2024 Assessment of the Reserve Bank Information and Transfer System

2. Ratings and Recommendations

2.1 Introduction

RITS is Australia’s high-value payments system – it is used by banks and other approved institutions to settle their payment obligations on a real-time gross settlement (RTGS) basis. RITS also includes the FSS, which settles transactions submitted via the NPP feeder system on an RTGS basis. The FSS was designed to quickly settle individual transactions, including payments made by consumers and businesses, 24 hours per day and 7 days a week. Because RITS is used to process time-critical, high-value payments and provides settlement services for systemically important financial market infrastructures (FMIs), it is classified as a systemically important payment system (SIPS).

The RBA is both operator and overseer of RITS. RITS is owned and operated by the Reserve Bank. It falls under the governance structure of the RBA’s Executive and is subject to its general oversight, decision-making and audit processes. Payments Settlements Department has operational responsibility for RITS.

The RBA seeks to ensure effective oversight of RITS by separating its operational and oversight functions, and by producing transparent assessments against the PFMI. The RBA’s Payments Policy Department – the functional area responsible for oversight of the Australian payments system – has carried out this assessment. The Payments System Board has primary responsibility for approving periodic assessments of RITS.

A key element of the Payments System Board’s responsibility for the safety and stability of payment systems in Australia is the supervision or oversight of any SIPS. The Payments System Board’s policy (the Policy) is that all SIPS are expected to observe the PFMI issued by CPMI-IOSCO.[2] The Policy requires the RBA to undertake a detailed assessment, including ratings of how well the SIPS observed each of the principles set out in the PFMI, every two years.

This assessment evaluates RITS in detail against the PFMI as at 31 March 2024. It provides an update of progress since the last detailed Assessment (published in June 2022) and the targeted ‘deep dive’ assessment (published in June 2023).[3] The focus of this assessment is on the critical services provided by the RBA as operator of RITS, in particular the provision of wholesale RTGS settlement services, as it is this role that makes RITS a SIPS. The assessment also includes the provision of the FSS. Where arrangements for the FSS differ, these have been noted.

2.2 2024 Ratings on observance of the PFMI

As at end March 2024, RITS was found to observe all relevant Principles except: Principle 2 (Governance), which it broadly observed; Principle 3 (Framework for the comprehensive management of risks), which it partly observed; and Principle 17 (Operational risk), which it partly observed (Table 1).

Table 1: Ratings of Observance of the Principles(a)

| Principle | Rating |
|---|---|
| 1. Legal basis | Observed |
| 2. Governance | Broadly Observed |
| 3. Framework for the comprehensive management of risks | Partly Observed |
| 4. Credit risk | Observed |
| 5. Collateral | Observed |
| 7. Liquidity risk | Observed |
| 8. Settlement finality | Observed |
| 9. Money settlements | Observed |
| 12. Exchange-of-value settlement systems | Not applicable |
| 13. Participant-default rules and procedures | Observed |
| 15. General business risk | Observed |
| 16. Custody and investment risks | Observed |
| 17. Operational risk | Partly Observed |
| 18. Access and participation requirements | Observed |
| 19. Tiered participation requirements | Observed |
| 21. Efficiency and effectiveness | Observed |
| 22. Communication procedures and standards | Observed |
| 23. Disclosure of rules, key procedures, and market data | Observed |

(a) Principles 6, 10, 11, 14, 20 and 24 are not relevant for payment systems.

2.3 Recommendations

2.3.1 2023/2022 recommendations – Status

Table 2: Progress against Recommendations (Year to March 2024)

| Date/Item (Principles) | Recommendation | Status |
|---|---|---|
| 2023/1 (P2, P17) | Implement a formally documented RITS operating model including a detailed service level agreement, IT service catalogue and resource management. | Commenced. Preparations for a best practice operating model for RITS have commenced. |
| 2023/2 (P17) | Develop and execute a detailed plan (including accountabilities and timeframes) to address identified operational gaps, including business continuity management, service provider management and operational risk management. | Commenced. Work to uplift the risk management framework has commenced. |
| 2023/3 (P3, P17) | Develop and execute a detailed plan (including accountabilities and timeframes) to address identified gaps in the RITS risk management framework, policies and procedures. | Commenced. Work to uplift the risk management framework has commenced. Chief Risk Officer role has been added to key management committees. |
| 2023/4 (P2, P3, P17) | The senior executive accountable for risk should be responsible for implementing and embedding the risk management framework for RITS, including an effective 3 Lines of Accountability model for RITS. | Commenced. Work to design target state 3 Lines of Accountability model has commenced. |
| 2023/5 (P3, P17) | Develop and execute a detailed plan (including accountabilities and timeframes) to address the identified gaps in RITS technology documentation, technology controls and processes to reduce design complexity. Emphasis should be on ensuring RITS has an efficient set of controls that are aligned to processes, risk objectives and are a more effective balance of automated and manual controls. | Commenced. Work underway with detailed planning significantly progressed. |
| 2023/6 (P17) | Identify, plan for and document a range of severe but plausible disruption scenarios that may impact the RITS ecosystem. This also requires an uplift to operational resilience documentation. | Commenced. Documentation of business continuity scenarios completed. Further work planned for 2024. |
| 2023/7 (P2) | The relevant Departments, Steering Committee and the senior executive accountable for risk should each promptly escalate serious issues of concern relating to the resilience and stability of RITS to the RBA’s Executive Committee. Additionally, a horizon scan for emerging or possible challenges to the resilience of RITS should be a standing agenda item in periodic strategic updates by relevant Departments to the Executive Committee. | Commenced. Reporting of RITS issues through governance channels ongoing. Consideration of emerging risks has occurred. |
| 2023/8 (P2, P3) | The Risk Management Committee, Investment Committee and Technology Committee should update their governance and reporting arrangements to ensure that the committees have mechanisms in place to facilitate timely, accurate and transparent provision of information on RITS-related risks, including to other committees. | Commenced. Work to review risk management and governance arrangements is underway. |
| 2022/1 (P17) | The RBA should complete the program of work to implement revised metrics to measure the operational resilience and stability of IT systems supporting RITS. | Pending. Core set of metrics in use. Work to develop full set of metrics is pending due to dependencies on overall uplift program. |

2.3.2 2024 observations and recommendations

In May 2023, the RBA committed to implementing all the recommendations set out in Table 2. Specifically, the RBA announced plans to:

  • formalise the RITS operating model to ensure responsibilities are well articulated, investments are appropriately targeted, and resilience is enhanced.
  • strengthen the risk management framework, with a focus on improving accountability for assurance activities.
  • uplift processes supporting the RITS ecosystem including better use of automation and more effective change management practices.
  • further develop frameworks to encourage feedback and constructive challenge in the areas supporting RITS, consistent with broader Bank initiatives.

The RBA recognised that this would entail a large, complex, multi-year program of work. The focus of the RBA’s efforts over the review period has been the development of a detailed implementation plan. Details of progress are noted in Section 3, Material Developments. Table 2 above highlights that this work is still in its early stages.

RBA staff are highly engaged in the overall uplift program, to implement the recommendations and to produce sustainable, long-term improvements. However, the breadth and pace of change puts pressure on the organisation and its people. The development of the 3 Lines of Accountability (3LoA) model will clarify roles and responsibilities and improve the effectiveness of second-line risk management for RITS operations. This is an area where some degree of uncertainty was observed during the assessment.

Consistent with the findings of the 2023 Targeted Assessment, this 2024 assessment concludes that many aspects of the governance, risk management and approach to managing operational risk for RITS are working well. However, the 2023 assessment, informed by the external reviews, identified several opportunities to augment the governance, risk management and operational risk arrangements supporting the operation of RITS. Until the change program has delivered key benefits, issues identified in the 2023 Targeted Assessment remain.

Progress against the recommendations will be reported to the Payments System Board on a regular basis. The Payments System Board expects the Bank to make material progress, ensuring that key improvements have been delivered and are sufficiently embedded ahead of the March 2026 Assessment.

Conclusion. To fully observe Principles 2, 3 and 17 of the PFMI, the program of work established following the RBA’s 2022 technology outage should be progressed and intended outcomes delivered. Therefore, the recommendations set out in Table 2 will remain current and progress against these recommendations will be reassessed in the March 2026 Assessment.

2.3.3 2024 areas of oversight focus

Payments Policy Department has identified three areas of potential heightened risk for RITS over the coming years. These will be monitored as areas of oversight focus.

FSS readiness for BECS migration

Industry has announced plans to decommission BECS by June 2030. BECS facilitates payments in batches, which are settled in RITS on a deferred and netted basis. The NPP is deemed to be the receiver system for the vast majority of BECS transactions, which are individually settled (i.e. on a gross basis) in the FSS. There is currently a much lower volume of payments being made on the NPP compared to BECS. For the FSS to adequately settle a much larger volume of transactions on a 24/7, real-time basis, heightened requirements for scalability and operational resilience will need to be met. Monitoring the RBA’s preparations for the FSS to support the BECS migration will provide insights into the BECS risk assessment, which will be performed by Payments Policy Department as part of the oversight of BECS as a prominent payment system.

Area of oversight focus. Payments Policy Department will monitor the planning and preparation activities undertaken by the RBA to ensure that the FSS has capacity to adequately meet requirements as BECS transactions migrate to the NPP.

Management of change

The RBA is navigating a period of significant strategic, operational and cultural change. The current change program includes several RITS-specific programs and projects, as well as Bank-wide programs with significant implications for RITS and its operating environment. The quantity and pace of change have increased observably relative to prior periods. Successful implementation of these programs is intended to reduce risk in the long term. However, in the near term, the current volume and breadth of planned uplift, across multiple multi-year programs, has the potential to heighten risks for the operations of RITS.

Area of oversight focus. Payments Policy Department will monitor the impact and management of emerging risks associated with multiple long-term, inflight change programs, including initiatives to prioritise, coordinate, and manage resources across multiple, interrelated projects.

Cyber threat landscape

Cyber threats represent a significant risk to the reliable and efficient operation of FMIs, including RITS. Cyber events have the potential to disrupt and undermine confidence in the payment system and could lead to broader instability in the financial system and substantial disruption to economic activity.

Area of oversight focus. Payments Policy Department will continue to monitor developments designed to ensure that RITS remains resilient in the face of evolving cyber-security threats. This includes assessing progress in enhancing RITS cyber defences and its ability to recover from cyber-attacks in a timely manner.