported a principles-based approach to contingency planning. One submitter raised concerns about their ability to implement a contingency plan. We note that the Act requires designated FMIs to meet certain obligations in relation to contingency planning, and that the standards will need to be consistent with the Act. We intend that the substitute compliance regime for overseas designated FMIs should also apply to contingency planning, noting that overseas FMIs would be

14 14 Response to Submissions: Approach to Implementing the Financial Market Infrastructures Act 2021 Ref #X204575 v1.1 Questions Theme Summary of responses received Regulator analysis Regulator response We note the need to ensure that the approach is principles-based, and allows us to take into account the circumstances of particular designated FMIs. We note that overseas FMIs are not subject to section 50 of the Act, and that overseas FMIs will be subject to substitute compliance as long as they have met the equivalence and cooperation requirements. However, overseas FMIs will be expected to follow notification requirements under section 48 of the Act. expected to follow the notification requirements. We will take a principles-based approach so that contingency planning requirements will be appropriate to different circumstances. DS6-7 Breach and outage reporting Overseas-based FMIs raised the issue of whether they can satisfy breach reporting requirements through notifying overseas regulators (i.e. a regulatory college). One submitter thought that breach outage reporting should be aligned with section 412 of the Financial Markets Conduct Act 2013 (for breach reporting by market services licences). Submitters raised issues of whether the requirement to report should be ‘as soon as reasonably practical’, rather than ‘immediately’, and the need for guidance on materiality. We intend to accept reporting to a regulatory college where the Regulator is a member. Guidance on overseas FMIs’ notification requirements will be provided, but is likely to include outage reports, for example. We will aim to minimise uncertainty and regulatory burden to the extent possible. We consider that all outages are material, in line with the description in the Act. 
We will follow the approach adopted in section 412 of the Financial Markets Conduct Act 2013, where a designated FMI would need to send a report to the Regulator ‘as soon as practicable’ when discovering a contravention or possible contravention of standards in a material respect. We confirm that outage reporting does not need a materiality threshold. DS8 Publishing of material breaches Submitters were not supportive of the publication of material breaches. Submitters said it could raise legal, We note the importance of participants and potential participants of having a transparent understanding of the risks and We will consider an approach where the Regulator will have discretion on whether to publish a material breach, depending on

15 15 Response to Submissions: Approach to Implementing the Financial Market Infrastructures Act 2021 Ref #X204575 v1.1 Questions Theme Summary of responses received Regulator analysis Regulator response confidentiality and security concerns. Another said it should only be used sparingly and could increase cost to FMIs. Another submitter raised concerns with delays to reporting. Overseas FMIs raised concerns about potential conflicts between publishing breaches in New Zealand and overseas requirements. activities of designated FMIs. We consider that the publication breaches promote transparency and market discipline. However we note there may be situations where there are compelling reasons not to publish a material breach. factors such as market transparency, financial stability, the public interest and any other relevant factors. DS9 and DS10 Cyber Guidance Submitters were slightly more in favour of reliance on the PFMI alone (option 1), rather than a separate cyber risk management standard which was our preferred approach (option 2). One submitter also commented that a two hour recovery time objective might not always be appropriate, particularly in ransomware situations A suggestion was made to require independent assurance reports. Some of the submitters that prefer option 1 will be subject to overseas equivalence, and therefore are unlikely to be affected by whether there is a separate cyber standard, and their preference for option 1 should be considered with this in mind. Independent assurance reports represent a further step and an additional compliance burden which is unlikely to enhance the proposed process. We intend to proceed with option 2 – a specific cyber risk management standard. This is appropriate given the greater focus on cyber matters by prudential regulators, and the existing RBNZ cyber guidance. 
DS11, DS12 and DS13 Critical Service Providers Most submitters supported option 1 – principles-based terms that apply to the FMI/critical service provider relationship. However, they expressed concerns about having to renegotiate contracts to fit any approach requiring specific contractual terms. Two other approaches were proposed: (1) require certain principles to be met by critical service providers, but not We understand there may be situations where it may be difficult to negotiate a contract so that it meets the requirements in Annex F, but that these principles could be met in alternative ways. We will consider an approach for contract terms that is flexible and does not require entities to do anything commercially prejudicial or impractical The revised approach will require a designated FMI to ensure that future contracts with critical service providers meet the principles set out in Annex F of the PFMI, or where that is impractical, the designated FMI could apply to the Regulator for an exemption, so long as the

16 16 Response to Submissions: Approach to Implementing the Financial Market Infrastructures Act 2021 Ref #X204575 v1.1 Questions Theme Summary of responses received Regulator analysis Regulator response necessarily by way of contractual obligations; or (2) align with outsourcing requirements for managers of managed investment scheme under standard licence condition 3. There was no support for requiring specific clauses in contracts with critical service providers (option 3). One respondent noted that the Regulator having the final say on identifying critical service providers would put added burdens on the entity. Entities requested further guidance on the nature of the proposed exclusion for basic telecommunications services. designated FMI could demonstrate to the Regulator that the relationship with the critical service provider satisfied the principles in Annex F of the PFMI in another way. DS14 Overseas equivalence Option 2 was preferred by nearly all submitters (our preferred option that would permit substitute compliance). There were also several requests, namely:  A proportionate supervisory approach after designation;  Clarity around assessment of equivalence and application of a risk-based approach in the designation process  Not to make the substitute compliance framework inherently We will confirm our approach when we consult on the exposure draft of standards and provide clarification on how substitute compliance will work. We will provide more clarity around the equivalence assessment approach. We will ensure that rule change notification requirements will be proportionate but still in line with the section 44 of the Act. Notifying a regulatory college where the Regulator is a member will be acceptable.

17 17 Response to Submissions: Approach to Implementing the Financial Market Infrastructures Act 2021 Ref #X204575 v1.1 Questions Theme Summary of responses received Regulator analysis Regulator response favourable to overseas FMIs and provide a competitive advantage. DS15 Disclosure Submitters generally supported this (except one rules-making body who preferred self-assessments). Most preferred incorporation of the PFMI by reference or verbatim duplication. We note that there may need to be categories in the disclosure framework for rule setting bodies. We confirm our approach to include disclosure standards in alignment with the CPMI-IOSCO disclosure frameworks and similar approach to incorporating the PFMI standards (directly, rather than by reference). We will tailor where required. DS16 Incorporation of PFMI by reference A submitter raised concerns with incorporating the PFMI directly, with the risk of fragmentation or conflicting regulatory requirements if there is a departure from the PFMI. Under the Act the Regulator has the power to make standards, but there are no powers to incorporate international standards by reference. We consider for the purposes of legal clarity and certainty it is better to incorporate the PFMI directly. We will continue with our proposed approach of incorporating directly and adapting aspects to the New Zealand market. This will provide certainty while also allowing a customised approach for FMIs based in our jurisdiction.