Trading venues and Market Intermediaries. Peer review of IOSCO standards and recommendations on business continuity. International Bulletin of June 2021.

Digitalisation offers enormous advantages for the development of a productive economy but it also gives rise to risks that can affect financial stability, and also to systemic risk. In the financial ecosystem, trading venues and market intermediaries are especially exposed to vulnerabilities deriving from the generalised disruption caused by new technologies.

The potential vulnerabilities of the system require a regulatory and supervisory response that is both agile and proportionate. It is necessary to implement reasoned business continuity plans, especially in view of the surge in what is referred to as the “digitalisation” of the economy. This new trend requires regulators and supervisors to act to protect the pillars of the financial system, i.e. market integrity, investor protection and financial stability.

Business continuity plans (BCPs) are a strategic factor for companies, regardless of their nature, ensuring their survival in exceptional circumstances such as those that are currently occurring.

The most common risks today relate to cybersecurity, cyber attacks, data protection and financial stability. In the financial world, the specific role of trading venues and intermediaries requires regulation that considers their close connection to systemic risk.

IOSCO has carried out a peer review on this topic among 33 members, as described below.

In December 2015, the board of IOSCO published two reports: “Mechanisms for trading venues to effectively manage electronic trading and plans for business continuity” (Trading Venues Report) and “Market intermediary business continuity and recovery planning” (BCP Report), which contained recommendations and standards for the regulatory authorities.

In November 2018, the board of IOSCO resolved to conduct an assessment of the implementation of these standards and recommendations in the different jurisdictions, and set up a review team for this task. The review team was made up of members from the supervisory bodies of New Zealand, Quebec, South Africa, Dubai, Spain (CNMV) and Turkey, among others. The CNMV played an active role in the assessment.

Structure of the Peer Review

In the report referred to in this article, “Thematic Review on Business Continuity Plans with respect to Trading Venues and Intermediaries”, a score is given to the level of compliance with the recommendations and standards contained in the two reports, approved by IOSCO in 2015, in relation to the BCPs of trading venues and intermediaries.

33 jurisdictions took part in the review. The exercise includes an assessment and classification of the extent to which the standards and recommendations set out in the regulation have been included in each individual jurisdiction.

Spain has “fully implemented” all recommendations and standards.

Content and assessment of the recommendations and standards

A) Trading venues

Recommendation 1: “Regulators should require Trading Venues to have in place mechanisms to help ensure the resiliency, reliability and integrity of critical systems”.

In regard to Recommendation 1, referring to trading venues, the report suggests the following:

  • Regulators should ensure that their critical systems are duly guaranteed.
  • Trading venues should ensure the resiliency, reliability and integrity of their critical systems.
  • Regulatory regimes should provide sufficient clarity on governance and accountability of boards or senior management in relation to critical systems.
  • Where activities can be outsourced, the resiliency, reliability and integrity of the system must be ensured by the service providers.
  • Regulators must be able to establish additional requirements to ensure periodic reviews of critical systems, periodic capacity testing and periodic stress testing of critical systems.

Recommendation 2: “Regulators should require Trading Venues to establish, maintain and implement as appropriate a BCP”.

In regard to Recommendation 2, referring to trading venues, the report suggests the following:
  • The regulation should allow regulators to obtain a copy of the BCPs and require board or senior management responsibility for the establishment and maintenance of the BCPs.
  • Where trading venues are permitted to outsource any functions that are required for business continuity, the regulators must consider whether they have the capacity to ensure that outsource providers have and maintain adequate BCPs.
  • In some jurisdictions it is not mandatory to conduct periodic or formal reviews of the BCPs, and therefore the BCPs in these areas are treated in a non-standardised manner. Thus, the report establishes that the periodic reviews and unitary treatment of BCPs should be included in the recommendations.

B) Market Intermediaries

Standard 1 “Regulators should require market intermediaries to create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption”.

In regard to Standard 1, referring to market intermediaries, the report suggests the following:
  • The regulations should contain a definition of the content and concept of BCPs.
  • In some jurisdictions specific obligations are established to deal with natural disasters and disruptions of technology but intermediaries are not required to approve permanent BCPs. The obligation must be explicit.
  • The regulation should clearly define the role and the accountability of the board and management bodies of market intermediaries in relation to BCPs.

Standard 2 “Regulators should require market intermediaries to update their business continuity plan in the event of any material change to operations, structure, business, or location and to conduct an annual review of it to determine whether any modifications are necessary in light of changes to the market intermediary's operations, structure, business or location”.

In regard to Standard 2, referring to market intermediaries, the report suggests the following:

  • The regulation should establish an obligation for market intermediaries to periodically review their BCPs, in addition to their minimum execution periods.
  • The regulation must explicitly require the adaptation of BCPs to changes and new requirements arising from the periodic reviews carried out.
  • The recommendation above is in response to the fact that in some jurisdictions it is not obligatory to adjust business continuity plans to material unexpected and sudden changes.

General Recommendations

Based on the review carried out, the report contains a series of general recommendations that can be summarised as follows:
  • The regulations should provide the appropriate powers for the regulator to set and enforce compliance with BCP standards and recommendations, and require trading venues and market intermediaries to properly maintain and update their BCPs.
  • Regulators should assess, for their jurisdictions, whether improvements should be made to the existing frameworks, regardless of the regulatory system used (rule-based or a principles-based approach).
  • Regulators should assess the resiliency of the BCPs to extreme disruptive events, such as pandemics, earthquakes, or similar.
  • Regulators should assess whether their regulatory frameworks should require trading venues and market intermediaries to approve the BCPs on a permanent and stable basis, not only in extraordinary situations such as natural disasters and pandemics, but also in ordinary situations such as disruptions of IT systems, etc.
  • The regulatory framework should allow the supervisory authorities to require market intermediaries to periodically review and update their BCPs.
  • Regulators should assess whether to include in their regulations the obligation to carry out stress testing for BCPs.
  • Jurisdictions with more than one supervisory authority should adopt cooperation agreements to ensure consistency in this matter.

The following recommendations are also established:

a) Regulators should ensure that their respective national frameworks give them the powers necessary to require the establishment and maintenance of updated BCPs for trading venues and market intermediaries.
b) Regulators may consider the need to include in their regulatory framework specific and detailed guidelines in accordance with the structure and content of the thematic review referred to in this report.
c) Regulators should consider whether their regulations contain proper guidelines and directions to ensure that the BCPs are resilient in different situations (natural disasters, pandemics and health emergencies).
d) The regulatory framework should require intermediaries to conduct periodic and regular reviews and updates of their BCPs, at least annually. More specific requirements may also be made for intermediaries to update their BCPs based on the outcomes of the periodic reviews and in response to material changes.

COVID-19 and its effects on BCPs

The report also includes an anonymous summary of the measures adopted in the different jurisdictions as a result of the pandemic caused by COVID-19, among which the following considerations stand out:

  • Remote working, with all its undoubted advantages, increases the risk of internal and external cyber attacks.
  • BCPs require periodic testing and must be adjusted to permanent changes in the new financial ecosystem.
  • The use of cloud services helps to diversify and mitigate risks arising from the different geographical locations of the installations, which most BCPs establish as a good practice.
  • “Primary Data Centres” and “Disaster Recovery Sites” must be functionally and geographically separate to reduce problems relating to workforce mobility and ensure the normal operations of the structural units of the different organisations.

CONCLUSIONS

The new financial ecosystems require that the supervisory plans of the national authorities give special attention to the establishment, operation and maintenance of BCPs. This is to ensure financial stability and properly address systemic risk.

Ensuring the resiliency, reliability and adaptability of BCPs requires a clarification of the accountability of the regulatory bodies of trading venues and market intermediaries. The content of the BCPs must also be regularly updated and their supervision by the corresponding authorities must be a priority.

It is advisable for regulators to adopt policies and procedures to guarantee efficient cross-border collaboration, including the rapid and efficient exchange of information between national and international competent authorities.

COVID-19 is an opportunity to examine the operational resilience of trading venues and market intermediaries to deal with exceptional circumstances and business as usual, such as the challenges posed by remote working, cloud services, cyber security and the growing reliance on IT systems, among many others.

Following on from the thematic review referred to in this report, IOSCO committees 2 and 3 will undertake an assessment of operational resilience looking at whether the existing regulatory frameworks ensure the continuity of “critical operations” in the event of shocks or disruptive situations, such as the current pandemic.


Useful links:

FR31/2015 Mechanisms for Trading Venues to Effectively Manage Electronic Trading Risks and Plans for Business Continuity (iosco.org)

FR03/2021 Thematic Review on Business Continuity Plans with respect to Trading Venues and Intermediaries (iosco.org)