Outsourcing of critical IT functions by operators of futures and securities markets such as the ASX, Chi-X, NSX and SSX will receive greater scrutiny from the corporate regulator under a new set of proposed rules.
The Australian Securities and Investments Commission (ASIC) plans to introduce rules that include formal obligations for market operators to ensure the resilience of key systems, including implementing “robust arrangements” for business continuity and data security as well as a range of provisions that will need to be included in outsourcing agreements.
ASIC in its consultation paper notes the impact of a major outage of ASX’s equities trading system in September 2016. That outage had a flow-on effect to other exchanges, the paper states. It is not the only incident that raised ASIC’s concerns: In June 2018, for example, some ASX customers’ hardware was damaged by the accidental activation of a gas-based fire suppression system.
Under the outsourcing rules proposed by ASIC, the regulator will have access to the same books and records it would if a particular function was performed in-house. The rules also require provisions in any outsourcing arrangement that will allow a market operator to transition to another service provider or bring a system in-house if the agreement is terminated.
Market operators will have to inform ASIC prior to entering an outsourcing arrangement, if the new rules go ahead.
“Outsourcing can provide benefits, such as lower costs and allowing access to specialist expertise and the latest technology solutions,” a consultation paper issued by ASIC states.
“However, outsourcing may also impede the ability of market operators and market participants to manage risks and monitor compliance with their obligations. Importantly, market operators and market participants can not outsource to a service provider their responsibility for meeting regulatory obligations.”
ASIC expects to finalise the new rules in November-December, with market operators given six months to comply with them.
In September 2018, the Australian Prudential Regulation Authority (APRA) issued guidance to banks and other regulated entities on the use of cloud computing services.
ASIC noted APRA’s decision but said it would not issue specific cloud rules; instead, use of those services will be governed by the new outsourcing rules.
“The use of cloud computing is still somewhat in its infancy, with a focus more on storage of data rather than analysing or synthesising data,” the consultation paper states. However, ASIC said it is “closely monitoring developments with cloud computing and may release further, more targeted, guidance in this area.”