Norway: Financial Sector Assessment Program-Technical Note-Oversight and Supervision of Financial Market Infrastructure, and Selected Issues in the Payment System

This Technical Note reviews the oversight and supervisory framework for systemically important Financial Market Infrastructure (FMI) in Norway. Norway has a modern and stable FMI. The assessment results suggest an effective supervision and oversight framework supported by a strong legal basis, adequate oversight resources, and good domestic and foreign cooperation between authorities. All Norwegian FMIs have completed assessments against the new international standards and are in the process of improving observance where needed. The authorities could consider strengthening their cooperation to address the risks from outsourced critical infrastructures and tighter interdependencies across FMIs. The authorities could also consider additional measures to strengthen the operational resiliency of payment systems.

Abstract

This Technical Note reviews the oversight and supervisory framework for systemically important Financial Market Infrastructure (FMI) in Norway. Norway has a modern and stable FMI. The assessment results suggest an effective supervision and oversight framework supported by a strong legal basis, adequate oversight resources, and good domestic and foreign cooperation between authorities. All Norwegian FMIs have completed assessments against the new international standards and are in the process of improving observance where needed. The authorities could consider strengthening their cooperation to address the risks from outsourced critical infrastructures and tighter interdependencies across FMIs. The authorities could also consider additional measures to strengthen the operational resiliency of payment systems.

Introduction

1. This report contains the assessment of the interbank payment systems and authorities’ responsibilities in Norway. This includes the Norges Bank’s Settlement System (NBO) and the Norwegian Interbank Clearing System (NICS), and the oversight and supervisory responsibilities of Norges Bank and the Finanstilsynet (Financial Supervisory Authority of Norway, FSA). The assessment was undertaken in the context of the IMF’s FSAP to Norway in February and March 2015. The assessor would like to thank the authorities for the excellent cooperation and hospitality.4

2. The scope includes a targeted assessment of the comprehensive risk management framework and operational risks of the interbank payment systems. The objective has been to identify potential risks that may affect financial stability. Although safe and efficient payment systems contribute to maintaining and promoting financial stability and economic growth, they may also concentrate risk. If not properly managed, such FMIs can be sources of financial shocks, such as liquidity dislocations and credit losses, or a major channel through which these shocks are transmitted across domestic and international financial markets.

3. The basis for the assessments was derived from the Principles for Financial Market Infrastructures (PFMIs). Interbank payment systems are assessed against Principle 3 on Framework for the comprehensive management of risks, Principle 17 on Operational risk, and Annex F on Oversight expectations applicable to critical service providers (CSPs) under the Committee on Payments and Market Infrastructure-International Organization of Securities Commissions (CPMI-IOSCO) PFMIs. The CPMI-IOSCO Assessment Methodology for the Oversight Expectations of CSPs was also applied to assess an FMI’s CSPs against the oversight expectations in Annex F.

4. This note reviews the oversight and supervisory framework for systemically important FMIs in Norway. Authorities’ responsibilities are assessed against Responsibilities A to E of the PFMIs (Box 1), and is solely based on Norges Bank’s responses and not the FSA. Prior to the mission, Norges Bank prepared the self-assessment of its responsibilities against the PFMIs, and completed the Questionnaire on FMIs in Norway. Furthermore, the assessor studied the relevant national laws, Norges Bank Financial Infrastructure Report, Norges Bank Annual Reports on Payment Systems, and Financial Supervisory Authority of Norway Annual Reports. The assessor had daily and thorough discussions with Norges Bank (Financial Infrastructure Unit of the Financial Stability Department; Interbank Settlement Unit and Information Technology Unit of the Markets and Banking Services Department), the FSA (Information Technology and Payment Services Section, Investment Firm and Infrastructure Section), Finance Norway (NICS Operations Office), and private sector representatives (SpareBank 1 SMN, DNB Bank, EVRY, Nets Norway, Oslo Clearing, and VPS).

Responsibilities of Central Banks, Market Regulators, and Other Relevant Authorities for Financial Market Infrastructures

Responsibility A: Regulation, supervision, and oversight of FMIs

FMIs should be subject to appropriate and effective regulation, supervision, and oversight by a central bank, market regulator, or other relevant authority.

Responsibility B: Regulatory, supervisory, and oversight powers and resources

Central banks, market regulators, and other relevant authorities should have the powers and resources to carry out effectively their responsibilities in regulating, supervising, and overseeing FMIs.

Responsibility C: Disclosure of policies with respect to FMIs

Central banks, market regulators, and other relevant authorities should clearly define and disclose their regulatory, supervisory, and oversight policies with respect to FMIs.

Responsibility D: Application of the principles for FMIs

Central banks, market regulators, and other relevant authorities should adopt the CPSS-IOSCO Principles for financial market infrastructures and apply them consistently.

Responsibility E: Cooperation with other authorities

Central banks, market regulators, and other relevant authorities should cooperate with each other, both domestically and internationally, as appropriate, in promoting the safety and efficiency of FMIs.

Source: CPSS-IOSCO Principles for FMIs (PFMIs), April 2012.

Overview of the Payment, Clearing, and Settlement Landscape

A. Description of Landscape

5. There are five systemically important FMIs that are located in Norway (Figure 1).5 This includes four interbank payment and settlement systems, and one central securities depository that functions as a securities settlement system. There are currently no trade repositories. Two systemically important foreign central counterparties (CCPs) have branches in Norway. The FMIs have tight interdependencies. The key features are as follows:

  • Norges Bank Settlement System (NBO). The NBO settles the interbank positions of participants on a gross and net basis across their accounts held at Norges Bank, which is the ultimate settlement bank in Norway. The NBO settles the clearing positions from the NICS, the securities settlement system VPS, and the SIX x-clear Norwegian Branch (formerly Oslo Clearing settlement system). It also receives payments from Norwegian banks and payments sent to and from the CLS system. Daily operational hours are from 5.30 a.m. to 4.30 p.m. (4.00 p.m. closing time in the summer). There are 21 direct participants in settlement of net positions from the NICS, and 109 smaller banks that participate indirectly through a private settlement bank. Norges Bank holds the accounts of 131 banks.

  • Norwegian Interbank Clearing System (NICS). The NICS is the banks’ jointly owned system for receiving and clearing payment transactions. Small-value payments such as card and credit and debit transfers are multilaterally cleared. Total net credit or debit positions are calculated for each bank against other participant banks, which are then settled in the NBO at four different intervals (5:30 a.m., 11:00 a.m., 1:30 p.m., and 3:30 p.m.). NICS also handles large-value transactions sent by banks, which are relayed on a gross basis for settlement in the NBO.

  • Private Settlement Systems. DNB and Sparebank 1 SMN each own and operate settlement systems. Both have direct participation in the NBO to settle their own positions (as first-tier banks), and for other indirect participants (as second-tier banks).6 There were 97 and 11 small bank participants in the DNB and Sparebank 1 SMN settlement systems at end-2014, respectively.

  • Norwegian Central Securities Depository (Verdipapirsentralen, VPS). The VPS records the owners and holders of rights to registered financial instruments, and handles their transfers. It also functions as a securities settlement system (VPO). As of end-2014, there were 70 members, including 37 direct and 33 indirect participants. Payments between direct participants for trades in equities, equity capital instruments, listed funds, notes and bonds are settled in the VPO. Securities are netted and settled at the CSD. The settlement of securities takes place after the netting and settlement of cash on a delivery versus payment (DVP) basis at Norges Bank. The settlement of cash is a prerequisite for securities settlement. There are two settlement cycles (within 6.20 a.m. and 12.30 p.m.).

Figure 1.
Figure 1.

Payment, Clearing, and Settlement Landscape in Norway

Citation: IMF Staff Country Reports 2015, 254; 10.5089/9781513532752.002.A001

Source: IMF staff.Notes: DNB and Spare Bank 1 SMN are also Tier-1 banks. MTFs include, for example, BATS CHI-X and Turquoise. CLS is operated from the U.S./U.K. LCH.Clearnet Ltd is operated from the U.K. SIX x-clear Norwegian Branch and LCH.Clearnet Ltd are considered systemically important foreign CCPs in Norway. LCH.Clearnet Ltd is a direct participant in VPO. Trading on Nasdaq OMX Stockholm and MTFs are cleared on other CCPs. The settlement of securities in VPS/VPO takes place after cash settlement in the NBO.

6. The NBO remains systemically important and highly concentrated. The NBO’s average daily turnover amounted to around 200 billion NOK in 2014. Around 90 percent of total transaction values were concentrated in the top five participants. The average daily turnover as a percentage of gross domestic product was around 6 percent in 2014. Other FMIs that have significant daily turnover include the NICS, VPO, and CLS (Table 2).

Table 2.

Norway: Average Daily Turnover in Selected FMIs in 2014

article image
Source: Norges Bank.

7. The Norwegian payment system is linked to CLS.7 CLS participates in the NBO and holds an account in Norges Bank, which is used to transact all incoming and outgoing payments in NOK from correspondent banks in Norway. The NOK and 16 other eligible currencies are settled by CLS Bank International located in the U.S.8 One Norwegian bank participates directly as a settlement member in CLS. There are 33 Norwegian indirect participants (third parties). Four banks act as liquidity providers, which are committed to provide liquidity if necessary to cover outgoing payments. CLS helps to mitigate foreign exchange settlement risks through its payment versus payment arrangements. CLS average daily turnover, measured by settlement and pay-ins of NOK, amounted to 361 billion NOK and 7.8 billion NOK, respectively, in 2014.

8. Four foreign CCPs are licensed to provide cross-border services in Norway, including two that are systemically important. 9

  • The Swiss CCP SIX x-clear Ltd has been authorized by the Norwegian Ministry of Finance to act as a CCP in Norway. On May 1st, 2015, Oslo Clearing was legally integrated into the Swiss CCP SIX x-clear. The clearing services previously provided by Oslo Clearing is now provided by the SIX x-clear Norwegian Branch, which clears equities, equity derivatives, and securities lending transactions in NOK. The Norwegian branch of SIX x-clear participates in VPO with its own settlement account both in VPS and at Norges Bank;

  • The UK CCP LCH.Clearnet Ltd operates on Oslo Børs, providing clearing services in NOK for equities traded on Oslo Børs and interoperability with the SIX x-clear Norwegian Branch for equities and derivatives on equities that are traded on the London Stock Exchange (LSE). Oslo Børs and the LSE have a common order book for equity derivatives. LCH.Clearnet Ltd is an international CCP with over 170 members and has no branch in Norway. LCH.Clearnet Ltd is considered a systemically important foreign CCP in Norway as the amounts cleared are large and important for financial stability. LCH.Clearnet Swap Clear service for interest derivatives includes Norwegian members such as DNB;

  • The German CCP European Commodity Clearing (ECC) Ltd operates on the pulp and paper exchange Norexeco, and clears commodity derivative trades in euro and USD. As Norexeco is not yet in operation, the ECC has not commenced clearing in Norway. The ECC is licensed as a CCP in Germany in accordance with the European Market Infrastructure Regulation (EMIR) and has no branch in Norway. According to supplementary requirements in German national legislation, German CCPs also need a banking license. The German banking license is not relevant for the ECC’s Norwegian CCP license; and

  • The Swedish CCP Nasdaq OMX Clearing AB operates through its Norwegian branch Nasdaq OMX Oslo NUF. This CCP is for secondary listed Norwegian equity derivatives on the Stockholm stock exchange. The Nasdaq OMX Oslo branch is currently a CCP for energy, freight, iron ore, seafood and quota derivatives and electricity certificates. The branch provides clearing in several currencies of commodities derivatives. The main currencies are euro and USD.

B. Major Changes and Ongoing Reforms

9. Stability and structural issues have been largely addressed since the FSAP of 2005. Follow-up measures were taken to mitigate potential spillover risks from two-tiered settlement arrangements. Norges Bank receives reports on breaches to limits provided by private settlement banks to their tier two banks. Daily clearing in the NICS increased from two to four sessions, while netting of payments in different formats has been merged. For direct participants, payments larger than 25 million NOK are automatically excluded from netting in the NICS and are settled on a gross basis at the NBO. The switchover to direct participation in the NBO due to the failure of a private settlement bank was tested with results suggesting the availability of sufficient liquidity for a one day disruption. Further analysis was made on the contagion effects if a bank has insufficient funds to ‘meet its net settlement obligations.10 On insolvency issues, a consultation paper (in Norwegian) was published by the finance ministry on February 18th, 2015, and is due for comments on May 19th, 2015. This includes a prescript to clarify insolvency provisions in the Payment Systems Act. If this prescript becomes effective, Norges Bank and VPS will be able to change their rules so that transactions from a failed participant in the securities settlement system can be settled even in the case of insolvency.

10. Norges Bank changed to a new settlement system in 2009. The second generation RTGS system was based on the purchase of off-the-shelf software from an external vendor and the outsourcing of IT operations. This has helped reduce costs associated with providing settlement services. Moreover, the risks from depending on IT expertise from a few central bank staff to update and maintain the NBO were mitigated. 11 Comparatively, the first generation RTGS system was developed in-house by Norges Bank’s internal IT department in 1999. The changeover followed the decision to outsource NBO-related IT operations, including the Society for Worldwide Interbank Financial Telecommunication (SWIFT) interface and collateral management system, to a third party service provider since 2002. Although Norges Bank’s core function includes its role as ultimate settlement bank, the authorities viewed that such responsibilities could be discharged without having to execute the daily operational and development tasks.12 Additionally, all Norges Bank IT-related operations have also been outsourced to the same firm as of late-2009.

11. The Norwegian Parliament will be voting on the EMIR and the Central Securities Depositories Regulation (CSDR). EMIR and CSDR have not currently been integrated into the European Economic Area (EEA) Agreement due to possible inconsistencies with the Norwegian Constitution.13 A formal agreement is not yet in place. However, the parties have agreed on a political solution on the incorporation of the EU Regulations establishing the European Supervisory Authorities into the EEA Agreement. The technical details are currently being negotiated. This will allow the following implementation of EMIR and CSDR in Norwegian legislation. If approved, both regulations will be included in the EEA Agreement, giving the European Free Trade Association’s (EFTA) Surveillance Authority (ESA) the role of an intermediate authority between Norwegian institutions and the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA). In effect, ESA will be given power to make legal decisions for Norwegian institutions.14 The ESA will be given new competences to adopt legally binding decisions towards national surveillance authorities and financial institutions.

12. The Norwegian CSD is positive in relation to joining a common technology platform that settles securities trades in Europe. The platform, called TARGET2-Securities (T2S), is part of the European Central Bank and Eurosystem’s efforts to promote a single securities market in Europe. This involves the establishment of a common technology solution that CSDs and central banks can use for settling securities trade in EUR and other European currencies. T2S is expected to start operations by June 2015, after which CSDs are expected to migrate to the new system in four waves until February 2017. If VPS joins T2S, it would after these waves. The VPS plans to introduce a new system for securities registration and settlement by 2017. VPS will discuss its potential participation in the T2S in 2015, involving market participants and Norges Bank. A prerequisite for VPS’ participation in T2S is for Norges Bank to place the Norwegian krone at disposal in T2S.

Effectiveness of the Oversight and Supervision Framework

A. Regulation, Supervision, and Oversight of FMIs

13. Norges Bank and the FSA are the authorities responsible for the oversight and supervision of FMIs in Norway. FMIs licensed under the Payments Systems Act (Section 2) are supervised by Norges Bank. Norwegian FMIs licensed under the Financial Supervision Act (Section 1) are supervised by the FSA. Both authorities jointly supervise and oversee Norwegian FMIs under two publicly disclosed cooperative arrangements, which establish the nature of tasks, cooperation, and division of responsibilities. The cooperative arrangements do not cater for joint supervision. They determine which information should be exchanged and when, including during a crisis and when the two parties should have joint consultations. The criteria for identifying FMIs is clearly defined and publicly disclosed with ten FMIs subject to supervision and oversight (Table 3). There are six criteria, which are published in Norges Bank’s Financial Infrastructure Report and website, including: (i) number of completed transactions and values; (ii) type of participants; (iii) markets impacted by the system; (iv) market shares; (v) interconnectedness with other FMIs and financial institutions; and (vi) available alternatives to using the FMI at short notice. For the FSA, the criteria is established by law so all institutions that operate FMIs are subject to licensing and supervisory requirements. The FSA is also a member of IOSCO so supervision is based on the PFMIs. For the Norges Bank, there are differences in the scope for supervision and oversight. Supervision is aimed at ensuring compliance against laws, regulation, and other requirements from the authorities. Oversight covers assessments against the CPMI-IOSCO PFMIs, evaluation of related issues on financial stability, and issuance of public statements.

Table 3.

Norway: FMIs Subject to Supervision and Oversight

article image
Sources: Norges Bank; and FSA.Note: UK and Norwegian authorities are establishing cooperation agreements on the supervision and oversight of LCH.Clearnet Ltd. A cooperation agreement has been concluded between the Swiss and the Norwegian authorities on the oversight and supervision of SIX x-clear Ltd.

B. Regulatory, Supervisory, and Oversight Powers and Resources

14. There is a strong legal basis that gives sufficient powers to discharge responsibilities, while moral suasion is generally used and effective. Legal powers are derived from the Norges Bank Act, Payment Systems Act, Financial Supervision Act, Securities Register Act, Securities Trading Act, and relevant regulations relating to the use of information and communications technology, and payment institutions. Licensing regimes and the authorities’ in charge are well established. Although the supervisory authority for an FMI has legal powers, an overseer relies on moral suasion as a general rule. The Norges Bank Act (Section 27 and Circular 30.11.2005 nr. 1351) empowers the central bank to obtain information about an FMI, including statistical information on customers. The Payment Systems Act (Sections 2–9) gives Norges Bank legal powers to require changes in licensed payment systems (NICS and DNB). However, such powers do not cover other Norwegian FMIs (VPS, Sparebank 1 SMN, and Oslo Clearing). These three institutions are supervised by the FSA. Oslo Clearing’s and VPS’ associated securities settlement systems are also approved by the FSA. If the PFMIs overlap with laws and regulations, Norges Bank induces change by publishing assessment results, requesting FMIs to develop plans to improve observance, and monitoring progress in supervisory and oversight meetings. The FSA can order an FMI to act according to the PFMIs if this is justifiable according to Norwegian legislation.

15. The NBO and licensed payment systems are subject to reporting requirements, while critical disruptions need to be notified immediately. Such payment systems are required to submit quarterly and annual reports to Norges Bank on operational disruptions, participation, turnover, exposure, or planned changes. Norges Bank has semiannual meetings with all FMIs that are under its oversight. This includes the collection of quantitative data on direct and indirect participants for the FMIs to analyze risk exposures. Norges Bank also has online access to information in the VPS to monitor securities settlement activity, including the “VPS Settlement Benchmark” (settlement degree and aggregated positions) and “VPS Oppgjørsinfo” (individual positions for settlement members). The FSA (a separate unit from VEPIN and ITBET that investigates insider dealing and market manipulation) and the police also have access to VPS Oppgjørsinfo.

16. Norges Bank has sufficient resources to fulfill regulatory, supervisory, and oversight responsibilities, and leverages on operational and technical skills from the FSA. Norges Banks’ Financial Infrastructure Unit, which has FMI oversight responsibilities, is staffed with eight persons, mainly economists. There is also access to resources from the research and legal units to analyze more specialized topics such as the quantitative analysis of financial risk in CCPs. The Financial Infrastructure Unit does not have staff with expertise on IT and operational issues of FMIs, and leverage on the FSA staff for know-how in such areas as established under cooperative arrangements, which appear to be working well. Norges Bank has cooperated with the FSA on VPS and Oslo Clearing.

17. The FSA organizes FMI supervision through two sections, which are well-staffed. The Investment Firm and Infrastructure (VEPIN) Section is responsible for approving SSSs, and supervision of CCPs, the Norwegian CSD and SSS, and trading venues. VEPIN has 15 employees where 5 work full time on infrastructure supervision. This includes 2 lawyers and 3 economists. Other VEPIN staffs are also involved on a part-time basis in FMI supervision. The Information Technology and Payment Services Supervision (ITBET) Section is responsible for supervising the IT systems of FMIs and institutions under its general supervision, and payment services. Some of ITBET’s major tasks include preparing the Risk and Vulnerability Analysis Report, and monitoring the payment services and threat landscape. ITBET has seven experienced employees.

C. Disclosure of Policies with Respect to FMIs

18. Norges Bank’s FMI policies are made explicit and publicly disclosed, which could be made similar for the FSA. Norges Bank’s FMI policies are published in the Financial Infrastructure Report and website. Differences in the scope for supervision and oversight of FMIs are described. Supervision is aimed at ensuring compliance against laws, regulation and other requirements from the authorities. Oversight covers FMI assessments against the CPMI-IOSCO PFMIs, evaluation of possible additional issues on financial stability, and issuance of public statements on different issues that concerns the FMI. The FSA’s FMI policies are described in Norwegian on its website and Annual Report.15 However, they could be made more transparent, in English, and also disclosed through the Risks and Vulnerability Analysis (RAV) Report. This is to provide information to interested parties, which may include foreign investors and foreign FMIs.

D. Application of the PFMIs

19. Norges Bank’s NBO oversight and operational responsibilities are separated to prevent potential conflicts of interest. NBO operations are under the responsibility of the Interbank Settlement Unit located in the Markets and Banking Services Department. NBO oversight is by the Financial Infrastructure Unit in the Financial Stability Department. If conflicts of interest arise, the directors of the both departments raise the issues to the Governor and Deputy Governor. Like other FMIs, the Interbank Settlement Unit was requested, as NBO operator, to complete a self-assessment for the Financial Infrastructure Unit to make a comparative assessment to identify gaps.

20. All FMIs located in Norway have completed self-assessments. As noted, this follows Norges Bank’s request to systemically important FMIs, including the NBO, NICS, DNB Bank, Sparebank 1 SMN, VPS, and Oslo Clearing. Norges Bank’s own assessments were largely consistent with the evaluation results by each FMI, and have been published in the Financial Infrastructure Report of 2014. Norges Bank’s assessments of VPS and Oslo Clearing were done in cooperation with the FSA. So far only VPS and Oslo Clearing have published information according to Principle 23 on Disclosure of rules, key procedures, and market data of the CPMI-IOSCO PFMI.

21. There appears to be minor inconsistencies in the application of international standards, which would benefit from further validation. First, although overall assessment results suggest that only two FMIs (VPS and Oslo Clearing) publicly disclosed responses to the CPMI-IOSCO Disclosure Framework for FMIs to improve their transparency, all FMIs were assessed as fully observing Principle 23 on Disclosure of rules, key procedures, and market data. Second, although VPS’ disaster recovery and business continuity rules require that all systems shall be operational within four hours (instead of two hours); it fully observed Principle 17 on Operational risk. Although the authorities would be focusing on the improvement of observance in targeted areas assessed to have shortcomings in selected FMIs, the comparison of evaluation results across the FMIs to validate for consistency would be helpful.

22. Norges Bank should deepen cooperation in the future assessment of operational risk in the NBO, and also establish oversight expectations for critical service providers. Norges Bank should leverage on the FSA’s operational and technical expertise in payment systems for the assessment of potential operational risks in the NBO, which has been subject to outsourcing and was assessed as broadly observed. This could be done within the context of the cooperation agreement to complement the skill set of the Norges Banks’ Financial Infrastructure Unit. Such cooperation does not imply changes to formal oversight responsibilities. Although Norges Bank plans to adopt the CPMI-IOSCO Assessment Methodology for the Oversight Expectations Applicable to Critical Service Providers, it should consider establishing specific oversight expectations for systemically important payment systems, which have undergone extensive outsourcing. This should cover five areas, including risk identification and management, information security, reliability and resilience, technology planning, and communication with users. Assessments should include assigned ratings that are publicly disclosed and used as a basis for contract renewal.

E. Cooperation with Other Authorities

23. Norges Bank and the FSA have established two domestic cooperation agreements on FMIs. The first addresses tasks pursuant to the Payment Systems Act.16 The second covers SSSs and clearing houses.17 Each authority extends invitations to the other for observers to attend relevant supervisory and oversight meetings. Such meetings address common concerns such as for CCPs and the SSS/VPS (once or twice a year) and on the IT-issues in payment systems (four times a year). Norges Bank is also invited by the FSA to take part as observers on relevant oversight inspections and meetings and on-site IT-inspections of FMIs or their CSPs. The FSA and Norges Bank jointly organize a yearly conference around the topics of payment systems, IT, and risks and vulnerability.

24. The Financial Infrastructure Crisis Preparedness Committee (BFI) could be made more transparent in cooperation agreements and expand its mandate. The BFI was established in October 2000 and was led by Norges Bank until 2010. As focus shifted from currency issues to IT-related incidents, the FSA’s ITBET Section resumed the leadership role. The BFI is a central crisis management group consisting of participants from Norges Bank, the FSA, Finance Norway, FMIs, Nets, EVRY, and major banks. Its mandate is to coordinate information sharing with relevant government authorities and participants in the event of a crisis. This is done by identifying the source of the problem, the potential consequences, and measures taken. The BFI holds three regular meetings on an annual basis and arranges at least one contingency exercise a year. The role of the BFI, however, is not mentioned in the authorities’ cooperation agreements, while its current mandate appear to be narrowly focused on IT-related incidents.18

25. The authorities should consider deepening cooperation in crisis management to handle potential risks from tighter interdependencies and critical infrastructures. Although Norges Bank and the FSA cooperate well under a clear legal framework with division of responsibilities in normal and stressed circumstances, this may prove insufficient during crisis events in the absence of a lead supervisor or overseer of the FMIs. The authorities should include crisis management in existing cooperation arrangements, and enhance the role played by the BFI. This should indicate the roles, responsibilities and potential tools of the authorities to manage a crisis. The framework could adopt a more comprehensive risk management approach in addition to monitoring just IT incidents. Risk scenarios could include, for example, the default of a clearing member in a CCP, participant failure in the securities settlement, and the simultaneous cyber attack on the primary and secondary sites of a payment system. Expanding the activities of the BFI does not imply a reduction in the responsibilities of the individual FMI system owners. Foreign cooperation arrangements that are planned to oversee CCPs that have been licensed to operate in Norway could also be expanded to cover cooperation in times of crisis.

26. Norges Bank and the FSA maintain good cooperation with foreign authorities. Norges Bank cooperates with other foreign central banks to oversee CLS.19 It has also held meetings with the Swedish and Danish central banks to gather information on understanding the new international standards. The FSA participates in four EMIR supervisory colleges. It has signed the ESMA MOU as an additional basis for information exchange and is an observer in the ESMA Board of Supervisors Meetings. It also participates in international working committees such as the ESMA Standing Committees on Post Trading and Secondary Markets and the CPMI-IOSCO commodities working group. The FSA has participated in the Swedish Supervisory Authority and the Swedish central bank’s CPMI-IOSCO assessment of Nasdaq OMX Clearing AB.

27. Cooperative oversight arrangements for foreign-based CCPs that operate in Norway are planned. Norges Bank and the FSA have established a MOU with the Swiss National Bank and the Swiss Financial Market Supervisory Authority for the oversight of the Swiss CCP SIX x-clear Ltd. Likewise, Norges Bank is also in discussions with the Bank of England to develop a cooperative oversight arrangement for the oversight of the U.K. CCP LCH.Clearnet Ltd. Currently, the licenses issued by the Norwegian Ministry of Finance to LCH.Clearnet Ltd, Nasdaq OMX Clearing AB, and the ECC include a condition regarding MOU for the FSA, but not Norges Bank. In all three cases, the foreign authorities would act as the lead overseer.

28. The mission recommends the following:

  • Conduct a joint assessment of the NBO’s operational risk;

  • Establish oversight expectations for CSPs of systemically important payment systems.20 This should cover five areas, including risk identification and management, information security, reliability and resilience, technology planning, and communication with users. These expectations could be published in Norges Bank’s Financial Infrastructure Report;

  • Identify, assess, and monitor CSPs. Assessments could be given assigned ratings, disclosed to the public, and used as a basis for renewing contracts with CSPs;

  • Enhance Norges Bank-FSA cooperation agreements to handle crisis events, and broaden the role of the Financial Infrastructure Crisis Preparedness Committee to cover all FMI-related risks;

  • Enhance the transparency of the FSA’s FMI policy through its Risks and Vulnerability Analysis Report and website;

  • Enter into foreign cooperation arrangements to oversee CCPs that have been licensed to operate in Norway, which could be expanded to cover cooperation in times of crisis; and

  • Adopt the prescript for the Payment Systems Act to address insolvency provisions for failed participants in the securities settlement system.

Selected Issues in the Payment System

A. Operational Risk

29. Norwegian payment systems have a good record of operational stability. Service availability is generally high and regularly reported in Norges Bank’s Financial Infrastructure Report. The NBO’s operations have been stable since the new settlement system was introduced in April 2009 with availability at close to 100 percent in 2014. The NBO Online, which gives banks access to account information, was 99.99 percent. The SIL system, which registers securities pledged by banks as collateral for loans, was 100 percent. For the NICS, operational disruptions have continuously decreased since its start-up in 1998. This is measured by recording all disruptions and assigning error points according to level of severity.

30. Operational risk from outsourcing has raised oversight challenges, which has been demonstrated by recent operational disruptions in Norway.21 The NICS experienced three major operational disruptions during 2013 and 2014. On March 18, 2013, severe network problems led to communication failure for nearly 3 hours between participating banks and the NICS. On February 4 and 6, 2014, connection problems between the NICS and SWIFT resulted disrupted the receipt and processing of SWIFT transactions. The disruption lasted over an hour for one incident and was slightly above two hours for the other. Similarly, the DNB settlement system recorded four operational disruptions in 2013, which did not appear to be severe or have a direct impact for participant banks.

31. Although the use of shared infrastructure helps achieve cost efficiency, their failure also creates vulnerabilities for FMIs. The FSA’s RAV Report pointed to two serious operational incidents following the failure of shared infrastructure in 2013.22 Both incidents involved network outages at two major IT service providers, which lasted between 2 and 4 hours. Moreover, their continuity solutions did not function properly as planned. As a result, this prompted one major bank to end their contractual agreement with one of the IT service providers, for parts of their IT operations solutions, and changes to an overseas service supplier. As both IT service suppliers also serve as CSPs for many FMIs in Norway, this could be a source of operational risks given their tight interdependencies. As the NBO has a dedicated infrastructure with its CSP, this helps mitigates the risks from sharing common infrastructure.

32. There are efficient back-up systems to ensure operational resiliency, but recovery time objectives and end-of-day settlement goals need to be clearly established in business continuity plans. Such objectives follow operational disruptions and extreme circumstances. The NBO is designed with full redundancy in all components without any single point of failure in the infrastructure. In the event of a fault in a hardware component, operations will automatically switch to the redundant component, with the result that the requirement for the resumption of operations within 2 hours and settlement by the end of the day can be achieved.

33. The location of primary and secondary sites of NBO and NICS do not appear to have completely distinct risk profiles, which makes them vulnerable to wide scale or major disruptions. Furthermore, operational risks may also arise from the routine maintenance of software, which is being addressed with the insourcing of IT application skills and the set-up of an alternative third site for the NBO. Software errors have been found to be very time-consuming (several days) to locate and correct, and could serve as a single point of failure if not properly resolved or mitigated.23 For the NBO, the strengthening of internal IT expertise in central-bank-specific systems has been stated in its strategy for 2014–16. Moreover, the introduction of an enhanced contingency solution based on different software is planned for in the second half of 2015. Based on SWIFT’s Market Infrastructure Resiliency Service (MIRS), it is a shared platform that could act as an alternative recovery site for RTGS operators. It is designed to back-up an RTGS system for an entire crisis period that could prolong up to a month and could be activated within a maximum of 2.5 hours after the decision is made to activate. Comparatively, alternative clearing solutions are being studied for the NICS, which does not appear to include a similar alternative third site.

34. Cyber risks have also emerged as a source of potential systemic risk. This could involve complex and high frequency attacks against numerous targets (including infiltration of non-substitutable and/or interconnected services), with the motive to disrupt, destabilize, and impact the functionality, availability, and accessibility of markets and/or data integrity.24 Recent incidents on payment card breaches and card fraud reported by the FSA in its RAV Report provide lessons on potential cyber risks for Norwegian FMIs, including the NBO and NICS.25 This could be managed in accordance with international standards and best practices (particularly Principles 2, 3, and 17 of the CPMI-IOSCO PFMIs), settlement finality, recovery time objective of 2 hours, and end-of-day settlement.26

35. Although operational risk appears to be well managed, the authorities could consider additional measures to ensure resiliency and strengthen business continuity. The mission recommends the following:

  • Report service availability. For the NICs, the reporting of service availability, in addition to error reporting, would help monitor, communicate, and compare its operational stability vis-à-vis other FMIs. The reporting of service availability could also cover private settlement bank that are subject to supervision and oversight as FMIs.

  • Establish clear recovery time objectives. For the NBO and NICS, recovery time objectives do not seem to appear in the business continuity plan although, in practice, back-up systems could commence processing immediately. Critical IT systems need to resume operations within two hours following disruptive events and ensure end of day settlement following disruptions, even in case of extreme circumstances. This should be applicable for other FMIs, particularly the VPS, which appears to have a recovery time objective of 4 hours;

  • Maintain alternative settlement arrangements. Although the planned introduction of a third site for the NBO would help mitigate operational risks, alternative settlement methods could be maintained, documented, and tested, if this does not in itself increase operational risk. This could include the use of manual paper based procedures to allow the processing of time-critical transactions in extreme circumstances. For the NICS, the assessment of alternative clearing solutions could include a feasibility study for a third site;

  • Insource IT application skills for the NBO. This is to ensure sufficient in-house skills within the Norges Bank that are readily available when needed;

  • Monitor critical service providers. Additionally, there should be robust arrangements for the selection and substitution of CSPs, timely access to all necessary information, and proper controls and monitoring tools. Authorities’ assessment results of CSPs against international standards could be used as the basis for contract renewal. The CSP should also develop a recovery plan in line with international guidance to ensure its financial soundness, and use of risk mitigation measures if needed, to ensure the smooth operations of the FMI.

  • Analyze risks in secondary sites. For the NBO and NICS, the location of secondary sites and their proximity to primary sites would also benefit from a comparative risk analysis. If necessary, secondary sites could be moved at a geographical distance that has a distinct risk profile from the primary sites.

B. Risk Management Framework

36. There is a well established risk management framework for the NBO. This framework was designed in line with the Regulation on Internal Control and Risk Management at Norges Bank and internal rules issued by the Executive Board and the Governor. The Executive Board adopted the revised Principles for Risk Management in compliance with the Ministry of Finance’s Regulation on Risk Management and Internal Control at Norges Bank in 2013. Risks are managed at four levels and are regularly reported to senior management.27 There is a comprehensive analysis of risks analysis, encompassing the following: (i) failures in hardware, communications solutions or software; external attacks; disloyal personnel; and technical failures and lack of expertise associated with suppliers.

37. There is a lack of a comprehensive risk management framework for the NICS, which has been raised by the authorities and is being addressed. While the NICS Operations Office’s CSP has a robust risk management and information security framework, this was found to be absent for the former, which holds the license and has ultimate responsibility. The NICS Operations Office is currently in the process of establishing a comprehensive risk management framework. The mission agrees with Norges Bank’s assessment results, which recommends improvements in the observance of Principles 2 on Governance, Principle 3 on Comprehensive risk management framework, and Principle 17 on operational risk. The lack of dedicated and full-time employees in the NICS Operations Office, which currently relies on resources assigned on an ad hoc basis by Finance Norway, appears to have contributed to such shortcomings.

38. The mission recommends the following:

  • Strengthen the governance of the NICS. The governance structure needs greater transparency, including a description of the relationship between Finance Norway’s Payments and Infrastructure Committee, NICS Operations Office, and the CSP. The precise definition for independence should be specified and publicly disclosed, and exclude parties with significant business relationships with the FMI, cross-directorships, or controlling shareholdings. A risk committee should be established with clear reporting lines;

  • Establish a comprehensive risk management framework for the NICS. This should be independent from the CSP’s risk management framework, and establish the role and responsibilities of the NICS Operations Office under Finance Norway, which is a federation and not a regular company. The framework should include a general business risk assessment from the failure of its CSP, which should be required to prepare a financial recovery and wind-down plan;

  • Promote greater transparency for the NBO and NICS. Both FMIs should complete regularly and disclose publicly responses to the CPMI-IOSCO Disclosure Framework for FMIs. At a minimum, the responses should be reviewed every two years to ensure continued accuracy and usefulness.

C. Critical Service Providers

39. The Norwegian payments system is largely dependent on CSPs, which are being assessed against new international standards. The use of CSPs has been partly driven by outsourcing to improve cost efficiency and to leverage on the larger pool of IT skills provided by third-party service providers. CSPs are mainly IT and messaging providers whose continuous and adequate activities are essential to the operations of an FMI, or in some cases, multiples FMIs.28 International experience suggests that FMIs may consider the SWIFT network, technology firms that operate infrastructures, regional utilities contracted for telecommunications or other infrastructural services, and market-wide data providers as CSPs.29 Authorities have already started to identify CSPs for the NBO and NICS. Assessments of CSP financial strength and risk management practices against the CPMI-IOSCO PFMI’s Annex F are planned for 2015.

40. The financial strength of CSPs needs to be ensured as competition in the outsourcing sector could lead to supplier or ownership changes, which can impact the operation of FMIs.30 Such changes may reveal financial losses or declining profit margins, shift business strategies, or lead to job and skill losses. The NBO and NICS are vulnerable to such changes and appear to have established sound change management practices to manage potential risks. Norges Bank, as NBO owner and operator, is capable of ensuring the continuity of operations as necessary in extreme financial circumstances, and is therefore, not subject to the requirement of preparing a financial recovery and wind down plan. However, Norges Bank’s CSP that operates NBO IT-related components should establish appropriate recovery and wind down plans. For the NICS, the NICS Operations Office does not have a recovery and wind down plan either due to the federation status of Finance Norway. However, a financial recovery and wind down plan for its CSP is included in the risk management framework for the NICS Operations Office. This framework also includes measures to monitor and manage the general business risk for its CSP. The use of service level agreements, monitoring of service suppliers, and setting of availability targets have helped mitigate operational risks.

41. There appears to be a high dependence on a single telecommunications provider, which should be addressed with alternative routing in contingency arrangements. This is to mitigate the risk of telecommunication facility failures from being a single point of failure. The operational reliability of telecommunications facilities is critically important for payment systems. Although the key methods for ensuring telecommunications continuity such as redundancy and recoverability appear to be included in existing arrangements in the NBO and NICS, the development of alternative routing methods would further strengthen operational resiliency. This is to ensure that there is no dependence on a single supplier, while telecommunication lines could be separated. Furthermore, contingency procedures and bilateral arrangements should be established for performing critical functions in the event of a total failure of the telecommunication networks. For example, while SWIFT serves as the main channel for the largest banks in Norway to submit payment orders to the NBO, there is an alternative route through NBO Online. This latter system is a web-based banking application that gives participating banks direct access to the NBO where they can register payment orders, manage payment orders held in queues, monitor account balances, access information on securities pledged to Norges Bank, and make enquiries. The feasibility of using NBO Online for contingency purposes could therefore be considered by Norges Bank.

42. The mission recommends the following:

  • Establish oversight expectations for CSPs of systemically important payment systems;

  • Identify, assess, and monitor CSPs. Assessments could be given assigned ratings, disclosed to the public, and used as a basis for renewing contracts with CSPs; and

  • Examine the use of NBO Online as part of contingency arrangements.

1

Prepared by Mr. Tanai Khiaonarong (MCM).

2

The Norges Bank’s Settlement System (NBO) is linked to the CLS system, a foreign multicurrency cash settlement system that supports 17 eligible currencies, including the Norwegian krone. The VPS has indirect links to Luxembourg-based Clearstream and Belgium-based Euroclear. The U.K. CCP LCH.Clearnet, German CCP European Commodity Clearing (ECC), Swedish CCP Nasdaq OMX Clearing AB, and Swiss CCP SIX x-clear have licenses to provide cross-border services in Norway. SIX x-clear Norwegian branch has links with LCH.Clearnet.

3

Formerly the Annual Report on Payment Systems until May 2014.

4

The assessor was Tanai Khiaonarong, Senior Financial Sector Expert from the IMF’s Monetary and Capital Markets Department.

5

See Norges Bank’s Financial Infrastructure Report and Annual Report on Payment Systems (http://www.norges-bank.no/en/Published/Publications/Financial-Infrastructure-Report/).

6

There were four private settlement banks at the end of 2013. Danske Bank and Skandinaviska Enskilda Banken are also settlement banks serving one bank each but are not considered FMIs.

7

“CLS” refers to the entire CLS organization which includes: (1) CLS Group Holdings, the group holding company incorporated under the laws of Switzerland and regulated by the Federal Reserve as a bank holding company in the United States; (2) CLS UK Intermediate Holdings, a limited company incorporated under the laws of England and Wales, a ‘shell’ company from a governance perspective providing corporate services (i.e., Finance, Human Resources, Audit and Communications) to CLS Bank and its affiliated companies; (3) CLS Bank, an Edge corporation organized under the laws of the United States and regulated by the Federal Reserve; and (4) CLS Services, a limited company incorporated under laws of England and Wales, which provides operational and back-office support to CLS Bank and its affiliated companies.

8

The US dollar, euro, pound sterling, Canadian dollar, Swiss franc, Hong Kong dollar, Australian dollar, New Zealand dollar, Mexican peso, Israeli shekel, Korean won, Singapore dollar, Japanese yen, South African rand, Danish krone, and Swedish krona.

9

Norwegian banks are also clearing members in foreign CCPs. This includes Eurex Clearing, EuroCCP, and ICE Clear Europe.

10

See Annual Report on Payment Systems 2012 (http://www.norges-bank.no/pages/94894/Annual_Report_2012.pdf).

11

See Watne, Kjetil (2012) A New Settlement System at Norges Bank, Norges Bank Economic Bulletin, Vol. 83, 4-13.

12

See Solheim, Jon A., and Helge Strømme (2004) Upgrading and Outsourcing Norges Bank’s Settlement System, Norges Bank Economic Bulletin, Q2.

13

At the EFTA and Economic and Financial Affairs Council meeting in Luxembourg on October 14, 2014, the EU and EEA reached an agreement on a proposal that makes it possible to implement EMIR and CSDR.

18

The role of the BFI has been described in Norges Bank and the FSA’s letter of December 16th, 2005 submitted to the Ministry of Finance on their cooperation in financial stability and crisis management. See http://www.norges-bank.no/en/Published/Submissions/2005/submission-2005-12-16html.

19

The Federal Reserve charters, regulates, and supervises CLS Bank. Under the Protocol for the Cooperative Oversight Arrangement of CLS of November 25th, 2008, the Federal Reserve has primary responsibility and coordinates the oversight of CLS. Other participating central banks whose eligible currencies are supported by CLS, including Norges Bank, designate a responsible senior official to the CLS Oversight Committee where meetings are chaired by the Federal Reserve. The protocol establishes the key elements governing the cooperative oversight, including the assessment of the overall system, approval of proposed new currencies, review of CLS proposals, oversight information, exchange of information, and procedures to achieve consensus. CLS published its PFMI disclosure framework on December 30th, 2014.

20

For example, see the European Central Bank’s Business Continuity Oversight Expectations for Systemically Important Payment Systems of June 2006, which was based on earlier international standards (http://www.ecb.europa.eu/press/pr/date/2006/html/pr060609.en.html).

21

See “Challenges for the Payment System”, Speech by Deputy Governor Jon Nicolaisen at Finance Norway’s payments conference, November 12th, 2014. (http://www.norges-bank.no/en/Published/Speeches/2014/12-november-Nicolaisen/).

23

For example, the Bank of England reported that technical issues relating to the routine maintenance of the RTGS payment system paused settlement on October 20, 2014. This prompted RTGS opening hours to be extended until 8 p.m. and use of manual procedures to process time critical payments by the end-of-day. See (http://www.bankofengland.co.uk/publications/Pages/news/2014/135.aspx).

24

See IOSCO (2013) Cyber-Crime, Securities Markets, ad Systemic Risk, July.

25

This involved credit card and/or contact data being compromised for Norwegian and foreign card users as a result of a concerted hacker attack.

26

See CPMI-IOSCO (2014) Cyber Resilience in Financial Market Infrastructures, November (http://www.bis.org/cpmi/publ/d122.htm).

27

This includes the following: (i) operational units, including the Interbank Settlement and IT Units under the Markets and Banking Services Department, conduct daily risk analysis and mitigation measures, with directors reporting to the executive director; (ii) executive directors who are responsible for risks under their areas, establish risk indicators, and report progress through the Risk Management Unit to the Governor on a quarterly basis and to the Executive Board twice a year; (iii) the Risk Management Unit is responsible for Norges Bank’s overall risk assessment and informs the Governor. Additionally, the Compliance Unit ensures that the risk of complying with laws, regulations and internal rules is reduced; and (iv) Internal Audit, on behalf of the Executive Board, ensures effective internal controls.

28

Unless otherwise indicated by the relevant authorities, activities not directly related to essential operations of the FMI and utilities (such as basic telecommunication services, water, electricity and gas) are out of scope when identifying CSPs.

30

For the NBO, Norges Bank signed an agreement for IT services with ErgoGroup AS in 2003, which was later merged with EDB Business Partner to form EVRY in March 2012. EVRY is currently under possible ownership changes. Norway Post and Telenor are majority shareholders of EVRY. As of August 2014, EVRY publicly announced its intention to seek strategic opportunities, which could include the sale of the company. For the NICS, Nets Holding A/S, which is a Danish holding company, was bought by a consortium consisting of the private equity firms Advent International and Bain Capital, and the Danish pension fund ATP in 2014. Nets Holding A/S was previously owned by Nordic banks and Denmark’s central bank. Nets Holding A/S wholly owns Nets Norway AS, which includes Nets Norge Infrastruktur AS that performs the technical operations of NICS.