IFSCA

Guidelines for BCP-DR for Market Infrastructure Institution

IFSC (International Financial Services centres Authority) regulates financial services & financial institutions in India. IFSCA released a circular IFSCA/CMD-DMIIT/DR/774/2022/01 on November 16, 2022, regarding the new business continuity & disaster recovery requirements for India- based market infrastructure institutions (MII).

In the circular, IFSCA, IOSCO memeber, has adopted the principles for financial market infrastructure laid down by CPMI-IOSCO.

Principle 17 Of PFMI, Mitigation and management of operational risk is required, which is essential Market Infrastructure Institution and helps to identify the internal and external operational risk and mitigate the risk with the help of appropriate systems, policies and procedures. Additionally, timely recovery of the operations and fulfilment of FMI’s obligation is the aim of business continuity management; it includes the event of a wide-scale or significant disruption.

This article discusses the framework for the Business continuity plan & disaster recovery for MIIs in the IFSCA. It covers the Configuration of DRS/NS, DR Drills/ Testing, and a policy of BCP.

What are the market infrastructure institutions?

The market infrastructure institutions include a stock exchange, depositories and clearing houses. It is a crucial part of the nation’s essential economic infrastructure.

MIIs help use money in the economy and promote economic development. MII constitute the nucleus of the capital allocation system and are indispensable for economic growth. Like other infrastructure institutions, it has a net positive effect on society.

What are the institutions in India which qualify as Market infrastructure institutions?

SEBI lists seven, including the BSE, NSE, multi-commodity exchange of India and the metropolitan SEBI.

The two depositories- central depository ltd. And the national securities depository ltd. These depositories are charged with safeguarding securities and enabling their trading and transfer, which are tagged MIIs.

The seven clearing houses, including the multi-commodity exchange Clearing Corporation.

What is the business continuity plan?

Business continuity planning^[1], also called business continuity & resiliency planning, prepare a guideline for the operation of a continuity business under adverse condition such as natural calamity, regular business process interruption, damage or loss to infrastructure or business crime.

Intelligible, Risk management and disaster management are significant factors in business continuity planning.

Business Continuity Plan & Disaster Recovery for MIIs

• To maintain data and transactions, MIIs must have BCP and DRS. 
• All the Market Infrastructure Institution must have a near site to ensure zero data loss other than DRS.
• A minimum distance of 500 km shall be ensured b/w the primary data centre and DRS so that the same disaster does not affect DRS and PDC.
• In the DRS, a sufficient number of trained staff shall hire by MIIs to ensure the capability of current operations from the DRS, excluding the involvement of the PDC.
• In the event of any disaster, roles and responsibilities and actions will take by the employees, IRT/CMT and outsourced staff. The BCP-DR policy document that part is MII which documented the disasters.
• Every quarter, the MIIs technology committee review the execution of the BCP-DR policy approved by the Market Infrastructure Institution governing board.
• The Market infrastructure institutions will provide the training program to their employees and outsourced staff, vendors, etc., to enhance knowledge and awareness among them so that they will discharge their duties per the BCP policy.

Configuration of Disaster recovery sites/near sites with PDC

The following guidelines will apply to the configuration of DRS/NS with PDC:-

• Computing environments such as Hardware, system software, enivornment application, network & security devices and associated application environments of DRS and PDC will have one-to-one correspondence b/w them.
• The intermediary level will not require system configuration changes to switch from PDC to DRS.
• The involvement of Trading risk management, Collateral Management, Clearing & Settlement and Index computation by critical systems for an exchange corporation.
• Suppose a disruption of one or more of the critical systems happens. In that case, Market Infrastructure Institution will declare the incident as a disaster within 30 minutes of the incident and take necessary precautions to redevelop the operations.
• The PDC and DRS/NS solution architecture shall ensure high availability, fault tolerance, no single point of failure, zero data loss, and data and transaction integrity.
• Any updates made at the PDC will be reflected at DRS/NS immediately with headroom flexibility without compromising performance metrics.
• sufficient resources (with appropriate training and experience) should be available to manage operations at NS, PDC, or DRS, in the case maybe, regularly and during disasters.

DR Drills/ Testing

• IFSCA issue the following guidelines for the DR Drills/testing shall apply:-
• It will be conducted every quarter.
• The staff based at PDC will not be involved in supporting operations during the DR drill.
• It includes the implementation of overall operations from DRS for atleast one full trading day.
• Before the commencement of DR drills, the timing diagrams identify resources DRS and PDC.
• These drill results and documentation will be documented and placed before the MIIs governing board.
• Scrutinize the preparedness of the Market Infrastructure Institution to switch their operations from the PDC to the DRS by the system auditor that covering the Business countinuity plan-DR aspect as a part of the complusory annual Systems Audit.
• During mock trading sessions, the Stock Exchanges will involve a scenario of intraday switchover from the PDC to Disaster recovery to demonstrate their preparedness to meet RTO/RPO as stipulated above.
• To identify the causes and to prevent the recurrence of similar problems, the Market Infrastructure Institution will undertake & document Root Cause Analysis (RCA) of their technical/system-related problems.

BCP – DR Policy Document

The BCP – the MIIs shall prepare DR policy document as per the following:

1. The BCP-DR policy documents outline the following:
   • Disaster for a Market Infrastructure Institution is defined in broad scenarios.
   • The standard operating process to be followed in the disaster event.
   • Escalation hierarchy within the MII to manage the Disaster.
   • Documentation policy on record keeping about DR drills.
   • Framework to constantly monitor the health and performance of Critical Systems in the ordinary course of business.
2. Governing Board should approve the BCP-DR policy document of the MII after being vetted by Technology Committee and communicated to IFSCA.
3. In case an MII want to lease its premises at the DRS to another organization, it includes its subsidiaries or company in that it has a stake, the MII should make sure that such agreements do not compromise the confidentiality, availability, integrity, standard targets performance & service levels of the MII’s systems at the Disaster recovery system.

Conclusion

This circular is issued in the exercise of powers mentioned in Section 12 of the IFSCA (International Financial Services Centres Authority) Act 2019 to build up and regulate the financial product, financial service and financial institution in the International Financial Services Centres.

guidelines-for-bcp-dr-for-miis16112022070946

Read Our Article: System & Network Audit of Market Infrastructure Institutions: SEBI Circular