Business Continuity & Disaster Recovery in the Financial Services Sector

Business Continuity & Disaster Recovery in the Financial Services Sector – Aspects of Risk Mitigation in the Financial Services

Joseph Demanuele

25 June 2007



Agenda

  • The MFSA – Organisation, functions and obligations

  • Business Continuity Compliance – current position and future considerations

  • High Level Principles of Business Continuity – published by a Forum of Financial Services Supervisors

  • Business Continuity in the UK Financial Services – challenges for 2007

  • Survey on Business Continuity - in the global Financial Services Sector by a leading risk magazine

ISACA / MFSA



The MFSA – “Ensure high standards of conduct and management in financial services and promote the legitimate expectations of consumers”

Public authority set up by the MFSA Act with functions to:-

  • Regulate & supervise financial services – single regulator

  • Inform, promote and protect interests of consumers of financial services

  • Promote fair competition practices / consumer choice

  • Monitor legislation / advise Govt on formulation of policies

  • Ensure high standards of conduct / management in sector


The Main Organs


The Organisational Units


Conduct & Management

  • MFSA Act. Article 4 (1) (g) states that:

    “Without prejudice to any other power or function conferred to it by this Act or any other law, it shall be the function of the Authority … to ensure high standards of conduct and management throughout the financial system”

  • How is this function carried out?

    • Ensure that licence holders have a Business Continuity Plan (BCP) in place which has been tested and is being continuously updated

    • Periodic on site Compliance visits


Other Obligations

  • Besides the MFSA Act, the Authority ensures compliance with:-

    • Other local legislation regulating financial services

    • EU legislation and other international treaties

  • Transpose EU legislation into local legislation

  • Adopt new Directives, such as MiFID, Solvency II, CRD, and others


On Site Compliance

  • MFSA Units carrying out regular on-site compliance visits:-

    • Securities Unit

    • Insurance Business Unit

    • Company Compliance Unit

    • Banking Unit

  • Last year 98 compliance visits were conducted on site.

  • Moving towards the adoption of a risk-based approach to supervision.


Securities Unit – Current Position

  • Investment Services Guidelines (based on current ISD 2) – Part CI of SLC 3.07(l) in the Conduct of Business Rules section states:

    “The Licence Holder shall organise and control its affairs in a responsible manner and shall have adequate operational, administrative and financial procedures and controls … and to enable it to be effectively prepared to manage, reduce and mitigate the risks to which it is exposed …

      For this purpose, the Licence Holder shall have an appropriate Disaster Recovery and Business Continuity Plan which is regularly tested and updated”

  • Therefore, it is a standard licence condition to have a DRP and a BCP

  • MFSA checks adherence through compliance visits


Securities Unit – Current Position (cont.)

  • Compliance Team shall:-

    • Check and see evidence that there is a proper BCP and procedures for disaster recovery

    • Ensure that the BCP is proportionate and adequate for the size of business and activities

    • See evidence that proper tests are being carried out e.g. record of fire drills, IT shutdowns

  • No BCP in place – the licence holder is in breach of its licence conditions. The Compliance Team may give guidance regarding compliance.


Securities Unit – New Requirements under MiFID

  • The EU’s Markets in Financial Instruments Directive (MiFID) – a comprehensive regulatory regime governing financial trading and intermediation in Europe. Replaces the ISD (1993) and follows the Lamfalussy four-level approach

  • Dir. 2004/39/EC is the MiFID framework directive under Level I - Art.13 (4) – Organisational Requirements states:

    “An investment firm shall take reasonable steps to ensure continuity and regularity in the performance of investment services and activities.  To this end the investment firm shall employ appropriate and proportionate systems, resources and procedures.”


Securities Unit – MFSA’s Draft MiFID Rules

  • Commission Directive 2006/73/EC is the implementing directive to 2004/39/EC – organisational and operating conditions for investment firms – forms part of Level 2 and Art 5 (3) states:

    “Member states shall require investment firms to establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to their systems and procedures, the preservation of essential data and functions and the maintenance of investment services and activities or, where this is not possible, the timely recovery of such data and functions and the timely resumption of their investment services and activities.”

  • Draft MiFID rules issued by the MFSA for consultation in Jan 2007 – become applicable from 1 Nov 2007

  • Business Continuity section of MiFID transposed in Part C rule 1.18(b) – practically identical to Dir. 2006/73/EC

  • Draft MiFID Rules on www.mfsa.com.mt


Insurance Business Unit – Current Position

  • BCP is not currently a specific requirement under any insurance legislation or regulation;

  • However, BCP is still included in compliance visit procedures as “best practice”

  • Enquiries during on-site visits include:

    • Is there a BCP? Includes a DRP?

    • Current and operational? Regularly tested?

    • Procedures for recovery of data?

    • Back-up procedures? Restoration of backups?


Insurance Business – Impact of Solvency II

  • Solvency II – a complete overhaul of the supervision of insurance business within the EU, introducing a new solvency regime with an integrated risk approach that reflects the risks taken by insurers better than the current Solvency I regime.

  • Currently in consultation process, through CEIOPS. Directive expected by end 2007

  • Implementation by EU Member States - scheduled for 2010.

  • Three pillar structure (as in Basel II and CRD) –

    • Pillar I - Quantitative capital requirements

    • Pillar II - Qualitative supervisory review

    • Pillar III - Market discipline

  • Employs Lamfalussy 4 level approach arrangements


Insurance Business - Solvency II – Pillar II

  • Pillar II - outlines the obligations of the Supervisory Authority and the Insurers’ general governance including organisational structure and internal control mechanisms and processes to manage material risk as may be appropriate within the nature, scale and complexity of the firm

  • Risk management, including business continuity functions – ultimately the responsibility of management

  • Written and clear policies in respect of internal control, outsourcing and risk management


Company Compliance Unit

  • The CCU is responsible for authorising and supervising companies offering fiduciary services, including mandatory and trustee services, in terms of the Trusts and Trustees Act (TTA). It is also responsible for considering applications for Listing in terms of the Listing Rules.

  • TTA Art.47 empowers the MFSA to conduct compliance visits

  • Clause 9.4 of the Code of Practice for Trustees states:

    “Trustees should have effective management and systems that are commensurate with the scale and complexity of the trust business to be undertaken. They must also have appropriate management resources to control the company’s affairs (or in the case of individual trustees their business affairs), including ensuring compliance with legal obligations and standards under this Code.”

  • BCP compliance is included in the new draft checklist for on-site visits by the CCU Compliance Team


Banking Unit – Current Position

On-site compliance for credit & financial institutions

  • Verify completeness of the BCP

  • Establish that the BCP is a comprehensive document providing guidance in the event of major incidents, which may include inability to access premises, systems outage, unavailability of key personnel, and other occurrences that may preclude the institution from carrying out routine operations.

  • BCP to include a disaster recovery simulation performed at least once annually.

  • Test results are documented and weaknesses identified – to be rectified within stipulated timeframes.

  • Ensure that a full IT system backup is taken daily

  • BCP to outline employees’ training procedures for its operation

  • Plan to be commensurate with the institution’s business dimensions.


Capital Requirements Directive (CRD)

  • The CRD applies the Basel II requirements to credit institutions and investment firms across the EU. There are three pillars under the new Basel II accord:-

    • Pillar I – involves the measurement of risk,

    • Pillar II – involves the supervisory review process,

    • Pillar III – deals with market discipline by developing a set of disclosure requirements

  • Pillar II - enhances the link between a credit institution’s risk profile, its risk management, its risk mitigation systems, and its capital

  • CEBS guidelines on Pillar II – BCP is encouraged as a “best practice” requirement and is part of the risk assessment process under Pillar II.

  • As “best practice” the Basel Committee on Banking Supervision in a forum with other supervisors came up with high level principles on business continuity.


High Level Principles of Business Continuity

  • The JOINT FORUM, based in Basel and made up of

    • BASEL COMMITTEE ON BANKING SUPERVISION (BCBS)

    • INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS (IOSCO)

    • INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS (IAIS)

      concluded in Feb 2005 that high-level principles on business continuity would contribute to the resilience of the global financial system

  • Defined effective business continuity management to incorporate business impact analyses, recovery strategies and business continuity plans as well as programmes for testing, training and awareness, and communication and crisis management

  • The 7 high level principles were developed for two distinct but related audiences – financial industry participants (including unlicensed providers to the financial services industry) and financial authorities.


The 7 High Level Principles of Business Continuity

  • Principle 1: Board and senior management responsibility for the organisation’s business continuity.

  • Principle 2: Major operational disruptions – affecting operations of the financial system within their responsibility to be addressed in the BCP

  • Principle 3: Recovery objectives – developed reflecting the risk they represent to the operation of the financial system.

  • Principle 4: Communications - procedures for communicating within their organisations and with relevant external parties to form part of the BCP

  • Principle 5: Cross-border communications – procedures for communications with financial authorities in other jurisdictions in the event of major operational disruptions with cross-border implications.

  • Principle 6: Testing – their BCPs, evaluate their effectiveness, and update their business continuity management, as appropriate.

  • Principle 7: Business continuity management reviews by financial authorities – who should incorporate business continuity management reviews for the ongoing assessment of the financial industry participants for which they are responsible.


High Level Principles of Business Continuity – Case Studies

  • US-Canadian electrical power grid outages in August 2003

  • The impact of the 2003 SARS outbreak on Hong Kong SAR’s securities markets

  • The impact of the 2003 SARS outbreak on the Canadian securities industry

  • The 2004 Japan Niigata Chuetsu earthquake measuring 6.8 on the Richter scale

  • The London terrorist attacks on 7 July 2005 - 50 killed and 700 injured - the public transportation system in London was at a complete standstill for a significant period.


Business Continuity issues for UK Financial Sector 2007 - FSA

  • Business continuity firmly on FSA’s agenda

  • Priority Risk Report – agenda for compliance visits – represents a barometer of risk issues from both regulator and regulated firms.

  • Cross-sectoral risks highlighted:-

    • Pandemic flu – tap reports by larger corporations

    • Terrorism – still a real threat

  • Sectoral issues:-

    • Outsourcing in retail financial services (banks, insurers), especially offshore – emerging operational and reputational risk

    • Investment banks and Securities firms:-

      • MiFID implementation challenges

      • Credit & equity derivatives – volume growth - back office backlogs

      • Asset fund management – change in processes

      • Hedge Funds – are now subject to regulation by the FSA


Survey on BCP in Financial Services Firms (by OpRisk & Comp)

  • Firms are not taking BCP as seriously as they should

  • Board/senior management not giving importance to BCP – 68%

  • Lack funds/resources - 49%

  • Difficulties in communicating the BCP internally – 32%

  • Difficulties in co-ordinating with external stakeholders – 24%

  • BCP regarded as an IT issue – 89%

  • Employ specialised risk managers – 29%

  • Compliance mentality to BCP

  • Updating of BCPs – annually 46%

  • Concern that BCP not given priority due to compliance projects for MiFID, Basel II, SOX issues etc


References

Capital Requirements Directives

Directive 2006/48/EC:

http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_177/l_17720060630en02010255.pdf

Directive 2006/49/EC:

http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_177/l_17720060630en02010255.pdf

MiFID

Framework Directive - Directive 2004/39/EC:

http://europa.eu.int/eur-lex/pri/en/oj/dat/2004/l_145/l_14520040430en00010044.pdf

Implementing Directive - Directive 2006/73/EC:

http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_241/l_24120060902en00260058.pdf

High Level Principles for Business Continuity

Source: Bank for International Settlements website available at:

http://www.bis.org/publ/joint14.pdf

Other

Malta Financial Services Authority (MFSA) - www.mfsa.com.mt

UK Financial Services Authority (FSA) - www.fsa.gov.uk
