Business Continuity & Disaster Recovery in the Financial Services Sector

Aspects of Risk Mitigation in the Financial Services

Joseph Demanuele

25 June 2007

25 June 2007 ISACA / MFSA 2

Agenda

- The MFSA – organisation, functions and obligations
- Business Continuity compliance – current position and future considerations
- High Level Principles of Business Continuity – published by a forum of financial services supervisors
- Business Continuity in the UK financial services sector – challenges for 2007
- Survey on Business Continuity in the global financial services sector, by a leading risk magazine


The MFSA

“Ensure high standards of conduct and management in financial services and promote the legitimate expectations of consumers”

Public Authority set up by the MFSA Act with functions to:
- Regulate and supervise financial services (single regulator)
- Inform, promote and protect the interests of consumers of financial services
- Promote fair competition practices and consumer choice
- Monitor legislation and advise Government on the formulation of policies
- Ensure high standards of conduct and management in the sector


The Main Organs

- Board of Governors (responsibility for setting policy)
- Co-ordination Committee – Chairman, Director General, Chief Operations Officer (co-ordinating the implementation of policies)
- Supervisory Council (regulatory function of the Authority)
- Board of Management & Resources (carry out day-to-day management)


The Organisational Units

Supervisory Council – Director General:
- Banking
- Securities
- Insurance
- Company Compliance
- Pensions
- Corporate Services

Board of Management & Resources – Chief Operations Officer:
- Finance & Administration
- IT & Communication
- Human Resources & Training
- Research & Business Development


Conduct & Management

MFSA Act, Article 4(1)(g), states that: “Without prejudice to any other power or function conferred to it by this Act or any other law, it shall be the function of the Authority ……… to ensure high standards of conduct and management throughout the financial system”

How is this function carried out?
- Ensure that licence holders have a Business Continuity Plan (BCP) in place which has been tested and is being continuously updated
- Periodic on-site compliance visits


Other Obligations

Besides the MFSA Act, the Authority ensures compliance with:
- Other local legislation regulating financial services
- EU legislation and other international treaties

It also transposes EU legislation into local legislation and adopts new Directives, such as MiFID, Solvency II, the CRD and others.


On Site Compliance

MFSA Units carrying out regular on-site compliance visits:
- Securities Unit
- Insurance Business Unit
- Company Compliance Unit
- Banking Unit

Last year 98 compliance visits were conducted on site.

The Authority is moving towards the adoption of a risk-based approach to supervision.


Securities Unit – Current Position

Investment Services Guidelines (based on current ISD 2) – Part CI of SLC 3.07(l) in the Conduct of Business Rules section states:

“The Licence Holder shall organise and control its affairs in a responsible manner and shall have adequate operational, administrative and financial procedures and controls……… and to enable it to be effectively prepared to manage, reduce and mitigate the risks to which it is exposed……..

For this purpose, the Licence Holder shall have an appropriate Disaster Recovery and Business Continuity Plan which is regularly tested and updated”

Therefore, having a DRP and a BCP is a standard licence condition.

The MFSA checks adherence through compliance visits.


Securities Unit – Current Position (cont.)

The Compliance Team shall:
- Check and see evidence that there is a proper BCP and procedures for disaster recovery
- Ensure that the BCP is proportionate and adequate for the size of the business and its activities
- See evidence that proper tests are being carried out, e.g. records of fire drills and IT shutdowns

A licence holder with no BCP in place is in breach of its licence conditions. The Compliance Team may give guidance regarding compliance.


Securities Unit – New Requirements under MiFID

The EU’s Markets in Financial Instruments Directive (MiFID) is a comprehensive regulatory regime governing financial trading and intermediation in Europe. It replaces the ISD (1993) and follows the Lamfalussy four-level approach.

Directive 2004/39/EC is the MiFID framework directive under Level 1. Art. 13(4) – Organisational Requirements – states:

“An investment firm shall take reasonable steps to ensure continuity and regularity in the performance of investment services and activities.  To this end the investment firm shall employ appropriate and proportionate systems, resources and procedures.”


Securities Unit – MFSA’s Draft MiFID Rules

Commission Directive 2006/73/EC is the implementing directive to 2004/39/EC (organisational requirements and operating conditions for investment firms) and forms part of Level 2. Art. 5(3) states:

“Member States shall require investment firms to establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to their systems and procedures, the preservation of essential data and functions and the maintenance of investment services and activities or, where this is not possible, the timely recovery of such data and functions and the timely resumption of their investment services and activities.”

Draft MiFID Rules were issued by the MFSA for consultation in January 2007 and become applicable from 1 November 2007.

The Business Continuity provision of MiFID is transposed in Part C, rule 1.18(b), which is practically identical to Dir. 2006/73/EC.

The Draft MiFID Rules are available on www.mfsa.com.mt


Insurance Business Unit – Current Position

BCP is not currently a specific requirement under any insurance legislation or regulation.

However, BCP is still included in compliance visit procedures as “best practice”.

Enquiries during on-site visits include:
- Is there a BCP?
- Does it include a DRP?
- Is it current and operational?
- Is it regularly tested?
- Procedures for recovery of data?
- Back-up procedures?
- Restoration of backups?


Insurance Business – Impact of Solvency II

Solvency II is a complete overhaul of the supervision of insurance business within the EU, introducing a new solvency regime with an integrated risk approach that reflects the risks taken by insurers better than the current Solvency I regime.

Currently in the consultation process, through CEIOPS. Directive expected by end 2007.

Implementation by EU Member States is scheduled for 2010.

Three-pillar structure (as in Basel II and the CRD):
- Pillar I – Quantitative capital requirements
- Pillar II – Qualitative supervisory review
- Pillar III – Market discipline

Employs the Lamfalussy four-level approach.


Insurance Business – Solvency II – Pillar II

Pillar II outlines the obligations of the Supervisory Authority and the insurers’ general governance, including organisational structure and internal control mechanisms and processes to manage material risk, as may be appropriate within the nature, scale and complexity of the firm.

- Risk management, including business continuity functions, is ultimately the responsibility of management
- Written and clear policies in respect of internal control, outsourcing and risk management


Company Compliance Unit

The CCU is responsible for authorising and supervising companies offering fiduciary services, including mandatory and trustee services, in terms of the Trusts and Trustees Act (TTA). It is also responsible for considering applications for Listing in terms of the Listing Rules.

TTA Art. 47 empowers the MFSA to conduct compliance visits. Clause 9.4 of the Code of Practice for Trustees states:

“Trustees should have effective management and systems that are commensurate with the scale and complexity of the trust business to be undertaken. They must also have appropriate management resources to control the company’s affairs (or in the case of individual trustees their business affairs), including ensuring compliance with legal obligations and standards under this Code.”

BCP compliance is included in the new draft checklist for on-site visits by the CCU Compliance Team.


Banking Unit – Current Position

On-site compliance for credit and financial institutions:
- Verify completeness of the BCP.
- Establish that the BCP is a comprehensive document providing guidance in the event of major incidents, which may include inability to access premises, systems outage, unavailability of key personnel, and other occurrences that may preclude the institution from carrying out routine operations.
- The BCP is to include a disaster recovery simulation performed at least once annually.
- Test results are documented and weaknesses identified, to be rectified within stipulated timeframes.
- Ensure that a full IT system backup is taken daily.
- The BCP is to outline employees’ training procedures for its operation.
- The plan is to be commensurate with the institution’s business dimensions.
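Two of the Banking Unit expectations above, a full backup taken daily and documented test results, can be evidenced by machine rather than by attestation. The following is an added example written for this page, not code from the presentation or from the MFSA: a stand-alone check that reads a backup catalogue, confirms the latest entry is a full backup taken within the 24-hour window, and compares a test restore against the recorded checksum, producing the per-backup findings a compliance visit would want on file. The catalogue field names, the sample records and the restored byte strings are constructed for illustration.

```python
"""Backup evidence check (added example; not from the presentation).

Given a backup catalogue and the bytes obtained from a test restore of each
entry, report findings against two expectations: a full backup exists within
the daily window, and the restore matches the recorded checksum.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# "Full IT system backup taken daily": anything older than this window fails.
MAX_BACKUP_AGE = timedelta(hours=24)


def sha256_hex(data: bytes) -> str:
    """Checksum used to compare a test restore against the catalogue entry."""
    return hashlib.sha256(data).hexdigest()


def check_backup(record: dict, restored: bytes, now: datetime) -> list:
    """Return the findings for one backup record (an empty list is a pass).

    record   -- constructed catalogue entry with keys 'id', 'kind',
                'taken_at' (ISO 8601 with UTC offset) and 'sha256'
    restored -- bytes produced by actually restoring that backup to scratch
    now      -- timezone-aware time of the check
    """
    findings = []
    if record["kind"] != "full":
        findings.append("latest backup is not a full backup")
    taken_at = datetime.fromisoformat(record["taken_at"])
    if taken_at > now:
        findings.append("backup timestamp is in the future (clock or catalogue error)")
    elif now - taken_at > MAX_BACKUP_AGE:
        findings.append(f"backup is {now - taken_at} old, exceeds {MAX_BACKUP_AGE}")
    if sha256_hex(restored) != record["sha256"]:
        findings.append("test restore does not match recorded checksum")
    return findings


def evidence_report(catalogue: list, restores: dict, now: datetime) -> dict:
    """Map each backup id to its findings; this record is what gets filed."""
    return {rec["id"]: check_backup(rec, restores[rec["id"]], now) for rec in catalogue}


# --- constructed sample data ------------------------------------------------
_IMAGE = b"core banking ledger snapshot"  # stands in for a restored backup image
_NOW = datetime(2007, 6, 25, 9, 0, tzinfo=timezone.utc)

SAMPLE_CATALOGUE = [
    # fresh full backup, restore intact -> pass
    {"id": "bk-001", "kind": "full", "taken_at": "2007-06-25T02:00:00+00:00",
     "sha256": sha256_hex(_IMAGE)},
    # restore intact, but taken three days ago -> age finding
    {"id": "bk-002", "kind": "full", "taken_at": "2007-06-22T02:00:00+00:00",
     "sha256": sha256_hex(_IMAGE)},
    # fresh, but only incremental and the restore is corrupted -> two findings
    {"id": "bk-003", "kind": "incremental", "taken_at": "2007-06-25T02:00:00+00:00",
     "sha256": sha256_hex(_IMAGE)},
]
SAMPLE_RESTORES = {
    "bk-001": _IMAGE,
    "bk-002": _IMAGE,
    "bk-003": _IMAGE[:-1] + b"?",  # simulated corrupted restore
}


def run_sample() -> dict:
    """Run the check over the constructed sample catalogue."""
    return evidence_report(SAMPLE_CATALOGUE, SAMPLE_RESTORES, _NOW)


if __name__ == "__main__":
    for backup_id, findings in run_sample().items():
        print(backup_id, "PASS" if not findings else "; ".join(findings))
```

The checksum comparison is deliberately made against bytes that were restored, not against the backup file in place: a backup that cannot be restored is the failure mode the annual disaster recovery simulation exists to catch, and a hash of the stored archive alone would not detect it.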


Capital Requirements Directive (CRD)

The CRD applies the Basel II requirements to credit institutions and investment firms across the EU. There are three pillars under the new Basel II accord:
- Pillar I – the measurement of risk
- Pillar II – the supervisory review process
- Pillar III – market discipline, through a set of disclosure requirements

Pillar II enhances the link between a credit institution’s risk profile, its risk management, its risk mitigation systems and its capital. Under the CEBS guidelines on Pillar II, BCP is encouraged as a “best practice” requirement and forms part of the risk assessment process.

As “best practice”, the Basel Committee on Banking Supervision, in a forum with other supervisors, came up with high level principles on business continuity.


High Level Principles of Business Continuity

The Joint Forum, based in Basel, is made up of:
- the Basel Committee on Banking Supervision (BCBS)
- the International Organization of Securities Commissions (IOSCO)
- the International Association of Insurance Supervisors (IAIS)

It concluded in February 2005 that high-level principles on business continuity would contribute to the resilience of the global financial system.

Effective business continuity management is defined to incorporate business impact analyses, recovery strategies and business continuity plans, as well as programmes for testing, training and awareness, and communication and crisis management.

The 7 high level principles were developed for two distinct but related audiences: financial industry participants (including unlicensed providers to the financial services industry) and financial authorities.


The 7 High Level Principles of Business Continuity

- Principle 1: Board and senior management are responsible for the organisation’s business continuity.
- Principle 2: Major operational disruptions affecting the operations of the financial system within their responsibility are to be addressed in the BCP.
- Principle 3: Recovery objectives are developed to reflect the risk they represent to the operation of the financial system.
- Principle 4: Communications – procedures for communicating within their organisations and with relevant external parties form part of the BCP.
- Principle 5: Cross-border communications – procedures for communicating with financial authorities in other jurisdictions in the event of major operational disruptions with cross-border implications.
- Principle 6: Testing – test their BCPs, evaluate their effectiveness, and update their business continuity management as appropriate.
- Principle 7: Business continuity management reviews by financial authorities, who should incorporate business continuity management reviews into the ongoing assessment of the financial industry participants for which they are responsible.


High Level Principles of Business Continuity – Case Studies

- US-Canadian electrical power grid outages in August 2003
- The impact of the 2003 SARS outbreak on Hong Kong SAR’s securities markets
- The impact of the 2003 SARS outbreak on the Canadian securities industry
- The 2004 Japan Niigata Chuetsu earthquake, measuring 6.8 on the Richter scale
- The London terrorist attacks on 7 July 2005 – 50 killed and 700 injured; the public transportation system in London was at a complete standstill for a significant period


Business Continuity Issues for the UK Financial Sector 2007 – FSA

Business continuity is firmly on the FSA’s agenda. The Priority Risk Report sets the agenda for compliance visits and represents a barometer of risk issues from both the regulator and regulated firms.

Cross-sectoral risks highlighted:
- Pandemic flu – tap reports by larger corporations
- Terrorism – still a real threat

Sectoral issues:
- Outsourcing in retail financial services (banks, insurance), especially offshore – an emerging operational and reputational risk
- Investment banks and securities firms: MiFID implementation challenges; volume growth in credit and equity derivatives leading to back-office backlogs
- Asset and fund management – change in processes
- Hedge funds – now subject to regulation by the FSA


Survey on BCP in Financial Services Firms (by OpRisk & Compliance)

Firms are not taking BCP as seriously as they should:
- Board/senior management not giving importance to BCP – 68%
- Lack of funds/resources – 49%
- Difficulties in communicating the BCP internally – 32%
- Difficulties in co-ordinating with external stakeholders – 24%
- BCP regarded as an IT issue – 89%
- Employ specialised risk managers – 29%
- Compliance mentality towards BCP
- BCPs updated annually – 46%
- Concern that BCP is not given priority due to compliance projects for MiFID, Basel II, SOX issues etc.


References

Capital Requirements Directives
- Directive 2006/48/EC: http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_177/l_17720060630en00010200.pdf
- Directive 2006/49/EC: http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_177/l_17720060630en02010255.pdf

MiFID
- Framework Directive – Directive 2004/39/EC: http://europa.eu.int/eur-lex/pri/en/oj/dat/2004/l_145/l_14520040430en00010044.pdf
- Implementing Directive – Directive 2006/73/EC: http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_241/l_24120060902en00260058.pdf

High Level Principles for Business Continuity
- Bank for International Settlements (Joint Forum): http://www.bis.org/publ/joint14.pdf

Other
- Malta Financial Services Authority (MFSA) – www.mfsa.com.mt
- UK Financial Services Authority (FSA) – www.fsa.gov.uk