ECB Speech on Eurosystem Cyber Resilience Strategy for FMIs


The Director General Market Infrastructure and Payments of the European Central Bank (“ECB”), Marc Bayle de Jessé, gave a speech on the ECB’s views on the regulation of cyber security on November 21, 2017.

In his speech, Mr. Bayle de Jessé provided an overview of the Eurosystem cyber resilience strategy for financial market infrastructures (“FMIs”). The strategy was approved by the ECB’s Governing Council in March 2017 and is intended to implement the June 2016 joint guidance (the “Guidance”) of the Committee on Payments and Market Infrastructures (“CPMI”) and the International Organization of Securities Commissions (“IOSCO”) on cyber resilience for FMIs.

The strategy is based on three pillars:

  • Pillar 1. Working with financial firms and FMIs to ensure that they build defenses and enhance their level of cyber maturity. The Eurosystem is developing a harmonized approach to assessing payment systems in use in the Eurozone against the CPMI-IOSCO guidance. It is also developing tools for use by FMI operators to enhance their cyber resilience maturity. These tools include a cyber survey, which has been sent by the ECB to all payment systems in the Eurosystem, and a “European Red Team Testing Framework”, which involves testing FMIs’ cyber resilience without prior warning by mimicking the tactics of real cyber attackers.
  • Pillar 2. Strengthening the resilience of the sector. The ECB is working on cross-regulatory collaboration, information sharing, improved threat intelligence, close collaboration with European law enforcement agencies, market-wide exercises based on cyberattack scenarios, and a deeper understanding of third parties and the supply chain. In particular, the ECB is developing an analytical framework and methodology for sector mapping, with the aim of producing sector and network maps that will be used to understand key risk areas and to improve crisis communication procedures. The ECB also calls for enhanced cross-authority collaboration, so that authorities take a similar approach to and focus on cyber resilience, and for the efficient sharing of threat information between market participants and regulators.

  • Pillar 3. Establishing strategic dialogue between the industry and regulators. The ECB is in the process of establishing the Euro Cyber Resilience Board, a forum that brings together market participants, competent authorities and cyber-security service providers. Its aim is to raise awareness and catalyze joint initiatives for developing effective solutions for the market, as well as to share best practices and foster trust and collaboration.

FSA Guidance on the Practice of PFOF

On 14 May 2012, the FSA published guidance on payment for order flow (“PFOF”) arrangements. These are arrangements under which a broker receives payment from market makers in exchange for routing order flow to them. Under the guidance, firms should manage the resulting conflicts of interest, disclose the PFOF arrangements to customers, and put procedures in place to ensure that the payments lead to a better service. Orrick’s Client Alert. Finalised Guidance.

Financial Industry Alert: FSA Releases Finalised Guidance on Payment for Order Flow Arrangements

On 14 May 2012, the FSA issued its finalised guidance on payment for order flow (“PFOF”) arrangements, following its October 2011 guidance consultation. The guidance appears to have been issued on substantially the same basis as the original consultation, which stated that “PFOF arrangements create a clear conflict of interest between the clients of the firm and the firm itself. Therefore it is unlikely to be compatible with our inducements rule and risks compromising compliance with best execution rules”.

SEC Guidance on Legality and Tax Opinions in Registered Offerings

On October 14, the Division of Corporation Finance of the SEC issued guidance on preparing legality and tax opinions filed in connection with registered offerings of securities. The bulletin outlines: (i) the requirements for such opinions; (ii) the SEC’s opinion review practices; and (iii) the nature of the written consent that must be filed by counsel with each registration statement. SEC Bulletin.