Developing Standards for Designated Financial Market Infrastructures

Ref #9883267 v1.9 Developing Standards for Designated Financial Market Infrastructures July 2021 The Financial Market Infrastructures Act Implementation Plan Submission contact details We invite submissions on this Consultation Paper by 20 September 2021. Please note the disclosure on the publication of submissions below. Address submissions and enquiries to: fmiconsultation@rbnz.govt.nz Subject line: FMI Standards Consultation [Date] (Hard copy) FMI Consultation Team Financial System Policy and Analysis Department Reserve Bank of New Zealand PO Box 2498 Wellington 6140 Publication of submissions All information in submissions will be made public unless you indicate you would like all or part of your submission to remain confidential. Respondents who would like part of their submission to remain confidential should provide both a confidential and public version of their submission. Apart from redactions of the information to be withheld (i.e. blacking out of text) the 2 versions should be identical. Respondents should ensure that redacted information is not able to be recovered electronically from the document (the redacted version will be published as received). Respondents who request that all or part of their submission be treated as confidential should provide reasons why this information should be withheld if a request is made for it under the Official Information Act 1982 (OIA). These reasons should refer to section 142, 144, and 145 of the Financial Market Infrastructures Act 2021, section 59 & 60 of the Financial Markets Authority Act 2011; or the grounds for withholding information under the OIA. If an OIA request for redacted information is made, the Reserve Bank and Financial Markets Authority will make their own assessment of what must be released taking into account the respondent’s views. The Reserve Bank and the Financial Markets Authority may also publish an anonymised summary of the responses received in respect of this Consultation Paper.

2 2 The Financial Market Infrastructures Act Implementation Plan Contents Introduction ___________________________________________________________________________________ 3 Overall approach to developing standards for designated FMIs_____________________________ 3 Purpose, scope, timing and application of standards ________________________________________ 5 Pillar I: Treatment of regulatory requirements for FMIs under Part 5C of the RBNZ Act (i.e. conditions of designation) ____________________________________________________________________ 6 Pillar II: Reflecting the PFMI in standards under the Act _____________________________________ 7 The need to tailor standards to New Zealand circumstances 9 Pillar III: Matters not sufficiently covered by the core PFMI_________________________________ 10 Contingency plans 10 Breach and outage reporting 13 Management of cyber risk 15 Treatment of critical service providers 17 Treatment of overseas FMIs 20 Disclosure of information by FMIs 22 Format of adopting the PFMI in standards under the Act 23 Annex A: Consultation questions ________________________________________________________24 Annex B: Scope of adopting the PFMI in standards under the Act ____________________26 Annex C: Considerations on the incorporating the PFMI into standards by reference_47 Further requirements in the Legislation Act 2012 47 Annex D: Comparison of CPMI-IOSCO Guidance and RBNZ Guidance on Cyber Resilience _________________________________________________________________________________49 Contents of CPMI-IOSCO Guidance not covered by RBNZ Guidance 49 Contents of RBNZ Guidance not covered by CPMI-IOSCO Guidance 50

3 3 The Financial Market Infrastructures Act Implementation Plan Introduction

1. The Financial Market Infrastructures Act 2021 (the Act) establishes a comprehensive framework for the oversight and regulation of financial markets infrastructures (FMIs). The purposes of the Act include promoting the maintenance of a sound and efficient financial system and promoting and facilitating the development of fair, efficient and transparent financial markets. The Reserve Bank of New Zealand and Financial Markets Authority (together the Regulator) are working to implement the new regulatory regime established by the Act over an approximately 18-month period. We expect this to be completed towards the end of 2022. Our implementation plan outlines the key work streams that are involved and provides some background about FMIs and the Act.1
2. This consultation paper sets out how we plan to develop regulatory requirements for designated FMIs in the form of legally binding standards. Designated FMIs include those who are determined to be systemically important and those who apply for designation to gain access to the Act’s legal protections. These protections include certainty around netting, settlement finality and the enforceability of FMI rules. Separately, we are also consulting on a framework for identifying systemically important FMIs. There are important interdependencies between these 2 work-streams and stakeholder feedback will help us finalise our approach to both of these important aspects of the regime.
3. We invite interested parties to provide their views on this consultation paper by emailing a written submission to fmiconsultation@rbnz.govt.nz. The deadline for submissions is 5pm on 20 September 2021.
4. Following our analysis of submissions on this consultation, we plan to finalise and publish policy decisions on our approach to develop the content of standards in the second half of
5. We anticipate that the actual drafting of standards will begin in early 2022 and plan to publish an exposure draft for consultation in mid-2022. The ultimate aim is to finalise the standards by the end of 2022. Overall approach to developing standards for designated FMIs
6. Our approach to developing standards for designated FMIs, includes 3 elements: the treatment of regulatory requirement for FMIs under Part 5C of the Reserve Bank of New Zealand Act 1989 (Pillar I), reflecting international standards — the PFMI — in standards under the Act (Pillar II) and matters not directly covered in depth by the core PFMI that need elaboration (Pillar III). See Figure 1 below.

---

1 FMIs are multilateral systems that provide clearing, settlement and reporting services in relation to payments, securities, derivatives and other financial transactions. There are several types of FMIs, they include payment systems, securities settlement systems, central securities depositories, central counterparties and trade repositories.

4 4 The Financial Market Infrastructures Act Implementation Plan Figure 1: 3 pillar approach to developing standards for designated FMIs under the FMI Act 2021 6. There are currently 5 settlement systems that are designated under Part 5C of the Reserve Bank of New Zealand Act 1989 (the RBNZ Act). These 5 systems are automatically designated under the new regime, and are subject to the special transitional arrangements set out in Schedule 1 of the Act. The section below entitled ‘Pillar I’ discusses how existing conditions of designation applying to these 5 systems will be integrated into standards under the Act. 7. Other FMIs will be designated if they are found to be systemically important or if they voluntarily seek designation. As mentioned, there is a separate consultation underway on the framework that we propose to use to make systemic importance assessments. Once the framework is finalised, we will conduct a process to identify and assess FMIs that may be systemically important.2 8. The cornerstone of our planned approach to setting standards under the Act is to adopt relevant international standards – especially the Principles for Financial Market Infrastructures (“PFMI”). The importance we place on the PFMI is consistent with the approach taken in peer jurisdictions, many of which use the PFMI as the basis for FMI standards. This approach is also consistent with section 13(2)(d) of the Act, which requires us to take account of “the importance of regulating FMIs in a way that is consistent with international standards for their regulation where those standards are appropriate for conditions in New Zealand” when exercising our powers. In addition, we believe the most effective way to set standards for FMIs is to use a principles-based approach, rather than being prescriptive, and using the PFMI as a guide will allow us to do this. 9. The section entitled ‘Pillar II’ elaborates on how we plan to reflect the PFMI in standards, and why we may need to tailor standards further to the New Zealand circumstances of particular FMIs. 10. The PFMI are comprehensive, flexible and are intended to be applied holistically. However, they are not exhaustive and there are certain areas where we may need to go beyond the core PFMI when developing standards. These areas include:  contingency plans;  breach and outage reporting requirements;

---

2 It is worth noting that although the Reserve Bank had previously identified a list of 9 FMIs that are potentially systemically important (see Appendix Two of the 2015 consultation paper for details) new formal assessments will need to be done for the purposes of designation under the Act. Pillar I: Treatment of regulatory requirement for FMIs under Part 5C of the RBNZ Act • Conditions of designation Pillar II: Reflecting international standards — the PFMI — in standards under the FMI Act • Governance • Credit risk • Liquidity risk Pillar III: Matters not directly covered in depth by the core PFMI that need elaboration • Contingency plan • Breach and outage reporting • Cyber risk • Critical service providers • Overseas FMIs • Disclosures

5 5 The Financial Market Infrastructures Act Implementation Plan  management of cyber risk;  the treatment of critical service providers;  the treatment of overseas FMIs; and  the disclosure of information by FMIs. 11. Proposed standards relating to these areas are covered in the ‘Pillar III’ section of this consultation paper. We note that a greater focus on these areas does not mean that they are more important than others. However, they may be of particular interest to stakeholders given that standards in these areas may go beyond the content of the PFMI. 12. Under the 3 pillar approach, the full set of standards that designated FMIs will be subject to is effectively the core PFMI — Pillar II — in addition to the matters outlined in Pillar III. We note that there are also a few limited areas where standards will be developed at a later stage. These areas include, for example, any restrictions or prohibitions on activities of the FMI operator. We intend to develop these as needed and on a case-by-case basis. Purpose, scope, timing and application of standards 13. The purpose of standards is to ensure that FMIs are well managed and have the necessary arrangements in place to help prevent and mitigate the harm that the disruption or failure of an FMI can have on the financial system and the wider economy. 14. The Regulator’s powers to set standards covers a broad range of matters as detailed in section 34 of the Act. When setting standards, the Regulator must exercise powers for the purposes of the Act and take into account certain principles (section 13). There are legal tests and procedural requirements the Regulator must comply with before issuing a standard (sections 31 and 32). Importantly, these include a requirement for the Regulator to consult with persons who may be substantially affected by the proposed standard. 15. We consider that a complete set of legally binding standards should be developed and issued by the end of the 18 month transition period (i.e. towards the end of 2022), rather than taking a phased approach. We see the main advantages of this approach being: Pillar I: Treatment of regulatory requirement for FMIs under Part 5C of the RBNZ Act 1989 Pillar II: Reflecting international standards - the PFMI - in standards under the FMI Act Pillar III: Matters not directly covered in depth by the core PFMI that need elaboration Full set of FMI standards Current conditions of designation will be embedded into new standards

6 6 The Financial Market Infrastructures Act Implementation Plan  more clarity about what the regulatory requirements will look like over the long term;  minimising long term compliance costs for designated FMIs from a one-time transition; and  bringing the standards into force at an earlier stage. 16. The main disadvantage that we see in taking a one-time transition approach for standards – rather than a phased approach - is that it places some time constraints around the standards development process. 17. The Act provides considerable flexibility with regard to setting and applying standards to designated FMIs. In particular, the Regulator can set standards that apply to a particular FMI or class of FMIs. We recognise the need for the tailoring of standards to accommodate the range of different types of FMIs and their New Zealand circumstances and we reflect this in our proposed approach (specifically the discussion in the ‘Pillar II’ section). However, we propose that standards do not distinguish between FMIs that are identified as systemically important and those that apply for designation status on their own accord. This is based on our view that the set of standards outlined in this paper constitute a sound basis for effective risk management for all FMIs. Question 1a: Do you have any comments on the proposed one-time transition approach to developing and issuing standards? Question 1b: Do you have any comments on the proposed approach to not differentiate standards based on how FMIs become designated? Pillar I: Treatment of regulatory requirements for FMIs under Part 5C of the RBNZ Act (i.e. conditions of designation) 18. FMIs that are designated settlement systems under the RBNZ Act are automatically designated under the Act. Under the RBNZ Act, regulatory requirements are set by an Order in Council that prescribes various conditions on the designated FMIs (i.e. conditions of designation). When the existing designated FMIs transition to the new regulatory regime, these conditions will be superseded by standards made under the Act. 19. In determining what standards will apply to the existing systems, we will review each of the current conditions and determine whether to:  Replace conditions that apply to more than one designated system with similar standards applicable generally to designated FMIs. For example, conditions covering notification of outages and material incidents, as well as of changes to key aspects of the system (such as risk management frameworks, financial resources policies, or senior managers and directors), could be replaced by the same requirements in the form of a standard. These standards are also likely to include existing requirements around disclosure of information and reporting to the Regulator.  Replace a condition relevant to a single designated settlement system with a more general standard that achieves the same, or a similar, outcome.

7 7 The Financial Market Infrastructures Act Implementation Plan  Replace a condition with a similar bespoke standard, applying only to the particular FMI. This option would be adopted when the Regulator determines that a regulatory requirement needs to reflect the individual risk profile of a particular FMI.  Remove the regulatory requirement. If the condition is no longer relevant, the Regulator may determine not to replace the condition with a standard. This option may apply particularly in the case of overseas FMIs. Question 2: Do you have any comments on the planned approach to incorporate existing regulatory requirements (i.e. conditions of designation) into standards under the new regime? Pillar II: Reflecting the PFMI in standards under the Act 20. The PFMI comprises 24 principles-based standards that reflect international best practice on how to mitigate the build-up and transmission of risks through FMIs, with the ultimate aim of promoting the efficiency and soundness of the financial system. The PFMI were developed and are maintained by 2 international standards setting bodies: the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO). 21. The principles-based nature of the PFMI reflects the need for considerable flexibility to accommodate a range of different types of FMIs that operate in many different institutional settings. Table 1 (which is copied directly from the PFMI) lists all 24 principles and indicates how they are intended to apply to the 5 basic types of FMIs. The PFMI are configurable in the sense that the principles that apply to a particular FMI will depend on the actual functions that the FMI performs. An FMI that performs multiple functions - for example a securities settlement system that also functions as a securities depository - will be subject to all relevant principles for securities settlement systems plus Principle 11 which is only relevant to securities depositories. 22. The PFMI are closely followed by FMI regulators in our peer jurisdictions including Australia, Canada, the UK and the USA. In most cases, the PFMI text is reflected directly in legally binding standards with little or no modification. Close adherence to the PFMI by peer FMI regulators further legitimises the suitability of the PFMI and its ability to accommodate diverse institutional and operational settings. Because of this, we consider it appropriate to take a similar approach in New Zealand. 23. We consider that reflecting the PFMI in standards will help achieve the purposes of the Act, which are  promoting the maintenance of a sound and efficient financial system;  avoiding significant damage to the financial system that could result from problems in an FMI, its operator, or its participants;  promoting the confident and informed participation of businesses, investors and consumers in financial markets; and  promoting and facilitating the development of fair, efficient, and transparent financial markets.

8 8 The Financial Market Infrastructures Act Implementation Plan 24. More specifically, it also has the following benefits:  the inherent flexibility and efficiency of adopting a principles-based approach to develop standards for designated FMIs;  minimising compliance costs for FMIs already following or familiar with the PFMI;  preserving and enhancing the benefits of the PFMI self-assessments process;  facilitating oversight and supervision of FMIs operating in multiple jurisdictions;  providing transparency and clarity to FMIs on how the Act will be implemented;  building on and promoting continuity of the existing PFMI regulatory expertise and assessment methodologies;  meeting the IMF’s 2017 Financial Sector Assessment Program recommendation that the PFMI be explicitly adopted in New Zealand’s legal framework; and  ensuring consistency with the expectation associated with New Zealand’s membership in IOSCO, the global standard setter for the securities sector. Table 1 copied from the PFMI: General applicability of principles to specific types of FMIs* Principle PSs CSDs SSSs CCPs TRs

1. Legal basis ● ● ● ● ●
2. Governance ● ● ● ● ●
3. Framework for the comprehensive management of risks ● ● ● ● ●
4. Credit risk ● ● ●
5. Collateral ● ● ●
6. Margin ●
7. Liquidity risk ● ● ●
8. Settlement finality ● ● ●
9. Money settlements ● ● ●
10. Physical deliveries ● ● ●
11. Central securities depositories ●
12. Exchange-of-value settlement systems ● ● ●
13. Participant-default rules and procedures ● ● ● ●
14. Segregation and portability ●

9 9 The Financial Market Infrastructures Act Implementation Plan Principle PSs CSDs SSSs CCPs TRs 15. General business risk ● ● ● ● ● 16. Custody and investment risks ● ● ● ● 17. Operational risk ● ● ● ● ● 18. Access and participation requirements ● ● ● ● ● 19. Tiered participation arrangements ● ● ● ● ● 20. FMI links ● ● ● ● 21. Efficiency and effectiveness ● ● ● ● ● 22. Communication procedures and standards ● ● ● ● ● 23. Disclosure of rules, key procedures, and market data ● ● ● ● ● 24. Disclosure of market data by trade repositories ● *The specific types of FMIs are payment systems (PSs), central securities depositories (CSDs), securities settlement systems (SSSs), central counterparties (CCPs), and trade repositories (TRs). 25. One trade-off of closely following established international practice is that it may pose challenges when it comes to setting standards that reflect the realities faced by FMIs operating in New Zealand. However, this risk is offset to some degree by the principles-based nature of the PFMI and flexibility in the Act to tailor standards to different FMIs. 26. Annex B: provides stakeholders with a clear sense of how we intend to incorporate the PFMI in standards that will be issued under the Act. It includes the 24 principles along with their key considerations and indicates how each of these is intended to apply to the different types of FMIs. Annex B: also shows how each of the principles maps to the standard setting power in the Act. Importantly, other aspects of the PFMI, such as the explanatory notes that accompany each of the principles, will be treated as guidance material which will accompany the relevant standards. Question 3: Do you have any comment on the PFMI forming the basis of standards for designated FMIs operating in New Zealand? The need to tailor standards to New Zealand circumstances 27. Based on our previous consultation with stakeholders to establish the Act, we are aware that factors like the scale and scope of an FMI’s operations may drive the need to tailor some regulatory requirements. We are interested in further feedback on this in light of our proposed approach to closely follow the PFMI. Our initial thoughts on the need for tailoring are set out below.

10 10 The Financial Market Infrastructures Act Implementation Plan Tailoring standards to FMIs operated by central banks 28. We propose to follow the approach set out in the CPMI-IOSCO document, Application of the Principles for Financial Market Infrastructures to central bank FMIs. For example, this will mean that certain parts of the PFMI relating to governance and financial management would not apply to these FMIs. Tailoring standards to overseas FMIs 29. We discuss the treatment of overseas FMIs below on page 18. Tailoring to FMIs where the operator controls the rules of the FMI but not the underlying infrastructure 30. Our overarching approach in this case is guided by 2 principles. First, that standards should not require operators of these FMIs to do something they cannot do. Second, any tailoring of standards should aim to avoid overlap with regulatory requirements imposed elsewhere (for example, if the FMI relies upon infrastructure provided by another designated FMI, substantial reliance can be placed upon the fact that the other FMI will already be complying with applicable standards relating to that infrastructure). 31. With these 2 principles in mind, we think that the normal standards applying to these types of FMIs could potentially be divided into 3 categories:  standards that should fully apply to these FMIs;  standards that should apply to these FMIs in part; and,  standards that should not apply to these FMIs. Question 4a: Do you have any comments on whether the scale and scope of an FMI’s operations may require standards to be tailored to their particular circumstances? Question 4b: What other factors do you think may influence the need for tailoring? Question 4c: Which standards (see Annex B:) do you think will require tailoring and what tailoring is required? Pillar III: Matters not sufficiently covered by the core PFMI 32. This section discusses the content of standards that need elaboration beyond the core PFMI. Contingency plans Contingency plans: Problem identification and regulatory powers 33. Disruption to an FMI’s operations could create serious problems for the financial system and the wider economy. It is therefore critical that designated FMIs can continue to provide essential services, even in times of distress. This is especially important where alternative providers of those services are not immediately available.

11 11 The Financial Market Infrastructures Act Implementation Plan 34. For this reason, all designated FMIs are required to have contingency plans under section 47 of the Act. FMI Contingency Plans are defined in section 5 of the Act as: “…..a plan for 1 or more of the following purposes: a) doing 1 or more of the following in relation to activities under the FMI: i. maintaining their continuity where events that could result in their disruption occur; ii. mitigating, or otherwise managing, disruption to them; iii. restoring their continuity following their disruption; iv. restoring the FMI’s financial resources following events that cause them to be depleted; b) applying the provisions of the FMI’s rules relating to 1 or more of the following: c) participant default; v. indirect participant default; vi. the allocation of losses among operators, participants, or other persons; vii. if the FMI were to be wound down, ensuring that the winding-down is orderly.” 35. The required content of contingency plans is partly set out in the Act. In particular, section 47 of the Act requires contingency plans to be:  comprehensive, adequate and credible, taking into account the type of FMI concerned and the activities carried out under it; and  capable of being activated and implemented effectively when appropriate. 36. In addition, the Act provides the Regulator with the power to review contingency plans (section 49), and to require changes to contingency plans to address deficiencies (sections 50- 51). 37. The importance of contingency plans (and their role as the first line of defence in a crisis management situation) is also reflected in Part 4 of the Act (Dealing with systemically important FMIs that are distressed etc). The Regulator may only exercise their statutory crisis management powers where contingency plans are ineffective or inadequate to deal with the distress situation. 38. Section 34(1)(f) of the Act also allows the Regulator to issue standards relating to FMI contingency plans, including (without limitation) any of the following matters:  the purpose for which designated FMIs must have contingency plans;

12 12 The Financial Market Infrastructures Act Implementation Plan  the content of those plans, for example: ◦ the scenarios the plans must cover; and ◦ strategies and methods that must be included in the plans for dealing with those scenarios;  the interaction of those plans with the designated FMI’s rules;  the persons responsible for maintaining, activating, or implementing those plans;  arrangements for obtaining the financial resources needed to activate and implement those plans; and  the arrangements for reviewing, updating and testing those plans. 39. As noted in paragraph 10 above, while the PFMI are comprehensive, they are not exhaustive and do not fully address the requirements for contingency plans envisioned by the Act. 40. There are a variety of sources that we consider relevant to guiding our approach to developing standards for contingency plans. For example, the RBNZ 2016 consultation paper Crisis management powers for Systemically Important Financial Market Infrastructures discusses the appropriate content of business continuity plans, and recovery and orderly wind down plans. These are 2 concepts that are merged into the single concept of a contingency plan under the Act. There are also several publications by CPMI-IOSCO and the Financial Stability Board (FSB) that provide additional guidance (see for example the PFMI themselves, and CPMI-IOSCO’s 2014 report Recovery of Financial Market Infrastructures). Contingency plans: Proposed approach, options, and analysis 41. Given the diverse functions and structures of different FMIs, we propose a largely high-level approach to issuing standards for the content of contingency plans. This approach will elaborate on what is necessary to meet the requirements for contingency plans in section 47 of the Act, while still being sufficiently generic to apply to the contingency plans of all designated FMIs. Specifically, we propose that the standard requires that contingency plans:  identify the FMI’s essential services.  identify events that pose a significant risk of disrupting the FMI’s operations, including events that could cause widespread or major disruption (such as the failure of a critical service provider or linked FMI, or a natural disaster).  identify events that have a significant risk of placing the operator under financial stress that could affect the ability of the FMI to continue to provide essential services (e.g. credit losses or liquidity shortfalls caused by participant default, general business losses, realisation of investment losses).  set out what constitutes an acceptable degree of recovery and within what timeframes, and if recovery within 2 hours is not possible, the reasons why.  set out policies and procedures (including management procedures) designed to respond to identified operational and financial risk events.

13 13 The Financial Market Infrastructures Act Implementation Plan  include a set of financial recovery tools that are reliable, timely, effective, legally robust and enforceable.3  include procedures to allow for a change to the operator of the FMI.4  set out how an FMI would be wound down in an orderly manner if essential services cannot be provided on an ongoing basis despite the availability of recovery tools and if an alternative operator is not available.  set out arrangements for regular testing and review of the contingency plan. 42. We note that this approach also assumes that the Regulator will assess compliance with these requirements in the specific context of each individual designated FMI and that these assessments will be supported by the Regulator’s powers to review and, if necessary, require changes to contingency plans. 43. In addition, overseas FMIs that are designated will generally be subject to comparable contingency plan requirements within their home jurisdiction (see paragraph 92 for more details about the proposed approach to overseas FMIs). Where the home jurisdiction of an FMI is assessed as equivalent, we would expect that most or all of the requirements in our proposed standard would already be addressed in their existing contingency plans (or equivalent risk management framework/policies). We therefore do not consider that this standard should apply to overseas FMIs based in jurisdictions assessed as equivalent. 44. Our proposed approach also helps to ensure a consistent high-level framework for the required content of contingency plans, while allowing compliance with this framework to be assessed on a case-by-case basis by the Regulator (taking into account the circumstances of a particular designated FMI). 45. The alternative is a more detailed standard for classes of designated FMIs (or a particular designated FMI). This is likely to require more prescription around the content of contingency plans and we consider this to be less practical because the different circumstances of designated FMIs would make it difficult to capture all the nuances of each business model. Question 5: Do you have any comments on the approach for FMI contingency planning in the standards? Breach and outage reporting Breach and outage reporting: Problem identification and regulatory powers 46. It is an offence for an operator of an FMI to contravene a standard and such contravention may carry a pecuniary penalty. The Regulator must be informed of any such contravention (i.e. breach of a standard) so that risks can be identified and mitigations to those risks can be recommended. Other stakeholders such as direct and indirect participants also have a strong

---

3 In respect of FMIs taking on credit risk, the tools should also set out mechanisms for allocating the costs of resolving the FMI to the operator and participants. These mechanisms should be transparent and allow those who bear losses and liquidity shortfalls to measure, manage and control their potential exposure. In these circumstances, these mechanisms should also be designed to support appropriate incentives for operators and participants to operate and oversee the FMI in a prudent manner (e.g. by ensuring that operators and participants have appropriate “skin in the game”). 4 This is to facilitate the sale of the FMI, or transfer of the FMI to a new operator under a New Operator Scheme (section 102-107 of the Act).

14 14 The Financial Market Infrastructures Act Implementation Plan interest in being informed of any event that may adversely affect the operation of a designated FMI. 47. Section 34(3) of the Act empowers the Regulator to make standards to require operators to give to the Regulator reports relating to any of the following matters:  disruption to activities under a designated FMI (i.e. an outage);  contraventions of requirements imposed by or under this Act (i.e. a breach); or  any other matter prescribed in the regulations. 48. Outage and breach reporting requirements are also part of the existing designation notices under Part 5C of the RBNZ Act. The operators of designated payment and settlement systems are required to notify the Regulator “immediately” upon becoming aware that any of the following have occurred, or may occur:  a material non-compliance with their risk management framework or a law or any regulatory requirements relating to the operation of a designated system;  an event that materially increases the risk to a designated system; or  an outage or other material incidents relating to a designated system. 49. We consider that the existing reporting requirements remain relevant. The next section discusses how the existing reporting requirements will apply in the new regulatory framework under the Act. Breach and outage reporting: Proposed approach, options, and analysis 50. For outage reporting requirements, we propose to follow the approach currently set out in the designation notices for FMIs under the under the RBNZ Act. This means the timeframe (“immediately” after the FMI operators become aware of an outage) and the threshold (“outages or material incidents”) applies to all designated FMIs under the new regulatory regime. 51. For breach reporting requirements, we propose to follow the approach in section 412 of the Financial Markets Conduct Act 2013, where a designated FMI would need to send a report to the Regulator “as soon as practicable” upon discovering a contravention or possible contravention of standards in a material respect. 52. To support transparency and encourage market discipline in the FMI sector, there may be merits to disclosing material breaches to the public. The 2 options here are:  Option 1: Compulsory requirement for material breach reporting to the Regulator without a public disclosure requirement.  Option 2: Compulsory requirement for material breach reporting to the Regulator and a public disclosure requirement (preferably in a prominent place like Regulator’s official website(s) as well as the operator’s website). 53. We prefer Option 2 because publishing material breaches on our official website(s) will provide a centralised source of risk information for stakeholders about all designated FMIs. This transparency will assist participants and the general public to better understand the risk

15 15 The Financial Market Infrastructures Act Implementation Plan profiles of FMIs, and risk awareness by stakeholders is expected to contribute to better risk management practices by FMIs. 54. For FMIs, we acknowledge that public disclosure of material breaches to standards may be a somewhat less effective tool to encourage compliance compared to other financial institutions, such as banks and insurers. This is because FMI participants and other stakeholders often face limited alternatives for certain FMI services. However, we still consider that there are meaningful benefits to supporting market transparency and we also consider that public disclosure of material breaches incentivises FMIs to prudentially manage their risks. For these reasons, Option 2 remains the preferred option. Question 6: Do you have any comment on our plan to apply breach reporting requirements to designated FMIs like those in section 412 of the Financial Markets Conduct Act 2013? Question 7: Do you have any comment on our plan to carry over outage reporting requirements for FMIs currently designated under the RBNZ Act to all FMIs designated under the Act? Question 8: Do you agree with our preferred option to publish material breaches by FMIs on both the operator’s and the Regulator’s official website(s)? Management of cyber risk Management of cyber risk: Problem identification and regulatory powers 55. Building cyber resilience is crucial for FMIs to promote a safe and efficient financial system and to support the broader economy. FMIs are heavily reliant on technology for their daily operations and, due to their close and complex interconnections with banks and other financial sector entities, there is a heightened risk to the wider financial system from cyber incidents that impact FMIs. 56. Traditionally, cybersecurity risk has been considered as a part of operational risk. However, as the financial sector’s reliance on information technology has grown considerably over time, so have cybersecurity risks. IOSCO and the FSB now recognise that regulatory interventions can play a useful role alongside the continued efforts of regulated entities to collectively improve cyber resilience. This is because of:  the growing level of cyber risk as digitalisation of the economy gains pace;  the constantly evolving nature of cyber threats; and  the contagion effect of cyber-attacks targeting common points of weakness.

16 16 The Financial Market Infrastructures Act Implementation Plan Management of cyber risk: Proposed approach 57. We consider that standards should be developed to address cyber risk management for designated FMIs and note that there is considerable guidance material available for regulators to draw on when doing so.5 Guidance from the CPMI-IOSCO has been specifically tailored to the circumstances of cyber risks for FMIs, while the RBNZ Cyber Resilience Guidance (the RBNZ Guidance) applies more generally to banks, insurers and FMIs in New Zealand. Annex D: provides a detailed comparison between these 2 sets of guidance. 58. We propose developing standards based on the RBNZ Guidance. The RBNZ Guidance provides 2 levels of recommendations for regulated entities: a baseline and an enhanced level. Considering their critical roles in the financial system, designated FMIs will be expected to meet both the baseline and the enhanced-level recommendations alongside the requirements outlined in the relevant standard(s). 59. We acknowledge that the RBNZ Guidance has been developed for all RBNZ regulated entities, rather than for FMIs in particular. Nevertheless, the RBNZ Guidance is closely aligned with the CPMI-IOSCO Guidance on cyber resilience for FMIs. FMIs that follow the CPMI-IOSCO Guidance will likely find that their cyber risk management practices are also in line with the recommendations in the RBNZ Guidance. 60. We propose to add some content from the CPMI-IOSCO Guidance that is relevant to FMIs into the RBNZ Guidance. This includes guidance around the interconnectedness of FMIs and identifying certain performance targets (such as a recovery time objective). Management of cyber risk: Options considered 61. The options under consideration are:  Option 1: Rely on general and operational risk management standards to address cybersecurity risk.  Option 2: Develop standards that specifically deal with cybersecurity risk. 62. Note that for either option, we would use the same set of supporting guidance materials – as discussed above. 63. For Option 2, the cybersecurity risk standard would be framed as a set of high-level principles and outcomes-focused requirements. The content of the standard are yet to be developed but would largely mirror the topics covered by the RBNZ Guidance (i.e. governance, cyber capability building, and information sharing and third party management). Note that stakeholders will have the opportunity to provide feedback on the details once they are available and should this option be selected.

---

5 In 2016, CPMI-IOSCO published Guidance on cyber resilience for financial market infrastructures. This guidance is supplemental to the PFMI about how FMIs should enhance their cyber resilience. In 2019, the FMA published Guidance: Cyber-resilience in FMA-regulated financial services. The guidance noted the use of the services provided by the National Cyber Security Centre (NCSC) and the Computer Emergency Response Team New Zealand (CERT NZ). It also encourages FMA regulated financial services to use a recognised cybersecurity framework to assist with planning, prioritising and managing their cyber resilience. In April 2021, the RBNZ published its Guidance on Cyber Resilience as a first step towards taking a more proactive role in promoting cyber resilience. This guidance is drawn from a range of well recognised frameworks (such as the NIST framework) and adapted to the financial sector setting with practices from jurisdictions that have relatively mature cybersecurity frameworks in place (such as Europe, the UK and Australia).

17 17 The Financial Market Infrastructures Act Implementation Plan Management of cyber risk: Analysis of options 64. The main advantage of Option 1 is that it may provide some additional (although limited) flexibility – relative to Option 2 - for designated FMIs on how to manage their cyber resilience. Since we intend to issue operational risk standards consistent with Principle 17 of the PFMI, the cyber risk management guidance under Option 1 will effectively help clarify how cyber risk should be addressed as part of general risk management requirements. Option 1 is also consistent with the Reserve Bank’s current approach to promoting better cyber resilience among regulated banks and insurance companies. Our main concern with Option 1 is that it may not set sufficiently clear expectations for designated FMIs on how to manage the increasingly serious harms that can result from cyber incidents. 65. The main advantage of Option 2 (publishing a set of specific and enforceable standards) is that we expect it to help drive a positive change in behaviour (relative to Option 1). It will do this by providing a clear indication of our expectations, backed by a calibrated set of enforcement tools. Based on recent discussions with the Australian Prudential Regulation Authority (APRA), this approach will be more likely to drive positive behavioural change. A possible concern with Option 2 is that it may draw attention to a particular cyber risk over and above other types of operational risks. However, we consider that cyber risk warrants particular attention in light of expectations that cyber threats will continue to escalate. 66. We recognise that developing a specific and enforceable standard for cyber risk management is a step further than the Reserve Bank’s approach to its other regulated entities (of relying on the non-binding RBNZ Guidance) but also consider that a specific standard is warranted at this time due to the critical role that FMIs play in the financial system and the wider economy. 67. We consider that there is merit in both options but prefer Option 2. Question 9: Do you have any comments on the proposed approach of making the RBNZ Guidance on cyber resilience the basis for regulatory requirements for designated FMIs and supplementing this with relevant content from CPMI-IOSCO Guidance to address any areas where cyber risk management is unique to FMIs? Question 10: What are your views on the 2 options that have been identified? Are there additional factors that should be considered when setting regulatory requirements around cyber resilience? Treatment of critical service providers Treatment of critical service providers: Problem identification and regulatory powers 68. FMIs often rely on, or outsource, parts of their day-to-day operations to third party service providers. These service providers can be a source of significant operational risk for FMIs, especially if disruptions to third-party services could adversely affect the FMI’s ability to operate. 69. Section 34(1)(b) of the Act allows the Regulator to make standards that guide the relationship between operators and persons who provide services to those operators. For example, it may impose requirements relating to the terms and conditions of contracts between operators and those persons.

18 18 The Financial Market Infrastructures Act Implementation Plan 70. Additionally, Principle 17 (operational risk) of the PFMI recognises the need to identify, monitor, and manage the risks emanating from reliance on service and utility providers through the use of appropriate systems, policies, procedures, and controls.6 Annex F of the PFMI further discusses 5 risk mitigating oversight expectations for critical service providers that we think are also relevant for FMIs operating in New Zealand. 71. We consider standards that influence aspects of the relationship between FMI operators and critical service providers are necessary to hold an FMI’s critical service providers to the same standard as if the FMI were to provide the service itself. Treatment of critical service providers: Proposed approach Identifying critical service providers 72. The PFMI notes that an FMI may be dependent on “the continuous and adequate functioning of service providers that are critical to an FMI’s operations, such as information technology and messaging providers.”7 This high-level description is a good starting point for FMIs and the Regulator to identify critical service providers. Additional guidance may however be useful. 73. To further assist FMIs identify service providers that are critical to them, we propose to add a supplementary explanation to clarify the meaning of a critical service provider in the New Zealand context. The definition we propose is: “A critical service provider is a provider of services without which the delivery of the FMI’s key business lines - related to its designation notice - would be significantly disrupted.” 74. The Assessment Methodology8 supporting the PFMI outlines that “unless otherwise indicated by relevant authorities, activities not directly related to essential operations of the FMI and utilities (such as basic telecommunication services, water, electricity and gas) are out-of-scope when identifying critical service providers.” Therefore, we propose to exclude utilities from the scope of identifying critical service providers. 75. We propose a two-step approach to identifying critical service providers. The Regulator will: a. collect information from the FMI operator about which service providers the FMI considers critical to its operations; and b. analyse the collected information so it can confirm the list of critical service provider(s) for that designated FMI. Regulatory requirements 76. The PFMI outline 2 channels to address risks posed to FMIs by critical service providers:9  the regulator can set requirements directly on critical service providers; or  the regulator can set requirements on how FMIs use critical services providers.

---

6 CPMI-IOSCO, Principles for financial market infrastructures, April 2012, page 94. 7 CPMI-IOSCO, Principles for financial market infrastructures, April 2012, Annex F Oversight expectations applicable to critical service providers, page 170. 8 CPMI-IOSCO, Assessment Methodology for the oversight expectations applicable to critical service providers, December 2014, page 1. 9 CPMI-IOSCO, Principles for financial market infrastructures, April 2012, page 100.

19 19 The Financial Market Infrastructures Act Implementation Plan 77. We consider that it is appropriate to regulate critical service providers indirectly by setting requirements on how FMIs manage their critical services providers. Our preferred approach is to require the contractual terms between the FMI and its critical service providers to reflect general principles or expectations around the relationship of FMI operators and their critical service providers. The options considered and our analysis are described further in the following sections. Treatment of critical service providers: Options considered 78. The following policy options have been designed to indirectly regulate critical service providers.  Option 1: Set out general principles or expectations around the relationship of FMI operators and their critical service providers.  Option 2: Require principle based contractual terms between the FMI operators and their critical service providers to reflect the Regulator’s expectations as detailed in Annex F, including to require contractual terms to include requirements on mandatory self￾assessment and reporting against expectations.  Option 3: Require specific contractual terms between the FMI operators and their critical service providers to reflect the Regulator’s expectations as detailed in Annex F, including to require contractual terms to include requirements on mandatory self-assessment and reporting against expectations. The precise, specific contractual requirements must detail how the critical service provider will meet the expectations. Treatment of critical service providers: Analysis of options 79. Option 1 would be a voluntary requirement that the FMI ensures that the critical service provider follows Annex F. We would expect the FMI to regularly report to us about how the expectations in Annex F are being met by its critical service providers. Under this option, there would be no basis for the Regulator to enforce compliance with the standard. 80. Option 2 would require an FMI to include the principles in Annex F in its contract with its critical service providers. The Regulator would set a standard to this effect. This option offers some flexibility if it is difficult to negotiate specific terms with a critical service provider. The FMI would again need to regularly report to us about how the expectations in Annex F are being met by its critical service providers. 81. Option 3 would require an FMI to include specific contractual terms in contracts with its critical service provides. The Regulator would set a standard to this effect. The contractual terms would largely reflect the expectations of Annex F of the PFMI and could include terms that:10  enable the FMI and Regulator to obtain full access to necessary information;  ensure that the FMI’s approval is mandatory before the critical service provider can itself outsource material elements of the service provided to the FMI, and that in the event of such an arrangement, full access to the necessary information is preserved;

---

10 CPMI-IOSCO, Principles for financial market infrastructures, April 2012, pages 99 and 100.

20 20 The Financial Market Infrastructures Act Implementation Plan  ensure that clear lines of communication are established between the FMI and the critical service provider to facilitate the flow of functions and information between parties in both ordinary and exceptional circumstances;  provide for direct contacts between the critical service provider and the Regulator, and the relevant authority can obtain specific reports from the critical service provider (or the FMI may provide full information to the Regulator); and  enable the FMI to obtain assurances from its critical service providers that they comply with the expectations in Annex F, which can be provided on to the Regulator. 82. There may be some cases where the FMI is not able to negotiate these terms when setting the parameters of the relationship with a critical service provider. Accordingly, in such a case, a requirement to have certain expectations prescribed as contractual terms and conditions may hinder the ability of the FMI to obtain the critical service, which could also present risks to the financial system. 83. Our preferred option is Option 2. That is, require the contractual terms between the FMI operators and their critical service providers to reflect our expectations at a principle-based level. We consider this would provide the appropriate level of flexibility for parties setting the parameters of their contractual relationships. This would also ensure that we have a degree of oversight of the relationship between an FMI and its critical service providers. Question 11: What factors should be considered when identifying service providers as critical? Do you see value in clarifying the interpretation of what a critical service provider is from the very high-level description provided in the PFMI? Question 12: Do you have any comments on the proposed two-stage process to identifying critical service providers? Question 13: Do you have any comments on our preferred option to require the contractual terms between the FMI operators and their critical service providers to reflect our expectations at a principle-based level? Treatment of overseas FMIs Treatment of overseas FMIs: Problem identification and regulatory powers 84. Section 32 requires that in setting standards, the Regulator must consider relevant overseas standards. The purpose of this is to ensure standards we set make sense for overseas FMIs who may need to comply with the requirements of a home-jurisdiction regulator. The Act assumes that the Regulator can rely substantially on the supervisory and regulatory arrangements for overseas FMIs in their home jurisdiction. Some of the requirements applicable to designated FMIs, as well as the measures to be taken when systemically important FMIs are distressed, are not applicable to overseas FMIs. The Act expects the Regulator to cooperate with the home jurisdiction regulators, even though overseas FMIs will be supervised by the Regulator in New Zealand. The importance of effective collaboration among regulators is also recognised in the PFMI.

21 21 The Financial Market Infrastructures Act Implementation Plan Treatment of overseas FMIs: Options considered 85. For the treatment of overseas FMIs, we have considered 3 options.  Option 1: Apply the same standards in the same manner as we would for a New Zealand based FMI.  Option 2: Allow substitute compliance subject to meeting equivalence and cooperation conditions. Without meeting the conditions, the same standards would apply to the overseas FMI like it would for a New Zealand based FMI.  Option 3: Set standards specifically for overseas FMIs. 86. Option 1 requires that we apply the same standards in the same manner to overseas FMIs as we do to domestic FMIs. This does not recognise the Act’s assumption that, in certain circumstances, the Regulator can rely substantially on the home jurisdiction’s supervisory and regulatory arrangements for overseas FMIs. Option 1 also presents the risk that New Zealand standards might apply in an unreasonable way to overseas FMIs, which is not desirable. 87. Option 2 means that if we are satisfied that equivalence and cooperation conditions have been met, and the overseas FMI follows the rules in its home jurisdiction, it will have complied with the standards in New Zealand (“substitute compliance”). If it does not meet the specified equivalence and cooperation conditions, an overseas FMI will be expected to comply with the same standards as an FMI incorporated in New Zealand. 88. We may have regard to any relevant laws and practices in the overseas FMI’s home jurisdiction, and the rules and practices of the overseas FMI when assessing equivalence. This may include an assessment of the regulatory framework of the home jurisdiction such as ensuring complete and consistent implementation of the PFMI under the CPMI-IOSCO Level 2 Peer Assessment. The equivalence and cooperation conditions could state that:  New Zealand’s financial system be afforded the same protection as if overseas FMIs were required to comply with the same requirements as locally incorporated FMIs;  there are adequate processes and procedures in place with the overseas FMI and its home jurisdiction to deal with, for example, (i) a distressed situation of the overseas FMI, (ii) an insolvency event in relation to an operator of an overseas FMI; and  the overseas FMI is willing and able to cooperate with the Regulator by sharing of information (and in other ways). 89. As Regulator, we will need adequate cooperation arrangements with the home regulator. We will seek reassurance about the FMI’s compliance with its home jurisdiction through the regulatory cooperation arrangement (e.g., obtaining a good standing letter and/or an ongoing dialogue with the home regulator). 90. An overseas FMI would be expected to demonstrate equivalence, not only based on its home regulatory framework and the FMI’s rules, but also on its practical implementation. If an overseas FMI demonstrates that it has a more efficient way to achieve the same outcome expected under the standards in New Zealand, we may accept it under this substitute compliance framework.

22 22 The Financial Market Infrastructures Act Implementation Plan 91. A designated overseas FMI would be expected to regularly notify us of any events that are likely to affect our assessment about its designated status under a substitute compliance framework. Examples of events likely to affect our assessment include significant changes to the overseas FMI’s internal organisation or structure or significant changes to the rules and practice applicable to its FMI activities carried out in New Zealand. 92. Events that require immediate notification would include an event where the designated overseas FMI’s licence, permission or authorisation for its FMI activity in its home jurisdiction has been revoked. Other events may include an incident that is likely to have a material impact on the overseas FMI performing its FMI activities in New Zealand. These notification requirements would help us effectively supervise overseas FMIs under the substitute compliance framework. 93. Option 3 would require us to set out a separate set of standards applicable to overseas FMIs. Overseas FMIs would then be expected to comply with a separate set of standards, different to those followed by the rest of the NZ based FMIs. The content of these overseas FMI standards is currently undetermined. Treatment of overseas FMIs: Analysis of options 94. An advantage of Options 1 and 3 is that they would enable us to directly regulate and supervise overseas FMIs, rather than rely on another jurisdiction’s rules and regulations. A key risk of Options 1 and 3 is that they might create inconsistent or repetitive requirements for overseas FMIs, which may result in higher costs for New Zealanders to access overseas FMIs. In an extreme case, overseas FMIs may be prompted to cease operating in New Zealand due to onerous regulatory requirements. These risks can largely be avoided under Option 2. 95. Option 2 would help us minimise the regulatory burden on overseas FMIs which are already regulated under an equivalent regulatory framework and maximise the effective use of Regulator resources in New Zealand. We believe that we can mitigate the risk of less direct supervision of overseas FMIs by cultivating a working relationship with their home regulators. Option 2 is our preferred option. Question 14: Do you have any comments on the preferred option of allowing substitute compliance for overseas FMIs, subject to meeting equivalence and cooperation conditions? Are there any significant issues regarding the treatment of overseas FMIs that you would like to draw to our attention? Disclosure of information by FMIs Disclosure of information by FMIs: Problem identification and regulatory powers 96. Section 34(1)(i) of the Act gives the Regulator the legal power to develop a standard that deals with the public disclosure of information relating to operators of designated FMIs. Additionally, the PFMI require FMIs to disclose relevant information about their operations to participants, relevant authorities, and the public to allow an accurate understanding of the risks and costs of participating in the FMI.

23 23 The Financial Market Infrastructures Act Implementation Plan 97. Currently, designated settlement systems are expected to make information available by publishing a self-assessment against the PFMI at least every 3 years or more frequently when there are material changes to the system. This requirement will be replaced by a standard under section 34(1)(i) of the Act. Disclosure of information by FMIs: Proposed approach, options, and analysis 98. As part of the initial set of standards to be brought into effect, we propose replacing the existing requirement of disclosure with a standard applying to all designated FMIs, consistent with the CPMI-IOSCO Disclosure Framework for FMIs. 99. The CPMI-IOSCO Disclosure Framework sets out the form and content of the disclosures expected of FMIs that adopt the PFMI and states that FMIs should review their disclosures at a minimum of every 2 years to ensure they remain accurate. Adoption of the international standard of publication every 2 years would mean that information available would be reasonably up to date. 100. Being aligned with international practices - regarding both the format and the frequency of disclosure - has several advantages compared to any self-defined disclosure framework or longer time frames for FMIs to publish self-assessment again standards. It will reduce the burden on FMIs by using a common framework for disclosure and assessment. It will also allow relevant information to be available on a more regular basis to facilitate our oversight of FMIs. 101. The CPMI-IOSCO Disclosure Framework also includes an expectation that FMIs publish a separate set of quantitative information. We intend to develop requirements for any such disclosures over a longer time frame. Question 15: Do you have any comments on the proposal for having disclosure standards consistent with the CPMI-IOSCO Disclosure Framework for FMIs? Format of adopting the PFMI in standards under the Act 102. There are 2 formatting approaches for how the PFMI can be reflected in standards. They could be incorporated by reference to the PFMI or incorporated into the PFMI text directly into standards. There are advantages and disadvantages of each option and, on balance, our preferred approach is to directly incorporate the PFMI text into standards where relevant. Annex C: outlines some of the considerations around the alternative approach. 103. We propose that for each principle of the PFMI where we intend to develop a standard, ‘principles’ and ‘key considerations’ will be incorporated directly into legally binding standards and the associated ‘explanatory notes’ will form the basis of guidance to facilitate monitoring and compliance assessments. This is the approach taken by the Australian FMI regulators (see Annex B:) Question 16: Do you have any comments on incorporating the PFMI into standards directly rather than by reference? Do you have comments on incorporating particular elements of the PFMI into legally binding standards?

24 24 The Financial Market Infrastructures Act Implementation Plan Annex A: Consultation questions Question 1a: Do you have any comments on the proposed one-time transition approach to developing and issuing standards? Question 1b: Do you have any comments on the proposed approach to not differentiate standards based on how FMIs become designated? Question 2: Do you have any comments on the planned approach to incorporate existing regulatory requirements (i.e. conditions of designation) into standards under the new regime? Question 3: Do you have any comment on the PFMI forming the basis of standards for designated FMIs operating in New Zealand? Question 4a: Do you have any comments on whether the scale and scope of an FMI’s operations may require standards to be tailored to their particular circumstances? Question 4b: What other factors do you think may influence the need for tailoring? Question 4c: Which standards (see Annex B) do you think will require tailoring and what tailoring is required? Question 5: Do you have any comments on the approach for FMI contingency planning in the standards? Question 6: Do you have any comment on our plan to apply breach reporting requirements to designated FMIs like those in section 412 of the Financial Markets Conduct Act 2013? Question 7: Do you have any comment on our plan to carry over outage reporting requirements for FMIs currently designated under the RBNZ Act 1989 to all FMIs designated under the Act? Question 8: Do you agree with our preferred option to publish material breaches by FMIs on both the operator’s and the Regulator’s official website(s)? Question 9: Do you have any comments on the proposed approach of making the RBNZ Guidance on cyber resilience the basis for regulatory requirements for designated FMIs and supplementing this with relevant content from CPMI-IOSCO Guidance to address any areas where cyber risk management is unique to FMIs? Question 10: What are your views on the 2 options that have been identified? Are there additional factors that should be considered when setting regulatory requirements around cyber resilience? Question 11: What factors should be considered when identifying service providers as critical? Do you see value in clarifying the interpretation of what a critical service provider is from the very high-level description provided in the PFMI?

25 25 The Financial Market Infrastructures Act Implementation Plan Question 12: Do you have any comments on the proposed two-stage process to identifying critical service providers? Question 13: Do you have any comments on our preferred option to require the contractual terms between the FMI operators and their critical service providers to reflect our expectations at a principle-based level? Question 14: Do you have any comments on the preferred option of allowing substitute compliance for overseas FMIs, subject to meeting equivalence and cooperation conditions? Are there any significant issues regarding the treatment of overseas FMIs that you would like to draw to our attention? Question 15: Do you have any comments on the proposal for having disclosure standards consistent with the CPMI-IOSCO Disclosure Framework for FMIs? Question 16: Do you have any comments on incorporating the PFMI into standards directly rather than by reference? Do you have comments on incorporating particular elements of the PFMI into legally binding standards?

26 26 The Financial Market Infrastructures Act Implementation Plan Annex B: Scope of adopting the PFMI in standards under the Act PFMI Key considerations PSs CSDs SSSs CCPs TRs Principle 1: Legal basis - FMI Act 2021 reference s34(1)(e)(vi)) “An FMI should have a well-founded, clear, transparent, and enforceable legal basis for each material aspect of its activities in all relevant jurisdictions.” ● ● ● ● ●

1. The legal basis should provide a high degree of certainty for each material aspect of an FMI’s activities in all relevant jurisdictions. ● ● ● ● ●
2. An FMI should have rules, procedures, and contracts that are clear, understandable, and consistent with relevant laws and regulations. ● ● ● ● ●
3. An FMI should be able to articulate the legal basis for its activities to relevant authorities, participants, and, where relevant, participants’ customers, in a clear and understandable way. ● ● ● ● ●
4. An FMI should have rules, procedures, and contracts that are enforceable in all relevant jurisdictions. There should be a high degree of certainty that actions taken by the FMI under such rules and procedures will not be voided, reversed, or subject to stays. ● ● ● ● ●
5. An FMI conducting business in multiple jurisdictions should identify and mitigate the risks arising from any potential conflict of laws across jurisdictions. ● ● ● ● ● Principle 2: Governance - FMI Act 2021 reference s34(1)(a) “An FMI should have governance arrangements that are clear and transparent, promote the safety and efficiency of the FMI, and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders.” ● ● ● ● ●
6. An FMI should have objectives that place a high priority on the safety and efficiency of the FMI and explicitly support financial stability and other relevant public interest considerations. ● ● ● ● ●
7. An FMI should have documented governance arrangements that provide clear and direct lines of responsibility and accountability. These arrangements should be disclosed to owners, relevant authorities, participants, and, at a more general level, the public. ● ● ● ● ●

27 27 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 3. The roles and responsibilities of an FMI’s board of directors (or equivalent) should be clearly specified, and there should be documented procedures for its functioning, including procedures to identify, address, and manage member conflicts of interest. The board should review both its overall performance and the performance of its individual board members regularly. ● ● ● ● ● 4. The board should contain suitable members with the appropriate skills and incentives to fulfil its multiple roles. This typically requires the inclusion of non-executive board member(s). ● ● ● ● ● 5. The roles and responsibilities of management should be clearly specified. An FMI’s management should have the appropriate experience, a mix of skills, and the integrity necessary to discharge their responsibilities for the operation and risk management of the FMI. ● ● ● ● ● 6. The board should establish a clear, documented risk-management framework that includes the FMI’s risk-tolerance policy, assigns responsibilities and accountability for risk decisions, and addresses decision making in crises and emergencies. Governance arrangements should ensure that the risk-management and internal control functions have sufficient authority, independence, resources, and access to the board. ● ● ● ● ● 7. The board should ensure that the FMI’s design, rules, overall strategy, and major decisions reflect appropriately the legitimate interests of its direct and indirect participants and other relevant stakeholders. Major decisions should be clearly disclosed to relevant stakeholders and, where there is a broad market impact, the public. ● ● ● ● ● Principle 3: Framework for the comprehensive management of risks - FMI Act 2021 reference s34(1)(e) “An FMI should have a sound risk-management framework for comprehensively managing legal, credit, liquidity, operational, and other risks.” ● ● ● ● ●

1. An FMI should have risk-management policies, procedures, and systems that enable it to identify, measure, monitor, and manage the range of risks that arise in or are borne by the FMI. Risk￾management frameworks should be subject to periodic review. ● ● ● ● ●
2. An FMI should provide incentives to participants and, where relevant, their customers to manage and contain the risks they pose to the FMI. ● ● ● ● ●

28 28 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 3. An FMI should regularly review the material risks it bears from and poses to other entities (such as other FMIs, settlement banks, liquidity providers, and service providers) as a result of interdependencies and develop appropriate risk-management tools to address these risks. ● ● ● ● ● 4. An FMI should identify scenarios that may potentially prevent it from being able to provide its critical operations and services as a going concern and assess the effectiveness of a full range of options for recovery or orderly wind-down. An FMI should prepare appropriate plans for its recovery or orderly wind-down based on the results of that assessment. Where applicable, an FMI should also provide relevant authorities with the information needed for purposes of resolution planning. ● ● ● ● ● Principle 4: Credit risk - FMA Act 2021 reference s34(1)(d) & s34(1)(e) (iii) (Credit Risk Management) “An FMI should effectively measure, monitor, and manage its credit exposures to participants and those arising from its payment, clearing, and settlement processes. An FMI should maintain sufficient financial resources to cover its credit exposure to each participant fully with a high degree of confidence. In addition, a CCP that is involved in activities with a more complex risk profile or that is systemically important in multiple jurisdictions should maintain additional financial resources sufficient to cover a wide range of potential stress scenarios that should include, but not be limited to, the default of the two participants and their affiliates that would potentially cause the largest aggregate credit exposure to the CCP in extreme but plausible market conditions. All other CCPs should maintain additional financial resources sufficient to cover a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would potentially cause the largest aggregate credit exposure to the CCP in extreme but plausible market conditions.” ● ● ●

1. An FMI should establish a robust framework to manage its credit exposures to its participants and the credit risks arising from its payment, clearing, and settlement processes. Credit exposure may arise from current exposures, potential future exposures, or both. ● ● ●
2. An FMI should identify sources of credit risk, routinely measure and monitor credit exposures, and use appropriate risk￾management tools to control these risks. ● ● ●

29 29 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 3. A payment system or SSS should cover its current and, where they exist, potential future exposures to each participant fully with a high degree of confidence using collateral and other equivalent financial resources (see Principle 5 on collateral). In the case of a DNS payment system or DNS SSS in which there is no settlement guarantee but where its participants face credit exposures arising from its payment, clearing, and settlement processes, such an FMI should maintain, at a minimum, sufficient resources to cover the exposures of the two participants and their affiliates that would create the largest aggregate credit exposure in the system ● ● 4. A CCP should cover its current and potential future exposures to each participant fully with a high degree of confidence using margin and other prefunded financial resources (see Principle 5 on collateral and Principle 6 on margin). In addition, a CCP that is involved in activities with a more-complex risk profile or that is systemically important in multiple jurisdictions should maintain additional financial resources to cover a wide range of potential stress scenarios that should include, but not be limited to, the default of the two participants and their affiliates that would potentially cause the largest aggregate credit exposure for the CCP in extreme but plausible market conditions. All other CCPs should maintain additional financial resources sufficient to cover a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would potentially cause the largest aggregate credit exposure for the CCP in extreme but plausible market conditions. In all cases, a CCP should document its supporting rationale for, and should have appropriate governance arrangements relating to, the amount of total financial resources it maintains. ●

30 30 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 5. A CCP should determine the amount and regularly test the sufficiency of its total financial resources available in the event of a default or multiple defaults in extreme but plausible market conditions through rigorous stress testing. A CCP should have clear procedures to report the results of its stress tests to appropriate decision makers at the CCP and to use these results to evaluate the adequacy of and adjust its total financial resources. Stress tests should be performed daily using standard and predetermined parameters and assumptions. On at least a monthly basis, a CCP should perform a comprehensive and thorough analysis of stress testing scenarios, models, and underlying parameters and assumptions used to ensure they are appropriate for determining the CCP’s required level of default protection in light of current and evolving market conditions. A CCP should perform this analysis of stress testing more frequently when the products cleared or markets served display high volatility, become less liquid, or when the size or concentration of positions held by a CCP’s participants increases significantly. A full validation of a CCP’s risk-management model should be performed at least annually. ● 6. In conducting stress testing, a CCP should consider the effect of a wide range of relevant stress scenarios in terms of both defaulters’ positions and possible price changes in liquidation periods. Scenarios should include relevant peak historic price volatilities, shifts in other market factors such as price determinants and yield curves, multiple defaults over various time horizons, simultaneous pressures in funding and asset markets, and a spectrum of forward-looking stress scenarios in a variety of extreme but plausible market conditions. ● 7. An FMI should establish explicit rules and procedures that address fully any credit losses it may face as a result of any individual or combined default among its participants with respect to any of their obligations to the FMI. These rules and procedures should address how potentially uncovered credit losses would be allocated, including the repayment of any funds an FMI may borrow from liquidity providers. These rules and procedures should also indicate the FMI’s process to replenish any financial resources that the FMI may employ during a stress event, so that the FMI can continue to operate in a safe and sound manner. ● ● ●

31 31 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs Principle 5: Collateral - FMI Act 2021 reference s34(1)(d) (Capital & Liquidity Requirements), s34(1)(e)(iii) (Credit Risk Management) & s34(1)(e) (Liquidity Risk Management). “An FMI that requires collateral to manage its or its participants’ credit exposure should accept collateral with low credit, liquidity, and market risks. An FMI should also set and enforce appropriately conservative haircuts and concentration limits” ● ● ●

1. An FMI should generally limit the assets it (routinely) accepts as collateral to those with low credit, liquidity, and market risks. ● ● ●
2. An FMI should establish prudent valuation practices and develop haircuts that are regularly tested and take into account stressed market conditions. ● ● ●
3. In order to reduce the need for procyclical adjustments, an FMI should establish stable and conservative haircuts that are calibrated to include periods of stressed market conditions, to the extent practicable and prudent. ● ● ●
4. An FMI should avoid concentrated holdings of certain assets where this would significantly impair the ability to liquidate such assets quickly without significant adverse price effects. ● ● ●
5. An FMI that accepts cross-border collateral should mitigate the risks associated with its use and ensure that the collateral can be used in a timely manner. ● ● ●
6. An FMI should use a collateral management system that is well￾designed and operationally flexible. ● ● ● Principle 6: Margin – FMI Act 2021 s34(1)(e)(iii) (Credit Risk Management) & s34(1)(e)(iv) (Liquidity Risk Management). “A CCP should cover its credit exposures to its participants for all products through an effective margin system that is risk-based and regularly reviewed” ●
7. A CCP should have a margin system that establishes margin levels commensurate with the risks and particular attributes of each product, portfolio, and market it serves. ●
8. A CCP should have a reliable source of timely price data for its margin system. A CCP should also have procedures and sound valuation models for addressing circumstances in which pricing data are not readily available or reliable. ●

32 32 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 3. A CCP should adopt initial margin models and parameters that are risk-based and generate margin requirements sufficient to cover its potential future exposure to participants in the interval between the last margin collection and the close out of positions following a participant default. Initial margin should meet an established single- tailed confidence level of at least 99 percent with respect to the estimated distribution of future exposure. For a CCP that calculates margin at the portfolio level, this requirement applies to each portfolio’s distribution of future exposure. For a CCP that calculates margin at more-granular levels, such as at the subportfolio level or by product, the requirement must be met for the corresponding distributions of future exposure. The model should (a) use a conservative estimate of the time horizons for the effective hedging or close out of the particular types of products cleared by the CCP (including in stressed market conditions), (b) have an appropriate method for measuring credit exposure that accounts for relevant product risk factors and portfolio effects across products, and (c) to the extent practicable and prudent, limit the need for destabilising, procyclical changes. ● 4. A CCP should mark participant positions to market and collect variation margin at least daily to limit the build-up of current exposures. A CCP should have the authority and operational capacity to make intraday margin calls and payments, both scheduled and unscheduled, to participants. ● 5. In calculating margin requirements, a CCP may allow offsets or reductions in required margin across products that it clears or between products that it and another CCP clear, if the risk of one product is significantly and reliably correlated with the risk of the other product. Where two or more CCPs are authorised to offer cross-margining, they must have appropriate safeguards and harmonised overall risk- management systems. ● 6. A CCP should analyse and monitor its model performance and overall margin coverage by conducting rigorous daily backtesting and at least monthly, and more-frequent where appropriate, sensitivity analysis. A CCP should regularly conduct an assessment of the theoretical and empirical properties of its margin model for all products it clears. In conducting sensitivity analysis of the model’s coverage, a CCP should take into account a wide range of parameters and assumptions that reflect possible market conditions, including the most-volatile periods that have been experienced by the markets it serves and extreme changes in the correlations between prices. ● 7. A CCP should regularly review and validate its margin system. ●

33 33 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs Principle 7: Liquidity risk – FMI Act 2021 reference s34(1)(e)(iv) (Credit and liquidity requirements & Liquidity Risk Management). “An FMI should effectively measure, monitor, and manage its liquidity risk. An FMI should maintain sufficient liquid resources in all relevant currencies to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate liquidity obligation for the FMI in extreme but plausible market conditions.” ● ● ●

1. An FMI should have a robust framework to manage its liquidity risks from its participants, settlement banks, nostro agents, custodian banks, liquidity providers, and other entities. ● ● ●
2. An FMI should have effective operational and analytical tools to identify, measure, and monitor its settlement and funding flows on an ongoing and timely basis, including its use of intraday liquidity. ● ● ●
3. A payment system or SSS, including one employing a DNS mechanism, should maintain sufficient liquid resources in all relevant currencies to effect same-day settlement, and where appropriate intraday or multiday settlement, of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate payment obligation in extreme but plausible market conditions. ● ●
4. A CCP should maintain sufficient liquid resources in all relevant currencies to settle securities-related payments, make required variation margin payments, and meet other payment obligations on time with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate payment obligation to the CCP in extreme but plausible market conditions. In addition, a CCP that is involved in activities with a more-complex risk profile or that is systemically important in multiple jurisdictions should consider maintaining additional liquidity resources sufficient to cover a wider range of potential stress scenarios that should include, but not be limited to, the default of the two participants and their affiliates that would generate the largest aggregate payment obligation to the CCP in extreme but plausible market conditions. ●

34 34 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 5. For the purpose of meeting its minimum liquid resource requirement, an FMI’s qualifying liquid resources in each currency include cash at the central bank of issue and at creditworthy commercial banks, committed lines of credit, committed foreign exchange swaps, and committed repos, as well as highly marketable collateral held in custody and investments that are readily available and convertible into cash with prearranged and highly reliable funding arrangements, even in extreme but plausible market conditions. If an FMI has access to routine credit at the central bank of issue, the FMI may count such access as part of the minimum requirement to the extent it has collateral that is eligible for pledging to (or for conducting other appropriate forms of transactions with) the relevant central bank. All such resources should be available when needed. ● ● ● 6. An FMI may supplement its qualifying liquid resources with other forms of liquid resources. If the FMI does so, then these liquid resources should be in the form of assets that are likely to be saleable or acceptable as collateral for lines of credit, swaps, or repos on an ad hoc basis following a default, even if this cannot be reliably prearranged or guaranteed in extreme market conditions. Even if an FMI does not have access to routine central bank credit, it should still take account of what collateral is typically accepted by the relevant central bank, as such assets may be more likely to be liquid in stressed circumstances. An FMI should not assume the availability of emergency central bank credit as a part of its liquidity plan. ● ● ● 7. An FMI should obtain a high degree of confidence, through rigorous due diligence, that each provider of its minimum required qualifying liquid resources, whether a participant of the FMI or an external party, has sufficient information to understand and to manage its associated liquidity risks, and that it has the capacity to perform as required under its commitment. Where relevant to assessing a liquidity provider’s performance reliability with respect to a particular currency, a liquidity provider’s potential access to credit from the central bank of issue may be taken into account. An FMI should regularly test its procedures for accessing its liquid resources at a liquidity provider. ● ● ● 8. An FMI with access to central bank accounts, payment services, or securities services should use these services, where practical, to enhance its management of liquidity risk. ● ● ●

35 35 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 9. An FMI should determine the amount and regularly test the sufficiency of its liquid resources through rigorous stress testing. An FMI should have clear procedures to report the results of its stress tests to appropriate decision makers at the FMI and to use these results to evaluate the adequacy of and adjust its liquidity risk-management framework. In conducting stress testing, an FMI should consider a wide range of relevant scenarios. Scenarios should include relevant peak historic price volatilities, shifts in other market factors such as price determinants and yield curves, multiple defaults over various time horizons, simultaneous pressures in funding and asset markets, and a spectrum of forward-looking stress scenarios in a variety of extreme but plausible market conditions. Scenarios should also take into account the design and operation of the FMI, include all entities that might pose material liquidity risks to the FMI (such as settlement banks, nostro agents, custodian banks, liquidity providers, and linked FMIs), and where appropriate, cover a multiday period. In all cases, an FMI should document its supporting rationale for, and should have appropriate governance arrangements relating to, the amount and form of total liquid resources it maintains. ● ● ● 10. An FMI should establish explicit rules and procedures that enable the FMI to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations on time following any individual or combined default among its participants. These rules and procedures should address unforeseen and potentially uncovered liquidity shortfalls and should aim to avoid unwinding, revoking, or delaying the same-day settlement of payment obligations. These rules and procedures should also indicate the FMI’s process to replenish any liquidity resources it may employ during a stress event, so that it can continue to operate in a safe and sound manner. ● ● ● Principle 8: Settlement finality – FMI Act 2021 reference s 34(2) (Provision in Rules). “An FMI should provide clear and certain final settlement, at a minimum by the end of the value date. Where necessary or preferable, an FMI should provide final settlement intraday or in real time.” ● ● ●

1. An FMI’s rules and procedures should clearly define the point at which settlement is final. ● ● ●
2. An FMI should complete final settlement no later than the end of the value date, and preferably intraday or in real time, to reduce settlement risk. An LVPS or SSS should consider adopting RTGS or multiple-batch processing during the settlement day. ● ● ●

36 36 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 3. An FMI should clearly define the point after which unsettled payments, transfer instructions, or other obligations may not be revoked by a participant. ● ● ● Principle 9: Money settlements – FMI Act 2021 reference s34(1)(e)(iii) & s34(1)(e)(iv) (Credit Risk Management and Liquidity Risk Management). “An FMI should conduct its money settlements in central bank money where practical and available. If central bank money is not used, an FMI should minimise and strictly control the credit and liquidity risk arising from the use of commercial bank money.” ● ● ●

1. An FMI should conduct its money settlements in central bank money, where practical and available, to avoid credit and liquidity risks. ● ● ●
2. If central bank money is not used, an FMI should conduct its money settlements using a settlement asset with little or no credit or liquidity risk. ● ● ●
3. If an FMI settles in commercial bank money, it should monitor, manage, and limit its credit and liquidity risks arising from the commercial settlement banks. In particular, an FMI should establish and monitor adherence to strict criteria for its settlement banks that take account of, among other things, their regulation and supervision, creditworthiness, capitalisation, access to liquidity, and operational reliability. An FMI should also monitor and manage the concentration of credit and liquidity exposures to its commercial settlement banks. ● ● ●
4. If an FMI conducts money settlements on its own books, it should minimise and strictly control its credit and liquidity risks. ● ● ●
5. An FMI’s legal agreements with any settlement banks should state clearly when transfers on the books of individual settlement banks are expected to occur, that transfers are to be final when effected, and that funds received should be transferable as soon as possible, at a minimum by the end of the day and ideally intraday, in order to enable the FMI and its participants to manage credit and liquidity risks. ● ● ●

37 37 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs Principle 10: Physical deliveries – FMI Act 2021 reference s34(2) and s 34(1)(g) (Provision in rules and monitoring of activities by FMI operator) “An FMI should clearly state its obligations with respect to the delivery of physical instruments or commodities and should identify, monitor, and manage the risks associated with such physical deliveries.” ● ● ●

1. An FMI’s rules should clearly state its obligations with respect to the delivery of physical instruments or commodities. ● ● ●
2. An FMI should identify, monitor, and manage the risks and costs associated with the storage and delivery of physical instruments or commodities. ● ● ● Principle 11: Central securities depositories – FMI Act 2021 reference s34(2) (Monitoring of activities by FMI operator) “A CSD should have appropriate rules and procedures to help ensure the integrity of securities issues and minimise and manage the risks associated with the safekeeping and transfer of securities. A CSD should maintain securities in an immobilised or dematerialised form for their transfer by book entry.” ●
3. A CSD should have appropriate rules, procedures, and controls, including robust accounting practices, to safeguard the rights of securities issuers and holders, prevent the unauthorised creation or deletion of securities, and conduct periodic and at least daily reconciliation of securities issues it maintains. ●
4. A CSD should prohibit overdrafts and debit balances in securities accounts. ●
5. A CSD should maintain securities in an immobilised or dematerialised form for their transfer by book entry. Where appropriate, a CSD should provide incentives to immobilise or dematerialise securities. ●
6. A CSD should protect assets against custody risk through appropriate rules and procedures consistent with its legal framework. ●
7. A CSD should employ a robust system that ensures segregation between the CSD’s own assets and the securities of its participants and segregation among the securities of participants. Where supported by the legal framework, the CSD should also support operationally the segregation of securities belonging to a participant’s customers on the participant’s books and facilitate the transfer of customer holdings. ●

38 38 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 6. A CSD should identify, measure, monitor, and manage its risks from other activities that it may perform; additional tools may be necessary in order to address these risks. ● Principle 12: Exchange-of-value settlement systems – FMI Act 2021 reference s34(2) (Provisions in rules) “If an FMI settles transactions that involve the settlement of two linked obligations (for example, securities or foreign exchange transactions), it should eliminate principal risk by conditioning the final settlement of one obligation upon the final settlement of the other.” ● ● ● 7. An FMI that is an exchange-of-value settlement system should eliminate principal risk by ensuring that the final settlement of one obligation occurs if and only if the final settlement of the linked obligation also occurs, regardless of whether the FMI settles on a gross or net basis and when finality occurs. ● ● ● Principle 13: Participant-default rules and procedures – FMI Act 2021 reference s34(1)(h) (rules for participant default) “An FMI should have effective and clearly defined rules and procedures to manage a participant default. These rules and procedures should be designed to ensure that the FMI can take timely action to contain losses and liquidity pressures and continue to meet its obligations.” ● ● ● ●

1. An FMI should have default rules and procedures that enable the FMI to continue to meet its obligations in the event of a participant default and that address the replenishment of resources following a default. ● ● ● ●
2. An FMI should be well prepared to implement its default rules and procedures, including any appropriate discretionary procedures provided for in its rules. ● ● ● ●
3. An FMI should publicly disclose key aspects of its default rules and procedures. ● ● ● ●
4. An FMI should involve its participants and other stakeholders in the testing and review of the FMI’s default procedures, including any close-out procedures. Such testing and review should be conducted at least annually or following material changes to the rules and procedures to ensure that they are practical and effective. ● ● ● ●

39 39 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs Principle 14: Segregation and portability – FMI Act 2021 reference s34(1)(f) (Contingency plans) “A CCP should have rules and procedures that enable the segregation and portability of positions of a participant’s customers and the collateral provided to the CCP with respect to those positions.” ●

1. A CCP should, at a minimum, have segregation and portability arrangements that effectively protect a participant’s customers’ positions and related collateral from the default or insolvency of that participant. If the CCP additionally offers protection of such customer positions and collateral against the concurrent default of the participant and a fellow customer, the CCP should take steps to ensure that such protection is effective. ●
2. A CCP should employ an account structure that enables it readily to identify positions of a participant’s customers and to segregate related collateral. A CCP should maintain customer positions and collateral in individual customer accounts or in omnibus customer accounts. ●
3. A CCP should structure its portability arrangements in a way that makes it highly likely that the positions and collateral of a defaulting participant’s customers will be transferred to one or more other participants. ●
4. A CCP should disclose its rules, policies, and procedures relating to the segregation and portability of a participant’s customers’ positions and related collateral. In particular, the CCP should disclose whether customer collateral is protected on an individual or omnibus basis. In addition, a CCP should disclose any constraints, such as legal or operational constraints, that may impair its ability to segregate or port a participant’s customers’ positions and related collateral. ● Principle 15: General business risk – FMI Act 2021 reference s34(1)(e)(i) “An FMI should identify, monitor, and manage its general business risk and hold sufficient liquid net assets funded by equity to cover potential general business losses so that it can continue operations and services as a going concern if those losses materialise. Further, liquid net assets should at all times be sufficient to ensure a recovery or orderly wind￾down of critical operations and services.” ● ● ● ● ●
5. An FMI should have robust management and control systems to identify, monitor, and manage general business risks, including losses from poor execution of business strategy, negative cash flows, or unexpected and excessively large operating expenses. ● ● ● ● ●

40 40 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 2. An FMI should hold liquid net assets funded by equity (such as common stock, disclosed reserves, or other retained earnings) so that it can continue operations and services as a going concern if it incurs general business losses. The amount of liquid net assets funded by equity an FMI should hold should be determined by its general business risk profile and the length of time required to achieve a recovery or orderly wind-down, as appropriate, of its critical operations and services if such action is taken. ● ● ● ● ● 3. An FMI should maintain a viable recovery or orderly wind-down plan and should hold sufficient liquid net assets funded by equity to implement this plan. At a minimum, an FMI should hold liquid net assets funded by equity equal to at least six months of current operating expenses. These assets are in addition to resources held to cover participant defaults or other risks covered under the financial resources principles. However, equity held under international risk- based capital standards can be included where relevant and appropriate to avoid duplicate capital requirements. ● ● ● ● ● 4. Assets held to cover general business risk should be of high quality and sufficiently liquid in order to allow the FMI to meet its current and projected operating expenses under a range of scenarios, including in adverse market conditions. ● ● ● ● ● 5. An FMI should maintain a viable plan for raising additional equity should its equity fall close to or below the amount needed. This plan should be approved by the board of directors and updated regularly. ● ● ● ● ● Principle 16: Custody and investment risks – FMI Act 2021 reference s34(1)(e) (v). “An FMI should safeguard its own and its participants’ assets and minimise the risk of loss on and delay in access to these assets. An FMI’s investments should be in instruments with minimal credit, market, and liquidity risks.” ● ● ● ●

1. An FMI should hold its own and its participants’ assets at supervised and regulated entities that have robust accounting practices, safekeeping procedures, and internal controls that fully protect these assets. ● ● ● ●
2. An FMI should have prompt access to its assets and the assets provided by participants, when required. ● ● ● ●
3. An FMI should evaluate and understand its exposures to its custodian banks, taking into account the full scope of its relationships with each. ● ● ● ●

41 41 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 4. An FMI’s investment strategy should be consistent with its overall risk- management strategy and fully disclosed to its participants, and investments should be secured by, or be claims on, high￾quality obligors. These investments should allow for quick liquidation with little, if any, adverse price effect. ● ● ● ● Principle 17: Operational risk – FMI Act 2021 s34(1)(e)(ii) (operational risk management) s34(1)(e)(vii) (cybersecurity risk management) and s34(1)(f) (contingency plans). Other materials include the CPMI-IOSCO guidance, the CPMI-IOSCO report and the RBNZ Cyber Guidance. “An FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide￾scale or major disruption.” ● ● ● ● ●

1. An FMI should establish a robust operational risk-management framework with appropriate systems, policies, procedures, and controls to identify, monitor, and manage operational risks. ● ● ● ● ●
2. An FMI’s board of directors should clearly define the roles and responsibilities for addressing operational risk and should endorse the FMI’s operational risk-management framework. Systems, operational policies, procedures, and controls should be reviewed, audited, and tested periodically and after significant changes. ● ● ● ● ●
3. An FMI should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives. ● ● ● ● ●
4. An FMI should ensure that it has scalable capacity adequate to handle increasing stress volumes and to achieve its service-level objectives. ● ● ● ● ●
5. An FMI should have comprehensive physical and information security policies that address all potential vulnerabilities and threats. ● ● ● ● ●

42 42 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 6. An FMI should have a business continuity plan that addresses events posing a significant risk of disrupting operations, including events that could cause a wide-scale or major disruption. The plan should incorporate the use of a secondary site and should be designed to ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events. The plan should be designed to enable the FMI to complete settlement by the end of the day of the disruption, even in case of extreme circumstances. The FMI should regularly test these arrangements. ● ● ● ● ● 7. An FMI should identify, monitor, and manage the risks that key participants, other FMIs, and service and utility providers might pose to its operations. In addition, an FMI should identify, monitor, and manage the risks its operations might pose to other FMIs. ● ● ● ● ● Principle 18: Access and participation requirements – FMI Act 2021 reference s34(1)(c) (access and participation) “An FMI should have objective, risk-based, and publicly disclosed criteria for participation, which permit fair and open access” ● ● ● ● ●

1. An FMI should allow for fair and open access to its services, including by direct and, where relevant, indirect participants and other FMIs, based on reasonable risk-related participation requirements. ● ● ● ● ●
2. An FMI’s participation requirements should be justified in terms of the safety and efficiency of the FMI and the markets it serves, be tailored to and commensurate with the FMI’s specific risks, and be publicly disclosed. Subject to maintaining acceptable risk control standards, an FMI should endeavour to set requirements that have the least- restrictive impact on access that circumstances permit. ● ● ● ● ●
3. An FMI should monitor compliance with its participation requirements on an ongoing basis and have clearly defined and publicly disclosed procedures for facilitating the suspension and orderly exit of a participant that breaches, or no longer meets, the participation requirements. ● ● ● ● ● Principle 19: Tiered participation arrangements – FMI Act 2021 reference s34(1)(c) (general business risk management). “An FMI should identify, monitor, and manage the material risks to the FMI arising from tiered participation arrangements.” ● ● ● ● ●
4. An FMI should ensure that its rules, procedures, and agreements allow it to gather basic information about indirect participation in order to identify, monitor, and manage any material risks to the FMI arising from such tiered participation arrangements. ● ● ● ● ●

43 43 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 2. An FMI should identify material dependencies between direct and indirect participants that might affect the FMI. ● ● ● ● ● 3. An FMI should identify indirect participants responsible for a significant proportion of transactions processed by the FMI and indirect participants whose transaction volumes or values are large relative to the capacity of the direct participants through which they access the FMI in order to manage the risks arising from these transactions. ● ● ● ● ● 4. An FMI should regularly review risks arising from tiered participation arrangements and should take mitigating action when appropriate. ● ● ● ● ● Principle 20: FMI links – FMI Act 2021 reference 34(1)(e) (viii),(ix) (interconnection risk management) and s34(1)(g) (monitoring of activities by FMI operators). “An FMI that establishes a link with one or more FMIs should identify, monitor, and manage link-related risks.” ● ● ● ●

1. Before entering into a link arrangement and on an ongoing basis once the link is established, an FMI should identify, monitor, and manage all potential sources of risk arising from the link arrangement. Link arrangements should be designed such that each FMI is able to observe the other principles in this report. ● ● ● ●
2. A link should have a well-founded legal basis, in all relevant jurisdictions, that supports its design and provides adequate protection to the FMIs involved in the link. ● ● ● ●
3. Linked CSDs should measure, monitor, and manage the credit and liquidity risks arising from each other. Any credit extensions between CSDs should be covered fully with high-quality collateral and be subject to limits. ● ●
4. Provisional transfers of securities between linked CSDs should be prohibited or, at a minimum, the retransfer of provisionally transferred securities should be prohibited prior to the transfer becoming final. ● ●
5. An investor CSD should only establish a link with an issuer CSD if the arrangement provides a high-level of protection for the rights of the investor CSD’s participants. ● ●
6. An investor CSD that uses an intermediary to operate a link with an issuer CSD should measure, monitor, and manage the additional risks (including custody, credit, legal, and operational risks) arising from the use of the intermediary. ● ●

44 44 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 7. Before entering into a link with another CCP, a CCP should identify and manage the potential spill-over effects from the default of the linked CCP. If a link has three or more CCPs, each CCP should identify, assess, and manage the risks of the collective link arrangement. ● 8. Each CCP in a CCP link arrangement should be able to cover, at least on a daily basis, its current and potential future exposures to the linked CCP and its participants, if any, fully with a high degree of confidence without reducing the CCP’s ability to fulfil its obligations to its own participants at any time. ● 9. A TR should carefully assess the additional operational risks related to its links to ensure the scalability and reliability of IT and related resources. ● Principle 21: Efficiency and effectiveness – FMI Act 2021 reference 34(1) (a), (e), (i) and (k) (governance, risk management, disclosure, and relevant international standards). “An FMI should be efficient and effective in meeting the requirements of its participants and the markets it serves.” ● ● ● ● ●

1. An FMI should be designed to meet the needs of its participants and the markets it serves, in particular, with regard to choice of a clearing and settlement arrangement; operating structure; scope of products cleared, settled, or recorded; and use of technology and procedures. ● ● ● ● ●
2. An FMI should have clearly defined goals and objectives that are measurable and achievable, such as in the areas of minimum service levels, risk-management expectations, and business priorities. ● ● ● ● ●
3. An FMI should have established mechanisms for the regular review of its efficiency and effectiveness. ● ● ● ● ● Principle 22: Communication procedures and standards – FMI Act 2021 reference 34(1) (e) and (i) (risk management and disclosure). “An FMI should use, or at a minimum accommodate, relevant internationally accepted communication procedures and standards in order to facilitate efficient payment, clearing, settlement, and recording.” ● ● ● ● ●
4. An FMI should use, or at a minimum accommodate, internationally accepted communication procedures and standards. ● ● ● ● ●

45 45 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs Principle 23: Disclosure of rules, key procedures, and market data – FMI Act 2021 reference s34(1)(i) (Monitoring of activities by FMI operator). “An FMI should have clear and comprehensive rules and procedures and should provide sufficient information to enable participants to have an accurate understanding of the risks, fees, and other material costs they incur by participating in the FMI. All relevant rules and key procedures should be publicly disclosed.” ● ● ● ● ●

1. An FMI should adopt clear and comprehensive rules and procedures that are fully disclosed to participants. Relevant rules and key procedures should also be publicly disclosed. ● ● ● ● ●
2. An FMI should disclose clear descriptions of the system’s design and operations, as well as the FMI’s and participants’ rights and obligations, so that participants can assess the risks they would incur by participating in the FMI. ● ● ● ● ●
3. FMI should provide all necessary and appropriate documentation and training to facilitate participants’ understanding of the FMI’s rules and procedures and the risks they face from participating in the FMI. ● ● ● ● ●
4. An FMI should publicly disclose its fees at the level of individual services it offers as well as its policies on any available discounts. The FMI should provide clear descriptions of priced services for comparability purposes. ● ● ● ● ●
5. An FMI should complete regularly and disclose publicly responses to the CPSS-IOSCO Disclosure framework for financial market infrastructures. An FMI also should, at a minimum, disclose basic data on transaction volumes and values. ● ● ● ● ● Principle 24: Disclosure of market data by trade repositories – FMI Act 2021 reference s34(1)(i) (information disclosure) “A TR should provide timely and accurate data to relevant authorities and the public in line with their respective needs.” ●
6. A TR should provide data in line with regulatory and industry expectations to relevant authorities and the public, respectively, that is comprehensive and at a level of detail sufficient to enhance market transparency and support other public policy objectives. ●
7. A TR should have effective processes and procedures to provide data to relevant authorities in a timely and appropriate manner to enable them to meet their respective regulatory mandates and legal responsibilities. ●

46 46 The Financial Market Infrastructures Act Implementation Plan PFMI Key considerations PSs CSDs SSSs CCPs TRs 3. A TR should have robust information systems that provide accurate current and historical data. Data should be provided in a timely manner and in a format that permits it to be easily analysed. ●

47 47 The Financial Market Infrastructures Act Implementation Plan Annex C: Considerations on the incorporating the PFMI into standards by reference Considerations set out in the Legislation Guidelines Applicability to PFMI and FMI standards Quality: There is a risk that the incorporated material is not sufficiently certain or understandable to be appropriate for legislation. This is particularly important if the material is the basis for offences and is a common problem if the material incorporated was developed for another purpose (for example, guidance). The PFMI are well-drafted and understandable. They are slightly more high-level than binding standards should be, so we may wish to add more detail or use more precise language in drafting the FMI standards to provide certainty. The material is not the basis for offences (rather, pecuniary penalties) and was developed for a similar purpose. Accessibility: Legislation should be easy to find and use. Incorporated material should be as accessible as the legislation that incorporates it. The PFMI are easy to find and use – available online, free of charge. The PFMI are accessible to the same extent as the FMI standards we set will be. Legitimacy: If it is possible for changes to incorporated material to automatically flow through into the legislation, Parliament or the other law maker does not have control over the content of the secondary legislation. Sub-delegation of this kind needs to be carefully considered and authorised. IOSCO could change the PFMI, however, section 53 of the Legislation Act sets out the following safeguard: “Amendments made by the originator of the material have no legal effect as part of the instrument unless they are specifically incorporated by a later instrument…” Good process: An appropriate process should be followed in making the law. If incorporation by reference enables the usual process to be bypassed, this can be problematic. Incorporating the PFMI into the FMI standards by reference would not enable the usual process to be bypassed as we would still be consulting on the standards so they would be subject to scrutiny. Simplicity and consistency: Incorporation by reference can enable the law to be shorter, simpler, and more consistent. It can remove significant technical detail that undermines the ease of finding and using the core requirements. It can simplify compliance by allowing users to rely on material they are already complying with in another context. While incorporating the PFMI in the FMI standards by reference would make the standards shorter, it would not make them easier to use compared to if the material were to be incorporated in full. Also, although FMIs are (voluntarily) complying with the PFMI already, we would likely want to tailor the standards and add more detailed requirements. Further requirements in the Legislation Act 2012 Requirement to consult on the proposal to incorporate material by reference (section 51): Before an instrument incorporating material by reference is made, the chief executive of the administering department must:  make copies of the material proposed to be incorporated by reference available;  state where copies of the proposed material are available (for purchase or free of charge);  give notice in the Gazette that the proposed material is available; and  allow a reasonable opportunity for persons to comment on the proposal.

48 48 The Financial Market Infrastructures Act Implementation Plan Access to incorporated material must be provided (section 52): This section imposes similar requirements on the chief executive to provide access to the material once it has been incorporated by reference. The chief executive must also:  make copies of the material available on its internet unless to do so would infringe copyright; and  publish a notice in the Gazette specifying a number of matters (the fact material has been incorporated, the date the instrument is made and how the material can be accessed). Proof of material incorporated by reference (section 54): The chief executive must retain a copy of the material that is incorporated by reference and certify it as a correct copy.

49 49 The Financial Market Infrastructures Act Implementation Plan Annex D: Comparison of CPMI-IOSCO Guidance and RBNZ Guidance on Cyber Resilience Contents of CPMI-IOSCO Guidance not covered by RBNZ Guidance Interconnectedness (2.2.4, 3.3, 4.3.1, 6.4.2-6.4.4, 7.3) 2 hour recovery time objective (6.2.2) Other minor differences Given the extensive interconnections in the financial system, the cyber resilience of an FMI is in part dependent on that of interconnected FMIs, of service providers and of the participants. The CMPI-IOSCO Guidance (C-I Guidance) suggests that FMIs should identify the cyber risks that it bears from and poses to entities in its ecosystem. It should work with them to coordinate and design resilience efforts. The RBNZ Guidance (RB Guidance) is drafted for a pan-sector purpose (banking, insurance, and FMIs), while the IOSCO guidance is developed to reflect the unique nature and importance of FMIs. The RBNZ Guidance is largely consistent with the C-I Guidance. Both are principles-based so are technology-agnostic and future￾proofed by providing a set of high-level recommendations. The RB Guidance does include a section about “third-party management”. However, the focus is on managing cyber risk associated with third-party service providers, rather than explicitly emphasising the interconnectedness between FMIs and their participants. The C-I Guidance suggests a 2 hour recovery time objective for designated FMIs. The RBNZ considers that it is appropriate considering the crucial role of FMIs in the financial system. There is a much lower risk tolerance towards FMIs compared to other financial institutions. We are interested to know whether this timeframe is reasonable from an operational perspective, and deserves any further consideration. By comparison, the pan-sector guidance developed by the RBNZ does not pose any compulsory requirement on the recovery timeframe on its regulated entities, leaving space for different types of regulated entities to choose their own desired recovery timeframe according to their risk appetite. Under the C-I Guidance, continuous monitoring should be undertaken (in real-time, or near real-time) and FMIs should detect anomalous activities and events. An FMI should monitor relevant internal and external factors (5.2.1 and 5.2.2.). By contrast, the RB Guidance does not specify ‘continuous’ monitoring.

50 50 The Financial Market Infrastructures Act Implementation Plan Contents of RBNZ Guidance not covered by CPMI-IOSCO Guidance Information reporting requirement (Part C) Outsourcing Cloud Computing Service Providers (D8) C1.2 of the RB guidance states that “the entity should meet relevant regulatory requirements for reporting information regarding cyber incidents and cyber resilience preparedness.” The RBNZ plans to develop an information gathering and sharing plan with the FMA, CERT NZ and NCSC and publish the plan in 2021 for public consultation. The information gathering and sharing plan will cover 2 aspects: surveys on cyber resilience capability and reporting on cyber incidents. The survey on cyber resilience will be carried out infrequently (annually or every 2 years) while the reporting requirements on cyber incidents will be on an on-going basis. The information collection plan will include the definition of material cyber incidents (based on a pre-defined threshold) and periodic statistics about all types of cyber incidents experienced by FMIs. An FMI will need to notify us immediately if it becomes aware of a material cyber incident or outage. The RBNZ Guidance includes a subsection about outsourcing to cloud computing service providers. However, cloud-specific content has not been mentioned in C-I guidance.