2018 Assessment of the Reserve Bank Information and Transfer System 3. Material Developments

This section draws out material developments relevant to RITS that have occurred since the 2017 Assessment. This Assessment covers the period from April 2017 to March 2018. Over this period, there have been material developments that are relevant to the Principles concerning operational risk (Principle 17), legal basis (Principle 1) and tiered participation arrangements (Principle 19). To complement this section, background information on how RITS operates, activity and participation in RITS, and the operational performance of RITS over the assessment period is set out in Appendix A. A detailed assessment of how RITS meets the Principles (incorporating developments discussed in this section) is presented in Appendix B.

3.1 Operational Risk Management

3.1.1 Cyber resilience

The Bank has continued work to further strengthen its cyber resilience over the assessment period. This builds on work in the previous assessment period to address cyber resilience-related recommendations made in 2015, including reviews of RITS's cyber-security controls, operational resilience, and options to improve the ability to detect and recover from a disruption of service in RITS, or loss of software or data integrity. The previous Assessment noted that Payments Policy Department would continue to monitor progress in two areas related to this work: the implementation of remaining recommendations from reviews of RITS's cyber security and cyber resilience; and evaluating the potential for further enhancements to the ability to recover RITS from cyber attacks in a timely manner. In addition, the Bank has carried out work to meet security standards established by SWIFT, and is considering how most effectively to take into account the recently released CPMI report on endpoint security in wholesale payments (Box A).

Implementation of additional security measures

The 2016 reviews conducted by the Bank included a stocktake of existing security controls, a program of penetration testing, and a review of recovery capabilities. The highest priority recommendations from these reviews were implemented in early 2017, with a number of the lower priority recommendations also since completed. The remainder of the lower priority recommendations are scheduled to be addressed in 2018, with the exception of a small number of recommendations that are being addressed via related projects that may extend beyond 2018.

SWIFT-related security controls

As a user of the SWIFT network, the Bank is required to meet the security obligations set by SWIFT. The SWIFT Customer Security Controls (CSC) Framework was introduced in March 2017, as a key component of SWIFT's broader Customer Security Programme (Box A). At the end of 2017, the Bank lodged its first annual attestation relating to compliance with the CSC Framework.

Box A: Endpoint Security

CPMI strategy for endpoint security

On 8 May 2018, CPMI released its report Reducing the Risk of Wholesale Payments Fraud Related to Endpoint Security.[10] The report was produced by a CPMI Task Force established in the light of cyber fraud incidents such as the theft of funds from Bangladesh Bank in February 2016. The scope of the report focuses on interactions between wholesale payment systems, messaging networks and their participants, where weaknesses in the security arrangements between any of these parties (‘endpoint security’) create the potential for fraud in the transmission of payment instructions. The report describes a strategy for reducing the risk of wholesale payments fraud related to endpoint security, intended to assist operators of wholesale payment systems and messaging networks, their participants and relevant regulatory authorities. The strategy consists of seven elements:

  1. Identifying and understanding the risks related to endpoint security.
  2. Establishing endpoint security requirements for participants.
  3. Promoting adherence to endpoint security requirements.
  4. Providing and using information and tools to improve the prevention and detection of attempted wholesale payments fraud.
  5. Responding in a timely way to potential fraud.
  6. Supporting ongoing education, awareness and information sharing.
  7. Monitoring evolving endpoint security risks and updating endpoint security practices accordingly, and coordination of endpoint security enhancements across different wholesale payments and messaging systems.

CPMI identifies that the successful execution of this strategy depends on the active engagement of operators, participants and other relevant stakeholders. The report also notes steps to be taken by CPMI and its member central banks (including the Bank) to support operationalisation of the endpoint security strategy within and across jurisdictions and systems. This includes monitoring how system operators, participants and other stakeholders are implementing elements of the strategy through to the end of 2019.

The endpoint security strategy is not intended to replace or supersede requirements in the Principles or related cyber resilience guidance. However, the strategy is designed to be taken into account by operators, participants and other relevant stakeholders in reducing wholesale payments fraud. The Bank is considering how it can most effectively take the strategy into account alongside its existing efforts in relation to cyber security.

SWIFT Customer Security Programme

The CPMI endpoint security work complements existing work in this area by SWIFT, which launched its own Customer Security Programme in May 2016. The programme consists of five strategic initiatives:

  1. Improving information sharing amongst the global community.
  2. Enhancing SWIFT-related security tools for customers.
  3. Enhancing guidelines and providing audit frameworks for customer security.
  4. Supporting increased use of pattern detection for fraudulent messages.
  5. Enhancing support by third-party providers of security-related services.

A key component of this programme was the establishment of the SWIFT CSC Framework, a set of mandatory and advisory controls for users of the SWIFT messaging infrastructure. It aims to provide a baseline security standard for the SWIFT network and an associated assurance framework for the global SWIFT community. SWIFT customers must attest annually to their compliance with the CSC Framework. The first annual attestation was due at the end of 2017, with 89 per cent of SWIFT users responsible for 99 per cent of messaging volumes worldwide completing this attestation on time, including the Bank. Users are expected to be fully compliant with the mandatory controls within the CSC Framework by the time of the next annual attestation. SWIFT has also established a system that allows its customers to request access to attestations lodged by their counterparties, and reserves the right to report users that are not compliant with attestation or control requirements to the relevant supervisory authority.

Resumption of operations

Consistent with cyber resilience guidance developed by CPMI and IOSCO, the Bank has undertaken to evaluate current and emerging technology options that may further enhance the capability of RITS to meet the CPMI-IOSCO two-hour recovery time objective; that is, to be able to safely resume critical operations within two hours of a cyber disruption. The first stage of this evaluation was completed in late 2017, with the Bank deciding to further explore a technology option that is ‘non-similar’ to RITS but could provide an additional recovery option.

3.1.2 Business continuity arrangements

The introduction of the FSS in late 2017 (see Box B) required a significant change to the operational arrangements for RITS, in order to support a 24/7 operating model. Although core operating hours for the existing RITS system (see section A.6) have not changed with the introduction of FSS, arrangements to support FSS have implications for RITS due to shared operational and technical resources across the two systems. In particular, to support the continuous operation of the FSS, the Bank now maintains permanent 24/7 operational and technical support staff for RITS and FSS at two geographically remote operating sites. Components of both RITS and FSS are monitored 24/7 to ensure that any issues are detected on a timely basis.

Recognising that the resilience and reliability of RITS and members is critical to the smooth functioning of the Australian payments system, the Bank has business continuity arrangements in place that focus on the continuity of RITS operations and the Bank's settlement activities, including business and IT support activities, during significant contingency events. Consistent with existing arrangements for RITS, the FSS has been designed with a high degree of technical redundancy, including automatic failover of components. If the FSS processor fails at the primary site, settlement processing will automatically switch to the alternative FSS processor at the primary site within two minutes. Similarly, the Bank has developed business continuity procedures for the FSS, and has included the new system in the programme of testing and review of its contingency procedures alongside RITS.

Box B: The New Payments Platform and the Fast Settlement Service

In 2012, the Payments System Board concluded a strategic review of innovation in the Australian payments system, which identified a number of gaps in Australia's retail payments system and called on the industry to determine the best way of addressing these gaps.[11] The gaps identified included the ability to: make real-time retail payments; send more complete remittance information with payments; address payments in a relatively simple way; and make and receive payments on a 24/7 basis. In response, 13 Australian financial institutions, including the Reserve Bank, formed NPP Australia Limited to oversee the development and operation of the NPP. The NPP, and the Bank's FSS, launched publicly on 13 February 2018, following a period of trial operation from 27 November 2017.

The NPP is a fast payments system that enables close-to-immediate funds availability to payment recipients on a 24/7 basis, even where the payer and payee use different financial institutions. The NPP also enables more information to be attached to a payment, and easier addressing of payments using the ‘PayID’ service, which can be used to link accounts to a phone number, email address or ABN. ‘Overlay services’ can also make use of the basic payments infrastructure to provide additional payment services on a commercial basis, with BPAY developing Osko as the first such service.

The NPP Basic Infrastructure, which includes the NPP network, switching capability (enabled by payment gateways) and addressing service, was designed and built by SWIFT, and utilises the SWIFT network to exchange payment and settlement instructions and confirmations (Figure B1). To facilitate the 24/7 settlement of individual payments made through the NPP, the Bank has developed the FSS. The FSS allows transactions to be settled individually on a 24/7 basis and in real time. It is used to settle obligations generated by NPP payments between customers of different banks.

Direct users of the FSS must be RITS members and the service is governed by the RITS Regulations. Although the FSS uses some of the pre-existing RITS infrastructure, the systems operate on separate platforms so that the RITS core settlement service and the FSS are able to process and settle payments independently of one another. While RITS members use a single Exchange Settlement Account (ESA) to settle payments in both RITS and the FSS, members divide their ESA balances between an ‘FSS balance’ and a ‘RITS balance’. FSS payments are only tested for settlement against the FSS balance, and payments sent to RITS's core settlement service are only tested for settlement against the RITS balance. FSS payments are tested for settlement on a settle-or-reject basis; if a member does not have enough funds in its FSS balance the payment will be rejected, and the member would need to resubmit the payment later if it wants the payment to be settled.

Members are able to manage the distribution of their ESA balances between their FSS and RITS balances during operating hours of the core RITS settlement service, including via automated tools to reallocate balances. For example, there is functionality allowing members to set criteria (upper, lower and reset point values) that will be used by RITS to automatically generate allocation transfers between members' FSS and RITS balances. The transfers are generated to return the FSS balance to a nominated FSS balance reset point. That is, if funds in the FSS balance fall below the lower trigger point value, RITS will automatically trigger an FSS top-up transfer from the member's RITS balance to bring the FSS balance up to the reset point. Conversely, if funds in the FSS balance rise above the upper trigger point value, RITS will automatically trigger an FSS withdrawal to return the FSS balance to the reset point (Figure B2). Outside of core RITS operating hours (see Appendix A.6), the entirety of a member's ESA balance is allocated to its FSS balance and available for settlement of FSS payments.

As a RITS service, the FSS has been designed to meet standards in relation to availability, capacity and security that are equivalent to, and in some cases even higher than, those of the core RITS service. The FSS is designed with the capacity to process at least 1,000 settlements per second, and adjusts its capacity target to meet projected volumes for at least five years in advance. The FSS is held to an availability target of 99.995 per cent (compared with 99.95 per cent for the core RITS service), equivalent to a tolerance for 26 minutes of downtime in a year. The system is monitored continuously, with a target of detecting any system problems within 30 seconds. The security standards for the FSS are equivalent to those of the core RITS service.

In order to support 24/7 operation of the FSS, the Bank has also extended operating hours of the RITS Help Desk to 24/7. The FSS is designed to allow maintenance and upgrades to be carried out while the system remains in operation, through the use of isolated components that can be upgraded independently. The FSS, like the core RITS system, can be operated from two geographically remote sites, with a target recovery time of less than two minutes in the event of a system disruption. In the event of a more extreme disruption, the NPP has contingency arrangements in place that ensure that clearing of payments can continue for up to 12 hours in case of an FSS outage, storing settlement requests until the FSS is available again.

Although settlement risks are mitigated by the real-time settlement of NPP transactions, the new system has liquidity implications for financial institutions participating in NPP and the FSS. Systems like the FSS that settle payments on a gross basis can be less liquidity efficient than systems that settle on a net basis. However, it is not considered likely that participants in the payments system will need to hold significantly larger balances to facilitate their NPP payment obligations. The NPP is primarily a payment system for retail transactions, with individual transactions expected to be relatively low in value. Wholesale interbank transactions are already typically settled individually and in real time via the core RITS service, so there will be a limited net impact on liquidity if some are made as NPP payments. Financial institutions also have access to funds through standing facilities to help manage their liquidity needs, and are able to utilise automated tools to allocate funds between their RITS and FSS balances as required.

3.2 Legal Basis

The RITS Regulations form the legal basis for all key aspects of RITS. The Bank seeks external legal advice on material amendments to the RITS Regulations and associated contractual agreements, including, where relevant, on the interaction of such amendments with Australian and New South Wales laws and regulations. The RITS Membership Agreement binds RITS members and the Bank to the RITS Regulations.

3.2.1 Revised RITS Regulations

The Bank has further amended the new set of RITS Regulations that came into effect in the previous assessment period, in order to incorporate changes supporting the FSS. The amendments to the RITS Regulations came into effect on 10 November 2017, before the commencement of live trial operation of the FSS.

The changes made to the RITS Regulations to incorporate the FSS and NPP recognise the NPP as a feeder system to RITS, and draw a distinction between the existing ‘core’ RITS system and the new FSS system. These include: defining ‘RITS Transactions’ and ‘FSS Transactions’ as separate sub-sets of transactions, the former tested for settlement on the RITS System Queue and the latter by the FSS settlement engine; reflecting that funds may be allocated across ESA balances between RITS and the FSS for settlement testing; and other amendments to reflect agency arrangements and the 24/7 functioning of the FSS. Changes have also been made to the Global Master Repurchase Agreement to provide for an alternative form of trade confirmation in cases of intraday repos that are entered into with the Bank under certain FSS contingency scenarios.

In addition to these changes related to the FSS, other amendments were introduced to govern outright securities transactions and securities lending transactions between the Bank and members (including Australian Office of Financial Management securities lending transactions).

3.2.2 Foreign RITS members

The Bank has a requirement that all overseas-domiciled RITS members provide an independent legal opinion that the RITS Membership Agreement is enforceable in their home jurisdiction. This has been required for all new foreign RITS members since 2011, but it was not required of members who joined before then. Following the signing of new RITS Membership Agreements in 2017, the Bank has been working with foreign members on the provision of legal opinions that meet the Bank's requirements, in cases where members had not provided a legal opinion previously or their previous opinion required updating. The Bank is currently reviewing legal opinions that it has received from foreign members.

3.3 Access and Participation

3.3.1 Tiered participation

As of 6 May 2018, the definition of bank in the Banking Act 1959 was changed to allow all authorised deposit-taking institutions (ADIs) to call themselves banks. The Australian Prudential Regulation Authority (APRA) is also developing a phased approach to authorising new ADIs, which is expected to facilitate entry into the banking industry. Under this phased approach, new entrants will be authorised as ‘restricted ADIs’ within around three months of applying, after which they will have up to two years to obtain a full ADI licence.

As these proposed changes make it no longer meaningful to set different requirements for different types of ADIs, the Bank reviewed the requirement in the ESA policy for indirect-settling banks to have an ESA for contingency purposes. Rather than extend this requirement to all ADIs, the Bank decided to make holding a dormant ESA for contingency purposes optional rather than mandatory. The current tiering threshold of 0.25 per cent of RITS RTGS transaction values has been maintained; ADIs with RITS RTGS transactions that are at or above this threshold are required to settle wholesale RTGS transactions using their own ESA.

3.3.2 Non-ADI Exchange Settlement Accounts

The Bank allows non-ADIs to hold ESAs for the purpose of settling payments on behalf of third parties, subject to meeting operational and liquidity standards, in order to ensure that non-traditional payment service providers are not at a competitive disadvantage by being dependent on an institution that would otherwise be a competitor (for details of participation in RITS see Appendix A, section A.1). Over the year to the end of March, the Bank has received applications from several non-ADI providers of third-party payment services to open ESAs at the Bank, in order to directly settle payments on behalf of their customers.

Adyen, a card acquirer for merchants, opened an ESA in July 2017 as a third-party payment services provider. Previously, the only non-ADI to hold an ESA for the purposes of providing third-party payments services was First Data Network Australia (previously known as Cashcard Australia). The Bank is also in discussion with several other third-party payment service providers, including firms that provide card acquiring and ATM processing services, about becoming ESA holders.

3.3.3 LCH PPS arrangements

LCH Limited (LCH) is a UK-based central counterparty (CCP) that offers central clearing for a range of products, including over-the-counter interest rate derivatives and inflation swaps. LCH settles Australian dollar transactions, typically variation margin payments, across its ESA in RITS. LCH also operates an Australian ‘Protected Payments System’ (PPS) that facilitates the settlement of Australian dollar obligations directly between ESAs held at the Bank.[12] During the assessment period, another three major Australian banks began to use the Australian PPS. As a result, all four major Australian banks now settle their Australian dollar obligations with LCH using the Australian PPS, rather than via correspondent banking arrangements. The volume of obligations settled using the Australian PPS could increase during the next assessment period, when LCH is expected to begin clearing deliverable foreign-exchange options.

3.3.4 eftpos Batch

On 30 August 2017 settlement of eftpos transactions moved into a separate multilateral net batch administered by eftpos Payments Australia Limited (ePAL). These transactions were previously settled as part of the LVSS batch. Under normal operations, ePAL submits one batch per RITS business day for settlement in the morning settlement session. ATM transactions processed by ePAL are currently not included in the eftpos Batch and are settled under the existing LVSS arrangements.

Footnotes

The report is available at <https://www.bis.org/cpmi/publ/d178.htm>. [10]

See ‘Conclusions of the Strategic Review of Innovation in the Payments Systems’. [11]

For more information on LCH's PPS, which is used to settle member margin and other obligations, see the 2017 Assessment of LCH Limited's SwapClear Service, available at: <https://www.rba.gov.au/payments-and-infrastructure/financial-market-infrastructure/clearing-and-settlement-facilities/assessments/lch/2017/pdf/lch-assess-2017-12.pdf>. [12]