Key Takeaways
- The Bank of Canada evaluates systemic financial market infrastructures (FMIs) against risk‑management standards that fully embed the Principles for Financial Market Infrastructures (PFMIs) and their Key Considerations.
- These standards are the baseline for assessing whether an FMI adequately controls its operational, credit, liquidity, legal, and settlement risks.
- The Bank supplements the PFMIs with international guidance from the Committee on Payments and Market Infrastructures – International Organization of Securities Commissions (CPMI‑IOSCO), which is incorporated as explanatory notes and additional topic‑specific documents.
- Domestic coordination with the Canadian Securities Administrators (CSA) yields Canadian‑specific supplementary guidance that clarifies how the international standards apply within Canada’s regulatory environment.
- A dedicated Bank of Canada document, Expectations for Cyber Resilience of Financial Market Infrastructures, translates the CPMI‑IOSCO cyber guidance into concrete expectations for Canadian FMIs.
- FMIs must report material cyber and information‑technology incidents to the Bank according to its reporting guideline, ensuring timely oversight and mitigation.
- Together, the PFMIs, CPMI‑IOSCO guidance, Canadian supplementary material, and the cyber‑resilience expectations form a comprehensive framework that the Bank uses to monitor and promote the safety and soundness of systemic FMIs.
Risk‑Management Standards Aligned with the PFMIs
The Bank of Canada’s approach to overseeing systemic FMIs begins with a set of risk‑management standards that are directly derived from the Principles for Financial Market Infrastructures (PFMIs). These Principles, issued by the CPMI‑IOSCO, cover governance, risk‑management frameworks, operational reliability, credit and liquidity risk management, settlement finality, money‑settlement, physical‑custody, access policies, efficiency, and transparency. The Bank’s standards do not merely reference the PFMIs; they fully incorporate the Principles and their accompanying Key Considerations, ensuring that every element of an FMI’s risk‑control environment is measured against an internationally recognised benchmark. By anchoring its expectations to the PFMIs, the Bank creates a common language with other central banks and regulators, facilitating cross‑border cooperation and consistent supervision.
Assessment Methodology Against Established Benchmarks
When the Bank evaluates a designated clearing or settlement system, it compares the FMI’s actual risk‑management practices to the standards outlined above. This comparative analysis examines whether the FMI has appropriate governance structures, robust internal controls, adequate capital and liquidity buffers, effective contingency planning, and transparent reporting mechanisms. The Bank looks for evidence that the FMI not only meets the minimum requirements of the PFMIs but also adopts leading‑edge practices where relevant. Any gaps identified trigger a dialogue with the FMI’s management, prompting remedial action plans or, in severe cases, more intensive supervisory measures. This systematic, standards‑based review helps the Bank satisfy itself that systemic FMIs are adequately controlling the risks they pose to the Canadian financial system.
Incorporation of International CPMI‑IOSCO Guidance
Beyond the core PFMIs, the Bank explicitly expects designated FMIs to consider supplementary international guidance developed by CPMI‑IOSCO. This guidance appears in the PFMIs themselves as Explanatory Notes, which elaborate on how each Principle should be interpreted and applied in practice. In addition, CPMI‑IOSCO has produced a suite of topic‑specific documents covering areas such as FMI recovery planning, cyber resilience, the role of critical service providers, and central counterparty (CCP) resilience. The Bank treats these materials as authoritative references; FMIs are required to integrate the relevant recommendations into their policies, procedures, and testing regimes. By aligning with CPMI‑IOSCO guidance, the Bank ensures that Canadian FMIs benefit from the latest international thinking and remain competitive with peers in other jurisdictions.
Domestic Supplementary Guidance from the Canadian Securities Administrators
To address nuances unique to Canada’s market structure and regulatory landscape, the Bank works closely with the Canadian Securities Administrators (CSA) to produce Canadian‑specific supplementary guidance. This domestic material clarifies how the PFMIs and CPMI‑IOSCO notes should be implemented within the Canadian context, taking into account factors such as the country’s payment‑system architecture, the prevalence of certain asset classes, and the interaction with provincial securities regulators. The guidance does not alter or replace any PFMI Principle; rather, it offers practical illustrations, examples, and interpretation aids that help FMIs translate high‑level standards into concrete actions. This collaborative effort reduces compliance uncertainty and promotes consistent application of risk‑management expectations across the Canadian FMI sector.
Bank of Canada’s Expectations for Cyber Resilience
Recognising the growing threat posed by cyber‑attacks, the Bank of Canada has issued a dedicated publication titled Expectations for Cyber Resilience of Financial Market Infrastructures. This document translates the CPMI‑IOSCO Cyber Guidance into specific, actionable expectations for Canadian FMIs. It outlines requirements for cyber‑risk governance, threat intelligence sharing, incident detection and response capabilities, regular testing (including penetration testing and tabletop exercises), and the maintenance of robust backup and recovery procedures. The Bank also stresses the importance of securing critical service providers and third‑party vendors, acknowledging that cyber risk often extends beyond the FMI’s direct perimeter. By setting clear cyber‑resilience benchmarks, the Bank aims to bolster the overall stability of the financial system against disruptive digital threats.
Incident Reporting Obligations for Cyber and IT Events
Complementing its cyber‑resilience expectations, the Bank mandates that FMIs report material cyber and information‑technology incidents in accordance with its reporting guideline. The guideline defines what constitutes a “material” incident—typically events that could jeopardize the FMI’s ability to settle transactions, compromise confidential data, or undermine market confidence—and specifies the timelines, format, and content required for notifications. Prompt reporting enables the Bank to assess systemic implications, coordinate with other regulators (such as the Office of the Superintendent of Financial Institutions and provincial securities commissions), and, if necessary, invoke contingency measures or request remedial actions. This reporting framework enhances transparency and ensures that emerging cyber threats are swiftly communicated to the appropriate authorities.
Integrated Framework for Oversight of Systemic FMIs
Taken together, the PFMIs, CPMI‑IOSCO explanatory and topic‑specific guidance, Canadian supplementary material from the CSA, the Bank’s cyber‑resilience expectations, and its incident‑reporting guideline constitute a comprehensive supervisory toolkit. The Bank uses this framework to evaluate whether systemic FMIs are not only meeting baseline standards but also continuously improving their risk‑management capabilities in response to evolving market dynamics and technological threats. By maintaining alignment with international best practices while tailoring expectations to the Canadian environment, the Bank of Canada contributes to the resilience, efficiency, and integrity of the nation’s financial market infrastructure—a cornerstone of overall financial stability.