FMA proposes standard condition to enhance operational and cyber resilience

"The financial services sector is facing increasing technological risks," says FMA executive

The Financial Markets Authority (FMA) - Te Mana Tātai Hokohoko - has taken a step towards improving the operational and cyber resilience of certain financial market license holders.

In a move to enhance business continuity and technology systems, the FMA released a consultation document, presenting its proposal for a new standard condition.

Recognising the crucial role of operationally resilient businesses in maintaining the integrity and availability of New Zealand's financial markets, the FMA is aiming to ensure that market service providers are well-prepared to address business continuity and cyber risks. This approach not only supports the smooth functioning of financial markets but also instils confidence in consumers, assuring them that their information and investments are adequately protected.

The consultation primarily concerns the following types of market service licenses:

  • Managers of registered schemes (excluding restricted schemes)
  • Providers of discretionary investment management services
  • Derivatives issuers
  • Prescribed intermediary services (including peer-to-peer lending providers and crowdfunding service providers)

Under the proposed standard condition, licensees will be required to develop and maintain a business continuity plan appropriate to the scale and scope of their services. This plan ensures that their critical technology systems possess operational resilience.

If a licensee experiences an event that significantly impacts its service delivery, it must notify the FMA promptly, and no later than 72 hours after the occurrence.

The 72-hour timeframe acknowledges the heavy reliance on technology by relevant license holders and the potential harm to consumers and investors during disruptions. It also underscores the vital role of technology in maintaining efficient financial markets.

The FMA had previously identified deficiencies in cyber resilience and operational systems among the entities it licenses, including inadequate technology investment and the use of outdated or unsupported systems.

This proposal aligns with the FMA's prior introduction of a Business Continuity Plan (BCP) and technology resilience standard condition for Financial Advice Providers in 2020. Furthermore, it is in line with the Conduct of Financial Institutions regime, which will come into effect in 2025. The consultation period extends until 1 September.

“The financial services sector is facing increasing technological risks that make it necessary for licensees to meet minimum business continuity and technology standards,” said Paul Gregory, FMA executive director of response and enforcement. “This proposal continues the FMA’s roll-out of this standard condition across licence types, to reflect the importance of ensuring licence holders can continuously provide their market services. By doing so, consumers and investors can have confidence they can access their services and products, when and how they want or need to.”