Dieter REICHWEIN Directorate General Payment Systems and Market Infrastructure European Central Bank...
Dieter REICHWEIN
Directorate General Payment Systems and Market Infrastructure
European Central Bank
Market infrastructures’ business continuity: Eurosystem roles and activities
The sixth international payment system conference, Budapest, 14 November 2007
Outline
I. Introduction
II. Standard setting
III. Fostering co-operation and information sharing
IV. Leading by example in the design of own systems
V. Simulation exercises
I. Introduction
What is business continuity?
• Guaranteeing the continued operation of all core business activities in the event of sustained and severe disruptions
• Dealing with unexpected and unpredictable events
• Process that requires permanent review and improvement
• Possible trade-off between costs of business arrangements of individual players and the expected benefits
Why is business continuity of market infrastructures crucial?
• The smooth functioning of market infrastructures is crucial for the functioning of the entire financial system, including
– The implementation of the monetary policy of the central bank
– Financial stability
• Through network effects and the backbone function of major infrastructures, shocks can be transmitted
– From infrastructures to participants (and vice versa)
– Between different market segments (e.g. payments and securities)
Why has the importance of business continuity increased?
• Changed operational conditions
– Move towards real-time processing
– Increased operational complexity (interdependencies within and between market segments and geographical regions)
• New types of threats (e.g. terrorist attacks)
• Shortcomings of existing BC plans – continuous learning curve
– Too narrow scope of scenarios considered
– Lack of consideration of dependence on third-party service providers
– Lack of compatibility of individual plans
Euro area specificities in the field of business continuity
• Complex and consolidating market infrastructure
– Role of investment cycles
– Bigger infrastructures may have the possibility to invest more in business continuity (e.g. TARGET1 vs. TARGET2)
• Up until now strong national dimension of existing policies, practices and plans
Reasons for Eurosystem involvement in business continuity
• Statutory responsibilities
• Existing externalities (individual costs vs. benefit for society)
• Co-ordination needs due to system interdependencies and European / global dimension of the issue
Eurosystem objective in the field of business continuity
• Ensure the existence of adequate and co-ordinated business continuity strategies and plans of the various actors (central banks, market infrastructures, critical participants and third-party service providers)
Eurosystem measures / activities
• Ensure that existing standards and policies adequately reflect new threats and requirements
• Fostering co-operation and information sharing
• Leading by example
• Preparing and co-ordinating simulation exercises
II. Standard setting
Euro area objectives
• Develop policies and standards, as far as possible in co-operation with the market (through round tables, public consultation etc.), that ensure an adequate level of infrastructure protection
• Consistent enforcement at national levels (also to ensure a level playing-field for market infrastructures across Europe)
Situation in different fields
• Payment systems: BC Oversight Expectations for SIPS, June 2006
• SWIFT: G10 High-level Expectations, June 2007
• Securities settlement systems: ESCB/CESR not yet finalised
Business Continuity Oversight Expectations for SIPS (I)
• Aimed at establishing a common framework in the euro area for the implementation of Core Principle VII that adequately reflects new threats and requirements in the field of business continuity
• Implementation of the Expectations:
– SIPS: by mid 2009
– Critical participants: by mid 2010
• Eurosystem to review implementation progress
Business Continuity Oversight Expectations for SIPS (II)
Four main elements:
1. Definition of BC objectives and strategies
– To be reviewed and approved at board level
– Identification of critical functions (including outsourced functions)
– Recovery and resumption of critical functions within the same settlement day (“good practice”: within 2 hours; settlement of a limited number of critical payments should be possible at any time)
2. Developing business continuity plans
– Ensure continuity of the service in a variety of plausible scenarios including major disasters, outages or disruptions covering a wide area
– Consider scenarios where the primary site, critical functions and/or staff remain unavailable for more than a day
– Ensure a different risk profile of and an appropriate geographic separation between the primary and the secondary site
– Identify external dependencies and highlight any remaining single points of failure
– Critical participants should also have a second processing site and same recovery time objectives as SIPS
3. Communication and crisis management
– Clear procedures to respond to a crisis event
– Establishment of a multi-discipline and multi-skilled Crisis Management Team (CMT) responsible for maintaining the crisis management plan (CMP)
4. Testing and regularly updating business continuity plans
– Update plans at least every 12 months
– Good practice: participation in industry-wide testing
High level expectations for SWIFT, June 2007:
• Developed by G10 SWIFT Co-operative Oversight Group
• Primary focus on operational risk
• The five high level expectations cover:
– Risk identification and management
– Information security
– Reliability and resilience
– Technology planning
– Communication with users
SWIFT is expected (i) to ensure that its critical services are available, reliable and resilient by implementing appropriate policies and procedures, and devoting sufficient resources, and (ii) to ensure that business continuity management and disaster recovery plans support the timely resumption of its critical services in the event of an outage.
Situation in the field of securities settlement
• Currently no harmonised standards in the EU available due to blocking of the ESCB/CESR work that tried to adapt the existing CPSS/IOSCO Standards to the EU environment
• However, following initiatives of the ECB and the European Commission and discussion at the level of ECOFIN, the work is now being resumed with the objective to further clarify the scope, legal basis and content of the standards
• Proposal on the way forward to be made in spring 2008
Some general experience / feedback from the market
• Public authorities to take the lead in setting standards, but preferably in co-operation with the market
• Lack of knowledge in the market on existing standards and initiatives at national, euro area, EU and global levels
• Existing standards show significant differences in terms of:
– General approach (high-level vs. checklist; compulsory vs. “good practice” etc.)
– Scope, structure and level of detail
– Terminology and definitions (e.g. critical participant)
• Issue of multi-country players
III. Fostering co-operation and information sharing
Eurosystem objectives
• Ensure availability of all relevant (static) information to all parties concerned through the development of an effective information sharing network
• Ensure effective crisis communication between public authorities and with the market participants
• Cover all relevant market segments and geographical levels (euro area / EU; global)
Development of an information sharing network (I)
• First step: compilation of the relevant information:
– Collate existing standards, guidelines, best practices etc. at national, EU and G10 level; including conducting a consistency check of terminology (list of critical terms) and content of the standards, not with the aim of harmonising but to explain national peculiarities
– Identify critical market infrastructures, service-providers / utilities and participants, including in particular those operating in various countries
– Collate business continuity related contact groups etc.
• Information dissemination approach: “need to know” basis
Development of an information sharing network (II)
• Development of a public BC domain on the websites of the ECB and the NCBs - for making non-confidential information on BC available to all relevant stakeholders, e.g.:
– Explanation of the role of the Eurosystem/ESCB in BC
– National, EU and G10 standards and initiatives
– Glossary of major BC terms
– Links to the relevant BC public domains of the other NCBs/ECB
• Use of a restricted BC domain - for sharing information of a more confidential nature among central banks / public authorities
Ensuring effective crisis communication (I)
• Need to define procedures and mechanisms ensuring clear and accurate information flows, both internally and externally: who communicates with whom, in which situation, on what and using which communication channels?
• Feedback from market participants at ECB conference on BC, September 2006:
– At national level, market players generally know the contact points at their national authorities
– Most information will flow via the existing national structures
– Public authorities to take care of cross-market and cross-country communication
Ensuring effective crisis communication (II)
• Crisis communication cascade at Eurosystem / ESCB level
– Each central bank acts as contact point for other central banks as far as contacts with both other national authorities and with market infrastructures for which they act as (lead) overseer are concerned
• Similar communication network at G10 level
• Memorandum of Understanding for information sharing between overseers and banking supervisors
IV. Leading by example in the design of own systems
• Development of TARGET2: significant improvement inter alia in business continuity terms due to new design concept
• Two regions / four sites
• Recovery and resumption objective
– 2 hours for regional disaster
– < 1 hour for other scenarios
• Minimum service level through independent Contingency Module
• Requirements for (critical) participants regarding system security and business continuity
V. Simulation exercises
Activities at the level of individual infrastructures
• The BC Oversight Expectations for SIPS require regular testing of BC plans, inter alia to:
– Validate the effectiveness of the BC strategy
– Verify that arrangements are viable in practice
– Ensure continued readiness
– Familiarise staff with the operation of the plan and their responsibilities
– Evaluate co-ordination needs with external service providers
Activities at national levels in the EU (I)
• In 2006 – 2007, cross-system simulation exercises have been conducted in various EU countries
• Exercises have been organised by
– BC working groups, including the central banks, other public authorities and major market players
– The national central bank
– Other public authorities
Activities at national levels in the EU (II)
• Stated objectives of the exercises were, inter alia, to:
– Test the national crisis communication infrastructure
– Optimise individual participants’ crisis management and BC organisation
– Test the interoperability of individual BC plans
– Test the availability of decision-makers and ensure their awareness of their roles
– Check availability of secondary site
• Frequency of tests depends on what is going to be tested
• Ideas in various countries to increase complexity, frequency and/or number of involved players etc. in future exercises
Activities at European level (I)
• No simulation exercises involving market participants have been conducted so far
• However, Eurosystem has started work on preparing such an exercise with the objectives of e.g.:
– Checking the interoperability of BC plans on a wider scale
– Better understanding existing interdependencies across infrastructures and market segments
• To be based on current set up of existing BC arrangements and organisational and communication structures
Activities at European level (II)
• Possible start with a rather simple exercise and gradual widening of the scenarios to be considered in terms of
– Impacted or failed parties
– Type of failure(s) (premises, staff, IT, utility service)
– Time, duration and geographical reach
• Discussions started at Eurosystem level; subsequently market players to be involved
• First exercise involving market players possibly in 2008/2009
– Significant time for planning and preparation needed
– Prioritisation of the tests needs to consider national initiatives as well as major ESCB projects and events (e.g. TARGET2)