2020 Assessment of the Reserve Bank Information and Transfer System 2. Summary and Review of Ratings and Recommendations

RITS is Australia's high-value payments system, which is used by banks and other approved institutions to settle their payment obligations on a real-time gross settlement (RTGS) basis.[4] RITS is owned and operated by the Reserve Bank. The Bank seeks to ensure effective oversight of RITS by separating its operational and oversight functions, as well as by producing transparent assessments against international standards. This Assessment has been produced by the Bank's Payments Policy Department, which is the functional area responsible for oversight of the Australian payments system. In undertaking the Assessment, Payments Policy Staff worked closely with and drew on information provided by Payments Settlements Department, the functional area responsible for operating RITS. Staff also sought feedback from other departments within the Bank, including those responsible for providing technology services for RITS (see section A.3 for further background on the governance and oversight of RITS). This report has been approved by the Payments System Board.

This Assessment focuses on the critical services provided by the Bank as operator of RITS; in particular, RITS's role as a wholesale RTGS system, as it is this role that makes RITS a systemically important payment system.[5] Currently, the Bank considers that RITS is the only domestic systemically important payment system for which an assessment against international principles is necessary.[6] This view reflects the fact that RITS:

  • processes an aggregate value of Australian dollar payments that is high relative to other payment systems
  • mainly handles time-critical, high-value payments
  • is used to effect settlement of payment instructions arising in other systemically important financial market infrastructures.

The Fast Settlement Service (FSS), which settles transactions submitted via the New Payments Platform (NPP) feeder system, is also established under the RITS Regulations. However, the focus on the FSS for this assessment is limited to its interaction with the core (wholesale) RITS system.[7] A similar approach is taken with the role RITS plays in the settlement of interbank payment obligations arising from net settlement systems, for example, those relating to cheque, direct entry and card transactions arising from the Low Value Settlement Service (LVSS).[8]

This section summarises steps taken since the publication of the 2019 Assessment in relation to the recommendations and areas of oversight focus identified in that assessment. It also summarises the ratings and recommendations arising from the current Assessment.

2.1 Progress against 2019 Recommendations

In the 2019 Assessment, RITS was found to observe all of the relevant Principles other than Principle 17 (Operational risk), which it was found to broadly observe (Table 2).[9]

In that assessment, Payments Policy Department identified the following recommendations in order for RITS to observe Principle 17 on Operational Risk.

  • The Bank should implement planned actions that support the ability of RITS to recover the operations of critical IT systems within two hours of a disruption, including changes that support the automated failover of the RITS database in contingency scenarios affecting the primary site and improve the resilience of the FSS automatic failover process and systems.
  • The Bank should carry out a contingency test that assumes FSS does not failover automatically in a site outage to validate that its business continuity plan supports the recovery of RITS within two hours of a disruption in these circumstances.
  • The Bank should document its process for determining whether RITS or FSS should be prioritised for restoration in circumstances where there is a potential resource conflict.

The Bank fully addressed the second and third of these recommendations and addressed most elements of the first recommendation during the assessment period. The remaining action to fully address the first recommendation is the implementation of a change that supports the automated failover of the RITS database in contingency scenarios affecting the primary site, which was completed in June.[10] For further details on the Bank's implementation of these recommendations, see section 3.1.2.

2.2 Developments in 2019 Areas of Oversight Focus

The 2019 Assessment also noted that Payments Policy Department would monitor progress in one area of oversight focus, related to work to ensure that RITS remains resilient in the face of evolving cyber-security threats. Table 1 summarises this area of focus and progress made during the assessment period.

Table 1: Summary of Developments in Areas of Oversight Focus
Area of focus Developments
Progress in the continued exploration of current and emerging technology that could enable further enhancements to the ability to recover RITS from cyber attacks in a timely manner. The Bank is exploring a number of options that could enhance its ability to recover from a cyber disruption. This includes improvements to defences against a disruption and enhancements to monitoring and incident remediation. The Bank will also explore the capability to settle certain transactions outside of the core system and conduct some limited testing of new technology via the Bank's innovation lab. This work is expected to continue into the next assessment period.

2.3 2020 Ratings, Recommendations and Areas of Oversight Focus

As of the end of March 2020, RITS was found to observe all of the relevant Principles other than Principle 17 (Operational risk), which it was found to broadly observe. To observe Principle 17 (Operational Risk), Payments Policy Department recommends that the Bank complete implementation of initiatives to support the continued operational stability of RITS as part of its Technology Stability Improvement Program.

In addition, as part of its ongoing oversight process Payments Policy Department will:

  • continue to follow up on developments in the work to ensure that RITS remains resilient in the face of evolving cyber security threats. In particular, Payments Policy Department will monitor progress in the exploration of enhancements to the ability to recover RITS from cyber attacks in a timely manner
  • monitor the ongoing response of the Bank to the COVID-19 pandemic.
Table 2: Ratings of Observance of the Principles(a)
Principle Rating
1. Legal basis
2. Governance
3. Comprehensive framework for the management of risks
4. Credit risk
5. Collateral
7. Liquidity risk
8. Settlement finality
9. Money settlements
13. Participant-default rules and procedures
15. General business risk
16. Custody and investment risks
18. Access and participation requirements
19. Tiered participation requirements
21. Efficiency and effectiveness
22. Communication procedures and standards
23. Disclosure of rules, key procedures, and market data 		Observed
17. Operational risk Broadly observed
12. Exchange-of-value settlement systems Not applicable

(a) Principles 6, 10, 11, 14, 20 and 24 are not relevant for payment systems.

Footnotes

This means that individual payments are processed and settled continuously and irrevocably in real time. [4]

‘RITS’ is used in this report to refer to the Bank as operator of RITS, as well as referring to the system itself. [5]

The Bank's Policy Statement on the Supervision and Oversight of Systemically Important Payment Systems is available at <https://www.rba.gov.au/payments-and-infrastructure/financial-market-infrastructure/principles/implementation-of-principles.html>. [6]

The NPP and FSS are not currently being used in ways that would trigger assessment against the Principles, based on the criteria for systemic importance listed in the Policy Statement. [7]

Further information on net settlement systems linked to RITS is provided in section A.5 of Appendix A. [8]

In its assessment, Payments Policy Department has applied the approach and rating system set out in the Disclosure Framework. ‘Observed’ is the highest rating within this framework and is applied when Payments Policy Department assesses that ‘(An) FMI observes the principle. Any identified gaps and shortcomings are not issues of concern and are minor, manageable and of a nature that the FMI could consider taking them up in the normal course of its business.’ The full rating scale is set out in Appendix B. A rating of ‘broadly observed’ is applied when Payments Policy Department assesses that ‘(An) FMI broadly observes the principle. The assessment has identified one or more issues of concern that the FMI should address and follow up in a defined timeline.’ [9]

This action will automate one element of RITS' recovery process under specific scenarios but does not materially affect the ability to recover RITS within the two hour target. [10]