FR31/2015 Mechanisms for Trading Venues to Effectively ...

Mechanisms for Trading Venues to Effectively Manage Electronic Trading Risks and Plans for Business Continuity

Final Report

The Board of the International Organization of Securities Commissions

FR31/2015

December 2015

Copies of publications are available from: The International Organization of Securities Commissions Web site: .

© International Organization of Securities Commissions (2015). All rights reserved. Brief excerpts may be reproduced or translated, provided the source is stated.


Foreword

The Board of the International Organization of Securities Commissions (IOSCO) has issued this report on Mechanisms for Trading Venues to Effectively Manage Electronic Trading Risks and Plans for Business Continuity (Report), following publication of a Consultation Report with the same title. [1] The Report provides background on the project and the work undertaken by IOSCO's Committee on the Regulation of Secondary Markets with regard to the robustness of trading venues and their business continuity plans and recovery planning, particularly in light of market disruptions that have occurred in some IOSCO jurisdictions. This Report discusses IOSCO's findings based on the responses to surveys to both regulators and Trading Venues and proposes some recommendations [2] to regulators to help ensure that they manage effectively identified risks. The Report also proposes sound practices [3] that should be considered by Trading Venues in developing and implementing risk mitigation mechanisms that ensure the integrity, resiliency and reliability of their critical systems as well as their BCP. It is recognized that not every sound practice will work for all Trading Venues. Use of any sound practice would be at the discretion of each Trading Venue.

[1] See CR03/2015 Mechanisms for Trading Venues to Effectively Manage Electronic Trading Risks and Plans for Business Continuity, Consultation Report, April 2015, available at:

[2] Recommendations are results or conclusions regarding regulatory issues and approaches that IOSCO members should consider. These may or may not be incorporated, for assessment purposes, into the IOSCO Methodology for Assessing Implementation of the IOSCO Objectives and Principles of Securities Regulation (Assessment Methodology).

[3] In general, in accordance with IOSCO taxonomy, "sound practices" consist of practices that regulators could consider. In this report, however, we direct the sound practices to trading venues. In either case, such practices would not be reflected in the Assessment Methodology, as they do not represent a standard that IOSCO members are necessarily expected to implement or be assessed against.


Contents

A. Introduction and Background

B. Technology-related Risks faced by Trading Venues

C. Description of Critical Systems

1. Execution Systems

2. Data Dissemination Systems

3. Network Infrastructure Systems

4. Surveillance Systems

5. Risk Management Systems

6. Order Entry Systems

7. Order Routing Systems

8. Other Systems

D. Managing Technology to Mitigate Risk

1. Governance

2. IT Skills

3. Ongoing monitoring of critical systems

4. Systems Reviews

5. Incident Management

6. Controls around the development of new or changes to critical systems

7. Outsourcing

8. Recommendation and Sound Practices

E. Managing External Risks to Critical Systems

1. Risks posed by access to Trading Venues

(a) Tools to manage risks that arise from Electronic Trading

(b) Managing risks due to new, and changes to Trading Venue participant systems

(c) Managing risks due to DEA Client order flow

2. Risks posed by Cyber-attacks

(a) Regulatory requirements relating to cyber-security of Trading Venues

(b) Trading Venues and cyber-security

(c) Trading Venue participants and cyber-security

3. Sound practices relating to external risks to a Trading Venue's systems

F. How to Plan for Disruptions: Business Continuity Plans

1. Regulatory requirements relating to the BCP

2. Trading Venue BCPs

(a) Scenarios

(b) Governance

(c) Redundancy

(d) Minimum service level of the critical functions

(e) Communication

(f) Recordkeeping

(g) Testing and periodic review

(h) BCP and Outsourced Services

(i) BCP and Intermediaries

3. Recommendation and Sound practices

G. Conclusion

Annex 1: Consultation Report Summary of Comments and Feedback Statement

Annex 2: Joint Forum BCP Principles

Annex 3: IOSCO Report: Principles for Outsourcing by Markets

Annex 4: IOSCO Report: Principles for Direct Electronic Access to Markets
