Financial market infrastructures (FMIs) often contract out a number of their operations, such as IT and telecommunications, to third-party service providers. Their reliance on these third-party service providers makes the contracted services critical for the smooth functioning of the financial markets, and hence such providers are often called ‘critical service providers’.
In April 2012 the Committee on Payments and Market Infrastructures (CPMI) and the International Organisation of Securities Commissions (IOSCO) published ‘Principles for financial market infrastructures’ (the Principles). In Annex F of the Principles the two bodies outlined five oversight expectations for critical service providers, intended to support an FMI’s overall safety and efficiency.
On 23 December 2014 the CPMI and IOSCO jointly published a document which establishes an assessment methodology and provides guidance for regulators, supervisors and overseers in assessing an FMI’s critical service providers against the oversight expectations in Annex F of the Principles. The assessment methodology follows the same approach as the one used for the Principles themselves.
The emphasis on critical service providers is due to the operational reliance of FMIs on their services. Critical service providers often include companies such as information technology and messaging providers. An example is SWIFT, a worldwide provider of secure messaging services to the financial industry (also see International Financial Data Services). The continuous, secure and efficient delivery of services by these providers may be crucial for the operations and functioning of FMIs, as failures of critical IT infrastructures or telecommunications services could lead to disruptions of the financial markets. Therefore, although the FMIs are ultimately responsible for their operations, the regulator, supervisor or overseer of FMIs may use Annex F to establish expectations specifically targeted at critical service providers.
Below are the five oversight expectations along with a summarized explanation of the appropriate assessment methodology.
- Risk identification and management
“A critical service provider is expected to identify and manage relevant operational and financial risks to its critical services and ensure that its risk-management processes are effective.”
Critical service providers should have effective processes and systems in place for identifying and documenting risks, implementing controls to manage risks, and making decisions to accept certain risks.
- Information security
“A critical service provider is expected to implement and maintain appropriate policies and procedures, and devote sufficient resources to ensure the confidentiality and integrity of information and the availability of its critical services in order to fulfil the terms of its relationship with an FMI.”
Critical service providers should have robust information security frameworks that appropriately manage their information security risks. The frameworks should include sound policies and procedures to protect information from unauthorised disclosure, ensure data integrity, and guarantee the availability of their services.
- Reliability and resilience
“A critical service provider is expected to implement appropriate policies and procedures, and devote sufficient resources to ensure that its critical services are available, reliable, and resilient. Its business continuity management and disaster recovery plans should therefore support the timely resumption of its critical services in the event of an outage so that the service provided fulfils the terms of its agreement with an FMI.”
Critical service providers should ensure that they provide reliable and resilient operations to their users, whether these operations are provided to an FMI directly or to both an FMI and its participants. Critical service providers should also have robust operations that meet or exceed the needs of FMIs. Any operational incidents should be recorded and reported to the FMI and the FMI’s regulator, supervisor, or overseer.
- Technology planning
“The critical service provider is expected to have in place robust methods to plan for the entire lifecycle of the use of technologies and the selection of technological standards.”
Critical service providers should have effective technology planning that minimises overall operational risks and enhances operational performance. Planning entails a comprehensive information technology strategy that considers the entire lifecycle for the use of technologies and a process for selecting standards when deploying and managing a service.
- Communication with users
“A critical service provider is expected to be transparent to its users and provide them sufficient information to enable users to understand clearly their roles and responsibilities in managing risks related to their use of a critical service provider.”
Critical service providers should have effective customer communication procedures and processes. In particular, critical service providers should provide FMIs and, where appropriate, their participants with sufficient information so that users clearly understand their roles and responsibilities, enabling them to adequately manage the risks related to their use of the services provided. Useful information for users would typically include, but is not limited to, information concerning a critical service provider’s management processes, controls, and independent reviews of the effectiveness of those processes and controls.
To view the full “Assessment methodology for the oversight expectations applicable to critical service providers” paper please click here.
Should you require any further advice or information on the above, Cleveland & Co, your external in-house counsel, are here to help.