2019 Assessment of the Reserve Bank Information and Transfer System 2. Summary and Review of Ratings and Recommendations

RITS is Australia's high-value payments system, which is used by banks and other approved institutions to settle their payment obligations on a real-time gross settlement (RTGS) basis.[4] RITS is owned and operated by the Bank. The Bank seeks to ensure effective oversight of RITS by separating the Bank's operational and oversight functions, as well as by producing transparent assessments against international standards. This Assessment has been produced by the Bank's Payments Policy Department, which is the functional area responsible for oversight of the Australian payments system, drawing on information provided by the Bank's Payments Settlements Department, which is the functional area responsible for operating RITS (see section A.3 for further background on the governance and oversight of RITS). This report has been endorsed by the Payments System Board.

This Assessment focuses on the critical services provided by the Bank as operator of RITS; in particular, RITS's role as a wholesale RTGS system, as it is this role that makes RITS a systemically important payment system.[5] Currently, the Bank considers that RITS is the only domestic systemically important payment system for which an assessment against international principles is necessary.[6] This view reflects the fact that RITS:

  • is the principal domestic payment system in terms of the aggregate value of payments
  • mainly handles time-critical, high-value payments
  • is used to effect settlement of payment instructions arising in other systemically important financial market infrastructures.

The FSS, which settles transactions submitted via the New Payments Platform (NPP) feeder system, is also established under the RITS Regulations. However, the focus on the FSS for this assessment is limited to its interaction with the core (wholesale) RITS system.[7] A similar approach is taken with the role RITS plays in the settlement of interbank payment obligations arising from net settlement systems, for example, those relating to cheque, direct entry and card transactions arising from the Low Value Settlement Service (LVSS).[8]

This section summarises steps taken since the publication of the 2018 Assessment in relation to the areas of supervisory focus identified in that assessment. It also summarises the ratings and recommendations arising from the current Assessment.

2.1 Developments in 2018 Areas of Oversight Focus

In the 2018 Assessment, RITS was found to have observed all of the relevant Principles and no recommendations were made.[9] However, the 2018 Assessment noted that Payments Policy Department would monitor progress in two areas, related to work to ensure that RITS remains resilient in the face of evolving cyber-security threats. Table 1 summarises these areas and progress by the Bank during the assessment period.

Table 1: Summary of Developments in Areas of Oversight Focus
Area of focus Developments
Progress in the implementation of the remaining recommendations arising out of the completed reviews of RITS's cyber security and cyber resilience. The highest priority recommendations were implemented in early 2017, with most of the remaining lower priority recommendations implemented in 2018. A small number of lower priority recommendations have been carried forward via related projects or initiatives.
Progress in the continued exploration of current and emerging technology that could enable further enhancements to the ability to recover RITS from cyber attacks in a timely manner. The Bank is further exploring a technology option that is ‘non-similar’ to RITS but which could provide an additional recovery option. This work is expected to continue into the next assessment period.

2.2 2019 Ratings and Recommendations

As of the end of March 2019, RITS was found to observe all of the relevant Principles other than Principle 17 (Operational risk), which it was found to broadly observe (Table 2).[10] In light of the lessons learned from the 30 August outage, Payments Policy Department has identified the following recommendations in order for RITS to observe Principle 17 on Operational Risk.

  • The Bank should implement planned actions that support the ability of RITS to recover the operations of critical IT systems within two hours of a disruption, including changes that support the automated failover of the RITS database in contingency scenarios affecting the primary site and improve the resilience of the FSS automatic failover process and systems.[11]
  • The Bank should carry out a contingency test that assumes FSS does not failover automatically in a site outage to validate that its business continuity plan supports the recovery of RITS within two hours of a disruption in these circumstances.
  • The Bank should document its process for determining whether RITS or FSS should be prioritised for restoration in circumstances where there is a potential resource conflict.

As part of its ongoing oversight process, Payments Policy Department will also continue to follow up on developments in the work to ensure that RITS remains resilient in the face of evolving cyber-security threats. As a particular area of oversight focus, Payments Policy Department will monitor progress in the continued exploration of ‘non-similar’ technology that could enable further enhancements to the ability to recover RITS from cyber attacks in a timely manner.

Table 2: Ratings of Observance of the Principles(a)
Principle Rating
1. Legal basis; 2. Governance; 3. Comprehensive framework for the management of risks; 4. Credit risk; 5. Collateral; 7. Liquidity risk; 8. Settlement finality; 9. Money settlements; 13. Participant-default rules and procedures; 15. General business risk; 16. Custody and investment risks; 18. Access and participation requirements; 19. Tiered participation requirements; 21. Efficiency and effectiveness; 22. Communication procedures and standards; 23. Disclosure of rules, key procedures, and market data Observed
17. Operational risk Broadly observed
12. Exchange-of-value settlement systems Not applicable

(a) Principles 6, 10, 11, 14, 20 and 24 are not relevant for payment systems.

Footnotes

This means that individual payments are processed and settled continuously and irrevocably in real time. [4]

‘RITS’ is used in this report to refer to the Bank as operator of RITS, as well as referring to the system itself. [5]

See the Joint Statement by the RBA and ASIC, Implementing the CPSS-IOSCO Principles for Financial Market Infrastructures in Australia, available at https://www.rba.gov.au/payments-and-infrastructure/financial-market-infrastructure/principles/implementation-of-principles.html. [6]

The NPP and FSS are not currently being used in ways that would trigger assessment against the Principles, based on the criteria for systemic importance listed above. [7]

Further information on net settlement systems linked to RITS is provided in section A.5 of Appendix A. [8]

In its assessment, Payments Policy Department has applied the approach and rating system set out in the Disclosure Framework. ‘Observed’ is the highest rating within this framework and is applied when Payments Policy Department assesses that ‘(An) FMI observes the principle. Any identified gaps and shortcomings are not issues of concern and are minor, manageable and of a nature that the FMI could consider taking them up in the normal course of its business.’ The full rating scale is set out in Appendix B. [9]

A rating of ‘broadly observed’ is applied when Payments Policy Department assesses that ‘(An) FMI broadly observes the principle. The assessment has identified one or more issues of concern that the FMI should address and follow up in a defined timeline.’ [10]

A software update to improve the resilience of the FSS automatic failover process was installed after this assessment was endorsed by the Payments System Board but before its publication. [11]