Financial Markets Act, 2012 (Act No. 19 of 2012)
Regulations: Financial Markets Act Regulations
Chapter VI: Central Counterparties
13. Risk management framework
13.10 Information technology
(1) | A central counterparty must implement and document information technology systems based on internationally recognised technical standards and industry best practices, that— |
(a) | are reliable, secure and capable of processing the information necessary for the central counterparty to perform its activities and operations in a safe and efficient manner; |
(b) | enable connectivity with its clearing members and clients as well as with its service providers; |
(c) | provide for capacity planning and sufficient redundant capacity to allow the system to process all remaining transactions before the end of the day in circumstances where a major disruption occurs; |
(d) | provide for on-going capacity stress tests to determine the ability of those systems to process transactions in an accurate, timely and efficient manner; |
(e) | provide scalable capacity adequate to— |
(i) | handle increasing stress volumes; |
(ii) | maintain historical data as required; |
(f) | facilitate the proactive management of risk; |
(g) | enable the senior management of the central counterparty to duly manage and appropriately mitigate the central counterparty’s relevant risk exposures; |
(h) | are able to provide regular, accurate and timely information regarding matters such as the central counterparty’s aggregate risk profile, as well as the main assumptions used for risk aggregation; |
(i) | are adaptable and responsive to changes in the central counterparty’s underlying risk assumptions; |
(j) | are sufficiently flexible to generate relevant forward-looking scenario analyses that capture the controlling body and senior management’s interpretation of evolving market conditions and stressed conditions; |
(k) | are capable of capturing and bringing to the attention of senior management and the controlling body any breach in a specified internal, regulatory or other statutory limit; and |
(l) | make provision for any relevant initial and on-going validation. |
(2) | A licensed central counterparty must provide for procedures for the introduction of new technology including clear reversion plans. |
(3) | A licensed central counterparty must maintain an information security framework that— |
(a) | appropriately manages its information security risk; |
(b) | prevents unauthorised disclosure of information; |
(c) | ensures data accuracy and integrity and availability of the central counterparty’s functions and services; |
(d) | includes at least the following features— |
(i) | access controls to the system; |
(ii) | adequate safeguards against intrusions and data misuse; |
(iii) | specific devices to preserve data authenticity and integrity, including cryptographic techniques; |
(iv) | reliable networks and procedures for accurate and prompt data transmission without major disruptions; and |
(v) | audit trails. |
(4) | The information technology systems and the information security framework must be reviewed at least on an annual basis, and be subject to independent audit assessments. The results of the review must be reported to the controlling body and must be made available to the Authority within five working days after providing the report to the controlling body. |
(5) | A licensed central counterparty must immediately notify the Authority of any material systems failure, malfunction, delay or other disruptive incident, or any breach of data security, integrity or confidentiality, and provide a post-incident report that includes a root-cause analysis as soon as practicable. |
(6) | A licensed central counterparty must publish, at least, on its website, in their final form, all technology requirements regarding interfacing with or accessing the central counterparty— |
(a) | at least three months immediately before operations begin; or |
(b) | at least three months before implementing a material change to its technology requirements. |
(7) | After it has complied with subregulation (6), a licensed central counterparty must make testing facilities for interfacing with or accessing the central counterparty available, |
(a) | for at least two months immediately before operations begin; or |
(b) | for at least two months before implementing a material change to its technology requirements. |
(8) | A newly licensed central counterparty may not begin operations until it has complied with subregulations (6)(a) and (7)(a). |
(9) | Subregulations (6)(b) and (7)(b) do not apply if the change must be made immediately to address a failure, malfunction or material delay of its systems or equipment and— |
(a) | the central counterparty immediately notifies the Authority of its intention to make the change; and |
(b) | the central counterparty confirms the notification in paragraph (a) in writing and publishes the changed technology requirements as soon as practicable. |
(10) | A central counterparty must, after every significant disruption, undertake a “post-incident” review to identify the causes and any required improvement to the normal operations or business continuity arrangements, and report the outcome of the review to the Authority without delay. |