
2. SAFETY REQUIREMENTS

2.5. OPERATIONAL RELIABILITY AND ROBUSTNESS

2.5.1. The SO and SI of a designated RPS should implement effective measures to ensure that the infrastructure associated with the system provides adequate and continued services so as to minimize disruptions to retail payment transactions, clearing and settlement processes, and to promote retail payment transaction integrity, confidentiality and availability.

2.5.2. A designated RPS should have clearly defined operational reliability objectives (e.g. operational performance objectives and service-level targets) and policies that are designed to achieve such objectives. The performance of the system against the established objectives should be assessed on a regular basis.

2.5.3. The operational capacity of a designated RPS should be scalable to handle stress volumes, taking into account the operational reliability objectives.

The capacity and performance of a designated RPS should be monitored, reviewed and tested on an ongoing basis. The SO and SI of a designated RPS should also conduct demand forecasts and make appropriate plans to handle plausible changes in the volume of business or technical requirements of the system, and conduct system capacity stress testing regularly to validate whether the system can handle large volumes of transfer orders under different extreme but plausible circumstances.

Operational risk management

2.5.4. The SO and SI of a designated RPS should have in place a robust, adequate and effective operational risk system to ensure that payment transactions effected through the system are transferred, cleared and/or settled (as applicable) in a timely, accurate and reliable manner.

2.5.5. The SO and SI of a designated RPS should identify the operational processes and equipment that are of crucial importance for the functioning of the system, and monitor the performance of the system. Arrangements should also be in place to detect anomalies in such processes and equipment, such that emergence of possible incidents can be identified and addressed at an early stage.

2.5.6. The SO and SI of a designated RPS should have in place a comprehensive incident management framework with documented procedures and sufficient management oversight to record, report, analyse, respond to and recover from all operational incidents properly with respect to the system, including, among others, those arising from or involving the system’s participants and participants’ customers. This should include:

(a) a system for classifying incidents and operational problems according to their criticality and for determining the escalation and handling procedures;

(b) reporting to the HKMA of material incidents which may have implications for the safety or efficiency of the designated RPS as soon as practicable;

(c) an effective strategy for communicating with participants and other stakeholders upon the occurrence of incidents to address their possible concerns and restore their confidence in the system; and

(d) post-incident review to identify the root causes of the incident and any necessary enhancement to the operation and/or business continuity arrangements. The review should, where relevant, include participants of the designated RPS.

2.5.7. A designated RPS should have in place adequate measures to prevent and detect, and mitigate the risks posed by and the impact of, fraudulent transactions carried out through the system, which include monitoring of payment activities carried out through the system and taking prompt actions against fraud and any risks posed by such activities. Proper arrangements should also be put in place to facilitate participants in sharing information and conducting customer education that are relevant to fraud awareness so as to reduce the risk of fraud.

Outsourcing and support service arrangements

2.5.8. Where certain operations of a designated RPS are outsourced to service providers, or support services are provided by service providers, the SO and/or SI concerned should ensure that the outsourcing or support service arrangement will not impair the safety or efficiency of the system. The SO and/or SI remains solely responsible for meeting any statutory and regulatory requirements applicable to the designated RPS.

2.5.9. A proposed outsourcing or support service arrangement should be subject to comprehensive risk assessment and all risks identified should be properly addressed before implementation of the arrangement. Outsourcing or support service agreements with service providers should be established to clearly set out the outsourcing or support service arrangements, rights and obligations of the parties involved, and measurable performance standards.

An effective management programme should be in place to ensure that the outsourced operations or support services continue to meet the required performance standards, that any risks arising from the outsourcing or support service arrangements are identified and mitigated in a timely manner, and that the outsourcing or support service agreements are regularly reviewed and amended where appropriate to reflect changes in market standards, operational needs and the external environment.

Business continuity management (BCM)

2.5.10. The SO and SI of a designated RPS should have in place adequate BCM programmes that are appropriate to the nature, scale, and complexity of the business of the designated RPS, and implement such BCM programmes quickly and effectively in the event of service disruptions, including those caused by service providers. The BCM programmes should identify and address events that may pose a significant risk of disrupting operations of the system, in particular events that could cause a wide-scale and major disruption. The BCM programmes should include proper business impact analyses, recovery objectives and strategies, business continuity plans and alternative sites for business and IT recovery to ensure timely resumption of critical operations following a service disruption. The BCM programmes should be properly documented and subject to regular review and testing.
