Dia 1 - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Oversight, PFMI and Business Continuity Management
Michiel van Doeveren
Sixth Macedonian Financial Sector Conference on Payments and Securities Settlement Systems
Ohrid, 1-3 July 2013
2
Agenda
  • What is Oversight?
  • Standards and methodology
  • Overlay services and access to bank accounts
  • CPSS Principles for Financial Market
    Infrastructures
  • Framework for Business Continuity Planning

3
DNB Oversight Mission
  • Oversight aims to contribute to and maintain financial stability by:
    • Reducing systemic risks
    • Promoting adequate payment settlements in the
      Netherlands
  • Criterion for DNB Oversight: relevance for the
    Netherlands (both domestically and located
    abroad)

4
DNB Oversight - Objects
  • Payment systems
    • Wholesale
    • Retail
  • Payment instruments
  • Securities clearing and settlement
  • Risk-based approach, no scientific approach (so
    far)
  • Accountability (and explain)
  • Annual Oversight Report, http://www.dnb.nl/Oversight

5
Oversight on Equens
  • European market share 10-15%
  • 10 crossborder links with other Retail Payment
    Systems
  • Regular meetings with operator every 6 weeks
  • Quarterly meetings with CEO Equens and Head
    Oversight

6
Oversight (on payment schemes)
  • Oversight framework: Standards
  • Oversight methodology: Key issues
  • Oversight guide: Key checkpoints

7
Oversight standards (for payment schemes)
  • Standard 1: The scheme should have a sound legal
    basis under all relevant jurisdictions
  • Standard 2: The scheme should ensure that
    comprehensive information, including appropriate
    information on financial risks, is available for
    all actors
  • Standard 3: The scheme should ensure an adequate
    degree of security, operational reliability and
    business continuity
  • Standard 4: The scheme should implement
    effective, accountable and transparent governance
    arrangements
  • Standard 5: The scheme should manage and contain
    financial risks in relation to the clearing and
    settlement process

8
FMI Venn diagram
Banks as participants of FMIs
9
FMI Warehouse (links)
10
Fundamental risks financial infrastructure
  • Three fundamental risks:
    • Settlement risk (at the level of individual
      transactions, anywhere)
    • Infrastructural systemic risk (at the 1st and
      2nd floor of the warehouse)
    • Social unrest (warehouse basement and ground
      floor)

11

Why Oversight on Financial Infrastructure?
  • Improve safety and efficiency of financial
    infrastructure → financial stability
  • Mitigate infrastructural systemic risk
  • Prevent social unrest
  • Oversight assesses compliance with
    internationally agreed principles (standards) and
    induces change where compliance is not fully
    observed
  • No standards, no oversight

12

Features of the Oversight Principles
  • Risk reduction standards
  • Minimum character
  • Principle-based, not rule-based
  • Prevention (ex ante)
  • Design of systems
  • Feedback (cyclical)
  • Assessment of operation of systems

13
Oversight scoring table
Scoring per principle; no overall score
14
Example assessment outcome of a CCP
European Multilateral Clearing Facility (EMCF)
15
How are the Oversight standards set?
  • Committee on Payment and Settlement Systems
    (CPSS)
  • International Organisation of Securities
    Commissions (IOSCO)
  • Eurosystem (User Standards for SSS and standards
    for credit transfers, direct debit and cards)
  • CPSS-IOSCO Principles for Financial Market
    Infrastructures (2012)

16
What are financial market infrastructures?
  • Definition
  • An FMI is a multilateral system among
    participating financial institutions, including
    the operator of the system, used for the purposes
    of recording, clearing, or settling payments,
    securities, derivatives, or other financial
    transactions.
  • In practice
  • Systemically Important Payment Systems (SIPS)
  • Central Securities Depositories (CSD)
  • Securities Settlement Systems (SSS)
  • Central Counterparties (CCP)
  • Trade Repositories (TR)

17
CPSS-IOSCO Principles for FMIs
Principles for Financial Market Infrastructures (24)
  • General organisation (3): Legal risk, Governance,
    Risk management framework
  • Credit & liquidity risk management (4): Credit risk,
    Collateral, Margin, Liquidity risk
  • Settlement (3): Finality, Money settlements,
    Physical deliveries
  • CSDs and exchange of value settlement systems (2):
    CSD, DVP
  • Default management (2): Participant default,
    Segregation & portability
  • General business and operational risk management
    (3): Business risk, Investment risk, Operational risk
  • Access (3): Access, Tiering, Links
  • Efficiency (2): Efficiency, Communication standards
  • Transparency (2): Disclosure system rules,
    Disclosure market data
Legend: completely new, raising the bar, basically unchanged
18
Dual consent: a new approach
  • Integrated approach
  • Access to a bank account by a third party is only
    acceptable if account holder and bank agree
    contractually on the conditions.

19
Discussion points
  • How to stimulate innovations and security in the
    access to payment accounts?
  • Is Dual Consent a good solution for access to
    payment accounts?
  • Are there other elements to take care of in the
    further analysis of the approach?

20
Principles for Financial Market Infrastructures
(FMI)
  • Co-production of:
    • BIS Committee on Payment and Settlement Systems
    • Technical Committee of the International
      Organization of Securities Commissions (IOSCO)
  • FMI Principles replace all older separate
    principles for Systemically Important Payment
    Systems, Securities Settlement Systems and Retail
    Payment Systems
  • Final report was published in 2012

21
FMI Principles
  • General organisation
    • Principle 1: Legal basis
    • Principle 2: Governance
    • Principle 3: Framework for the comprehensive
      management of risks

22

23
What is Business Continuity?
  • Business Continuity Management: a
    whole-of-business approach, that includes
    policies, standards, and procedures, to ensure
    (critical) operations can be maintained, or
    restored in a timely fashion, in the event of a
    disruption.
  • Its purpose is to minimise the financial, legal,
    reputational and other material consequences
    arising from disruption. Source: BIS 2005

24
Financial Core Infrastructure (FCI)
  • The FCI is
  • A list of financial institutions and financial
    market infrastructures that form the critical
    parts of the Dutch payment and securities
    infrastructure
  • Compiled by DNB in collaboration with Ministry of
    Finance and Authority for Financial Markets (AFM)

25
Financial Core Infrastructure
  • Why
  • Effective operational crisis management
  • Stricter requirements for crucial players
    concerning operational reliability

26
Financial Core Infrastructure
  • Criteria
  • Disruption of the institution leads to large
    financial losses for the economy or leads to
    serious social upheaval.
  • The institution is directly regulated in the
    Netherlands.
  • Cumulative 80% of the total transaction volume or
    value.

27
Financial Core Infrastructure
  • Requirements for FCI institutions
  • Comply with the DNB Business Continuity
    Assessment Framework.
  • Participate in the sector crisis management
    organisation
  • Connect to the terrorism alert system.
  • Contribute to critical infrastructure programs
    and projects.

28
Tripartite Crisis Management Organization
  • The goal of this organisational structure is to
    perform sector crisis management in case of a
    major operational disruption of payment and / or
    securities systems and infrastructures.

29
Tripartite Crisis Management Organization
30
(Inter)national crisis management
31
DNB BCP Assessment Framework (1)
  • Drafted in cooperation with the financial
    institutions
  • Commitment to use it on a high level
  • Assessment Framework consists of:
    • 9 principles
    • Guidance note Human Factor
  • Agreement between DNB and the financial sector
    for joint BCP initiatives
  • In line with international principles such as BIS
  • Used by supervisor and overseer to assess the
    institutions of the financial core infrastructure
    against these principles

32
DNB BCP Assessment Framework (2)
  1. BCP should be approved by the EB/senior
    management
  2. Risk analyses of critical systems and activities
    should be made
  3. Explicit attention should be paid to the human
    factor

33
DNB BCP Assessment Framework (3)
  4. Each institution should have a crisis
    organisation, including senior management
  5. Single points of failure (SPOFs) should be
    identified
  6. Critical processes and systems should be resumed
    as quickly as possible

34
DNB BCP Assessment Framework (4)
  7. A back-up site/secondary site should be
    available
  8. Alternate systems and contingency procedures
    should be regularly tested and exercised
  9. Each institution should have a
    communication plan for all stakeholders

35
DNB Assessment framework
  • Why is the process unavailable? (Partial) unavailability of (and/or):
    • People
    • IT systems
    • Communications
    • Buildings
  • What is the cause?
    • Natural calamities (fire, storm, earthquake, flood etc.)
    • Technical failure (hardware / software malfunction, power cut etc.)
    • Organisational failure (human error, sickness etc.)
    • Wilful malice (sabotage, terrorism, cybercrime etc.)
  • What controls / measures are available? Measure / control categories:
    • Preventive
    • Detective
    • Corrective
    • Response
  • What residual risks remain?
    • List of accepted residual risks
36
Guidance Note Human factor
  • Assessment showed that institutions have problems
    with principle 3, paying explicit attention to
    the human factor
  • DNB developed a Guidance note human factor to
    assess the human factor aspect for critical
    systems and business processes, depending on the
    level of knowledge that is required (specific in
    the extreme, highly specific, specific, not very
    specific, not specific)
  • Matrix with level of required knowledge and human
    factor strategy → see www.dnb.nl payments - BCP

37
Ways of ensuring staff continuity
  1. double staffing at another location
  2. planned scheduling days off
  3. shift work
  4. use of staff from another location where a similar situation is operational
  5. use of staff from another location where a similar situation is not operational
Required level of knowledge of systems/business processes
  • specific in the extreme (a) red
  • highly specific (b)
  • specific (c)
  • not very specific (d) green
  • not specific (e)
38
Standard(izing) human (factor)'s skills
39
Standard(izing) human (factor)'s preparedness
40
Standard(izing) human (factor)'s preparedness
41
Players/documents: Professional bodies
  • e.g.
  • BCI (Business Continuity Institute)
    • Good Practice Guideline
  • BCM Academy
    • BCM Pocketbook
  • ENISA (European Network and Information Security
    Agency)
    • Business and IT continuity overview and
      implementation principles
    • Inventory of business and IT continuity methods /
      tools

42
Players/documents: Standards bodies
  • BSI (British Standards Institute)
    • BS 25777: Information and communication
      technology continuity management
    • BS 25999: Business continuity management
  • ISO (International Organization for
    Standardization)
    • ISO / PAS 22399: Guidelines for incident
      preparedness and operational continuity
      management
    • ISO / IEC 27031: ICT readiness for business
      continuity
    • ISO / IEC 24762: Guidelines for information and
      communication technology disaster recovery
      services

43
Players: Regulators (supervisors / overseers)
  • Global
    • BIS BCBS / BIS CPSS (Bank for International
      Settlements, Basel Committee for Banking
      Supervision / Committee on Payment and Settlement
      Systems)
    • FSB (Financial Stability Board)
    • IOSCO (International Organization of Securities
      Commissions)
    • IAIS (International Association of Insurance
      Supervisors)
    • Joint Forum (BCBS, IOSCO, IAIS)

44
Questions?