2014/15 Assessment of ASX Clearing and Settlement Facilities A2.2 Austraclear

Austraclear is a wholly owned subsidiary of ASX Settlement Corporation Limited, itself a wholly owned subsidiary of ASX Limited (see ‘ASX Group Structure’ in Appendix A). It is a securities settlement facility (SSF) that provides settlement and depository services for debt securities, and settlement services for derivatives traded on the ASX 24 market and for margin payments in ASX Clear and ASX Clear (Futures).

Standard 1: Legal basis

A securities settlement facility should have a well-founded, clear, transparent and enforceable legal basis for each material aspect of its activities in all relevant jurisdictions.

Rating: Observed

Austraclear is a separate legal entity within the ASX Group that solely provides settlement and related depository services (SSF Standard 1.1). Austraclear's legal basis is founded on clear and understandable rules that operate within the framework of relevant laws and regulations (SSF Standards 1.2, 1.3). The certainty of this legal basis in relevant jurisdictions is reinforced by supporting legislation, including Austraclear's protection as a real-time gross settlement (RTGS) system under the Payment Systems and Netting Act 1998 (PSNA), and is subject to periodic review by ASX Legal (SSF Standards 1.2, 1.5). Austraclear has publicly outlined the key features of its legal basis on its website, and from time to time, for information, may provide legal opinions to participants or other stakeholders in respect of the legal basis of significant new services (SSF Standard 1.4). ASX has not identified any material risks arising from potential conflicts of law relating to the operations of Austraclear (SSF Standard 1.6).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 1 during the 2014/15 Assessment period. The legal basis of Austraclear is described in further detail under the following sub-standards.

1.1 A securities settlement facility should be a legal entity which is separate from other entities that may expose it to risks unrelated to those arising from its function as a securities settlement facility.

Austraclear is a wholly owned subsidiary of ASX Settlement Corporation Limited, which is itself a wholly owned subsidiary of ASX Limited. As a separate legal entity, Austraclear's securities settlement activities are separate from the activities conducted by ASX's other clearing and settlement (CS) facilities and the rest of the ASX Group, notwithstanding the sharing of operational resources across multiple entities within the group.

Austraclear provides settlement services and related depository services for debt securities, and settlement services for derivatives traded on the ASX 24 market and for margin payments in ASX Clear and ASX Clear (Futures), in accordance with the Austraclear Regulations and Procedures. ASX Collateral Management Services Pty Limited (ASX Collateral), a related legal entity within the ASX Group and a wholly owned subsidiary of ASX Operations Pty Limited, acts as a Special Purpose Participant in Austraclear. ASX Collateral operates a centralised collateral management service (CCMS) under which exchange of title to debt securities occurs in Austraclear.

In July 2014, Austraclear expanded the range of its services through the launch of a settlement service for foreign currency payments, initially covering payments denominated in Chinese renminbi (RMB) (see SSF Standard 8). The foreign currency settlement service is designed to operate independently from Austraclear's Australian dollar services. Austraclear's ancillary services do not have a distinct profile from, or pose additional risks to, its activity of operating an SSF.

1.2 The legal basis should provide a high degree of certainty for each material aspect of a securities settlement facility's activities in all relevant jurisdictions.

Legal basis

Austraclear's settlement arrangements for transactions entered into by its participants require a high degree of legal certainty. Key components of the legal framework under which the SSF operates are:

• Austraclear holds a CS facility licence, under Part 7.3 of the Corporations Act 2001. This licence is administered by the Australian Securities and Investments Commission (ASIC) in consultation with the Bank, with the Minister acting as ultimate decision-maker on licensing matters.
• Austraclear has defined Regulations and Procedures. Under section 822B of the Corporations Act, these Regulations and Procedures have effect as a contract under seal between: Austraclear and each of its participants; each participant and each other participant; and each participant. The Regulations and Procedures set out the rights and obligations of participants and Austraclear, including in the event of default or suspension.
• The finality of settlements undertaken by Austraclear is protected by its approval, and the approval of the Reserve Bank Information and Transfer System (RITS), as an RTGS system under Part 2 of the PSNA (see SSF Standard 1.5).

The legal basis of Austraclear's activities is reviewed by ASX Legal whenever there are material amendments to the Regulations or Procedures. Three such reviews occurred for Austraclear during the Assessment period.

The legal basis for the operation of the CCMS in Austraclear and the status of ASX Collateral as a Special Purpose Participant is set out in the Austraclear Regulations. Legal arrangements between ASX Collateral and customers of the CCMS (which must be Full Participants) are set out in standard-form Collateral Management Service Agreements. The standard form Service Agreements specify the nature of services that the Collateral Manager provides to users. These agreements are between ASX Collateral and users of the collateral service; Austraclear is not a party to these contracts.

The Austraclear Regulations provide for settlement instructions to be submitted to Austraclear by a Collateral Manager admitted as a Special Purpose Participant and acting as agent for its customers, which must be admitted as Full Participants.

Rights and interests

The rights and interests of Austraclear, its participants and, where relevant, its participants' customers in securities deposited with Austraclear are defined in Austraclear's Regulations and Procedures (see SSF Standard 9).

1.3 A securities settlement facility should have rules, procedures and contracts that are clear, understandable and consistent with relevant laws and regulations.

Section 822A of the Corporations Act establishes a framework to prescribe the matters that must be dealt with in the Regulations and those that may instead be considered under the Procedures. Rule changes are subject to a Ministerial disallowance process.

Austraclear's Regulations and Procedures are published on the ASX public website and the ASX restricted participant website, and are supplemented with explanatory material, to support participants' (and prospective participants') understanding of the risks they face through participation in the system. In addition to the Regulations and Procedures, publicly available material includes high-level descriptions of Austraclear's operations and settlement process, the Austraclear system (including test system), business continuity arrangements, classes of Austraclear participant, technical documentation, and fees and charges.

There is a clear process for changing Austraclear's Regulations and Procedures. Proposed rule changes may be submitted informally to ASIC. In consultation with the Bank, ASIC will consider the changes and advise ASX of any regulatory concerns. Once such concerns are satisfactorily addressed, ASIC will invite formal submission of the proposed changes, which triggers a 28-day ‘disallowance’ period (referred to above), during which the Minister may choose to disallow the changes. The Minister considers a number of factors, including whether the proposed changes are consistent with the public interest. To assist the Minister in this process, ASIC provides detailed advice to the Minister, incorporating the views of the Bank as appropriate. If changes to the Regulations are not disallowed by the Minister, they are notified to participants via the ASX website.

1.4 A securities settlement facility should be able to articulate the legal basis for its activities to the Reserve Bank and other relevant authorities, participants and, where relevant, participants' customers, in a clear and understandable way.

The legal basis for the activities of Austraclear and the facility's protection as an approved RTGS system under the PSNA (see also SSF Standard 1.5) are described on the ASX public website in its Disclosure Framework document, which sets out in detail how each CS facility meets the requirements of each Principle within the Principles for Financial Market Infrastructures developed by the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) (see SSF Standard 18.4).^[1]

On behalf of each licensed entity within the ASX Group, including all CS facilities, ASX Limited submits an Annual Group Licence Report to ASIC and the Bank. This report sets out the legal basis for the CS facilities' activities under their licence obligations, and is used by ASIC in the preparation of ASIC's Market Assessment Report for the ASX Group.

Austraclear may seek independent legal opinions on relevant legal matters relating to significant new services, including any implications that their introduction may have for the legal basis of existing functionality. These opinions may, in some circumstances, be shared with participants or other stakeholders for their information, particularly to demonstrate that new Regulations will have the intended legal effect. For example, in assessing the legal basis of its foreign currency settlement service ASX sought external legal advice regarding the extension of finality protections under Part 2 of the PSNA to transactions settled under the new service.

1.5 A securities settlement facility should have rules, procedures and contracts that are enforceable in all relevant jurisdictions. There should be a high degree of certainty that actions taken by the securities settlement facility under such rules and procedures will not be voided, reversed or subject to stays, including in the event that the securities settlement facility enters into external administration or that one or more of its participants or a settlement bank defaults or is suspended.

Settlement finality

The finality of Austraclear's settlement process is protected by:

• its approval as an RTGS system under Part 2 of the PSNA. This approval protects the finality of payments or securities settlements made through Austraclear in the event of a participant entering external administration (see SSF Standard 7.1)
• the approval of RITS as an RTGS system under Part 2 of the PSNA (see SSF Standard 8). This approval protects payments between participants that are ‘Participating Banks’ from being voided in the case of a Participating Bank entering external administration.

Enforceability of rules under external administration

ASX Legal has analysed the legal enforceability of Austraclear's Regulations upon the SSF's entry into external administration and has identified no material legal risk to enforceability.

1.6 A securities settlement facility conducting business in multiple jurisdictions should identify and mitigate the risks arising from any potential conflicts of law across jurisdictions. A securities settlement facility should provide the Reserve Bank with a legal opinion that demonstrates the enforceability of its rules and addresses relevant conflicts of law across the jurisdictions in which it operates. This should be reviewed on a periodic basis or when material changes occur that may have an impact on the opinion, and updated where appropriate.

Although Austraclear's operations are based in Australia, participants of Austraclear include subsidiaries and branches of entities that are based in foreign countries. Austraclear's Regulations are governed by Australian law and require that all of its participants submit to the exclusive jurisdiction of New South Wales courts. ASX Legal's analysis of potential conflicts of law across jurisdictions has identified no material legal risks.

Standard 2: Governance

A securities settlement facility should have governance arrangements that are clear and transparent, promote the safety of the securities settlement facility, and support the stability of the broader financial system, other relevant public interest considerations and the objectives of relevant stakeholders.

Rating: Observed

Austraclear pursues objectives that place a high priority on risk management, through compliance with relevant Financial Stability Standards (FSS) and the broader Corporations Act requirement to do all other things necessary to reduce systemic risk. Austraclear also acknowledges public policy objectives directed at financial market and payments system integrity, as well as the interests of customers and other stakeholders (SSF Standard 2.1). Austraclear's governance arrangements are documented and publicly disclosed. These arrangements give ultimate responsibility for the oversight of operations and risk management of Austraclear to the ASX Limited Board and the Austraclear Board (see ‘ASX Group Structure’ in Appendix A). Board and committee charters document Board roles and lines of responsibility and accountability (SSF Standards 2.2, 2.3). The performance of each relevant Board is reviewed at least annually for both individual directors and the Board as a whole. The relevant Boards each include a majority of independent non-executive directors and the Austraclear Board includes directors appointed for their expertise in clearing and settlement matters (SSF Standard 2.4). Board remuneration is designed to attract and retain appropriately skilled and qualified directors.

The reporting lines of management are set out in the CS Boards' Charter, along with roles and responsibilities of key management personnel. Remuneration of senior management in risk management roles is structured to provide appropriate incentives for sound and effective risk management (SSF Standard 2.5). ASX maintains a clear and documented risk management framework subject to regular internal and external review (SSF Standard 2.6). Key processes and internal controls are subject to review by ASX's Internal Audit unit, which is itself subject to periodic external review (SSF Standard 2.7). ASX utilises formal and informal consultation processes to ensure that the design and decisions of Austraclear reflect the interests of participants and other stakeholders. Austraclear has also established an Advisory Committee that provides a standing forum for user feedback on the design and ongoing development of services (SSF Standard 2.8). ASX has conflict-handling procedures in place to address potential conflicts of interest that may arise by virtue of its group structure. These require that staff and directors act in the best interests of each facility as appropriate. The composition of the CS Boards supports the effective handling of any conflicts that might arise (SSF Standard 2.9).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 2 during the 2014/15 Assessment period. Austraclear's governance arrangements are described in further detail under the following sub-standards.

2.1 A securities settlement facility should have objectives that place a high priority on the safety of the securities settlement facility and explicitly support the stability of the financial system and other relevant public interest considerations.

The high-level objectives of Austraclear are set out in the CS Boards' Charter, which is available on the ASX public website. The objectives prioritise on the Boards' responsibilities in the area of risk management and, in particular, Austraclear's responsibility for complying with relevant FSS.

Austraclear's objectives recognise the public interest. These objectives are reflected in the ASX Limited Board Charter, which provides that the Board has a responsibility to oversee the conduct of the affairs of the ASX Group consistent with licence obligations, as well as public policy objectives directed at financial market and payments system integrity. The CS Boards' Charter also specifically acknowledges the Board's public interest responsibilities, as well as its obligations under Part 7.3 of the Corporations Act. These include that Austraclear, to the extent that it is reasonably practicable to do so, comply with relevant FSS and do all other things necessary to reduce systemic risk arising from its services, and that it provide its services in a fair and effective way.

To support the interests of its customers, ASX has developed a Customer Charter, which is referenced in the CS Boards' Charter. The Customer Charter commits that ASX: work with its customers to deliver products and services that meet their needs and provide them with choice; make its products and services available on a non-discriminatory basis and on reasonable commercial terms; and manage its businesses and operations on a commercial basis to benefit its customers and provide appropriate returns to ASX shareholders. The Customer Charter recognises ASX's role as a provider of critical infrastructure to the Australian financial markets and commits to make the necessary investments to ensure it can fulfil this role and provide confidence to market participants, investors and regulators.

Austraclear's governance arrangements allow for appropriate consideration of stakeholder views. When considering major operational or risk management changes, or new services, ASX uses stakeholder forums, and formal and informal consultation processes to communicate proposed changes to relevant stakeholders (see SSF Standard 2.8). Consultations and responses to consultations are made available on the ASX public website. In addition, the ASX Group has disclosure obligations under the Corporations Act and Listing Rules which it manages in accordance with those laws and rules.

2.2 A securities settlement facility should have documented governance arrangements that provide clear and direct lines of responsibility and accountability. These arrangements should be disclosed to owners, the Reserve Bank and other relevant authorities, participants and, at a more general level, the public.

The governance arrangements of Austraclear are documented on its public website. This documentation includes the Charters of the ASX Limited Board, the CS Boards (which include the Austraclear Board), and other subsidiary boards and committees. The charter documents provide information about the role and composition of the CS Boards and Board committees. The CS Boards are responsible for the oversight and risk management of the ASX CS facilities (see SSF Standard 2.3). The board committees advise the ASX Limited Board on a number of matters:

• The Audit and Risk Committee is responsible for the oversight of ASX Group enterprise-wide risk. The Committee monitors ASX's financial management, internal controls, legal compliance and audit function, and assists the CS Boards in fulfilling their responsibility for the oversight of risk management of the ASX CS facilities.
• The Remuneration Committee oversees the remuneration and incentive framework for the Managing Director and Chief Executive Officer (CEO), non-executive directors, senior executives, and ASX staff more generally (see CCP Standard 2.5).
• The Nomination Committee is responsible for reviewing matters relating to board composition and performance, succession planning, and training for non-executive board members (see CCP Standard 2.4).

The charter documents also provide information about the key senior managers of the settlement facilities; namely the Managing Director and CEO, and the Group Executive, Operations (GE, Operations). Profiles of CS facility directors are also publicly available online. Key governance policies and charters are reviewed regularly by the relevant boards and committees.

The ASX Limited Annual Report provides information about ASX Group's risk management arrangements, including the role of boards, key committees, key subsidiary boards (e.g. ASX Compliance) and the roles of senior group executives who report directly to the Managing Director and CEO. Explanatory documentation on the website also describes: the FSS and CPMI-IOSCO Principles; group and business structure, including an organisational chart showing senior Group Executives; and risk management policies (in summary form). ASX's response to the CPMI-IOSCO Disclosure Framework also summarises key governance and risk management arrangements (see SSF Standard 18.4).

Under the Corporations Act, ASX must notify ASIC as soon as practicable after a person becomes or ceases to become a director, secretary or senior manager of Austraclear, including when a person changes from one of those positions to another. Changes to these positions and senior risk management personnel are also notified to the Bank.

2.3 The roles and responsibilities of a securities settlement facility's board of directors (or equivalent) should be clearly specified, and there should be documented procedures for its functioning, including procedures to identify, address and manage member conflicts of interest. The board should regularly review both its overall performance and the performance of its individual board members.

Ultimate responsibility for the oversight of risks faced by Austraclear lies with the ASX Limited Board and the Austraclear Board. The ASX Limited Board is accountable for the overall management of the ASX Group. Its responsibilities include:

• reviewing the Group's corporate strategy and approving major initiatives
• overseeing and monitoring the Group's performance consistent with its strategic goals, licence obligations and public policy objectives
• reviewing and approving financial plans, and monitoring financial performance
• appointing and assessing the performance of the Managing Director and CEO
• overseeing the risk management, internal control, and compliance functions, including oversight of ASX's enterprise risk management policy
• ensuring that appropriate mechanisms are in place for identifying, controlling, monitoring and reporting significant risks
• reporting to, and communicating with, shareholders.

The ASX Limited Board Charter delegates certain responsibilities to the Austraclear Board, including the review and oversight of Austraclear's settlement-related risk, and its compliance with the FSS. The CS Boards' Charter elaborates on the roles and responsibilities of the Austraclear Board. The CS Boards' Charter places requirements on the structure of the CS Boards, including that the majority of directors and the Chair be independent. The Austraclear Board meets regularly (five times in the Assessment period) and receives detailed reports on Austraclear's business and operations, risk management and financial performance.

Board performance is dealt with periodically in private session by the relevant boards. The process may be facilitated by external independent consultants. A number of tools are used, which may include private session review, skills matrices and surveys, and externally facilitated group discussions. Details of Board performance reviews are set out in the ASX Limited Annual Report (the same process applies for the key subsidiary boards).

The CS Boards' Charter sets out how the Boards address directors' interests and potential conflicts. Directors of the CS Boards must disclose all material personal interests (such as shareholdings, directorships and consultancy arrangements) which may potentially conflict with their duties. If there is a change in a director's material personal interests, the director must notify that change at the next meeting of the CS Boards. If there is a real possibility of a material conflict of interest and duty on a matter being voted on at a meeting of the CS Boards, the director must not be present for the discussion or vote related to that matter.

2.4 The board should comprise suitable members with the appropriate skills and incentives to fulfil its multiple roles. This typically requires the inclusion of non-executive board member(s).

At the end of the Assessment period, the ASX Limited Board had ten members, comprising the ASX CEO and nine independent, non-executive directors. As set out in the CS Boards' Charter, the CS Boards, in consultation with the Nomination Committee and the ASX Limited Board, determine the composition of the CS Boards, with directors selected based on relevant skills and expertise. At the end of the Assessment period, the Austraclear Board comprised one executive director (the ASX CEO) and six non-executive directors. Two new directors were appointed during the Assessment period. Three of the non-executive directors, including the Chair, are also members of the ASX Limited Board, while the remaining three are external directors appointed for their expertise in clearing and settlement operational and risk management matters. This ensures that directors have the capacity to conduct informed independent review of relevant issues. The ASX Clear (Futures) and Austraclear Boards share common directors, but two of these directors do not serve on the ASX Clear or ASX Settlement Boards. This difference between the CS Boards is primarily for business reasons, but also supports ASX's conflict-handling arrangements (see SSF Standard 2.9).

The CS Boards' Charter sets out the ASX policy that the majority of directors on each of its CS Boards must be independent. The Board Policy and Guideline to Relationships Affecting Independent Status is available on the ASX website. The independence of directors is assessed according to this policy, which is aligned to the ASX Corporate Governance Council's Corporate Governance Principles and Recommendations for listed companies. The policy requires, for example, that each independent director be free of business or other relationships that could interfere with the independent exercise of the director's judgement. Specifically considered is whether the director is a substantial shareholder of ASX, as well as whether in the last three years the director was previously employed by ASX or was an adviser to ASX. The biographies of the directors, which show their relationship with other ASX Group companies, are set out on the ASX website.

Selection, succession planning and training for board members are dealt with in private session by the Nomination Committee and Boards at appropriate intervals. New directors receive a comprehensive induction from Board and Nomination Committee members, as well as senior managers and other key staff. Directors' fees at both ASX Limited and Austraclear are considered at regular intervals by the ASX Limited Remuneration Committee, to ensure that it has in place a fee scale that enables ASX to attract and retain appropriately skilled and qualified non-executive directors and recognises the workload and level of skill and expertise that a director must have to effectively meet their responsibilities. Remuneration of directors is determined in private session by the ASX Limited Board on the recommendation of the Remuneration Committee. Non-executive directors' fees are broadly aligned to the top quartile of the marketplace. In conducting a review, the Board may take advice from an external remuneration consultant. The process involves benchmarking against a group of peer companies. The last fee review took place in June 2015.

2.5 The roles and responsibilities of management should be clearly specified. A securities settlement facility's management should have the appropriate experience, mix of skills and integrity necessary to effectively discharge its responsibilities for the operation and risk management of the securities settlement facility. Compensation arrangements should be structured in such a way as to promote the soundness and effectiveness of risk management.

ASX has clear and direct reporting lines between management and the CS Boards. This is set out in the CS Boards' Charter, along with the roles and responsibilities of the Managing Director and CEO, the Chief Risk Officer (CRO), and the GE, Operations. The Managing Director and CEO has responsibility for the overall operational and business management and profit performance of ASX, while the GE, Operations is responsible for the overall settlement risk management of the CS facilities and for ensuring that the SSFs meet regulatory obligations placed on them. The GE, Operations has a direct reporting line to the CS Boards.

ASX has a comprehensive remuneration policy and performance management framework in place, which aims to ensure that management personnel have an appropriate mix of skills and experience to discharge their responsibilities. The ASX Limited Remuneration Committee has delegated responsibility from the ASX Limited Board to conduct detailed examination of matters including oversight of the remuneration and incentive framework, succession plans, recruitment, retention and termination strategies, and the remuneration of the Managing Director and CEO and ASX Group non-executive directors. The Committee members are appointed by the ASX Limited Board, and must consist of only non-executive directors, with at least three members, a majority of independent directors, and an independent chair who is not Chairman of ASX Limited. The Committee has direct access to ASX senior management and the authority to seek independent advice. The CS Boards have delegated responsibility to the Committee for compensation arrangements and performance management processes relating to the CRO and the GE, Operations. The CS Boards provide input on the setting of Key Performance Indicators and may review the performance outcomes for the CRO and the GE, Operations. In June 2015, ASX announced changes to compensation arrangements for senior executives, including the CRO and GE, Operations, to place greater weight on longer-term incentives. These changes did not alter the Key Performance Indicators of either the CRO or GE, Operations, which remain aligned with the objectives of sound and effective risk management.

ASX carries out succession planning and management processes in order to ensure leadership continuity in key positions, and develop intellectual depth and business knowledge. This includes the biannual review of a ‘talent assessment tool’ by Group Executives and Human Resources to identify and manage the development of high potential staff according to individual and business needs. Succession and contingency planning is conducted for Group Executives, General Managers and other key staff.

2.6 The board should establish a clear, documented risk management framework that includes the securities settlement facility's risk tolerance policy, assigns responsibilities and accountability for risk decisions, and addresses decision-making in crises and emergencies. Governance arrangements should ensure that the risk management and internal control functions have sufficient authority, independence, resources and access to the board, including through the maintenance of a separate and independent internal audit function.

ASX has a documented risk management framework, which is described under SSF Standard 3.1. The CS Boards are responsible for approving and reviewing high-level risk management policies relevant to clearing and settlement operations. The Boards approve all new clearing and settlement risk policies and standards, as well as material changes to existing clearing and settlement policies and standards. The Boards consider these policies and standards at a concurrent meeting; where the policy or standard is relevant to more than one facility, the Boards of those facilities would simultaneously determine whether to approve the policy or standard. If the policy requirements under consideration differ across facilities, the Boards of each relevant facility would separately determine whether to approve the policy or standard (during the concurrent meeting). Board feedback is incorporated before risk policies and standards are approved.

Responsibilities under the high-level risk management policy are distributed as follows:

• Detailed reporting to the CS Boards occurs quarterly on the implementation of risk management policies and standards, and on broader management and operational matters. Internal Audit conducts a rotational risk-based audit program, which includes ensuring that relevant operational units comply with Board approved policies and standards, where necessary using external specialists to assist with reviews. The CS Boards may also request external reviews. The ASX Settlement Risk Policy Framework provides a formal structure for the development, governance and review of settlement risk policies and standards, and is reviewed annually. ASX formally documented the policies and standards referenced in the Framework during 2014/15. The Bank will continue to monitor the implementation of those policies and standards.
• The Audit and Risk Committee has responsibility for the oversight of the Enterprise Risk Management Framework.
• The Enterprise Risk Management Committee (ERMC), comprising executives from across the departments, is responsible for enterprise risk management policy and reviewing controls, processes and procedures to identify and manage risks. This committee is also responsible for formally approving significant operational risk policies prepared by individual departments.
• Individual departments are responsible for: identifying business-specific risks; applying controls; maintaining risk-management systems; reporting on the effectiveness of risk controls; and implementing enhancements and taking remedial action as appropriate. Each department is required to maintain a record of its risk profile, reviewing this on a six-monthly basis and updating as appropriate. This record includes ‘Key Risk Indicators’ and action plans to address any identified risk that is not adequately mitigated. Policies are formally reviewed every 18 months to three years. More frequent reviews are undertaken where there are potential changes to technology, legal or regulatory requirements, or business drivers.

The Clearing and Settlement Operations and Settlement Services departments have responsibilities relevant to the management of settlement risks that are defined in ASX's Settlement Risk Policy Framework.

Directors are entitled to obtain independent advice. The Annual Report addresses directors' access to information, management and advice. To the extent that directors wish to seek independent advice, they can raise this in board meetings, with the Managing Director and CEO, or with the Chairman.

2.7 A securities settlement facility's operations, risk management processes, internal control mechanisms and accounts should be subject to internal audit and, where appropriate, periodic independent expert reviews. Internal audits should be performed, at a minimum, on an annual basis. The outcome of internal audits and external reviews should be notified to the Reserve Bank and other relevant authorities.

ASX maintains an internal audit plan that provides for a three-to-five year review cycle of key operational and risk management processes, and internal control mechanisms that are governed by ASX's Enterprise Risk Management Framework, business continuity framework, enterprise compliance framework and internal audit methodology. The internal audit plan is approved by the ASX Limited Audit and Risk Committee, and the audit work that is relevant to the CS Boards and ASX Compliance Board is endorsed by those Boards. The key governance frameworks are reviewed by external independent experts, as required. ASX's internal audit arrangements are set out in an Internal Audit Charter which is reviewed and approved by the ASX Limited Audit and Risk Committee on an annual basis and made available on the ASX public website.

The Internal Audit department is a separate department within ASX that reports to the CRO for administrative purposes, and the Audit and Risk Committee and Managing Director and CEO for audit purposes. The Internal Audit department's reporting structure also includes reporting lines to the CS Boards and ASX Compliance Board. Internal Audit's principal objective is to ‘provide independent, objective assurance and consulting services designed to add value and improve the operations of ASX’. Its scope covers the policies, processes and procedures of all risk management and internal control systems. The General Manager of Internal Audit has direct access to the ASX Limited Audit and Risk Committee, CS Boards and ASX Compliance Board. Members of the Internal Audit department are required to hold appropriate undergraduate and postgraduate qualifications relevant to their roles.

The role and performance of the Internal Audit function is regularly reviewed by the ASX Limited Audit and Risk Committee. Internal Audit is also reviewed by external independent auditors on a three-year cycle. The last such audit was carried out in October/November 2014.

ASX has a clearly defined methodology for internal audit, based on the International Professional Practices Framework set out by the Institute of Internal Auditors.^[2] The audit process includes phases for planning, fieldwork, reporting, final sign-off, and issues logging and follow-up. The planning phase includes the preparation of terms of reference that define the purpose, timing, approach and scope of the audit.

The internal audit methodology allows for ad hoc reviews if, for example, material new risks are identified or other changes to ASX's business occur. This is a matter which the General Manager, Internal Audit and the Audit and Risk Committee consider. The ASX Compliance Board and the CS Boards may also request ad hoc reviews.

2.8 Governance arrangements should ensure that the securities settlement facility's design, rules, overall strategy and major decisions reflect appropriately the legitimate interests of its direct and indirect participants and other relevant stakeholders. Governance arrangements should provide for consultation and stakeholder engagement through appropriate forums on operational arrangements, risk controls and default management rules and procedures. Major decisions should be clearly disclosed to relevant stakeholders and, where there is a broad market impact, the public.

The interests of direct and indirect participants and other relevant stakeholders are recognised in the ASX Limited Board Charter, the CS Boards' Charter and the ASX Customer Charter (see SSF Standard 2.1).

The views of participants and other stakeholders are sought through formal and informal means. Austraclear routinely conducts stakeholder consultations when considering major changes to existing services or new service offerings. Participants' views may also be gathered through the induction program for new participants, as well as ongoing participant liaison and compliance checks. Austraclear has also established an Advisory Committee to provide a standing structure for user feedback on Austraclear's design, operation and the development of its forward work plan. The Advisory Committee, which meets quarterly, is currently made up of representatives from nine of Austraclear's major participants, including the Chairs of the Australian Custodial Services Association custody working group and the Australian SWIFT Securities Market Practice Group, and representatives from the Bank and the Australian Financial Markets Association. The Advisory Committee may convene technical working groups to examine and provide advice on specific matters as required.

2.9 A securities settlement facility that is part of a group of companies should ensure that measures are in place such that decisions taken in accordance with its obligations as a securities settlement facility cannot be compromised by the group structure or by board members also being members of the board of other entities in the same group. In particular, such a securities settlement facility should consider specific procedures for preventing and managing conflicts of interest, including with respect to intragroup outsourcing arrangements.

ASX has conflict handling arrangements to help manage potential conflicts of interest that its directors and staff may face. The potential for intragroup conflicts arising from ASX's group structure is addressed by ‘intragroup’ service agreements, which set out the basis on which other group entities will provide services to the CS facilities and specify that the entities providing the services must have sufficient financial and other resources to meet their obligations. These agreements provide that ASX Group staff are under a duty to act in the best interests of the facility that is receiving the services.

ASX's governance arrangements are designed to ensure that shared directorships within the ASX Group cannot compromise each CS facility's compliance with its licence obligations, including observance of the FSS. ASX considers that there is limited potential for shared directorships to create conflicts between ASX's group-wide commercial interests and the risk management function of the CS facilities. More broadly, it considers that conflicts between directors' roles on the CS Boards and the ASX Limited Board are unlikely given the distinct roles the separate entities perform, and in view of group-wide arrangements to manage matters such as operations and compliance. If a conflict were to arise, a director sitting on multiple CS Boards would be expected to make decisions in the best interests of each facility.

The structure of the CS Boards further limits the potential for conflict. Two directors are able to form a quorum of the Austraclear Board, allowing matters that raise potential conflicts of interest to be considered and voted on without the involvement of directors that are also on the ASX Limited Board.

Standard 3: Framework for the comprehensive management of risks

A securities settlement facility should have a sound risk management framework for comprehensively managing legal, credit, liquidity, operational and other risks.

Rating: Observed

ASX maintains an Enterprise Risk Management Policy that sets out its framework for managing the full range of strategic, legal, financial and operational risks faced by Austraclear. This high-level framework is supported by more granular policies (many of which were finalised or refreshed during 2014/15) and a governance structure to oversee Austraclear's risk management activities (SSF Standard 3.1). Austraclear's risk management framework does not place financial obligations on participants, but provides incentives to participants, such as additional operational requirements for collateral managers, to control the risks that they bring to the SSF (SSF Standards 3.2, 3.3). As part of its risk management framework, Austraclear reviews risks associated with interdependencies with other entities on an ongoing basis and, in relation to new initiatives, applies appropriate tools to manage these risks (SSF Standard 3.4). Austraclear has further developed its recovery arrangements in line with CPMI-IOSCO guidance on recovery planning (SSF Standard 3.5).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 3 during the 2014/15 Assessment period. While existing arrangements are assessed to meet the minimum requirement under the standard, Austraclear is encouraged to complete planned updates to the documentation of its recovery plans.

Austraclear's risk management framework is described in further detail under the following sub-standards.

3.1 A securities settlement facility should have risk management policies, procedures and systems that enable it to identify, measure, monitor and manage the range of risks that arise in or are borne by the securities settlement facility. This risk management framework should be subject to periodic review.

Identification of risk

ASX's high-level framework for risk management is described in its Enterprise Risk Management Policy. This policy divides risks identified by ASX into two broad groupings: strategic risks and operational risks. Operational risks are further categorised into financial risks, legal and regulatory risks, and technological and operational risks. Specific risks identified by ASX are described within these broad categories. For each identified risk, ASX judges how likely it is the risk event will occur within the next 12 months and the potential impact. Reputational and participant impacts are considered along with the financial, operational and regulatory impacts of risks.

Comprehensive risk policies, procedures and controls

ASX's Enterprise Risk Management Policy has been developed with reference to the international standard ISO 31000 Risk Management – Principles and Guidelines (see SSF Standard 2.6).^[3] At a high level, the ASX Enterprise Risk Management Policy outlines: the overall risk environment in the ASX Group; the objectives of risk management policies; the process by which risks are identified and assessed; the controls in place to detect and mitigate risks; and how risks are monitored and communicated. ASX's stated tolerance for financial, operational, legal and regulatory risks is ‘very low’.

ASX uses key risk indicators to measure levels of risk in the organisation and categorise risk levels according to a scale: satisfactory; within risk tolerance but requiring action to further control the level of risk; or exceeding ASX's risk tolerance.

The Enterprise Risk Management Policy also assigns specific risk responsibilities across the ASX Group, including to the ASX Limited Board of Directors, the Audit and Risk Committee, the ERMC, the General Manager, Enterprise Risk and managers of individual departments. Managers of each department are responsible for identifying and monitoring risks relevant to their department's activities, as well as for designing and implementing risk management policies and controls to manage identified risks. Department managers assess the appropriateness and operational effectiveness of these controls twice a year; these assessments are reviewed by Internal Audit and the ERMC.

In 2013/14, ASX adopted an updated and formalised Settlement Risk Policy Framework to better align both it and related governance structures with the new FSS. The Framework sets out a comprehensive set of settlement-related risk policies to support the risk management approach of ASX's SSFs, including Austraclear. These policies govern more detailed internal standards, which in turn govern specific procedures for the management of settlement-related risks. The structure of policies, standards and procedures reflects the requirements of the FSS. During the 2014/15 Assessment period, ASX finalised remaining policies and standards referenced in the Framework, and reviewed the policies and standards already in place.

A number of boards and internal committees oversee settlement risk management policy, including:

• The CS Boards. Each CS facility has a board (see SSF Standard 2.3 and ‘ASX Group Structure’ in Appendix A), which shares members with the other ASX CS facilities, has oversight of the Settlement Risk Policy Framework, and is responsible for any significant amendments. Policies and designated key standards under the Framework are governed by the CS Boards.
• The Settlement Risk Policy Committee (SRPC). The SRPC reviews and approves clearing risk policies and standards prior to submission to the CS Boards. The SRPC is chaired by the GE, Operations and includes the ASX Group Legal Counsel, General Manager of Clearing and Settlement Operations, the General Manager of Participants Compliance and the General Manager of Settlement Services. It will meet as needed when settlement risk policy matters arise.
• The Capital and Liquidity Committee (CALCO). CALCO is constituted to ensure the structural integrity and efficient use of the liquidity, on- and off-balance sheet assets, liabilities and capital resources of the ASX Group. CALCO advises on changes to settlement risk policies related to capital, liquidity and balance sheet management. CALCO is chaired by the CRO and comprises senior managers and executives from Finance, Risk and Internal Audit. CALCO generally meets on a quarterly basis.
• The SSF Risk, Operations and Compliance Committee (SROCC). SROCC is chaired by the GE, Operations and is made up of senior managers and executives from the settlement operations and compliance areas of ASX. The committee acts as an information-sharing and discussion body for the purpose of enhancing ASX's ability to identify, assess and reduce systemic, operational or compliance risk, and manage settlement risk. The SROCC currently meets on a monthly basis.
• The Participant Incident Response Committee (PIRC). The PIRC is responsible for coordinating ASX's response to a settlement participant incident, and provides input into policy determinations and settings as necessary in response to such incidents. The PIRC is chaired by the GE, Operations, and is made up of senior staff from the operational, risk management, compliance and legal departments. Meetings of the PIRC are convened as required to address an actual or potential participant incident.

Information and control systems

Since Austraclear does not assume credit or liquidity risk as principal (see SSF Standards 4 and 6), it does not require information and control systems to monitor these risks. Furthermore, Austraclear's use of delivery-versus-payment (DvP) Model 1 settlement avoids the creation of credit exposures during the settlement process and limits the direct liquidity impact of a participant default on non-defaulting participants. Accordingly, there are no relevant participant settlement and funding flows for Austraclear to measure and monitor (see SSF Standard 6.2).

Internal controls

ASX's risk management policies are generally reviewed formally every 18 months to three years, although more frequent reviews may occur depending on changes to technology, business drivers or legal requirements. Reviews are conducted by specific working groups and committees. Final approval of reviews for more significant policies is the responsibility of the ERMC. Under the Enterprise Risk Management Policy, ASX's departments are required to update a risk profile every six months, which identifies relevant risks and sets out planned actions to respond to those risks.

Risk management arrangements are also subject to periodic review by Internal Audit. Such audits provide assurance that the risk management framework continues to be effective. Risk management arrangements may also be subject to review by external experts from time to time. The last such review of the Enterprise Risk Management Policy was undertaken by PricewaterhouseCoopers in 2011 and the next review is scheduled for the second half of 2015.

The Enterprise Risk Management Policy is reviewed by the Audit and Risk Committee on a two year cycle, with the most recent review taking place in August 2015.

3.2 A securities settlement facility should ensure that financial and other obligations imposed on participants under its risk management framework are proportional to the scale and nature of individual participants' activities.

Austraclear does not place financial obligations on its participants. Austraclear is not a participant or guarantor to any transaction submitted for settlement through Austraclear and is not directly exposed to credit or liquidity risk. The DvP Model 1 settlement process does not expose participants to credit risk (see SSF Standard 10.2). Transactions that are not settled successfully on the day that they are submitted are removed from the settlement queue at close of business without penalty. Operational and other participation requirements placed on participants are discussed under SSF Standards 14.6 and 15.2.

3.3 A securities settlement facility should provide incentives to participants and, where relevant, their customers to manage and contain the risks they pose to the securities settlement facility.

Austraclear may apply sanctions to, or place additional requirements on, participants that fail to comply with its Regulations. Participants may ultimately be required to seek alternative settlement arrangements.

3.4 A securities settlement facility should regularly review the material risks it bears from and poses to other entities (such as other FMIs, money settlement agents, liquidity providers and service providers) as a result of interdependencies, and develop appropriate risk management tools to address these risks.

Austraclear reviews the material risks that it bears from and poses to other entities in the context of its ongoing review of enterprise risks (such as the six-monthly update of department risk profiles; see SSF Standard 3.1), and its processes for identifying risks associated with new activities. In the case of new products and services, ASX undertakes risk assessments when undertaking an expansion of its activities or in the event of material changes to its business. Risk assessments are built into ASX's project management framework (see SSF Standards 12.1 and 14.4).

For instance, Austraclear has identified potential risks to its operational activities arising from participants outsourcing their back-office processing offshore. Austraclear has also identified interdependencies with service providers, notably Clearstream Banking S.A. (Clearstream) for key components of the ASX Collateral service. Austraclear's response to these interdependencies is outlined in SSF Standard 14.5.

Interdependencies with ASX Clear and ASX Clear (Futures) for the settlement of margin and other payment obligations are managed within the context of ASX Group's broader risk management framework (see SSF Standard 17). Interdependencies with LCH.Clearnet Limited (LCH.C Ltd) for the management of its AUD liquidity requirements are managed in the context of Austraclear's operational risk management framework (see SSF Standards 14 and 17).

3.5 A securities settlement facility should identify scenarios that may potentially prevent it from being able to provide its critical operations and services as a going concern and assess the effectiveness of a full range of options for recovery or orderly wind-down. A securities settlement facility should prepare appropriate plans for its recovery or orderly wind-down based on the results of that assessment. Where applicable, a securities settlement facility should also provide relevant authorities with the information needed for purposes of resolution planning.

During the 2014/15 Assessment period, Austraclear has further developed its recovery arrangements to build on a basic recovery plan developed in early 2014. The earlier plan identified scenarios that could threaten Austraclear's ongoing provision of critical settlement services, and set out how it would respond to such scenarios on the basis of powers under its Regulations and Procedures. The plan sets out the likely sequence of actions that ASX would take under each identified recovery scenario, and analyses the advantages and disadvantages of tools available to Austraclear to respond to such scenarios.

Austraclear has enhanced its recovery approach in line with CPMI-IOSCO guidance on recovery planning published in October 2014, clarifying its process for addressing non default-related losses via business risk capital arrangements (see SSF Standard 12.3). While no rule changes are required to implement this enhancement, Austraclear is in the process of updating its recovery plan in line with the expanded set of recovery tools for the ASX CCPs. Austraclear will also give consideration to how its recovery plan is maintained and tested on an ongoing basis. Section 6 discusses ASX's recovery planning arrangements in further detail.

Standard 4: Credit risk

A securities settlement facility should effectively measure, monitor and manage its credit exposures to participants and those arising from its settlement processes. A securities settlement facility should maintain sufficient financial resources to cover its credit exposure to each participant fully with a high degree of confidence.

Rating: Not applicable

Austraclear does not extend credit to participants or provide a settlement guarantee. Accordingly, Austraclear does not assume credit risk as principal.

The Bank has concluded that SSF Standard 4 does not apply to Austraclear.

4.1 A securities settlement facility should establish a robust framework to manage its credit exposures to its participants and the credit risks arising from its settlement processes. Credit exposures may arise from current exposures, potential future exposures, or both.

Not applicable to Austraclear.

4.2 A securities settlement facility should identify sources of credit risk, routinely measure and monitor credit exposures, and use appropriate risk management tools to control these risks. To assist in this process, a securities settlement facility should ensure it has the capacity to calculate exposures to participants on a timely basis as required, and to receive and review timely and accurate information on participants' credit standing.

Not applicable to Austraclear.

4.3 A securities settlement facility should have the authority to impose activity restrictions or additional credit risk controls on a participant in situations where the securities settlement facility determines that the participant's credit standing may be in doubt.

Not applicable to Austraclear.

4.4 A securities settlement facility should cover its current and, where they exist, potential future exposures to each participant fully with a high degree of confidence using collateral and other equivalent financial resources (see SSF Standard 5 on collateral). In the case of a deferred net settlement (DNS) securities settlement facility in which there is no settlement guarantee, but where its participants face credit exposures arising from its settlement processes, the facility should maintain, at a minimum, sufficient resources to cover the exposures of the two participants and their affiliates that would create the largest aggregate credit exposure in the system.

Not applicable to Austraclear.

4.5 A securities settlement facility should establish explicit rules and procedures that address fully any credit losses it may face as a result of any individual or combined default among its participants with respect to any of their obligations to the securities settlement facility. These rules and procedures should address how potentially uncovered credit losses would be allocated, including the repayment of any funds a securities settlement facility may borrow from liquidity providers. These rules and procedures should also indicate the securities settlement facility's process to replenish any financial resources that the securities settlement facility may employ during a stress event, so that the securities settlement facility can continue to operate in a safe and sound manner.

Not applicable to Austraclear.

Standard 5: Collateral

A securities settlement facility that requires collateral to manage its or its participants' credit exposures should accept collateral with low credit, liquidity and market risks. A securities settlement facility should also set and enforce appropriately conservative haircuts and concentration limits.

Rating: Not applicable

Since Austraclear does not assume credit risk as principal (see SSF Standard 4), it does not collect collateral from participants.

The Bank has concluded that SSF Standard 5 does not apply to Austraclear.

5.1 A securities settlement facility should generally limit the assets it (routinely) accepts as collateral to those with low credit, liquidity and market risks.

Not applicable to Austraclear.

5.2 In determining its collateral policies, a securities settlement facility should take into consideration the broad effect of these policies on the market. As part of this, a securities settlement facility should consider allowing the use of collateral commonly accepted in the relevant jurisdictions in which it operates.

Not applicable to Austraclear.

5.3 A securities settlement facility should establish prudent valuation practices and develop haircuts that are regularly tested and take into account stressed market conditions.

Not applicable to Austraclear.

5.4 In order to reduce the need for procyclical adjustments, a securities settlement facility should establish stable and conservative haircuts that are calibrated to include periods of stressed market conditions, to the extent practicable and prudent.

Not applicable to Austraclear.

5.5 A securities settlement facility should avoid concentrated holdings of certain assets where this would significantly impair the ability to liquidate such assets quickly without significant adverse price effects.

Not applicable to Austraclear.

5.6 A securities settlement facility that accepts cross-border collateral should mitigate the risks associated with its use and ensure that the collateral can be used in a timely manner.

Not applicable to Austraclear.

5.7 A securities settlement facility should use a collateral management system that is well designed and operationally flexible.

Not applicable to Austraclear.

Standard 6: Liquidity risk

A securities settlement facility should effectively measure, monitor and manage its liquidity risk. A securities settlement facility should maintain sufficient liquid resources in all relevant currencies to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate liquidity obligation for the securities settlement facility in extreme but plausible market conditions.

Rating: Observed

Austraclear settlements are conducted in real time on a DvP Model 1 basis, minimising the liquidity risk exposure for its participants (SSF Standard 6.1). Austraclear does not assume liquidity risk as principal through its settlement process (SSF Standards 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 6 during the 2014/15 Assessment period. Austraclear's arrangements to minimise liquidity risk for its participants are described in further detail under the following sub-standards.

6.1 A securities settlement facility should have a robust framework to manage its liquidity risks from its participants, commercial bank money settlement agents, nostro agents, custodians, liquidity providers and other entities.

Austraclear conducts its securities settlements on a DvP Model 1 basis in real time (see SSF Standard 10). By using such a settlement mechanism, Austraclear minimises the liquidity impact of a participant default on other participants. Only the bilateral counterparties to securities trades struck over the counter with the defaulted participant would face a direct liquidity impact. Such counterparties would be able to manage their liquidity risk within their proprietary frameworks for counterparty risk management.

6.2 A securities settlement facility should have effective operational and analytical tools to identify, measure and monitor its settlement and funding flows on an ongoing and timely basis, including its use of intraday liquidity.

Since Austraclear does not assume liquidity risk as principal, and its use of DvP Model 1 settlement limits the liquidity impact of a participant default on non-defaulting participants, there are no relevant settlement and funding flows for Austraclear to measure and monitor.

6.3 A securities settlement facility should maintain sufficient liquid resources in all relevant currencies to effect same-day settlement and, where appropriate, intraday or multiday settlement of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate payment obligation in extreme but plausible market conditions.

Since Austraclear does not assume liquidity risk as principal it does not need to maintain liquid resources to cover payment obligations.

6.4 For the purpose of meeting its minimum liquid resource requirement, a securities settlement facility's qualifying liquid resources in each currency include cash at the central bank of issue and at creditworthy commercial banks, committed lines of credit, committed foreign exchange swaps and committed repos, as well as highly marketable collateral held in custody and investments that are readily available and convertible into cash with prearranged and highly reliable funding arrangements, even in extreme but plausible market conditions. If a securities settlement facility has access to routine credit at the central bank of issue, the securities settlement facility may count such access as part of the minimum requirement to the extent it has collateral that is eligible for pledging to (or for conducting other appropriate forms of transactions with) the relevant central bank. All such resources should be available when needed.

Since Austraclear does not assume liquidity risk as principal it does not maintain liquid resources to cover payment obligations in stressed scenarios.

6.5 A securities settlement facility may supplement its qualifying liquid resources with other forms of liquid resources. If the securities settlement facility does so, these liquid resources should be in the form of assets that are likely to be saleable or acceptable as collateral for lines of credit, swaps or repos on an ad hoc basis following a default, even if this cannot be reliably prearranged or guaranteed in extreme market conditions. Even if a securities settlement facility does not have access to routine central bank credit, it should still take account of what collateral is typically accepted by the relevant central bank, as such assets may be more likely to be liquid in stressed circumstances. A securities settlement facility should not assume the availability of emergency central bank credit as part of its liquidity plan.

Since Austraclear does not assume liquidity risk as principal it does not maintain liquid resources to cover payment obligations in stressed scenarios.

6.6 A securities settlement facility should obtain a high degree of confidence, through rigorous due diligence, that each provider of its minimum required qualifying liquid resources, whether a participant of the securities settlement facility or an external party, has sufficient information to understand and to manage its associated liquidity risks, and that it has the capacity to perform as required under its commitment. Where relevant to assessing a liquidity provider's performance reliability with respect to a particular currency, a liquidity provider's potential access to credit from the central bank of issue may be taken into account. A securities settlement facility should regularly test its procedures for accessing its liquid resources at a liquidity provider.

Since Austraclear does not assume liquidity risk as principal it does not maintain liquid resources to cover payment obligations in stressed scenarios.

6.7 A securities settlement facility with access to central bank accounts, payment services or securities services should use these services, where practical, to enhance its management of liquidity risk.

Austraclear does not assume liquidity risk as principal.

6.8 A securities settlement facility should determine the amount and regularly test the sufficiency of its liquid resources through rigorous stress testing. A securities settlement facility should have clear procedures to report the results of its stress tests to appropriate decision-makers at the securities settlement facility and to use these results to evaluate the adequacy of, and adjust, its liquidity risk management framework. In conducting stress testing, a securities settlement facility should consider a wide range of relevant scenarios. Scenarios should include relevant peak historic price volatilities, shifts in other market factors such as price determinants and yield curves, multiple defaults over various time horizons, simultaneous pressures in funding and asset markets, and a spectrum of forward-looking stress scenarios in a variety of extreme but plausible market conditions. Scenarios should also take into account the design and operation of the securities settlement facility, include all entities that might pose material liquidity risks to the securities settlement facility (such as commercial bank money settlement agents, nostro agents, custodians, liquidity providers and linked FMIs) and, where appropriate, cover a multiday period. In all cases, a securities settlement facility should document its supporting rationale for, and should have appropriate governance arrangements relating to, the amount and form of total liquid resources it maintains.

Since Austraclear does not assume liquidity risk as principal it does not maintain liquid resources to cover payment obligations in stressed scenarios.

6.9 A securities settlement facility should establish explicit rules and procedures that enable the securities settlement facility to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations on time following any individual or combined default among its participants. These rules and procedures should address unforeseen and potentially uncovered liquidity shortfalls and should aim to avoid unwinding, revoking or delaying the same-day settlement of payment obligations. These rules and procedures should also indicate the securities settlement facility's process to replenish any liquidity resources it may employ during a stress event, so that it can continue to operate in a safe and sound manner.

Since Austraclear does not assume liquidity risk as principal, it does not need rules and procedures to address a liquidity shortfall.

Standard 7: Settlement finality

A securities settlement facility should provide clear and certain final settlement, at a minimum by the end of the value date. Where necessary or preferable, a securities settlement facility should provide final settlement intraday or in real time.

Rating: Observed

Austraclear defines the point at which settlement is final in its Regulations, and finality is ensured by its approval under Part 2 of the PSNA. The finality of interbank obligations arising from its settlements is protected by the approval of RITS under the same legislation (SSF Standard 7.1). Final settlement occurs on a DvP (or equivalent simultaneous exchange of assets) Model 1 basis in real time (SSF Standard 7.2). Austraclear defines clear cut-off times for the cancellation of payment or transfer instructions (SSF Standard 7.3).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 7 during the 2014/15 Assessment period. Austraclear's arrangements for ensuring finality of settlements are described in further detail under the following sub-standards.

7.1 A securities settlement facility's rules and procedures should clearly define the point at which settlement is final.

The point at which settlement is final is defined in the Austraclear Regulations. In the case of transactions involving the transfer of a security, settlement is final when Austraclear has made the appropriate amendments to the security records of the participants involved in the transaction. In the case of transactions involving an AUD cash payment, the cash element of the transaction is settled and may not be unwound when a message is received from RITS that the cash transfer has been made. Upon receipt of the RITS confirmation, Austraclear will update the cash record of the participant. The cash record is a record of the day's flow of debits and credits against each participant's nominated account that allows participants to limit the amount of their funds made available for settlement of transactions.^[4]

For foreign currency cash payments, the transaction is settled and may not be unwound once Austraclear has received settlement instructions from the paying participant that satisfy cash record limit checks with its participating bank. Participants receive a claim on the foreign currency settlement bank upon updating of their cash record in that currency (see SSF Standard 8.5).

The finality of Austraclear's settlement process (including for foreign currency cash payments) is ensured by its approval under Part 2 of the PSNA (see SSF Standard 1.2). In addition, the payments between participants that are ‘Participating Banks’ are protected by virtue of the approval of RITS as an RTGS system under Part 2 of the PSNA. With this approval, a payment executed in RITS at any time on the day on which a RITS participant enters external administration has the same standing as if the participant had gone into external administration on the next day. Accordingly, in the event of insolvency all transactions settled on the day of the insolvency are irrevocable and cannot be unwound.

Since the protection of the PSNA covers any exchange of assets, it extends to delivery-versus-delivery (DvD) settlement of substitutions generated by ASX Collateral. The point of finality in the case of collateral substitutions is identical to other obligations settled in Austraclear.

7.2 The securities settlement facility should complete final settlement no later than the end of the value date, and preferably intraday or in real time, to reduce settlement risk. A securities settlement facility should consider adopting real-time gross settlement (RTGS) or multiple batch processing during the settlement day.

Settlement of securities transactions in Austraclear occurs on a DvP (or equivalent simultaneous exchange of assets) Model 1 basis. This involves the simultaneous exchange of assets (cash and securities) between the buyer and seller on an item-by-item basis in real time. Austraclear additionally provides for one-way cash transfers between participants, which are also settled on an item-by-item basis. Although settlements occur in real time, transactions may be held pending during the settlement day (the value date) due to insufficient funds or securities. However, all settlements must occur by the end of the settlement day. Any instructions not settled at the end of the day are automatically moved to a ‘failed’ status and removed from Austraclear. To the extent that participants to a ‘failed’ transaction intend to complete settlement, these transactions must be resubmitted to Austraclear. ‘Failed’ transactions are not automatically restored on the following day. Austraclear's Regulations establish the basis for settlement of transactions entered into the system.

7.3 A securities settlement facility should clearly define the point after which unsettled payments, transfer instructions or other obligations may not be revoked by a participant.

The cut-off times for cancelling payment or transfer instructions are in line with the daily Austraclear cycle. Some cut-off times vary according to whether participants are engaged in evening settlement operations in RITS. Key cut-off times are:

• 1.00 pm for automated re-generation of corporate action instructions (e.g. maturity and coupon payments to bond holders) if amendments are required. However, manual corrections can be processed after this time.
• 4.28 pm for the cancellation of DvP and cash transactions by participants that do not engage in evening operations.
• 6.32 pm AEST (8.32 pm AEDT) for the cancellation of transactions by participants engaging in evening operations.

No transaction can be cancelled once it is at ‘payment pending’ status in Austraclear, which occurs following matching of instructions from both participants involved in the transaction or, in the case of foreign currency payments, once the transaction has passed cash record limit checks. In all cases, the above deadlines can be extended at the discretion of Austraclear, with extension of the last two deadlines requiring the Bank's approval due to the implications for RITS.

Standard 8: Money settlements

A securities settlement facility should conduct its money settlements in central bank money where practical and available. If central bank money is not used, a securities settlement facility should minimise and strictly control the credit and liquidity risk arising from the use of commercial bank money.

Rating: Observed

Austraclear conducts its AUD money settlements across the Exchange Settlement Accounts (ESAs) of Participating Banks at the Bank, via RITS (SSF Standard 8.1). Participating Banks that effect money settlements on their own behalf or on behalf of other participants must be prudentially regulated and meet Austraclear's participation requirements (SSF Standard 8.3).

In July 2014, Austraclear began offering a foreign currency settlement service, initially supporting the settlement of payments in Chinese RMB across the books of the Bank of China (Sydney branch) (SSF Standards 8.2, 8.3). Austraclear's Regulations and legal agreement with Bank of China state that payments through this service settle with finality in real time (SSF Standard 8.5).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 8 during the 2014/15 Assessment period. Austraclear's money settlement arrangements are discussed in further detail under the following sub-standards.

8.1 A securities settlement facility should conduct its money settlements in central bank money, where practical and available, to avoid credit and liquidity risks.

Austraclear's AUD money settlements are all settled in central bank money. Payment obligations in Austraclear are settled on an RTGS basis across ESAs at the Bank, via RITS.

This includes money settlements initiated by ASX Collateral; while it is expected that most collateral substitutions will involve the exchange of one security for another on a DvD basis, cash may be used as a last resort to effect collateral substitution.

8.2 If central bank money is not used, a securities settlement facility should conduct its money settlements using a settlement asset with little or no credit or liquidity risk.

During the Assessment period all Australian dollar money settlements in Austraclear were effected using central bank money.

In July 2014, Austraclear began offering a foreign currency settlement service, initially supporting the settlement of payments in RMB. Settlement of these payment transactions is effected in commercial bank money across the books of the Bank of China (Sydney branch). Austraclear requires that a foreign currency settlement bank be prudentially supervised (i.e. licensed as an authorised deposit-taking institution (ADI)).

8.3 If a securities settlement facility settles in commercial bank money or its participants effect settlements using commercial settlement banks, it should monitor, manage and limit credit and liquidity risks arising from the commercial bank money settlement agents and commercial settlement banks. In particular, a securities settlement facility should establish and monitor adherence to strict criteria for commercial banks appropriate to their role in the settlement process, taking account of matters such as their regulation and supervision, creditworthiness, capitalisation, access to liquidity and operational reliability. A securities settlement facility should also monitor and manage the concentration of its and its participants' credit and liquidity exposures to commercial bank money settlement agents and settlement banks.

Settlement of AUD payments is in central bank funds. Since not all Austraclear participants are eligible to hold an ESA, Austraclear rules provide for those participants to nominate a Participating Bank (an ESA holder that agrees to act on behalf of a participant as settlement agent). A Participating Bank in Austraclear must be approved by the Australian Prudential Regulation Authority (APRA) as an ADI for the purpose of carrying out banking business within Australia, and be a member of RITS with an ESA. Participating Banks must also satisfy Austraclear's general participation requirements, which cover matters such as operational capacity, financial standing, and business continuity arrangements (see SSF Standard 15).

Austraclear is not a party to arrangements between settlement participants and Participating Banks (which may also be Austraclear participants) and is not directly exposed to credit or liquidity risk. Under Austraclear Regulations, Participating Banks must meet the AUD money settlement obligations of any participant that they represent in central bank money. Participating Banks do not receive title to any securities due from settlement. Title is delivered to the participant upon settlement in central bank money. Credit exposures, if any, between participants and Participating Banks are managed bilaterally on the same basis as any transactional banking arrangement.

Austraclear is similarly not directly exposed to credit or liquidity risks from Bank of China in respect of its settlement service for RMB payments. To act as a foreign currency settlement bank, a bank must be an ADI subject to regulation by APRA. In considering a bank's application to be a foreign currency settlement bank, Austraclear considers factors such as the bank's prudential regulation, operational reliability and capacity, business continuity management and business integrity and operations. Business continuity requirements are set out in the Austraclear Regulations. In November 2014, Bank of China was appointed the official RMB clearing bank for Australia by the People's Bank of China (PBC), affording it more direct access to RMB liquidity from the PBC.

8.4 If a securities settlement facility conducts money settlements on its own books, it should minimise and strictly control its credit and liquidity risks.

Austraclear does not conduct money settlements on its own books.

8.5 A securities settlement facility's legal agreements with any commercial bank money settlement agents should state clearly when transfers on the books of the relevant commercial bank are expected to occur, that transfers are to be final when effected, and that funds received should be transferable as soon as possible, at a minimum by the end of the day and ideally intraday, in order to enable the securities settlement facility and its participants to manage credit and liquidity risks.

Austraclear does not use commercial bank money settlement agents for its AUD money settlement activities. Participants' arrangements with Participating Banks to access central bank money settlement are conducted under legal agreements between the parties involved; Austraclear is not a party to these agreements.

Austraclear's legal agreement with Bank of China acknowledges that the record of RMB transfers in Austraclear provides participants with a claim on Bank of China, notwithstanding that participants' accounts at Bank of China are updated only at the end of day. The transfer of these claims are final once participants' RMB cash records in Austraclear have been updated.

Standard 9: Central securities depositories

A securities settlement facility operating a central securities depository should have appropriate rules and procedures to help ensure the integrity of securities issues and minimise and manage the risks associated with the safekeeping and transfer of securities. A securities settlement facility operating a central securities depository should maintain securities in an immobilised or dematerialised form for their transfer by book entry.

Rating: Observed

Austraclear acts as central securities depository for the securities that it settles. Austraclear employs a range of controls to ensure the integrity of these securities, which are subject to annual audit. Austraclear's Regulations and Procedures identify the interests held by participants in each type of security held within Austraclear, identify how these interests can be transferred within the facility, and provide that participants' securities would not be subject to claims by creditors in the event that Austraclear entered external administration (SSF Standard 9.1).

Austraclear does not allow overdrafts or debit balances in securities accounts within its system, and maintains paper securities in immobilised form, with other securities dematerialised (SSF Standards 9.2, 9.3). Austraclear's Regulations set out its obligations in providing safe keeping of participant assets, and Austraclear employs operational controls and insurance to mitigate custody risk (SSF Standard 9.4). Participant assets are segregated from Austraclear's own assets, and Austraclear supports the segregation of participant and client assets through optional sub-accounts (SSF Standard 9.5). Austraclear's provision of ancillary services to issuers is subject to operational risk controls (SSF Standard 9.6).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 9 during the 2014/15 Assessment period. Austraclear's arrangements for its central securities depository activities are described in further detail under the following sub-standards.

9.1 A securities settlement facility operating a central securities depository should have appropriate rules, procedures and controls, including robust accounting practices, to safeguard the rights of securities issuers and holders, prevent the unauthorised creation or deletion of securities, and conduct periodic and at least daily reconciliation of securities issues it maintains.

Austraclear employs a range of controls to ensure the integrity of securities it holds. It maintains dual redundancy and a synchronous data update model which ensures that securities holding data are consistent across primary and backup data centres (see SSF Standard 14). Austraclear produces a daily report that reconciles opening and closing balances of holdings to transactions. This report is used to identify if a holding has not been accurately updated.

Annual audits of Austraclear's system controls are conducted by an external auditor and the resulting report is published on the ASX website. These audits assess controls over transaction processing, as well as change management, security protocols, data system operations and disaster recovery planning. The auditor's opinion is provided under the Australian Government Auditing and Standards Board standard ASAE 3402 – Assurance Report on Controls at a Service Organisation. ASX Internal Audit performs an additional risk-based audit of key Austraclear functions on a rolling three-year cycle.

In the case of settlement of collateral pledges, Austraclear requires that both the pledgor and pledgee match the request within the system. This places a lock on those securities until the pledgee accepts a request from the pledgor to release the lock.

These rules and procedures should:

(a) identify the type of title or interest held by participants for particular securities, to the extent such title or interest is recognised by the facility's rules and procedures;

Austraclear's Regulations identify title for three different classes of securities: dematerialised securities; non-paper securities and Euroentitlements; and paper securities.

• Dematerialised securities are electronic securities that are registered in the Austraclear system rather than externally. They include electronic certificates of deposit, electronic promissory notes and electronic bank accepted bills of exchange. A dematerialised security is held by a participant as a ‘chose in action’. This legal structure imposes rights and obligations that replicate the rights and obligations of a negotiable instrument.
• Non-paper securities and Euroentitlements are electronic securities that are not registered within the Austraclear system. Non-paper securities include Australian Government securities, registrable state and semi-government securities, and corporate debt. Euroentitlements are claims to investment-grade AUD-denominated European securities that are deemed acceptable by Austraclear and are deposited in an account that Austraclear maintains at Clearstream. The entitlements remain within Austraclear and transfer of title occurs across these accounts, rather than offshore. In the case of non-paper securities and Euroentitlements, Austraclear holds legal title for the participant as nominee, while the participant retains beneficial title.
• Paper securities are negotiable instruments and include some certificates of deposit, promissory notes and bills of exchange. Austraclear holds these securities for the participant as bailee. The participant retains legal and beneficial title (see SSF Standard 9.1(b)).

The Austraclear Rules and Procedures provide the legal and operational basis for the transfer of title or interests between participants, including the timing of transfers and the role of pledges (encumbrances). Securities pledged in Austraclear require both the pledgor and pledgee to match a pledge request within the system. This places a lock on those securities until the pledgee accepts a request from the pledgor to release the lock.

Under the standard Austraclear account structure, participants can pledge securities to collateralise an exposure created outside the system without the transfer of title, or to exchange securities under repurchase agreements with the transfer of title. These securities may then be used by the collateral receiver without encumbrance (as long as the collateral giver has agreed that they may be re-used, which is standard practice).

The account structure that supports the CCMS includes new Collateral Accounts to hold securities that have been given as collateral by way of outright transfer (Transferred Collateral Accounts) or security interest (Secured Collateral Accounts). These accounts are used only by users of the CCMS (who must be Full Participants) and are controlled by the Collateral Manager as their agent. A collateral receiver may re-use securities held by it in a Transferred Collateral Account (unless re-use has been restricted by agreement between the collateral giver and collateral receiver), but only within the CCMS and through the Collateral Manager as its agent. The collateral receiver may also instruct the Collateral Manager to transfer the securities to another account for sale or repo outside of the Collateral Management System, but only on condition that equivalent replacement securities are transferred into the Collateral Account.

Settlement instructions for the CCMS are generated by the optimisation service operated by Clearstream based on exposure details provided by customers. The settlement instructions are given to Austraclear by the Collateral Manager who is responsible for account and collateral management on behalf of its customers.

(b) clearly identify the way in which the transfer of (or any other forms of dealing with) securities and related payments can be effected through the facility; and

The transfer of title to securities in the Austraclear system is effected by electronic book entry. Transfers of dematerialised securities are transfers of contractual rights within the Austraclear system. Non-paper securities are transferred through the passing of beneficial title from the seller to the buyer. Paper securities are transferred through updates to participants' security records. Austraclear also uses ‘allonges’ to record indorsements in respect of paper securities, maintaining the negotiability of these instruments. Austraclear retains legal title in the relevant registry. Settlement occurs via a DvP process in real time. The Austraclear Regulations and Procedures also provide for the free-of-payment transfer of securities, where required.

(c) ensure that, to the extent permissible by law, the creditors of the operator of the securities settlement facility have no claim over securities or other assets held, deposited or registered by participants in the facility.

In the event of Austraclear's insolvency, the rules and arrangements for title within Austraclear provide assurance that participants' securities would be immune from claims by Austraclear's creditors. Austraclear is not counterparty to any transactions settled in its system.

9.2 A securities settlement facility operating a central securities depository should prohibit overdrafts and debit balances in securities accounts.

Austraclear does not maintain cash accounts, removing the possibility of overdrafts or the extension of credit by Austraclear. All AUD transactions are settled across the ESAs of Participating Banks, while foreign currency transactions are settled as claims on the relevant foreign currency settlement bank (see SSF Standard 8).

Any instruction to move securities from a participant's securities account in Austraclear in excess of available securities remains in a ‘not ready’ status until sufficient securities are received into that account. If the instruction remains outstanding at the end of the day, it will move to a ‘failed’ status and automatically be removed from Austraclear. This removes the possibility of a debit balance in securities accounts.

9.3 A securities settlement facility operating a central securities depository should maintain securities in an immobilised or dematerialised form for their transfer by book entry. Where appropriate, a securities settlement facility operating a central securities depository should provide incentives to immobilise or dematerialise securities.

The securities maintained in Austraclear are either paper, non-paper or dematerialised (see SSF Standard 9.1(a)). Paper securities are immobilised and held by Austraclear as bailee for the holder.

9.4 A securities settlement facility operating a central securities depository should protect assets against custody risk through appropriate rules and procedures consistent with its legal framework.

Austraclear's Regulations require that Austraclear provide safe keeping for paper securities, and do all that is in its power to replace the security if it becomes lost, stolen, destroyed or damaged. If Austraclear were liable to a participant due to the loss or destruction of a paper security, its liability could extend to the face value of the security.

Austraclear has identified potential custody risks arising from negligence, misuse of assets, fraud, poor administration, or inadequate recordkeeping. Operational controls to mitigate these risks include segregation of duties, access restrictions and authorisation checks.

Austraclear is covered by the ASX Group general and professional indemnity insurance policies for civil liabilities arising from its central securities depository activities. Where losses are the result of employee wrongdoing or a computer manipulation, Austraclear is covered by the ASX Group comprehensive Crime Policy. The Austraclear Rules also include specific warranties and indemnities limiting potential liabilities arising from custody risk.

9.5 A securities settlement facility operating a central securities depository should employ a robust system that ensures segregation between its own assets and the securities of its participants, and segregation among the securities of participants. Where supported by the legal framework, a securities settlement facility operating a central securities depository should also support operationally the segregation of securities belonging to a participant's customers on the participant's books and facilitate the transfer of customer holdings.

Austraclear segregates its own assets and securities from those of its participants. Participant holdings are legally and operationally segregated within participant accounts. Participants have the further option to segregate client holdings by adopting sub-accounts. Austraclear does not mandate the segregation of client holdings; however, this may be required by regulatory regimes governing participants.

9.6 A securities settlement facility operating a central securities depository should identify, measure, monitor and manage its risks from other activities that it may perform; additional tools may be necessary in order to address these risks.

Austraclear offers paying agent services to issuers of debt securities. This service is governed under a service agreement and documented terms and conditions, which are available on the ASX public website. The service is subject to the same operational risk framework that is applied across all ASX facilities (see SSF Standard 14). Austraclear's liability from this activity is limited under the service agreement. Austraclear does not provide a centralised securities lending facility or act as a principal in securities lending transactions.

Standard 10: Exchange-of-value settlement systems

If a securities settlement facility settles transactions that comprise the settlement of two linked obligations (for example, securities or foreign exchange transactions), it should eliminate principal risk by conditioning the final settlement of one obligation upon the final settlement of the other.

Rating: Observed

Austraclear eliminates principal risk in settlements involving the transfer of a security in exchange for cash or another security by ensuring that delivery occurs if and only if the associated payment is settled at the same time (SSF Standard 10.1). For the purchase of securities, Austraclear does this through the use of a DvP Model 1 settlement mechanism, which simultaneously settles linked payment and securities obligations on an item-by-item basis in real time. Collateral substitutions are performed on a DvD basis, whereby linked securities transactions settle simultaneously, including where a chain of substitutions are being performed (SSF Standard 10.2).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 10 during the 2014/15 Assessment period. Austraclear's arrangements for exchange-of-value settlements are described in further detail under the following sub-standards.

10.1 A securities settlement facility that is an exchange-of-value settlement system should eliminate principal risk by ensuring that the final settlement of one obligation occurs if and only if the final settlement of the linked obligation also occurs, regardless of whether the securities settlement facility settles on a gross or net basis and when finality occurs.

Austraclear eliminates principal risk by ensuring that the settlement of securities delivery obligations occurs if and only if associated payment obligations are settled. It does so by settling securities transactions on a DvP Model 1 basis (see SSF Standard 10.2). Collateral substitutions instructed by ASX Collateral are settled on a DvD basis under the same arrangements as those for transfer of cash and securities. Where cash is used as a last resort, settlement is on a DvP Model 1 basis.

By volume, DvP settlements accounted for around 46 per cent of total settlements during the Assessment period, one-way cash transfers accounted for around 41 per cent, and DvD transfers related to the ASX Collateral service accounted for around 13 per cent. There were also a small number of free-of-payment securities transfers – making up less than 1 per cent of the total volume of settlements. By value, DvP settlements predominate, accounting for 79 per cent of total transfers involving a cash payment leg in the year to end June 2015.

10.2 A securities settlement facility that is an exchange-of-value settlement system should eliminate principal risk by linking the final settlement of one obligation to the final settlement of the other through an appropriate delivery versus payment (DvP), delivery versus delivery (DvD) or payment versus payment (PvP) settlement mechanism.

Settlement of securities transactions in Austraclear (including the opening and closing of tri-party repo trades submitted by ASX Collateral) is on a DvP Model 1 basis. This entails that: there is a simultaneous transfer of cash and securities obligations between the buyer and seller on an item-by-item basis in real time; final settlement occurs if and only if both of the linked transfers are completed successfully; and if one transfer fails, the linked transfer will also be cancelled.

In the case of collateral substitutions initiated by ASX Collateral, the settlement mechanism requires that finality is achieved only when both linked securities deliveries have been successfully completed – that is, settlement occurs on a DvD basis. The system design further provides for the grouping of linked transactions to accommodate chains of substitutions where collateral has been re-used.

While this design protects against principal risk, multiple substitutions in a long re-use chain may have implications for timely completion of transactions at the end of the day. To mitigate this risk, and ensure that the potential for gridlock is no greater than under non-centralised collateral arrangements, participants engaging in the re-use of collateral may allow cash as collateral of last resort. Substitutions involving the use of cash as collateral of last resort settle on a DvP Model 1 basis, consistent with the settlement of other transactions exchanging securities for cash in Austraclear.

Standard 11: Participant default rules and procedures

A securities settlement facility should have effective and clearly defined rules and procedures to manage a participant default. These rules and procedures should be designed to ensure that the securities settlement facility can take timely action to contain losses and liquidity pressures and continue to meet its obligations.

Rating: Observed

Austraclear has powers under its Regulations and Procedures to manage a participant default, and has documented procedures setting out how to manage a default, including in respect of special purpose participants that are collateral managers. Powers available to Austraclear include powers to suspend or terminate the participant status of a defaulting participant (SSF Standards 11.1, 11.2). Participants are also required to report default events or an expected default to the SSF. Austraclear sets out its default management powers in its Regulations and Procedures (SSF Standard 11.3). Since Austraclear is not exposed to financial loss in the event of a participant default, its handling of a default situation is largely procedural in nature (SSF Standard 11.4). Austraclear's default management arrangements are designed for the particular characteristics of its activities, and take into account potential impacts on relevant markets (SSF Standard 11.5).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 11 during the 2014/15 Assessment period. Austraclear's default management arrangements are described in further detail under the following sub-standards.

11.1 A securities settlement facility should have default rules and procedures that enable the securities settlement facility to continue to meet its obligations in the event of a participant default and that address the replenishment of resources following a default. A securities settlement facility should ensure that financial and other obligations created for non-defaulting participants in the event of a participant default are proportional to the scale and nature of individual participants' activities.

The default of a participant in Austraclear does not require the SSF to meet obligations on its behalf; nor does it create additional obligations for non-defaulting participants. Steps taken by Austraclear to manage a participant default are therefore largely procedural in nature. Participant defaults may result from insolvency events or a failure to comply with the requirements of the Austraclear Regulations, and are dealt with under Regulations 3.10 to 3.14 and under the ASX Enforcement and Appeals Rulebook. Austraclear maintains an internal checklist setting out actions to be taken by relevant business units within ASX in managing a participant default. The default of an Austraclear participant would be managed by the PIRC. The PIRC is chaired by the GE, Operations, and is made up of senior staff from the operational, risk management, compliance and legal units.

In the event that a default involved a user of ASX Collateral, the intent of default rules and procedures would be to preserve contractual default arrangements set out in Principal Agreements that govern the terms of the collateralised trade. These arrangements entitle the collateral receiver to treat collateral held as owned on an outright basis, and include clauses permitting either counterparty to terminate a future obligation to return collateral or cash where the other counterparty has suffered an event of default.

Upon notification of a default under a Principal Agreement, ASX Collateral would act as the collateral receiver's agent and, upon instructions from the collateral receiver, instruct Austraclear to transfer collateral held from the receiver's Collateral Account to its Source Account or Austraclear trading account.

Nothing in the arrangements requires ASX Collateral to enquire into the validity of any matters in connection with Principal Agreements, including in relation to actions taken in a default event. Any dispute over actions taken would be a matter for parties to the Principal Agreement. ASX Collateral is not a party to the Principal Agreement and its role as agent is strictly limited. Equally, Austraclear is not party to the Principal Agreement; Austraclear's role in the process would be to act on the instructions of ASX Collateral. Nevertheless, the Austraclear Regulations provide an indemnity to Austraclear against any loss or claim arising from its actions in accordance with instructions from ASX Collateral.

11.2 A securities settlement facility should be well prepared to implement its default rules and procedures, including any appropriate discretionary procedures provided for in its rules. This requires that the securities settlement facility should:

1. require its participants to inform it immediately if they:
   1. become subject to, or aware of the likelihood of external administration, or have reasonable grounds for suspecting that they will become subject to external administration; or
   2. have breached, or are likely to breach, a risk control requirement of the securities settlement facility; and
2. allow for the cancellation or suspension of a participant or commercial settlement bank from the securities settlement facility:
   1. if the participant or commercial settlement bank is in external administration; or
   2. if there is a reasonable suspicion that the participant or commercial settlement bank may become subject to external administration; and
3. allow participant users of a commercial settlement bank which becomes subject to external administration, or which is reasonably likely to become subject to external administration, to quickly nominate a new commercial settlement bank.

Austraclear's Regulations and Procedures provide for the cancellation or suspension of a participant or Participating Bank that becomes subject to external administration, or where there is a reasonable suspicion that this may occur. A participant or a Participating Bank is also required to notify Austraclear if it becomes subject to external administration or where it reasonably suspects that this may occur. Similar powers and requirements apply to Foreign Currency Settlement Banks.

There is no restriction within the Austraclear Regulations and Procedures on a participant changing its Participating Bank, including the case where that Participating Bank is insolvent.

11.3 A securities settlement facility should publicly disclose key aspects of its default rules and procedures. Where a securities settlement facility settles via a multilateral net batch, arrangements for dealing with any unsettled trades of a defaulting participant that are not guaranteed by a central counterparty, such as reconstituting the multilateral net batch excluding the settlement obligations of the defaulting participant, should be clear to all its participants and should be capable of being executed in a timely manner.

Austraclear's Regulations and Procedures are published on the ASX public website. These include a requirement for a participant to give notice of insolvency or the reasonable possibility of insolvency and the right of Austraclear to suspend or terminate participant status in a default event.

11.4 A securities settlement facility should involve its participants and other stakeholders in the testing and review of the securities settlement facility's default procedures. Such testing and review should be conducted at least annually and following material changes to the rules and procedures to ensure that they are practical and effective.

ASX conducts regular in-house default management ‘fire drills’ to test default procedures as they would apply to participants across one or more of the ASX CS facilities. These fire drills focus on the more complex scenario of a clearing participant default and only relate to Austraclear in that they involve the declaration of default. Other procedural steps related to a default of an Austraclear participant are not covered, but these are carried out in practice from time to time to a greater degree than for the other ASX facilities that have a narrower participation base (see below). Since neither Austraclear nor its participants are exposed to financial obligations created by the default of a participant in respect of Austraclear transactions (a participant may be impacted by the default of another participant if it has outstanding unsettled bilateral transactions with the defaulting participant, but these exposures would not be generated within Austraclear), the management of a settlement-only participant default situation is generally procedural in nature. Austraclear has on occasion needed to employ its default management procedures, most recently to address the default of BBY Limited in May 2015 (see Appendix A1.1, CCP Standard 12.2 and Section 4). Prior to that, Austraclear was required to manage a default in July 2013, following the appointment of an external administrator to a participant in July 2013. Since the participant provided agency settlement services for other Austraclear participants, Austraclear's management of the default included facilitating a transition to alternative arrangements for participants reliant on these agency services for settlement.

11.5 A securities settlement facility should demonstrate that its default management procedures take appropriate account of interests in relevant jurisdictions and, in particular, any implications for pricing, liquidity and stability in relevant financial markets.

All products settled by Austraclear are AUD-denominated (including Euroentitlements) and Austraclear's operations are conducted domestically. Key participants generally have a significant domestic presence and Participating Banks must be domestically licensed ADIs with an ESA at the Bank. As Austraclear's default management procedures do not place financial obligations on participants, there would be expected to be minimal potential impacts on market pricing, liquidity and stability stemming from execution of these procedures.

Standard 12: General business risk

A securities settlement facility should identify, monitor and manage its general business risk and hold, or demonstrate that it has legally certain access to, sufficient liquid net assets funded by equity to cover potential general business losses so that it can continue operations and services as a going concern if those losses materialise. Further, liquid net assets should at all times be sufficient to ensure a recovery or orderly wind-down of critical operations and services.

Rating: Observed

Austraclear identifies, monitors and manages its general business risks in the context of its overall Enterprise Risk Management Policy (SSF Standard 12.1). It has access to sufficient funds held at group level to support continued operations as a going concern if it incurs general business losses. These funds are backed by equity and invested in liquid assets. The legal basis of Austraclear's access to funds held at group level is set out in the ASX Group Support Agreement (SSF Standards 12.2, 12.3, 12.4). During the Assessment period, Austraclear enhanced its recovery arrangements in line with the CPMI-IOSCO guidance on recovery planning (SSF Standard 12.3). ASX maintains viable arrangements to raise additional equity for its CS facilities as required (SSF Standard 12.5).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 12 during the 2014/15 Assessment period. While existing arrangements are assessed to meet the minimum standard, the Bank encourages Austraclear to test and review its capacity to raise additional equity to replenish general business risk capital.

Austraclear's management of general business risk is described in further detail under the following sub-standards.

12.1 A securities settlement facility should have robust management and control systems to identify, monitor and manage general business risks, including losses from poor execution of business strategy, negative cash flows or unexpected and excessively large operating expenses.

ASX's approach to business risk is consistent with its overall Enterprise Risk Management Policy and Framework (see SSF Standard 3). Under the framework, formal policies are in place for individual risk categories such as accounting, authorisations, business continuity, technology, fraud control and procurement.

ASX monitors a variety of financial business risks, including market risk, credit risk, liquidity risk and capital risk.

• Group funds (as distinct from collateral lodged by participants) may be exposed to market risk due to changes in market variables such as interest rates, foreign exchange rates and equity prices. Mitigants for market risk include hedging of foreign exchange risk and monitoring of equity price risk, with appropriate capital allocation.
• Credit risk for the Group's general business activities arises in the collection of receivables, which principally comprise fees from market participants, issuers, users of market data and other customers. Mitigants include active collection procedures on trade receivables and ‘ageing’ of receivable amounts.
• Liquidity risk arises from the Group's time-critical payables, and is mitigated by prudent liquidity management, with forward planning and forecasting of liquidity requirements.
• ASX may be exposed to capital risk if equity in group entities falls below prudent or regulatory minimum levels. ASX manages its capital at a group level, in accordance with an objective of maintaining a prudent level of surplus net tangible equity. Ongoing monitoring of cash flows and capital adequacy is conducted via quarterly meetings of CALCO.

ASX undertakes periodic strategic risk assessments in the context of its overall business plans. Through this process, ASX identifies new strategic business initiatives, such as the projects that delivered the ASX Collateral and over-the-counter (OTC) derivatives clearing services. These are subject to financial analysis, which includes high, low and base case revenue assumptions and forecasts. Impacts on capital are also determined and analysed.

ASX undertakes risk assessments when undertaking any expansion of its activities or in the event of material changes to its business. Risk assessments are built into ASX's project management framework (see SSF Standard 14.4). Under this framework an initial high-level risk indication is defined at the project concept stage. This is followed by a formal project risk assessment covering both project delivery risks and impacts to business activities. ASX typically conducts a series of workshops involving project staff to discuss risks associated with any planned new service. Prior to the approval of a project for launch/production, ASX prepares an operational readiness summary and conducts a final workshop to discuss possible risks associated with initial launch. This includes consideration of potential failure scenarios and workarounds, procedures for escalation of issues, and help desk and key staff availability.

Following launch, the risks of a new activity are captured in risk profiles that are prepared by department management every six months. CALCO also monitors actual and forecast capital and liquidity requirements on a quarterly basis, including requirements related to new projects.

12.2 A securities settlement facility should hold, or demonstrate that it has legally certain access to, liquid net assets funded by equity (such as common stock, disclosed reserves or other retained earnings) so that it can continue operations and services as a going concern if it incurs general business losses. The amount of liquid net assets funded by equity a securities settlement facility should hold, or have access to, should be determined by its general business risk profile and the length of time required to achieve a recovery or orderly wind-down, as appropriate, of its critical operations and services if such action is taken.

ASX has set aside $241 million for operational and business risk across the four ASX Group CS facilities, $166 million of which has been attributed specifically to operational and business risks across both Austraclear and ASX Settlement. Since ASX has identified constraints to making business risk capital bankruptcy remote within the SSFs, this capital is held at the ASX Group level. Each CS facility has a separate allocation for business risk capital that is explicitly recognised within group-wide capital holdings. These holdings include an additional buffer against potential losses sustained elsewhere in the group. The ASX Group Support Agreement places an obligation on ASX to maintain sufficient capital to support Austraclear's continued operations in the event of general business losses, supporting the legal certainty of Austraclear's access to business risk capital as required.

In determining the sufficiency of the $166 million in operational and business risk capital set aside for Austraclear and ASX Settlement, ASX first calculated risk amounts for the individual SSFs. This was based on a methodology in use at other SSFs, fund managers and custodians that applies a capital charge for operational and business risk to the value of securities held in the facility. The correlation between asset values and associated risks is modelled on a percentage basis, with the percentage of required risk resources declining as the level of assets increases – recognising that a significant part of the risk resources required will represent a fixed cost. ASX's application of this methodology results in a charge of 0.68 basis points on $1.75 trillion of securities held in Austraclear and a charge of 0.74 basis points on $1.55 trillion securities held in ASX Settlement, giving a required value of risk resources of around $120 million and $115 million for Austraclear and ASX Settlement, respectively.

ASX assumes that the two facilities will not both require their full risk funds at the same time. This reflects that the custodial and operational risks that this capital is calibrated to cover are unlikely to result in simultaneous peak losses in both SSFs. ASX has applied a ‘square root of the sum of squares’ formula to arrive at the figure of $166 million to cover the operational and business risk exposure of the two settlement facilities. The business risk capital held in respect of the SSFs is sufficient to ensure that, even if one SSF were to utilise the full value of its required risk resources ($120 million and $115 million for Austraclear and ASX Settlement respectively), sufficient funds would be available to fund the other SSF's recovery plan and meet the single largest uninsured business loss event for that facility. In addition, ASX's general capital buffer is sufficient to ensure that it would remain able to provide to the second SSF the full value of its required risk resources in the event that this was required.

12.3 A securities settlement facility should maintain a viable recovery or orderly wind-down plan and should hold, or have legally certain access to, sufficient liquid net assets funded by equity to implement this plan. At a minimum, a securities settlement facility should hold, or have legally certain access to, liquid net assets funded by equity equal to at least six months of current operating expenses. These assets are in addition to resources held to cover participant defaults or other risks covered under SSF Standard 4 on credit risk and SSF Standard 6 on liquidity risk. However, equity held under international risk-based capital standards can be included where relevant and appropriate to avoid duplicate capital requirements.

Austraclear has developed a plan setting out options for its recovery or wind-down based on its existing Operating Rules, and has developed enhancements to this plan, in line with CPMI-IOSCO guidance on recovery planning (see SSF Standard 3.5). ASX will be formally documenting its enhanced recovery arrangements over the coming period. In calculating the quantum of business risk capital described under SSF Standard 12.2, ASX has sought to ensure access to sufficient liquid net assets to fund operations during the execution of Austraclear's recovery plan or to cover a minimum of six months of current operating expenses.

Austraclear's enhanced recovery approach establishes arrangements to address losses that arise from a range of general business risks. These general business losses to Austraclear would be absorbed by ASX, including through application of general business risk capital held for the SSFs by ASX Limited (see SSF Standard 12.2). This recovery approach takes into account that ASX supplements its business risk capital through the use of insurance to cover its exposure to a broad range of risks (including coverage of professional indemnity and fraud risks). ASX Limited has also committed to maintaining adequate levels of business risk capital for the CCPs and SSFs, recapitalising these funds as required (SSF Standard 12.5). Austraclear would apply a similar approach to address losses on its treasury investment portfolio since the amount invested is not material.

12.4 Assets held to cover general business risk should be of high quality and sufficiently liquid in order to allow the securities settlement facility to meet its current and projected operating expenses under a range of scenarios, including in adverse market conditions.

The risk capital for ASX's CS facilities is invested in accordance with the ASX Limited and ASX Operations Pty Limited Investment Mandate. The Investment Mandate specifies investment objectives, responsibilities, approved products and counterparties, and audit and maintenance of the mandate. Approved products are generally highly rated and liquid products such as: cash deposits; bank bills, negotiable certificates of deposit and floating rate notes issued by APRA-approved ADIs; foreign exchange in specified currencies; Australian Government securities; and selected semi-government securities. Limits are applied against counterparty, liquidity and market risks. Liquidity limits are specified for maximum instrument maturity and weighted average maturity.

12.5 A securities settlement facility should maintain a viable plan for raising additional equity should its equity fall close to or below the amount needed. This plan should be approved by the board of directors and updated regularly.

As noted, ASX Limited manages its operational and business risk capital at the group level. The ASX Limited Board monitors the ongoing capital adequacy of the ASX Group as part of its regular capital planning activities. The Board determines the most appropriate means of raising additional capital when needed, giving due consideration to prevailing market conditions and available alternative financing mechanisms. For example, in June 2013, ASX Limited conducted a capital raising by way of a $553 million share entitlement offer, with the bulk of the funds being used to increase the business risk capital of the CS facilities and their pooled financial resources to deal with participant default.

Austraclear's enhanced recovery approach depends on timely and reliable recapitalisation processes to address general business and investment losses. Austraclear is therefore reviewing its recapitalisation arrangements to ensure consistency with its enhanced recovery arrangements. The Bank will continue to discuss recapitalisation arrangements with Austraclear over the 2015/16 Assessment period.

Standard 13: Custody and investment risks

A securities settlement facility should safeguard its own and its participants' assets and minimise the risk of loss on and delay in access to these assets. A securities settlement facility's investments should be in instruments with minimal credit, market and liquidity risks.

Rating: Observed

The assets of Austraclear are invested on its own behalf in cash or other high-quality liquid assets, which allow prompt access to its assets when required (SSF Standards 13.1, 13.2). Austraclear controls investment risk by limiting its approved counterparties to large Australian banks, and investing predominantly in cash (SSF Standard 13.4).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 13 during the 2014/15 Assessment period. Austraclear's arrangements for managing custody and investment risks are described in further detail under the following sub-standards.

13.1 A securities settlement facility should hold its own and its participants' assets at supervised and regulated entities that have robust accounting practices, safekeeping procedures and internal controls that fully protect these assets.

Austraclear has funds from retained earnings that are invested in cash or other high-quality liquid assets; it does not use custodians to invest these funds (see SSF Standard 13.4).

ASX Collateral does not create custody risk for Austraclear. While the Collateral Manager has control over new collateral accounts for the purposes of submitting settlement instructions on behalf of service users, title of securities remains at all times with the service users.

Austraclear has custody of participants' securities deposited in the Austraclear system. For details of these custodial arrangements and arrangements to safeguard the integrity of securities held in Austraclear, see SSF Standard 9. Austraclear does not hold other assets of participants.

13.2 A securities settlement facility should have prompt access to its assets and the assets provided by participants, when required.

Under the terms of the Austraclear Investment Mandate, funds held by Austraclear must be invested with large Australian banks in highly liquid assets (see SSF Standard 13.4). Austraclear does not use custodians to hold its assets or participants' assets. These arrangements aim to ensure that Austraclear has prompt access to its assets when required.

13.3 A securities settlement facility should evaluate and understand its exposures to its custodians, taking into account the full scope of its relationships with each.

Austraclear does not use custodians to hold its assets or the assets provided by participants.

13.4 A securities settlement facility's investment strategy should be consistent with its overall risk management strategy and fully disclosed to its participants, and investments should be secured by, or be claims on, high-quality obligors. These investments should allow for quick liquidation with little, if any, adverse price effect.

Austraclear is exposed to investment risk on funds from contributions and retained earnings. These funds, currently around $10 million, are small relative to the total funds held by ASX Limited at the group level to cover general business risk and are invested predominantly in cash. The Investment Mandate for Austraclear funds requires that liquidity be maintained so that it can meet its liabilities in a timely fashion. Investment products are limited to a small set of low risk and highly liquid AUD-denominated products – cash, bank bills or certificates of deposit – with large Australian banks as counterparties. Hard limits are set on maximum instrument maturity (180 days) and weighted average maturity (60 days).

Standard 14: Operational risk

A securities settlement facility should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the securities settlement facility's obligations, including in the event of a wide-scale or major disruption.

Rating: Observed

Austraclear's key operating system is EXIGO.

Austraclear manages its operational risks in the context of its group-wide Enterprise Risk Management Framework (SSF Standard 14.1). Responsibility for approving and reviewing operational risk management policy is shared between the ASX Limited and CS Boards, the Audit and Risk Committee and individual departments. The management of each department is responsible for implementing operational risk controls in their respective areas (SSF Standard 14.2). Austraclear sets clear operational reliability objectives and pursues policies designed to achieve those objectives. Key objectives for EXIGO, such as minimum availability of 99.9 per cent and peak capacity utilisation of 50 per cent, were met during the Assessment period. Austraclear maintains physical and information security policies based on relevant domestic and international standards (SSF Standard 14.3). Austraclear considers that it has sufficient well-trained and competent personnel and other resources to operate EXIGO. Austraclear prioritises its projects to ensure that business development work does not risk the availability of these resources for key systems (SSF Standard 14.4).

Austraclear manages operational interdependencies with participants, and with ASX Clear and ASX Clear (Futures), through its participant monitoring processes and group-wide risk management framework, respectively (SSF Standard 14.5). Its dependencies on service providers and utilities are subject to ongoing monitoring and contingency arrangements where appropriate. Austraclear has introduced clauses in its legal agreements with key outsourcing and critical service providers that impose requirements on those providers equivalent to those under the FSS, access to information for the Bank, and notice to the Bank in the case of termination (SSF Standards 14.9, 14.10, 14.11).

Austraclear also maintains business continuity arrangements that provide a high degree of redundancy and, through the use of dual sites, target the resumption of operations within two hours following disruptive events. These arrangements are regularly tested in real time during live operations (SSF Standard 14.7). Participants are required to maintain appropriate operational and business continuity arrangements that complement Austraclear's own arrangements, and are appropriate to the nature and scale of their business. Austraclear monitors participants' compliance with these requirements, and broader operational performance, on an ongoing basis (SSF Standards 14.6, 14.8).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 14 during the 2014/15 Assessment period. In order to continue to observe this standard, Austraclear will need to review its operational arrangements in light of the proposed establishment of a special resolution regime for financial market infrastructures (FMIs) in Australia. In particular, Austraclear will need to ensure that its operations are organised in such a way as to facilitate effective crisis management actions under that regime once finalised.

In addition, Austraclear is encouraged to continue its dialogue with the Bank on its cyber risk management arrangements, including on the Board-level governance of its cyber risks and ongoing review of its information security strategy and policy framework. Austraclear is also encouraged to review its cyber risk management arrangements in light of forthcoming CPMI-IOSCO guidance on cyber resilience for FMIs.

The Bank will continue to examine prioritisation decisions, resourcing challenges, interdependencies with day-to-day business-as-usual processes, and potential change-management issues associated with ASX's technology transformation project. The Bank will also discuss with Austraclear how it applies the CPMI-IOSCO oversight expectations in managing its relationships with external providers of critical services, including the role of the recently released CPMI-IOSCO Assessment Methodology in its oversight of these critical service providers.

Austraclear's arrangements for managing operational risks are described in further detail under the following sub-standards.

Identifying and managing operational risk

14.1 A securities settlement facility should establish a robust operational risk management framework with appropriate systems, policies, procedures and controls to identify, monitor and manage operational risks.

ASX's operational risk policies and controls have been developed in accordance with ASX's group-wide Enterprise Risk Management Framework (see SSF Standard 3.1). Under this framework, the ASX Limited Board is responsible for reviewing and overseeing the group's risk management systems (see SSF Standard 2.6). The Board delegates review of the Enterprise Risk Management Framework to its Audit and Risk Committee. An ERMC, comprising executives from across ASX's departments, is responsible for approving enterprise risk policies and reviewing controls, processes and procedures to identify and manage risks, as well as the formal approval of significant operational risk policies prepared by individual departments (see SSF Standard 14.2). Under the Enterprise Risk Management Framework, individual departments are also responsible for: identifying business-specific risks; applying controls; maintaining risk management systems; reporting on the effectiveness of risk controls; and implementing enhancements and taking remedial action.

Dedicated security teams have responsibility for assessing both physical and cyber security risks, and are overseen by an internal Security Steering Committee (see SSF Standard 14.3). The Security Steering Committee is responsible for approving, implementing and overseeing ASX's information and physical security strategies, and coordinating ASX's security initiatives with management of its Technology (IT security) and Finance (physical security) divisions. It is chaired by the Information Technology (IT) Security Manager, and comprises: the Chief Information Officer (CIO); Chief Financial Officer (CFO); GE, Operations; General Manager, Technology Governance; General Manager, Corporate Technology; National Facilities Manager; and General Manager, Internal Audit. The Security Steering Committee provides reports to the Audit and Risk Committee and the executive-level ERMC, including regular Technology status and enterprise risk reports as well as ad hoc security reports.

14.2 A securities settlement facility's board of directors should clearly define the roles and responsibilities for addressing operational risk and should endorse the securities settlement facility's operational risk management framework. Systems, operational policies, procedures and controls should be reviewed, audited and tested periodically and after significant changes.

The roles and responsibilities for addressing operational risk are clearly defined in the CS Boards' Charter, the Audit and Risk Committee Charter, and the Enterprise Risk Management Framework. As described above, risk responsibilities are shared between the ASX Limited Board, the CS Boards, the Audit and Risk Committee, the ERMC and individual departments.

Ultimate responsibility for the management of ASX's cyber-related risks lies with the ASX Limited Board, reflecting that different business areas share common vulnerabilities to cyber threats and that the response to such threats may require group-wide coordination. In practice, however, the Board delegates its ongoing oversight of cyber resilience to the ASX Limited Audit and Risk Committee, subject to the Board's stated very low tolerance for residual operational risks. The Board remains informed of significant cyber-related developments or issues, including where cyber incidents could threaten the availability or integrity of ASX systems, and in considering cyber risks in the approval of major projects. The Audit and Risk Committee receives regular updates on information security matters and oversees the cyber resilience activities of ASX management and staff. ASX's governance arrangements for cyber resilience are described in more detail in Section 3.5.6, Box B.

Policies and procedures are the subject of internal and external review. ASX's Internal Audit department routinely monitors compliance with operational policy, reporting to the Audit and Risk Committee on a quarterly basis. Scheduled reviews carried out by Internal Audit include business unit process and operational audits and information technology reviews. Internal Audit also reviews major projects and carries out special investigations as required (e.g. following a major operational incident). Audit findings may prompt a review of policy, which would be conducted in consultation with key stakeholders. Technology-related security policy is considered by external auditors annually.

ASX benchmarks its operational risk policy against relevant international standards. For example:

• ISO 31000 – Risk Management Principles and Guidelines is used to benchmark ASX's overarching framework for operational risk management.
• The business continuity framework is benchmarked against the Business Continuity Institute's Good Practice Guidelines 2013, and the international standard ISO 22301:2012 Business Continuity Management Systems.
• The technology risk management framework is benchmarked against ISO 17799 (which covers principles for information security management) and ISO 27001 (requirements for information security management systems). Cyber security strategies are further benchmarked against the Australian Signals Directorate's Strategies to Mitigate Targeted Cyber Intrusions.
• The compliance framework is benchmarked to the AS 3806-2006: Compliance Programs.
• The ASX Fraud Control Policy is benchmarked against AS 8001-2008: Fraud and Corruption Control.

During the Assessment period, ASX carried out a high-level self-assessment of its cyber resilience practices against the United States National Institute of Standards and Technology (NIST) Cyber Security Framework.^[5] This self-assessment concluded that ASX's cyber security practices generally aligned with the upper two tiers of maturity levels under the NIST Framework (see Section 3.5.6, Box B).

In addition, Austraclear's operational risk controls and reliability objectives are designed to meet operational standards set by the Bank as part of its ‘Step-in and Service Agreement’. As a feeder system to RITS, and as a systemically important system, Austraclear's system architecture is required under these standards to be equivalently operationally robust to that of RITS.

The risk framework defines a variety of control procedures to support the core operational systems. These include audit logs, segregation of duties controls such as dual input checks and approval, management sign-off and processing checklists as the primary preventative controls, supported by reconciliations and management reviews of activity.

Change management and project management

Austraclear operates a separate test environment for its core system (EXIGO), and has a formal change management process which is documented in the ASX Technology Change Management Policy and Guideline. The policy and guidelines cover the requirements for the notification, risk assessment, testing and implementation of technology changes for all ASX CS facilities, as well as the key roles and responsibilities in relation to technology change management. There are also defined procedures for communicating with participants and vendors details of technology upgrade releases, which include regular notices to participants of upcoming changes. Aspects of the change management process are reviewed each year by the external auditor.

Major projects are overseen by the Enterprise Portfolio Steering Committee (EPSC), which is comprised of representatives of the Group Executive. The EPSC is responsible for determining project priorities across the ASX Group, and overseeing the quality of project execution and resourcing. Project management of major projects is undertaken by the Project Management Office (PMO). Projects incorporate testing processes, which verify that systems or services meet benchmarks set prior to implementation. Testing addresses both technical and operational aspects of projects. The project management process includes engagement with customers and third-party vendors of supporting systems where appropriate, particularly in customer testing. Project plans also include formal checkpoints to ensure all appropriate risk management controls are in place prior to live use of a new or updated system or service.

In February 2015, ASX announced a technology transformation program to upgrade all of its major trading and post-trading systems over the next three to four years (see Section 3.5.6). The program is intended to rationalise ASX's core technology onto a single services platform, removing interdependencies that currently exist between unrelated systems. The first phase of the program will upgrade ASX's trading, risk management and market monitoring systems. A subsequent phase of the technology transformation program will focus on ASX's clearing and settlement platforms. This includes the consolidation of derivatives clearing onto a common platform and the replacement of the CHESS clearing and settlement system for cash equities.

Given the significance of the technology transformation program for ASX's critical trading, clearing, settlement and risk management systems, the ASX Limited Board and CS Boards will receive regular status updates throughout the life of the project, with executive-level oversight of project management provided by the EPSC. ASX's Audit and Risk Committee, together with the ERMC, oversees the management of operational and strategic risks associated with execution of the program, with internal and external audit providing review of key elements. ASX has formally adopted an ‘Agile project management’ approach for its technology transformation. This seeks to streamline decision making by bringing together the human and technological resources that support the design, development and testing processes, and delivering project outputs in a series of incremental stages (so-called ‘sprints’).

The Bank is receiving detailed monthly updates on the progress of the technology transformation program. These updates also provide an opportunity for the Bank to examine interdependencies with day-to-day business-as-usual processes and potential change-management issues.

14.3 A securities settlement facility should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives. These policies include, but are not limited to, having: exacting targets for system availability; scalable capacity adequate to handle increasing stress volumes; and comprehensive physical and information security policies that address all potential vulnerabilities and threats.

Operational reliability and availability

Availability targets are documented and defined formally for critical services. EXIGO is required under its Step-in and Service Agreement with the Bank to meet a minimum availability target of 99.9 per cent; during the 2014/15 Assessment period EXIGO was available 100 per cent of the time.

Operational capacity

System capacity is monitored on an ongoing basis, with monthly reviews of current and projected capacity requirements. The results are reviewed against established guidance for capacity headroom over peak recorded values for all critical systems; that is, to maintain capacity 50 per cent over peak recorded daily volumes, with the ability to increase to 100 per cent over peak within six months. Capacity data are reported monthly to the CEO. Average capacity utilisation of EXIGO during the Assessment period was 24 per cent, while peak utilisation was 35 per cent. Austraclear considers that it has sufficient technical and human resources to operate EXIGO during peak periods, including in the event of operational incidents or system failure.

Information and physical security

ASX's cyber resilience approach is defined by the Information Security Strategy approved by the Security Steering Committee, and more granular policies and standards set out in ASX's Information Security Policy Framework. The Information Security Strategy sets out six high-level objectives for ASX's information security approach:

• ensuring that information security supports enterprise-wide strategy and governance, safeguarding the confidentiality, integrity and availability of critical data and systems
• ensuring that information security is implemented using a risk-based approach
• ensuring that information security considers interdependencies with external stakeholders (including participants and regulators)
• supporting the development of a culture of security and the acceptance of information security responsibilities throughout the organisation
• ensuring information security is flexible enough to adjust to meet changing market demands
• pursuing continual improvement in the effective and efficient deployment of information security controls.

The Information Security Strategy and Policy Framework are reviewed on a regular basis by the IT Security Team, with formal review by the Security Steering Committee carried out on an ad hoc basis in response to material changes to the security environment. The last such review was in October 2014.

Information security policy is tested at a number of levels. This includes penetration testing against the ASX perimeter and vulnerability testing within the perimeter. Austraclear performs EXIGO security testing on a quarterly basis. ASX operates a suite of controls designed to prevent and detect cyber attacks on its systems, such as denial of service or malware threats. These include continuous monitoring of its network for cyber intrusions and malicious code, steps to monitor suspicious internet traffic, regular scans to ensure that both the network perimeter and system assets remain secure, and the maintenance of spare capacity to manage legitimate or malicious surges in internet traffic, as well as steps to regulate access to ASX systems (described below). User access for the key systems is restricted to prevent inappropriate or unauthorised access to application software, operating systems and underlying data. User activities are uniquely identifiable and can be tracked via audit trail reports. The level of access is authorised by the system owner with users granted the minimum level of access to systems necessary to perform their roles effectively. External access to ASX systems must pass through multiple layers of firewalls and intrusion prevention, and individual networks are segregated. ASX's system architecture is designed to minimise the risk of a cyber threat spreading, via the segregation of critical systems. ASX has also recently commenced a project to implement a new identity management application to enhance the identity management capability and automate many of the set-up, maintenance and removal processes associated with user access administration.

Application testing is carried out in test environments (see SSF Standard 14.2). Testing reports are documented, with identified problems escalated to management and tracked through to remediation. Similarly, any significant technology-based operational incidents are reported to senior management and issues are tracked through to resolution via regular updates to management.

Physical access is controlled at both an enterprise and departmental level. The key systems supporting ASX's clearing and settlement processes are operated within secure buildings. Settlement operations are separated from general office areas with permitted access determined at a senior manager level and records of access maintained. Physical security arrangements for the primary and backup data centres are broadly equivalent.

14.4 A securities settlement facility should ensure that it can reliably access and utilise well-trained and competent personnel, as well as technical and other resources. These arrangements should be designed to ensure that all key systems are operated securely and reliably in all circumstances, including where a related body becomes subject to external administration.

Access to resources

Austraclear has arrangements in place to ensure that it has well-trained and competent personnel operating EXIGO. Staff are provided with relevant policies and guidelines from commencement of employment, with weekly communications thereafter. Staff are evaluated with reference to each defined operational process and broader skills matrices, with training provided for identified areas of weakness. Austraclear has a formal succession planning and management process in place for key staff. ASX has sought to automate routine operational processes and reporting over recent years, freeing up additional staff resources that would otherwise be devoted to these tasks.

In April 2015, ASX launched a new customer support centre within ASX's Australian Liquidity Centre.^[6] The customer support centre brings together operations, technology and market surveillance staff in a single location, which is now ASX's primary operations base as well as primary data centre.^[7] The current customer support centre was previously ASX's secondary operations site for business continuity purposes. To facilitate rapid recovery in the event of an operational disruption, around 30 per cent of ASX's operational staff are now based at its secondary operations site (formerly the primary operations site). In case of a disruption to staffing arrangements at the primary site for staff, the secondary operations centre has capacity to house 65 per cent of all operational staff.

Following the opening of the centre, ASX established a new Customer Experience team under a new Executive General Manager. This team brings together the main customer-facing functions from across ASX and is responsible for the development and delivery of the ASX customer experience.

Alongside these changes to broader customer support arrangements, ASX introduced changes to the organisation of its operations division in June 2015. Most notable was the creation of a new ‘Risk Manager, Operations’ position, reporting directly to the GE, Operations; the new Risk Manager will have responsibility for matters such as operational business continuity, incident reporting and management, and will work closely with the General Manager responsible for enterprise-wide risk management. The new role is intended to enhance support for risk identification and management in operational processes.

Resources shared with a related body

Within the ASX group structure, most operational resources are provided by ASX Operations Pty Limited, a subsidiary of ASX Limited (see ‘ASX Group Structure’ in Appendix A), under a contractual Support Agreement. ASX Operations is also required under the Support Agreement to provide the Bank with reasonable rights of access in respect of information relating to its operation of critical functions provided to Austraclear (see SSF Standard 14.10 in respect of broader rights of access provided to the Bank by Austraclear's critical service providers).

In the event that ASX Operations became subject to external administration, to the extent permissible by law, provisions within the Support Agreement provide for Austraclear and the other clearing and settlement corporate entities to retain the use of operational resources. Under proposals currently under consideration by the government in the context of establishing of a special resolution regime for CS facilities (see SSF Standard 14.11), the Bank would have the power to issue directions in day-to-day oversight, recovery and resolution to related entities such as ASX Operations that provide critical services to a CS facility under ex ante legal agreements. This proposed directions power would further safeguard Austraclear's access to critical services provided by ASX Operations.

Resourcing of major projects

The EPSC is tasked with ensuring that ASX has sufficient well-qualified personnel to cope with periods in which it is simultaneously undertaking a number of projects, including those resulting in significant changes to business (see SSF Standard 14.2). In managing projects affecting core systems (including EXIGO), the PMO rates projects to ensure that they receive appropriate access to resources.

For example, in its oversight of ASX's technology transformation program (see SSF Standard 14.2), the EPSC determines the prioritisation of resourcing for key projects. The Bank is receiving detailed monthly updates on the progress of the technology transformation program. These updates also provide an opportunity for the Bank to examine prioritisation decisions and resourcing challenges.

Another key project for Austraclear during the Assessment period has been an initiative to bring EXIGO development support in house. Austraclear has managed the additional resource implications of this ‘insourcing’ project through the recruitment of additional developers and the secondment of a senior developer from the vendor (see SSF Standard 14.5). Delivery of the project has nevertheless experienced delays, in part due to the diversion of some resources to other projects such as ASX Collateral and the foreign currency settlement service and, most recently, to provide additional time for clients to update their systems. The project is expected to be completed in October 2015. ASX has taken steps to ensure the availability of EXIGO development support from the current service provider for the additional period.

14.5 A securities settlement facility should identify, monitor and manage the risks that key participants, other FMIs and service and utility providers might pose to its operations. A securities settlement facility should inform the Reserve Bank of any critical dependencies on utilities or service providers. In addition, a securities settlement facility should identify, monitor and manage the risks its operations might pose to its participants and other FMIs. Where a securities settlement facility operates in multiple jurisdictions, managing these risks may require it to provide adequate operational support to participants during the market hours of each relevant jurisdiction.

Dependencies on participants and other FMIs

ASX identifies, monitors and mitigates potential dependencies on participants in a number of ways:

• by holding regular discussions with participants on risk management processes (see SSF Standard 3.1)
• through participation requirements related to operational capacity and business continuity arrangements (see SSF Standards 14.6 and 15.2)
• as part of its assessments of project-related risks (see SSF Standard 14.1)
• through general monitoring of risks under its risk management framework (see SSF Standard 3.1).

For Austraclear, ASX has identified risks relating to its operational activities arising from participants outsourcing their back-office processing offshore. Participants' outsourcing of back-office processes and technology to overseas domiciled hubs or third-party vendors may complicate incident management due to differences in time zones and languages, and in some cases a lack of familiarity with local market practices and conventions. Such factors, if inadequately mitigated, could increase operational risk. During the period, ASX reviewed and standardised its offshoring and outsourcing guidance across its markets and CS facilities, with the exception of Austraclear. ASX is currently working on a project to align, where appropriate, the admission, notification and offshoring and outsourcing requirements for the Austraclear facility with those of the other CS facilities.

Austraclear has operational interdependencies with ASX Clear, ASX Clear (Futures), LCH.Clearnet Limited (LCH.C Ltd), and Clearstream (see SSF Standard 17). Operational interdependencies with ASX Clear and ASX Clear (Futures) are managed in the context of ASX's group-wide operational risk management framework. Operational risks arising from the link with LCH.C Ltd are managed on the same basis as those with participants more broadly (see SSF Standard 17.1).

Dependencies on service providers

ASX has a formal policy that sets out the process for entering into, maintaining and exiting key outsourcing arrangements. If a key service is to be provided by an external service provider, ASX first conducts a tender process in which proposals from potential vendors are assessed against relevant criteria. Arrangements have been implemented under which ASX would consult with the Bank before entering into new agreements with third parties for critical services. ASX also provides the Bank with a list of critical outsourcing arrangements on an annual basis. Issues relating to outsourcing or service provision are escalated as appropriate to executive management via the ASX Technology Vendor Management Group and the relevant operational support area.

ASX assesses the operational performance of its service providers on an ongoing basis against its own operational policies, to ensure that service providers meet the resilience, security and operational performance requirements of the FSS. ASX maintains current information on its service providers' operations and processes through ongoing liaison, and in turn provides relevant updates to service providers regarding ASX operations. Service providers are also assessed through software regression testing when there is a major system upgrade.^[8] Contractual arrangements with critical service providers require the approval of Austraclear before the service provider can itself outsource material elements of its service. Austraclear's dependencies on service providers include:

• SWIFT. Participants are able to use the SWIFT messaging service to submit settlement instructions to Austraclear. This makes Austraclear reliant on interactions with SWIFT for the processing of transactions from participants using this service. In the event of a SWIFT failure, Austraclear would revert to manual processing of SWIFT payments.
• RITS and foreign currency settlement banks. As the cash leg of all AUD DvP and payment only transactions occur over RITS, transactions, the failure of RITS would potentially prevent settlement in EXIGO. However, ASX has prepared business plans that contemplate EXIGO continuing to operate independently. Steps taken to address interdependencies with Foreign Currency Settlement Banks acting as commercial bank money settlement agents for foreign currency payments are described under SSF Standard 8.3; operational arrangements for foreign currency settlements are designed not to affect the settlement of Australian dollar transactions.
• ASX Collateral/Clearstream. Austraclear also has interdependencies with ASX Collateral. Particularly since access to securities held in collateral accounts in Austraclear would be impaired in the event of an operational disruption to ASX Collateral services, ASX Collateral is required to deliver an equivalent standard of resilience to that of Austraclear. This extends to the outsourced services provided by Clearstream. In terms of architecture, system capacity, recovery time, and availability targets, ASX Collateral and Clearstream are designed to operate to a similar standard to that of Austraclear. In addition, the Service Level Agreement between ASX Operations Pty Limited and Clearstream requires that Clearstream provide ‘round the clock’ operational and technical support via its network of operational centres, with the support during Australian operational hours provided primarily by Clearstream's Singapore centre.

• Utilities and service providers. All other Austraclear operational functions are performed within ASX. However, external suppliers are used for utilities, hardware maintenance, operating system and product maintenance and support, and certain security-related specialist independent services.

  ASX has put in place a number of mitigants to address the risks associated with dependencies on utilities and service providers.

  — Primary and backup data centres are connected to different electricity grids and telecommunication exchanges.

  — Each data centre has backup power generators with capacity to run the site at full load for 72 hours.

  — All external communications links to data centres are via dual geographically separated links.

  — ASX conducts regular testing of backup arrangements. Major systems are tested on a two-year cycle. Participants are notified of business continuity tests in advance through ASX notices.

  — ASX also performs a periodic assessment of suppliers, including consideration of contingency arrangements should externally provided services not be available (such as the use of alternative suppliers) as well as incident escalation procedures and contacts.

• IT licensing and support. Austraclear has a key dependence on a third-party vendor for IT licensing, support and maintenance services for its core EXIGO system. During 2011/12, Austraclear commenced an insourcing project to take over EXIGO's third-level operational and software support (requiring expert knowledge of the core system) from the third-party vendor. This project has the potential to significantly reduce operational risk by giving Austraclear control over future development of the system in terms of both the nature and timing of future enhancements. The project will improve operational risk by significantly simplifying the system through the removal of unused components. It should also improve the timeliness of Austraclear's responses to operational incidents, given the current reliance on 24-hour support across different time zones for highly technical matters. ASX has recruited developers for this project and a senior developer from the third-party vendor has been seconded to Sydney during the development phase. As a contingency, ASX has retained the option to extend existing support arrangements for as long as required. This option has been utilised to accommodate delays without compromising support for EXIGO, including delays created by the resource requirements of other projects and, most recently, to provide additional time for clients to update their systems. The project is now expected to be completed in October 2015 (see SSF Standard 14.4).

Disclosure

The nature and scope of Austraclear's dependencies on critical service providers are disclosed to participants through: Regulations; Guidance Notes; Notices and Bulletins; technical documentation available on the ASX participant website; more general information available on the ASX public website; and in one-on-one meetings with participants, both during the induction process for new participants and on an ongoing basis.

Operational Support

Austraclear provides telephone and email support to participants via a helpdesk, which operates from 7.00 am to 7.30pm (9.30pm during daylight saving time). In April 2015, ASX launched a new customer support centre that brings together operations, technology and market surveillance staff in a single location (see SSF Standard 14.4).

14.6 A participant of a securities settlement facility should have complementary operational and business continuity arrangements that are appropriate to the nature and size of the business undertaken by that participant. The securities settlement facility's rules and procedures should clearly specify operational requirements for participants.

Business continuity requirements are set out in the Austraclear Regulations and Procedures, supplemented by additional guidance issued by ASX on 1 July 2014. These require large participants to maintain adequate business continuity arrangements (see SSF Standard 14.8) to allow the recovery of usual operations within two hours, and no more than four hours, following a contingency event. The targeted recovery time for smaller participants is four hours (and no more than six). Where a participant also acts as a foreign currency settlement bank, it is subject to additional operational resilience requirements reflecting its critical role in the operation of the foreign currency settlement service. If a participant fails to maintain business continuity arrangements consistent with these recovery targets, it may become subject to sanctions or restrictions on its activities. Spot checks of participants' business continuity management are conducted if risk factors are identified, such as where a participant has experienced operational problems. These spot checks examine the participant's governance and processes for resilience and business continuity.

The Regulations and Procedures also require more broadly that participants have facilities, procedures and personnel that are adequate to meet technical and performance requirements. ASX's preferred approach to dealing with operational issues is to work collaboratively with the participant to educate them on their obligations. If the matter is serious, ASX may require that the participant address the weakness as a matter of priority. ASX may also impose conditions on participation, or require that the participant appoint an independent expert to assist with the remediation task.

To further strengthen the Bank's influence over ASX Collateral (and, by extension, Clearstream), or any future Collateral Manager, the Bank has worked with ASIC to develop additional operational resilience requirements for Special Purpose Participants of Austraclear that provide collateral management services. These requirements, which are based on the operational standards imposed on Austraclear by the Bank as part of its Step-in and Service Agreement, include conditions on operational hours, system availability and capacity, outage reporting, business continuity arrangements, and IT governance and security.

Business continuity arrangements

14.7 A securities settlement facility should have a business continuity plan that addresses events posing a significant risk of disrupting operations, including events that could cause a wide-scale or major disruption. The plan should incorporate the use of a secondary site and should be designed to ensure that critical information technology systems can resume operations within two hours following disruptive events. Business continuity arrangements should provide appropriate redundancy of critical systems and appropriate mitigants for data loss. The business continuity plan should be designed to enable the securities settlement facility to complete settlement by the end of the day of the disruption, even in case of extreme circumstances. The securities settlement facility should regularly test these arrangements.

Business continuity management

Austraclear's approach to business continuity is defined in the ASX Business Continuity Management Policy. This policy describes the incident management and business continuity arrangements for all ASX CS facilities, including the appropriate operational response to a CS facility disruption, and the key roles and responsibilities in relation to business continuity. The Business Continuity Policy is supported by a range of other internal documents, including the Business Resumption Plan, the Pandemic Response Plan, and the testing policy for ASX's Business Continuity and Disaster Recovery Plans.

The Group Business Continuity Manager is responsible for developing the ASX business continuity management policies and procedures, and coordinating business continuity activities and training across the CS facilities. The outcomes of these activities are overseen by the Business Continuity Steering Committee, which is chaired by the General Manager Enterprise Risk and includes the Chief Information Officer, CRO, CFO and GE, Operations. The ERMC is responsible for approving ASX's overall business continuity strategy and any related policies.

Austraclear policy requires that failover to the backup data centre should occur within two hours. Plans for recovery of key systems apply to both physical and cyber threats to business continuity; these cover scenarios such as the loss of systems or site access (with or without damage to internal site infrastructure), mass unavailability of staff or a pandemic event. The Bank will discuss further with ASX its plans for recovery of key systems in the event of a cyber-related incident in the context of forthcoming CPMI-IOSCO guidance on cyber resilience.

Austraclear employs a variety of technologies to ensure a high degree of redundancy in its systems – both across sites and within a single site. ASX maintains both a primary and a backup data centre, with broadly equivalent operational requirements. Key plant and equipment at the primary data centre are designed to the Uptime Institute Tier 3 standard of concurrent maintainability.^[9] The main computer network is connected via point-to-point optical fibre, which ASX operates with its own technology, thereby reducing the potential for outages due to operational problems with the telecommunications provider. All core systems employ multiple servers with spare capacity. Front-end servers handling communications with participants are configured to provide automatic failover across sites. Failover of the more critical data servers is targeted to take place within two hours, but would generally be expected to occur within an hour, under the control of management.

Disruption to participants in such circumstances would be mitigated by the high degree of redundancy in front-end system components. In most circumstances, these would be expected to maintain communications with participants' systems and queue transactions until the data servers were reactivated. The integrity of transactions would be supported by: queuing messages until they could be processed; storing all transactions in the database with unique identifiers, thereby preventing the loss or duplication of transactions; and synchronising database records between the primary and backup data centres. Furthermore, in the event that a significant part of a system or an operational site failed, Austraclear has contingency arrangements to activate an additional tier of ‘cold’ redundancy arrangements (either by converting test systems into production systems or rebuilding systems from readily available hardware) within 24 hours to meet the contingency of any further service interruption.

Austraclear regularly tests its business continuity and technology disaster recovery arrangements against the range of identified business interruption scenarios. The testing requirements are set out in ASX's Business Continuity and Disaster Recovery Plans Testing Policy. Dual site operational teams across the primary and secondary operations sites effectively test backup operational processes on a continuous basis. These arrangements are supplemented by periodic desktop simulations, and exercises testing remote access and full attendance at the secondary site. ASX also participates in industry-wide tests of business continuity arrangements. Live technology tests, where settlement services are provided in real time from the backup data centre, are conducted on a two-year cycle. The use of live tests ensures that participant connectivity to the backup data centre is also tested. Test results are formally documented and reported to ASX senior management and are also made available to internal and external auditors. In addition to receiving the results of business continuity tests, Internal Audit also reviews Technology operational incidents, contributes to business continuity policy updates, and ensures that business continuity has been considered as part of project risk assessments. ASX's business continuity framework is audited externally every three to five years; the most recent audit, conducted in August 2015, found that ASX's business continuity standards were broadly consistent with widely recognised global standards and did not identify any major areas of concern. Under the terms of Austraclear's Step-in and Service Agreement with the Bank, Austraclear is also required to take part in annual connectivity tests between the Austraclear and RITS systems.

Incident management

Austraclear has clearly defined procedures for crisis and event management. These procedures, as well as key roles and responsibilities for managing an incident, are documented in ASX's Major Incident Management Plan. The procedures cover incident notification (including notification and incident reporting to the Bank and ASIC), emergency response (including building evacuation), incident response (including overall incident assessment and monitoring), and incident management testing. These include the use of Twitter to advise stakeholders of market-wide operational or technical incidents. ASX maintains a major incident management team that includes senior representatives of the core business activities, as well as facilities management, business continuity, and media and communications. The procedures identify responsibilities, including for internal communication and external communication to emergency services, the market, industry and media.

The ASX Technology Incident Management Procedure would be invoked in the event of a high severity technology incident. The Incident Management Procedure provides guidelines for system recovery prioritisation and resource allocation, and the actions that would need to be taken in the event of an incident. The Procedure also outlines the key roles and responsibilities for managing an incident, as well as indicative communication and notification requirements.

14.8 A securities settlement facility should consider making contingency testing compulsory for the largest participants to ensure they are operationally reliable and have in place tested contingency arrangements to deal with a range of operational stress scenarios that may include impaired access to the securities settlement facility.

The Austraclear Regulations and Procedures require participants to maintain adequate business continuity arrangements that are appropriate to the nature and size of their business as a participant. The Regulations specify that participants must have arrangements that allow for the recovery of usual operations (see SSF Standard 14.6). It is Austraclear's expectation (set out in guidance) that this would be within two hours following a contingency event for large participants. These arrangements are reviewed as part of the participant admissions process. Participants are also subject to spot checks of their ongoing compliance with the Austraclear Regulations and procedures. Spot checks may be based on topical themes, in some cases arising from observations of general business developments, and in other cases motivated by a participant that has been experiencing operational problems. If a participant fails to implement any recommendations arising from a check, ASX may impose sanctions.

Participants are involved in the contingency testing of Austraclear's systems, as this testing is conducted in a live environment. ASX conducts comprehensive business continuity testing of key systems at least every two years, with participants being notified of the start and completion of testing. Participants are also involved in testing of major system changes or in advance of the introduction of a new system. Austraclear conducts regular connectivity tests and maintains an external testing environment for system changes.

In addition to operational reliability requirements that apply to ASX Collateral as a Special Purpose Participant of Austraclear, ASX Operations Pty Limited conducts contingency testing of ASX Collateral as a critical ASX system. As part of this testing, ASX applies some of the contingency scenarios defined in its Service Level Agreement with Clearstream.

Outsourcing and other dependencies

14.9 A securities settlement facility that relies upon, outsources some of its operations to, or has other dependencies with a related body, another FMI or a third-party service provider (for example, data processing and information systems management) should ensure that those operations meet the resilience, security and operational performance requirements of these SSF Standards and equivalent requirements of any other jurisdictions in which it operates.

ASX has developed a set of standard clauses for inclusion in contracts with third-party service providers of critical services to Austraclear (see SSF Standard 14.5). Similar clauses are also included in the Support Agreement between Austraclear and ASX Operations Pty Ltd, which provides all internal operational services for the facilities. The clauses seek to ensure that the agreements meet the resilience, security and operational performance requirements of the FSS. The clauses also allow the Bank to gather information from the service provider about the operation of critical functions (see SSF Standard 14.10). In the event that the Bank concluded that the terms of the service provider agreement did not meet FSS requirements, the clauses require the service provider to negotiate acceptable new terms with ASX in good faith. Furthermore, if Austraclear were to become insolvent, the clauses provide for the Bank to negotiate with the service provider to continue service provision (see SSF Standard 14.11). ASX applies these clauses to all new agreements with service providers, and has incorporated them into all of its key existing service agreements.

The resilience, security and operational performance of SWIFT, which Austraclear relies upon for messaging, is primarily overseen by the SWIFT Oversight Group, comprising the G10 central banks and chaired by the National Bank of Belgium (NBB). In 2012, the National Bank of Belgium established the SWIFT Oversight Forum (SOF) to include 12 additional central banks, including the Bank, in the oversight process. Through its membership of the SOF, the Bank is able to access information relevant to SWIFT oversight. To support its oversight activities, the Oversight Group has set proprietary minimum standards – the High-level Expectations (HLEs) – against which SWIFT is assessed. In its capacity as a member of the SOF, the Bank receives SWIFT's annual self-assessment against the HLEs.

In December 2014, CPMI and IOSCO published a finalised Assessment Methodology for the oversight expectations applicable to organisations providing critical services to FMIs.^[10] The Assessment Methodology provides a framework for considering how to apply the oversight expectations for critical service providers set out in Annex F of the Principles and the Bank's guidance to CCP Standard 16.9. The Bank will discuss with ASX how it applies these oversight expectations in managing its relationships with external providers of critical services, including the role of the CPMI-IOSCO Assessment Methodology in its oversight of these critical service providers.

ASX Collateral

Given the interdependencies between Austraclear and ASX Collateral, it is important that ASX Collateral is held to equivalent standards of operational robustness. ASX Collateral employs the same risk management framework for operational risk and operational procedures as those adopted for the Austraclear EXIGO system. This includes a service availability target of 99.9 per cent, and a minimum capacity headroom target of 50 per cent of total capacity. ASX Collateral's business continuity arrangements are also consistent with those for the Austraclear EXIGO system and are reviewed alongside Austraclear's own business continuity arrangements. The CCMS is replicated at the backup data centre, with failover to occur within one to two hours, depending on the nature of the contingency event. A high degree of redundancy is built into the CCMS – both across the primary and backup data centres and within each centre. In the case of a significant outage of the CCMS, critical collateral transfers may be conducted as ‘Austraclear assisted transactions’, consistent with existing Austraclear functionality.

ASX Collateral has access to other ASX Group personnel as required to carry out its operations under the ASX Group Support Agreement with ASX Operations Pty Limited. This agreement aims to allow for access to resources in the event of external administration of ASX Operations Pty Limited – to the extent permissible by law.

Resilience requirements imposed on ASX Collateral apply equally to ASX Collateral's outsourced arrangements with Clearstream. Clearstream's reliability targets for its Collateral Management Exchange (CmaX) system are broadly equivalent to those of Austraclear. Specifically, they require 99.8 per cent availability and capacity utilisation of no more than 20 per cent. Clearstream can scale its service to cover 15 times the current average production load by the straightforward upgrade of existing hardware, and additional capacity can be obtained by adding servers and tuning software. Clearstream's resilience standards are broadly equivalent to those of Austraclear, including the use of geographically separated underground data centres with security huts, managed firewalls, anti-virus and anti-malware protection for email, and data encryption.

Clearstream is subject to oversight under several regimes. In particular, the Central Bank of Luxembourg (Banque Centrale du Luxembourg, BCL) performs periodic assessments of Clearstream against applicable standards. These assessments evaluate Clearstream's operational risk management framework for its collateral management service (i.e. not specifically the ASX iteration). Additional assessments, from the point of view of user requirements, are carried out by the Eurosystem on a near-annual basis. None of these various assessments have identified significant issues with Clearstream's operation of its services. Clearstream is also subject to periodic examination by international assessors.

14.10 All of a securities settlement facility's outsourcing or critical service provision arrangements should provide rights of access to the Reserve Bank to obtain sufficient information regarding the service provider's operation of any critical functions provided. A securities settlement facility should consult with the Reserve Bank prior to entering into an outsourcing or service provision arrangement for critical functions.

ASX's standard clauses for service providers require the provider to grant reasonable access to the Bank in respect of information relating to its operation of a critical function provided to Austraclear. ASX applies these clauses to all new agreements with service providers, and has incorporated them into all of its key existing service agreements. The Bank also receives information on SWIFT through its membership of the SOF (see SSF Standard 14.9).

Rights of access for the Bank to ASX Collateral are provided by overlapping requirements established under Australian Financial Services Licence conditions imposed on ASX Collateral, intragroup contractual arrangements, and additional requirements on Special Purpose Austraclear Participants that are Collateral Managers. Rights of access to the Bank in respect of CCMS services provided by Clearstream are provided by the Master Framework Agreement between ASX Operations Pty Limited and Clearstream.

14.11 A securities settlement facility should organise its operations, including any outsourcing or critical service provision arrangements, in such a way as to ensure continuity of service in a crisis and to facilitate effective crisis management actions by the Reserve Bank or other relevant authorities. These arrangements should be commensurate with the nature and scale of the securities settlement facility's operations.

Standard clauses in Austraclear's agreements with service providers, including (via ASX Collateral) Clearstream for the CmaX system, require that providers give the Bank notice of any intention to terminate the agreement as a consequence of Austraclear's failure to pay fees, or in the event of the insolvency of Austraclear or any other ASX entity (see SSF Standards 14.9 and 14.10). This is intended to give the Bank an opportunity to take action to remedy the breach or otherwise ensure continued service provision.

Austraclear's arrangements to ensure continuity of operations in the event of a crisis will be shaped by the proposed introduction into Australian law of a special resolution regime for FMIs. For example, under the proposed regime the Bank would have powers to direct related entities (such as ASX Operations) to perform obligations under ex ante agreements to provide critical services (see SSF Standard 14.4). The government, on the advice of the Council of Financial Regulators, progressed work on the proposed FMI resolution regime via a February 2015 consultation paper. Austraclear will need to ensure that its arrangements to support continuity of operations in a crisis are appropriately adapted to the proposed FMI resolution regime once finalised.

Standard 15: Access and participation requirements

A securities settlement facility should have objective, risk-based and publicly disclosed criteria for participation, which permit fair and open access.

Rating: Observed

Austraclear has objective and transparent participation requirements set out in its Regulations and Procedures (SSF Standard 15.1). These include minimum capital and other financial requirements, as well as operational arrangements tailored to the specific activities of Austraclear, including additional requirements for special purpose participants that are collateral managers (SSF Standard 15.2). Austraclear monitors participants' compliance with requirements on an ongoing basis, and has the authority to suspend or terminate participation or take other disciplinary or remedial action in the event of a breach of these requirements (SSF Standard 15.3).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 15 during the 2014/15 Assessment period. Austraclear's access and participation requirements are described in further detail under the following sub-standards.

15.1 A securities settlement facility should allow for fair and open access to its services, including by direct and, where relevant, indirect participants and other FMIs, based on reasonable risk-related participation requirements.

Austraclear has objective and transparent participation requirements, which are detailed in a number of policies and standards under the Settlement Risk Policy Framework. The participation requirements are publicly available and form part of Austraclear's Regulations and Procedures. ASX has an internal policy and supporting standards that summarise the minimum requirements placed on participants under the Regulations and Procedures (see SSF Standard 15.2), and document the responsibilities of the CS Boards, SRPC and relevant executives for ensuring these requirements are met and periodically reviewed. The Regulations and Procedures provide for an appeals process should an application for participation be rejected or a participant's access be terminated.

The CCMS's access to Austraclear is via a non-exclusive ‘Special Purpose Participant (Collateral Manager)’ category of participation. There are no provisions in the Austraclear Regulations that prevent fair and open access to other entities that may seek to offer their services as a Collateral Manager. In November 2014, LCH.Clearnet Limited, a UK-based CCP licensed as a CS facility in Australia, was admitted as a Special Purpose (Exchange) Participant (see SSF Standard 17.1).

At the end of June 2015, Austraclear had 846 participants.

15.2 A securities settlement facility's participation requirements should be justified in terms of the safety of the securities settlement facility and the markets it serves, be tailored to and commensurate with the securities settlement facility's specific risks, and be publicly disclosed. Subject to maintaining acceptable risk control standards, a securities settlement facility should endeavour to set requirements that have the least restrictive impact on access that circumstances permit.

Austraclear's participation requirements are designed to promote the safety and integrity of the SSF. They cover operational capacity, financial standing and business continuity arrangements.

Participation requirements for Special Purpose Participants that are Collateral Managers are based on requirements for other categories of participants and may be justified in terms of the safety of Austraclear and the market it serves. Specific business continuity requirements for Collateral Managers reflect the potential critical functionality of such infrastructure.

Under the Regulations and Procedures, Austraclear must be satisfied that a potential participant has (or will have) the relevant managerial, operational and financial capacity and appropriate complementary business continuity arrangements in place to enable it to meet its ongoing obligations. In addition, an applicant for special purpose participation as a Collateral Manager is required to have an Australian Financial Services Licence covering the activities that it will conduct as a Collateral Manager.

Additional requirements that apply to participants that are Foreign Currency Settlement Banks are described under SSF Standard 8.3.

15.3 A securities settlement facility should monitor compliance with its participation requirements on an ongoing basis and have clearly defined and publicly disclosed procedures for facilitating the suspension and orderly exit of a participant that breaches, or no longer meets, the participation requirements.

Austraclear's arrangements for monitoring and enforcing compliance with its Regulations are published on the ASX public website. Under these, Austraclear has wide-ranging powers to sanction its participants in order to preserve the integrity of the SSF. Austraclear may suspend or terminate a participant's authority to settle transactions in the event of a default, or in the event of a breach of the Regulations and Procedures that may have an adverse effect on the SSF. The action taken in the event of a breach will depend on a number of factors, including the participant's history of compliance and whether the breach implies negligence, incompetence or dishonesty. Where a breach has been identified and the participant has taken appropriate steps to rectify it, Austraclear will typically continue to monitor the participant closely for a period of time. Breaches are also referred to ASIC and, in most cases, are investigated by ASX Compliance for formal disciplinary action.

Standard 16: Tiered participation arrangements

A securities settlement facility should identify, monitor and manage the material risks to the securities settlement facility arising from tiered participation arrangements.

Rating: Observed

In managing the risks associated with tiered arrangements, Austraclear is able to gather basic information on indirect participation (SSF Standards 16.1, 16.2). Austraclear does not maintain formal thresholds at which substantial indirect participants are encouraged to seek direct participation, but does actively manage risks posed by indirect participant activity through its relationship with the direct participant (SSF Standard 16.3). Austraclear is not directly exposed to financial risks arising from tiered participation (SSF Standard 16.4).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 16 during the 2014/15 Assessment period. Austraclear's approach to tiered participation arrangements is described in further detail under the following sub-standards.

16.1 A securities settlement facility should ensure that its rules, procedures and agreements allow it to gather basic information about indirect participation in order to identify, monitor and manage any material risks to the securities settlement facility arising from such tiered participation arrangements.

Given the nature of the wholesale OTC market in debt securities that Austraclear settles, participation in Austraclear is generally direct. Furthermore, since Austraclear does not assume credit or liquidity risk as principal, the primary risks that could arise from indirect participation are operational. In particular, indirect participation arrangements that concentrated settlement activity within a few direct participants could concentrate operational risk to the facility. Any significant activity associated with indirect participation would be likely to be recorded in sub-accounts of direct Austraclear participants. Austraclear is able to monitor these.

Austraclear currently considers the risks from concentration of indirect participants to be low.

16.2 A securities settlement facility should identify material dependencies between direct and indirect participants that might affect the securities settlement facility.

Austraclear monitors dependencies arising from tiered participation indirectly via a variety of means. These include regular discussions with participants on developments in their business and risk management activities, participants' own risk assessments, and discussions with new participants as part of the induction process. Based on this information, Austraclear has not identified any material dependencies between direct and indirect participants that might affect its operations.

16.3 A securities settlement facility should identify indirect participants responsible for a significant proportion of transactions processed by the securities settlement facility and indirect participants whose transaction volumes or values are large relative to the capacity of the direct participants through which they access the securities settlement facility in order to manage the risks arising from these transactions.

In general, participation in Austraclear is direct, reflecting the profile of the wholesale OTC debt market that it serves. At end June 2015 there were 846 direct Austraclear participants.

ASX encourages participants to develop appropriate risk control measures in managing their relationships with clients, including any substantial indirect participants. ASX does not set thresholds, either formal or informal, at which it would encourage direct participation by an indirect participant. ASX's general approach to managing risks associated with participants' business activities is based on a framework that can flexibly detect and respond to new risks as they arise, rather than setting firm ex ante activity limits.

16.4 A securities settlement facility should regularly review risks arising from tiered participation arrangements and should take mitigating action when appropriate.

Austraclear is not directly exposed to financial risks from indirect participation, and its exposure to operational risks from indirect participants is limited by the bilateral nature of settlement between its participants and its relatively broad participation base. Austraclear would only be expected to face material risks from indirect participation were the nature of its participation base or activities to change significantly.

Standard 17: FMI links

A securities settlement facility that establishes a link with one or more FMIs should identify, monitor and manage link-related risks.

Rating: Observed

Austraclear maintains four links to other FMIs:

• ASX Clear, for funds transfers in relation to margin payments
• ASX Clear (Futures), for AUD funds transfers in relation to margin payments, lodgement of AUD-denominated non-cash collateral and settlement of 90-day bank bill futures
• LCH.Clearnet Limited (LCH.C Ltd), for the management of LCH.C Ltd's AUD liquidity requirements
• Clearstream, in relation to Euroentitlements managed in Austraclear.

There are no direct financial risks associated with these links but Austraclear is exposed to operational risks. These are managed in the context of the operational risk management practices of each FMI (SSF Standard 17.1). The legal basis of each link is supported by finality legislation, and link arrangements have been discussed with the Bank (SSF Standards 17.2, 17.3). Austraclear's link with Clearstream does not involve the extension of credit, provisional transfers of securities or the use of custodians (SSF Standards 17.4, 17.5, 17.6).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 17 during the 2014/15 Assessment period. Austraclear's management of link-related risks is described in further detail under the following sub-standards.

17.1 Before entering into a link arrangement, and on an ongoing basis once the link is established, a securities settlement facility should identify, monitor and manage all potential sources of risk arising from the link arrangement. Link arrangements should be designed such that the securities settlement facility is able to comply with these SSF Standards.

Identifying link-related risks

Austraclear maintains four links to other FMIs. A link for the purposes of this standard is any connection that is made to another FMI according to a set of contractual and operational arrangements, irrespective of the complexity or otherwise of the link and whether it is directly with the FMI or through an intermediary.^[11]

• ASX Clear. This link supports AUD funds transfers related to margin payments. Cash transfers are entered into Austraclear by ASX Clear and then matched in Austraclear against the respective clearing participants' cash settlement instructions. Regular margin collections and intraday margin calls, which make up the majority of cash transfers in ASX Clear, are submitted automatically to Austraclear by ASX Clear's margin and collateral systems.
• ASX Clear (Futures). This link supports AUD funds transfers in relation to margin payments, lodgement of AUD-denominated non-cash collateral, and settlement of 90-day bank bill futures. As for ASX Clear, cash transfers are entered into Austraclear by ASX Clear (Futures), and then matched in Austraclear against the respective clearing participants' cash settlement instructions. Regular margin collections, which make up the majority of cash transfers, are submitted to Austraclear by ASX Clear (Futures)' margin and collateral systems, while intraday margin collections are entered manually. AUD-denominated non-cash collateral is lodged via a collateral lodgement form. This needs to be received by ASX Clear (Futures) the day prior to the collateral being needed to cover margin, with the security being transferred to ASX Clear (Futures) via a free-of-payment trade in Austraclear. Settlement of 90-day bank bill futures takes place in Austraclear according to procedures set out in ASX 24's Operating Rules and Procedures. Sellers and buyers who are not full participants of Austraclear must appoint a full participant to act as their settlement agent.
• LCH.Clearnet Limited (LCH.C Ltd). This link enables LCH.C Ltd, a UK-based CCP licensed as a CS facility in Australia, to manage its AUD liquidity requirements. LCH.C Ltd was admitted as a Special Purpose Participant in Austraclear in November 2014. LCH.C Ltd holds securities eligible for repo with the Bank in its Austraclear account to cover its estimated AUD liquidity needs (on a business as usual basis as well as to cover stressed liquidity exposures). On a daily basis, LCH.C Ltd draws on this pool of assets to generate intraday liquidity in its ES Account with the Bank.
• Clearstream. This link relates to Euroentitlements managed in Austraclear (see SSF Standard 9.1). Austraclear is a participant in Clearstream. A participant that has a Eurobond holding in Clearstream may choose to lodge that security in Austraclear, by transfer to Austraclear's Clearstream account. Participants with Eurobond holdings in Euroclear may also transfer securities to Austraclear's Clearstream account via a separate link maintained between Euroclear and Clearstream. Once available in the Austraclear system, arrangements for sales and purchases of the security are as for other debt securities. Withdrawals of Euroentitlements from the Austraclear system are processed in a similar way to deposits, with Austraclear on request transferring the securities from its account in Clearstream to the participant's account with either Clearstream or Euroclear.

Managing operational risk

Links with ASX Clear and ASX Clear (Futures) are subject to the same operational risk management framework that applies for all the ASX CS facilities (see SSF Standard 14). This addresses operational risks associated with software, infrastructure or network failures and manual processing errors. An incident report is required for any significant technical or operational incident, including an assessment of mitigating actions to reduce the risk of reoccurrence. In addition, six-monthly risk profile assessments are prepared and presented to the Audit and Risk Committee, and an independent system-controls audit is conducted annually.

Operational risks arising from the link with LCH.C Ltd are managed on the same basis as operational interdependencies with participants more broadly (see SSF Standard 14). Austraclear is exposed to limited operational risk from this link, since a disruption to LCH.C Ltd's operations would impact only those participants with outstanding unsettled transactions with LCH.C Ltd. LCH.C Ltd's operational risk management arrangements are overseen by the Bank, as well as its primary supervisory authority, the Bank of England.

The Bank also considers the interdependencies created between Austraclear and LCH.C Ltd in its ongoing oversight and supervision of LCH.C Ltd.

Clearstream's operational risk management arrangements are overseen by BCL, which performs periodic assessments of Clearstream against applicable standards (see SSF Standard 14.9).

Managing financial risk

Austraclear does not assume any direct financial risks from its links to other FMIs.

17.2 A link should have a well-founded legal basis, in all relevant jurisdictions, that supports its design and provides adequate protection to the securities settlement facility and other FMIs involved in the link.

Austraclear's links to ASX Clear, ASX Clear (Futures) and LCH.C Ltd have their legal basis in the Regulations, Operating Rules and Procedures of each facility. The finality of settlements made via these links is supported by the approval of Austraclear under Part 2 of the PSNA (see SSF Standard 1.5).

Austraclear's link to Clearstream has a legal basis in a contract between the two FMIs, and the system rules of Clearstream's international central securities depository. As noted under SSF Standard 17.1, Clearstream is regulated by BCL in accordance with international standards.

17.3 Where relevant to its operations in Australia, a securities settlement facility should consult with the Reserve Bank prior to entering into a link arrangement with another FMI.

Austraclear has discussed its current link arrangements with the Bank. In November 2014, Austraclear admitted LCH.C Ltd as a participant. LCH.C sought participation in Austraclear for the purpose of managing its AUD liquidity needs. Austraclear consulted with the Bank prior to entering into this link arrangement.

17.4 A securities settlement facility operating a central securities depository that links to another central securities depository should measure, monitor and manage the credit and liquidity risks arising from such links. Any credit extended to the linked central securities depository should be covered fully with high-quality collateral and be subject to limits.

Austraclear does not extend credit to Clearstream.

17.5 Provisional transfers of securities between a securities settlement facility operating a central securities depository and another central securities depository should be prohibited or, at a minimum, the retransfer of provisionally transferred securities should be prohibited prior to the transfer becoming final.

Euroentitlements are not made available to participants in Austraclear until title has been confirmed by deposit in Austraclear's account at Clearstream. Provisional transfers of securities cannot arise under the link between the two central securities depositories.

17.6 A securities settlement facility operating an investor central securities depository that uses an intermediary to operate a link with an issuer central securities depository should measure, monitor and manage the additional risks (including custody, credit, legal and operational risks) arising from the use of the intermediary.

Austraclear does not use custodians or other intermediaries in its link with Clearstream.

Standard 18: Disclosure of rules, key policies and procedures, and market data

A securities settlement facility should have clear and comprehensive rules, policies and procedures and should provide sufficient information and data to enable participants to have an accurate understanding of the risks they incur by participating in the securities settlement facility. All relevant rules and key policies and procedures should be publicly disclosed.

Rating: Observed

Austraclear fully discloses its Regulations and Procedures to participants, and publicly discloses its rules and a range of additional relevant information on its risk management procedures. ASX provides links to information that is subject to disclosure requirements from a central location on its public website (SSF Standard 18.1). This includes information regarding the general descriptions of system design and the roles and obligations of Austraclear and its participants (SSF Standard 18.2). Austraclear provides new participants with comprehensive documentation, and verifies their understanding of their responsibilities as participants; existing participants are also provided with education on their obligations where required (SSF Standard 18.3). ASX has updated its response to the CPMI-IOSCO Disclosure Framework and plans to periodically review and enhance this document where appropriate (SSF Standard 18.4).

The Bank will continue to monitor steps by Austraclear to refine and enhance its disclosure.

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 18 during the 2014/15 Assessment period. Austraclear's disclosure of rules, key policies and procedures, and market data is described in further detail under the following sub-standards.

18.1 A securities settlement facility should adopt clear and comprehensive rules, policies and procedures that are fully disclosed to participants. Relevant rules and key policies and procedures should also be publicly disclosed (including specific requirements relating to SSF Standards 1.4, 2.2, 11.3, 13.4, 15.2 and 15.3).

Austraclear's Regulations and Procedures form the basis of all material aspects of the SSF's service to participants. The Regulations and Procedures are disclosed on the ASX public website.^[12] The Regulations and Procedures are also posted on the ASX participant website. ASX is in the process of enhancing the design and functionality of its participant website to better support the dissemination of non-public information to participants.

To assist participants in their understanding of the risks of participating in Austraclear, and for the information of other interested stakeholders, ASX publishes a range of additional material on its public website. Information specific to Austraclear includes information about participant requirements, SWIFT message protocols, trade and settlement monitoring systems, known software release issues and change requests, and business continuity arrangements. More general information includes: the ASX Group's regulatory framework; requirements of the FSS; requirements of the Corporations Act for provision of services in a ‘fair and effective’ way; the ASX Group's other obligations under the Corporations Act; and ASX Group's compliance with the Principles. ASX maintains a centralised list of links on its website to information required to be disclosed under the FSS.

Specific disclosure requirements are dealt with under SSF Standards 1.4, 2.2, 11.3, 13.4, 15.2 and 15.3.

18.2 A securities settlement facility should disclose clear descriptions of the system's design and operations, as well as the securities settlement facility's and participants' rights and obligations, so that participants can assess the risks they would incur by participating in the securities settlement facility (see SSF Standards 2.8 and 8.5).

General descriptions of Austraclear's system design and operations are available on the ASX public website, including as part of ASX's response to the CPMI-IOSCO Disclosure Framework (see SSF Standard 18.5).^[13] The Disclosure Framework document describes the ASX group structure, provides a general description of the CS facilities and their roles, system design and operations, outlines the legal and regulatory framework for clearing and settlement, and provides a description of steps taken by ASX to ensure compliance with the Principles and the corresponding FSS. The ASX public website provides high-level additional information on system design and operations, which ASX intends to update with additional detail once the EXIGO insourcing project is complete.

18.3 A securities settlement facility should provide all necessary and appropriate documentation and training to facilitate participants' understanding of the securities settlement facility's rules, policies and procedures and the risks they face from participating in the securities settlement facility.

All applicants for participation in Austraclear are provided with a comprehensive application pack, which includes information regarding key requirements of the facilities. Applicants are provided with access to the Regulations, Procedures and Guidance Notes via the ASX website, as well as publicly available information about the facilities, services and participation requirements. When Austraclear has completed an initial assessment of an application, the applicant is also invited to attend formal ‘on boarding’ meetings with the Compliance and Operations departments to discuss key areas of importance for participants.

As part of the formal admission process, the applicant must provide supporting evidence of its capacity to comply with the rules. This is reviewed and discussed with the applicant prior to approving admission. When reviewing the submissions, ASX will make enquiries of participants about their risk assessments, the design of the controls to mitigate those risks, and details of participants' arrangements to ensure compliance with the Operating Rules and Procedures.

Where ASX becomes aware or suspects that a participant lacks a satisfactory understanding of the Regulations and Procedures, or the risks of participation, ASX will generally work collaboratively with the participant to educate them on their obligations. ASX may become aware of issues through its routine risk monitoring activities or through its regular discussions with participants (see SSF Standard 14.5). An example of a matter that might raise concerns would be if a participant had a high frequency of technical connectivity issues. If the matter is serious, ASX may require that the participant remediate the weakness. Alternatively, ASX may impose conditions on participation, or require that the participant appoint an independent expert to assist with the remediation task.

18.4 A securities settlement facility should complete regularly and disclose publicly responses to the CPSS-IOSCO Disclosure Framework for Financial Market Infrastructures.^[14] A securities settlement facility also should, at a minimum, disclose basic risk and activity data, as directed by the Reserve Bank from time to time.

ASX has published its response to the CPMI-IOSCO Disclosure Framework, including information describing how its CS facilities observe the applicable Principles. This document was revised during the Assessment period, expanding on previous versions to provide greater detail as to how the CS facilities meet the Principles and corresponding FSS, and to present this information in a way that is more useful for participants. ASX plans to update this document periodically (at least annually) and further enhance its disclosure as necessary from time to time.

ASX currently reports basic risk and activity data for the CS facilities via a monthly activity report. The Bank will continue to monitor steps by Austraclear to refine and enhance its disclosure.

Standard 19: Regulatory reporting

A securities settlement facility should inform the Reserve Bank in a timely manner of any events or changes to its operations or circumstances that may materially impact its management of risks or ability to continue operations. A securities settlement facility should also regularly provide information to the Reserve Bank regarding its financial position and risk controls on a timely basis.

Rating: Observed

The Bank meets regularly with Austraclear to discuss matters relevant to its compliance with the FSS, and related aspects of its risk management and operational arrangements. The Bank has been kept informed of relevant developments during the Assessment period (SSF Standard 19.1). Austraclear provides the Bank with financial, activity and operational data and reports on a regular and timely basis (SSF Standard 19.2).

The Bank's assessment is that Austraclear has observed the requirements of SSF Standard 19 during the 2014/15 Assessment period. Austraclear's regulatory reporting arrangements with the Bank are described in further detail under the following sub-standards.

19.1 A securities settlement facility should inform the Reserve Bank as soon as reasonably practicable if:

1. it breaches, or has reason to believe that it will breach:
   1. an SSF Standard; or
   2. its broader legislative obligation to do, to the extent that it is reasonably practicable to do so, all things necessary to reduce systemic risk;
2. it becomes subject to external administration, or has reasonable grounds for suspecting that it will become subject to external administration;
3. a related body to the securities settlement facility becomes subject to external administration, or if the securities settlement facility has reasonable grounds for suspecting that a related body will become subject to external administration;
4. a participant becomes subject to external administration, or if the securities settlement facility has reasonable grounds for suspecting that a participant will become subject to external administration;
5. a participant fails to meet its obligations under the securities settlement facility's risk control requirements or has its participation suspended or cancelled because of a failure to meet the securities settlement facility's risk control requirements;
6. it fails to enforce any of its own risk control requirements;
7. it plans to make significant changes to its risk control requirements or its rules, policies and procedures;
8. it or a service it relies on from a third party or outsourced provider experiences a significant operational disruption, including providing the conclusions of its post-incident review;
9. any internal audits or independent external expert reviews are undertaken of its operations, risk management processes or internal control mechanisms, including providing the conclusions of such audits or reviews;
10. its operations or risk controls are affected, or are likely to be affected, by distress in financial markets;
11. it has critical dependencies on utilities or service providers, including providing a description of the dependency and an update if the nature of this relationship changes;
12. it proposes to grant a security interest over its assets (other than a lien, right of retention or statutory charge that arises in the ordinary course of business);
13. it proposes to incur or permit to subsist any loans from participants or members unless such loans are subordinated to the claims of all other creditors of the securities settlement facility; or
14. any other matter arises which has or is likely to have a significant impact on its risk control arrangements (see also SSF Standards 1.6, 14.10 and 17.3).

Three routine meetings are held between the Bank and ASX each quarter:

• executive-level meetings to discuss developments relevant to compliance with the FSS, involving the CRO and other relevant members of ASX's management team; representatives from ASIC attend these meetings to discuss matters of common interest
• risk management meetings, involving general managers and other staff responsible for clearing risk policy and the implementation of risk management arrangements
• operations meetings, involving the GE, Operations, and other members of the management team responsible for implementation of operational strategy, management of operational risk and business continuity planning.

These meetings provide a forum for the discussion of material developments, such as issues regarding participant compliance, changes to risk management controls, and the results of internal audits. Matters discussed in the formal scheduled meetings are followed up, as appropriate, in more focused targeted sessions.

The Bank expects to be notified immediately of any significant risk related developments; for example, if there was an operational outage or a participant entered external administration. Notification to the Bank of significant developments is specified in many of ASX's key internal risk management policies. The Bank and ASX hold ad hoc meetings to discuss relevant matters as required.

During the 2014/15 Assessment period, ASX provided the Bank with timely reports on the status of important project milestones, including the final stages of the EXIGO insourcing project and further developments to the foreign currency settlement service. The Bank is satisfied with its level of communication with ASX over this period.

19.2 A securities settlement facility should also provide to the Reserve Bank, on a timely basis:

1. audited annual accounts;
2. management accounts on a regular basis, and at least quarterly;
3. risk management reports on a regular basis, and at least quarterly;
4. periodic activity, risk and operational data, as agreed with the Reserve Bank; and
5. any other information as specified by the Reserve Bank from time to time.

Audited annual reports are published on the ASX public website, while ASX provides the Bank with quarterly statements of balance sheet, income, and collateral held for each CS facility.

ASX provides detailed activity, risk and operational data. Data provided quarterly to the Bank include settlement values and volumes, and data on system availability and capacity utilisation. The quarterly operations meetings between the Bank and ASX provide a forum for discussion of developments observed in the data.

From time to time, the Bank will request additional information from Austraclear on topics of interest, particularly in regard to any operational incidents or the status of projects with significant risk implications.

During the previous Assessment period the Bank conducted a review of the data that it collects from ASX in order to better support its assessment of the CS facilities against the requirements of the FSS. As a result of this review, ASX has implemented enhancements to the data it reports to the Bank during the Assessment period.

Footnotes

Available at <http://www.asx.com.au/documents/asx-compliance/pfmi-disclosure-framework.pdf>. Prior to 1 September 2014, CPMI was known as the Committee on Payment and Settlement Systems (CPSS). [1]

The Institute of Internal Auditors is the leading international organisation representing internal auditors. It has developed a set of standards that provides a framework for carrying out and evaluating the performance of internal audits. [2]

ISO is an international standard-setting body and ISO 31000 is considered to be relevant guidance for enterprise risk management. The ISO 31000 standard has been reproduced by Standards Australia and Standards New Zealand as AS/NZS 31000. [3]

The cash record starts at zero at the beginning of the day and records debit and credit cash movements through the day. A total debit limit may be set on the cash record by the participant. When a settlement instruction has been matched, the cash leg of each transaction is tested against the debit limit. If the debit limit is not exceeded, the transaction will be sent to RITS for settlement; otherwise, the transaction will remain in a pending state until sufficient funds are available (i.e. through another transaction that delivers cash or through the participant increasing the limit). [4]

The NIST Cybersecurity Framework is used widely by critical infrastructure providers and other organisations in a number of jurisdictions internationally. [5]

The Australian Liquidity Centre provides market participants with the option to ‘co-locate’ their servers with ASX's data centre. [6]

ASX currently maintains three main sites for its operations and data processing: a primary operations site that also operates as the primary data centre (where the majority of staff are located); a secondary operations site; and a backup data centre. [7]

When a component of software is updated, ‘regression testing’ aims to perform checks on the full software to verify that the operation of other software components has not been inadvertently affected by the update. [8]

The Uptime Institute is an IT consulting organisation that has developed a widely adopted classification system for the level of redundancy arrangements in data centres. ‘Tier 3’ is the second highest standard of redundancy, indicating that a data centre has redundant components, multiple independent power and cooling systems, and a high degree of availability. [9]

See CPMI-IOSCO (2014), Principles for financial market infrastructures: Assessment methodology for the oversight expectations applicable to critical service providers, December. Available at <http://www.bis.org/cpmi/publ/d123.htm>. [10]

Links to payment systems are addressed in SSF Standard 8. [11]

Available at <http://www.asx.com.au/regulation/rules/austraclear-regulations.htm>. [12]

Available at <http://www.asx.com.au/documents/regulation/ASX_PFMI_Disclosure_Framework_28_February_2015.PDF>. [13]

The CPSS was renamed the CPMI in October 2014. [14]