Legal development

Responding to digitisation and automation: Amendments to the ASIC Market Integrity Rules

    What you need to know

    • The new Market Integrity Rules clarify and strengthen existing obligations for market operators and participants and provide greater domestic and international alignment.
    • The concept of a "critical business service" is introduced by the new Rules, with market operators and market participants being required to, amongst other things, have adequate arrangements to ensure the resilience, reliability, integrity and security of these systems.
    • Market participants and operators are also required under the new Rules to have in place adequate arrangements to ensure the confidentiality, integrity and availability of information obtained, held or used in relation to their operations and services.
    • There is an additional obligation for market operators and market participants to establish business continuity plans for dealing with major events that cause significant disruption to market-related operations and services.
    • ASIC has separately amended the prohibition on payment for order flow to address certain regulatory gaps and made deregulatory, minor and administrative amendments to 10 ASIC-made Rule books. 

    What you need to do

    • Consider which of your functions, infrastructure, processes or systems will be critical business services for the purposes of the new Market Integrity Rules.
    • Understand the types of events that would, or would be likely to, cause significant disruption to your business and your existing capacity to appropriately respond to such events.
    • Review your existing arrangements and continuity plans to determine whether they will enable compliance with the new requirements and uplift these where necessary.

    Background

    With financial markets becoming increasingly digitised and automated, the technological and operational risks faced by market operators and market participants have simultaneously increased.  

    As a result of concerns relating to these risks, ASIC has determined that formalised baseline obligations are needed to ensure that market operators' and participants' systems and controls are adequate for their operations.  Accordingly, various updates have been made to the Market Integrity Rules to enable them to protect against the increasing reliance on highly complex systems and to help safeguard the integrity and resilience of Australia's markets.  This includes the introduction of minimum expectations and controls to ensure these rules remain appropriate and protect against system vulnerability. 

    Various consultations have been undertaken by ASIC in recent years ahead of this outcome, including in respect of:

    • the risks posed by significant changes in the technology and associated processes underpinning financial markets, as well as the nature of users and how they interact with financial markets (see Consultation Paper 314: Market integrity rules for technological and operational resilience (CP 314));
    • closing the regulatory gap in the existing rules which have the capacity to circumvent the emergence of payment for order flow arrangements in Australia (see Consultation Paper 347: Proposed amendments to the prohibition on order incentives in the ASIC market integrity rules); and
    • other consequential amendments to the market integrity rules to reduce the regulatory burden on participants and to refine the rules to ensure they remain appropriate (see Consultation Paper 342: Proposed amendments to the ASIC market integrity rules and other ASIC-made rules). 

    In response to the feedback received from industry on each of these consultations, ASIC has made various amendments to the ASIC Market Integrity Rules (Securities Markets) 2017 (Securities Markets Rules) and the ASIC Market Integrity Rules (Futures Markets) 2017 (Futures Markets Rules).  ASIC also proposes to update its regulatory guidance to reflect any implementation of the new Rules, with this updated guidance further explaining the approach and scope of the Rules, as well as ASIC's expectations of how the guidance may apply in practice. 

    Key requirements under the new market integrity rules

    In response to the feedback received on CP 314, the following requirements have been introduced to clarify and strengthen existing obligations for both market operators and participants: 

     
    Topic | Requirement

    Critical systems arrangements

    Market operators and participants will be required to have adequate arrangements to ensure the resilience, reliability, integrity and security of their "critical business services".

    What constitutes a critical business service is dependent on the size and complexity of the market operator or market participant's business. However, this will generally include any functions, infrastructure, processes or systems which in the event of failure to operate effectively, would or would be likely to cause significant disruption to their operations or materially impact the services they provide.

    Such arrangements must include, amongst other things, arrangements for:

    • identifying critical business services;
    • identifying, assessing, managing and monitoring for any risks to the resilience, reliability, integrity and security of critical business services;
    • ensuring critical business services have sufficient and scalable capacity for ongoing and planned operations and services; and
    • preventing unauthorised access to or use of critical business services.

    Change management for Critical Business Services

    Market operators and participants are also required under the new Market Integrity Rules to have in place adequate arrangements for change management of their critical business services. This must include arrangements for:

    • testing new critical business services or material changes to existing critical business services before implementation;
    • communicating with persons that may be materially impacted by the implementation for the purposes of ensuring those persons are adequately informed about the nature, timing and impact of the implementation a reasonable time before it occurs; and
    • ensuring, to the extent reasonably practicable, that persons that may be materially impacted by the implementation are adequately prepared for the implementation before it occurs.

    Outsourcing of Critical Business Services

    Appropriate frameworks must be implemented by market operators and participants for managing outsourcing arrangements in relation to critical business services.

    Specifically, an operator or participant that enters into an outsourcing arrangement must:

    • conduct due diligence enquiries for the purposes of ensuring the service provider has the ability to effectively provide the services covered by the arrangement;
    • ensure that the outsourcing arrangement is contained in a legally binding agreement;
    • monitor the performance of the service provider to ensure that they are providing, and will continue to provide, the services covered by the outsourcing arrangement effectively;
    • have in place arrangements to identify and manage any conflicts of interest which could arise or have been identified;
    • have in place adequate arrangements to ensure they are able to comply with any obligations in relation to the critical business services that are the subject of an outsourcing arrangement;
    • ensure that they, as well as ASIC and any auditors, have access to all books, records and other information relating to the critical business services that are maintained by the service provider; and
    • ensure that for each outsourcing arrangement, the board, a director or a member of senior management has confirmed compliance with the obligations under the market integrity rules and made a written attestation to that effect.

    Information security

    Market operators and participants must have adequate arrangements in place to ensure the confidentiality, integrity and security of data obtained, held or used. This includes implementing controls to prevent unauthorised access to information assets and to protect against theft, loss or corruption.

    Of particular importance, the new Market Integrity Rules require market operators and participants to notify ASIC in writing, as soon as possible and in any case no later than 72 hours after becoming aware of any unauthorised access to or use of their critical business services that impacts the effective operation or delivery of those services, or any unauthorised access to or use of market-sensitive, confidential or personal information.

    Business continuity arrangements

    The new Market Integrity Rules require market operators and participants to establish, implement and maintain plans for effectively responding to a major event that would or would be likely to cause significant disruption to their operations or materially impact their services.

    Major events may include the failure of or disruption to a critical business service, including one operated by a service provider, or an event such as a pandemic or influenza event, natural disaster, cyber-attack or power failure.

    Governance arrangements and adequate resources

    Market operators and participants must have adequate governance arrangements and adequate financial, technological and human resources to comply with their obligations under the new market integrity rules. These arrangements include arrangements for the operator's or participant's board or senior management to have oversight of the establishment, implementation, maintenance, review, testing and documentation of the business continuity plans.

    Fair access to the market (market operators only)

    ASIC has formed the view that a fair access rule is necessary to prevent the use of discriminatory access requirements as a competitive tool; however, it will further consider and consult with the ACCC on this rule at a future time.

    Trading controls (market operators only)

    A market operator must have controls, including automated controls, that enable immediate suspension, limitation or prohibition of the entry by a participant of trading where required for the purposes of ensuring the market or CGS market (as the case may be) is fair, orderly and transparent.

    Prohibition on payment for order flow 

    In addition to the above changes, the existing prohibition on payment for order flow in Part 5.4B of the Securities Markets Rules has been extended to cover when a market participant sells client order flow and payment for order flow that occurs amongst other market intermediaries.  

    Specifically, the enhanced prohibition requires market participants to take reasonable steps, in circumstances where they handle or execute orders as a result of an arrangement with another person, to ensure that the other person has not made a cash payment to a third party, or an associate of a third party, for that third party's orders that is in excess of any payment made by the third party for directing those orders to the other person.  Market participants and their associates are also prohibited under the enhanced prohibition from accepting cash payments from another person for directing the market participant's orders to that person where this amount is in excess of any payment made by the market participant for directing orders to the other person.

    ASIC anticipates the compliance impact of these amendments to be minor, noting that compliance can largely be achieved through a participant's intermediary documentation and on-boarding processes.  Importantly, ASIC also does not expect market participants to actively monitor their intermediaries.

    Deregulatory, minor and administrative amendments 

    Finally, ASIC has made minor deregulatory and administrative changes across 10 ASIC-made rule books to reduce the regulatory burden on participants and generally update and refine the rules. 

    In the Securities Markets Rules, ASIC has: 

    • repealed the retail client adviser accreditation regime; 
    • amended rules covering trade confirmations for non-retail clients and regulatory data reporting; and 
    • introduced a 'good fame and character' test for market operators. 

    In the Futures Markets Rules, ASIC has: 

    • replaced the prohibited employment rule with a 'good fame and character' test, and extended the test for market operators; 
    • introduced suspicious activity reporting obligations; and 
    • removed the requirement for client authorisations to be in writing for a block trade and exchange for physical orders. 

    Across a number of rule books, ASIC has also clarified which decisions are subject to merits review and its power to grant waivers from the rules.

    When do the new rules come into effect?

    As a result of industry feedback on CP 314, ASIC has extended the initial proposed six-month transition period for the changes relating to technological and operational resilience to 12 months, meaning that these updates to the market integrity rules will take effect from 10 March 2023. 

    The enhanced prohibition on payment for order flow will, on the other hand, commence from 10 June 2022, while the various deregulatory and administrative amendments have varying transition periods.

     

    Authors: Nicky Thiyavutikan (Senior Associate); Jack Collins (Associate); and Caitlin Murphy (Associate).

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.