2024 Assessment of the Reserve Bank Information and Transfer System

3. Material Developments

3.1 Payments Operations Program and Future Hub

In October 2022, the RBA experienced a major Bank-wide technology incident that affected services provided by RITS. In response to the incident, the RBA commissioned an independent review by Deloitte (2023 Deloitte Review), and Payments Policy Department undertook the 2023 Targeted Assessment of RITS. The RBA committed to implementing all recommendations from both reports.[4] The RBA also committed to implementing the recommendations from a review of Information Technology (IT) technical controls undertaken by Capgemini in early 2023 and the findings of an internal IT review conducted immediately after the incident.

Most of these recommendations will be addressed via two multi-year work programs – the Payments Operations Program (POP) and the RBA Future Hub[5]:

  • The primary focus of the POP is on uplifting the RITS operating model, the RBA’s IT controls framework, and its knowledge management. The POP is responsible for implementing the Information Technology and Payments Settlements Department related recommendations. It will also implement the recommendations from the Capgemini and internal IT review.
  • The primary focus of the RBA Future Hub is on implementing recommendations relating to people and culture, risk management and governance. The Future Hub addresses recommendations from the RBA Review, as well as from the RITS-specific 2023 Deloitte Review where recommendations are Bank-wide in their potential reach.

Over the assessment period, the focus of both programs has been on scoping, planning, and resourcing. Specifically, the POP: completed a process of consultation across relevant departments to scope the remedial works; began work to design a project plan (expected to be in place by end May); and recruited/deployed subject matter experts to the program. The POP also began work to establish a best-practice operating model for RITS. The Future Hub began work to design the RBA’s target state 3LoA model. Effective implementation of POP and Future Hub programs will be important to drive material reinforcing improvements in resilience, operational effectiveness, governance and culture.

In addition, the RBA identified several recommendations that could be safely implemented in advance of the formal uplift programs. These include:

  • updating project prioritisation criteria
  • improving risk accountability in the RBA’s second-line function by adding the Chief Risk Officer to key management committees
  • lifting risk representation and accountability on major enterprise programs.

3.2 Head Office upgrade and core infrastructure modernisation

In 2022, work commenced to deliver necessary upgrades to the RBA’s Head Office building at 65 Martin Place (65MP project). During the assessment period, the 65MP time horizon was extended and arrangements for occupancy of the building during the construction works were revised.

These developments necessitate relocating one of the RBA’s data centres from 65MP to another facility. The data centre relocation will be delivered as part of the RBA’s Core Infrastructure Modernisation program. This program is intended to transform the RBA’s IT infrastructure and technology landscape by establishing the new data centre, designing and deploying new core infrastructure to all data centres, and migrating the RBA’s application workloads to the new infrastructure. The expected completion date for this program is 2027, while the data centre supporting RITS operations is expected to be completed in late 2025.

A range of projects fall within the scope of the Core Infrastructure Modernisation program, including the migration of all RITS-related applications to the new infrastructure. There are significant dependencies between the Core Infrastructure Modernisation, RITS migration and business-as-usual activities such as RITS-related application refresh activities. Additional pressures and risks arise from the accelerated delivery timelines due to program interdependencies.

3.3 Management of change

The RBA is managing several large change programs across the dimensions of technology, people and culture, risk management, organisational management and governance. To deal with this breadth of change activities, their interdependencies and overall complexity, the number of management and oversight committees has increased. The sheer volume of change and need for rigorous prioritisation creates an environment of heightened risk for the operations of RITS. In response, the RBA has implemented a range of risk mitigations regarding program and project governance and execution, including:

  • Targeted use of cross-membership on program steering committees and on project working groups aimed at improving coordination across workstreams.
  • Increased representation of management from the RBA’s RITS and risk management functions on steering committees and working groups aimed at providing greater visibility and a faster response to potential risks.
  • Establishing a senior-level Change Coordination Committee to anticipate and mitigate unnecessary concentrations of deliverables or significant change that could impede the successful delivery of project outcomes or business-as-usual work.
  • Updated risk accountabilities for executives and senior management reflecting changes to the organisational structure and the expanded range of change programs.

The 2023 Deloitte Review found that the RBA’s management committees did not always operate as intended, and that this affected the effective oversight of risk. The mitigants noted above are consistent with 2023 Deloitte Review recommendations for uplift of the RBA’s management committees, which focused on the appropriateness of the committees’ remit and the effectiveness of communication between the committees.

At a general level, the remit and responsibilities of the change programs and steering committees were understood and consistently articulated across relevant departments. However, the effectiveness of cross-membership on steering committees as a mitigant relies on the participation of a small number of experienced staff on multiple committees. This increases key person risks for the duration of the change programs.

3.4 Staffing resources

Risks in the staffing levels for RITS operations identified in 2022 have largely been addressed. Recent trends suggest that there has been an improvement in staff retention and the filling of vacant positions, resulting in staff vacancies falling significantly.

Broader concerns remain about the staffing relevant for RITS operations, given the significant program of change currently underway. In particular, the volume of change and competing timelines for projects will continue to heighten key person risk for critical roles. Furthermore, it will be a challenge for staff to conduct their business-as-usual activities while contributing to, absorbing and embedding changes from across the wide range of change initiatives within the RBA.

Finally, the change program will place greater demands on staff with deep subject-matter expertise. The RBA has commenced a restructure of RITS staffing to better allow for the facilitation of any change proposals. Nonetheless, if not managed effectively, the impacts from the scope of the change program on staff may lead to an increase in the operational risk faced by RITS. An ongoing focus for RITS operations over the assessment period will be on ensuring appropriate resourcing of RITS for both business-as-usual work and the program of change.

3.5 Cyber security

Cyber threats represent a significant risk to the reliable and efficient operation of FMIs, including RITS. If not managed effectively, a cyber event has the potential to disrupt and undermine confidence in the payments system and could lead to broader instability in the financial system and substantial disruption to economic activity. The RBA’s Information Technology Department is responsible for maintaining the cyber security policies, threat assessments, and end-point security for systems that support RITS. Over the assessment period, the RBA continued its investment in cyber security and its close monitoring for emerging vulnerabilities and threats, noting an increase in cyber activity from key threat vectors.

Improvements in cyber incident response procedures

In March 2024, the RBA hosted an industry cyber-attack exercise to test industry-level coordination during a hypothetical cyber-attack on systems connecting to RITS. The exercise highlighted improvement opportunities related to cyber incident response procedures and communication protocols.

3.6 Communication procedures and standards

International Organization for Standardization (ISO) 20022 is a global messaging standard being adopted by market infrastructure operators worldwide. This standard provides both richer and more structured data in payment messages, allowing for improvements to screening capabilities and system interoperability. Migration to ISO 20022 in Australia supports the harmonising of message formats to enhance cross-border payments.

The RBA chaired a CPMI working group to define harmonised ISO 20022 requirements for end-to-end use in cross-border payment transactions, with the requirements published in October 2023.[6] The intention is for these requirements to be implemented across jurisdictions by 2027.

In Australia, support for ISO 20022 (MX) Swift payment messages went live in March 2023 for all financial institutions in the High-value Clearing System (HVCS). A coexistence period, during which both the legacy Swift MT (message type) messages and the new MX ISO 20022 standard are in use, is currently in effect. The legacy MT messages are expected to be phased out by November 2024 for domestic payments, and by November 2025 for cross-border payments.

RITS members also currently exchange Swift MT messages with the RITS Automated Information Facility (AIF),[7] and work is underway to migrate the AIF to use the ISO 20022 message standard.

Endnotes

[4] See Strengthening the RBA’s Payments Infrastructure.

[5] The Future Hub Program has responsibility for leading and coordinating the RBA’s response to recommendations from the RBA Review, as well as responsibility for some recommendations contained in the 2023 Deloitte Review and the assessment of RITS against the PFMIs.

[6] CPMI (2023), ‘Harmonised ISO 20022 Data Requirements for Enhancing Cross-border Payments’, Report to the G20, October.

[7] The AIF is an enquiry and reporting service that enables participants to receive information about their Exchange Settlement Account (ESA) and transactions, to perform credit and liquidity management, and to receive ESA statements.