380 likes | 552 Views
De Nederlandsche Bank. Business Continuity Planning and Crisis Management & Principles for Financial Market Infrastructures Michael van Doeveren 4th Conference on Payments and Securities Settlement Ohrid, Republic of Macedonia 22 June 2011. Introduction
E N D
De Nederlandsche Bank Business Continuity Planning and Crisis Management & Principles for Financial Market Infrastructures Michael van Doeveren 4th Conference on Payments and Securities Settlement Ohrid, Republic of Macedonia 22 June 2011
Introduction DNB Assessment Framework Business Continuity Planning Concepts of Crisis Management Arrangements and initiatives in the Netherlands Concluding remarks BCP FMI Principles Contents
What is Business Continuity? • Business Continuity Management: a whole-of-business approach, that includes policies, standards, and procedures, to ensure (critical) operations can be maintained, or restored in a timely fashion, in the event of a disruption. • Its purpose is to minimise the financial, legal, reputational and other material consequences arising from disruptionSource: BIS 2005
BCP in an international context • The American White Paper on Sound Practises to strengthen the Resilience of the US Financial System • The Tripartite Standing Committee on Financial Stability • Bank of Japan resilience plans • Initiatives of the Eurosystem • Joint Forum/Financial Stability Forum/BIS/CPSS’ work
The Dutch situation • Small country, few large banks • DNB is both central bank and prudential supervisor for banks, pension funds and insurance companies • Financial core infrastructure for Payments and Securities, in NL defined as: • Central bank • CSD • CCP • Stock exchange • ACH • Major banks
DNB BCP Assessment Framework (1) • First version in 2004, current version of 2007; • Drafted in cooperation with the financial institutions • Commitment to use it on a high level • Assessment Framework consists of • 9 ‘principles’ based on international standards • Guidance note Human Factor • Agreement between DNB and the financial sector for joint BCP initiatives • In line with international principles such as BIS • Used by supervisor and overseer to assess the institutions of the financial core infrastructure against these principles
DNB BCP Assessment Framework (2) • BCP should be approved by the EB/senior management • Risk analyses of critical systems and activities should be made • Explicit attention should be paid to the human factor
DNB BCP Assessment Framework (3) 4. Each institution should have a crisis organisation, including senior management • Single points of failure (SPOFs) should be identified • Critical processes and systems should be resumed as quickly as possible
DNB BCP Assessment Framework (4) 7. A back-up site/secondary site should be available 8. Alternate systems and contingency procedures should be regularly tested and exercised 9. Each institutions should have a communication plan for all stakeholders
Guidance Note Human factor • Assessment showed that institutions have problems with principle 3, paying explicit attention to the human factor • DNB developed a ‘Guidance note human factor’ to assess the human factor aspect for critical systems and business processes, depending on the level of knowledge that is required: specific in the extreme, highly specific, specific, not very specific, not specific • Matrix with level of required knowledge and human factor strategy see www.dnb.nl
Required Knowledge • Specific in the extreme. • Highly specific. • Specific. • Not very specific. • Not specific.
Concepts of crisis managementfor the payment system (1) Basic assumption • Payments can be regarded as what oil is for an engine • Continuity of payments is essential for both the public and the financial system. Consequences • Measures should be implemented that guarantee business continuity of the payment system • Implementation of a crisis management structure to prevent contagion and limitation the risks as for as possible
Concepts of crisis managementfor the payment system (2) Crisis management preconditions • Involvement required of critical participants of the whole payment system • Focus the continuation of the operation of the whole payment chain. Implementation • Formation of crises management team • Prepare organisation. Discuss objectives, define concept crisis management, investigate objects, invest existing measures, define effectiveness measures, investigate alternatives • Prepare and perform tests. Both internal and sector wide.
Tripartite Crisis Management in the Netherlands • Tripartite Crisis Management: Ministry of Finance, AFM, DNB • Consultation Group (Board level) • Advisory Groups: - Retail - Wholesale - Securities
Crisis Management – What Crisis management • Respond to payments and securities sector-wide • Operational crises: procedures regarding communication, decision making etc. ´Sector BCM´ • ´Peace time´ preparation for times of crises; plans, good overview of critical processes for the sector, alternatives and possibilities in case of a crisis, communication, knowing each other
Crisis Management – How “Red Booklet” contains information about: • Crisis management, communication and decision making procedures • Wholesale, retail, securities alternatives However, not many viable alternatives: Possible alternatives based on rerouting of key processes: • CLS, TARGET2, EBA, correspondents • Cash/ATM´s, mass payments, one-off direct debit • Bilateral accounts for OTC etc. • In practice: combination of emergency procedures of the different parts of the chain • At the moment no viable alternative for SWIFT • Communication and trust is key!
Example – Wholesale (2) The following were regarded as the most important wholesale payments (per bank): • CLS incoming (and outgoing) payments • MM and FX transactions • Liquidity transfers to/from offices/agents abroad • EBA settlement payments and liquidity swaps • Payments for the clearing and settlement of securities • Critical payments for clients (corporates, pension funds) • ´Margin calls´ (collateral for securities clearing) Broadly speaking, around 20-30 critical payments per bank per day In case of one bank’s failure, this can be processed manually In case of TARGET2 failure, strict rules apply; only ‘very critical payments’ can be processed
CIP in the Netherlands • Government project on critical infrastructure protection started in 2004 • In cooperation with the private sector, the government defined 12 infrastructures as critical: airports, public transport, energy, health care, etc. • Payments and securities processing is one of them • Follow up of the project in 2004, among others: Counterterrorism Alert System
Dutch Counterterrorism Alert System (1) • Set up by the government in 2005 to ‘alert’ critical infrastructures in the event of heightened terrorist threat • Measures to be taken quickly in order to minimise the risk and to limit the potential impact of terrorist acts. • Cooperation between the government and private sectors • More than 10 sectors are currently connected (a.o. airports, harbours, public transport, oil and gas, etc.) • Financial core infrastructure connected as of May 1, 2006
Dutch Counterterrorism Alert System (2) • Four levels of threat: standard, low, moderate, high • Each level comes with its own set of (additional) security measures, both for the sector and for the government • Government and sector agree together on the measures to be taken • Contacts with local authorities very important • Workshops, tests and exercises are organised per sector
Experiences Counterterrorism Alert System • Formalised (communication) procedures to inform the sector about threats • Increased cooperation and information sharing within the financial sector in the area of security and with other sectors • Improved contacts and cooperation with local authorities and other stakeholders (police, community, fire brigade, neighbour companies etc.)
Exercising experienceThink BIG, start SMALL For Crisis Management exercises increase in complexity and depth: • Connectivity/communication tests: several times a year • Crisis management workshops: Discussion, based on scenario • Table top exercises: simulation with ‘real play’ • Large scale government exercise regarding ICT and cybercrime • Operational exercise where security measures are taken for real • Market wide exercises
International context for business continuity in payments and securities • “Dutch” market infrastructure is hardly Dutch anymore • This is due to the consolidation trend and the battle for efficiency • Not only for commercial institutions, but also for central banks • An operational crisis in Brussels/Frankfurt/Paris may impact the Dutch market more than a local crisis in Amsterdam
Increasing (need for) interaction & cooperation • Linked to ESCB crisis management • Co-ordinated communication with market infrastructures en major participants • Possible international solutions to “domestic” problems • Central banks can help each other • Solving problems in cooperation
Concluding remarks BCP • Regular assessments work! • Increase your level of resilience by • Control – Top level commitment • Coordination – Central bank/regulator role • Cooperation – Financial core infrastructure • Communication – All stakeholders, both national and international • Exercising keeps BCP alive • Human factor is key for everything
Principles for Financial Market Infrastructures (FMI) Co-production of: • BIS Committee on Payment and Settlement Systems • Technical Committee of the International organization of Securities Commission (IOSCO) • FMI Principles replaces all older separate principles for Systemically Important Payment Systems, Securities Settlement Systems and Retail Payment Systems • Report is for public market consultation until 29 July 2011 • Final report will be publishes in 2012
FMI Principles (1) General organisation • Principle 1: Legal basis • Principle 2: governance • Principle 3: Framework for the comprehensive management of risks
FMI Principles (2) Credit and liquidity risk management • Principle 4: Credit risk • Principle 5: Collateral • Principle 6: Margin • Principle 7: Liquidity risk • Principle 8: Settlement finality • Principle 9: Money settlements • Principle 10: Physical deliveries
FMI Principles (3) Central securities depositories and exchange-of-value settlement systems • Principle 11: Central securities depositories • Principle 12: Exchange-of-value settlement systems
FMI Principles (4) Default management • Principle 13: Participant-default rules and procedures • Principle 14: Segregation and portability
FMI Principles (5) General business and operational risk management • Principle 15: General business risk • Principle 16: Custody and investment risk • Principle 17: Operational risk
FMI Principles (6) Access • Principle 18: Access and participantion requirements • Principle 19: Tiered participation arrangements • Principle 20: FMI links
FMI Principles (7) Efficiency • Principle 21: Efficiency and effectiveness • Principle 22: Communication procedures and standards
FMI Principles (8) Transparancy • Principle 23: Disclosure of rules and procedures • Principle 22: Disclosure of market data
Responsibilities of central banks, market regulators and other authorities • Responsibility A: Regulation, supervision and oversight of FMIs • Responsibility B: Regulatory, supervisory, and oversight powers and resources • Responsibility C: Disclosure of objectives and policies with respect to FMIs • Responsibility D: Application of principles for FMIs • Responsibility E: Cooperation with other authorities