2015/16 Assessment of ASX Clearing and Settlement Facilities A2.2 Austraclear Standard 14: Operational risk

A securities settlement facility should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the securities settlement facility's obligations, including in the event of a wide-scale or major disruption.

Austraclear's key operating system is EXIGO.

Austraclear manages its operational risks in the context of its group-wide Enterprise Risk Management Framework (SSF Standard 14.1). Responsibility for approving and reviewing operational risk management policy is shared between the ASX Limited and CS Boards, the Audit and Risk Committee and individual departments. The management of each department is responsible for implementing operational risk controls in their respective areas (SSF Standard 14.2). Austraclear sets clear operational reliability objectives and pursues policies designed to achieve those objectives. Key objectives for EXIGO, such as minimum availability of 99.9 per cent and peak capacity utilisation of 50 per cent, were met during the Assessment period. Austraclear maintains physical and information security policies based on relevant domestic and international standards (SSF Standard 14.3). Austraclear considers that it has sufficient well-trained and competent personnel and other resources to operate EXIGO. Austraclear prioritises its projects to ensure that business development work does not risk the availability of these resources for key systems (SSF Standard 14.4).

Austraclear manages operational interdependencies with participants, and with ASX Clear and ASX Clear (Futures), through its participant monitoring processes and group-wide risk management framework, respectively (SSF Standard 14.5). Its dependencies on service providers and utilities are subject to ongoing monitoring and contingency arrangements where appropriate. Austraclear's legal agreements with key outsourcing and critical service providers impose operational requirements on those providers equivalent to those under the FSS, provide for access to information for the Bank, and require that providers give notice to the Bank in the case of termination (SSF Standards 14.9, 14.10, 14.11).

Austraclear also maintains business continuity arrangements that provide a high degree of redundancy and, through the use of dual sites, target the resumption of operations within two hours following disruptive events. These arrangements are regularly tested in real time during live operations (SSF Standard 14.7). Participants are required to maintain appropriate operational and business continuity arrangements that complement Austraclear's own arrangements and are appropriate to the nature and scale of their business. Austraclear monitors participants' compliance with these requirements, and broader operational performance, on an ongoing basis (SSF Standards 14.6, 14.8).

Austraclear's arrangements for managing operational risks are described in further detail under the following sub-standards.

Identifying and managing operational risk

14.1 A securities settlement facility should establish a robust operational risk management framework with appropriate systems, policies, procedures and controls to identify, monitor and manage operational risks.

ASX's operational risk policies and controls have been developed in accordance with ASX's group-wide Enterprise Risk Management Framework (see SSF Standard 3.1). Under this framework, the ASX Limited Board is responsible for reviewing and overseeing the group's risk management systems (see SSF Standard 2.6). The Board delegates review of the Enterprise Risk Management Framework to its Audit and Risk Committee. An ERMC, comprising executives from across ASX's departments, is responsible for approving enterprise risk policies and reviewing controls, processes and procedures to identify and manage risks, as well as the formal approval of significant operational risk policies prepared by individual departments (see SSF Standard 14.2). Under the Enterprise Risk Management Framework, individual departments are also responsible for: identifying business-specific risks; applying controls; maintaining risk management systems; reporting on the effectiveness of risk controls; and implementing enhancements and taking remedial action.

Dedicated security teams have responsibility for assessing both physical and cyber security risks, and are overseen by the ERMC (see SSF Standard 14.3).

14.2 A securities settlement facility's board of directors should clearly define the roles and responsibilities for addressing operational risk and should endorse the securities settlement facility's operational risk management framework. Systems, operational policies, procedures and controls should be reviewed, audited and tested periodically and after significant changes.

The roles and responsibilities for addressing operational risk are clearly defined in the CS Boards' Charter, the Audit and Risk Committee Charter, and the Enterprise Risk Management Framework. As described above, risk responsibilities are shared between the ASX Limited Board, the CS Boards, the Audit and Risk Committee, the ERMC and individual departments.

Ultimate responsibility for the management of ASX's cyber-related risks lies with the ASX Limited Board, reflecting that different business areas share common vulnerabilities to cyber threats and that the response to such threats may require group-wide coordination. In practice, however, the Board delegates its ongoing oversight of cyber resilience to the ASX Limited Audit and Risk Committee, subject to the Board's stated very low tolerance for residual operational risks. The Board remains informed of significant cyber-related developments or issues, including where cyber incidents could threaten the availability or integrity of ASX systems, and in considering cyber risks in the approval of major projects. The Audit and Risk Committee receives regular updates on information security matters and oversees the cyber resilience activities of ASX management and staff.

Policies and procedures are the subject of internal and external review. ASX's Internal Audit department routinely monitors compliance with operational policy, reporting to the Audit and Risk Committee on a quarterly basis. Scheduled reviews carried out by Internal Audit include business process and operational audits and information technology reviews. Internal Audit also reviews major projects and carries out special investigations as required (e.g. following a major operational incident). Audit findings may prompt a review of policy, which would be conducted in consultation with key stakeholders. Technology-related security processes are considered by external auditors annually.

EXIGO is subject to an annual independent audit, the results of which are published on the ASX website. The audit covers the information processing facilities and internal controls of the EXIGO system, as well as the integrity and accuracy of information gathered by the system. The 2015/16 audit was published in August 2016.

ASX benchmarks its operational risk policy against relevant international standards. For example:

  • ISO 31000 – Risk Management Principles and Guidelines is used to benchmark ASX's overarching framework for operational risk management.
  • The business continuity framework is benchmarked against the Business Continuity Institute's Good Practice Guidelines 2013, and the international standard ISO 22301:2012 Business Continuity Management Systems.
  • The technology risk management framework is benchmarked against ISO 17799 (which covers principles for information security management) and ISO 27001 (requirements for information security management systems). Cyber security strategies are further benchmarked against the Australian Signals Directorate's Strategies to Mitigate Targeted Cyber Intrusions.
  • The compliance framework is benchmarked to the AS 3806-2006: Compliance Programs.
  • The ASX Fraud Control Policy is benchmarked against AS 8001-2008: Fraud and Corruption Control.

In addition, Austraclear's operational risk controls and reliability objectives are designed to meet operational standards set by the Bank as part of its ‘Step-in and Service Agreement’. As a feeder system to RITS, and as a systemically important system, Austraclear's system architecture is required under these standards to be equivalently operationally robust to that of RITS.

The risk framework defines a variety of control procedures to support the core operational systems. These include audit logs, segregation of duties controls such as dual input checks and approval, management sign-off and processing checklists as the primary preventative controls, supported by reconciliations and management reviews of activity.

Change management and project management

Austraclear operates a separate test environment for its core system (EXIGO), and has a formal change management process which is documented in the ASX Technology Change Management Policy and Guideline. The Policy and Guideline covers the requirements for the notification, risk assessment, testing and implementation of technology changes for all ASX CS facilities, as well as the key roles and responsibilities in relation to technology change management. There are also defined procedures for communicating details of technology upgrade releases with participants and vendors, which include regular notices to participants of upcoming changes. Aspects of the change management process are reviewed each year by an external auditor.

Major projects are overseen by the EPSC, which is comprised of representatives of the Group Executive. The EPSC is responsible for determining project priorities across the ASX Group, and overseeing the quality of project execution and resourcing. Project management of major projects is undertaken by the PMO. Projects incorporate testing processes, which verify that systems or services meet benchmarks set prior to implementation. Testing addresses both technical and operational aspects of projects. The project management process includes engagement with customers and third-party vendors of supporting systems where appropriate, particularly in customer testing. Project plans also include formal checkpoints which are intended to ensure that all appropriate risk management controls are in place prior to live use of a new or updated system or service.

In February 2015, ASX announced a technology transformation program to upgrade all of its major trading and post-trading systems over the next three to four years (see Section 3.5.7). The program is intended to rationalise ASX's core technology onto a single services platform, removing interdependencies that currently exist between unrelated systems. The first phase of the program will upgrade ASX's trading, risk management and market monitoring systems. A subsequent phase of the technology transformation program will focus on ASX's clearing and settlement platforms. This includes the consolidation of derivatives clearing onto a common platform and the replacement of the CHESS clearing and settlement system for cash equities.

Given the significance of the technology transformation program for ASX's critical trading, clearing, settlement and risk management systems, the ASX Limited Board and CS Boards will receive regular status updates throughout the life of the project, with executive-level oversight of project management provided by the EPSC. ASX's Audit and Risk Committee, together with the ERMC, oversees the management of operational and strategic risks associated with execution of the program, with internal and external audit providing review of key elements. ASX has formally adopted an ‘Agile project management’ approach for its technology transformation. This seeks to streamline decision making by bringing together the human and technological resources that support the design, development and testing processes, and delivering project outputs in a series of incremental stages (so-called ‘sprints’).

The Bank is receiving detailed quarterly updates on the progress of the technology transformation program. These updates also provide an opportunity for the Bank to examine interdependencies with day-to-day business-as-usual processes and potential change-management issues.

14.3 A securities settlement facility should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives. These policies include, but are not limited to, having: exacting targets for system availability; scalable capacity adequate to handle increasing stress volumes; and comprehensive physical and information security policies that address all potential vulnerabilities and threats.

Operational reliability and availability

Availability targets are documented and defined formally for critical services. EXIGO is required under its Step-in and Service Agreement with the Bank to meet a minimum availability target of 99.9 per cent; during the 2015/16 Assessment period EXIGO was available 99.9 per cent of the time.

Operational capacity

System capacity is monitored on an ongoing basis, with monthly reviews of current and projected capacity requirements. The results are reviewed against established guidance for capacity headroom over peak recorded values for all critical systems; that is, to maintain capacity 50 per cent over peak recorded daily volumes, with the ability to increase to 100 per cent over peak within six months. Capacity data are reported to the CRO, CFO, CIO and GE, Operations on a monthly basis and to the Audit and Risk Committee on a quarterly basis. Average capacity utilisation of EXIGO during the Assessment period was 24 per cent, while peak utilisation was 35 per cent. Austraclear considers that it has sufficient technical and human resources to operate EXIGO during peak periods, including in the event of operational incidents or system failure.

Information and physical security

ASX's cyber resilience approach is defined by the Information Security Strategy approved by the Security Steering Committee, and more granular policies and standards set out in ASX's Information Security Policy Framework. The Information Security Strategy sets out six high-level objectives for ASX's information security approach:

  • ensuring that information security supports enterprise-wide strategy and governance, safeguarding the confidentiality, integrity and availability of critical data and systems
  • ensuring that information security is implemented using a risk-based approach
  • ensuring that information security considers interdependencies with external stakeholders (including participants and regulators)
  • supporting the development of a culture of security and the acceptance of information security responsibilities throughout the organisation
  • ensuring information security is flexible enough to adjust to changing market demands
  • pursuing continual improvement in the effective and efficient deployment of information security controls.

The Information Security Strategy and Policy Framework are reviewed on a regular basis by the IT Security Team, with formal review by the Security Steering Committee carried out on an ad hoc basis in response to material changes to the security environment. The last such review was in October 2014.

Information security policy is tested at a number of levels. This includes penetration testing against the ASX perimeter and vulnerability testing within the perimeter. Austraclear performs EXIGO security testing on a quarterly basis. ASX operates a suite of controls designed to prevent and detect cyber attacks on its systems, such as denial of service or malware threats. These controls include continuous monitoring of its network for cyber intrusions and malicious code, steps to monitor suspicious internet traffic, regular scans to ensure that both the network perimeter and system assets remain secure, and the maintenance of spare capacity to manage legitimate or malicious surges in internet traffic, as well as steps to regulate access to ASX systems (described below).

User access for the key systems is restricted to prevent inappropriate or unauthorised access to application software, operating systems and underlying data. User activities are uniquely identifiable and can be tracked via audit trail reports. The level of access is authorised by the system owner with users granted the minimum level of access to systems necessary to perform their roles effectively. External access to ASX systems must pass through multiple layers of firewalls and intrusion prevention, and individual networks are segregated. ASX's system architecture is designed to minimise the risk of a cyber threat spreading, via the segregation of critical systems. In 2015/16, ASX also implemented a new identity management application to enhance the identity management capability and automate many of the set-up, maintenance and removal processes associated with user access administration.

Application testing is carried out in test environments (see SSF Standard 14.2). Testing reports are documented, with identified problems escalated to management and tracked through to remediation. Similarly, any significant technology-based operational incidents are reported to senior management and issues are tracked through to resolution via regular updates to management.

Physical access is controlled at both an enterprise and departmental level. The key systems supporting ASX's clearing and settlement processes are operated within secure buildings. Settlement operations are separated from general office areas with permitted access determined at a senior manager level and records of access maintained. Physical security arrangements for the primary and backup data centres are broadly equivalent.

14.4 A securities settlement facility should ensure that it can reliably access and utilise well-trained and competent personnel, as well as technical and other resources. These arrangements should be designed to ensure that all key systems are operated securely and reliably in all circumstances, including where a related body becomes subject to external administration.

Access to resources

Austraclear has arrangements in place which aim to ensure that it has well-trained and competent personnel operating EXIGO. Staff are provided with relevant policies and guidelines from commencement of employment, with weekly communications thereafter. Staff are evaluated with reference to each defined operational process and broader skills matrices, with training provided for identified areas of weakness. Austraclear has a formal succession planning and management process in place for key staff. ASX has sought to automate routine operational processes and reporting over recent years, freeing up additional staff resources that would otherwise be devoted to these tasks.

ASX has established a customer support centre within ASX's Australian Liquidity Centre.[9] The customer support centre brings together operations, technology and market surveillance staff in a single location, which is ASX's primary operations base and primary data centre.[10] To facilitate rapid recovery in the event of an operational disruption, around 20 per cent of ASX's operational staff are now based at its secondary operations site (formerly the primary operations site). In case of a disruption to staffing arrangements at the primary site for staff, the secondary operations centre has capacity to house 65 per cent of all operational staff.

ASX also has a Customer Experience team led by an Executive General Manager. This team brings together the main customer-facing functions from across ASX and is responsible for the development and delivery of the ASX customer experience.

Resources shared with a related body

Within the ASX group structure, most operational resources are provided by ASX Operations Pty Limited, a subsidiary of ASX Limited (see ‘ASX Group Structure’ in Appendix A), under a contractual Support Agreement. ASX Operations is also required under the Support Agreement to provide the Bank with reasonable rights of access in respect of information relating to its operation of critical functions provided to Austraclear (see SSF Standard 14.10 in respect of broader rights of access provided to the Bank by Austraclear's critical service providers).

In the event that ASX Operations became subject to external administration, to the extent permissible by law, provisions within the Support Agreement provide for Austraclear and the other clearing and settlement corporate entities to retain the use of operational resources. Under proposals currently under consideration by the government in the context of establishing a special resolution regime for CS facilities (see SSF Standard 14.11), the Bank would have the power to issue directions in day-to-day oversight, recovery and resolution to related entities such as ASX Operations that provide critical services to a CS facility under ex ante legal agreements. This proposed directions power would further safeguard Austraclear's access to critical services provided by ASX Operations.

Resourcing of major projects

The EPSC is tasked with ensuring that ASX has sufficient well-qualified personnel to cope with periods in which it is simultaneously undertaking a number of projects, including those resulting in significant changes to business (see SSF Standard 14.2). In managing projects affecting core systems (including EXIGO), the PMO rates projects to ensure that they receive appropriate access to resources.

For example, in its oversight of ASX's technology transformation program (see SSF Standard 14.2), the EPSC determines the prioritisation of resourcing for the different project phases. The Bank is receiving detailed quarterly updates on the progress of the technology transformation program. These updates also provide an opportunity for the Bank to examine prioritisation decisions and resourcing challenges.

Another key project for Austraclear during the Assessment period has been an insourcing initiative to take over EXIGO's third-level operational and software support from a service provider (requiring expert knowledge of the core system). This project was completed in November 2015. The EXIGO insourcing project, which commenced during 2011/12, required ASX to manage the transition process and adequately resource third-level support for Austraclear. ASX recruited dedicated developers for this project (see SSF Standard 14.5). In addition, ASX staff spent time at the service provider's offices to acquire the specialist knowledge required to provide advanced support for EXIGO. While carrying out the insourcing project, ASX retained the option to extend third-level support arrangements for as long as required. This option was utilised to accommodate delays without compromising support for EXIGO, including delays created by the resource requirements of other projects and to provide additional time for clients to update their systems. ASX also retained third-level support from the service provider for a further two months following the completion of the project.

14.5 A securities settlement facility should identify, monitor and manage the risks that key participants, other FMIs and service and utility providers might pose to its operations. A securities settlement facility should inform the Reserve Bank of any critical dependencies on utilities or service providers. In addition, a securities settlement facility should identify, monitor and manage the risks its operations might pose to its participants and other FMIs. Where a securities settlement facility operates in multiple jurisdictions, managing these risks may require it to provide adequate operational support to participants during the market hours of each relevant jurisdiction.

Dependencies on participants and other FMIs

ASX identifies, monitors and mitigates potential dependencies on participants in a number of ways:

  • by holding regular discussions with participants on risk management processes (see SSF Standard 3.1)
  • through participation requirements related to operational capacity and business continuity arrangements (see SSF Standards 14.6 and 15.2)
  • as part of its assessments of project-related risks (see SSF Standard 14.1)
  • through general monitoring of risks under its risk management framework (see SSF Standard 3.1).

For example, over the past few years, ASX has monitored and managed risks relating to Austraclear's operational activities arising from participants outsourcing their back-office processing offshore. Participants' outsourcing of back-office processes and technology to overseas domiciled hubs or third-party vendors may complicate incident management due to differences in time zones and languages, and in some cases a lack of familiarity with local market practices and conventions. Such factors, if inadequately mitigated, could increase operational risk. To manage this risk, ASX has standardised its offshoring and outsourcing guidance across its markets and CS facilities, with the exception of Austraclear. ASX is currently working on a project to align, where appropriate, the admission, notification and offshoring and outsourcing requirements for the Austraclear facility with those of the other CS facilities.

Austraclear has operational interdependencies with ASX Clear, ASX Clear (Futures), LCH.C Ltd, and Clearstream (see SSF Standard 17). Operational interdependencies with ASX Clear and ASX Clear (Futures) are managed in the context of ASX's group-wide operational risk management framework. Operational risks arising from the link with LCH.C Ltd are managed on the same basis as those with participants more broadly (see SSF Standard 17.1).

Dependencies on service providers

ASX has a formal policy that sets out the process for entering into, maintaining and exiting key outsourcing arrangements. If a key service is to be provided by an external service provider, ASX first conducts a tender process in which proposals from potential vendors are assessed against relevant criteria. Arrangements have been implemented under which ASX would consult with the Bank before entering into new agreements with third parties for critical services. ASX also provides the Bank with a list of critical outsourcing arrangements on an annual basis. Issues relating to outsourcing or service provision are escalated as appropriate to executive management via the ASX Technology Vendor Management Group and the relevant operational support area.

ASX assesses the operational performance of its service providers on an ongoing basis against its own operational policies, aiming to ensure that service providers meet the resilience, security and operational performance requirements of the FSS. ASX maintains current information on its service providers' operations and processes through ongoing liaison, and in turn provides relevant updates to service providers regarding ASX operations. Service providers are also assessed through software regression testing when there is a major system upgrade.[11] Contractual arrangements with critical service providers require the approval of Austraclear before the service provider can itself outsource material elements of its service. Austraclear's dependencies on service providers include:

  • SWIFT. Participants are able to use the SWIFT messaging service to submit settlement instructions to Austraclear. This makes Austraclear reliant on interactions with SWIFT for the processing of transactions from participants using this service. In the event of a SWIFT failure, Austraclear would revert to manual processing of SWIFT payments.
  • RITS and foreign currency settlement banks. As the cash leg of all AUD DvP and payment-only transactions occurs over RITS, the failure of RITS would potentially prevent settlement in EXIGO. However, ASX has prepared business plans that contemplate EXIGO continuing to operate independently. Steps taken to address interdependencies with Foreign Currency Settlement Banks acting as commercial bank money settlement agents for foreign currency payments are described under SSF Standard 8.3; operational arrangements for foreign currency settlements are designed not to affect the settlement of AUD transactions.
  • ASX Collateral/Clearstream. Austraclear also has interdependencies with ASX Collateral. Particularly since access to securities held in collateral accounts in Austraclear would be impaired in the event of an operational disruption to ASX Collateral services, ASX Collateral is required to deliver an equivalent standard of resilience to that of Austraclear. This extends to the outsourced services provided by Clearstream. In terms of architecture, system capacity, recovery time, and availability targets, ASX Collateral and Clearstream are designed to operate to a similar standard to that of Austraclear. In addition, the Service Level Agreement between ASX Operations Pty Limited and Clearstream requires that Clearstream provide ‘round the clock’ operational and technical support via its network of operational centres, with the support during Australian operational hours provided primarily by Clearstream's Singapore centre.
  • Utilities and service providers. All other Austraclear operational functions are performed within ASX. However, external suppliers are used for utilities, hardware maintenance, operating system and product maintenance and support, and certain security-related specialist independent services.
    ASX has put in place a number of mitigants to address the risks associated with dependencies on utilities and service providers.

    — Primary and backup data centres are connected to different electricity grids and telecommunication exchanges.

    — Each data centre has backup power generators with capacity to run the site at full load for 72 hours.

    — All external communications links to data centres are via dual geographically separated links.

    — ASX conducts regular testing of backup arrangements. Major systems are tested annually. Participants take part in these business continuity tests and are notified of the tests in advance through ASX notices.

    — ASX also performs a periodic assessment of suppliers, including consideration of contingency arrangements should externally provided services not be available (such as the use of alternative suppliers) as well as incident escalation procedures and contacts.

  • IT licensing and support. Austraclear has a key dependence on a third-party vendor for IT licensing, support and maintenance services for its core EXIGO system. During 2011/12, Austraclear commenced an insourcing project to take over EXIGO's third-level operational and software support (requiring expert knowledge of the core system) from the third-party vendor. This project has the potential to significantly reduce operational risk by giving Austraclear control over future development of the system in terms of both the nature and timing of future enhancements. The project will improve operational risk by significantly simplifying the system through the removal of unused components. It should also improve the timeliness of Austraclear's responses to operational incidents, given the current reliance on 24-hour support across different time zones for highly technical matters. ASX has recruited developers for this project and a senior developer from the third-party vendor has been seconded to Sydney during the development phase. As a contingency, ASX has retained the option to extend existing support arrangements for as long as required. This option has been utilised to accommodate delays without compromising support for EXIGO, including delays created by the resource requirements of other projects and, most recently, to provide additional time for clients to update their systems. The project is now expected to be completed in October 2015 (see SSF Standard 14.4).

Disclosure

The nature and scope of Austraclear's dependencies on critical service providers are disclosed to participants through: Regulations; Guidance Notes; Notices and Bulletins; technical documentation available on the ASX participant website; more general information available on the ASX public website; and in one-on-one meetings with participants, both during the induction process for new participants and on an ongoing basis.

Operational Support

Austraclear provides telephone and email support to participants via a helpdesk in its customer support centre. The service operates from 7.00 am to 7.30 pm (9.30 pm during daylight saving time).

14.6 A participant of a securities settlement facility should have complementary operational and business continuity arrangements that are appropriate to the nature and size of the business undertaken by that participant. The securities settlement facility's rules and procedures should clearly specify operational requirements for participants.

Business continuity requirements are set out in the Austraclear Regulations and Procedures, supplemented by additional guidance issued by ASX. These require large participants to maintain adequate business continuity arrangements (see SSF Standard 14.8) to allow the recovery of usual operations preferably within two hours, and no more than four hours, following a contingency event. The targeted recovery time for smaller participants is preferably four hours, and no more than six. Where a participant also acts as a foreign currency settlement bank, it is subject to additional operational resilience requirements reflecting its critical role in the operation of the foreign currency settlement service. If a participant fails to maintain business continuity arrangements consistent with these recovery targets, it may become subject to sanctions or restrictions on its activities. Spot checks of participants' business continuity management are conducted if risk factors are identified, such as where a participant has experienced operational problems. These spot checks examine the participant's governance and processes for resilience and business continuity.

The Regulations and Procedures also require more broadly that participants have facilities, procedures and personnel that are adequate to meet technical and performance requirements. ASX's preferred approach to dealing with operational issues is to work collaboratively with the participant to educate them on their obligations. If the matter is serious, ASX may require that the participant address the weakness as a matter of priority. ASX may also impose conditions on participation, or require that the participant appoint an independent expert to assist with the remediation task.

To further strengthen the Bank's influence over ASX Collateral (and, by extension, Clearstream), or any future Collateral Manager, the Bank has worked with ASIC to develop additional operational resilience requirements for Special Purpose Participants of Austraclear that provide collateral management services. These requirements, which are based on the operational standards imposed on Austraclear by the Bank as part of its Step-in and Service Agreement, include conditions on operational hours, system availability and capacity, outage reporting, business continuity arrangements, and IT governance and security.

Business continuity arrangements

14.7 A securities settlement facility should have a business continuity plan that addresses events posing a significant risk of disrupting operations, including events that could cause a wide-scale or major disruption. The plan should incorporate the use of a secondary site and should be designed to ensure that critical information technology systems can resume operations within two hours following disruptive events. Business continuity arrangements should provide appropriate redundancy of critical systems and appropriate mitigants for data loss. The business continuity plan should be designed to enable the securities settlement facility to complete settlement by the end of the day of the disruption, even in case of extreme circumstances. The securities settlement facility should regularly test these arrangements.

Business continuity management

Austraclear's approach to business continuity is defined in the ASX Business Continuity Management Policy. This policy describes the incident management and business continuity arrangements for all ASX CS facilities, including the appropriate operational response to a CS facility disruption, and the key roles and responsibilities in relation to business continuity. The Business Continuity Policy is supported by a range of other internal documents, including the Business Resumption Plan, the Pandemic Response Plan, and the testing policy for ASX's Business Continuity and Disaster Recovery Plans.

The Group Business Continuity Manager is responsible for developing the ASX business continuity management policies and procedures, and coordinating business continuity activities and training across the CS facilities. The outcomes of these activities are overseen by the Business Continuity Steering Committee, which is chaired by the General Manager Enterprise Risk and includes the CIO, CRO, CFO and GE, Operations. The ERMC is responsible for approving ASX's overall business continuity strategy and any related policies.

Austraclear policy requires that failover to the backup data centre should occur within two hours. Plans for recovery of key systems apply to both physical and cyber threats to business continuity; these cover scenarios such as the loss of systems or site access (with or without damage to internal site infrastructure), mass unavailability of staff or a pandemic event.

Austraclear employs a variety of technologies to ensure a high degree of redundancy in its systems – both across sites and within a single site. ASX maintains both a primary and a backup data centre, with broadly equivalent operational requirements. Key plant and equipment at the primary data centre are designed to the Uptime Institute Tier 3 standard of concurrent maintainability.[12] The main computer network is connected via point-to-point optical fibre, which ASX operates with its own technology, thereby reducing the potential for outages due to operational problems with the telecommunications provider. All core systems employ multiple servers with spare capacity. Front-end servers handling communications with participants are configured to provide automatic failover across sites. Failover of the more critical data servers is targeted to take place within two hours, but would generally be expected to occur within an hour, under the control of management.

Disruption to participants in such circumstances would be mitigated by the high degree of redundancy in front-end system components. In most circumstances, these would be expected to maintain communications with participants' systems and queue transactions until the data servers were reactivated. The integrity of transactions would be supported by: queuing messages until they could be processed; storing all transactions in the database with unique identifiers, thereby preventing the loss or duplication of transactions; and synchronising database records between the primary and backup data centres. Furthermore, in the event that a significant part of a system or an operational site failed, Austraclear has contingency arrangements to activate an additional tier of ‘cold’ redundancy arrangements (either by converting test systems into production systems or rebuilding systems from readily available hardware) within 24 hours to meet the contingency of any further service interruption.

Austraclear regularly tests its business continuity and technology disaster recovery arrangements against the range of identified business interruption scenarios. The testing requirements are set out in ASX's Business Continuity and Disaster Recovery Plans Testing Policy. Dual site operational teams across the primary and secondary operations sites effectively test backup operational processes on a continuous basis. These arrangements are supplemented by periodic desktop simulations, and exercises testing remote access and full attendance at the secondary site. ASX also participates in industry-wide tests of business continuity arrangements. For teams not located across both sites, connectivity and procedural testing of the secondary site are performed monthly by representatives from those teams. Live technology tests, where settlement services are provided in real time from the backup data centre, are conducted on a two-year cycle. The use of live tests ensures that participant connectivity to the backup data centre is also tested. Test results are formally documented and reported to ASX senior management and are also made available to internal and external auditors. In addition to receiving the results of business continuity tests, Internal Audit also reviews Technology operational incidents, contributes to business continuity policy updates, and helps ensure that business continuity has been considered as part of project risk assessments. ASX's business continuity framework is audited externally every three to five years; the most recent audit, completed in November 2015, found that ASX's business continuity standards were broadly consistent with widely recognised global standards and did not identify any major areas of concern. Under the terms of Austraclear's Step-in and Service Agreement with the Bank, Austraclear is also required to take part in annual connectivity tests between the Austraclear and RITS systems.

Incident management

Austraclear has clearly defined procedures for crisis and event management. These procedures, as well as key roles and responsibilities for managing an incident, are documented in ASX's Major Incident Management Plan. The procedures cover incident notification (including notification and incident reporting to the Bank and ASIC), emergency response (including building evacuation), incident response (including overall incident assessment and monitoring), and incident management testing. These include the use of Twitter to advise stakeholders of market-wide operational or technical incidents. ASX maintains a major incident management team that includes senior representatives of the core business activities, as well as facilities management, business continuity, and media and communications. The procedures identify responsibilities, including for internal communication and external communication to emergency services, the market, industry and media.

The ASX Technology Incident Management Procedure would be invoked in the event of a high severity technology incident. The Incident Management Procedure provides guidelines for system recovery prioritisation and resource allocation, and the actions that would need to be taken in the event of an incident. The Procedure also outlines the key roles and responsibilities for managing an incident, as well as indicative communication and notification requirements.

14.8 A securities settlement facility should consider making contingency testing compulsory for the largest participants to ensure they are operationally reliable and have in place tested contingency arrangements to deal with a range of operational stress scenarios that may include impaired access to the securities settlement facility.

The Austraclear Regulations and Procedures require participants to maintain adequate business continuity arrangements that are appropriate to the nature and size of their business as a participant. The Regulations specify that participants must have arrangements that allow for the recovery of usual operations (see SSF Standard 14.6). It is Austraclear's expectation (set out in guidance) that this would be within two hours following a contingency event for large participants. These arrangements are reviewed as part of the participant admissions process. Participants are also subject to spot checks of their ongoing compliance with the Austraclear Regulations and Procedures. Spot checks may be based on topical themes, in some cases arising from observations of general business developments, and in other cases motivated by a participant that has been experiencing operational problems. If a participant fails to implement any recommendations arising from a check, ASX may impose sanctions.

Participants are involved in the contingency testing of Austraclear's systems, as this testing is conducted in a live environment. ASX conducts comprehensive business continuity testing of key systems at least every two years, with participants being notified of the start and completion of testing. Participants are also involved in testing of major system changes or in advance of the introduction of a new system. Austraclear conducts regular connectivity tests and maintains an external testing environment for system changes.

In addition to operational reliability requirements that apply to ASX Collateral as a Special Purpose Participant of Austraclear, ASX Operations Pty Limited conducts contingency testing of ASX Collateral as a critical ASX system. As part of this testing, ASX applies some of the contingency scenarios defined in its Service Level Agreement with Clearstream.

Outsourcing and other dependencies

14.9 A securities settlement facility that relies upon, outsources some of its operations to, or has other dependencies with a related body, another FMI or a third-party service provider (for example, data processing and information systems management) should ensure that those operations meet the resilience, security and operational performance requirements of these SSF Standards and equivalent requirements of any other jurisdictions in which it operates.

ASX has developed a set of standard clauses for inclusion in contracts with third-party service providers of critical services to Austraclear (see SSF Standard 14.5). Similar clauses are also included in the Support Agreement between Austraclear and ASX Operations Pty Ltd, which provides all internal operational services for the facilities. The clauses seek to ensure that the service providers meet the resilience, security and operational performance requirements of the FSS. The clauses also allow the Bank to gather information from the service provider about the operation of critical functions (see SSF Standard 14.10). In the event that the Bank concluded that the terms of the service provider agreement did not meet FSS requirements, the clauses require the service provider to negotiate acceptable new terms with ASX in good faith. Furthermore, if Austraclear were to become insolvent, the clauses provide for the Bank to negotiate with the service provider to continue service provision (see SSF Standard 14.11). ASX applies these clauses to all new agreements with service providers, and has incorporated them into all of its key existing service agreements.

The resilience, security and operational performance of SWIFT, which Austraclear relies upon for messaging, is primarily overseen by the SWIFT Oversight Group, comprising the G10 central banks and chaired by the National Bank of Belgium. In 2012, the National Bank of Belgium established the SWIFT Oversight Forum (SOF) to include 12 additional central banks, including the Bank, in the oversight process. Through its membership of the SOF, the Bank is able to access information relevant to SWIFT oversight. To support its oversight activities, the Oversight Group has set proprietary minimum standards – the High-level Expectations (HLEs) – against which SWIFT is assessed. In its capacity as a member of the SOF, the Bank receives SWIFT's annual self-assessment against the HLEs.

ASX Collateral

Given the interdependencies between Austraclear and ASX Collateral, it is important that ASX Collateral is held to equivalent standards of operational robustness. ASX Collateral employs the same risk management framework for operational risk and operational procedures as those adopted for the Austraclear EXIGO system. This includes a service availability target of 99.9 per cent, and a minimum capacity headroom target of 50 per cent of total capacity. ASX Collateral's business continuity arrangements are also consistent with those for the Austraclear EXIGO system and are reviewed alongside Austraclear's own business continuity arrangements. The CCMS is replicated at the backup data centre, with failover to occur within one to two hours, depending on the nature of the contingency event. A high degree of redundancy is built into the CCMS – both across the primary and backup data centres and within each centre. In the case of a significant outage of the CCMS, critical collateral transfers may be conducted as ‘Austraclear assisted transactions’, consistent with existing Austraclear functionality.

ASX Collateral has access to other ASX Group personnel as required to carry out its operations under the ASX Group Support Agreement with ASX Operations Pty Limited. This agreement aims to allow for access to resources in the event of external administration of ASX Operations Pty Limited – to the extent permissible by law.

Resilience requirements imposed on ASX Collateral apply equally to ASX Collateral's outsourced arrangements with Clearstream. Clearstream's reliability targets for its Collateral Management Exchange (CmaX) system are broadly equivalent to those of Austraclear. Specifically, they require 99.8 per cent availability and capacity utilisation of no more than 20 per cent. Clearstream can scale its service to cover 15 times the current average production load by the straightforward upgrade of existing hardware, and additional capacity can be obtained by adding servers and tuning software. Clearstream's resilience standards are broadly equivalent to those of Austraclear, including the use of geographically separated underground data centres with security huts, managed firewalls, anti-virus and anti-malware protection for email, and data encryption.

Clearstream is subject to oversight under several regimes. In particular, the Central Bank of Luxembourg (Banque Centrale du Luxembourg, BCL) performs periodic assessments of Clearstream against applicable standards. These assessments evaluate Clearstream's operational risk management framework for its collateral management service (i.e. not specifically the ASX iteration). Additional assessments, from the point of view of user requirements, are carried out by the Eurosystem on a near-annual basis. None of these various assessments have identified significant issues with Clearstream's operation of its services. Clearstream is also subject to periodic examination by international assessors.

14.10 All of a securities settlement facility's outsourcing or critical service provision arrangements should provide rights of access to the Reserve Bank to obtain sufficient information regarding the service provider's operation of any critical functions provided. A securities settlement facility should consult with the Reserve Bank prior to entering into an outsourcing or service provision arrangement for critical functions.

ASX's standard clauses for service providers require the provider to grant reasonable access to the Bank in respect of information relating to its operation of a critical function provided to Austraclear. ASX applies these clauses to all new agreements with service providers, and has incorporated them into all of its key existing service agreements. The Bank also receives information on SWIFT through its membership of the SOF (see SSF Standard 14.9).

Rights of access for the Bank to ASX Collateral are provided by overlapping requirements established under Australian Financial Services Licence conditions imposed on ASX Collateral, intragroup contractual arrangements, and additional requirements on Special Purpose Austraclear Participants that are Collateral Managers. Rights of access to the Bank in respect of CCMS services provided by Clearstream are provided by the Master Framework Agreement between ASX Operations Pty Limited and Clearstream.

14.11 A securities settlement facility should organise its operations, including any outsourcing or critical service provision arrangements, in such a way as to ensure continuity of service in a crisis and to facilitate effective crisis management actions by the Reserve Bank or other relevant authorities. These arrangements should be commensurate with the nature and scale of the securities settlement facility's operations.

Standard clauses in Austraclear's agreements with service providers, including (via ASX Collateral) Clearstream for the CmaX system, require that providers give the Bank notice of any intention to terminate the agreement as a consequence of Austraclear's failure to pay fees, or in the event of the insolvency of Austraclear or any other ASX entity (see SSF Standards 14.9 and 14.10). This is intended to give the Bank an opportunity to take action to remedy the breach or otherwise ensure continued service provision.

Austraclear's arrangements to ensure continuity of operations in the event of a crisis will be shaped by the proposed introduction into Australian law of a special resolution regime for FMIs. For example, under the proposed regime the Bank would have powers to direct related entities (such as ASX Operations) to perform obligations under ex ante agreements to provide critical services (see SSF Standard 14.4). The government, on the advice of the CFR, progressed work on the proposed FMI resolution regime via a February 2015 consultation paper. Following the release of the conclusions to this consultation in November 2015, the government began developing legislative proposals to implement the regime. At the same time, the CFR continues to develop operational arrangements to support the regime once implemented.

Footnotes

[9] The Australian Liquidity Centre provides market participants with the option to ‘co-locate’ their servers with ASX's data centre.

[10] ASX currently maintains three main sites for its operations and data processing: a primary operations site that also operates as the primary data centre (where the majority of staff are located); a secondary operations site; and a backup data centre.

[11] When a component of software is updated, ‘regression testing’ aims to perform checks on the full software to verify that the operation of other software components has not been inadvertently affected by the update.

[12] The Uptime Institute is an IT consulting organisation that has developed a widely adopted classification system for the level of redundancy arrangements in data centres. ‘Tier 3’ is the second highest standard of redundancy, indicating that a data centre has redundant components, multiple independent power and cooling systems, and a high degree of availability.