Australia’s corporate and financial services regulator has thrown its support behind a proposal to require large technology suppliers to hold a license to supply core systems to the financial services industry.
The Australian Securities and Investments Commission (ASIC) today gave its stamp of approval to a recommendation in the July interim Murray Report, as part of its second submission to the Government’s financial system inquiry.
The interim report offered several recommendations as to how the industry should be regulated into the future - including consideration of mobile wallets and Bitcoin - and discussed how to approach risks to the health of the country’s financial markets, such as the failure of IT systems on which trading relies.
It suggested third-party software providers who supply “widely used and significant business systems to stockbrokers” be required to hold an Australian Financial Services License to manage risks of failure, to allow for minimum standards to be set, and for monitoring of the systems to occur.
The panel admitted there would be practical implementation challenges, and asked the financial services industry for feedback on appropriate risk-based criteria to ensure only suppliers of the most crucial systems be subject to regulation.
In its responding submission, released today, ASIC signalled its support for regulatory oversight of technology service providers “of sufficient scale”, suggesting such oversight could include imposing AFS licenses as well as giving oversight responsibility to market participants who outsource their material business functions to IT providers.
“Technology underpins all key operations in Australia’s financial markets. Market participants and market operators rely heavily on key technology service providers to perform core business operations in the financial markets.
“This reliance means that outages or system malfunctions at a technology service provider that provides a large proportion of the industry with services (e.g. technology service providers of sufficient scale) have the capacity to affect the fair and orderly functioning of Australia’s financial markets.”
The regulator said the existing limited regulatory visibility and oversight of large IT providers placed the onus on financial services firms to ensure their chosen technology was appropriate for their operations.
Current legislation also assumed market participants would consider the risks (including systems failures) of the technology to their operations, but there was no provision governing whether technology failures would disrupt the broader Australian financial markets, ASIC said.
“For example, a major system failure or malfunction by a technology service provider of sufficient scale could have widespread ramifications for the ability of multiple market participants to settle trades for that period.
“It is also unclear to what extent market participants and market operators can adequately mitigate and manage their operational risks when they rely on vendors to perform significant business operations (both through outsourcing and offshoring).”
Regulating the oversight of large IT providers in the financial services sector would therefore help mitigate the risk of disruption posed to the wider local financial markets, the regulator argued.
Requiring IT service providers to hold AFS licenses would mean they would need to prove adequate risk management, and could potentially include conditions governing mandatory business continuity and minimum IT infrastructure requirements.
ASIC suggested the regulatory model include guidelines to help it ascertain what constitutes an IT service provider of “sufficient scale” which had the potential to affect the operation of the financial services markets.
Such factors could include the IT provider’s market share, how many market participants use them, the critical nature of the service provided, their ability to be substituted by another provider’s service, and their interconnectedness in the market, ASIC said.