ASIC expands operational resilience guidance for market participants.
ASIC (in Australia) has officially released a letter to market participants “outlining technological and operational resilience guidance, clarifying how to identify critical business services and notification of a major event.”
The guidance relates to the technological and operational resilience requirements “detailed in Chapters 8A and 8B of the ASIC Market Integrity Rules (Securities Markets) 2017 and ASIC Market Integrity Rules (Futures Markets) 2017.”
ASIC expects market participants to maintain “a strong and continued focus on their technological and operational resilience, noting it is not a ‘set-and-forget’ process. Adjustments to critical business services arrangements should be made as required.”
ASIC is committed to advancing digital and data resilience and safety “as one of its strategic priorities for 2024-25.”
Resilient market operators and market participants are “essential to the integrity of our securities and futures markets and to the efficient functioning of the economy.”
The market integrity rules set minimum expectations and controls “to mitigate risks to help safeguard the integrity and resilience of Australia’s markets.”
ASIC encourages market participants “to carefully consider the guidance set out in the letter and in Regulatory Guides 265 and 266, as it clarifies expectations around critical business service arrangements, specifically market participants’ identification of critical business services and major event notifications.”
ASIC will now consult with industry on incorporating “this guidance into Regulatory Guides 265, 266 and 172 when they’re next updated.”
Chapters 8A and 8B of the ASIC Market Integrity Rules (Securities Markets) 2017 and ASIC Market Integrity Rules (Futures Markets) 2017 (the Resilience Rules), which came “into effect on 10 March 2023, aim to promote the technological and operational resilience of market participants.”
In 2023, ASIC conducted a thematic review “of market participants’ arrangements for complying with the Resilience Rules, focusing on the requirements to identify their critical business services and notify ASIC of major events.”
As a first step, in May 2024, ASIC made revisions “correcting minor drafting errors in RG 265, RG 266 and RG 172 that caused confusion about the identification of critical business services, and clarifying what we mean by ‘immediately’ when notifying ASIC of a major event.”
As a second step, ASIC issued a letter to market participants “to share observations and guidance from the thematic review we conducted of market participants’ arrangements for identifying critical business services and dealing with a major event.”
ASIC’s third step, which is currently underway, is to meet with market participants “to discuss and consider questions and requests for further expanded guidance.”
ASIC is Australia’s corporate, markets and financial services regulator.