2026 Assessment of the Reserve Bank Information and Transfer System 3. Material Developments

3.1 Governance and accountability

Over the assessment period, the RBA has progressed a broad program of governance changes, including the establishment of the Governance Board^[6] and enterprise-wide internal governance arrangements. These initiatives are intended to strengthen accountability, escalation, challenge and decision making across the RBA, including for RITS. Evidence from the assessment period indicates that the new governance arrangements are a significant improvement compared to the previous structure. However, these arrangements are still being embedded and could be further enhanced to support the RBA to fully observe the Governance Principle in operating RITS. Observance of this principle is foundational for strengthening observance across all PFMI.

3.1.1. Commencement of the Governance Board

The commencement of the Governance Board on 1 March 2025 is a material development since the 2024 RITS Assessment and a significant enhancement to the governance of the RBA. Previously, the Governor was the sole accountable authority for the RBA.^[7] Now, the Board is responsible for overseeing the RBA’s management and organisational affairs, including the operation and management of RITS.^[8] The Board comprises of three ex officio members (the RBA’s Governor, Deputy Governor and Chief Operating Officer) and six non-executive members appointed by the Treasurer. Executive members provide continuity and institutional knowledge; non-executive members bring external expertise in enterprise organisation, prioritisation and risk management.

The Governance Board meets quarterly and is progressing its understanding of RITS matters, including how to assess and prioritise RITS-related risks among competing enterprise-wide priorities. The RBA has provided the Board with foundational information on RITS, regular updates on RITS operational availability, information on enterprise wide technology change and risks (which implicitly include RITS), and briefings on RITS incidents.

The Audit and Risk Committee^[9] supports the Governance Board by reviewing the appropriateness of performance reporting, systems of risk oversight and management and systems of internal control. The Head of Audit reports directly to the Committee, consistent with the Audit Charter. The RBA’s Chief Risk Officer and the Head of Audit have direct access to the Committee, including for reporting on enterprise risk where appropriate. The Committee has reviewed technology and cyber risk for the RITS ecosystem, which represent material risk classes.

The Governance Board is a significant enhancement to the governance of the RBA. Opportunities to further strengthen RITS-specific governance arrangements could include: more explicit articulation of Board responsibilities with regards to RITS in key governance documents; establishing mechanisms to ensure that RITS risks and stakeholder interests are discussed regularly; and self-assessing Board performance against the PFMI.

3.1.2. Internal governance

Culture and governance recommendations from the RBA Review^[10] and the 2023 Deloitte Review^[11] are being addressed via the RBA Future Hub, a specially-established project department.^[12] During the assessment period, the Future Hub completed the design of most culture and governance initiatives, transferring them for implementation by relevant departments. However, the internal governance workstream remains in the design phase. Planned internal governance changes will better map and assign executive responsibilities and outline the roles of committees in supporting forward-looking risk management, escalation and decision-making processes. As part of this process, the RBA should clearly articulate the roles of its internal committees in relation to RITS and consider outcome-focused metrics to assess effectiveness of new governance arrangements over the next assessment period.

As governance for RITS improves, RITS performance should strengthen over time. Most RITS operational incidents that occurred during the assessment period were avoidable and attributed to governance and procedural issues rather than underlying technical defects. For example, the January 2026 incident was caused by shortcomings in intermediate certificate renewal processes, which indicate gaps in governance and assurance over key operational risks (see Section 3.4).

3.2. Risk management

Over the assessment period, the RBA prioritised several initiatives to enhance enterprise risk management. The RBA Future Hub completed the design of changes to the RBA’s comprehensive risk management framework and risk culture, as recommended in the RBA Review and the 2023 Deloitte Review. Responsibility for implementation of the changes has been transferred to the RBA’s Risk and Compliance Department.

New standards for risk and control identification and assessment, issue management, action management and incident management have been developed, as have new risk and control taxonomies and business requirements for upgrading the Risk Management System. RITS staff have undertaken foundational risk training and practiced implementing the new standards. While not RITS-specific, these initiatives should improve how RITS risks are identified, managed and escalated.

While risk management frameworks have strengthened in design, in practice, they have yet to prevent the materialisation of foreseeable RITS risks. Work to implement effective controls is incomplete, resulting in avoidable incidents. The January 2026 incident demonstrated that known operational risks are not being sufficiently mitigated on a forward-looking basis. Until robust operational resilience practices are embedded, the risk management framework will remain only partly effective in managing operational risks to RITS.

3.2.1. Three lines of accountability model

The 2023 Targeted Assessment, informed by external reviews, found that RITS did not have a fully implemented, embedded and effective 3LoA model.^[13] Over the assessment period, the RBA has made notable progress implementing an enhanced 3LoA model. A new dedicated Line 1 risk management position has been created within Payments Settlements Department, reporting directly to the Head of Department, and an equivalent position has been created in Information Technology Department. More broadly, capacity and capability in the Line 1 RITS teams across Payments Settlements Department and Information Technology Department has increased. The Risk and Compliance Department (Line 2) has been restructured to dedicate specific resources to RITS, with the internal Audit Department continuing to provide enterprise-wide Line 3 assurance. These developments will strengthen accountability for day-to-day risk management and mitigate key person risk.

While roles and responsibilities across the three lines of accountability model are now clearer in design, the framework is not yet fully embedded. For instance, with the remediation work on known gaps ongoing, internal audit coverage of RITS has been limited to reviews of specific issues and remediation programs. This constrained the effectiveness of the 3LoA model in relation to RITS operations and the ability of Line 3 to provide effective challenge.

3.2.2. Management of risks from change

Change-related risk has been a material component of the RITS risk profile during the assessment period, with the departments responsible for RITS managing a substantial proportion of the RBA’s change agenda. The concurrent change initiatives across the RBA have resulted in project delivery demand exceeding available capacity; this is expected to persist until at least 2027. External and internal reviews of RITS initiatives have highlighted emerging risks created by change saturation: diminishing capacity to absorb new processes and ways of working; absorption lagging delivery; and the increasing likelihood that intended benefits will not be fully realised or sustained. These may compound the identified operational, governance and sequencing risks to RITS unless integrated into existing risk management frameworks.

3.3. Operational risk

RITS is operating in a very complex environment. A dynamic external risk landscape is being shaped by geopolitical tensions and emerging technologies. The RBA’s ambitious change agenda is creating capacity constraints in some areas. Key initiatives in response to recommendations from past assessments have commenced, with efforts primarily focused on establishing foundational capability. However, strategic trade-offs in resourcing, prioritisation and sequencing mean that benefits from the change programs have yet to be fully realised, and the operational risk profile of RITS has not meaningfully reduced. The RBA should place a high priority on completing and embedding programs addressing prior RITS recommendations to return RITS operational risk within appetite, reflecting its systemic importance and potential to propagate disruptions.

3.3.1. Technology controls and processes

RITS is a critical national infrastructure asset that operates through multi-layered systems, processes and interdepartmental dependencies. Delivering RITS services that are highly reliable and available necessitates a sound control environment supported by effective technology processes. Past assessments identified scope for improvement in these areas; in response, the RBA has progressed initiatives intended to support improved tooling, monitoring and oversight of operational risk, and to reduce the likelihood and impact of potential operational issues.

During the assessment period, the RBA – through the Payments Operations Program – has achieved two important milestones for the control environment: establishing a new IT control library and completing an initial technology gap assessment. The assessment informed a control remediation program scheduled for completion by end-2027.

External assurance found that the technology gap assessment provided a valuable baseline view. However, it also highlighted that the assessment may have not fully captured current and emerging risks, and that the IT control library requires further work to improve usability for business-as-usual application. As the RBA’s control management standard mandates testing of key controls only, there remains a risk that some control vulnerabilities may go undetected. This is consistent with findings following the January 2026 incident, which demonstrated that control gaps can materialise into service disruptions prior to remediation being completed.

3.3.2. RITS operating model

In late 2025, in response to Recommendation 2023/1, the RITS operating model was introduced and is now undergoing phased implementation. The model aims to strengthen resilience across the RITS ecosystem through increased resourcing, new ways-of-working arrangements between Payments Settlements Department and Information Technology Department, refreshed release management and prioritisation frameworks, enhanced performance metrics and the comprehensive documentation and maintenance of procedures.

Achievements to date include roll-out of enhanced key performance indicators. These will provide a useful measure of where Payments Settlements Department and Information Technology Department need to focus additional effort to improve the operational resilience of RITS, and will be revised in 2026–2027. Recruitment of additional Payments Settlements and Information Technology staff is underway but has been slower than expected, in part due to resourcing interdependencies with concurrent enterprise projects including the RBA’s Core Modernisation Program (see Section 3.3.3). Staff readiness for changes to ways of working, and the introduction of key performance indicators, will need to be closely managed to ensure a successful implementation.

3.3.3. Core Modernisation

The Core Modernisation Program (CoreMod) is a multi-year initiative that commenced in 2024 to modernise the RBA’s core technology infrastructure. The program aims to establish a new data centre, deploy modern core infrastructure across the RBA’s data centres, and migrate application workloads between and within these environments.

CoreMod was expected to be completed by December 2026 but the program has been affected by numerous delays. Delays to infrastructure delivery had downstream impacts on other initiatives, including some affecting RITS (such as POP’s IT ecosystem uplift, the RITS operating model, and the FSS Next program). CoreMod delays also increase the operational risk profile of RITS, including through an extended reliance on componentry approaching end of life, and placed sustained demand on subject matter experts, reducing their availability for other initiatives. In addition, emerging issues with the program were not escalated promptly enough to enable effective corrective measures.

3.3.4. Cyber security

Cyber security threats represent a significant risk: they have the potential to undermine confidence in the payments system and lead to financial instability and substantial disruption to the economy. The RBA has developed a cyber security strategy focused on reducing cyber risk. The strategy emphasises enhanced cyber incident response and recovery, including scenario based testing of RITS resilience.

3.4. RITS incidents and responses

The majority of RITS operational incidents during the assessment period arose from procedural shortcomings rather than underlying technical failures. This is consistent with earlier assessments, which found that the key risks for RITS operations stem from governance and risk management of operational arrangements. These are still being improved as a part of the RBA’s change program.

The January 2026 incident^[14] was triggered by an incorrectly installed intermediate certificate on the database. The underlying root cause for the incident was that procedures and processes were not followed and knowledge gaps were present; this was also the underlying cause of the major RBA incidents in 2018 and 2022. Further, the recommended remedial actions across these events are very similar. These actions include strengthening coordination and contingency arrangements with industry, improving incident management frameworks, clarifying external communication protocols, and improving decision‑making around manual settlement operations. The recurrence of these recommended remedial actions suggests that sustained implementation of governance and risk management enhancements remains an ongoing challenge.

As a result of the incident, RITS will not meet its publicly stated operational reliability objective of at least 99.95 per cent availability in 2026, even if no further availability-impacting incidents occur. Further details on the availability performance, and how this is measured are included in Appendix A.

Endnotes

RBA (2025), ‘Governance Board’.[6]

Prior to the amendments to the Reserve Bank Act in 2024, the Governor was the accountable authority of the RBA and ultimately responsible for overseeing its operations, including RITS. The rating for Principle 2 of the PFMI (Governance) was downgraded to ‘broadly observed’ in 2023, largely reflecting the finding that, at both a staff and senior executive level, accountabilities, roles and responsibilities for RITS were sometimes unclear, insufficiently documented, and widely diffused across sometimes siloed teams.[7]

See RBA (2025), ‘Governance Board Charter’, March; RBA (2026), ‘Monetary Policy Board’; RBA (2024), ‘Payments System Board’. Arrangements for the PSB to have ongoing oversight of PY’s assessment of RITS against the PFMI have been detailed through an MoU among the Reserve Bank Boards. See RBA (2025), ‘Memorandum of Understanding among the Monetary Policy Board, Payments System Board, Governance Board and Executive’, May.[8]

RBA (2025), ‘Governance Board Audit and Risk Committee’.[9]

Australian Government (2023), ‘An RBA Fit for the Future: Review of the Reserve Bank of Australia’, Final Report, March.[10]

Deloitte (2023), ‘Independent Review of the October 2022 Reserve Bank Information and Transfer System (RITS) Outage’, Final Report, April.[11]

The Future Hub Program has responsibility for leading and coordinating the RBA’s response to recommendations from the RBA Review, as well as responsibility for some recommendations contained in the 2023 Deloitte Review and the assessments of RITS against the PFMI. See Australian Government (2023), ‘An RBA Fit for the Future: Review of the Reserve Bank of Australia’, Final Report, March; Deloitte (2023), ‘Independent Review of the October 2022 Reserve Bank Information and Transfer System (RITS) Outage’, Final Report, April; RBA (2026), ‘Assessments of RITS’.[12]

RBA (2023), ‘Targeted Assessment of the Reserve Bank Information and Transfer System’, May.[13]

RBA (2026), ‘27 January 2026 Payments Settlements Outage’, March.[14]