THE GOVERNING COUNCIL OF THE EUROPEAN CENTRAL BANK,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 127(2) thereof,

Having regard to the Statute of the European System of Central Banks and of the European Central Bank, and in particular Article 3.1, Article 22 and the first indent of Article 34.1 thereof,

Whereas:

(1) The Committee on Payment and Settlement Systems (CPSS) of the Bank for International Settlements and the Technical Committee of the International Organization of Securities Commissions (IOSCO) published the Principles for financial market infrastructures in April 2012(1). The Committee on Payments and Market Infrastructures (CPMI), the successor of the CPSS, and IOSCO subsequently published guidance on these principles. The European Central Bank (ECB) has decided to implement the CPMI-IOSCO principles and subsequent guidance insofar as they apply to systemically important payment systems (SIPS) by means of Regulation (EU) No 795/2014 of the European Central Bank (ECB/2014/28)(2).

(2) The Governing Council has reviewed the general application of Regulation (EU) No 795/2014 (ECB/2014/28), pursuant to Article 24 thereof. That review took account of the findings of the first comprehensive assessment of SIPS. The assessment found that certain matters required improvement or clarification and, in a few cases, a need for more substantial amendments seeking to ensure the application of the highest oversight standards.

(3) For the purposes of this Regulation, payment institutions and e-money institutions that have access to SIPS via direct participants, pursuant to Article 35(2) of Directive (EU) 2015/2366 of the European Parliament and of the Council(3), should be treated as indirect participants.

(4) To ensure effective risk mitigation, it is important to maintain a clear separation between operational, risk management and internal audit functions, including through mandating the carrying out of these functions by different persons. Furthermore, for non-Eurosystem SIPS operators, it should be ensured, subject to national law, that there is an independent member on their Board to enhance its effectiveness. As the Eurosystem has public policy objectives and responsibilities and an institutional set-up defined in the Treaty and the Statute of the European System of Central Banks and of the European Central Bank, Eurosystem SIPS operators should be granted an exemption from this requirement.

(5) Furthermore, the Governing Council identified a need to provide further clarity on the responsibilities of a SIPS operator's Board which include the approval of decisions that have a significant impact on the risk profile of a SIPS or SIPS operator and of the key risk documents governing the operation of the SIPS.

(6) The Governing Council generally agreed that there is a need to substantially improve the mitigation of liquidity risk generated in deferred net settlement (DNS) systems through ensuring effective liquidity risk mitigation for all cycles from the moment a transfer order has been included in the calculation of net settlement positions and the position is visible to the participant.

(7) To allow for the smooth functioning of a SIPS, participants need to have adequate tools to effectively manage their liquidity. The SIPS operator has to monitor and facilitate the smooth flow of liquidity at a system level, taking into account the liquidity exposure of each participant.

(8) A SIPS operator settling one-sided payments in euro has to ensure that final settlement takes place in central bank money. Because this requirement also applies where a SIPS offering settlement in central bank money is in an emergency situation, SIPS operators settling payments for other SIPS should endeavour to allow final settlement even in such a situation.

(9) To ensure that SIPS funds are protected against possible business losses, the assets held by a SIPS operator to cover general business risk should be segregated from the assets held for daily business operations. In addition, a distinction should be drawn between a SIPS recovery and orderly wind-down plan, on the one hand, and a SIPS capital plan, on the other. While the latter needs to reflect the possibility of raising capital, the former should ensure that, within the normal course of business, funds available for the recovery and orderly wind-down plan do not fall below the amount required to implement them.

(10) Ensuring effective operational risk management is a continuous process which requires that operational policies and procedures are periodically, and whenever necessary, tested and reviewed, especially following significant changes to the system. This is particularly true for the management of cyber risks which has grown in importance since the publication of Regulation (EU) No 795/2014 (ECB/2014/28). This Regulation sets out specific requirements that are important in order to mitigate cyber risks.

(11) In order for a competent authority to exercise its oversight powers effectively, these powers should be complemented with two additional tools. First, the competent authority should have the power to require a SIPS operator to appoint an independent expert to perform an investigation or independent review of the SIPS's operation. In addition, it should be able to impose requirements concerning the type of expert to be appointed, the content and scope of the report to be produced, the treatment of the report, including disclosure and publication, and timing for the production of the report. Second, in line with Responsibility B of the abovementioned Principles for financial market infrastructures, a competent authority should be able to conduct on-site inspections or delegate this task.

(12) While corrective measures may only be imposed for infringements of Regulation (EU) No 795/2014 (ECB/2014/28), there could be situations that merit initiating the procedure for the imposition of such measures on the grounds of suspected non-compliance, giving a SIPS operator the opportunity to be heard and to provide explanations before an infringement is established. The procedure for the imposition of corrective measures should be set out in a decision. Moreover, a competent authority other than the ECB should notify the ECB of its intention to impose corrective measures without undue delay.

(13) In view of the findings of the Governing Council's review and to implement the CPMI-IOSCO guidance insofar as they apply to SIPS, Regulation (EU) No 795/2014 (ECB/2014/28) should be amended accordingly,

HAS ADOPTED THIS REGULATION: