2021 Assessment of the Reserve Bank Information and Transfer System
3. Material Developments

This section discusses material developments relevant to RITS that have occurred since last year's Assessment (March 2020) through to end-March 2021. Over this period there were material developments relevant to the Principles concerning: legal basis (Principle 1); participant-default rules and procedures (Principle 13); operational risk (Principle 17); and communication procedures and standards (Principle 22).

To complement this section, background information on how RITS operates, activity and participation in RITS, and the operational performance of RITS is set out in Appendix A. A detailed assessment of how RITS meets the Principles (incorporating developments discussed in this section) is presented in Appendix B.

3.1 Operational Risk Management

3.1.1 IT operational stability review

In 2019, the Bank completed a review of its IT operational practices, with the aim of ensuring the reliability of technology services supporting key Bank systems (including RITS). The review did not identify any significant concerns with the operational stability of RITS itself, but did identify a number of improvement opportunities in relation to the operational stability of some key systems that support RITS. The TSIP was established to address the recommendations that came out of the review, including initiatives relevant to the continued operational stability of RITS such as additional resourcing and training for IT roles supporting RITS and improvements to software patching processes.[10]

The 2020 Assessment of RITS recommended that the Bank complete the implementation of initiatives to support the continued operational stability of RITS as part of the TSIP. During the assessment period there was progress across all relevant deliverables, including:

  • increased resourcing of the Bank's IT infrastructure services section, which plays a key role in supporting RITS
  • completion of the pilot for a workload management tool to monitor IT staff utilisation rates and reduce the risk of excessive workloads for critical functions
  • development of a series of bespoke training modules
  • establishing a central knowledge repository to consolidate and collate relevant procedural documentation.

Over the coming period, the Bank expects to close out the TSIP, including initiatives of relevance for the operational stability of RITS. In particular, the Bank will continue the rollout of a new workload management tool to improve capacity planning and of new training programs aimed at uplifting the IT Certification Framework.

In addition, the Bank is progressing a number of initiatives that are related to TSIP workstreams but sit outside the program, such as improvements to processes and controls for the patching of software supporting RITS. This work encompasses efforts to review and update RITS-relevant procedures and work on a proof of concept for greater automation in the deployment of patching. Once the changes introduced by TSIP and these related initiatives have been embedded into business-as-usual practices, Payments Policy Department will consider whether they have been effective in addressing the findings of the 2019 review.

Recommendation. The Bank should complete implementation of all initiatives related to the Bank's TSIP that are material to the continued operational stability of RITS.

3.1.2 RITS incidents and responses

On 6 July 2020, RITS was affected by a power outage to the data centre at the Bank's Business Resumption Site (BRS). The power supply to the BRS data centre hosting RITS infrastructure was inadvertently shut off during fire control system maintenance. Although payment and settlement systems were operating from the primary data centre at the time, the abrupt power disruption at the BRS caused a network disruption that extended to some services at the Bank's primary site.

The incident took place at 7.30am. The majority of RITS services were re-established and fully operational from the Bank's primary site around 9am, within the two-hour recovery time objective set by the Principles for the resumption of operations by FMIs following a disruption to critical IT systems. The opening of the RITS Daily Settlement Session was delayed from 9.15am to 9.30am, with all transactions able to settle as expected from that time.

While the incident affected the availability of RITS, RITS still achieved an average system availability of 99.958 per cent in 2020, consistent with the Bank's key operational availability target for RITS to be available to its members in excess of 99.95 per cent of the time.

Following the incident, the Bank undertook an internal review to identify key lessons. Similarities between this incident and the power outage which impacted the Bank in August 2018 (resulting in RITS being unavailable for several hours) were identified and taken into consideration.[11] The internal review identified that a legacy switchboard design issue and a maintenance contractor failing to fully comply with documented procedures were the contributing causes of the 2020 outage.

In response to the July 2020 outage the Bank has: upgraded the switchboard involved in the incident; implemented enhanced contractor induction arrangements; and improved oversight of compliance with procedures by contractors. The Bank is also establishing new service delivery arrangements for its facilities, which aim to improve the approach to planning, risk assessment and oversight of these sorts of maintenance activities over the long term. This includes an increased role for staff with relevant engineering expertise to review changes as part of an enhanced internal engineering and advisory function. The switchboard upgrade was delivered as part of the Bank's broader Data Centre Improvement Program (DCIP) (see section 3.1.3).

In a separate incident during the assessment period, the Bank identified that software supporting certain backup processes was mistakenly removed in the process of a broader system update. The removal of this software did not have any direct operational impacts on RITS, and the software was reinstated once the error was detected. To mitigate the risk of this type of incident reoccurring, the Bank implemented improvements to its system update procedures involving external contractors. The Bank also implemented enhancements to the monitoring of RITS database back-up activities, which included the introduction of an additional second-line risk monitoring process for these activities.

Recommendation. The Bank should complete implementation of proposals to improve oversight of maintenance activities conducted by external contractors on the Bank's critical infrastructure, including establishing an enhanced internal engineering review and advisory function.

3.1.3 Operational resilience initiatives

Under Principle 17 (Operational Risk), FMIs are expected to proactively identify and mitigate plausible sources of operational risk. In this regard, over the assessment period the Bank implemented upgrades to the RITS infrastructure and also progressed projects to upgrade its data centres and the head office building.

The upgrades to the RITS infrastructure refreshed core network and application infrastructure and related systems, including the Bank's SWIFT infrastructure. These upgrades aim to enhance the security and resilience of RITS, while also improving processing speeds. For example, they are intended to improve the resilience of site failover in situations where one site becomes non-operational, as happened in the July outage. Implementation of the new infrastructure was finished in early 2021, although residual work relating to improving patching controls and uplifting patch automation capability is still being completed.

The DCIP was established to improve the operational resilience of the Bank's data centres and address potential capacity constraints over the longer term. During the assessment period electrical reconfiguration work at both data centres was completed. Work to increase the capacity of the BRS data centre is currently underway and expected to be completed by the end of the year.

As a separate project, the Bank has also initiated a major renewal of its head office building. The upgrade is expected to be completed in 2024.

Payments Policy Department has identified these planned upgrades to the Bank's physical infrastructure as an area of oversight focus.

Area of oversight focus. Payments Policy Department will monitor the impact of planned upgrades to the Bank's physical infrastructure on the operational stability and resilience of RITS.

3.1.4 Response to the COVID-19 Pandemic

The key focus of the Bank's contingency arrangements in response to the COVID-19 pandemic has been to safeguard the health of Bank staff and the reliability of Bank operations, including the operation of RITS. Over the assessment period RITS continued to operate with work-from-home arrangements in place, while also maintaining an on-site presence. Staff with critical responsibilities for the operation and support of RITS were separated between the Bank's head office and BRS for most of the past year. While this requirement was removed shortly after the end of the assessment period, the Bank remains able to reinstate it if necessary. In response to the pandemic the Bank also developed a pool of alternate staff that could be rotated into critical roles in circumstances where a large number of critical staff were simultaneously unable to work.[12]

In addition to the Bank-specific arrangements, the Bank also continued its engagement with members and the operators of major feeder systems into RITS, to understand if they remained well-placed to implement contingency arrangements to manage the pandemic and the potential impact on the operations of RITS.

3.1.5 Contingency arrangements for high-value feeder systems into RITS

One of the learnings from the August 2018 outage was that not all industry participants were adequately prepared to activate relevant contingency arrangements. To address this, the Bank initiated a process to review arrangements and identify whether refinements were needed to ensure that clearing and settlement operations could continue if RITS or its connection to the wholesale RTGS feeder systems were unexpectedly unavailable. These include the contingency arrangements for SWIFT payments managed by the High-Value Clearing System (HVCS), and for the Austraclear feeder managed by ASX.

In relation to the SWIFT Payment Delivery System (PDS) feeder, an industry committee is working to address the challenges identified with the HVCS fall-back arrangements. During the assessment period, the industry group put forward a proposal to enhance arrangements, which was approved by the HVCS Management Committee and will become effective this year. Under the enhanced arrangements, if a protracted RITS outage were to occur and a same-day recovery of normal operations was not possible, the SWIFT PDS would change to a mode that enables participants to continue exchanging payment messages via SWIFT. Participants would aim to post funds to customer accounts on the same day and settlement in RITS would take place as part of a multilateral batch the next day.

For the Austraclear feeder, ASX is working to improve the readiness of Austraclear participants to use the Assured Mode fall-back in the event that RITS is unavailable. Under this arrangement, securities settlement transactions would continue to be processed in real-time within the day and the resulting multilateral obligations arising between banks would be settled in RITS the next day. During the assessment period, ASX hosted information sessions for Austraclear participants and began planning for an industry-wide contingency exercise to test the arrangements in practice. The exercise is scheduled to occur in the current assessment period.

Separately, the Bank is also exploring options to improve the fall-back arrangements in very extreme scenarios where RITS is unavailable for more than one day, including the possibility of developing a simple deferred net settlement solution that can settle HVCS and Austraclear contingency batches in a separate system.

3.1.6 Cyber resilience

SWIFT-related security controls

As a user of the SWIFT messaging network, the Bank is required to meet security standards set out in SWIFT's Customer Security Controls Framework (CSCF). The CSCF is a set of mandatory and advisory controls for SWIFT users, establishing a baseline security standard across the network. All customers are required to annually attest to their compliance with these controls.

During the assessment period, the Bank commissioned an independent assessment of its compliance with the SWIFT controls. The assessment found the Bank to be fully compliant with the mandatory controls.

Evaluating current and emerging technologies to improve recovery times

Consistent with cyber resilience guidance developed by CPMI and IOSCO, the Bank continues to monitor current and emerging technology options that may further enhance the capability of RITS to safely resume critical operations within two hours of a cyber disruption.[13] During the assessment period, the Bank commenced a project to establish a third-site data bunker for holding data from the Bank's most critical systems, including RITS and FSS. The purpose of the data bunker is to enhance data resilience in the event of data corruption or loss caused by an operational incident, cyber-security event, or the extended loss of one of the two primary data centres. It is expected that the data bunker will become operational over the coming year.

Industry table-top exercise

In December 2019, the Bank conducted an exercise with a range of industry participants in which participants were asked to respond to a hypothetical cyber scenario. The exercise tested contingency procedures in the event of an attack on a HVCS participant's system that impacts its ability to send HVCS payments to other participants. A focus area for the exercise was communication and collaboration arrangements following such an attack.

During the assessment period, the Bank and the Australian Payments Network (AusPayNet) established two industry working groups to implement the recommendations from the exercise. One group will address recommendations related to cyber incident response procedures, and the other will address those related to the treatment of fraudulent payments submitted via the HVCS. Commencement of the groups was deferred to April 2021 as a result of the pandemic. This work is expected to be completed towards the end of the year.

End-point security

Through its existing security arrangements and the requirements it sets for participation in RITS, the Bank already meets elements of the strategy described in the CPMI's 2018 report on reducing the risk of wholesale payments fraud related to end-point security.[14] The Bank's expectation is that further enhancements to end-point security will be implemented as part of an ongoing process of continuous improvement.

During the assessment period, the Bank engaged an external party to conduct an assessment of the Bank's end-point security standards for RITS members and feeder systems and recommend enhancements to strengthen the standards where necessary. The Bank is developing updated security standards based on the recommendations from the review, which will be implemented over the coming year.

Area of oversight focus. Payments Policy Department will continue to monitor developments designed to ensure that RITS remains resilient in the face of evolving cyber-security threats, including progress in the continued exploration of enhancements to the ability to limit exposure to cyber risk and recover RITS from cyber-attacks in a timely manner.

3.2 Participant-Default Rules and Procedures

Under Principle 13 (Participant-Default Rules and Procedures) of the Principles, FMIs are required to have effective and clearly defined rules and procedures to manage a participant default. There is an expectation under the Principles that these default rules and procedures should: facilitate a timely response in order to contain losses and liquidity pressures; explain clearly what circumstances constitute a participant default; set out the method(s) for identifying a default; and, if the declaration of a default is discretionary, indicate which person or group should exercise that discretion.

Payments Policy Department has identified that while the steps for managing such an event and communicating with key stakeholders are understood by the relevant decision-makers, there is no documented framework that sets out how the Bank would come to a policy decision on whether to suspend or terminate a RITS membership or that defines the roles of relevant executives. Communication arrangements with other regulatory authorities and broader crisis management and communication considerations are also not explicitly set out, including the coordination of communication with industry.

Recommendation. The Bank should formally document its decision-making and crisis-management arrangements in the event of a RITS member default, including consultation arrangements with other authorities and communication with industry.

3.3 Legal Basis

The Bank has a requirement that all overseas-domiciled RITS members provide an independent legal opinion confirming that the RITS Membership Agreement and RITS Regulations are enforceable in their home jurisdiction. Following the signing of new RITS Membership Agreements in 2017, the Bank has engaged with foreign members on the provision of legal opinions to meet the Bank's requirements where members had not already provided a legal opinion, or their previous opinion needed to be updated. During the assessment period, the Bank completed this work and has now accepted legal opinions from all foreign members.

3.4 Communication Procedures and Standards

3.4.1 Strategy for ISO 20022 payment messaging migration

In the previous assessment period, the Bank and the Australian Payments Council (APC) consulted with industry on the key strategic decisions required before the Australian high-value payments system could migrate to the ISO 20022 message standard.[15] In February 2020, the Bank and APC published the ISO 20022 Migration for the Australian Payments System – Conclusions Paper.[16] This document sets out the project scope, migration strategy, governance arrangements and timeline for migration to the new message standard. An ISO 20022 Industry Migration Steering Committee has also been established by AusPayNet to coordinate the migration.

In March 2020, SWIFT decided to defer the deadline for migration to ISO 20022 for cross-border payments. As a result, the decision was taken to defer the start of Australia's domestic migration until November 2022. This delay is not expected to impact the November 2024 completion date.

In addition to the industry-wide program, the Bank has commenced planning work to migrate its proprietary Automated Information Facility (AIF) message formats to ISO 20022 and has been engaging with RITS Batch Administrators to discuss plans to migrate batch settlement messaging to ISO 20022.[17]

Footnotes

[10] Further information on these initiatives can be found in section 3.3.1 of the 2020 RITS assessment, available at: <https://www.rba.gov.au/payments-and-infrastructure/rits/self-assessments/>.

[11] The 2018 incident is outlined in section 3.1 of the 2019 RITS Assessment, available at: <https://www.rba.gov.au/payments-and-infrastructure/rits/self-assessments/2019/material-developments.html>.

[12] More detail on the Bank's pandemic response is available in section 3.1 of the 2020 RITS assessment, available at: <https://www.rba.gov.au/payments-and-infrastructure/rits/self-assessments/2020/material-developments.html>.

[13] The CPMI and IOSCO cyber resilience guidance is available at: <https://www.bis.org/cpmi/publ/d146.pdf>.

[14] The report is available at: <https://www.bis.org/cpmi/publ/d178.pdf>.

[15] Further information can be found in section 3.4.1 of the 2020 RITS assessment, available at: <https://www.rba.gov.au/payments-and-infrastructure/rits/self-assessments/2020/pdf/2020-assessment-rits.pdf>.

[16] Available at: <https://www.rba.gov.au/publications/consultations/202002-iso-20022-migration-for-the-australian-payments-system/pdf/iso-20022-migration-for-the-australian-payments-system-conclusions-paper.pdf>.

[17] This excludes reservation batch settlement messaging, e.g. the PEXA Batch and the ASX Financial Settlements (ASXF) Batch.