The Board of the International Organization of Securities Commissions today published a Thematic Review (‘Review’) on the extent to which participating IOSCO member jurisdictions have implemented regulatory measures consistent with the two Recommendations and the two Standards set out in the 2015 IOSCO reports on Business Continuity Plans (BCPs) for Trading Venues and Market Intermediaries.
Authorities from 33 jurisdictions (16 developed jurisdictions and 17 emerging market jurisdictions) participated in the Review, which found that thirteen participating jurisdictions are Fully Consistent with the two Recommendations and the two Standards under review. The Review identified some gaps or shortcomings of different degrees of materiality in the other 20 participating jurisdictions for one or more of the Recommendations or Standards.
The two Recommendations under review state that regulators should require trading venues to 1) have mechanisms to help ensure the resiliency, reliability and integrity (including security) of critical systems and 2) establish, maintain and implement as appropriate a BCP. The two Standards state that regulators should require intermediaries to 1) create and maintain a written BCP that identifies procedures for an emergency or significant business disruption and 2) update their BCP in the event of any material change to operations, structure, business or location and conduct an annual review of their BCP to determine whether any modifications are necessary due to these changes.
In terms of the gaps, the Review found that regulatory frameworks of some jurisdictions did not ensure that relevant provisions for critical systems extend to outsourced functions. The Review also found that regulations in some participating jurisdictions did not have any obligations for intermediaries to conduct a regular review of BCP arrangements or update BCPs in response to material business changes.
The Review recommends that members include in their regulatory frameworks the necessary powers for the regulator to set and enforce requirements for trading venues and intermediaries when they establish, maintain and update BCPs; to ensure the regulatory frameworks require enterprise-wide BCPs and not only disaster recovery or contingency measures for IT systems; and to provide sufficient clarity on governance and accountability for boards or senior management in relation to critical systems.
IOSCO undertook this Review in response to the rapid rise of new technologies in securities markets, which have created risks capable of potentially disrupting trading venues and intermediaries. These vulnerabilities underscore the importance of effective BCPs, supported by adequate regulatory frameworks. While the report also discusses the measures that regulators, trading venues and market intermediaries took to ensure BCPs remained resilient during the COVID-19 crisis, the Review did not assess the operational resilience of trading venues and intermediaries during the COVID-19 pandemic. Given the relevance of this topic, IOSCO will be separately conducting work on operational resilience as part of its effort to examine risks exacerbated by the COVID-19 pandemic, as announced in its work program for 2021-2022.