Australian regulator outlines market integrity rules for technological and operational resilience
The new rules will apply to futures and securities market operators of the ASX, ASX 24, Chi-X, NSX and SSX, and to participants of those markets.
The Australian Securities & Investments Commission (ASIC) has released a consultation paper outlining proposals for new market integrity rules for securities and futures market operators and participants that promote technological and operational resilience of their critical systems.
The regulator notes that failures of critical systems can have a severe impact on market integrity. For instance, there have been more errors with participants’ systems and processes that result in worse price outcomes for clients; client money is put at risk. The regulator has also noticed settlement failures, as well as anomalous, and in some cases manipulative, orders impacting the integrity of the market.
The multi-market environment for Australian listed securities creates interdependencies between market participants and market operators. The ASX equity market outage that occurred in September 2016 (ASX outage) created a ripple effect that affected the operation of the Chi-X market and participants’ access to Chi-X, as well as the operation of crossing systems. It also caused considerable uncertainty among market users, stifling trading volumes on the day and impacting trading revenues across the market.
There have been a number of other incidents that have impacted the operation of ASX or ASX 24 markets and their customers. In June 2018, for example, accidental activation of the gas fire suppression system damaged some customers’ hardware and their ability to trade.
Outsourcing and off-shoring of critical systems are becoming more prevalent. These arrangements provide the potential for efficiencies and better systems and services, and they can free up capacity for an entity to stay focused on its core business. However, they can introduce additional risks that need to be managed.
Cyber risk also continues to be a key concern across the financial market, with cyber attacks increasing in frequency and sophistication. The protection of data—in particular sensitive, confidential or personal data—is critical for the sound operation of the market and to facilitate investor trust and confidence in the market. There have been many instances in Australia and abroad of confidential client information being compromised.
Whereas the provisions in the Corporations Act are broad and core system and operational risk management expectations are implied in those obligations, ASIC believes it is important to have more specific expectations for market operators and market participants given the critical role they play in the market. The regulator considers that formalised baseline obligations are needed to ensure that market operators’ and participants’ systems and controls are adequate for their operations, to protect clients and to maintain the integrity of the market.
The proposed rules apply to:
- (a) futures and securities market operators of ASX, ASX 24, Chi-X, NSX and SSX; and
- (b) participants of those markets.
The proposed rules require that:
- (a) robust arrangements are implemented and maintained to ensure the resilience, reliability, integrity and security of critical systems;
- (b) change management arrangements are identified and implemented;
- (c) outsourcing arrangements are implemented and managed;
- (d) incidents are efficiently identified and rectified and, where appropriate, reported to ASIC in a timely and comprehensive manner;
- (e) robust arrangements are implemented for business continuity management, data security, backup and disaster recovery;
- (f) access to the services of market operators is provided on reasonable commercial terms and on a non-discriminatory basis; and
- (g) market operators have trading controls to prevent the entry of trading messages to ensure a fair, orderly and transparent market.
These new and specific obligations for market operators and market participants will also:
- (a) ensure consistency in approach between market operators and market participants in meeting their general obligations;
- (b) provide credible deterrence for poor technology, operational governance and controls;
- (c) facilitate ASIC’s supervision of Australian financial markets; and
- (d) better align the Australian framework with international peers.
Market operators and market participants will be required to conduct a review of their existing arrangements to determine whether any additional arrangements need to be put in place to ensure compliance with the proposed rules. ASIC understands that it may take time to implement the necessary arrangements and so the regulator proposes to give market operators and market participants a six-month transitional period from the date the proposed rules are made.
Under s798H(1) of the Corporations Act, operators of licensed markets and participants in those markets are required to comply with the market integrity rules for that market, breaches of which may result in penalties of up to $1 million per breach. A breach of the market integrity rules may be dealt with by ASIC on an administrative basis or through civil proceedings.
The regulator is accepting feedback on the consultation paper before August 9, 2019.