Presentation transcript: "Oversight, PFMI and Business Continuity Management"
1 Oversight, PFMI and Business Continuity Management
Michiel van Doeveren
Sixth Macedonian Financial Sector Conference on Payments and Securities Settlement Systems
Ohrid, 1-3 July 2013
2 Agenda
- What is Oversight?
- Standards and methodology
- Overlay services and access to bank accounts
- CPSS Principles for Financial Market Infrastructures
- Framework for Business Continuity Planning
3 DNB – Oversight: Mission
Oversight aims to contribute to and maintain financial stability by:
- reducing systemic risks
- promoting adequate payment settlements in the Netherlands
Criterion for DNB Oversight: relevance for the Netherlands (both domestically and located abroad)
5 Oversight on Equens
- European market share: 10-15%
- 10 cross-border links with other retail payment systems
- Regular meetings with operator: every 6 weeks
- Quarterly meetings with CEO Equens and Head Oversight
7 Oversight standards (for payment schemes)
- Standard 1: The scheme should have a sound legal basis under all relevant jurisdictions
- Standard 2: The scheme should ensure that comprehensive information, including appropriate information on financial risks, is available for all actors
- Standard 3: The scheme should ensure an adequate degree of security, operational reliability and business continuity
- Standard 4: The scheme should implement effective, accountable and transparent governance arrangements
- Standard 5: The scheme should manage and contain financial risks in relation to the clearing and settlement process
8 FMI Venn diagram (figure; labels only)
- Financial infrastructure: ELMI, correspondent banking, payment institutions, retail payment instruments, exchange / MTF, ACH, CSP, OTC trading
- Financial Market Infrastructures: TR, CCP, SSS, CSD, SIPS
- Rest of economy: end-investors, consumers, merchants, banks, corporates, pension funds, insurance companies, government / public sector
- Banks as participants of FMIs
9 FMI warehouse (figure; labels only)
- 2nd floor: derivatives (TR, CCP); securities (exchange / MTF, CCP, SSS, CSD, OTC); links between FMIs
- 1st floor: large-value payments (SIPS)
- GF: retail payments (ACH)
- Participants: bank as direct participant of FMI; bank as indirect participant of FMI; end client; correspondent banking
- CSP: messaging (SWIFT), datacom, IT-processing
- Three types of interdependencies: system-based, institutions-based, environmental
10 Fundamental risks of the financial infrastructure
Three fundamental risks:
- Settlement risk (at the level of individual transactions, anywhere)
- Infrastructural systemic risk (at the 1st and 2nd floor of the warehouse)
- Social unrest (warehouse basement and ground floor)
11 Why Oversight on Financial Infrastructure?
- Improve safety and efficiency of the financial infrastructure (financial stability)
- Mitigate infrastructural systemic risk
- Prevent social unrest
- Oversight assesses compliance with internationally agreed principles (standards) and induces change where compliance is not fully observed
- No standards, no oversight
12 Features of the Oversight Principles
- Risk reduction standards
- Minimum character
- Principle-based, not rule-based
- Prevention (ex ante): design of systems
- Feedback (cyclical): assessment of operation of systems
13 Oversight scoring table (table not reproduced)
Scoring per principle; no overall score
14 Example assessment outcome of a CCP
European Multilateral Clearing Facility (EMCF)
15 How are the Oversight standards set?
- Committee on Payment and Settlement Systems (CPSS)
- International Organisation of Securities Commissions (IOSCO)
- Eurosystem (User Standards for SSS and standards for credit transfers, direct debit and cards)
- CPSS-IOSCO Principles for Financial Market Infrastructures (2012)
16 What are financial market infrastructures?
Definition: An FMI is a multilateral system among participating financial institutions, including the operator of the system, used for the purposes of recording, clearing, or settling payments, securities, derivatives, or other financial transactions.
In practice:
- Systemically Important Payment Systems (SIPS)
- Central Securities Depositories (CSD)
- Securities Settlement Systems (SSS)
- Central Counterparties (CCP)
- Trade Repositories (TR)
17 CPSS-IOSCO Principles for FMIs
Principles for Financial Market Infrastructures (24), grouped:
- General organisation (3): legal risk, governance, risk management framework
- Credit & liquidity risk management (4): credit risk, collateral, margin, liquidity risk
- Settlement (3): finality, money settlements, physical deliveries
- CSDs and exchange-of-value settlement systems (2): CSD, DVP
- Default management (2): participant default, segregation & portability
- General business and operational risk management (3): business risk, investment risk, operational risk
- Access (3): access, tiering, links
- Efficiency (2): efficiency, communication standards
- Transparency (2): disclosure of system rules, disclosure of market data
Legend (colour coding not reproduced): completely new / raising the bar / basically unchanged
18 Dual consent: a new approach
Integrated approach: access to a bank account by a third party is only acceptable if the account holder and the bank agree contractually on the conditions.
19 Discussion points
- How to stimulate innovation and security in the access to payment accounts?
- Is Dual Consent a good solution for access to payment accounts?
- Are there other elements to take into account in the further analysis of the approach?
20 Principles for Financial Market Infrastructures (FMI)
Co-production of:
- BIS Committee on Payment and Settlement Systems (CPSS)
- Technical Committee of the International Organization of Securities Commissions (IOSCO)
The FMI Principles replace all older separate principles for Systemically Important Payment Systems, Securities Settlement Systems and Retail Payment Systems.
The final report was published in 2012.
21 FMI Principles: General organisation
- Principle 1: Legal basis
- Principle 2: Governance
- Principle 3: Framework for the comprehensive management of risks
23 What is Business Continuity?
Business Continuity Management: a whole-of-business approach that includes policies, standards, and procedures, to ensure (critical) operations can be maintained, or restored in a timely fashion, in the event of a disruption. Its purpose is to minimise the financial, legal, reputational and other material consequences arising from disruption.
Source: BIS 2005
24 Financial Core Infrastructure (FCI)
The FCI is:
- A list of financial institutions and financial market infrastructures that form the critical parts of the Dutch payment and securities infrastructure
- Compiled by DNB in collaboration with the Ministry of Finance and the Authority for the Financial Markets (AFM)
26 Financial Core Infrastructure
Criteria:
- Disruption of the institution leads to large financial losses for the economy or to serious social upheaval.
- The institution is directly regulated in the Netherlands.
- Cumulative 80% of the total transaction volume or value.
27 Financial Core Infrastructure
Requirements for FCI institutions:
- Comply with the DNB Business Continuity Assessment Framework.
- Participate in the sector crisis management organisation.
- Connect to the terrorism alert system.
- Contribute to critical infrastructure programs and projects.
28 Tripartite Crisis Management Organisation
The goal of this organisational structure is to perform sector crisis management in case of a major operational disruption of payment and / or securities systems and infrastructures.
31 DNB BCP Assessment Framework (1)
- Drafted in cooperation with the financial institutions
- Commitment to use it on a high level
- The Assessment Framework consists of: 9 'principles'; a Guidance note on the Human Factor; an agreement between DNB and the financial sector for joint BCP initiatives
- In line with international principles such as those of the BIS
- Used by supervisor and overseer to assess the institutions of the financial core infrastructure against these principles
32 DNB BCP Assessment Framework (2)
1. The BCP should be approved by the EB/senior management
2. Risk analyses of critical systems and activities should be made
3. Explicit attention should be paid to the human factor
33 DNB BCP Assessment Framework (3)
4. Each institution should have a crisis organisation, including senior management
5. Single points of failure (SPOFs) should be identified
6. Critical processes and systems should be resumed as quickly as possible
34 DNB BCP Assessment Framework (4)
7. A back-up site/secondary site should be available
8. Alternate systems and contingency procedures should be regularly tested and exercised
9. Each institution should have a communication plan for all stakeholders
35 DNB Assessment framework (diagram)
Questions:
- Why is the process unavailable?
- What is the cause?
- What controls / measures are available?
- What residual risks remain?
(Partial) unavailability of (and/or): people, IT systems, communications, buildings
Causes:
- Natural calamities (fire, storm, earthquake, flood etc.)
- Technical failure (hardware / software malfunction, power cut etc.)
- Organisational failure (human error, sickness etc.)
- Wilful malice (sabotage, terrorism, cybercrime etc.)
Measure / control categories: preventive, detective, corrective, response
Output: list of accepted residual risks
36 Guidance Note Human factor
- Assessment showed that institutions have problems with principle 3, paying explicit attention to the human factor
- DNB developed a 'Guidance note human factor' to assess the human factor aspect for critical systems and business processes, depending on the level of knowledge that is required (specific in the extreme, highly specific, specific, not very specific, not specific)
- Matrix with level of required knowledge and human factor strategy: see – payments – BCP
37 Human factor matrix (figure; cell contents not reproduced; red = highest, green = lowest)
Required level of knowledge of systems/business processes:
- specific in the extreme (a) [red]
- highly specific (b)
- specific (c)
- not very specific (d)
- not specific (e) [green]
Ways of ensuring staff continuity:
1. double staffing at another location
2. planned scheduling of days off
3. shift work
4. use of staff from another location where a similar situation is operational
5. use of staff from another location where a similar situation is not operational
41 Players/documents – Professional bodies, e.g.
- BCI (Business Continuity Institute): Good Practice Guideline
- BCM Academy: BCM Pocketbook
- ENISA (European Network and Information Security Agency): Business and IT continuity: overview and implementation principles; Inventory of business and IT continuity methods / tools
42 Players/documents – Standards bodies
- BSI (British Standards Institution): BS 25777: Information and communication technology continuity management; BS 25999: Business continuity management
- ISO (International Organization for Standardization): ISO / PAS 22399: Guidelines for incident preparedness and operational continuity management; ISO / IEC 27031: ICT readiness for business continuity; ISO / IEC 24762: Guidelines for information and communication technology disaster recovery services
43 Players – Regulators (supervisors / overseers)
Global:
- BIS – BCBS / BIS – CPSS (Bank for International Settlements – Basel Committee on Banking Supervision / Committee on Payment and Settlement Systems)
- FSB (Financial Stability Board)
- IOSCO (International Organization of Securities Commissions)
- IAIS (International Association of Insurance Supervisors)
- Joint Forum (BCBS – IOSCO – IAIS)