Australia’s financial markets have become increasingly digitised and automated, and the technological and operational risks faced by market operators and participants have increased with them. Failures in this area, as seen for example in the November 2020 ASX outage, ‘can have significant real-world consequences’.
As a result of concerns relating to these risks, ASIC has introduced new market integrity rules (New Rules) to promote the technological and operational resilience of securities and futures market operations and participants. This includes the introduction of minimum expectations and controls to ensure these rules remain appropriate and protect against system vulnerability. The New Rules will take effect from 10 March 2023.
Accordingly, ASIC has made various amendments to the ASIC Market Integrity Rules (Securities Markets) 2017 (Securities Markets Rules) and the ASIC Market Integrity Rules (Futures Markets) 2017 (Futures Markets Rules). On 2 August 2022, ASIC also updated its regulatory guidance, including RG 265 (Guidance on ASIC market integrity rules for participants of securities markets), RG 266 (Guidance on ASIC market integrity rules for participants of futures markets) and RG 172 (Financial markets: Domestic and overseas operators). These guides reflect the implementation of the New Rules; the updated guidance explains the approach and scope of the New Rules, ASIC’s expectations of how the guidance applies in practice, and how market participants can comply with their obligations under the New Rules.
1.1 Technological and Operational Resilience Rules
(a) Adequate arrangements for critical business services: market participants must have adequate arrangements to identify, assess, manage and monitor risks so as to ensure the resilience, reliability, integrity and security of critical business services: Rule 8B.2.1(1). These arrangements may include, without limitation, policies, procedures and organisational resources (including financial, human and technological resources), and should be commensurate with the nature, scale and complexity of the services offered. ‘Critical business service’ is broadly defined in RG 265 as: ‘functions, infrastructure, processes or systems which in the event of failure to operate effectively, would or would be likely to cause significant disruptions to operations or materially impact services.’
(b) Change management of critical business services: market participants and operators must have adequate arrangements to ensure they continue to comply with Rule 8B.2.1(1) following the implementation of a new, or change to an existing, critical business service: Rule 8B.2.2. Adequate arrangements include, without limitation, testing of a new critical business service or material changes to an existing critical business service: Rule 8B.2.2(2)(a). The testing of new or material changes to existing critical business services should include testing of related changes to processes, technology, data, and infrastructure, and consider the effect on stakeholders relying on the critical business service. Testing should occur before the live implementation of a new critical business service or material changes to an existing critical business service.
(c) Outsourcing arrangements of critical business services: market participants and operators must implement appropriate frameworks for managing outsourcing arrangements. Due diligence must be conducted to ensure that the third-party provider has the ability and capacity to provide the services effectively. The performance of the third-party provider must be monitored to ensure that the services covered by the outsourcing arrangement are being provided and that the third party has the ability and capacity to continue to effectively provide the services over the duration of the arrangement. Adequate conflict management systems must also be in place for outsourcing arrangements.
(d) Information security: market participants and operators must have adequate arrangements and controls in place to ensure the confidentiality, integrity and protection of information, including backup and recovery systems: Rules 8B.3.1(1) and (2). In addition, market participants must protect their information assets from unauthorised access, theft, loss or corruption, and must have adequate arrangements for the backup of data and the recovery of data in the event of loss, theft or corruption. Records should be maintained for at least seven years following an event of unauthorised access.
(e) Business continuity planning: market participants and operators must establish business continuity plans to respond to major events that have the potential to cause significant disruptions to operations or materially impact their services. This includes pandemics, natural disasters, cyber-attacks, power failures, failure of a critical third-party service (such as a market data provider) or an outage of a critical infrastructure provider (such as a market operator or operator of a CS facility). Business continuity plans are to be reviewed and tested at least annually and each time there is a material change.
(f) Governance and resourcing: market participants and operators must have adequate governance arrangements and adequate financial, technological and human resources to comply with their obligations under the market integrity rules. The board or senior management must have oversight of the establishment, implementation, maintenance, review, testing and documentation of the business continuity plans.
(g) Trading controls (market operators only): a market operator must have controls, including automated controls, that enable the immediate suspension, limitation or prohibition of the entry of trading by a participant where required for the purposes of ensuring the market or CGS market (as the case may be) is fair, orderly and transparent.
2.1 Prohibition on payment for order flow
In addition to the above changes, from 10 June 2022, the existing prohibition on payment for order flow in Part 5.4B of the Securities Markets Rules has been extended to cover when a market participant sells client order flow and payment for order flow that occurs amongst other market intermediaries. ASIC views these amendments as a proactive measure to deter the emergence of payment for order flow arrangements in Australia.
2.2 Deregulatory and minor administrative amendments
Lastly, with a view to refining the rules and reducing participants’ regulatory burden, ASIC has introduced minor deregulatory and administrative changes across 10 ASIC-made rule books, with varying transition periods, including (without limitation):
(a) Securities Markets Rules: ASIC has (i) repealed the retail client adviser accreditation regime; (ii) amended the rules regarding trade confirmations for non-retail clients and regulatory data reporting; and (iii) introduced a ‘good fame and character’ test for market operators (this test applies from 10 June 2022);
(b) Futures Markets Rules: ASIC has (i) replaced the prohibited employment rule with a ‘good fame and character’ test, and extended the test to market operators; (ii) introduced suspicious activity reporting obligations (these obligations apply from 10 June 2022); and (iii) removed the requirement for client authorisations to be in writing for block trade and exchange for physical orders; and
(c) Across a number of rule books, ASIC has also clarified which decisions are subject to merits review and its power to grant waivers from the rules.
Strengthening the cyber and operational resilience of Australian financial services firms and markets is a key priority for ASIC. The new technological and operational resilience rules set minimum expectations and controls to mitigate these risks and help to safeguard the integrity and resilience of Australia’s markets.
It goes without saying that, as technological advancement increases, the importance of data security and cyber resilience is not limited to the domain of chief information security officers (or, in the case of privacy compliance, chief privacy officers) of large financial institutions, superannuation entities, mutuals, insurers and small and medium-sized enterprises. (See my earlier article, To retain or to destroy? The interaction between privacy, document retention and destruction policies, for further insights.) Further, the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) amendments, and the enhanced cyber security obligations relevant to critical infrastructure assets and sectors, are a further indicator of greater action being taken to manage the evolving national security risks posed to Australia’s critical infrastructure (see Security Legislation Amendment (Critical Infrastructure) Act 2021).
Coming back to financial markets however, while there is no mistaking that the updated rules clarify and strengthen existing obligations for market operators and participants, one must query whether refining the rules in this way will in fact place a greater regulatory and/or compliance burden on market operators and participants, including having regard to some of the concerns raised in submissions to ASIC on Consultation Paper 314.
Matthew Bode, Partner
Celine Xia, Paralegal
Per ASIC Commissioner Cathie Armour.
RG 265.572–RG 265.573: adequate arrangements for critical business services.
RG 104.21–RG 104.22.
RG 265.591.
RG 265.627: outsourcing arrangements involving a third-party provider.
RG 265.650–RG 265.674: business continuity plans.
RG 265.654.
RG 265.675–RG 265.679: governance.
22-045MR, ASIC amends market integrity rules and other ASIC-made rule books, 10 March 2022.
See ASIC Report 719, Response to submissions on CP 314 Market integrity rules for technological and operational resilience.