Federal Register of Legislation - Australian Government

Rules/Other as made
This instrument amends the ASIC Market Integrity Rules (Securities Markets) 2017 and the ASIC Market Integrity Rules (Futures Markets) 2017 by inserting Chapter 8A and Chapter 8B and repealing rule 9.1.3 of the ASIC Market Integrity Rules (Securities Markets) 2017.
Administered by: Treasury
Registered 09 Mar 2022
Tabling history:
Tabled Senate: 28-Mar-2022
Tabled HR: 29-Mar-2022

Australian Securities and Investments Commission

Explanatory Statement

ASIC Market Integrity Rules (Securities Markets and Futures Markets) Amendment Instrument 2022/74

This is the Explanatory Statement for ASIC Market Integrity Rules (Securities Markets and Futures Markets) Amendment Instrument 2022/74.

The Explanatory Statement is approved by the Australian Securities and Investments Commission (ASIC).

Summary

ASIC Market Integrity Rules (Securities Markets and Futures Markets) Amendment Instrument 2022/74 (the Amendment Instrument) makes new market integrity rules (the Rules) by:

(a) inserting Chapter 8A and Chapter 8B into the ASIC Market Integrity Rules (Securities Markets) 2017 (Securities Markets Rules); and

(b) inserting Chapter 8A and Chapter 8B into the ASIC Market Integrity Rules (Futures Markets) 2017 (Futures Markets Rules).

The Amendment Instrument also repeals rule 9.1.3 of the Securities Markets Rules, which is superseded by the making of the Rules.

The Amendment Instrument has been made under subsection 798G(1) of the Corporations Act 2001 (Corporations Act).

The Rules are intended to promote the resilience of market operators’ and market participants’ critical business services.

The Rules:

(a) establish formalised and clear baseline obligations for market operators and market participants to ensure strong deterrence for poor technology, operational governance and controls;

(b) better align the regulatory framework for market operators and market participants with international regulatory approaches;

(c) promote the resilience and robustness of Australian financial market infrastructures; and

(d) better align ASIC regulatory requirements with prudential standards imposed by the Australian Prudential Regulation Authority (APRA).

The Rules address the following key areas:

(a) critical business services arrangements;

(b) change management;

(c) outsourcing;

(d) information security;

(e) business continuity planning;

(f) governance and resourcing; and

(g) trading controls (market operators only).

Purpose of the instrument

Background

In 2010, the supervisory function for Australia’s domestic licensed financial markets transferred from ASX Limited (ASX) to ASIC. Consequently, ASIC was empowered to make and enforce market integrity rules to support its function of supervising Australian market operators and market participants.

Currently, ASIC administers five market integrity rulebooks. These include the Securities Markets Rules and the Futures Markets Rules. The Securities Markets Rules impose obligations on ASX, Cboe Australia Pty Ltd (formerly known as Chi-X Australia Pty Ltd) (Cboe), National Stock Exchange of Australia (NSXA), Sydney Stock Exchange (SSX) and participants of these securities markets. The Futures Markets Rules impose obligations on Australian Securities Exchange Limited (ASX 24), the derivative market licensee operated by ASX, Financial and Energy Exchange (FEX) and participants of these futures markets.

Create formalised and clear baseline obligations to ensure strong deterrence for poor technology, operational governance and controls.

Market operators and market participants’ systems are increasingly automated, complex, and interconnected, and are often outsourced. Our current regulatory framework has not kept pace with other regulators in addressing these developments. In Australia, market operators and market participants are only subject to general obligations under the Corporations Act to ensure they have adequate resources and risk management systems in place. The general obligations under the Corporations Act and existing guidance do not specifically address the risks created by the evolution of the Australian financial markets.

Market operators are only subject to the high-level obligations under the Corporations Act to ensure that their market is fair, orderly and transparent (paragraph 792A(1)(a)) and that they have sufficient resources (financial, technological and human) to operate the market (paragraph 792A(1)(d)). There is some guidance on market operator systems and controls in Regulatory Guide 172 Financial markets: Domestic and overseas operators (RG 172) but this guidance does not have the effect of rules.

Under existing obligations for Australian financial services licensees in the Corporations Act, market participants are required to ensure they have adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements (paragraph 912A(1)(d)), and adequate risk management systems (paragraph 912A(1)(h)).

Securities participants also have an obligation under the Securities Markets Rules to have and to maintain the necessary organisational and technical resources to ensure, among other things, that trading messages submitted by them do not interfere with the efficiency and integrity of the market or the proper functioning of the trading platform (Rule 5.5.2). This rule has limited application and there is no equivalent for futures participants. Some guidance for financial services licensees is contained in Regulatory Guide 104 Licensing: Meeting the general obligations (RG 104), but this guidance is limited and also does not have the effect of rules.

Beyond these general obligations, there are no specific regulatory requirements governing the technological and operational resilience of markets. Given the significant developments and technical innovations that have occurred in Australia’s financial markets in recent years (and the resulting risks), we believe that clear expectations in rules are required. This will promote the continued effectiveness of our regulatory regime and resilience of our markets.

Address recent failures of market operator and market participant systems

The current regulatory framework does not properly address the increased technological risks and systemic vulnerability experienced by market operators and market participants. Failure of critical business services can have far reaching repercussions on Australia’s financial markets and can undermine the integrity of the Australian financial system.

We are seeing more errors occurring with market participants' trading systems and processes, resulting in worse price outcomes for clients; client money being placed at risk, increased settlement failure rates and anomalous, in some cases manipulative, orders affecting the integrity of the market.

In September 2016, an ASX outage shut down Australia’s equity markets, including the Chi-X market and the equity market participants’ ability to trade, undermining a key benefit of market competition. It also highlighted failures in market operator and market participant business continuity and incident management arrangements. The outage resulted in millions of dollars of lost revenue, missed trading opportunities, exposure to undue risk (e.g. hedging risk) and client losses. We reviewed the causes and impacts of the outage in Report 509 Review of the ASX equity market outage on 19 September 2016 (REP 509). We also conducted a deeper review of ASX’s technology and operational risk management capabilities in Report 592 Review of ASX Group’s technology governance and operational risk management standards (REP 592). It led to a number of improvements in the ASX’s systems, incident management and communication protocols.

In November 2020, an ASX outage again occurred, shortly after a major upgrade to its equity trading platform. As a result of this outage, ASIC and the Reserve Bank of Australia required ASX to engage an independent expert to review the incident. Overall, the independent expert found that ASX met or exceeded leading industry practices in many areas. However, the independent expert identified several key shortcomings in the ASX trading platform upgrade project (See Media Release (21-220MR) Update on the independent expert review of November’s ASX Trade outage). The independent expert made recommendations in seven key categories, namely: risk; governance; delivery; requirements; vendor management; testing; and incident management.

On 24 November 2021, we released Report 708 ASIC’s expectations for industry in responding to a market outage (REP 708) which outlined the findings from our own review of the November 2020 market outage. The report sets out our expectations of both market operators and market participants for facilitating trading during a market outage. ASIC sees the Rules as an important initiative to promote the resilience and robustness of the Australian equities market and to avoid future outages.

Address current inconsistency with international regulatory approaches, including IOSCO recommendations and standards

In 2019-2020, the International Organization of Securities Commissions (IOSCO) conducted a thematic review to assess the consistency of regulatory frameworks with IOSCO’s recommendations and standards on business continuity for trading venues and market intermediaries. Of the 33 member jurisdictions that participated in the review, 13 were found to be fully consistent. Australia was, overall, only broadly consistent with the principles. We expect the implementation of the Rules will ensure we are fully consistent with relevant IOSCO recommendations and standards.

The Rules are largely based on the recommendations, standards and sound practices set out in a range of IOSCO reports on managing trading risk, outsourcing, critical systems and business continuity plans, including:

(a) Mechanisms for trading venues to effectively manage electronic trading risks and plans for business continuity, FR31/2015 (IOSCO Report FR31/2015);

(b) Market intermediary business continuity and recovery planning, FR32/2015 (IOSCO Report FR32/2015);

(c) Regulatory issues raised by the impact of technological changes on market integrity and efficiency, final report, FR09/11 (IOSCO Report FR09/11) and corresponding consultation paper CR02/11;

(d) Principles on outsourcing by markets, final report, July 2009; and

(e) Principles on outsourcing of financial services for market intermediaries, final report, February 2005.

The Rules are also based on international regulatory experiences and approaches including:

(a) the EU’s General Data Protection Regulation (EU) 2016/679 (GDPR) on data protection and privacy;

(b) the SEC’s Regulation Systems Compliance and Integrity (Reg SCI), which was introduced in 2014 to strengthen the technology infrastructure of the US securities markets; and

(c) the FCA/Bank of England joint discussion paper released in 2018 on building the UK financial sector’s operational resilience.

Alignment with APRA’s prudential standards

APRA is conducting a comprehensive review of its prudential requirements for operational resilience. This is expected to include revisions to the existing Prudential Standard CPS 231 Outsourcing and Prudential Standard CPS 232 Business Continuity Management and set expectations for operational risk management. These standards will form part of a suite of standards covering operational resilience, which also includes Prudential Standard CPS 234 Information Security which was updated in 2019.

We have worked closely with APRA to align the Rules and the APRA prudential standards. APRA expects to publicly consult on its revised standards in Q2 2022.

Alignment with the ASIC Act

The Rules for market operators and market participants are consistent with ASIC's regulatory responsibilities under the Australian Securities and Investments Commission Act 2001 to:

(a) maintain, facilitate and improve the performance of the financial system and the entities within that system in the interests of commercial certainty, reducing business costs, and the efficiency and development of the economy;

(b) promote the confident and informed participation of investors and consumers in the financial system; and

(c) consider the effects that the performance of its functions and the exercise of its powers will have on competition in the financial system.

COVID-19 pandemic

The COVID-19 pandemic has more broadly highlighted the need to promote resilience in operational activities and to maintain business continuity in situations where external and often unforeseen shocks impact firms and their service providers. Resilient market operators and market participants are essential to the integrity of Australia’s securities and futures markets.

The Rules require market operators and market participants to:

(a) have adequate arrangements to ensure the resilience, reliability, integrity and security of their critical business services. Critical business services in this context include infrastructure, functions and processes, including the technological systems of a market operator or a market participant;

(b) have adequate arrangements following the implementation of a new critical business service or a change to an existing critical business service;

(c) have arrangements in relation to the outsourcing of their critical business services;

(d) have adequate arrangements to ensure the confidentiality, integrity and security of information;

(e) establish, implement and maintain business continuity plans for effectively responding to a major event. A major event is an event that would, or would be likely to, cause significant disruption to their market-related operations or materially impact their market-related services; and

(f) have appropriate governance arrangements and adequate financial, technological and human resources to comply with their obligations under the Rules.

The Rules also require market operators, but not market participants, to have controls, including automated controls, that enable the immediate suspension, limitation or prohibition of the entry of trading messages by a market participant where required for the purposes of ensuring the market is fair, orderly and transparent.

Consultation

We consulted publicly with industry in Consultation Paper 314 Market Integrity rules for technological and operational resilience (CP 314). We sought feedback on the Rules, as well as the financial, compliance, competition and other impacts of the proposals.

We received 22 written submissions to CP 314 from stakeholders including market operators, market participants, industry bodies and associations, service providers and the public. The submissions were broadly supportive of the Rules and recognised the importance of robust and resilient critical business services. We amended the Rules, where appropriate, to reflect feedback received.

Following the formal consultation process, we engaged in further bilateral consultation with several market operators, market participants and industry bodies, including the Australian Financial Markets Association and the Stockbrokers and Financial Advisers Association, to seek further clarity on their submissions. We also consulted further with APRA to seek to align the Rules with APRA’s prudential standards.

The Rules incorporate the following amendments made in response to the feedback on the proposals consulted upon in CP 314:

(a) the proposed six-month transition period was extended to 12 months and applies to all the Rules;

(b) the reference to ‘critical systems’ was replaced with ‘critical business services’ to better reflect the intention behind the way the phrase was defined (i.e. not just systems but relevant functions, infrastructure and processes). It is also more consistent with APRA standards and guidance issued by international regulators;

(c) the requirement to test any changes to existing critical systems was amended to apply to new critical business services or where there are material changes. This aligns more closely with the equivalent APRA standard, which requires testing of business continuity plans at least annually or more frequently if there are material changes to business operations;

(d) the requirement for the outsourcing agreement to provide that service providers obtain written approval from market operators and market participants before outsourcing or making material changes to their systems was replaced with a ‘written notification’ requirement;

(e) the attestation with regard to outsourcing arrangements may be provided by the entity’s board or a director or a senior manager, rather than the entity’s board and senior management as initially proposed;

(f) the reference to ‘data’ was replaced with ‘information’ to better reflect the intention of the proposed rule and to align with APRA standards;

(g) the requirement for market participants and market operators to have an incident management plan was removed as it may have been too burdensome for smaller market participants, and because we think business continuity plans will be sufficient;

(h) the requirement for market operators to test their business continuity plan arrangements quarterly was amended to require annual testing to reduce regulatory burden, costs and potential operational risk; and

(i) the requirement for the board and senior management to have oversight of the business continuity plan was amended to require board or senior management oversight.

Operation of the instrument

Unless otherwise indicated, capitalised terms in this Explanatory Statement have the same meaning as in the Securities Markets Rules and the Futures Markets Rules.

Part 1 – Preliminary

Name of legislative instrument

Section 1 of Part 1 of the Amendment Instrument provides that the name of the Amendment Instrument is the ASIC Market Integrity Rules (Securities Markets and Futures Markets) Amendment Instrument 2022/74.

Commencement

Section 2 of Part 1 of the Amendment Instrument provides that the Amendment Instrument commences on the day that is 12 months after the day it is registered on the Federal Register of Legislation.

Authority

Section 3 of Part 1 of the Amendment Instrument provides that the Amendment Instrument is made under subsection 798G(1) of the Corporations Act.

Schedules

Section 4 of Part 1 of the Amendment Instrument provides that each instrument that is specified in a Schedule to the Amendment Instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to the Amendment Instrument has effect according to its terms.

Repeal of amending and repealing instruments

Section 5 of Part 1 of the Amendment Instrument provides that:

(1)  the repeal of an instrument by section 4 of the Amendment Instrument does not affect any amendment to or repeal of another instrument (however described) made by the instrument; and

(2)  subsection (1) does not limit the effect of section 7 of the Acts Interpretation Act 1901 as it applies to the repeal of an instrument by section 4 of the Amendment Instrument.

Schedule 1—Amendments to the ASIC Market Integrity Rules (Securities Markets) 2017

Rule 9.1.3

Item 1 of Schedule 1 of the Amendment Instrument repeals Rule 9.1.3.

Chapters 8A and 8B

Item 2 of Schedule 1 of the Amendment Instrument inserts Chapters 8A and 8B into the Securities Markets Rules as follows:

Chapter 8A: Market operators – Critical Business Services, Information Security and Business Continuity Plans

Part 8A.1 Application and Definitions

Rule 8A.1.1 Application of Chapter

Rule 8A.1.1 provides that the Chapter applies to:

(a) the operator of a Market on or through which offers to acquire or dispose of Equity Market Products are made or accepted; and

(b) the operator of a CGS Market.

Rule 8A.1.2 Definitions

Rule 8A.1.2 provides definitions for the following terms used in Chapter 8A:

· “Business Continuity Plans”
· “Critical Business Services”
· “Critical Business Services Arrangements”
· “Incident”
· “Information Asset”
· “Major Event”
· “Market Operations”
· “Market Services”
· “Operator”
· “Outsourcing Arrangement”
· “Participant”
· “Service Provider”

Part 8A.2 Trading Controls

Rule 8A.2.1 Operator to have trading controls

Rule 8A.2.1 provides that an Operator must have controls, including automated controls, that enable immediate suspension, limitation or prohibition of the entry by a Participant of Trading Messages where required for the purposes of ensuring the Market or CGS Market (as the case may be) is fair, orderly and transparent.

Part 8A.3 Critical Business Services

Rule 8A.3.1 Resilience, reliability, integrity and security

Adequate arrangements

Rule 8A.3.1(1) provides that an Operator must have adequate arrangements (Critical Business Services Arrangements) to ensure the resilience, reliability, integrity and security of its Critical Business Services.

The note at the end of subrule 8A.3.1(1) sets out non-exhaustive examples of arrangements that an Operator must have to ensure the resilience, reliability, integrity and security of its Critical Business Services. These arrangements would generally include, but are not limited to, policies, procedures and organisational resources including financial, human and technological resources.

Subrule 8A.3.1(2) provides that, without limiting subrule 8A.3.1(1), an Operator’s Critical Business Services Arrangements must include arrangements for all of the following:

(a) identifying Critical Business Services;

(b) identifying, assessing, managing and monitoring for any risks to the resilience, reliability, integrity and security of Critical Business Services;

(c) ensuring Critical Business Services have sufficient and scalable capacity for ongoing and planned Market Operations and Market Services;

(d) preventing unauthorised access to or use of Critical Business Services;

(e) managing the implementation of new Critical Business Services and of changes to existing Critical Business Services in accordance with Rule 8A.3.2;

(f) dealing with a Major Event affecting Critical Business Services in accordance with Part 8A.5 of the Rules; and

(g) managing Outsourcing Arrangements in relation to Critical Business Services in accordance with Rule 8A.3.3.

Review and change of arrangements

Subrule 8A.3.1(3) provides that an Operator must undertake a review of its Critical Business Services Arrangements: (a) following each material change to its Critical Business Services; and (b) at least once every 12 months.

Subrule 8A.3.1(3) also provides that an Operator must apply recommended changes to its Critical Business Services Arrangements arising from this review to ensure that they comply with subrules 8A.3.1(1) and 8A.3.1(2).

Documentation of arrangements

Subrule 8A.3.1(4) provides that an Operator must document its Critical Business Services Arrangements, the scope and results of each review performed in accordance with subrule 8A.3.1(3) and any changes applied to the Critical Business Services Arrangements as a result of the review or otherwise.

Subrule 8A.3.1(4) also provides that an Operator must maintain that documentation for a period of at least seven years from the later of the date it is created or the date it is last amended.

Rule 8A.3.2 Change management for Critical Business Services

Subrule 8A.3.2(1) provides that an Operator must have adequate arrangements to ensure that its Critical Business Services Arrangements continue to comply with subrule 8A.3.1(1) following the implementation of a new Critical Business Service or of a change to an existing Critical Business Service.

Subrule 8A.3.2(2) provides that, without limiting subrule 8A.3.2(1), the arrangements referred to in subrule 8A.3.2(1) must include arrangements for all of the following:

(a) testing new Critical Business Services or material changes to existing Critical Business Services before implementation;

(b) communicating with persons that may be materially impacted by the implementation for the purposes of ensuring those persons are adequately informed about the nature, timing and impact of the implementation a reasonable time before it occurs; and

(c) ensuring, to the extent reasonably practicable, that persons that may be materially impacted by the implementation are adequately prepared for the implementation before it occurs.

The note at the end of subrule 8A.3.2(2) sets out non-exhaustive examples of persons that may be materially impacted by the implementation of a new Critical Business Service or of a change to an existing Critical Business Service. This may include ASIC, Participants, other Operators and the operators of licensed clearing and settlement facilities.

Subrule 8A.3.2(3) provides that, without limiting paragraph 8A.3.2(2)(b), an Operator must give written notice of the proposed implementation to ASIC a reasonable time before the implementation.

Rule 8A.3.3 Outsourcing of Critical Business Services

Subrule 8A.3.3(1) provides that an Operator that enters into an Outsourcing Arrangement must do all of the following:

(a) before entering into the Outsourcing Arrangement, conduct due diligence enquiries for the purposes of ensuring the Service Provider has the ability and capacity to provide the services covered by the Outsourcing Arrangement effectively;

(b) ensure that the Outsourcing Arrangement is contained in a documented legally binding agreement between the Operator and the Service Provider that:

(i) sets out the nature, scope and quality of the services to be provided under the Outsourcing Arrangement;

(ii) requires the Service Provider to give written notice to the Operator before the Service Provider:

A. enters into any arrangement with another person (Sub-Contractor) under which the Sub-Contractor will provide services material to the provision by the Service Provider of the services covered by the Outsourcing Arrangement; and

B. makes any other material change to the manner in which the services covered by the Outsourcing Arrangement are provided;

(iii) deals with the circumstances and manner in which the Outsourcing Arrangement may be terminated; and

(iv) provides for the orderly transfer of services provided under the Outsourcing Arrangement to the Operator or another Service Provider in the event of termination of the Outsourcing Arrangement;

(c) while the Outsourcing Arrangement is in place, monitor the performance of the Service Provider to ensure that the Service Provider is providing the services covered by the Outsourcing Arrangement effectively and has the ability and capacity to continue to provide those services effectively;

(d) have in place adequate arrangements to identify and manage any conflicts of interest that have been identified or could arise between the Operator and the Service Provider, including conflicts involving Sub-Contractors and related entities of the Operator, the Service Provider and any Sub-Contractor;

(e) have in place adequate arrangements to ensure the Operator is able to comply with its obligations under the Act and the Rules in relation to the Critical Business Services that are the subject of an Outsourcing Arrangement including, without limitation, arrangements with the Service Provider to:

(i) ensure the resilience, reliability, integrity and security of those Critical Business Services in accordance with Rule 8A.3.1;

(ii) ensure the confidentiality, integrity and availability of information obtained, held or used by the Operator in relation to those Critical Business Services in accordance with Part 8A.4 of the Rules; and

(iii) deal with a Major Event in accordance with Part 8A.5 of the Rules;

The note at the end of subrule 8A.3.3(1)(e) sets out non-exhaustive examples of the arrangements that an Operator may have in place to ensure compliance with subrule 8A.3.3(1)(e), which include requirements on the Service Provider as set out in the note.

(f) ensure that the Operator and its auditors are able to promptly, upon request, access books, records and other information of the Service Provider relating to the Critical Business Services;

(g) ensure that ASIC has the same access to all books, records and other information relating to the Critical Business Services and maintained by the Service Provider that ASIC would have if not for the Outsourcing Arrangement; and

(h) ensure that, for each Outsourcing Arrangement, the Operator’s Board or a director or senior manager has confirmed that the Operator has complied with its obligations in this subrule and has made a written attestation to that effect.

Subrule 8A.3.3(2) provides that the Operator must comply with subrule 8A.3.3(1) in a manner that is appropriate to: (a) the nature, complexity and risks of the Outsourcing Arrangement; and (b) the materiality of the Outsourcing Arrangement to the Operator’s Market Operations and Market Services.

Subrule 8A.3.3(3) provides that, in determining for the purposes of subrule 8A.3.3(1) whether the Service Provider has the ability and capacity to provide the services covered by the Outsourcing Arrangement effectively, the Operator must take into account the extent to which the Service Provider is providing the same or similar services to other Operators and Participants.

Subrule 8A.3.3(4) provides that an Operator must give written notice to ASIC as soon as practicable after the Operator enters into an Outsourcing Arrangement, and in any event no later than 20 business days after entering into the Outsourcing Arrangement.

Part 8A.4 Information security

Rule 8A.4.1 Information security

Subrule 8A.4.1(1) provides that an Operator must have adequate arrangements to ensure the confidentiality, integrity and availability of information obtained, held or used by the Operator in relation to its Market Operations and Market Services.

Subrule 8A.4.1(2) provides that, without limiting subrule 8A.4.1(1), the arrangements referred to in subrule 8A.4.1(1) must include all of the following:

(a) arrangements to identify and document Information Assets that are integral to the provision of the Operator’s Market Operations and Market Services;

(b) controls, including automated controls, designed to prevent unauthorised access to Information Assets;

(c) controls for identifying, assessing, managing and monitoring for unauthorised access to Information Assets; and

(d) arrangements designed to protect Information Assets from theft, loss or corruption.

Subrule 8A.4.1(3) provides that an Operator must have adequate arrangements to ensure the availability of access to data obtained, held or used by the Operator in its Market Operations and Market Services.

Subrule 8A.4.1(4) provides that, without limiting subrule 8A.4.1(3), the arrangements referred to in subrule 8A.4.1(3) must include arrangements designed to provide for the backup of the data and the timely recovery of the data in the event of any theft, corruption or loss of the data.

Subrule 8A.4.1(5) provides that an Operator must notify ASIC in writing, as soon as possible and in any case no later than 72 hours after becoming aware of: (a) any unauthorised access to or use of its Critical Business Services that impacts the effective operation or delivery of those services; or (b) any unauthorised access to or use of market-sensitive, confidential or personal information.

Part 8A.5 Business Continuity Plans

Rule 8A.5.1 Business continuity

Business Continuity Plans

Rule 8A.5.1 provides requirements for Operators to have Business Continuity Plans. These are defined in subrule 8A.5.1(1) as plans for effectively responding to a Major Event. A Major Event is defined in subrule 8A.5.1(1) as an event that would or would be likely to cause significant disruption to an Operator’s Market Operations or materially impact the Operator’s Market Services.

Subrule 8A.5.1(1) provides that an Operator must establish, implement and maintain Business Continuity Plans for effectively responding to a Major Event.

The note at the end of subrule 8A.5.1(1) provides examples of what may be considered a Major Event. This includes the failure of or disruption to a Critical Business Service, including one operated by a Service Provider, or an event such as a pandemic or influenza event, natural disaster, cyber-attack or power failure.

Subrule 8A.5.1(2) provides that an Operator’s Business Continuity Plans must be designed to enable:

(a)    continuity of the usual operation of the Operator’s Critical Business Services, Market Operations and Market Services during a Major Event; and

 

(b)   to the extent continuation of the usual operation of the Operator’s Critical Business Services, Market Operations and Market Services during a Major Event is not possible, timely and orderly restoration of those usual operations following the Major Event.

Subrule 8A.5.1(3) provides that an Operator’s Business Continuity Plans must be appropriate to the nature, scale and complexity of the Operator’s Critical Business Services, Market Operations and Market Services and to the Operator’s structure and location.

 

Subrule 8A.5.1(4) provides that, without limiting subrules 8A.5.1(1) to (3), the Operator’s Business Continuity Plans must identify and address all of the following:

 

(a)    the types of Major Events that may impact the Operator’s Critical Business Services, Market Operations and Market Services;

 

(b)   activation procedures including trigger conditions for enacting the Operator’s Business Continuity Plans;

 

(c)    the potential impact Major Events may have on the Operator’s Critical Business Services, Market Operations and Market Services;

 

(d)   the classification of types of Major Events according to the potential severity of the impacts referred to in paragraph 8A.5.1(4)(c);

 

(e)    escalation procedures that are appropriate to the classification referred to in paragraph 8A.5.1(4)(d);

 

(f)    the actions, arrangements and resources required to achieve the outcomes referred to in subrule 8A.5.1(2);

 

The note at the end of subrule 8A.5.1(4)(f) sets out non-exhaustive examples of the actions, arrangements and resources covered by subrule 8A.5.1(4)(f). This includes key operational functions and processes, staff, alternate suppliers/service providers, technology, alternative premises and other physical infrastructure.

 

(g)   specific objectives for the time taken to achieve the outcomes referred to in paragraph 8A.5.1(2)(b);

 

(h)   procedures for communicating during a Major Event with persons that may be impacted by the Major Event, for the purposes of ensuring those persons are adequately informed about:

 

(i)     the nature and impact of the Major Event;

 

(ii)   the steps that are being taken or will be taken to manage the Major Event;

 

(iii) the likely timing of the steps referred to in subparagraph (ii); and

 

(iv) the likely timing of the resumption of the usual operation of the Operator’s Critical Business Services, Market Operations and Market Services; and

 

(i)     any operational dependencies between the Operator and any other person that may affect the matters referred to in paragraphs 8A.5.1(4)(a) to (h).

 

Subrule 8A.5.1(5) provides that, without limiting paragraph 8A.5.1(4)(i), an Operator must have in place adequate arrangements to ensure that the Operator is able to carry out its Business Continuity Plans with respect to any Critical Business Services the subject of an Outsourcing Arrangement.

 

Notification of an Incident or Major Event

 

Subrule 8A.5.1(6) provides that, without limiting paragraph 8A.5.1(4)(h), an Operator must:

(a)    notify ASIC immediately upon becoming aware of either: an unexpected disruption to the usual operation of the Operator’s Critical Business Services that may interfere with the fair, orderly or transparent operation of any Market or CGS Market (an Incident); or a Major Event; and

 

(b)   notify other Operators, operators of Clearing Facilities and Participants that may be impacted by an Incident or a Major Event, as soon as practicable after becoming aware of the Incident or Major Event.

Subrule 8A.5.1(7) provides that, if a notification is made under subrule 8A.5.1(6), the Operator must within seven days of the notification provide ASIC with a written report detailing the circumstances of the Incident or Major Event, and the steps taken to manage the Incident or Major Event.

 

Review, update and testing of plans

 

Subrule 8A.5.1(8) provides that an Operator must:

 

(a)    review and test its Business Continuity Plans and the arrangements referred to in subrule 8A.5.1(5):

 

(i)     at a frequency and in a manner appropriate to the nature, scale and complexity of the Operator’s Critical Business Services, Market Operations and Market Services and to the Operator’s structure and location; and

 

(ii)   at a minimum:

 

A.    each time there is a material change to the Operator’s Critical Business Services, Market Operations and Market Services or to the Operator’s structure and location;  

 

B.     as soon as practicable after the occurrence of a Major Event; and

 

C.     once every 12 months; and

 

(b)   update the Business Continuity Plans as required to ensure they comply with subrules 8A.5.1(1) to (4).

Documentation of plans and testing

Subrule 8A.5.1(9) provides that an Operator must document:

(a)    its Business Continuity Plans; and

(b)   the scope and results of all reviews and testing performed in accordance with subrule 8A.5.1(8).

Subrule 8A.5.1(9) also provides that the documentation required by subrule 8A.5.1(9) must be maintained for a period of at least seven years from the later of the date it is created or the date it is last amended.

 

Part 8A.6 Governance

 

Rule 8A.6.1 Responsibility for compliance

Subrule 8A.6.1(1) provides that an Operator must have appropriate governance arrangements and adequate financial, technological and human resources to comply with its obligations under Chapter 8A.

Subrule 8A.6.1(2) provides that, without limiting subrule 8A.6.1(1), the arrangements referred to in that subrule must include arrangements for the Operator’s Board or senior management to have oversight of the establishment, implementation, maintenance, review, testing and documentation of the Operator’s Business Continuity Plans.

 

Chapter 8B: Market Participants—Critical Business Services, Information Security and Business Continuity Plans

 

Part 8B.1 Application and Definitions

 

Rule 8B.1.1 Application of Chapter

 

Rule 8B.1.1 provides that the Chapter applies to:

 

(a)    Participants of a Market on or through which offers to acquire or dispose of Equity Market Products are made or accepted;

 

(b)   CGS Market Participants.

 

Rule 8B.1.2 Definitions

Rule 8B.1.2 provides definitions for the following terms used in Chapter 8B:

·         “Business Continuity Plans”

·         “Critical Business Services”

·         “Critical Business Services Arrangements”

·         “Information Asset”

·         “Major Event”

·         “Operator”

·         “Outsourcing Arrangement”

·         “Participant”

·         “Participant Operations”

·         “Participant Services”

·         “Service Provider”

 

Part 8B.2 Critical Business Services

 

Rule 8B.2.1 Resilience, reliability, integrity and security

Adequate arrangements

Rule 8B.2.1(1) provides that a Participant must have adequate arrangements (Critical Business Services Arrangements) to ensure the resilience, reliability, integrity and security of its Critical Business Services.

The note at the end of subrule 8B.2.1(1) sets out non-exhaustive examples of arrangements that a Participant must have to ensure the resilience, reliability, integrity and security of its Critical Business Services. These arrangements would generally include, but are not limited to, policies, procedures and organisational resources including financial, human and technological resources.

Subrule 8B.2.1(2) provides that, without limiting subrule 8B.2.1(1), a Participant’s Critical Business Services Arrangements must include arrangements for all of the following:

(a)    identifying Critical Business Services;

 

(b)   identifying, assessing, managing and monitoring for any risks to the resilience, reliability, integrity and security of Critical Business Services;

 

(c)    ensuring Critical Business Services have sufficient and scalable capacity for the Participant’s ongoing and planned Participant Operations and Participant Services;

 

(d)   preventing unauthorised access to or use of Critical Business Services;

 

(e)    managing the implementation of new Critical Business Services and of changes to existing Critical Business Services in accordance with Rule 8B.2.2;

 

(f)    dealing with a Major Event affecting Critical Business Services in accordance with Part 8B.4 of the Rules; and

 

(g)   managing Outsourcing Arrangements in relation to Critical Business Services in accordance with Rule 8B.2.3.

Review and change of arrangements

Subrule 8B.2.1(3) provides that a Participant must undertake a review of its Critical Business Services Arrangements following each material change to its Critical Business Services and at least once every 12 months.

Subrule 8B.2.1(3) also provides that a Participant must apply recommended changes to its Critical Business Services Arrangements arising from this review to ensure that they comply with subrules 8B.2.1(1) and 8B.2.1(2).

Documentation of arrangements

Subrule 8B.2.1(4) provides that a Participant must document its Critical Business Services Arrangements, the scope and results of each review performed in accordance with subrule 8B.2.1(3) and any changes applied to the Critical Business Services Arrangements as a result of the review or otherwise.

Subrule 8B.2.1(4) also provides that a Participant must maintain that documentation for a period of at least seven years from the later of the date it is created or the date it is last amended.

Rule 8B.2.2 Change management for Critical Business Services

 

Subrule 8B.2.2(1) provides that a Participant must have adequate arrangements to ensure that its Critical Business Services Arrangements continue to comply with subrule 8B.2.1(1) following the implementation of a new Critical Business Service or of a change to an existing Critical Business Service.

 

Subrule 8B.2.2(2) provides that, without limiting subrule 8B.2.2(1), the arrangements referred to in that subrule must include arrangements for all of the following:

 

(a)    testing new Critical Business Services or material changes to existing Critical Business Services before implementation;

 

(b)   communicating with persons that may be materially impacted by the implementation for the purposes of ensuring those persons are adequately informed about the nature, timing and impact of the implementation a reasonable time before it occurs; and

 

(c)    ensuring, to the extent reasonably practicable, that persons that may be materially impacted by the implementation are adequately prepared for the implementation before it occurs.

 

The note at the end of subrule 8B.2.2(2) sets out non-exhaustive examples of persons that may be materially impacted by the implementation of a new Critical Business Service or of a change to an existing Critical Business Service. This may include ASIC, other Participants, Operators and the operators of licensed clearing and settlement facilities.

 

Rule 8B.2.3 Outsourcing of Critical Business Services

 

Subrule 8B.2.3(1) provides that a Participant that enters into an Outsourcing Arrangement, must do all of the following:

 

(a)    before entering into the Outsourcing Arrangement, conduct due diligence enquiries for the purposes of ensuring the Service Provider has the ability and capacity to provide the services covered by the Outsourcing Arrangement effectively;

 

(b)   ensure that the Outsourcing Arrangement is contained in a documented legally binding agreement between the Participant and the Service Provider, that:

 

(i)       sets out the nature, scope and quality of the services to be provided under the Outsourcing Arrangement;

 

(ii)     requires the Service Provider to give written notice to the Participant before the Service Provider:

 

A.    enters into any arrangement with another person (Sub-Contractor) under which the Sub-Contractor will provide services material to the provision by the Service Provider of the services covered by the Outsourcing Arrangement; and

 

B.     makes any other material change to the manner in which the services covered by the Outsourcing Arrangement are provided;

 

(iii)   deals with the circumstances and manner in which the Outsourcing Arrangement may be terminated; and

 

(iv)   provides for the orderly transfer of services provided under the Outsourcing Arrangement to the Participant or another Service Provider in the event of termination of the Outsourcing Arrangement;

 

(c)    while the Outsourcing Arrangement is in place, monitor the performance of the Service Provider to ensure that the Service Provider is providing the services covered by the Outsourcing Arrangement effectively and has the ability and capacity to continue to provide those services effectively;

 

(d)   have in place adequate arrangements to identify and manage any conflicts of interest that have been identified or could arise between the Participant and the Service Provider, including conflicts involving Sub-Contractors and related entities of the Participant, Service Provider and any Sub-Contractor;

 

(e)    have in place adequate arrangements to ensure the Participant is able to comply with its obligations under the Act and the Rules in relation to the Critical Business Services the subject of an Outsourcing Arrangement including, without limitation, arrangements with the Service Provider to:

 

(i)     ensure the resilience, reliability, integrity and security of those Critical Business Services in accordance with Rule 8B.2.1;

 

(ii)   ensure the confidentiality, integrity and availability of information obtained, held or used by the Participant in relation to those Critical Business Services in accordance with Part 8B.3 of the Rules; and

 

(iii) deal with a Major Event in accordance with Part 8B.4 of the Rules;

 

The note at the end of paragraph 8B.2.3(1)(e) sets out non-exhaustive examples of the arrangements that a Participant may have in place to ensure compliance with paragraph 8B.2.3(1)(e), which include requirements on the Service Provider as set out in the note.

 

(f)    ensure that the Participant and its auditors are able to promptly, upon request, access books, records and other information of the Service Provider relating to the Critical Business Services;

 

(g)   ensure that ASIC has the same access to all books, records and other information relating to the Critical Business Services and maintained by the Service Provider, that ASIC would have if not for the Outsourcing Arrangement; and

 

(h)   ensure that, for each Outsourcing Arrangement, the Participant’s Board or a director or senior manager has confirmed that the Participant has complied with its obligations under this subrule and has made a written attestation to that effect.

 

Subrule 8B.2.3(2) provides that the Participant must comply with subrule 8B.2.3(1) in a manner that is appropriate to the nature, complexity and risks of the Outsourcing Arrangement and the materiality of the Outsourcing Arrangement to the Participant’s Participant Operations and Participant Services.

 

Subrule 8B.2.3(3) provides that, for the purposes of subrule 8B.2.3(1), in determining whether the Service Provider has the ability and capacity to provide the services covered by the Outsourcing Arrangement effectively, the Participant must take into account the extent to which the Service Provider is providing the same or similar services to other Participants.

 

Part 8B.3 Information Security

 

Rule 8B.3.1 Information security

 

Subrule 8B.3.1(1) provides that a Participant must have adequate arrangements to ensure the confidentiality, integrity and availability of information obtained, held or used by the Participant in relation to its Participant Operations and Participant Services.

 

Subrule 8B.3.1(2) provides that, without limiting subrule 8B.3.1(1), the arrangements referred to in that subrule must include all of the following:

 

(a)    arrangements to identify and document Information Assets that are integral to the provision of the Participant’s Participant Operations and Participant Services;

 

(b)   controls, including automated controls, designed to prevent unauthorised access to Information Assets;

 

(c)    controls for identifying, assessing, managing and monitoring for unauthorised access to Information Assets; and

 

(d)   arrangements designed to protect Information Assets from theft, loss or corruption.

 

Subrule 8B.3.1(3) provides that a Participant must have adequate arrangements to ensure the availability of access to data obtained, held or used by the Participant in its Participant Operations and Participant Services.

Subrule 8B.3.1(4) provides that, without limiting subrule 8B.3.1(3), the arrangements referred to in that subrule must include arrangements designed to provide for the backup of the data and the timely recovery of the data in the event of any theft, corruption or loss of the data.

Subrule 8B.3.1(5) provides that a Participant must maintain, for a period of at least seven years after the relevant event, records of any:

 

(a)    unauthorised access to or use of its Critical Business Services that impacts the effective operation or delivery of those services; or

 

(b)   unauthorised access to or use of market-sensitive, confidential or personal information.

 

Part 8B.4 Business Continuity Plans

 

Rule 8B.4.1 Business continuity

 

Business Continuity Plans

Rule 8B.4.1 provides requirements for Participants to have Business Continuity Plans. These are defined in subrule 8B.4.1(1) as plans for effectively responding to a Major Event. A Major Event is defined in subrule 8B.4.1(1) as an event that would or would be likely to cause significant disruption to a Participant’s Participant Operations or materially impact the Participant’s Participant Services.

Subrule 8B.4.1(1) provides that a Participant must establish, implement and maintain Business Continuity Plans for effectively responding to a Major Event.

The note at the end of subrule 8B.4.1(1) provides examples of what may be considered a Major Event. This includes the failure of or disruption to a Critical Business Service, including one operated by a Service Provider, or an event such as a pandemic or influenza event, natural disaster, cyber-attack or power failure.

 

Subrule 8B.4.1(2) provides that a Participant’s Business Continuity Plans must be designed to enable:

 

(a)    continuity of the usual operation of the Participant’s Critical Business Services, Participant Operations and Participant Services during a Major Event; and

 

(b)   to the extent continuation of the usual operation of the Participant’s Critical Business Services, Participant Operations and Participant Services during a Major Event is not possible, timely and orderly restoration of those usual operations following the Major Event.

 

Subrule 8B.4.1(3) provides that a Participant’s Business Continuity Plans must be appropriate to the nature, scale and complexity of the Participant’s Critical Business Services, Participant Operations and Participant Services and to the Participant’s structure and location.

 

Subrule 8B.4.1(4) provides that, without limiting subrules 8B.4.1(1) to (3), the Participant’s Business Continuity Plans must identify and address all of the following:

 

(a)    the types of Major Events that may impact the Participant’s Critical Business Services, Participant Operations and Participant Services;

 

(b)   activation procedures including trigger conditions for enacting the Participant’s Business Continuity Plans;

 

(c)    the potential impact Major Events may have on the Participant’s Critical Business Services, Participant Operations and Participant Services;

 

(d)   the classification of types of Major Events according to the potential severity of the impacts referred to in paragraph 8B.4.1(4)(c);

 

(e)    escalation procedures that are appropriate to the classification referred to in paragraph 8B.4.1(4)(d);

 

(f)    the actions, arrangements and resources required to achieve the outcomes referred to in subrule 8B.4.1(2);

 

The note at the end of subrule 8B.4.1(4)(f) sets out non-exhaustive examples of the actions, arrangements and resources covered by subrule 8B.4.1(4)(f). This includes key operational functions and processes, staff, alternate suppliers/service providers, technology, alternative premises and other physical infrastructure.

 

(g)   specific objectives for the time taken to achieve the outcomes referred to in paragraph 8B.4.1(2)(b);

 

(h)   procedures for communicating during a Major Event with persons that may be impacted by the Major Event, for the purposes of ensuring those persons are adequately informed about:

 

(i)     the nature and impact of the Major Event;

 

(ii)   the steps that are being taken or will be taken to manage the Major Event;

 

(iii) the likely timing of the steps referred to in subparagraph (ii); and

 

(iv) the likely timing of the resumption of the usual operation of the Participant’s Critical Business Services, Participant Operations and Participant Services; and

 

(i)     any operational dependencies between the Participant and any other person that may affect the matters referred to in paragraphs 8B.4.1(4)(a) to (h).

Subrule 8B.4.1(5) provides that, without limiting paragraph 8B.4.1(4)(i), a Participant must have in place adequate arrangements to ensure that the Participant is able to carry out its Business Continuity Plans with respect to any Critical Business Services the subject of an Outsourcing Arrangement.

Notification of a Major Event

Subrule 8B.4.1(6) provides that, without limiting paragraph 8B.4.1(4)(h), a Participant must notify ASIC immediately upon becoming aware of a Major Event.

Subrule 8B.4.1(7) provides that, if a notification is made under subrule 8B.4.1(6), the Participant must within seven days of the notification provide ASIC with a written report detailing the circumstances of the Major Event and the steps taken to manage the Major Event.

Review, update and testing of plans

Subrule 8B.4.1(8) provides that a Participant must:

 

(a)     review and test its Business Continuity Plans and the arrangements referred to in subrule 8B.4.1(5):

 

(i)       at a frequency and in a manner appropriate to the nature, scale and complexity of the Participant’s Critical Business Services, Participant Operations and Participant Services and to the Participant’s structure and location; and

 

(ii)     at a minimum:

 

A.     each time there is a material change to the Participant’s Critical Business Services, Participant Operations and Participant Services or to the Participant’s structure and location;

 

B.      as soon as practicable after the occurrence of a Major Event; and

 

C.      once every 12 months; and

 

(b)   update the Business Continuity Plans as required to ensure they comply with subrules 8B.4.1(1) to (4).

 

Documentation of plans and testing

 

Subrule 8B.4.1(9) provides that a Participant must document:

(a)    its Business Continuity Plans; and

(b)   the scope and results of all reviews and testing performed in accordance with subrule 8B.4.1(8).

 

Subrule 8B.4.1(9) also provides that the documentation required by subrule 8B.4.1(9) must be maintained for a period of at least seven years from the later of the date it is created or the date it is last amended.

 

Part 8B.5 Governance

 

Rule 8B.5.1 Responsibility for compliance

Subrule 8B.5.1(1) provides that a Participant must have appropriate governance arrangements and adequate financial, technological and human resources to comply with its obligations under Chapter 8B.

Subrule 8B.5.1(2) provides that, without limiting subrule 8B.5.1(1), the arrangements referred to in that subrule must include arrangements for the Participant’s Board or senior management to have oversight of the establishment, implementation, maintenance, review, testing and documentation of the Participant’s Business Continuity Plans.

Schedule 2—Amendments to the ASIC Market Integrity Rules (Futures Markets) 2017

Chapters 8A and 8B

Item 1 of Schedule 2 of the Amendment Instrument inserts Chapters 8A and 8B into the Futures Markets Rules as follows:

 

Chapter 8A: Market operators – Critical Business Services, Information Security and Business Continuity Plans

 

Part 8A.1 Application and Definitions

 

Rule 8A.1.1 Application of Chapter

 

Rule 8A.1.1 provides that the Chapter applies to Market operators.

 

Rule 8A.1.2 Definitions

 

Rule 8A.1.2 provides definitions for the following terms used in Chapter 8A:

 

·         “Business Continuity Plans”

·         “Critical Business Services”

·         “Critical Business Services Arrangements”

·         “Incident”

·         “Information Asset”

·         “Major Event”

·         “Market Operations”

·         “Market Services”

·         “Outsourcing Arrangement”

·         “Service Provider”

 

Part 8A.2 Trading Controls

 

Rule 8A.2.1 Market Operator to have trading controls

 

Rule 8A.2.1 provides that a Market operator must have controls, including automated controls, that enable immediate suspension, limitation or prohibition of the entry by a Market Participant of Trading Messages where required for the purposes of ensuring the Market is fair, orderly and transparent.

 

Part 8A.3 Critical Business Services

 

Rule 8A.3.1 Resilience, reliability, integrity and security

 

Adequate arrangements

 

Rule 8A.3.1(1) provides that a Market operator must have adequate arrangements (Critical Business Services Arrangements) to ensure the resilience, reliability, integrity and security of its Critical Business Services.

 

The note at the end of subrule 8A.3.1(1) sets out non-exhaustive examples of arrangements that a Market operator must have to ensure the resilience, reliability, integrity and security of its Critical Business Services. These arrangements would generally include, but are not limited to, policies, procedures and organisational resources including financial, human and technological resources.

 

Subrule 8A.3.1(2) provides that, without limiting subrule 8A.3.1(1), a Market operator’s Critical Business Services Arrangements must include arrangements for all of the following:

 

(a)    identifying Critical Business Services;

 

(b)   identifying, assessing, managing and monitoring for any risks to the resilience, reliability, integrity and security of Critical Business Services;

 

(c)    ensuring Critical Business Services have sufficient and scalable capacity for ongoing and planned Market Operations and Market Services;

 

(d)   preventing unauthorised access to or use of Critical Business Services;

 

(e)    managing the implementation of new Critical Business Services and of changes to existing Critical Business Services in accordance with Rule 8A.3.2;

 

(f)    dealing with a Major Event affecting Critical Business Services in accordance with Part 8A.5 of the Rules; and

 

(g)   managing Outsourcing Arrangements in relation to Critical Business Services in accordance with Rule 8A.3.3.

Review and change of arrangements

Subrule 8A.3.1(3) provides that a Market operator must undertake a review of its Critical Business Services Arrangements following each material change to its Critical Business Services and at least once every 12 months.

Subrule 8A.3.1(3) also provides that a Market operator must apply recommended changes to its Critical Business Services Arrangements arising from this review to ensure that they comply with subrules 8A.3.1(1) and 8A.3.1(2).

Documentation of arrangements

Subrule 8A.3.1(4) provides that a Market operator must document its Critical Business Services Arrangements, the scope and results of each review performed in accordance with subrule 8A.3.1(3) and any changes applied to the Critical Business Services Arrangements as a result of the review or otherwise.

Subrule 8A.3.1(4) also provides that a Market operator must maintain that documentation for a period of at least seven years from the later of the date it is created or the date it is last amended.

Rule 8A.3.2 Change management for Critical Business Services

Subrule 8A.3.2(1) provides that a Market operator must have adequate arrangements to ensure that its Critical Business Services Arrangements continue to comply with subrule 8A.3.1(1) following the implementation of a new Critical Business Service or of a change to an existing Critical Business Service.

 

Subrule 8A.3.2(2) provides that, without limiting subrule 8A.3.2(1), the arrangements referred to in subrule 8A.3.2(1) must include arrangements for all of the following:

 

(a)    testing new Critical Business Services or material changes to existing Critical Business Services before implementation;

 

(b)   communicating with persons that may be materially impacted by the implementation for the purposes of ensuring those persons are adequately informed about the nature, timing and impact of the implementation a reasonable time before it occurs; and

 

(c)    ensuring, to the extent reasonably practicable, that persons that may be materially impacted by the implementation are adequately prepared for the implementation before it occurs.

The note at the end of subrule 8A.3.2(2) sets out non-exhaustive examples of persons that may be materially impacted by the implementation of a new Critical Business Service or of a change to an existing Critical Business Service. This may include ASIC, Market Participants, other Market operators and the operators of licensed clearing and settlement facilities.

 

Subrule 8A.3.2(3) provides that, without limiting paragraph 8A.3.2(2)(b), a Market operator must give written notice of the proposed implementation to ASIC a reasonable time before the implementation.

 

Rule 8A.3.3 Outsourcing of Critical Business Services

Subrule 8A.3.3(1) provides that a Market operator that enters into an Outsourcing Arrangement must do all of the following:

(a)    before entering into the Outsourcing Arrangement, conduct due diligence enquiries for the purposes of ensuring the Service Provider has the ability and capacity to provide the services covered by the Outsourcing Arrangement effectively;

(b)   ensure that the Outsourcing Arrangement is contained in a documented legally binding agreement between the Market operator and the Service Provider that:

(i)       sets out the nature, scope and quality of the services to be provided under the Outsourcing Arrangement;

(ii)     requires the Service Provider to give written notice to the Market operator before the Service Provider:

A.    enters into any arrangement with another person (Sub-Contractor) under which the Sub-Contractor will provide services material to the provision by the Service Provider of the services covered by the Outsourcing Arrangement; and

B.     makes any other material change to the manner in which the services covered by the Outsourcing Arrangement are provided;

(iii)   deals with the circumstances and manner in which the Outsourcing Arrangement may be terminated; and

(iv)   provides for the orderly transfer of services provided under the Outsourcing Arrangement to the Market operator or another Service Provider in the event of termination of the Outsourcing Arrangement;

(c)    while the Outsourcing Arrangement is in place, monitor the performance of the Service Provider to ensure that the Service Provider is providing the services covered by the Outsourcing Arrangement effectively and has the ability and capacity to continue to provide those services effectively;

(d)   have in place adequate arrangements to identify and manage any conflicts of interest that have been identified or could arise between the Market operator and the Service Provider, including conflicts involving Sub-Contractors and related entities of the Market operator, Service Provider and any Sub-Contractor;

(e)    have in place adequate arrangements to ensure the Market operator is able to comply with its obligations under the Act and the Rules in relation to the Critical Business Services that are the subject of an Outsourcing Arrangement including, without limitation, arrangements with the Service Provider to:

(i)     ensure the resilience, reliability, integrity and security of those Critical Business Services in accordance with Rule 8A.3.1;

(ii)   ensure the confidentiality, integrity and availability of information obtained, held or used by the Market operator in relation to those Critical Business Services in accordance with Part 8A.4 of the Rules; and

(iii) deal with a Major Event in accordance with Part 8A.5 of the Rules;

The note at the end of subrule 8A.3.3(1)(e) sets out non-exhaustive examples of the arrangements that a Market operator may have in place to ensure compliance with subrule 8A.3.3(1)(e), which includes requirements on the Service Provider as set out in the note.

(f)    ensure that the Market operator and its auditors are able to promptly, upon request, access books, records and other information of the Service Provider relating to the Critical Business Services;

(g)   ensure that ASIC has the same access to all books, records and other information relating to the Critical Business Services and maintained by the Service Provider, that ASIC would have if not for the Outsourcing Arrangement; and

(h)   ensure that for each Outsourcing Arrangement, the Market operator’s Board or a director or senior manager have confirmed that they have complied with the Market operator’s obligations in this subrule and have made a written attestation to that effect.

Subrule 8A.3.3(2) provides that the Market operator must comply with subrule 8A.3.3(1) in a manner that is appropriate to the nature, complexity and risks of the Outsourcing Arrangement and the materiality of the Outsourcing Arrangement to the Market operator’s Market Operations and Market Services.

Subrule 8A.3.3(3) provides that, in determining for the purposes of subrule 8A.3.3(1) whether the Service Provider has the ability and capacity to provide the services covered by the Outsourcing Arrangement effectively, the Market operator must take into account the extent to which the Service Provider is providing the same or similar services to other Market operators and Market Participants.

Subrule 8A.3.3(4) provides that a Market operator must give written notice to ASIC as soon as practicable after the Market operator enters into an Outsourcing Arrangement, and in any event no later than 20 business days after entering into the Outsourcing Arrangement.

Part 8A.4 Information security

Rule 8A.4.1 Information security

Subrule 8A.4.1(1) provides that a Market operator must have adequate arrangements to ensure the confidentiality, integrity and availability of information obtained, held or used by the Market operator in relation to its Market Operations and Market Services.

Subrule 8A.4.1(2) provides that, without limiting subrule 8A.4.1(1), the arrangements referred to in subrule 8A.4.1(1) must include all of the following:

(a)    arrangements to identify and document Information Assets that are integral to the provision of the Market operator’s Market Operations and Market Services;

(b)   controls, including automated controls, designed to prevent unauthorised access to Information Assets;

(c)    controls for identifying, assessing, managing and monitoring for unauthorised access to Information Assets; and

(d)   arrangements designed to protect Information Assets from theft, loss or corruption.

Subrule 8A.4.1(3) provides that a Market operator must have adequate arrangements to ensure the availability of access to data obtained, held or used by the Market operator in its Market Operations and Market Services.

Subrule 8A.4.1(4) provides that, without limiting subrule 8A.4.1(3), the arrangements referred to in subrule 8A.4.1(3) must include arrangements designed to provide for the backup of the data and the timely recovery of the data in the event of any theft, corruption or loss of the data.

Subrule 8A.4.1(5) provides that a Market operator must notify ASIC in writing, as soon as possible and, in any case, no later than 72 hours, after becoming aware of any unauthorised access to or use of its Critical Business Services that impacts the effective operation or delivery of those services, or unauthorised access to or use of market-sensitive, confidential or personal information.

Part 8A.5 Business Continuity Plans

Rule 8A.5.1 Business continuity

Business Continuity Plans

Rule 8A.5.1 provides requirements for Market operators to have Business Continuity Plans. These are defined in subrule 8A.5.1(1) as plans for effectively responding to a Major Event. A Major Event is defined in subrule 8A.5.1(1) as an event that would or would be likely to cause significant disruption to a Market operator’s Market Operations or materially impact the Market operator’s Market Services.

Subrule 8A.5.1(1) provides that a Market operator must establish, implement and maintain Business Continuity Plans for effectively responding to a Major Event.

The note at the end of subrule 8A.5.1(1) provides examples of what may be considered a Major Event. This includes the failure of or disruption to a Critical Business Service, including one operated by a Service Provider, or an event such as a pandemic or influenza event, natural disaster, cyber-attack or power failure.

Subrule 8A.5.1(2) provides that a Market operator’s Business Continuity Plans must be designed to enable:

(a)    continuity of the usual operation of the Market operator’s Critical Business Services, Market Operations and Market Services during a Major Event; and

(b)   to the extent continuation of the usual operation of the Market operator’s Critical Business Services, Market Operations and Market Services during a Major Event is not possible, timely and orderly restoration of those usual operations following the Major Event.

Subrule 8A.5.1(3) provides that a Market operator’s Business Continuity Plans must be appropriate to the nature, scale and complexity of the Market operator’s Critical Business Services, Market Operations and Market Services and to the Market operator’s structure and location.

Subrule 8A.5.1(4) provides that, without limiting subrules 8A.5.1(1) to (3), the Market operator’s Business Continuity Plans must identify and address all of the following:

(a)    the types of Major Events that may impact the Market operator’s Critical Business Services, Market Operations and Market Services;

(b)   activation procedures including trigger conditions for enacting the Market operator’s Business Continuity Plans;

(c)    the potential impact Major Events may have on the Market operator’s Critical Business Services, Market Operations and Market Services;

(d)   the classification of types of Major Events according to the potential severity of the impacts referred to in paragraph 8A.5.1(4)(c);

(e)    escalation procedures that are appropriate to the classification referred to in paragraph 8A.5.1(4)(d);

(f)    the actions, arrangements and resources required to achieve the outcomes referred to in subrule 8A.5.1(2);

The note at the end of subrule 8A.5.1(4)(f) sets out non-exhaustive examples of the actions, arrangements and resources covered by subrule 8A.5.1(4)(f). This includes key operational functions and processes, staff, alternate suppliers/service providers, technology, alternative premises and other physical infrastructure.

(g)   specific objectives for the time taken to achieve the outcomes referred to in paragraph 8A.5.1(2)(b);

(h)   procedures for communicating during a Major Event with persons that may be impacted by the Major Event, for the purposes of ensuring those persons are adequately informed about:

(i)     the nature and impact of the Major Event;

(ii)   the steps that are being taken or will be taken to manage the Major Event;

(iii) the likely timing of the steps referred to in subparagraph (ii); and

(iv) the likely timing of the resumption of the usual operation of the Market operator’s Critical Business Services, Market Operations and Market Services; and

(i)     any operational dependencies between the Market operator and any other person that may affect the matters referred to in paragraphs 8A.5.1(2)(a) to (h).

Subrule 8A.5.1(5) provides that, without limiting paragraph 8A.5.1(4)(i), a Market operator must have in place adequate arrangements to ensure that the Market operator is able to carry out its Business Continuity Plans with respect to any Critical Business Services the subject of an Outsourcing Arrangement.

Notification of an Incident or Major Event

Subrule 8A.5.1(6) provides that, without limiting paragraph 8A.5.1(4)(h), a Market operator must:

(a)    notify ASIC immediately upon becoming aware of an unexpected disruption to the usual operation of the Market operator’s Critical Business Services that may interfere with the fair, orderly or transparent operation of any Market or CGS Market (Incident), or of a Major Event; and

(b)   notify other Market operators, operators of Clearing Facilities and Market Participants that may be impacted by an Incident or a Major Event, as soon as practicable after becoming aware of the Incident or Major Event.

Subrule 8A.5.1(7) provides that, if a notification is made under subrule 8A.5.1(6), the Market operator must within seven days of the notification provide ASIC with a written report detailing the circumstances of the Incident or Major Event, and the steps taken to manage the Incident or Major Event.

Review, update and testing of plans

Subrule 8A.5.1(8) provides that a Market operator must:

(a)     review and test its Business Continuity Plans and the arrangements referred to in subrule 8A.5.1(5):

(i)     at a frequency and in a manner appropriate to the nature, scale and complexity of the Market operator’s Critical Business Services, Market Operations and Market Services and to the Market operator’s structure and location; and

(ii)   at a minimum:

A.     each time there is a material change to the Market operator’s Critical Business Services, Market Operations and Market Services or to the Market operator’s structure and location;

B.      as soon as practicable after the occurrence of a Major Event; and

C.     once every 12 months; and

(b)   update the Business Continuity Plans as required to ensure they comply with subrules 8A.5.1(1) to (4).

Documentation of plans and testing

Subrule 8A.5.1(9) provides that a Market operator must document:

(a)    its Business Continuity Plans; and

(b)   the scope and results of all reviews and testing performed in accordance with subrule 8A.5.1(8).

Subrule 8A.5.1(9) also provides that the documentation required by subrule 8A.5.1(9) must be maintained for a period of at least seven years from the later of the date it is created or the date it is last amended.

Part 8A.6 Governance

Rule 8A.6.1 Responsibility for compliance

Subrule 8A.6.1(1) provides that a Market operator must have appropriate governance arrangements and adequate financial, technological and human resources to comply with its obligations under Chapter 8A.

Subrule 8A.6.1(2) provides that, without limiting subrule 8A.6.1(1), the arrangements referred to in that subrule must include arrangements for the Market operator’s Board or senior management to have oversight of the establishment, implementation, maintenance, review, testing and documentation of the Market operator’s Business Continuity Plans.

Chapter 8B: Market Participants—Critical Business Services, Information Security and Business Continuity Plans

Part 8B.1 Application and Definitions

Rule 8B.1.1 Application of Chapter

Rule 8B.1.1 provides that the Chapter applies to Market Participants.

Rule 8B.1.2 Definitions

Rule 8B.1.2 provides definitions for the following terms used in Chapter 8B:

·         “Business Continuity Plans”

·         “Critical Business Services”

·         “Critical Business Services Arrangements”

·         “Information Asset”

·         “Major Event”

·         “Outsourcing Arrangement”

·         “Participant Operations”

·         “Participant Services”

·         “Service Provider”

Part 8B.2 Critical Business Services

Rule 8B.2.1 Resilience, reliability, integrity and security

Adequate arrangements

Subrule 8B.2.1(1) provides that a Market Participant must have adequate arrangements (Critical Business Services Arrangements) to ensure the resilience, reliability, integrity and security of its Critical Business Services.

The note at the end of subrule 8B.2.1(1) sets out non-exhaustive examples of arrangements that a Market Participant must have to ensure the resilience, reliability, integrity and security of its Critical Business Services. These arrangements would generally include, but are not limited to, policies, procedures and organisational resources including financial, human and technological resources.

Subrule 8B.2.1(2) provides that, without limiting subrule 8B.2.1(1), a Market Participant’s Critical Business Services Arrangements must include arrangements for all of the following:

(a)    identifying Critical Business Services;

(b)   identifying, assessing, managing and monitoring for any risks to the resilience, reliability, integrity and security of Critical Business Services;

(c)    ensuring Critical Business Services have sufficient and scalable capacity for the Market Participant’s ongoing and planned Participant Operations and Participant Services;

(d)   preventing unauthorised access to or use of Critical Business Services;

(e)    managing the implementation of new Critical Business Services and of changes to existing Critical Business Services in accordance with Rule 8B.2.2;

(f)    dealing with a Major Event affecting Critical Business Services in accordance with Part 8B.4 of the Rules; and

(g)   managing Outsourcing Arrangements in relation to Critical Business Services in accordance with Rule 8B.2.3.

Review and change of arrangements

Subrule 8B.2.1(3) provides that a Market Participant must undertake a review of its Critical Business Services Arrangements following each material change to its Critical Business Services and at least once every 12 months.

Subrule 8B.2.1(3) also provides that a Market Participant must apply recommended changes to their Critical Business Services Arrangements arising from this review to ensure that they comply with subrules 8B.2.1(1) and 8B.2.1(2).

Documentation of arrangements

Subrule 8B.2.1(4) provides that a Market Participant must document its Critical Business Services Arrangements, the scope and results of each review performed in accordance with subrule 8B.2.1(3) and any changes applied to the Critical Business Services Arrangements as a result of the review or otherwise.

Subrule 8B.2.1(4) also provides that a Market Participant must maintain that documentation for a period of at least seven years from the later of the date it is created or the date it is last amended.

Rule 8B.2.2 Change management for Critical Business Services

Subrule 8B.2.2(1) provides that a Market Participant must have adequate arrangements to ensure that its Critical Business Services Arrangements continue to comply with subrule 8B.2.1(1) following the implementation of a new Critical Business Service or of a change to an existing Critical Business Service.

Subrule 8B.2.2(2) provides that, without limiting subrule 8B.2.2(1), the arrangements referred to in that subrule must include arrangements for all of the following:

(a)    testing new Critical Business Services or material changes to existing Critical Business Services before implementation;

(b)   communicating with persons that may be materially impacted by the implementation for the purposes of ensuring those persons are adequately informed about the nature, timing and impact of the implementation a reasonable time before it occurs; and

(c)    ensuring, to the extent reasonably practicable, that persons that may be materially impacted by the implementation are adequately prepared for the implementation before it occurs.

The note at the end of subrule 8B.2.2(2) sets out non-exhaustive examples of persons that may be materially impacted by the implementation of a new Critical Business Service or of a change to an existing Critical Business Service. This may include ASIC, other Market Participants, Market operators and the operators of licensed clearing and settlement facilities.

Rule 8B.2.3 Outsourcing of Critical Business Services

Subrule 8B.2.3(1) provides that a Market Participant that enters into an Outsourcing Arrangement must do all of the following:

(a)    before entering into the Outsourcing Arrangement, conduct due diligence enquiries for the purposes of ensuring the Service Provider has the ability and capacity to provide the services covered by the Outsourcing Arrangement effectively;

(b)   ensure that the Outsourcing Arrangement is contained in a documented legally binding agreement between the Market Participant and the Service Provider that:

(i)       sets out the nature, scope and quality of the services to be provided under the Outsourcing Arrangement;

(ii)     requires the Service Provider to give written notice to the Market Participant before the Service Provider:

A.    enters into any arrangement with another person (Sub-Contractor) under which the Sub-Contractor will provide services material to the provision by the Service Provider of the services covered by the Outsourcing Arrangement; and

B.     makes any other material change to the manner in which the services covered by the Outsourcing Arrangement are provided;

(iii)   deals with the circumstances and manner in which the Outsourcing Arrangement may be terminated; and

(iv)   provides for the orderly transfer of services provided under the Outsourcing Arrangement to the Market Participant or another Service Provider in the event of termination of the Outsourcing Arrangement;

(c)    while the Outsourcing Arrangement is in place, monitor the performance of the Service Provider to ensure that the Service Provider is providing the services covered by the Outsourcing Arrangement effectively and has the ability and capacity to continue to provide those services effectively;

(d)   have in place adequate arrangements to identify and manage any conflicts of interest that have been identified or could arise between the Market Participant and the Service Provider, including conflicts involving Sub-Contractors and related entities of the Market Participant, Service Provider and any Sub-Contractor;

(e)    have in place adequate arrangements to ensure the Market Participant is able to comply with its obligations under the Act and the Rules in relation to the Critical Business Services the subject of an Outsourcing Arrangement including, without limitation, arrangements with the Service Provider to:

(i)     ensure the resilience, reliability, integrity and security of those Critical Business Services in accordance with Rule 8B.2.1;

(ii)   ensure the confidentiality, integrity and availability of information obtained, held or used by the Market Participant in relation to those Critical Business Services in accordance with Part 8B.3 of the Rules; and

(iii) deal with a Major Event in accordance with Part 8B.4 of the Rules;

The note at the end of subrule 8B.2.3(1)(e) sets out non-exhaustive examples of the arrangements that a Market Participant may have in place to ensure compliance with subrule 8B.2.3(1), which includes requirements on the Service Provider as set out in the note.

(f)    ensure that the Market Participant and its auditors are able to promptly, upon request, access books, records and other information of the Service Provider relating to the Critical Business Services;

(g)   ensure that ASIC has the same access to all books, records and other information relating to the Critical Business Services and maintained by the Service Provider, that ASIC would have if not for the Outsourcing Arrangement; and

(h)   ensure that for each Outsourcing Arrangement, the Market Participant’s Board or a director or senior manager have confirmed that they have complied with the Market Participant’s obligations in this subrule and made a written attestation to that effect.

Subrule 8B.2.3(2) provides that the Market Participant must comply with subrule 8B.2.3(1) in a manner that is appropriate to the nature, complexity and risks of the Outsourcing Arrangement and the materiality of the Outsourcing Arrangement to the Market Participant’s Participant Operations and Participant Services.

Subrule 8B.2.3(3) provides that, in determining for the purposes of subrule 8B.2.3(1) whether the Service Provider has the ability and capacity to provide the services covered by the Outsourcing Arrangement effectively, the Market Participant must take into account the extent to which the Service Provider is providing the same or similar services to other Market Participants.

Part 8B.3 Information Security

Rule 8B.3.1 Information security

Subrule 8B.3.1(1) provides that a Market Participant must have adequate arrangements to ensure the confidentiality, integrity and availability of information obtained, held or used by the Market Participant in relation to its Participant Operations and Participant Services.

Subrule 8B.3.1(2) provides that, without limiting subrule 8B.3.1(1), the arrangements referred to in that subrule must include all of the following:

(a)    arrangements to identify and document Information Assets that are integral to the provision of the Market Participant’s Participant Operations and Participant Services;

(b)   controls, including automated controls, designed to prevent unauthorised access to Information Assets;

(c)    controls for identifying, assessing, managing and monitoring for unauthorised access to Information Assets; and

(d)   arrangements designed to protect Information Assets from theft, loss or corruption.

Subrule 8B.3.1(3) provides that a Market Participant must have adequate arrangements to ensure the availability of access to data obtained, held or used by the Market Participant in its Participant Operations and Participant Services.

Subrule 8B.3.1(4) provides that, without limiting subrule 8B.3.1(3), the arrangements referred to in that subrule must include arrangements designed to provide for the backup of the data and the timely recovery of the data in the event of any theft, corruption or loss of the data.

Subrule 8B.3.1(5) provides that a Market Participant must maintain, for a period of at least seven years after the relevant event, records of any:

(a)    unauthorised access to or use of its Critical Business Services that impacts the effective operation or delivery of those services; or

(b)   unauthorised access to or use of market-sensitive, confidential or personal information.

Part 8B.4 Business Continuity Plans

Rule 8B.4.1 Business continuity

Business Continuity Plans

Rule 8B.4.1 provides requirements for Market Participants to have Business Continuity Plans. These are defined in subrule 8B.4.1(1) as plans for effectively responding to a Major Event. A Major Event is defined in subrule 8B.4.1(1) as an event that would or would be likely to cause significant disruption to a Market Participant’s Participant Operations or materially impact the Market Participant’s Participant Services.

Subrule 8B.4.1(1) provides that a Market Participant must establish, implement and maintain Business Continuity Plans for effectively responding to a Major Event.

The note at the end of subrule 8B.4.1(1) provides examples of what may be considered a Major Event. This includes the failure of or disruption to a Critical Business Service, including one operated by a Service Provider, or an event such as a pandemic or influenza event, natural disaster, cyber-attack or power failure.

Subrule 8B.4.1(2) provides that a Market Participant’s Business Continuity Plans must be designed to enable:

(a)    continuity of the usual operation of the Market Participant’s Critical Business Services, Participant Operations and Participant Services during a Major Event; and

(b)   to the extent continuation of the usual operation of the Market Participant’s Critical Business Services, Participant Operations and Participant Services during a Major Event is not possible, timely and orderly restoration of those usual operations following the Major Event.

Subrule 8B.4.1(3) provides that a Market Participant’s Business Continuity Plans must be appropriate to the nature, scale and complexity of the Market Participant’s Critical Business Services, Participant Operations and Participant Services and to the Market Participant’s structure and location.

Subrule 8B.4.1(4) provides that, without limiting subrules 8B.4.1(1) to (3), the Market Participant’s Business Continuity Plans must identify and address all of the following:

(a)    the types of Major Events that may impact the Market Participant’s Critical Business Services, Participant Operations and Participant Services;

(b)   activation procedures including trigger conditions for enacting the Market Participant’s Business Continuity Plans;

(c)    the potential impact Major Events may have on the Market Participant’s Critical Business Services, Participant Operations and Participant Services;

(d)   the classification of types of Major Events according to the potential severity of the impacts referred to in paragraph 8B.4.1(4)(c);

(e)    escalation procedures that are appropriate to the classification referred to in paragraph 8B.4.1(4)(d);

(f)    the actions, arrangements and resources required to achieve the outcomes referred to in subrule 8B.4.1(2);

The note at the end of subrule 8B.4.1(4)(f) sets out non-exhaustive examples of the actions, arrangements and resources covered by subrule 8B.4.1(4)(f). This includes key operational functions and processes, staff, alternate suppliers/service providers, technology, alternative premises and other physical infrastructure.

(g)   specific objectives for the time taken to achieve the outcomes referred to in paragraph 8B.4.1(2)(b);

(h)   procedures for communicating during a Major Event with persons that may be impacted by the Major Event, for the purposes of ensuring those persons are adequately informed about:

(i)     the nature and impact of the Major Event;

(ii)   the steps that are being taken or will be taken to manage the Major Event;

(iii) the likely timing of the steps referred to in subparagraph (ii); and

(iv) the likely timing of the resumption of the usual operation of the Market Participant’s Critical Business Services, Participant Operations and Participant Services; and

(i)     any operational dependencies between the Market Participant and any other person that may affect the matters referred to in subparagraphs 8B.4.1(4)(a) to (h).

Subrule 8B.4.1(5) provides that, without limiting paragraph 8B.4.1(4)(i), a Market Participant must have in place adequate arrangements to ensure that the Market Participant is able to carry out its Business Continuity Plans with respect to any Critical Business Services the subject of an Outsourcing Arrangement.

Notification of a Major Event

Subrule 8B.4.1(6) provides that, without limiting paragraph (4)(h), a Market Participant must notify ASIC immediately upon becoming aware of a Major Event.

Subrule 8B.4.1(7) provides that, if a notification is made under subrule 8B.4.1(6), the Market Participant must within seven days of the notification provide ASIC with a written report detailing the circumstances of the Major Event and the steps taken to manage the Major Event.

Review, update and testing of plans

Subrule 8B.4.1(8) provides that a Market Participant must:

(a)    review and test its Business Continuity Plans and the arrangements referred to in subrule 8B.4.1(5):

(i)     at a frequency and in a manner appropriate to the nature, scale and complexity of the Market Participant’s Critical Business Services, Participant Operations and Participant Services and to the Participant’s structure and location; and

(ii)   at a minimum:

A.    each time there is a material change to the Market Participant’s Critical Business Services, Participant Operations and Participant Services or to the Market Participant’s structure and location;

B.     as soon as practicable after the occurrence of a Major Event; and

C.     once every 12 months; and

(b)   update the Business Continuity Plans as required to ensure they comply with subrules 8B.4.1(1) to (4).

Documentation of plans and testing

Subrule 8B.4.1(9) provides that a Market Participant must document:

(a)    its Business Continuity Plans; and

(b)   the scope and results of all reviews and testing performed in accordance with subrule 8B.4.1(8).

Subrule 8B.4.1(9) also provides that the documentation required by subrule 8B.4.1(9) must be maintained for a period of at least seven years from the later of the date it is created or the date it is last amended.

Part 8B.5 Governance

Rule 8B.5.1 Responsibility for compliance

Subrule 8B.5.1(1) provides that a Market Participant must have appropriate governance arrangements and adequate financial, technological and human resources to comply with its obligations under Chapter 8B.

Subrule 8B.5.1(2) provides that, without limiting subrule 8B.5.1(1), the arrangements referred to in that subrule must include arrangements for the Market Participant’s Board or senior management to have oversight of the establishment, implementation, maintenance, review, testing and documentation of the Market Participant’s Business Continuity Plans.

Legislative authority

The amending instrument has been made under subsection 798G(1) of the Corporations Act.

Subsection 798G(1) of the Corporations Act provides that ASIC may, by legislative instrument, make rules (the market integrity rules) that deal with:

(a)    the activities or conduct of licensed markets;

(b)   the activities or conduct of persons in relation to licensed markets; and

(c)    the activities or conduct of persons in relation to financial products traded on licensed markets.

 

Under subsection 33(3) of the Acts Interpretation Act 1901 (as in force as at 1 January 2005 and as applicable to the relevant powers because of section 5C of the Act), where an Act confers a power to make, grant or issue any instrument of a legislative or administrative character (including rules, regulations or by-laws), the power shall be construed as including a power exercisable in the like manner and subject to the like conditions (if any) to repeal, rescind, revoke, amend, or vary any such instrument.

 

Accordingly, the power under subsection 798G(1) of the Corporations Act to make the market integrity rules includes a power to amend those rules.

 

Subsection 798G(3) of the Corporations Act provides that ASIC must not make a market integrity rule unless the Minister has consented, in writing, to the making of the rule. The Minister consented to the making of the Rules on 31 January 2022.

This instrument is subject to disallowance under section 42 of the Legislation Act 2003. Section 44 of the Legislation Act 2003 does not apply to this instrument.

 

Legislative instrument and primary legislation 

 

The subject matter and policy implemented by this instrument are more appropriate for a legislative instrument than for primary legislation because:

 

(a)    The Securities Markets Rules and the Futures Markets Rules are made by ASIC utilising powers given by Parliament to ASIC that allow ASIC to make rules that deal with activities or conduct of licensed markets, and of persons in relation to, and financial products traded on, those licensed markets. This instrument amends the Securities Markets Rules and the Futures Markets Rules.

 

(b)   The instrument, and the Securities Markets Rules and the Futures Markets Rules more broadly, contain technical detail that would otherwise introduce unnecessary complexity into the primary legislation. As a consequence, if the matters in the instrument (or in the Securities Markets Rules and the Futures Markets Rules) were to be inserted into the primary legislation, they would insert, into an already complex statutory framework, a set of provisions that are highly specific in nature and may become redundant over time due to the pace of technological and market developments.

 

The duration of the amendments made by this instrument aligns with the duration of the Securities Markets Rules and the Futures Markets Rules, which this instrument amends. Under item 18 of section 12 of the Legislation (Exemptions and Other Matters) Regulation 2015, the Securities Markets Rules and the Futures Markets Rules are exempt from sunsetting. Market integrity rules regulate the operation of financial markets. As noted in the Explanatory Statement to the Legislation (Exemptions and Other Matters) Regulation 2015, commercial certainty would be undermined by the sunsetting of these rules.

 

Statement of Compatibility with Human Rights 

The Explanatory Statement for a disallowable legislative instrument must contain a Statement of Compatibility with Human Rights under subsection 9(1) of the Human Rights (Parliamentary Scrutiny) Act 2011. A Statement of Compatibility with Human Rights is in the Attachment.


 

Attachment

Statement of Compatibility with Human Rights

This Statement of Compatibility with Human Rights is prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

 

ASIC Market Integrity Rules (Securities Markets and Futures Markets) Amendment Instrument 2022/74

 

ASIC Market Integrity Rules (Securities Markets and Futures Markets) Amendment Instrument 2022/74 (the Amendment Instrument) makes new market integrity rules (the Rules) by:

 

(a)    inserting Chapter 8A and Chapter 8B into the ASIC Market Integrity Rules (Securities Markets) 2017 (Securities Markets Rules); and

 

(b)   inserting Chapter 8A and Chapter 8B into the ASIC Market Integrity Rules (Futures Markets) 2017 (Futures Markets Rules).

The Amendment Instrument also repeals rule 9.1.3 of the Securities Markets Rules which is superseded by the making of the Rules.

The Amendment Instrument has been made under subsection 798G(1) of the Corporations Act 2001 (Corporations Act).

 

The Rules are intended to promote the resilience of market operators’ and market participants’ critical business services.

 

The Rules:

 

(a)  establish formalised and clear baseline obligations for market operators and market participants to ensure strong deterrence for poor technology, operational governance and controls;

 

(b)  better align the regulatory framework for market operators and market participants with international regulatory approaches;

 

(c)  promote the resilience and robustness of Australian financial market infrastructures; and

 

(d) better align ASIC regulatory requirements with prudential standards imposed by the Australian Prudential Regulation Authority (APRA).

 

The Rules address the following key areas:

 

(a)    critical business services arrangements;

(b)   change management;

(c)    outsourcing;

(d)   information security;

(e)    business continuity planning;

(f)    governance and resourcing; and

(g)   trading controls (market operators only).

 

Assessment of human rights implications

This legislative instrument does not engage any of the applicable rights or freedoms.

 

Conclusion

This instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.