Table of contents
Financial Market Infrastructures (FMIs) are important contributors to the removal of financial risks, but must ensure that they do not themselves become sources of unacceptable risk in the financial system, particularly in severe stress conditions. As FMIs often rely on the services of third-parties for essential aspects of their service, Critical Service Providers (CSPs) play an important role in the mitigation of FMIs’ operational risks.
To foster effective risk management, strong governance and oversight of FMIs, CPSS and IOSCO have issued new Principles for FMIs (“Principles”): a set of broad governance, business and operational standards that significantly raise the bar on compliance expectations for FMIs and their CSPs.
These expectations establish a standard of use by setting a minimum baseline in the areas of risk identification and management; information security, reliability and resilience; technology planning and communication with users. They apply to all SWIFT’s FMI customers, including RTGS, ACH, CSD and CCPs. The 24 principles of CPSS-IOSCO, which were published in 2012, upgrade and extend existing FMI principles.
The principles give guidance to FMIs and authorities on how to identify, monitor, mitigate and manage risks, in order to facilitate cross-border recognition and make FMIs more stable and more resilient to financial crises in the future.
How FMIs can comply with these principles is described in terms of what needs to be achieved. How the principles should be applied is left up to national and regional authorities, as well as to institutions.
It is important to note that the principles are not mandatory, only strongly recommended, and that there is no timeline defined by which FMIs need to comply. However, the principles are taken very seriously by the market, and most FMIs in major economies have performed assessments and have started projects to progressively comply with the principles.
Implementation of the principles is further encouraged by key regulations, such as EMIR, Dodd-Frank and CSD-R.
In June 2016, as a response to the growing concerns around the threat posed by cyber activity to financial stability, CPMI-IOSCO issued a paper providing supplemental guidance on cyber resilience.
Impact on SWIFT
In 2007, the G-10 central bank overseers of SWIFT introduced the High Level Expectations (HLEs) to structure the oversight of SWIFT.
The HLEs cover the same aspects as the expectations for CSPs. Since 2007, SWIFT has provided its overseers an annual self-assessment against these HLEs. Given the similarities between the two frameworks and a long history of self-assessment, SWIFT is confident that it already complies with the oversight expectations for critical service providers.
In December 2013, CPSS-IOSCO published recommendations on assessing CSPs, which are expected to become the future guidelines that will be used to control the quality of a CSP.
The CPSS-IOSCO CSP requirements set standards that are already used by SWIFT: multiple worldwide networks, high security levels and robust technology plans, 24/7 global customer support service, strict contingency plans – these all enable SWIFT to be highly resilient and able to cover in its operations a broad spectrum of potential disaster scenarios, including such extreme situations as natural disasters or terrorist attacks.