12 July 2023

FMA releases standard condition for consultation to improve operational and cyber resilience

Media Release
MR No. 2023 – 29

The Financial Markets Authority (FMA) – Te Mana Tātai Hokohoko –  today released a consultation document on its proposal to introduce a new standard condition for certain financial market licence holders.  The new licence condition will focus on business continuity and technology systems. 

Operationally resilient businesses are important for the integrity and availability of New Zealand’s financial markets. The FMA wants to ensure that market service providers are prepared to respond to business continuity and cyber risks when they emerge.  As well as supporting well-functioning financial markets, this helps consumers to have confidence that their information and investments are being properly looked after.  

This consultation is relevant to the following types of market service licences:  

  • Managers of registered schemes (but not restricted schemes)   
  • Providers of discretionary investment management services 
  • Derivatives issuers and  
  • Prescribed intermediary services (peer-to-peer lending providers and crowdfunding service providers). 

The new standard condition proposes that licencees must have and maintain a business continuity plan that is appropriate for the scale and scope of its service, to make sure that their critical technology systems are operationally resilient. If the licencee suffers an event that materially affects the supply of its service, it must notify the FMA as soon as possible, and no later than 72 hours after the event. 

The 72-hour period reflects the reliance on technology by the relevant licence holders and the likelihood of harm to consumers and investors when disruptions occur. It also reflects the significance of technology in maintaining sound and efficient financial markets. 

The FMA introduced a BCP and technology resilience standard condition for Financial Advice Providers in 2020 and this requirement is also included in the Conduct of Financial Institutions regime which comes into force in 2025. 

The FMA has previously noted shortcomings in the cyber resilience and operational systems among entities it licences, including underinvestment in technology and the use of unsupported or legacy systems. 

Paul Gregory, FMA Executive Director of Response and Enforcement said: “The financial services sector is facing increasing technological risks that make it necessary for licensees to meet minimum business continuity and technology standards." 

“This proposal continues the FMA’s roll-out of this standard condition across licence types, to reflect the importance of ensuring licence holders can continuously provide their market services. By doing so, consumers and investors can have confidence they can access their services and products, when and how they want or need to.” 

Consultation on the proposal runs until 1 September. 

Download the consultation document for proposed standard condition on business continuity and technology systems.

 

Notes 

The latest CERTNZ Data Landscape report for January-March 2023 shows that the highest number of reported cyber security incidents were from the finance and insurance services sector. 

Media contacts:  

Andrew Park  
FMA Media Relations Manager  
[email protected]   
021 220 6770  

Matt Chatterton  
FMA Senior Adviser, Media Relations  
[email protected] 
021 241 7868