Some jurisdictions have regulatory requirements for critical systems of trading venues that do not extend to outsourced functions.
IOSCO has published a thematic review on the extent to which securities regulators have implemented its recommended business continuity measures for trading venues and market intermediaries.
IOSCO’s recommendations and standards in this area were set out in 2015 IOSCO reports on Business Continuity Plans (BCPs) for Trading Venues and Market Intermediaries.
IOSCO undertook the review in response to the rapid rise of new technologies in securities markets, which it says have created risks capable of potentially disrupting trading venues and intermediaries. “These vulnerabilities underscore the importance of effective BCPs, supported by adequate regulatory frameworks,” it said.
The review found that just 13 of 33 participating jurisdictions are ‘Fully Consistent’ with both the recommendations for trading venues and the standards for market intermediaries.
For trading venues, the recommendations were for regulators to require trading venues to:
- have mechanisms to help ensure the resiliency, reliability and integrity (including security) of critical systems [20 jurisdictions ‘Fully Consistent’]
- establish, maintain and implement as appropriate a BCP [17 jurisdictions ‘Fully Consistent’]
Key gaps identified related to regulatory frameworks that did not ensure that relevant provisions for critical systems extended to outsourced functions or, in some cases, did not define critical systems.
In some jurisdictions, regulators lacked sufficient statutory authority over trading venues, instead relying on non-binding MoUs or accepted regulatory practice, without legislative support.
Other shortcomings observed included a lack of clarity regarding board and senior management accountability for critical systems, as well as a lack of requirements for formal periodic reviews, capacity testing or stress testing of critical systems.
For market intermediaries, the standards were for regulators to require intermediaries to:
- create and maintain a written BCP that identifies procedures for an emergency or significant business disruption [21 jurisdictions ‘Fully Consistent’]
- update their BCP in the event of any material change to operations, structure, business or location and conduct an annual review of their BCP to determine whether any modifications are necessary due to these changes [15 jurisdictions ‘Fully Consistent’]
Regulations in some jurisdictions did not have any obligations for intermediaries to conduct a regular review of BCP arrangements, or update BCPs in response to material business changes.
Some jurisdictions had regulations requiring disaster recovery or contingency measures for IT systems, but did not require intermediaries to have broader BCPs, or specify clear requirements on governance, review or testing of BCPs.
The review is available here.
The review did not assess the operational resilience of trading venues and intermediaries during the Covid-19 pandemic; this work will be conducted separately as part of IOSCO’s efforts to examine risks exacerbated by the Covid-19 pandemic.