ECB Revised Assessment Methodology For Payment Systems


The European Central Bank (“ECB“) published a revised assessment methodology for payment systems on June 15, 2018.

The principles for financial market infrastructures (“PFMIs“) developed by the Committee on Payments and Market Infrastructures (“CPMI“) and the Technical Committee of the International Organization of Securities Commissions (“IOSCO“) were adopted in June 2013 as a basis for the conduct of Eurosystem oversight in relation to all types of financial market infrastructures (“FMIs“). For payment systems, the PFMIs are implemented through the ECB Regulation on oversight requirements for systemically important payment systems (Regulation 795/2014) (SIPS Regulation) and the revised oversight framework for retail payment systems.

The updated assessment methodology covers the requirements introduced by the Revised SIPS Regulation, which entered into force in December 2017. It also references the Eurosystem’s cyber resilience oversight expectations, which are based on the CPMI-IOSCO guidance on cyber resilience for financial market infrastructures published in June 2016.

The ECB previously updated the assessment methodology in February 2016.

ECB Speech on Eurosystem Cyber Resilience Strategy for FMIs


The Director General Market Infrastructure and Payments of the European Central Bank (“ECB“), Marc Bayle de Jessé, gave a speech on the ECB’s views on the regulation of cyber security on November 21, 2017.

In his speech, Mr. Bayle de Jessé provided an overview of the Eurosystem cyber resilience strategy for financial market infrastructures (“FMIs“). The strategy was approved by the ECB’s governing council in March 2017 and is intended to implement the June 2016 joint guidance (Guidance) of the Committee on Payments and Market Infrastructures (“CPMI“) and the International Organization of Securities Commissions (“IOSCO“) on cyber resilience for FMIs.

The strategy is based on three pillars:

  • Pillar 1. Working with financial firms and FMIs to ensure that they build defenses and enhance their level of cyber maturity. The Eurosystem is developing a harmonized approach to assessing payment systems in use in the Eurozone against the CPMI-IOSCO guidance. It is also developing tools for use by FMI operators to enhance their cyber resilience maturity. These tools include a cyber survey, which has been sent by the ECB to all payment systems in the Eurosystem, and a “European Red Team Testing Framework”, which involves testing FMIs’ cyber resilience without prior warning by mimicking the tactics of real cyber attackers.
  • Pillar 2. Strengthening the resilience of the sector. The ECB is working on cross-regulatory collaboration, information sharing, improved threat intelligence, close collaboration with European law enforcement agencies, market-wide exercises based on cyberattack scenarios, and a deeper understanding of third parties and the supply chain.In particular, the ECB is developing an analytical framework and methodology for sector mapping with the aim of producing sector and network maps that will be used to understand key risk areas and improved crisis communication procedures. The ECB also calls for cross-authority collaboration to be enhanced to ensure that authorities have a similar approach and focus on cyber resilience and for the efficient sharing of information on threats by market participants and regulators.

Pillar 3. Establishing strategic dialogue between the industry and regulators. The ECB is in the process of establishing the Euro Cyber Resilience Board. The aim of this board is to provide a forum that brings together market participants, competent authorities and cyber-security service providers. The aim of the Forum is to raise awareness and catalyze joint initiatives for developing effective solutions for the market, as well as sharing best practices and fostering trust and collaboration.

IOSCO and CPMI Report on Recovery of Financial Market Infrastructures

On October 15, following a consultation launched in August 2013, the International Organization of Securities Commission (IOSCO) and the Committee on Payments and Market Infrastructure (CPMI) issued a joint report on the recovery of financial market infrastructures (FMIs).

The report supplements the international standard for FMIs published by IOSCO and CPMI in April 2012 and contains guidance to FMIs on the means of developing plans to enable recovery from threats to viability and financial strength which could prevent them from providing critical services to their participants and the markets they serve.  The report also provides guidance to relevant authorities on carrying out their responsibilities in connection with the development and implementation of recovery plans.  Report.