2022 Assessment of the Reserve Bank Information and Transfer System 3. Material Developments

This section discusses material developments relevant to RITS that have occurred since last year's assessment (March 2021) through to end-March 2022. Over this period there were material developments relevant to the Principles concerning: participant-default rules and procedures (Principle 13); operational risk (Principle 17); and communication procedures and standards (Principle 22).

To complement this section, background information on how RITS operates, activity and participation in RITS, and the operational performance of RITS is set out in Appendix A. A detailed assessment of how RITS meets the Principles (incorporating developments discussed in this section) is presented in Appendix B.

3.1 Operational Risk Management

3.1.1 RITS incidents and responses

On Saturday 25 September, the Bank experienced an operational incident that caused RITS to incorrectly open the 27 September settlement session during the weekend. There was no effect on settlement processing. The settlement session was closed without any inter-member transactions taking place and RITS resumed normal operations on the Monday morning.

While no funds were transferred between members as a result of the incident, the unscheduled opening triggered an automatic process under which funds were moved from members' FSS allocations within their Exchange Settlement Accounts (ESAs) to their RITS allocations.[5] This reduced the funds available to settle NPP payments via the FSS. The issue was quickly identified and the Bank took steps to ensure sufficient funds were available in FSS ES balances over the weekend.

The incident also resulted in a delay in the delivery of RITS End-of-Day ESA statements to six RITS members. Affected members received their statements for the Monday and Tuesday a day later than usual. Member access to detailed SWIFT transaction data was also subject to delay. All of these issues were fully resolved by the Wednesday evening.

Following the incident, the Bank undertook an internal review to identify key lessons and improvement opportunities. The scope of the review included system controls, system recovery, IT incident escalation protocols, operational procedures, staff training and certification. All actions arising from the review have been completed. In particular, a system control to prevent RITS processes being started at the wrong time has been implemented and work to identify any potential additional system controls has been completed.
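As an added illustration (not the Bank's code; the page does not describe how the RITS control is implemented), a scheduler-side guard of the kind the review describes: before a job opens a settlement session it confirms that the session date is today, that today is a business day, and that the clock is inside the scheduled opening window, and it refuses with an auditable record otherwise. The opening window and the holiday calendar are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time

# Constructed schedule for the example (assumptions, not RITS parameters):
# a settlement session may be opened only on a business day, only for
# today's date, and only inside a fixed window around its scheduled start.
OPEN_WINDOW = (time(7, 0), time(9, 0))
PUBLIC_HOLIDAYS = {date(2021, 10, 4)}  # constructed sample holiday calendar


def is_business_day(day: date) -> bool:
    """Monday to Friday and not in the holiday calendar."""
    return day.weekday() < 5 and day not in PUBLIC_HOLIDAYS


def check_session_start(session_date: date, now: datetime) -> list:
    """Return every reason the opening request must be refused (empty = allowed).

    All failing checks are recorded so the audit trail shows each way a
    mistimed job was wrong, not only the first one found.
    """
    reasons = []
    if not is_business_day(now.date()):
        reasons.append("NOT_BUSINESS_DAY")
    if session_date != now.date():
        reasons.append("SESSION_DATE_MISMATCH")
    if not (OPEN_WINDOW[0] <= now.time() <= OPEN_WINDOW[1]):
        reasons.append("OUTSIDE_OPEN_WINDOW")
    return reasons


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    audit_line: str = ""


def open_session(session_date, now) -> Decision:
    """Gate the 'open settlement session' job behind the start-time control.

    Accepts date/datetime objects or ISO strings (as a scheduler would pass).
    """
    if isinstance(session_date, str):
        session_date = date.fromisoformat(session_date)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    reasons = check_session_start(session_date, now)
    stamp = now.strftime("%Y-%m-%d %H:%M")
    if reasons:
        # Refuse and leave an alertable record; none of the downstream
        # processing that an open session triggers is started.
        line = f"{stamp} REFUSED open session {session_date}: {', '.join(reasons)}"
        return Decision(False, reasons, line)
    return Decision(True, [], f"{stamp} OPENED session {session_date}")


if __name__ == "__main__":
    # Scenario modelled on the incident: the Monday 27 September session
    # is started on Saturday 25 September at midday.
    print(open_session("2021-09-27", "2021-09-25T12:05").audit_line)
    # Correctly scheduled start on the Monday morning.
    print(open_session("2021-09-27", "2021-09-27T07:30").audit_line)
```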

The Bank has continued work to address lessons learned from the 6 July 2020 power outage at the Bank's business resumption site (BRS), which disrupted RITS. While the outage did not impact the Bank's primary site, the power disruption at the BRS caused a network disruption that extended to some services at the primary site. In response to the incident, the Bank undertook an internal review and began work to implement its findings.

A number of the initiatives, such as upgrading the electrical switchboard involved in the incident, were fully addressed in the last assessment period. Implementation of other initiatives continued into the current assessment period: the enhanced contractor induction arrangements were fully implemented; improved oversight of compliance with procedures by contractors was embedded into BAU; and new service delivery arrangements for the Bank's facilities were established.

The new service delivery arrangements were intended to improve the approach to planning, risk assessment and oversight of these sorts of maintenance activities. For example, there is an increased role for staff with relevant engineering expertise to review changes as part of an enhanced internal engineering and advisory function. All of the initiatives identified by the Bank's internal review have now been fully implemented and are operating as expected.

3.1.2 IT operational stability

In 2019, the Bank completed a review of its IT operational practices, with the aim of ensuring the reliability of technology services supporting key Bank systems (including RITS). While the review did not raise any significant concerns, it identified some opportunities for improvement. TSIP, which was established by the Bank to address the recommendations, was closed last June. The program's initiatives have now been implemented, including the initiatives relevant to the continued operational stability of RITS.

Although the TSIP has closed, work to progress several initiatives related to TSIP work streams, which were not formally part of the program, continued into 2022. These included improvements to processes and controls for the patching of software supporting RITS and the rollout of a revised certification framework for IT roles supporting RITS. As at 31 March 2022, the IT certification framework had been fully implemented and automation of patching jobs was expected to be completed by end-June 2022.

While the TSIP delivered strengthened processes and improvements to staff knowledge of processes and systems, it takes time to embed these changes and to assess whether they have delivered the desired resilience improvements in practice. Progress with embedding the new initiatives has also been affected by the difficulty of recruiting and retaining staff in a tight labour market (see section 3.1.4 below).

It is too early to judge if the TSIP has delivered the outcome of reducing risks to the stability of RITS to the desired level. To facilitate this assessment, a program of work to improve and refine the metrics used to measure the operational resilience and stability of IT systems supporting RITS is underway. The revised metrics have been developed and are in the process of being rolled out.

Recommendation. The Bank should complete the program of work to implement revised metrics to measure the operational resilience and stability of IT systems supporting RITS.

3.1.3 Technology and cyber security

Cyber threats represent a significant risk to the reliable and efficient operation of systemically important payment systems, including RITS. If not managed effectively, a cyber event has the potential to disrupt and undermine confidence in the payment system and could lead to broader instability in the financial system and substantial disruption to economic activity. Over the assessment period the Bank continued its close monitoring for emerging vulnerabilities and threats.

Current and emerging technologies to improve recovery times

Consistent with cyber resilience guidance developed by CPMI and IOSCO, the Bank continues to monitor current and emerging technology options that may further enhance the capability of RITS to safely resume critical operations within two hours of a cyber disruption.[6] In March, the Bank completed a project to establish a third-site data bunker for holding data from the Bank's most critical systems, including RITS and the FSS. The purpose of the data bunker is to enhance data resilience in the event of data loss caused by an operational incident, cyber-security event, or the extended loss of one of the two primary data centres.

Area of oversight focus. Payments Policy Department will monitor whether and how the data bunker is used in recovery. It will also monitor progress on the continued exploration of enhancements to the ability to limit exposure to cyber risk and recover RITS from extreme cyber-attacks in a timely manner.

Enhanced security standards for RITS members

Through its existing security arrangements and the requirements it sets for participation in RITS, the Bank already meets the elements set out in the CPMI's 2018 report on reducing the risk of wholesale payments fraud related to endpoint security.[7] The report highlights the importance of monitoring evolving endpoint security risks and risk controls, and reviewing and updating endpoint security requirements, procedures, practices and resources accordingly. Consistent with this approach, the Bank engaged an external party to conduct an assessment of the Bank's endpoint security standards for RITS members and feeder systems in 2020.

Following this assessment, the Bank developed enhanced security standards for RITS members, which were included in the Business Continuity and Security Standards for RITS Members. The new security standards are intended to support members in maintaining best practice security arrangements so RITS-related cyber risks are effectively managed and controlled; for example, by setting out standards for the use of remote access to RITS to require members to adopt a consistent, secure approach.

The Bank consulted with RITS members on the new security standards over the course of October and November last year. The final standards were circulated to RITS members in December. RITS members have begun work to implement the new standards, with a target date for full implementation of the mandatory standards by February 2023. The Bank will be confirming members' progress and current compliance status against the different elements of the standards at various points over the coming year.

SWIFT-related security controls

As a user of the SWIFT messaging network, the Bank is required to meet security standards set out in SWIFT's Customer Security Controls Framework (CSCF). The CSCF is a set of mandatory and advisory controls for SWIFT users, establishing a baseline security standard across the network. All customers are required to annually attest to their compliance with these controls. In 2021 the Bank completed its annual self-review and attested to being fully compliant with the mandatory controls. The Bank's self-review was independently assessed by Internal Audit.

Improvements in cyber incident response procedures

In late 2019, the Bank hosted an industry cyber-attack exercise to test industry-level coordination during a hypothetical cyber-attack on a participant of the High Value Clearing System (HVCS). This highlighted some improvement opportunities related to cyber incident and fraud response procedures. In April 2021, the Bank and the Australian Payments Network (AusPayNet) established two industry working groups to implement the associated recommendations. Over the assessment period the working groups delivered enhancements to the procedures for reporting and escalating cyber incidents affecting the HVCS and the instructions for dealing with fraudulent payments arising from a cyber incident. These enhancements help strengthen the industry's readiness to respond to a material cyber incident.

Council of Financial Regulators (CFR) – cyber security initiatives

In 2021, the CFR undertook a pilot exercise of its new framework for intelligence-led testing of financial institutions' cyber defences, the Cyber Operational Resilience Intelligence-led Exercises (CORIE).[8] The CFR developed the framework to test the cyber maturity and resilience of institutions within the Australian financial services industry and to identify actions to uplift the cyber resilience of financial institutions. The Bank participated in the pilot exercise, which confirmed the strength of the Bank's current security protocols (including for RITS), while highlighting some areas for further improvement. Moving forward, the CFR has agreed to roll out the CORIE testing program more broadly. The Bank plans to participate in CORIE on an ongoing basis.

3.1.4 Staffing resources

Over the past year, there was an unusually high level of staff turnover in IT and related RITS operational roles. This has resulted in a loss of corporate knowledge and reduced capacity to implement and manage change. Filling vacant positions has become increasingly difficult, which reflects the scarcity of people with specialist IT, operational and technical skills in the current tight labour market. Staff resourcing challenges can generate higher levels of operational risk. While the Bank is investigating options to improve the retention and recruitment of staff as a matter of priority, the challenge of maintaining experienced staffing resources for RITS is likely to continue at least until the end of the current assessment period.

Area of oversight focus. Payments Policy Department will monitor the impact of staff resourcing challenges on RITS. This will include a focus on how potential operational risks associated with higher turnover and vacancy rates are being identified and mitigated.

3.1.5 Facility upgrades

Under Principle 17 (Operational risk), FMIs are expected to proactively identify and mitigate plausible sources of operational risk. In recent years the Bank has embarked on two key projects to improve the resilience of the infrastructure supporting RITS:

  • The Bank established a Data Centre Improvement Program (DCIP) to improve the operational resilience of the Bank's data centres and address potential capacity constraints over the longer term. Over the assessment period, work to increase the capacity of the secondary data centre was completed, together with works to replace aging plant, upgrade infrastructure resilience, enhance operational efficiencies and provide more granular monitoring. The DCIP was formally completed in March 2022.
  • The Bank has begun the renewal of its head office building. While this will result in necessary upgrades to the Bank's facilities that will support the long-term operational resilience of RITS once the renewal is completed in 2024, the Bank is managing operational risks associated with carrying out these ongoing works.

Area of oversight focus. Payments Policy Department will continue to monitor the impact of planned upgrades to the Bank's physical infrastructure on the operational stability and resilience of RITS. This will include a focus on how any potential risks associated with the changes are being mitigated.

3.1.6 Contingency arrangements for high-value feeder systems into RITS

The Bank is continuing to engage with industry on work to improve contingency arrangements designed to ensure that clearing and settlement operations can continue if RITS, or its connection to the wholesale RTGS feeder systems, were unexpectedly unavailable. These include the contingency arrangements for SWIFT payments managed by the High-Value Clearing System (HVCS) and for the Austraclear feeder managed by Australian Securities Exchange (ASX).

During the assessment period, enhanced HVCS contingency arrangements became effective. Under the enhanced arrangements, if a protracted RITS outage were to occur and a same-day recovery of normal operations was not possible, the SWIFT Payment Delivery System would change to a mode that enables participants to continue exchanging payment messages via SWIFT. Participants would aim to post funds to customer accounts on the same day and settlement in RITS would take place as part of a multilateral batch the next day.

For the Austraclear feeder, ASX is working to improve participant readiness on the use of the Assured Mode contingency arrangements in the event that RITS is unavailable. Under this arrangement, securities settlement transactions would continue to be processed in real time within the day and the resulting multilateral obligations arising between banks would be settled in RITS the next day. During the assessment period, ASX conducted an initial test exercise with the top 12 participants to further develop the arrangements.

3.1.7 Contingency arrangements in response to COVID-19

The key focus of the Bank's contingency arrangements in response to the COVID-19 pandemic has been to safeguard the health of Bank staff and the reliability of Bank operations, including the operations of RITS. Work-from-home arrangements were reintroduced during the assessment period, although critical staff remained on-site. Staff with critical responsibilities for the operation and support of RITS were separated across the Bank's two operational sites as required over the assessment period.

The Bank also continued its engagement with members and the operators of major feeder systems into RITS, to understand if they remained well-placed to implement contingency arrangements to manage the pandemic and the potential impact on the operations of RITS. While staffing arrangements had reverted to normal by the end of the assessment period, the Bank retains the capability of reintroducing such arrangements at short notice, should the need arise.

3.2 Participant-Default Rules and Procedures

Under Principle 13 (Participant-default rules and procedures), FMIs are required to have effective and clearly defined rules and procedures to manage a participant default. There is an expectation under the Principles that these default rules and procedures should: facilitate a timely response in order to contain losses and liquidity pressures; explain clearly what circumstances constitute a participant default; set out the method(s) for identifying a default; and, if the declaration of a default is discretionary, indicate which person or group should exercise that discretion. The 2021 Assessment recommended that the Bank formally document its decision-making and crisis-management arrangements in the event of a RITS member default.

In March 2022, the Bank's Executive Committee approved the RITS Suspension and Termination Decision-Making Framework. The Framework sets out high-level arrangements for decision-making and crisis-management in the event of a RITS member default. It confirms the Governor as the primary decision-maker for termination or suspension of a member, other than by consent. The framework also addresses: broader roles, responsibilities and delegations; the circumstances that might constitute a participant default; methods for identifying a default; and consultation arrangements with other authorities and relevant industry stakeholders.

The Framework complements the pre-existing detailed procedures that document the operational steps to be taken in response to an insolvency event affecting a RITS member.

3.3 Communication Procedures and Standards

In 2020, the Bank and the Australian Payments Council published the ISO 20022 Migration for the Australian Payments System – Conclusions Paper. The paper sets out the strategy for the migration across the industry to the ISO 20022 message standard.[9] Work to ensure that industry is ready to begin migrating by November 2022 has been ongoing and is being coordinated by AusPayNet's 20022 Program Management Office and overseen by an Industry Migration Steering Committee.

Endnotes

[5] See Appendix A, section A.4 for further information on ESA fund allocation transfers between FSS and RITS balances.

[6] The report is available at <https://www.bis.org/cpmi/publ/d146.pdf>.

[7] The report is available at <https://www.bis.org/cpmi/publ/d178.pdf>.

[8] See <https://www.cfr.gov.au/news/2020/mr-20-06.html>. The CFR is the coordinating body for Australia's main financial regulatory agencies – the Australian Prudential Regulation Authority (APRA), the Australian Securities and Investments Commission (ASIC), the Reserve Bank of Australia (RBA) and the Treasury.

[9] Available at <https://www.rba.gov.au/publications/consultations/202002-iso-20022-migration-for-the-australian-payments-system/pdf/iso-20022-migration-for-the-australian-payments-system-conclusions-paper.pdf>.