2017 Assessment of the Reserve Bank Information and Transfer System

3. Material Developments

This section draws out material developments relevant to RITS that have occurred since the 2015 Assessment. This Assessment covers the period from November 2015 to March 2017. Over this period, there have been material developments that are relevant to the Principles concerning legal basis (Principle 1) and operational risk (Principle 17). To complement this section, background information on how RITS operates, activity and participation in RITS, and the operational performance of RITS over the assessment period is set out in Appendix A. A detailed assessment of how RITS meets the Principles (incorporating developments discussed in this section) is presented in Appendix B.

3.1 Legal Basis

The RITS Regulations form the legal basis for all material aspects of RITS. The Bank seeks external legal advice on material amendments to the RITS Regulations and associated contractual agreements, including, where relevant, on the interaction of such amendments with Australian and New South Wales laws and regulations. The RITS Membership Agreement binds RITS members and the Bank to the RITS Regulations.

3.1.1 Revised RITS Regulations

A new set of RITS Regulations has been implemented, fully addressing a recommendation made in the 2015 Assessment. This work was initiated in 2014 and, while taking longer than originally expected, the new version came into effect on 27 March 2017.[7] Changes to functionality and activity in RITS since its launch as an RTGS system in 1998 had resulted in an increasingly complex set of documents, and so a major restructure and rewrite was undertaken to improve their clarity. In particular, the Regulations have been streamlined from the existing two documents (the main body of regulations and a separate ‘Conditions of Operation’) into a single document, redundant concepts have been removed and terminology has been simplified. A new, simpler Membership Agreement, which consolidates the existing Membership Agreement and Participating Bank Facilities Agreement (and, for some members, the Supplementary Membership Agreement) into a single agreement, has been implemented as part of this update. The new Regulations are also designed to be easier to amend when new services need to be incorporated.

The development of the new Regulations provided an opportunity to move to the 2011 Global Master Repurchase Agreement (GMRA) from the 2000 GMRA. The 2011 GMRA simplifies the calling of an event of default, gives the non-defaulting party more flexibility in determining the value of securities as part of the close-out procedure, and allows the close-out amount to be set off against any other amounts payable by the non-defaulting party to the defaulting party. The 2011 GMRA also broadens the definition of ‘act of insolvency’, which provides increased flexibility to deal with insolvency events in a wide range of jurisdictions.

A key consideration in rewriting the RITS Regulations was to ensure that RITS's existing legal basis remains sound and the finality of settlement of payments settled in RITS remains certain. The Bank therefore worked with a law firm to draft the new Regulations. The Bank also gave RITS members the opportunity to comment on an exposure draft of the new Regulations. The Bank considered members' feedback and incorporated amendments which were deemed necessary. As part of migration to the new Regulations, RITS members were required to sign new RITS Membership agreements in early 2017, after which the new RITS Regulations became operative in March.

3.1.2 Foreign RITS members

The Bank has a requirement that all overseas-domiciled RITS members provide an independent legal opinion that the RITS Membership Agreement is enforceable in their home jurisdiction. This has been required for all new foreign RITS members since 2011, but it was not required of members who joined before then. The Bank has communicated to foreign members that they may be required to provide a legal opinion subsequent to executing the new RITS Membership Agreement. The Bank anticipates that most overseas-domiciled members will be required to provide this legal opinion.

3.1.3 Settlement finality

The irrevocability of payments settled in RITS is protected by RITS's approval as an RTGS system under Part 2 of the PSNA. With this approval, a payment executed in RITS at any time on the day on which a RITS member enters external administration has the same standing as if the member had gone into external administration on the next day. Accordingly, in the event that a member was wound up, all transactions settled on that day cannot be unwound simply because of the event of external administration (i.e. they are protected from the application of the ‘zero-hour’ rule).

In May 2016, changes to the PSNA were introduced to deal with circumstances in which a RITS member goes into resolution and enters non-terminal administration with a statutory manager or judicial manager. The changes to the PSNA clarify that a payment executed in RITS while a member is in non-terminal administration has the same effect it would have had if the member had not entered non-terminal administration. Without this change, there was a risk that protection from the zero-hour rule for payments made in the days after the member entered resolution would not have been certain, which would have complicated the resolution of the member. This change facilitates the ongoing participation in RITS of members in resolution, but it does not limit the Bank's ability to suspend a member from RITS.

3.2 Operational Risk Management

3.2.1 Cyber resilience

Recognising the growing systemic threat originating from cyber attacks, the previous Assessment recommended that: (i) analysis and testing of the mechanisms in place to prevent a cyber-related incident should be completed and consideration should be given to whether additional measures need to be put in place; and (ii) the project to review and consider options to improve the ability to detect and recover from a disruption of service in RITS or loss of software or data integrity should be completed. Consistent with this recommendation, the Bank completed a series of reviews of its cyber resilience arrangements during the assessment period. These included:

  • A comprehensive review of RITS's cyber security controls. This included: an exercise to identify the points of attack, cyber threats and attack scenarios faced by RITS and a stocktake of existing governance arrangements and controls to protect RITS; an external review of whether alternative international cyber security frameworks could be adopted to supplement the existing framework used by the Bank; and an external gap analysis of existing cyber security controls and practices against key frameworks.
  • A series of layered penetration tests. These tests involved simulations of attack scenarios identified during the review of RITS's cyber security controls. A consulting firm was engaged to conduct the tests, which included simulated attacks on RITS's internet-facing infrastructure, targeted cyber attacks on Bank staff in an attempt to gain credentials to access RITS systems and simulated attacks carried out by a hypothetical malicious insider.
  • A review of RITS's operational resilience and recovery capabilities. This review evaluated the Bank's ability to detect and investigate potential cyber incidents, and its procedures for recovering critical functions following a cyber attack.

The reviews concluded that RITS has strong cyber defences. A number of recommendations were made to further strengthen RITS's cyber resilience. These recommendations were consolidated with recommendations from additional reviews of security controls for SWIFT-related systems. All high priority recommendations, representing findings that identified issues requiring prompt clarification or where material risk had been identified, have been implemented. Work is underway to complete lower priority recommendations and Payments Policy Department will review progress through its ongoing oversight of RITS.

Separate work has also been undertaken in relation to the Bank's broader IT environment, within which RITS is operated. As part of this, independent assessments have found that the Bank complies with the Australian Signals Directorate's Top 35 Strategies to Mitigate Cyber Security Incidents, and that it is certified against the ISO 27001 Information Security Management System standard.

CPMI and IOSCO published guidance on cyber resilience for FMIs in June 2016 (see Box A). Consistent with a recommendation made in the 2015 Assessment, the Bank reviewed its cyber-risk management arrangements against the Cyber Resilience Guidance during the assessment period. This took the form of a self-assessment by Payments Settlements Department, which drew in part on the external reviews of RITS against key industry frameworks (discussed above). The Bank's Payments Policy Department also conducted its own assessment of the RITS governance arrangements for cyber risk. No significant issues were identified through these reviews.

Box A: CPMI-IOSCO Guidance on Cyber Resilience

Recognising the growing threat that cyber attacks have posed to FMIs' operational resilience, CPMI and IOSCO have made the resilience of FMIs to cyber threats a strategic priority.[1] As part of their work in this area, in June 2016, CPMI and IOSCO released guidance in the area of cyber resilience to support relevant requirements in the Principles. The Cyber Resilience Guidance is intended to help FMIs enhance their cyber resilience and provide a framework for supervisory dialogue. Key themes of the guidance include:

  • board and senior management attention is critical
  • the ability to resume operations quickly and safely after a successful cyber attack is paramount
  • FMIs should make use of high-quality threat intelligence and rigorous testing
  • cyber resilience requires a process of continuous improvement
  • cyber resilience cannot be achieved by an FMI alone; it is a collective endeavour of the whole ‘ecosystem’.

The guidance comprises eight chapters. The first five address key risk management categories: governance; identification; protection; detection; and response and recovery. The guidance also includes three chapters that cover overarching components relevant to an FMI's cyber security framework: testing; situational awareness; and learning and evolving.

The guidance is principles based. This recognises that measures to mitigate cyber threats would need to continuously evolve given the dynamic nature of the threats. FMIs are also encouraged to adopt a risk-based approach in applying the guidance and it is noted that FMIs will need to implement the guidance consistent with applicable laws and regulations.

Given the systemic importance of FMIs and the increasing risk arising from cyber threats, FMIs are expected to apply the guidance immediately. CPMI and IOSCO nevertheless recognise that it may take time for FMIs to meet the expectation that they be able to recover critical operations within two hours following an extreme cyber attack. Accordingly, in respect of this particular expectation, the guidance encourages FMIs to develop, within 12 months, concrete plans to improve their capabilities for timely recovery, rather than immediately to develop such capabilities.

While most of the Cyber Resilience Guidance applies with immediate effect, the guidance recognises that it may take time for FMIs, including payment systems such as RITS, to meet the expectation that they are able to recover critical operations safely within two hours following an extreme cyber attack. To assist FMIs in developing, by June 2017 (as specified in the Cyber Resilience Guidance), concrete plans for improving their capability to meet a two-hour recovery time objective, the Bank's Payments Policy Department has set an expectation that an FMI should at a minimum have documented, resourced and appropriately governed plans in place to:

  1. identify potential attack vectors
  2. identify consequences for its critical operations that may arise from successful cyber attack
  3. assess its ability to detect, respond and recover from possible cyber attack
  4. based on the findings of the above, identify and implement any enhancements to the FMI's existing systems and processes that would materially improve the FMI's capability to meet the two-hour recovery time objective (2hRTO).

On the basis of the significant work undertaken to review and enhance the cyber resilience of RITS over the past few years, the Bank's Payments Policy Department has concluded that RITS meets the requirement of developing concrete plans for improving the ability of RITS to achieve the 2hRTO. In particular, there are concrete plans to implement enhanced monitoring capacities to identify cyber attacks and enhancements to systems and processes to enable recovery of accurate data following a breach, both of which will improve RITS's capability to meet the 2hRTO.

Beyond June 2017, FMIs are expected to execute their plans in a timely manner. FMIs, including RITS, are also expected to evaluate, on an ongoing basis, current and emerging technology that could further enhance their ability to recover from cyber attacks in a timely manner. Through its ongoing oversight of RITS, Payments Policy Department will continue to engage with Payments Settlements Department to monitor progress in:

  • implementing recommendations arising out of the completed reviews of RITS's cyber security and cyber resilience
  • evaluating current and emerging technology that could lead to further enhancements to the ability of RITS to recover from cyber attacks in a timely manner.

3.3 Other Developments

3.3.1 New Payments Platform

Over the assessment period, the Bank has continued to contribute to industry efforts to develop the New Payments Platform (NPP). Background information on the NPP is presented in section A.10.

The NPP will operate on a 24/7 basis, meaning payments may be initiated, cleared and settled outside normal RITS operating hours. At these times authorised deposit-taking institutions (ADIs) will not have access to liquidity from wholesale funding sources, such as the capacity to settle securities transactions in Austraclear. ADIs will therefore be expected to pre-position adequate liquidity to meet ‘out of hours’ payment obligations. It is expected that most will make use of an ‘open repurchase agreement (repo)’ under the Bank's Standing Facilities for this purpose.[8] When the NPP goes live (currently scheduled for Q4 2017), NPP participants will be expected to establish a sufficiently large open repo position with the Bank to meet projected payment flows, including in peak transaction scenarios. Participants may request a temporary increase to their open repo limits when they are expecting unusually large customer payment flows or to cover extended holiday periods.

3.3.2 Non-ADI Exchange Settlement Accounts

The Bank has received applications from several non-ADI providers of third-party payment services to open Exchange Settlement Accounts (ESAs) at the Bank, in order to directly settle payments on behalf of their customers. The Bank allows non-ADIs to hold ESAs for the purpose of settling payments on behalf of third parties, subject to meeting operational and liquidity standards, in order to ensure that non-traditional payment service providers are not at a competitive disadvantage by being dependent on an institution that would otherwise be a competitor. Prior to 2017, the only non-ADI to hold an ESA for the purposes of providing third-party payments services was First Data Network Australia (previously known as CashCard Australia).

In 2017, the Bank granted in-principle approval for Adyen, a card acquirer for merchants, to open an ESA as a third-party payment services provider. The Bank is also in discussion with several other third-party payment service providers, including firms that provide card acquiring and ATM processing services, about becoming ESA holders.

3.3.3 LCH PPS arrangements

LCH.Clearnet Limited (LCH), a London-based central counterparty (CCP) that offers a clearing service for OTC interest rate swaps in Australia, operates a ‘Protected Payments System’ (PPS) whereby LCH clearing participants hold accounts at designated PPS banks that settle obligations with LCH on behalf of the clearing participants. LCH settles Australian dollar transactions, typically variation margin payments, across its ESA in RITS. During the assessment period, LCH established one of the four major Australian banks as a PPS bank for Australian dollar-denominated payments, with the others expected to follow later in 2017. Once this migration is complete, Australian dollar obligations of the major banks as clearing members will be settled by them directly with LCH, rather than via other PPS banks and their Australian correspondent banks.

Footnotes

[7] The RITS Regulations are available on the RBA website: https://www.rba.gov.au/payments-and-infrastructure/rits/user-doc/pdf/regulations.pdf.

[8] Refer to section A7 for more information about the use of repos in RITS.

Box A footnote

[1] The Cyber Resilience Guidance is available at http://www.bis.org/cpmi/publ/d146.htm.