Dieter REICHWEIN, Directorate General Payment Systems and Market Infrastructure, European Central Bank

Market infrastructures' business continuity: Eurosystem roles and activities

The sixth international payment system conference, Budapest, 14 November 2007

Outline

I. Introduction

II. Standard setting

III. Fostering co-operation and information sharing

IV. Leading by example in the design of own systems

V. Simulation exercises

I. Introduction

What is business continuity?

• Guaranteeing the continued operation of all core business activities in the event of sustained and severe disruptions

• Dealing with unexpected and unpredictable events

• Process that requires permanent review and improvement

• Possible trade-off between costs of business arrangements of individual players and the expected benefits

Why is business continuity of market infrastructures crucial?

• The smooth functioning of market infrastructures is crucial for the functioning of the entire financial system, including

– The implementation of the monetary policy of the central bank

– Financial stability

• Through network effects and the backbone function of major infrastructures, shocks can be transmitted

– From infrastructures to participants (and vice versa)

– Between different market segments (e.g. payments and securities)

Why has the importance of business continuity increased?

• Changed operational conditions

– Move towards real-time processing

– Increased operational complexity (interdependencies within and between market segments and geographical regions)

• New types of threats (e.g. terrorist attacks)

• Shortcomings of existing BC plans – continuous learning curve

– Too narrow scope of scenarios considered

– Lack of consideration of dependence on third-party service providers

– Lack of compatibility of individual plans

Euro area specificities in the field of business continuity

• Complex and consolidating market infrastructure

– Role of investment cycles

– Bigger infrastructures may have the possibility to invest more in business continuity (e.g. TARGET1 vs. TARGET2)

• Up until now strong national dimension of existing policies, practices and plans

Reasons for Eurosystem involvement in business continuity

• Statutory responsibilities

• Existing externalities (individual costs vs. benefit for society)

• Co-ordination needs due to system interdependencies and European / global dimension of the issue

Eurosystem objective in the field of business continuity

• Ensure the existence of adequate and co-ordinated business continuity strategies and plans of the various actors (central banks, market infrastructures, critical participants and third-party service providers)

Eurosystem measures / activities

• Ensure that existing standards and policies adequately reflect new threats and requirements

• Fostering co-operation and information sharing

• Leading by example

• Preparing and co-ordinating simulation exercises

II. Standard setting

Euro area objectives

• Develop policies and standards, as far as possible in co-operation with the market (through round tables, public consultation etc.), that ensure an adequate level of infrastructure protection

• Consistent enforcement at national levels (also to ensure a level playing-field for market infrastructures across Europe)

Situation in different fields

• Payment systems: BC Oversight Expectations for SIPS, June 2006

• SWIFT: G10 High-level Expectations, June 2007

• Securities settlement systems: ESCB/CESR not yet finalised

Business Continuity Oversight Expectations for SIPS (I)

• Aimed at establishing a common framework in the euro area for the implementation of Core Principle VII that adequately reflects new threats and requirements in the field of business continuity

• Implementation of the Expectations:

– SIPS: by mid 2009

– Critical participants: by mid 2010

• Eurosystem to review implementation progress

Business Continuity Oversight Expectations for SIPS (II)

Four main elements:

1. Definition of BC objectives and strategies

– To be reviewed and approved at board level

– Identification of critical functions (including outsourced functions)

– Recovery and resumption of critical functions within the same settlement day (“good practice”: within 2 hours; settlement of a limited number of critical payments should be possible at any time)

2. Developing business continuity plans

– Ensure continuity of the service in a variety of plausible scenarios including major disasters, outages or disruptions covering a wide area

– Consider scenarios where the primary site, critical functions and/or staff remain unavailable for more than a day

– Ensure a different risk profile of and an appropriate geographic separation between the primary and the secondary site

– Identify external dependencies and highlight any remaining single points of failure

– Critical participants should also have a second processing site and same recovery time objectives as SIPS

3. Communication and crisis management

– Clear procedures to respond to a crisis event

– Establishment of a multi-discipline and multi-skilled Crisis Management Team (CMT) responsible for maintaining the crisis management plan (CMP)

4. Testing and regular updating business continuity plans

– Update plans at least every 12 months

– Good practice: participation in industry-wide testing

High level expectations for SWIFT, June 2007:

• Developed by G10 SWIFT Co-operative Oversight Group

• Primary focus on operational risk

• The five high level expectations cover:

– Risk identification and management

– Information security

– Reliability and resilience

– Technology planning

– Communication with users

SWIFT is expected to ensure (i) that its critical services are available, reliable and resilient by implementing appropriate policies and procedures, and devoting sufficient resources, and (ii) that business continuity management and disaster recovery plans support the timely resumption of its critical services in the event of an outage.

Situation in the field of securities settlement

• Currently no harmonised standards in the EU available due to blocking of the ESCB/CESR work that tried to adapt the existing CPSS/IOSCO Standards to the EU environment

• However, following initiatives of the ECB and the European Commission and discussion at the level of ECOFIN, the work is now being resumed with the objective to further clarify the scope, legal basis and content of the standards

• Proposal on the way forward to be made in spring 2008

Some general experience / feedback from the market

• Public authorities to take the lead in setting standards, but preferably in co-operation with the market

• Lack of knowledge in the market on existing standards and initiatives at national, euro area, EU and global levels

• Existing standards show significant differences in terms of:

– General approach (high-level vs. checklist; compulsory vs. “good practice” etc.)

– Scope, structure and level of detail

– Terminology and definitions (e.g. critical participant)

• Issue of multi-country players

III. Fostering co-operation and information sharing

Eurosystem objectives

• Ensure availability of all relevant (static) information to all parties concerned through the development of an effective information sharing network

• Ensure effective crisis communication between public authorities and with the market participants

• Cover all relevant market segments and geographical levels (euro area / EU; global)

Development of an information sharing network (I)

• First step: compilation of the relevant information:

– Collate existing standards, guidelines, best practices etc. at national, EU and G10 level; including conducting a consistency check of terminology (list of critical terms) and content of the standards, not with the aim of harmonising but to explain national peculiarities

– Identify critical market infrastructures, service-providers / utilities and participants, including in particular those operating in various countries

– Collate business continuity related contact groups etc.

• Information dissemination approach: “need to know” basis

Development of an information sharing network (II)

• Development of a public BC domain on the websites of the ECB and the NCBs - for making non-confidential information on BC available to all relevant stakeholders, e.g.:

– Explanation of the role of the Eurosystem/ESCB in BC

– National, EU and G10 standards and initiatives

– Glossary of major BC terms

– Links to the relevant BC public domains of the other NCBs/ECB

• Use of a restricted BC domain - for sharing information of more confidential nature among central banks / public authorities

Ensuring effective crisis communication (I)

• Need to define procedures and mechanisms ensuring clear and accurate information flows, both internally and externally

– Who communicates with whom, in which situation, on what and using which communication channels?

• Feedback from market participants at ECB conference on BC, September 2006:

– At national level, market players generally know the contact points at their national authorities

– Most information will flow via the existing national structures

– Public authorities to take care of cross-market and cross-country communication

Ensuring effective crisis communication (II)

• Crisis communication cascade at Eurosystem / ESCB level

Each central bank acts as contact point for other central banks as far as contacts with both other national authorities and with market infrastructures for which they act as (lead) overseer are concerned

• Similar communication network at G10 level

• Memorandum of Understanding for information sharing between overseers and banking supervisors

IV. Leading by example in the design of own systems

• Development of TARGET2: significant improvement inter alia in business continuity terms due to new design concept

• Two regions / four sites

• Recovery and resumption objective

– 2 hours for regional disaster

– < 1 hour for other scenarios

• Minimum service level through independent Contingency Module

• Requirements for (critical) participants regarding system security and business continuity

V. Simulation exercises

Activities at the level of individual infrastructures

• The BC Oversight Expectations for SIPS require regular testing of BC plans, inter alia to:

– Validate the effectiveness of the BC strategy

– Verify that arrangements are viable in practice

– Ensure continued readiness

– Familiarise staff with the operation of the plan and their responsibilities

– Evaluate co-ordination needs with external service providers

Activities at national levels in the EU (I)

• In 2006 – 2007, cross-system simulation exercises have been conducted in various EU countries

• Exercises have been organised by

– BC working groups, including the central banks, other public authorities and major market players

– The national central bank

– Other public authorities

Activities at national levels in the EU (II)

• Stated objectives of the exercises were, inter alia, to:

– Test the national crisis communication infrastructure

– Optimise individual participants' crisis management and BC organisation

– Test the interoperability of individual BC plans

– Test the availability of decision-makers and ensure their awareness of their roles

– Check availability of secondary site

• Frequency of tests depends on what is going to be tested

• Ideas in various countries to increase complexity, frequency and/or number of involved players etc. in future exercises

Activities at European level (I)

• No simulation exercises involving market participants have been conducted so far

• However, Eurosystem has started work on preparing such an exercise with the objectives of e.g.:

– Checking the interoperability of BC plans on a wider scale

– Better understanding existing interdependencies across infrastructures and market segments

• To be based on current set up of existing BC arrangements and organisational and communication structures

Activities at European level (II)

• Possible start with a rather simple exercise and gradual widening of the scenarios to be considered in terms of

– Impacted or failed parties

– Type of failure(s) (premises, staff, IT, utility service)

– Time, duration and geographical reach

• Discussions started at Eurosystem level; subsequently market players to be involved

• First exercise involving market players possibly in 2008/2009

– Significant time for planning and preparation needed

– Prioritisation of the tests needs to consider national initiatives as well as major ESCB projects and events (e.g. TARGET2)