2022 Assessment of the Reserve Bank Information and Transfer System 2. Summary and Review of Ratings and Recommendations
- Download the complete Document 888KB
RITS is Australia's high-value payments system. It is used by banks and other approved institutions to settle their payment obligations on a real-time gross settlement (RTGS) basis. RITS is owned and operated by the Reserve Bank of Australia (the Bank). The Bank seeks to ensure effective oversight of RITS by separating its operational and oversight functions, as well as by producing transparent assessments against international standards.
The Bank's Payments Policy Department – the functional area responsible for oversight of the Australian payments system – has produced this Assessment. In undertaking their assessment, Payments Policy staff worked closely with, and drew on information provided by, Payments Settlements Department – the functional area responsible for operating RITS. Payments Policy staff also sought feedback from other departments within the Bank, including those responsible for providing technology services for RITS (see Appendix A for further background on the governance and oversight of RITS). This report has been approved by the Payments System Board.
This Assessment focuses on the critical services provided by the Bank as operator of RITS, in particular the role of RITS as a wholesale RTGS system, as it is this role that makes RITS a systemically important payment system.[3] Currently, RITS is the only domestic systemically important payment system for which an assessment against international principles is necessary. This view reflects the fact that RITS:
- processes an aggregate value of Australian dollar payments that is high relative to other payment systems
- mainly handles time-critical and high-value payments
- is used to effect settlement of payment instructions arising in other systemically important financial market infrastructures.
The Fast Settlement Service (FSS), which settles transactions submitted via the New Payments Platform (NPP) feeder system, is also established under the RITS Regulations. However, focus on the FSS for the purposes of this Assessment is limited to its interaction with the core (wholesale) RITS system.[4] A similar approach is taken with the role RITS plays in the settlement of interbank payment obligations arising from net settlement systems, for example, those relating to cheque, direct entry and card transactions arising from the Low Value Settlement Service (LVSS).
2.1 Progress against 2021 Recommendations
The 2021 Assessment concluded that RITS observed all relevant Principles, except for Principle 13 (Participant-default rules and procedures) and Principle 17 (Operational risk) which were broadly observed. In order to to fully observe these principles, Payments Policy Department recommended the Bank:
- formally document its decision-making and crisis-management arrangements in the event of a RITS member default
- complete the implementation of all initiatives related to the Bank's Technology Stability Improvement Program (TSIP)
- fully implement proposals to improve oversight of key maintenance activities conducted by external contractors on the Bank's critical infrastructure.
The Bank has fully addressed the recommendation relating to Principle 13. In March 2022 the Bank's Executive Committee approved the RITS Suspension and Termination Decision-Making Framework. The framework documents the Bank's high-level arrangements for decision-making and crisis-management in the event of a RITS member default (see 3.2 below).
During the assessment period the Bank formally closed the TSIP, although work to progress several initiatives emanating from the TSIP continued after the program's closure. The program's initiatives relevant to the continued operational stability of RITS have now been largely implemented. Further work is underway to measure the effectiveness of the TSIP intiatives on the operational resilience of RITS (see 3.1.2 below).
In the year to March 2022, the Bank also rolled out improved oversight of key maintenance activities conducted by external contractors. This included implementing enhanced contractor induction arrangements, improved oversight of compliance with procedures by contractors and new service delivery arrangements for the Bank's facilities (see 3.1.5 below).
2.2 Developments in 2021 Areas of Oversight Focus
The 2021 Assessment noted that Payments Policy Department would monitor progress in two areas of oversight focus over the year to March 2022. The first was monitoring developments to maintain resilience of RITS in the face of evolving cyber security threats. The second was to monitor the impact of planned upgrades to the Bank's physical infrastructure on the operational stability and resilience of RITS. Table 1 summarises these areas of focus and the progress made during the assessment period.
| Area of focus | Key developments |
|---|---|
| Developments to maintain resilience of RITS in the face of evolving cyber-security threats | The Bank completed a project to establish a third-site data bunker for storing data from the Bank's most critical systems, including RITS and the FSS. The Bank also developed enhanced security standards for RITS members. The new standards are intended to support members in maintaining best practice security arrangements, enhancing the effective management and control of RITS-related cyber risks. |
| Impact of planned upgrades to the Bank's physical infrastructure on the operational stability and resilience of RITS | The Bank completed the Data Centre Improvement Program (DCIP) which was established to improve the operational resilience of the Bank's data centres and address potential capacity constraints over the longer term. Work on the Bank's project to upgrade its head office building commenced. Scheduled for completion in 2024, this upgrade will support the long-term resilience of RITS, although it creates some operational risks while the work is underway. |
2.3 2022 Ratings, Recommendations and Areas of Oversight Focus
As at end March 2022, RITS was found to observe all relevant Principles except for Principle 17 (Operational risk), which it broadly observed. To observe Principle 17, Payments Policy Department recommends that the Bank complete the program of work to implement revised metrics to measure the operational resilience and stability of IT systems supporting RITS.
Over the year to March 2023, areas of particular interest for Payments Policy Department in its oversight of RITS will include:
- developments designed to ensure that RITS remains resilient in the face of evolving cyber-security threats. Specifically, Payments Policy Department will monitor if and how the data bunker is used in recovery, as well as progress on the continued exploration of enhancements to the ability to limit exposure to cyber risk and recover RITS from extreme cyber-attacks in a timely manner.
- the impact of staff resourcing challenges on RITS and how operational risks associated with higher staff turnover and difficulty in recruiting staff with the appropriate skills are identified and mitigated.
- the impact of planned upgrades to the Bank's physical infrastructure on the operational stability and resilience of RITS, including how any potential risks associated with the changes are being mitigated.
| Principle | Rating |
|---|---|
| 1. Legal basis | Observed |
| 2. Governance | |
| 3. Comprehensive framework for the management of risks | |
| 4. Credit risk | |
| 5. Collateral | |
| 7. Liquidity risk | |
| 8. Settlement finality | |
| 9. Money settlements | |
| 13. Participant-default rules and procedures | |
| 15. General business risk | |
| 16. Custody and investment risks | |
| 18. Access and participation requirements | |
| 19. Tiered participation requirements | |
| 21. Efficiency and effectiveness | |
| 22. Communication procedures and standards | |
| 23. Disclosure of rules, key procedures, and market data | |
| 17. Operational risk | Broadly observed |
| 12. Exchange-of-value settlement systems | Not applicable |
|
(a) Principles 6, 10, 11, 14, 20 and 24 are not relevant for payment systems. |
|
Endnotes
The Bank's Policy Statement on the Supervision and Oversight of Systemically Important Payment Systems is available at <https://www.rba.gov.au/payments-and-infrastructure/financial-market-infrastructure/principles/implementation-of-principles.html>. [3]
The NPP and FSS are not currently being used in ways that would trigger assessment against the Principles, based on the criteria for systemic importance set out in the Policy Statement. [4]