2026 Assessment of the Reserve Bank Information and Transfer System 2. Ratings and Recommendations

Download the complete Document 822KB

2.1 Introduction

RITS is used by banks and other approved institutions to settle their payment obligations on a real-time gross settlement (RTGS) basis. RITS also includes the Fast Settlement Service (FSS), which settles transactions submitted via the New Payments Platform (NPP) feeder system on an RTGS basis. Because RITS is used to process time-critical, high-value payments and provides settlement services for systemically important financial market infrastructures (FMIs), it is classified as a SIPS.

RITS is owned and operated by the RBA. During the assessment period, governance arrangements for RITS underwent notable structural changes. In March 2025, the Governance Board commenced operations under the provisions of the Reserve Bank Act 1959 (Reserve Bank Act) as the accountable authority of the RBA. It assumed responsibility for overseeing the management and organisational affairs of the RBA, including its payments operations.^[1] Operational responsibility for RITS remains with Payments Settlements Department.

RITS, as a SIPS, is expected to observe the PFMI. Periodic assessments of RITS against the PFMI are produced by the RBA’s Payments Policy Department for review and approval by the Payments System Board. Arrangements in place to support the separation of the RBA’s operational and oversight functions in relation to RITS include a memorandum of understanding (MOU) between the Governance Board, Payments System Board, Monetary Policy Board, and the Executive of the RBA.^[2]

RITS is subject to an assessment against the PFMI every two years.^[3] This assessment is for 31 March 2026 and provides an update on progress since the previous assessment published in June 2024.^[4]^,^[5]

2.2. 2026 ratings on observance of the PFMI

In line with the PFMI, the assessment rates RITS observance of the relevant principles as follows:

Observed is used when that any identified gaps and shortcomings are not issues of concern and are minor, manageable and of a nature that the facility could consider taking them up in the normal course of its business.
Broadly observed means that there are one or more issues of concern that the facility should address and follow up on in a defined timeline.
Partly observed highlights that there are one or more issues of concern that could become serious if not addressed promptly and the facility should accord a high priority to addressing these issues.
Not observed indicates that there are one or more serious issues of concern that warrant immediate action and the facility should accord the highest priority to addressing these issues.

The PFMI rating framework therefore is built on combination of the gravity and urgency of the need to remedy identified gaps and issues of concern.

As at end March 2026, RITS was found to observe all relevant Principles except Principle 2 (Governance), Principle 3 (Framework for the comprehensive management of risks) and Principle 17 (Operational risk) (Table 1). The rating for Principle 3 (Framework for the comprehensive management of risks) and Principle 17 (Operational risk) remained at partly observed. RITS observance of Principle 2 (Governance) has been downgraded from broadly to partly observed. The downgrade primarily reflects urgency of addressing the existing and new recommendations in relation to governance rather than a deterioration in the governance of RITS compared with 2024 assessment. It also reflects a stronger conviction that effective governance is foundational to observance of the PFMI, especially in an increasingly complex risk environment.

Table 1: Ratings of Observance of the Principles^(a)
Principle	Rating
1. Legal basis	Observed
2. Governance	Partly observed (↓)
3. Framework for the comprehensive management of risks	Partly observed
4. Credit risk	Observed
5. Collateral	Observed
7. Liquidity risk	Observed
8. Settlement finality	Observed
9. Money settlements	Observed
13. Participant-default rules and procedures	Observed
15. General business risk	Observed
16. Custody and investment risks	Observed
17. Operational risk	Partly observed
18. Access and participation requirements	Observed
19. Tiered participation requirements	Observed
21. Efficiency and effectiveness	Observed
22. Communication procedures and standards	Observed
23. Disclosure of rules, key procedures, and market data	Observed
(a) Principles 6, 10, 11, 14, 20 and 24 are not relevant for payment systems and Principle 12 is not applicable to RITS.

2.3 Recommendations

2.3.1 Previous recommendations – Status update

Previous recommendations for RITS were developed following the October 2022 RBA-wide technology incident that affected services provided by RITS. Most of these recommendations are being addressed through multi-year work programs led by two RBA project departments, the Payments Operations Program and the RBA Future Hub. The Payments Operation Program is primarily focusing on uplifting the RITS operating model, the RBA’s IT controls framework and its knowledge management. The Future Hub is focusing on implementing recommendations relating to people and culture, risk management and governance. Over the assessment period, several of the initiatives have transitioned to business-as-usual.

Table 2: Progress Against Previous Recommendations (Year to March 2026)
Date/Item (Principles)	Recommendation	Status
2023/1 (P2, 17)	Implement a formally documented RITS operating model including a detailed service level agreement, IT service catalogue and resource management.	Implementing Uplift is underway with a targeted completion in H2 2026. Expected Completion: Q4 2026
2023/2 (P17)	Develop and execute a detailed plan (including accountabilities and timeframes) to address identified operational gaps, including business continuity management, service provider management and operational risk management.	Commenced Assessment of service provider and business continuity management has taken place with return to appetite plans underway. The Future Hub has descoped its operational resilience uplift and it has been transferred to the RBA’s Risk and Compliance Department. Expected Completion: TBA
2023/3 (P3, 17)	Develop and execute a detailed plan (including accountabilities and timeframes) to address identified gaps in the RITS risk management framework, policies and procedures.	Implementing New standards for risk and control identification and assessment, issue, action and incident management have been finalised, alongside endorsement of a new risk and control taxonomy and business requirements for upgrading the risk management system. Expected Completion: Q4 2026
2023/4 (P2, 3, 17)	The senior executive accountable for risk should be responsible for implementing and embedding the risk management framework for RITS, including an effective 3LoA model for RITS.	Implementing A revised 3LoA model for the RBA has been introduced. Expected Completion: Q4 2026
2023/5 (P3, 17)	Develop and execute a detailed plan (including accountabilities and timeframes) to address the identified gaps in RITS technology documentation, technology controls and processes to reduce design complexity. Emphasis should be on ensuring RITS has an efficient set of controls that are aligned to processes, risk objectives and are a more effective balance of automated and manual controls.	Commenced Work continues to document and test key controls to the expectations of the new risk and control management standards. Expected Completion: Q4 2027
2023/6 (P17)	Identify, plan for and document a range of severe but plausible disruption scenarios that may impact the RITS ecosystem. This also requires an uplift to operational resilience documentation.	Commenced Documentation has been reviewed by an external organisation. Uplift continues to take place. Expected Completion: Q2 2027
2023/7 (P2)	The relevant departments, Steering Committee and the senior executive accountable for risk should each promptly escalate serious issues of concern relating to the resilience and stability of RITS to the RBA’s Executive Committee. Additionally, a horizon scan for emerging or possible challenges to the resilience of RITS should be a standing agenda item in periodic strategic updates by relevant departments to the Executive Committee.	Commenced Governance implementation plan launched in Q3 2025. Expected Completion: Q4 2026
2023/8 (P2,3)^(a)	Governance and reporting arrangements across relevant governance structures, including the Governance Board, the Audit and Risk Committee, Executive Committee, Risk Management Committee, Investment Committee and Technology Committee should be updated to ensure that mechanisms in place facilitate timely, accurate and transparent provision of information on RITS-related risks.	Commenced Governance implementation plan launched in Q3 2025. Expected Completion: Q4 2026
2022/1 (P17)	The RBA should complete the program of work to implement revised metrics to measure the operational resilience and stability of IT systems supporting RITS.	Implementing Service level agreements and key performance indicators have been introduced with progressive rollout of reporting and calibration occurring in 2026. Expected Completion: Q4 2026
(a) This recommendation has been revised since the 2024 RITS Assessment to reflect recent changes in governance structures.

2.3.2 Areas of oversight focus

The RBA’s Payments Policy Department has identified four areas of potential heightened risk for RITS over the coming years: change management; governance of RITS; RITS modernisation; and cyber resilience. These will be monitored as areas of oversight focus.

Change management

This was identified as an area of oversight focus in the 2024 Assessment. The current assessment has found that the scale and breadth of concurrent change initiatives across the RBA, including those affecting RITS, remains significant. This environment contributes to resource contention and heightened change‑management risk for RITS. Departments that support RITS face ongoing challenges in absorbing uplifts while maintaining operational stability, and evidence from the assessment period indicates that effective prioritisation and coordination were difficult to consistently achieve in practice. Accordingly, change management will continue to be an area of oversight focus for 2026, given the scale, pace and interdependencies of initiatives affecting the RITS ecosystem.

Area of oversight focus. Payments Policy Department will continue to monitor the impact and management of emerging risks associated with multiple long-term, inflight change programs, including initiatives to prioritise, coordinate and manage resources across multiple, interrelated projects, and capacity to absorb new processes and ways of working.

Governance of RITS

In response to external and internal reviews, the RBA has progressed a series of uplifts to its governance structure over the assessment period. These changes include the establishment of the Governance Board and enhanced internal governance arrangements. While evidence from the assessment period indicates that these structural governance changes should set the RBA up well in the years ahead, some of these initiatives are still being embedded, while RITS-specific governance arrangements could be further enhanced to support its observance of all the PFMI.

Area of oversight focus. Payments Policy Department will monitor the implementation of internal governance initiatives to ensure that they support the reduction of risk to RITS by promoting forward-looking risk management, escalation and decision-making processes, and enhancing the flow of timely information to the Governance Board.

RITS modernisation

The RBA is developing a plan to set strategic foundations for the modernisation of RITS, aimed at addressing increasing system complexity, reducing risks associated with legacy infrastructure and improving the RBA’s ability to support private-sector payments innovation. This will be a multi-year program, with the Governance Board responsible for oversight of the program.

Area of oversight focus. Payments Policy Department will monitor the planning and preparation activities undertaken by the RBA with regards to modernising RITS operations, with a focus on the mitigation of existing and emerging risks and effective engagement with stakeholders across the payments ecosystem.

Cyber threat landscape

Cyber threats represent a significant and growing risk to the reliable and efficient operation of FMIs, including RITS. The cyber environment is constantly evolving and has the potential to disrupt and undermine confidence in the payment system and lead to broader instability in the financial system. The cyber threat landscape was also an area of oversight in the 2024 Assessment.

Area of oversight focus. Payments Policy Department will continue to monitor developments designed to ensure that RITS remains resilient in the face of evolving cyber-security threats. This includes assessing progress in enhancing RITS cyber defences and its ability to recover from cyber-attacks in a timely manner.

Previous areas of oversight focus

FSS readiness for BECS migration

At the time of the 2024 Assessment, industry plans to decommission the Bulk Electronic Clearing System (BECS) by June 2030 raised concerns regarding the scalability and resilience of the FSS under a significantly larger volume of transactions. In December 2025, the target end date of June 2030 was removed pending development of a clear roadmap for the future of A2A payments in Australia, reducing the risk of a disorderly transition. Overall, the RBA welcomes the revised approach to transitioning account-to-account (A2A) payments away from BECS. Payments Settlements Department, responsible for operating RITS and the FSS, is represented on the A2A Roundtable and has maintained momentum in its A2A workstreams despite changing industry timelines. Given the extended timeframe now available to ensure a coordinated transition across the A2A ecosystem, FSS readiness for the BECS migration will not remain an area of oversight focus for the next assessment period.

Endnotes

RBA (2025), ‘Governance Board Charter’, March.[1]

RBA (2025), ‘Memorandum of Understanding among the Monetary Policy Board, Payments System Board, Governance Board and Executive’, May. [2]

See RBA (2019), ‘Policy Statement on the Supervision and Oversight of Systemically Important Payment Systems’, June. [3]

RBA (2024), ‘Assessment of Reserve Bank Information and Transfer System’, June. [4]

RBA (2023), ‘Targeted Assessment of the Reserve Bank Information and Transfer System’, May. [5]