Responding to digitisation and automation Amendments to the ASIC Market Integrity Rules
17 March 2022
17 March 2022
With financial markets becoming increasingly digitised and automated, the technological and operational risks faced by market operators and market participants have simultaneously increased.
As a result of concerns relating to these risks, ASIC has determined that formalised baseline obligations are needed to ensure that market operators' and participants' systems and controls are adequate for their operations. Accordingly, various updates have been made to the Market Integrity Rules to enable them to protect against the increasing reliance on highly complex systems and to help safeguard the integrity and resilience of Australia's markets. This includes the introduction of minimum expectations and controls to ensure these rules remain appropriate and protect against system vulnerability.
Various consultations have been undertaken by ASIC in recent years ahead of this outcome, including in respect of:
In response to the feedback received from industry on each of these consultations, ASIC has made various amendments to the ASIC Market Integrity Rules (Securities Markets) 2017 (Securities Markets Rules) and the ASIC Market Integrity Rules (Futures Markets) 2017 (Futures Markets Rules). ASIC also proposes to update its regulatory guidance to reflect any implementation of the new Rules, with this updated guidance further explaining the approach and scope of the Rules, as well as ASIC's expectations of how the guidance may apply in practice.
In response to the feedback received on CP 314, the following requirements have been introduced to clarify and strengthen existing obligations for both market operators and participants:
topic | requirement |
---|---|
Critical systems arrangements | Market operators and participants will be required to have adequate arrangements to ensure the resilience, reliability, integrity and security of their "critical business services". What constitutes a critical business service is dependent on the size and complexity of the market operator or market participant's business. However, this will generally include any functions, infrastructure, processes or systems which in the event of failure to operate effectively, would or would be likely to cause significant disruption to their operations or materially impact the services they provide. Such arrangements must include, amongst other things, arrangements for:
|
Change management for Critical Business Services | Market operators and participants are also required under the new Market Integrity Rules to have in place adequate arrangements for change management of their critical business services. This must include arrangements for:
|
Outsourcing of Critical Business Services | Appropriate frameworks must be implemented by market operators and for managing outsourcing arrangements in relation to critical business services. Specifically, an operator or participant that enters into an outsourcing arrangement must:
|
Information security | Market operators and participants must have adequate arrangements in place to ensure the confidentiality, integrity and security of data obtained, held or used. This includes implementing controls to prevent unauthorised access to information assets and to protect against theft, loss or corruption. Of particular importance, the new Market Integrity Rules require market operators and participants to notify ASIC in writing, as soon as possible and, in any case, no later than 72 hours, after becoming aware of any unauthorised access to or use of its critical business services that impacts the effective operation or delivery of those services or unauthorised access to or use of market-sensitive, confidential or personal information. |
Business continuity arrangements | The new Market Integrity Rules require market operators and participants to establish, implement and maintain plans for effectively responding to a major event that would or would be likely to cause significant disruption to their operations or materially impact their services. Major events may include the failure of or disruption to a critical business service, including one operated by a service provider, or an event such as a pandemic or influenza event, natural disaster, cyber-attack or power failure. |
Governance arrangements and adequate resources | Market operators and participants must have adequate governance arrangements and adequate financial, technological and human resources to comply with their obligations under the new market integrity rules. These arrangements include arrangements for the operator's or participant's board or senior management to have oversight of the establishment, implementation, maintenance, review, testing and documentation of the business continuity plans. |
Fair access to the market (market operators only) | ASIC has formed the view that a fair access rule is necessary to prevent the use of discriminatory access requirements as a competitive tool, however, it will further consider and consult with the ACCC on this rule at a future time. |
Trading controls (market operators only) | A market operator must have controls, including automated controls, that enable immediate suspension, limitation or prohibition of the entry by a participant of trading where required for the purposes of ensuring the market or CGS market (as the case may be) is fair, orderly and transparent. |
In addition to the above changes, the existing prohibition on payment for order flow in Part 5.4B of the Securities Markets Rules has been extended to cover when a market participant sells client order flow and payment for order flow that occurs amongst other market intermediaries.
Specifically, the enhanced prohibition requires market participants to take reasonable steps, in circumstances where they handle or execute orders as a result of an arrangement with another person, to ensure that the other person has not made a cash payment to a third party, or an associate of a third party, for that third party's orders that is in excess of any payment made by the third party for directing those orders to the other person. Market participants and their associates are also prohibited under the enhanced prohibition from accepting cash payments from another person for directing the market participant's orders to that person where this amount is in excess of any payment made by the market participant for directing orders to the other person.
ASIC anticipates the compliance impact of these amendments to be minor, noting that compliance can largely be achieved through a participant's intermediary documentation and on-boarding processes. Importantly, ASIC also does not expect market participants to actively monitor their intermediaries.
Finally, ASIC has made minor deregulatory and administrative changes across 10 ASIC-made rule books to reduce the regulatory burden on participants and generally update and refine the rules.
In the Securities Markets Rules, ASIC has:
In the Futures Markets Rules, ASIC has:
Across a number of rule books, ASIC also has clarified which decisions are subject to merits review and its power to grant waivers from the rules.
As a result of industry feedback on CP 314, ASIC has extended the initial proposed six-month transition period for the changes relating to technological and operational resilience to 12 months, meaning that these updates to the market integrity rules will take effect from 10 March 2023.
The enhanced prohibition on payment for order flow will, on the other hand, commence from 10 June 2022, while the various deregulatory and administrative amendments have varying transition periods.
Authors: Nicky Thiyavutikan (Senior Associate); Jack Collins (Associate); and Caitlin Murphy (Associate).
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.