MIU – Issue 159 – May 2024
This Market Integrity Update contains the following articles:
- MDP penalty reinforces market participants’ gatekeeper obligations to maintain market integrity
- Expanding our guidance for technological and operational resilience MIRs
- Managing third-party cyber risk: The new frontline in cyber risk management
- Competition in clearing and settlement reforms progress
MDP penalty reinforces market participants’ gatekeeper obligations to maintain market integrity
Market participants must have effective arrangements, systems and procedures in place to detect, disrupt and report suspicious trading activity.
This is highlighted by a $775,000 fine issued to J.P. Morgan Securities Australia Limited (JPMSAL), after the Market Disciplinary Panel (MDP) found it was 'careless' in allowing suspicious client orders to be placed on the futures market, ASX 24.
The MDP found JPMSAL should have suspected 36 orders placed by a client between 11 January 2022 and 3 March 2022 were submitted with the intention of creating a false or misleading appearance with respect to the market for, or the price of, the Eastern Australia Wheat futures January 2023 (WMF3) contracts.
The MDP’s decision emphasises that market participants cannot rely solely on automated trade monitoring systems to detect potential misconduct and must take immediate action once alerted to misconduct by ASIC. Market participants should ensure that staff have appropriate knowledge and expertise in the products they trade and allow clients to trade in, so that they can oversee the market and detect and quickly respond to any suspicious behaviour. Further, market participants should ensure that clients to whom they allow direct market access remain competent and aware of their obligations.
As gatekeepers to Australia’s markets, market participants are expected to uphold the highest standards. They have a central role in detecting, preventing and disrupting suspicious trading activity.
JPMSAL’s cooperation with ASIC’s investigation, and its decision not to contest the matter before the MDP, were relevant factors in the penalty assessment.
JPMSAL has complied with the infringement notice and paid the fine. Compliance with the infringement notice is not an admission of guilt or liability, and by complying JPMSAL is not taken to have contravened section 798H(1) of the Corporations Act 2001.
- Read the media release
Expanding our guidance for technological and operational resilience MIRs
We’ve taken the first of three steps to clarify and expand our guidance on complying with market integrity rules relating to organisational and technological resilience. This follows recent industry engagement and a thematic review of identification of critical business services.
Earlier this year, we held roundtable discussions with AFMA and SIAA members about our guidance on market integrity rules relating to the technological and operational resilience of market participants in:
- Regulatory Guide 265 Guidance on ASIC market integrity rules for participants of securities markets (RG 265)
- Regulatory Guide 266 Guidance on ASIC market integrity rules for participants of futures markets (RG 266)
- Regulatory Guide 172 Financial markets: Domestic and overseas operators (RG 172).
As a first step, we’ve revised RG 265, RG 266 and RG 172 to correct minor drafting errors that caused confusion about the identification of critical business systems, and to clarify what we mean by ‘immediately’ when notifying ASIC of a major event.
Shortly, we’ll write to market participants to share our observations and guidance from a thematic review we conducted of arrangements for identifying critical business services and dealing with a major event. We plan to consult with industry on incorporating this guidance into RG 265, RG 266 and RG 172 when they’re next updated.
In the coming weeks, we’ll continue to meet with market participants and operators to discuss and consider their questions and requests for further expanded guidance. This will include whether and in what circumstances certain infrastructure (e.g. electricity, telecommunications, internet, data centres) and cloud computing service models (e.g. Software as a Service) should be identified as a critical business service.
Managing third-party cyber risk: The new frontline in cyber risk management
To mitigate cyber risk, organisations must take an active approach to identifying, assessing and monitoring third-party cyber risks.
Across Australia, organisations have moved to reinforce their internal cyber security following a series of high-profile incidents that began in late 2022. Without acting to mitigate third-party exposure – the new frontline in cyber risk management – the door remains open for bad actors to breach your defences.
We encourage organisations to identify their critical vendors and start by asking three simple questions:
- What level of access do third parties have to my systems? Implementing the principle of least privilege limits access to necessary functions, minimising the impact of breaches.
- How is third-party access protected? Threat actors seek elevated access to systems, which can quickly lead to a significant cyber breach if third-party credentials are compromised. Protecting credentials is tricky. Third parties might have multiple clients and credential storage methods, ranging from password managers to spreadsheets. Enabling multi-factor authentication with close monitoring can reduce the risk of third-party credential exploitation.
- Where is my data? Knowing what sensitive data you hold and where it is stored is critical to ensuring the correct level of protection is applied. Where third-party providers store, transfer and process data, additional scrutiny is needed.
If your organisation doesn’t have control over the type of protection applied to data stored by the third party, assess the potential impact of data exposure and question whether the amount of sensitive data held by the third party can be reduced. Adding contract terms to transfer risk will not absolve you of cyber risk. You must scrutinise, understand and own the risk of exposing data to a third party. The Office of the Australian Information Commissioner has developed a guide to securing personal information, including information held by third-party providers.
For more information, including questions to ask managed service providers and how to manage your security when engaging a managed service provider, visit the Australian Signals Directorate Cyber Security Centre.
Competition in clearing and settlement reforms progress
We welcome the Government’s action to progress implementation of rules for competition in clearing and settlement, which empowers ASIC (under the Corporations and Competition (CS Services) Instrument 2024) to make rules on clearing and settlement (CS) services relating to cash equities.
We’re committed to using our new powers on a timely basis to facilitate outcomes that are consistent with those expected in a competitive market for CS services. This includes implementing the 2017 Council of Financial Regulators Regulatory Expectations for Conduct in Operating Cash Equity Clearing and Settlement Services in Australia (Regulatory Expectations) as enforceable obligations.
The Regulatory Expectations apply to ASX’s engagement with, and provision of services to, users of its monopoly cash equity CS services. The Regulatory Expectations are intended to support the long-term interests of the Australian market by delivering outcomes that are consistent with those that might be expected in a competitive environment, by:
- ensuring that ASX remains responsive to users’ evolving needs, including in relation to its governance framework
- providing access to its cash equity CS services on a transparent and non-discriminatory basis with terms and conditions, including pricing, that are fair and reasonable.
We intend to consult on draft CS services rules to deliver these outcomes in July 2024.