Memorandum of Understanding: The Department of Home Affairs and the Reserve Bank of Australia


Objective

  1. This Memorandum of Understanding (MoU) between the Department of Home Affairs (DHA) and the Reserve Bank of Australia (RBA) is intended to assist each agency with the performance of its regulatory responsibilities under the Security of Critical Infrastructure Act 2018 (SOCI Act). The Cyber and Infrastructure Security Centre (CISC) will be the point of contact for DHA.
  2. The purpose of this MoU is to promote the increased resilience against all hazards of assets that are used in connection with the operation of a payment system that is prescribed as being critical to the security and reliability of the financial services and markets sector (Critical Payment System Assets), through regulatory activities by the DHA and the RBA. The framework set out in this MoU is also intended to promote transparency, prevent unnecessary duplication of effort and minimise the regulatory burden on responsible entities for Critical Payment System Assets.
  3. The DHA and the RBA do not intend this MoU to create any enforceable rights or legally binding obligations on them, and nothing in this MoU limits or otherwise affects the exercise of any legislative functions or responsibilities of the DHA or the RBA.

Responsibilities

  1. The RBA is the principal regulator of the Australian payments system, with the RBA’s payments system policy determined by the Payments System Board (PSB). The payments system mandate, powers and responsibilities of the RBA and the PSB are set out in various pieces of legislation, including the Reserve Bank Act 1959, the Payment Systems (Regulation) Act 1998 and the Payment Systems and Netting Act 1998.
  2. In accordance with the SOCI Act and the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023, the relevant Commonwealth regulator for a Critical Payment System Asset is the RBA. As the relevant Commonwealth regulator, the RBA has a number of functions in relation to Critical Payment System Assets, in particular in relation to a responsible entity’s obligation to have, adopt and comply with a critical infrastructure risk management program (SOCI Act Part 2A).
  3. Under the SOCI Act, the Secretary of DHA and certain DHA officers appointed by the Secretary have various enforcement powers in relation to obligations that apply to a responsible entity for a Critical Payment System Asset. These include the obligation to notify data service providers (SOCI Act subsection 12F(3)); the obligation to give information and notify of events (SOCI Act Part 2); the obligations to have, adopt and comply with a critical infrastructure risk management program (SOCI Act Part 2A); and the Mandatory Cyber Incident Reporting obligation (SOCI Act Part 2B). Responsible entities for assets that have been declared to be Systems of National Significance may have additional obligations, such as Enhanced Cyber Security Obligations, applied to them. Some of the above information gathering and enforcement powers may be delegated to RBA officers by the Secretary in accordance with the SOCI Act and following consultation between both agencies.
  4. In 2023, the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) commenced. The CIRMP Rules require responsible entities for specific critical infrastructure asset classes to adopt, maintain and comply with a critical infrastructure risk management program (CIRMP) using an all-hazards approach to managing the material risks pertaining to cyber and information security, personnel, physical and natural, and supply chain hazards. A responsible entity’s board, council or other governing body must also submit an annual report certifying various matters relating to compliance with the CIRMP to the relevant Commonwealth regulator using the approved form. The first mandatory annual reports must be submitted within 90 days after the end of the 2023–2024 Australian financial year.
  5. The DHA’s Cyber and Infrastructure Security Centre (CISC) drives an all-hazards regime for critical infrastructure based in Australia. The CISC works in partnership with government, industry and the Australian community. The CISC actively assists critical infrastructure owners and operators to understand and manage risks and hazards through the implementation of the SOCI Act regulatory requirements, including by having arrangements in place to enforce compliance with SOCI Act obligations.
  6. DHA and the RBA agree to cooperate and collaborate to promote effective management of risks relating to Critical Payment System Assets, including by requiring responsible entities for Critical Payment System Assets to identify and manage risks relating to those assets in accordance with the SOCI Act’s critical infrastructure risk management program obligations (SOCI Act Part 2A).

Consultation

  1. To promote effective and well-coordinated development of regulatory policy, DHA and the RBA will inform each other on significant issues with respect to Critical Payment System Assets or their responsible entities that may have an impact on, or may otherwise be relevant to, the regulatory responsibilities of the other agency. Each agency will, where appropriate, provide an opportunity for consultation on the issue (including the opportunity for private discussions and/or to provide written comments) prior to industry consultation, and prior to any finalised outcome. For the purposes of this clause 10, industry consultation includes any direct consultation with one or more responsible entities and any public consultation process.

Formal Requests and Use of Powers

  1. Where DHA proposes to formally exercise any enforcement powers relating to SOCI Act obligations with respect to Critical Payment System Assets, and this exercise may have an impact on the regulatory responsibilities of the RBA, it will:
    • notify the RBA of the proposed use of powers;
    • consult with the RBA on the proposed use of powers;
    • notify the RBA when the power is formally exercised; and
    • subject to any restrictions imposed by law, provide to the RBA any relevant documentation.
  2. DHA and the RBA will agree detailed protocols for the handling of activities under the SOCI Act and exchanges of information in relation to any formal exercise of power by DHA.
  3. Under Part 2A of the SOCI Act, responsible entities for Critical Payment System Assets must provide an annual report relating to their CIRMP to the RBA as the relevant Commonwealth regulator. DHA will liaise with the RBA to ensure that a common approach to receipt and review of annual reports is adopted.

Notification and Information Sharing

  1. Any information shared under this MoU will be disclosed and received on the basis that it will be handled in a manner that complies with Commonwealth legal and policy requirements for security, privacy and official disclosure. This includes compliance with the Commonwealth Protective Security Policy Framework (PSPF) as well as the Privacy Act 1988 (Cth), the Crimes Act 1914 (Cth) and the Freedom of Information Act 1982 (Cth).

    DHA and the RBA may disclose protected information (as defined under the SOCI Act) to each other as permitted under the SOCI Act in order to support the regulatory functions of each agency.

  2. In addition to the exercise of formal powers and requests, DHA and the RBA will, subject to any restrictions imposed by law (whether under statute, contract, equity or otherwise), share information that the agency believes would be of assistance to the other agency in undertaking its responsibilities under the SOCI Act. Wherever possible, DHA and the RBA will avoid separate collection of the same information and data from the responsible entity for a Critical Payment System Asset.
  3. DHA and the RBA will work together to minimise the reporting burden on responsible entities for Critical Payment System Assets.

Annual Report to Parliament

  1. Subject to any restrictions imposed by law, the RBA and DHA will share information for the purposes of the Secretary of DHA and the Minister reporting to Parliament under section 60 of the SOCI Act regarding the operation of the SOCI Act for a financial year, including information regarding use of SOCI Act powers and key regulatory activities that have been undertaken under the SOCI Act during that financial year.

Coordination Meetings and Liaison

  1. DHA and the RBA will establish procedures to facilitate regular contact between officers of the agencies on routine operational matters. DHA and the RBA will hold meetings of senior officials at least every three months to discuss the coordination of matters relevant to the regulation of Critical Payment System Assets and the operation of this MoU.

Dated this day 15th October 2024

Justine Jones
First Assistant Secretary
Cyber and Infrastructure Security Centre

Bradley Jones
Assistant Governor
Financial System Group
Reserve Bank of Australia