Bank Negara Malaysia: Framework for Electronic Trading Platforms

Transcription

1. Framework for Electronic Trading Platforms Applicable to the following market participants in the wholesale financial markets : 1. Approved money brokers operating electronic broking platforms 2. Operators of electronic trading platforms Issued on: 08 November 2019 BNM/RH/PD 032-19
2. Framework for Electronic Trading Platforms Page 2 of 13 TABLE OF CONTENTS PART A OVERVIEW ............................................................................................... 3 1 Introduction................................................................................................ 3 2 Applicability ............................................................................................... 4 3 Legal provisions ........................................................................................ 4 4 Effective date............................................................................................. 4 5 Interpretation ............................................................................................. 4 6 Related legal instruments and policy documents ...................................... 5 7 Policy documents and circulars superseded ............................................. 5 PART B POLICY REQUIREMENTS ........................................................................ 6 8 Approval requirements .............................................................................. 6 9 Scope of activities ..................................................................................... 8 PART C OPERATIONAL REQUIREMENTS ........................................................... 9 10 Due diligence………………………………………………………………..…..9 11 Onboarding and pre-disclosures requirements.......................................... 9 12 IT security and protection .......................................................................... 9 13 Record keeping ....................................................................................... 10 14 Cloud services ......................................................................................... 10 15 Business continuity plan .......................................................................... 11 16 System testing ......................................................................................... 11 PART D GOVERNANCE ....................................................................................... 12 17 Role and responsibilities of the Board of Directors .................................. 12 18 Role and responsibilities of the Management .......................................... 12 PART E REPORTING REQUIREMENTS ............................................................. 13 19 Monitoring and surveillance ..................................................................... 13 Issued on: 08 November 2019
3. Framework for Electronic Trading Platforms PART A Page 3 of 13 OVERVIEW 1 Introduction 1 .1 In recent years, the use of technology in wholesale financial markets globally has increased in prominence and contributed towards promoting greater efficiency and transparency in the intermediation and price discovery process. 1.2 Automated systems are often location neutral, and its facilities allow for crossborder, multilateral transactions. A centralised trading venue has also been observed to increase connectivity with the potential to generate large economies of scale. The design of automated systems often varies and evolves at a rapid pace, allowing for wider outreach among wholesale market participants. 1.3 The proliferation of operators of automated systems of electronic trading platforms offering innovative solutions underscores the need to ensure sound and robust risk management processes, to address the various dimensions of risk that can occur on an ex-post basis. This in turn calls for clear standards of integrity that needs to be met by the service providers. 1.4 Against the backdrop of increased electronification within the wholesale financial markets and in order to maintain orderly conditions in, and integrity of the financial market, operators of electronic trading platforms must have the requisite operational and governance capacity to offer their services to Malaysian onshore market participants. Under the Code of Conduct for Malaysia Wholesale Financial Markets, market participants in the money and foreign exchange markets are allowed to offer such services only upon being duly approved by the Bank. 1.5 This policy document sets out the approval requirements for platform operators to be eligible to provide their services on electronic trading platforms in the wholesale financial markets in Malaysia and the internal control requirements applicable to approved platform operators to safeguard the system integrity and data confidentiality of such platforms. In addition, this policy document imposes requirements for approved platform operators to put in place and maintain appropriate internal governance policies and procedures in providing their services. 1.6 For avoidance of doubt, section 141 of the Financial Services Act 2013 (FSA) and section 153 of the Islamic Financial Services Act 2013 (IFSA) on prohibited conduct in the money and foreign exchange markets are applicable to approved platform operators under this policy document. Issued on: 08 November 2019
4. Framework for Electronic Trading Platforms Page 4 of 13 2 Applicability 2 .1 This policy document is applicable to approved platform operators as defined in paragraph 5.2. 2.2 This policy document will not apply to – (a) an operator of a recognised market registered, or a stock market of an approved stock exchange, under the Capital Markets and Services Act 2007 (CMSA) which offers facilities that enable the trading of financial instruments other than in the money market or foreign exchange market; (b) a stock market operated by overseas stock exchange which is under the regulatory or supervisory oversight of the relevant authority, or any facility offered by such stock exchange; or (c) a proprietary single-bank platform offered solely for bilateral transactions undertaken with the bank for financial instruments in the money market or foreign exchange market. 3 Legal provisions 3.1 The requirements in this policy document are specified pursuant to sections 140 and 143 of the FSA, and sections 152 and 155 of the IFSA. 3.2 The guidance in this policy document is issued pursuant to section 266 of the FSA and section 277 of the IFSA. 4 Effective date 4.1 This policy document comes into effect on 11 November 2019. 5 Interpretation 5.1 The terms and expressions used in this policy document shall have the same meanings assigned to them in the FSA and IFSA, unless otherwise defined in this policy document. 5.2 For the purpose of this policy document – “S” denotes a standard, obligation, requirement, specification, direction, condition and any interpretative, supplemental and transitional provisions that must be complied with. Non-compliance may result in enforcement action; “G” denotes guidance which may consist of such information, advice or recommendation intended to promote common understanding and sound industry practices which are encouraged to be adopted; “approved platform operators” means a market participant approved by the Bank under paragraph 8.4 to operate an electronic trading platform in the wholesale financial market; Issued on: 08 November 2019
5. Framework for Electronic Trading Platforms Page 5 of 13 “electronic broking platform” means any facility, system, trading venue, marketplace or organisation which, by electronic means, brings together market participants to conclude buying and selling of financial instruments in the money market or foreign exchange market based on established methods or standard market conventions, and brokerage fee is paid as a consideration for the conclusion of trade; “electronic trading platform” means any facility, system, trading venue, marketplace or organisation which, by electronic means, brings together market participants to negotiate, conclude or execute buying and selling of financial instruments in the money market or foreign exchange market based on established methods or standard market conventions, and includes an electronic broking platform; “platform operators” refers to– (a) approved money brokers which operate electronic broking platforms; and (b) other market participants which operate electronic trading platforms, whether or not any form of remuneration, fee, commission or subscription is chargeable; “Management” refers to the Chief Executive Officer (CEO) and senior officers of the approved platform operators; “users” in relation to an electronic trading platform, means market participants utilising the services offered by an approved platform operator. 6 6.1 Related legal instruments and policy documents This policy document must be read together 1 with other relevant legal instruments and policy documents that have been issued by the Bank, in particular – (a) Policy Document on the Code of Conduct for Malaysia Wholesale Financial Markets issued on 13 April 2017; and (b) Policy Document on Fit and Proper Criteria for Approved Person issued on 24 December 2018.2 7 Policy documents and circulars superseded 7.1 This policy document supersedes the Guidelines on Electronic Broking System by Licensed Money Brokers issued on 1 August 2005. 1 For the purpose of managing technology risk, platform operators are also encouraged to be familiarised with the Policy Document on Risk Management in Technology issued on 18 July 2019. 2 This is only applicable to approved money brokers which operate electronic broking platforms. Issued on: 08 November 2019
6. Framework for Electronic Trading Platforms PART B Page 6 of 13 POLICY REQUIREMENTS 8 Approval requirements S 8 .1 A market participant who intends to operate an electronic trading platform must obtain the Bank’s prior written approval. G 8.2 Prior to submitting an application for the purpose of paragraph 8.1, an applicant may submit any enquiries on the applicable approval process and prudential requirements to Jabatan Operasi Pelaburan & Pasaran Kewangan via e-mail at fmd@bnm.gov.my. S 8.3 An application for approval under paragraph 8.1 must be submitted in writing to the Bank together with the following documents or information: (a) details of the applicant, the type of the electronic trading platform, including the main characteristics, features, functionalities and capabilities of such platform and its modus operandi; (b) details of the applicant’s Board of Directors (the Board), Management and business structure; (c) personal particulars of the applicant’s chairman, directors and CEO; (d) a statutory declaration by each of the directors including the chairman declaring that they meet the fit and proper criteria; (e) a statutory declaration by the CEO declaring that the CEO meets the fit and proper criteria3; (f) a copy of the applicant’s latest audited financial statements; (g) details of the internal verification and due diligence conducted for the purpose of paragraph 8.8(a); (h) an independent external audit report on the electronic trading platform made for the purpose of paragraph 8.8(b); (i) a feasible business plan; (j) if applicable, cloud services to be used by the applicant and details of the cloud services provider’s or the applicant’s data centre infrastructure, including compliance with any relevant international standards; and (k) any other information as may be required by the Bank. S 8.4 Upon making an assessment of the application submitted under paragraph 8.1(a) the Bank may approve such application for a period of three (3) years or such other period as specified by the Bank, with or without conditions or reject the application; and (b) the Bank will notify the applicant of its decision in writing under paragraph 8.4(a). 3 For purposes of paragraphs 8.3(d) and (e), applicants may refer to the Policy Document on Fit and Proper Criteria for Approved Person issued by the Bank on 24 December 2018, or fit and proper criteria applied by the relevant financial regulatory authority in the applicant’s domicile. In the case of approved money brokers, reference must be made to the Policy Document on Fit and Proper Criteria for Approved Person. Issued on: 08 November 2019
7. Framework for Electronic Trading Platforms S 8 .5 Page 7 of 13 Where the Bank approves an application under paragraph 8.4, the approved platform operator shall commence its operations within a period as may be specified by the Bank in the approval letter. Renewal of approval S 8.6 An application for a renewal of the approval granted under paragraph 8.4 shall be submitted to the Bank in writing at least ninety (90) days before the expiry of the approval period. S 8.7 Upon making an assessment of the application for renewal submitted under paragraph 8.6 – (a) the Bank may approve such application for a period of three (3) years or such other period as specified by the Bank, with or without conditions or reject the application; and (b) the Bank will notify the applicant of its decision in writing under paragraph 8.7(a). Independent Audit Review S 8.8 Prior to submitting an application under paragraph 8.1, the applicant is required to ensure that – (a) a competent and operationally independent internal audit team has verified the effectiveness of the procedures and controls for the operations of the electronic trading platform; and (b) an independent external auditor has conducted due diligence on the electronic trading platform to ensure that the operational and governance requirements under Part C and D of this policy document have been met. S 8.9 An approved platform operator must submit to the Bank a report on a postimplementation review, conducted by an independent internal 4 or external auditor within six (6) months from the date of the effective implementation of the electronic trading platform. The approved platform operator must consult the Bank on the scope of post-implementation review. 4 This is subject to the Board’s approval. Issued on: 08 November 2019
8. Framework for Electronic Trading Platforms Page 8 of 13 9 Scope of activities G 9 .1 Subject to paragraph 9.2, an approved platform operator may offer ancillary services or functionalities in addition to the scope of services or functionalities under the electronic trading platform approved by the Bank pursuant to paragraph 8.4. S 9.2 Where an approved platform operator intends to offer additional services or functionalities under paragraph 9.1, it shall notify the Bank in writing prior to offering such additional services or functionalities.5 S 9.3 An approved platform operator shall identify and manage any actual and potential conflict of interest situation arising from its services. For such purpose, the approved platform operator shall not act in the capacity of a principal6 and undertake any transaction with, or on behalf of a user of its platform as an agent. 5 Where relevant, all related activities in addition to those approved under this policy should also be guided by the requirements under the Policy Document on Outsourcing issued on 28 December 2018 and any other applicable regulatory requirements issued by the Bank. 6 “Principal” refers to a market participant who transacts for its own account and not acting as an agent. Issued on: 08 November 2019
9. Framework for Electronic Trading Platforms PART C 10 Page 9 of 13 OPERATIONAL REQUIREMENTS Due Diligence S 10 .1 An approved platform operator must establish and implement effective policies on due diligence on prospective users prior to their onboarding. S 10.2 An approved platform operator must perform adequate due diligence on each application by a market participant to become a user of the electronic trading platform and ensure that such market participant fulfils all requirements to be eligible to access such platform. S 10.3 Prior to onboarding, an approved platform operator must notify prospective users, particularly those that are non-financial institutions or new to accessing or using electronic trading platforms, the relevant obligations and prevailing rules and regulations7, trading conventions and relevant requirements within the Malaysian wholesale financial markets. 11 Onboarding and pre-disclosures requirements S 11.1 An approved platform operator must establish, maintain and publish proper rules, criteria and procedures for usage of its electronic trading platform. S 11.2 To promote legitimate access and safeguard the integrity of the systems of the electronic trading platform, the set of rules, criteria and procedures referred to in paragraph 11.1 must contribute towards fair, orderly and transparent use of the electronic trading platform and at minimum, must include the following – (a) (b) (c) (d) (e) (f) transparent criteria for determining financial instruments that can be traded on the platforms; non-discriminatory rules for determining access to the platforms; rules to ensure fair and orderly trading on the platforms; rules to facilitate efficient settlement of transactions concluded through the platforms; business continuity plan in the event of system disruptions and for the handling of trading errors; and mechanisms for resolution of trade disputes. 12 IT security and protection S 12.1 An approved platform operator must establish and implement information technology (IT) security and protection policies for the operations of the electronic trading platform. S 12.2 Such policies must form part of the approved platform operator’s standard operating procedures, which outline the technical, logical and administrative 7 This includes all relevant foreign exchange administration rules issued by the Bank. Issued on: 08 November 2019
10. Framework for Electronic Trading Platforms Page 10 of 13 controls with regard to system protection . These procedures must be robust, comprehensive and subject to regular review by the Management and Board of the approved platform operator. S 12.3 To ensure confidentiality, integrity and availability of electronic trading platforms, an approved platform operator must establish an effective access control policy and relevant restrictions to manage the risk of unauthorised access to the electronic trading platform. For example, the use of encryption and other security controls can be utilised to achieve IT security and protection objectives. S 12.4 Approved platform operators engaging in other business segments (e.g. news portal) must establish effective controls to prevent unauthorised leakage of information which may lead to abuse of data. S 12.5 Approved platform operators must not use or disclose users’ data for purposes other than as agreed with its user (e.g. commoditisation of data) unless prior consent has been obtained. 13 Record keeping 13.1 An approved platform operator must establish and implement policies and procedures for record keeping which at minimum must include the following – (a) data and transaction details executed on the electronic trading platform; and (b) details of trade dispute and their resolution. S 1 13.2 The records must contain reasonable level of granularity and details and must be kept up to a period of seven (7) years and shall be made available to the Bank for monitoring purposes at all times. S 14 Cloud services G 14.1 Cloud storage is a cloud computing model in which data is stored on remote servers accessible from the internet. Cloud storage provides users with virtual storage architecture that is scalable according to their requirements. S 14.2 In the event that an approved platform operator intends to use8 cloud services to warehouse its data, it shall conduct a risk assessment prior to using cloud services which must include consideration of how risks associated with cloud usage (e.g. contagion, concentration, business continuity, cyber security, data accessibility risks) can be effectively managed. Platform operators should make reference to the requirements on “Cloud Services” under Policy Document on Risk Management in Technology issued on 18 July 2019. 8 Issued on: 08 November 2019
11. Framework for Electronic Trading Platforms Page 11 of 13 15 Business continuity plan S 15 .1 Business continuity is important as it reflects the ability of an approved platform operator to maintain essential functions during and after disaster recovery. An approved platform operator must establish and implement business continuity arrangements in relation to its electronic trading platform to address disruptive incidents, including but not limited to system failures. S 15.2 An approved platform operator must ensure the timely resumption of operations of the electronic trading platform and for this purpose, the business continuity arrangements shall cover, at minimum the following – (a) governance for the development and deployment of the arrangements; (b) consideration of an adequate range of possible scenarios related to the operations of the electronic trading platform which require specific continuity arrangements; (c) the backing up of critical business data (including compliance) that flows through the electronic trading platform; (d) the procedures for moving to, and operating the electronic trading platform from a back-up site; (e) staff training on the operations of the arrangements and individuals’ roles and responsibilities in such arrangements; and (f) an on-going programme for the testing, evaluation and review of the arrangements including procedures for undertaking improvements to the arrangements from time to time. 16 System testing S 16.1 An approved platform operator must carry out and complete a thorough testing of system functionalities and capabilities of the electronic trading platform prior to deployment. This must provide for clearly delineated development and testing methodologies such as unit testing, integration testing, user acceptance testing, application security testing, stress and regression testing, exception and negativity testing. S 16.2 An approved platform operator must conduct periodic capacity testing of critical systems to safeguard and determine the system’s ability to process transactions with the ability to handle any spikes in trading volumes in an accurate, robust, and timely manner. Reports on the relevant system testing methodologies, properties and test results must be retained for record and audit purposes. S 16.3 An approved platform operator must ensure that compliance and risk management controls are embedded in the systems (including controls to generate error reports automatically) of the electronic trading platform and that such systems can continue to work effectively under stressed market conditions. Issued on: 08 November 2019
12. Framework for Electronic Trading Platforms S 16 .4 In the event of any service disruption, an approved platform operator shall inform the Bank of such incident immediately and provide updates following the incident, including the relevant remedial and resolution actions. Such notification and updates are to be provided to Jabatan Operasi Pelaburan & Pasaran Kewangan via e-mail at fmd@bnm.gov.my. PART D 17 Page 12 of 13 GOVERNANCE Roles and Responsibilities of the Board of Directors S 17.1 The Board of an approved platform operator is required to establish and oversee the effective implementation of policies and procedures relating to the operations of an electronic trading platform as part of its business. This shall include policies on the management of conflicts of interest in accordance with paragraph 9.3. S 17.2 In relation to paragraph 17.1, the Board is responsible – (a) to ensure that Management has systems and processes in place to monitor and enforce compliance with the policies and procedures approved by the Board; (b) to review and update such policies and procedures on a periodic basis; (c) to ensure that the operations of the electronic trading platform are consistent with the strategies, resources and management expertise of the approved platform operator; (d) to ensure that it is adequately informed and updated by Management on the risk exposures arising from the development and operations of the electronic trading platform; (e) to monitor appropriate risk mitigations to address such risk exposures as updated by the Management under paragraph (d); and (f) to ensure that the approved platform operator complies with, or services which it offers are in accordance with, all relevant rules and regulations9 at all times in relation to the operations of the electronic trading platform. 18 S Roles and Responsibilities of the Management 18.1 The Management of an approved platform operator is responsible to effectively implement the policies and procedures established by the Board by ensuring that – (a) adequate operational policies, procedures and effective internal controls are in place for day-to-day operations of the electronic trading platform; (b) adequate resources and competencies are available to carry out the daily operations of the approved platform operator effectively; 9 This includes all relevant foreign exchange administration rules issued by the Bank. Issued on: 08 November 2019
13. Framework for Electronic Trading Platforms (c) (d) (e) (f) (g) PART E Page 13 of 13 clear lines of responsibility and accountability for managing the operations of the electronic trading platform are established; comprehensive reporting structure and processes for the Management are in place; rules in relation to the operations of the electronic trading platform are established, in particular rules made pursuant to paragraph 11.2, and are monitored and implemented on an ongoing basis; the Board is updated on risk exposures arising from the development and operations of the electronic trading platform; and a set of comprehensive business rules to govern the operations of the electronic trading platform is established and implemented. REPORTING REQUIREMENTS 19 Monitoring and surveillance G 19.1 Approved platform operators are encouraged to monitor the intraday trading activities on their electronic trading platforms (e.g. capacity utilisation) and inform the Bank of any irregularities or suspicions of irregularities in trading patterns, if any. S 19.2 An approved platform operator is required to submit to the Bank the following information: (a) a complete list of its onshore users, both banking and non-banking institutions at the end of each calendar quarter which shall include details as specified by the Bank; and (b) any other information, in particular statistical and transactional information concluded on and relating to the electronic trading platform as may be required by the Bank from time to time. S 19.3 An approved platform operator shall submit the information required under paragraph 19.2 (a) to the Bank within ten (10) business days from the date of which the submission is required. G 19.4 Information under paragraphs 19.1 to 19.3 is to be provided to Jabatan Operasi Pelaburan & Pasaran Kewangan via e-mail at fmd@bnm.gov.my. G 19.5 Approved platform operators may facilitate its users’ compliance with applicable reporting requirements by relevant authorities by introducing or inserting user features and functionalities (e.g. purpose fields) on the electronic trading platform. Issued on: 08 November 2019