/ Proposed Operational Risk Management Standard for Clearing and Settlement System Administrators, Securities Depository and Custody Companies, Stock Exchanges, Commodity Exchanges, Securities Intermediaries, Commodity Exchange Brokers and Registered Fund Managers (AGFs)
September 11, 2023On August 8, 2023, the Financial Market Commission of Chile (“CMF”) published for comment a General Applicability Rule (“NCG”) that aims to update the Operational Risk Management framework for Clearing and Settlement System Administrators, Securities Depository and Custody Companies, Stock Exchanges, Commodities Exchanges, Securities Intermediaries, Commodities Exchanges Brokers and AGFs, including the provisions of Law 21,521 (“FINTECH Law”) in order to provide instructions regarding the operational risk management of such entities. Thus, NCG’s proposal mainly considers the following:
- It understands that operational risk corresponds to the risk that deficiencies that may occur in information systems, internal processes or personnel, or disturbances caused by external events may cause the reduction, deterioration or interruption of the services provided by the entity and eventually lead to financial losses. It includes the risk of losses due to regulatory changes that affect the entity’s operations, as well as losses arising from non-compliance or non-adherence to current regulations. Considering the above, the NCG proposal seeks to ensure that the relevant entity has the capacity to continue providing its services in the event of a disruptive event, for which it must manage operational risk through an adequate combination of policies, procedures, controls, organizational structure and information systems, in accordance with the nature, volume and complexity of the activities it performs.
- Operational risk management policies and procedures shall be formally established and documented.
- Work plans and the issuance of operational risk management reports to the board of directors, or equivalent body, shall be part of comprehensive risk management, in accordance with the entity’s corporate governance and risk management regulations.
- Operational risk management policies and procedures shall regulate at least the following areas: (i) information security and cybersecurity; (ii) business continuity; and (iii) outsourcing of services. The aforementioned areas shall be considered by the entity in the reports made by the bodies in charge of risk management and internal audit, as appropriate.
- With regard to information security and cybersecurity, operational risk management should include at least the following: (i) policies that safeguard the availability, confidentiality and integrity of information assets; define risk appetite levels for information security and cybersecurity; determine the main roles and responsibilities; define procedures for information security and cybersecurity risk assessment; (ii) information and communication technology (ICT) policies; (iii) definition of the profile and required number of persons with verifiable knowledge of information security and cybersecurity standards; (iv) establishment of procedures for the entity’s personnel, including the board of directors or equivalent body, to contribute to the adequate management of information security and cybersecurity risks; (v) generation of contractual agreements for the revocation of rights of access to information and return of information assets as part of the process of change of position or termination of an employee; (vi) auditing of the information security and cybersecurity management processes; (vii) procedures that allow the board or equivalent body to be kept informed in a timely and periodic manner about the information security and cybersecurity management system; and (viii) detection and protection of cyber-attacks; interest management procedures; among others.
The information security and cybersecurity policy shall be part of the entity’s risk management policies, and shall be updated and approved at least annually by the board of directors, or equivalent body, or more frequently in the event of significant changes.
- In the area of business continuity, operational risk management should include at least the following: (i) policies that contemplate response procedures for the occurrence of internal or external events that could create an interruption in the continuity of business operations and training and awareness to ensure that the entity’s personnel are adequately prepared to face the contingency scenarios defined and that they understand their responsibilities in the management of business continuity system risks; and establish the main roles and responsibilities on the matter; (ii) have people with verifiable knowledge of business continuity standards and experience in the management of the associated risks; (iii) procedures that allow the Board of Directors to be informed in a timely and periodic manner, and the reporting of information on these matters must be recorded in the relevant minutes of the Board of Directors or equivalent body and in the committees that are formed to review these matters; procedures that consist of the entity having a secondary site that allows the entity to resume operations in the event of an interruption at the main site, allowing the reestablishment of the most relevant business processes; carry out or update, at least annually, in the event of events that threaten the continuity of business operations, a business interruption assessment (BIA) in order to identify the most relevant processes for business continuity, the impact of an interruption of these processes, and the time and resources necessary for their continuity and recovery; carry out or update, at least annually, a risk impact assessment (RIA); maintain the continuity of the most relevant processes, considering preventive measures to reduce the probability of damage, minimize recovery time and limit the impact on the entity’s business operations; implement a crisis management plan that determines the procedures for escalation, communications, management and reporting of operational continuity events to keep the board or equivalent body informed in a timely manner; have a business continuity and disaster recovery plan, approved annually by the board or equivalent body; have a continuous improvement plan for business continuity policies, plans and procedures.
Reports on the results of the tests performed should be issued to the board of directors or equivalent body, containing recommendations and actions to implement improvements to the business continuity and disaster recovery plan.
- In relation to the outsourcing of services, the operational risk management policy shall consider: (i) substitution risk: the possibility of substituting or not substituting a supplier within a determined period of time that guarantees the continuity of the contracted service; (ii) intervention risk: the possibility that the entity will have to take over the contracted function; (iii) subcontracting risk: the possibility that the provider will in turn subcontract all or part of the service, reducing the entity’s ability to supervise the outsourced function; and (iv) concentration risk: the possibility that an entity will contract one or more services from a single provider that is difficult to replace, increasing the possibility of failures or prolonged interruptions. In the operational risk management procedures that refer to this matter, at least, the following should be established: (i) procedures to determine critical services; (ii) procedures for the selection, contracting and monitoring of suppliers; (iii) provide certain minimum contents in contracts with outsourced service providers; (iv) have a register of outsourced services to manage outsourcing risks; (v) periodically monitor that the suppliers comply with the agreed conditions to guarantee the quality of service provision; (v) verify that the provider of the contracted services has adequate knowledge and experience; (vii) maintain personnel with the necessary knowledge to control the provision of services by its service providers.
The Board of Directors or equivalent body must be kept informed on matters related to outsourcing, for which purpose it must have procedures that allow it to be informed in a timely and periodic manner, among others. The reporting of information on these matters shall be recorded in the relevant minutes of the board of directors or equivalent body and in the committees formed to review these matters.
- The board of directors, or equivalent body, should ensure that the policies, processes and systems within the organization are consistent with the defined risk appetite and contain clear lines of responsibility for operational risk management. Likewise, it shall provide the relevant instances of the entity with the necessary resources and personnel for operational risk management, according to the volume and complexity of the entity’s operations.
- 9. Entities must inform the CMF of any operational incidents that affect or put at risk the continuity of the business, the resources and information of the entity or its clients and the quality of services.
Circular Letters No. 1,939 and No. 2,020 (addressed to securities depository and custody entities and financial instruments clearing and settlement systems administration companies) and General Applicability Rule No. 256 (addressed to participants of financial instruments clearing and settlement systems) are repealed, and General Applicability Rule No. 480, which regulates the interconnection of stock exchanges, is amended.
For further information, please contact Felipe Cousiño Prieto (Partner) and Francisca Donoso Fernández (Associate Attorney).