Payments and market infrastructure development: European Central Bank

The infamous Bangladesh Bank cyber heist in 2016 was a fresh awakening to the growing threat of cyber crime. Since then, payment service providers and market infrastructure firms have come under increasing pressure from supervisors to build and bolster their cyber defence strategies and infrastructure.

In June 2016, two key global standard-setting bodies for market infrastructure firms – the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions (Iosco) – published a 30-page document reinforcing the importance of cyber security. The document – which, on publication, effectively became mandatory – presented a framework and set of principles that firms should adopt and implement to demonstrate and enhance their cyber resilience.

Later followed cyber guidelines from organisations such as the National Institute of Standards and Technology, Isaca, the International Organisation for Standardization and the International Electrotechnical Commission. The result was a need for financial market infrastructure (FMI) providers to meet standards being set by a range of different bodies.

“Today, we are faced with decentralised requests for assessments of compliance against different standards coming from different angles,” Jessica Ramos-Byrne, head of regulatory and oversight affairs at EBA Clearing, tells Central Banking. She explains that the often-overlapping requirements require a significant allocation of resources to administrative tasks.

But this changed in December 2018, when the European Central Bank launched its own advice to FMIs to help them comply with the increasingly fragmented cyber resilience guidelines. The central bank deconstructed each of the cyber resilience frameworks, breaking them down line by line. It then rewrote each point into a simple, concrete and digestible set of guidelines called the Cyber Resilience Oversight Expectations (Croe).

“Literally, if the line in the guidance says you need to do A, the Croe will say you need to do X, Y and Z, and these are examples of how you can do it,” says Emran Islam, a market infrastructure expert in the ECB oversight division.

This has helped firms such as EBA Clearing. “Having the Croe as a centralised benchmark that we can refer to with our stakeholders is really helpful. Our participants can obtain the necessary assurance on the depth and breadth of our cyber resilience activities and that we are doing whatever is possible within the nature and scope of our activities, to mitigate these risks and control them,” says Ramos-Byrne.

“The Croe provides a strong point of reference, which allows complying entities to further standardise their approach to managing cyber threats, but also to avoiding, detecting and responding to actual threats,” André Vink, chief risk officer at EBA Clearing, tells Central Banking. He notes that the Croe “creates an enormous amount of awareness first and foremost, but also offers a comprehensive yet modular way of dealing with everything that has to do with cyber security”.

EBA Clearing considers the Croe its main point of reference and, because the framework “sets the bar across the board”, the firm also uses it to help assess its compliance with all other frameworks in different jurisdictions, says Ramos-Byrne.

One size doesn’t fit all

The ECB went one step further by helping supervisors and FMIs overcome a challenge presented by existing one-size-fits-all guidelines. For example, the ECB must ensure that both the pan-European Target2 payment system – which processes up to two billion transactions a day – and the Dutch’s iDeal payments system – which transacts roughly 20 million a month – are building adequate cyber reliance in accordance to their particularities.

The ECB designed the Croe to have three tranches of expectations: evolving; advancing; and innovating. The segmentations are designed so smaller FMIs, such as iDeal, could work towards fulfilling the lower tranches and, over time, move on to the more advanced expectations, which Target2 might be expected to fulfil.

“This was the first time that I felt a framework was not only about looking at what you have done, but also at what your goals are. The Croe gives direction,” says Vink. “Given the broad scope of the Croe, it can serve as a solid benchmark for all types of entities.”

EBA Clearing has now institutionalised the Croe framework, hosting an annual review of its Croe compliance with its member organisations.

“If this framework were rolled out globally, it would help entities operating in a multinational environment to be more efficient at putting in place and managing the necessary controls,” says Vink. “Banks and authorities could also find it easier to assess the cyber resilience levels of FMIs with a single framework.”

Globalising cyber standards

The World Bank is taking the ECB’s Croe to a global scale. Its payment system development group, which provides technical assistance on payment infrastructure to central banks, has adopted the Croe as its key framework to disseminate across emerging market economies.

“In order to improve cyber resilience for FMIs, a global momentum is necessary to complement country efforts,” Dorothee Delort, World Bank senior financial sector specialist, tells Central Banking.

Under the Financial Inclusion Global Initiative (FIGI), implemented in partnership by the World Bank Group and funded by the Bill & Melinda Gates Foundation, the World Bank was working on developing a methodology to put into operation the June 2016 CPMI-Iosco guidance on cyber resilience, says Delort.

“The ECB’s framework, aka the Croe, was deemed appropriate for the needs of central banks, especially the less sophisticated central banks,” she says. “Because of its flexibility, with three levels of expectations, the Croe can accommodate the needs of markets with various degrees of sophistication.”

The Bretton Woods institution, under FIGI, hosted its first financial sector cyber resilience workshop on November 6–7 in Mexico, where it introduced chapters of the Croe to an audience of emerging market central banks. Central banks and financial supervisory authorities from 15 countries in the Latin America and Caribbean region – including Argentina, Brazil, Colombia, Costa Rica and the Dominican Republic – participated in the workshop.

Similar events are being planned, and will take place in North Africa/Africa and Asia in 2020 and 2021.

The Central Banking Awards were written by Christopher Jeffery, Daniel Hinge, Dan Hardie, Rachael King, Victor Mendez-Barreira, Alice Shen and William Towning