Business Continuity & Disaster Recovery in the Financial Services Sector: Aspects of Risk Mitigation in the Financial Services. Joseph Demanuele, 25 June 2007.

Presentation transcript:

Business Continuity & Disaster Recovery in the Financial Services Sector
Aspects of Risk Mitigation in the Financial Services
Joseph Demanuele
25 June 2007

Agenda
- The MFSA – organisation, functions and obligations
- Business Continuity Compliance – current position and future considerations
- High Level Principles of Business Continuity – published by a forum of financial services supervisors
- Business Continuity in the UK Financial Services – challenges for 2007
- Survey on Business Continuity in the global Financial Services Sector, by a leading risk magazine
25 June 2007 ISACA / MFSA

The MFSA
"Ensure high standards of conduct and management in financial services and promote the legitimate expectations of consumers"
Public Authority set up by the MFSA Act with functions to:
- Regulate and supervise financial services (single regulator)
- Inform, promote and protect the interests of consumers of financial services
- Promote fair competition practices and consumer choice
- Monitor legislation and advise Government on the formulation of policies
- Ensure high standards of conduct and management in the sector

The Main Organs (organisation chart)

The Organisational Units (organisation chart)

Conduct & Management
MFSA Act, Article 4(1)(g) states that: "Without prejudice to any other power or function conferred to it by this Act or any other law, it shall be the function of the Authority ... to ensure high standards of conduct and management throughout the financial system"
How is this function carried out?
- Ensure that licence holders have a Business Continuity Plan (BCP) in place which has been tested and is being continuously updated
- Periodic on-site compliance visits

Other Obligations
Besides the MFSA Act, the Authority ensures compliance with:
- Other local legislation regulating financial services
- EU legislation and other international treaties
- Transposes EU legislation into local legislation
- Adopts new Directives, such as MiFID, Solvency II, CRD and others

On-Site Compliance
MFSA Units carrying out regular on-site compliance visits:
- Securities Unit
- Insurance Business Unit
- Company Compliance Unit
- Banking Unit
Last year 98 compliance visits were conducted on site.
Moving towards the adoption of risk-based supervision.

Securities Unit – Current Position
Investment Services Guidelines (based on the current ISD 2) – Part CI of SLC 3.07(l) in the Conduct of Business Rules section states:
"The Licence Holder shall organise and control its affairs in a responsible manner and shall have adequate operational, administrative and financial procedures and controls ... and to enable it to be effectively prepared to manage, reduce and mitigate the risks to which it is exposed ... For this purpose, the Licence Holder shall have an appropriate Disaster Recovery and Business Continuity Plan which is regularly tested and updated"
Therefore, it is a standard licence condition to have a DRP and a BCP.
MFSA checks adherence through compliance visits.

Securities Unit – Current Position (cont.)
The Compliance Team shall:
- Check and see evidence that there is a proper BCP and procedures for disaster recovery
- Ensure that the BCP is proportionate and adequate for the size of the business and its activities
- See evidence that proper tests are being carried out, e.g. records of fire drills and IT shutdowns
No BCP in place means the licence holder is in breach of its licence conditions. The Compliance Team may give guidance regarding compliance.

Securities Unit – New Requirements under MiFID
The EU's Markets in Financial Instruments Directive (MiFID) is a comprehensive regulatory regime governing financial trading and intermediation in Europe. It replaces the ISD (1993) and follows the Lamfalussy four-level approach.
Directive 2004/39/EC is the MiFID framework directive under Level 1. Art. 13(4) – Organisational Requirements – states:
"An investment firm shall take reasonable steps to ensure continuity and regularity in the performance of investment services and activities. To this end the investment firm shall employ appropriate and proportionate systems, resources and procedures."

Securities Unit – MFSA's Draft MiFID Rules
Commission Directive 2006/73/EC is the implementing directive to 2004/39/EC (organisational and operating conditions for investment firms). It forms part of Level 2, and Art. 5(3) states:
"Member States shall require investment firms to establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to their systems and procedures, the preservation of essential data and functions and the maintenance of investment services and activities or, where this is not possible, the timely recovery of such data and functions and the timely resumption of their investment services and activities."
- Draft MiFID rules were issued by the MFSA for consultation in Jan 2007 and become applicable from 1 Nov 2007
- The Business Continuity section of MiFID is transposed in Part C rule 1.18(b), practically identical to Dir. 2006/73/EC
- Draft MiFID Rules are available on www.mfsa.com.mt

Insurance Business Unit – Current Position
BCP is not currently a specific requirement under any insurance legislation or regulation. However, BCP is still included in compliance visit procedures as "best practice".
Enquiries during on-site visits include:
- Is there a BCP?
- Does it include a DRP?
- Is it current and operational?
- Is it regularly tested?
- Are there procedures for recovery of data?
- Are there back-up procedures?
- Is restoration of backups tested?

Insurance Business – Impact of Solvency II
Solvency II is a complete overhaul of the supervision of insurance business within the EU, introducing a new solvency regime with an integrated risk approach that reflects the risks taken by insurers better than the current Solvency I regime.
- Currently in the consultation process, through CEIOPS
- Directive expected by end 2007
- Implementation by EU Member States scheduled for 2010
Three-pillar structure (as in Basel II and CRD):
- Pillar I – Quantitative capital requirements
- Pillar II – Qualitative supervisory review
- Pillar III – Market discipline
Employs the Lamfalussy four-level approach arrangements.

Insurance Business – Solvency II – Pillar II
Pillar II outlines the obligations of the Supervisory Authority and the insurers' general governance, including organisational structure and internal control mechanisms and processes to manage material risk, as appropriate to the nature, scale and complexity of the firm.
- Risk management, including business continuity functions, is ultimately the responsibility of management
- Written and clear policies in respect of internal control, outsourcing and risk management

Company Compliance Unit
The CCU is responsible for authorising and supervising companies offering fiduciary services, including mandatory and trustee services, in terms of the Trusts and Trustees Act (TTA). It is also responsible for considering applications for Listing in terms of the Listing Rules.
TTA Art. 47 empowers the MFSA to conduct compliance visits.
Clause 9.4 of the Code of Practice for Trustees states: "Trustees should have effective management and systems that are commensurate with the scale and complexity of the trust business to be undertaken. They must also have appropriate management resources to control the company's affairs (or in the case of individual trustees their business affairs), including ensuring compliance with legal obligations and standards under this Code."
BCP compliance is included in the new draft checklist for on-site visits by the CCU Compliance Team.

Banking Unit – Current Position
On-site compliance for credit and financial institutions:
- Verify completeness of the BCP
- Establish that the BCP is a comprehensive document providing guidance in the event of major incidents, which may include inability to access premises, systems outage, unavailability of key personnel, and occurrences that may preclude the institution from carrying out routine operations
- BCP to include a disaster recovery simulation performed at least once annually; test results are documented, and weaknesses identified are to be rectified within stipulated timeframes
- Ensure that a full IT system backup is taken daily
- BCP to outline employees' training procedures for its operation
- Plan to be commensurate with the institution's business dimensions

Capital Requirements Directive (CRD)
The CRD applies Basel II requirements to credit institutions and investment firms across the EU. There are three pillars under the new Basel II accord:
- Pillar I – the measurement of risk
- Pillar II – the supervisory review process
- Pillar III – market discipline, through a set of disclosure requirements
Pillar II enhances the link between a credit institution's risk profile, its risk management, its risk mitigation systems and its capital.
CEBS guidelines on Pillar II: BCP is encouraged as a "best practice" requirement and is part of the risk assessment process under Pillar II.
As "best practice", the Basel Committee on Banking Supervision, in a forum with other supervisors, came up with high level principles on business continuity.

High Level Principles of Business Continuity
The Joint Forum, based in Basel, is made up of:
- Basel Committee on Banking Supervision (BCBS)
- International Organization of Securities Commissions (IOSCO)
- International Association of Insurance Supervisors (IAIS)
It concluded in Feb 2005 that high-level principles on business continuity would contribute to the resilience of the global financial system.
Effective business continuity management was defined to incorporate business impact analyses, recovery strategies and business continuity plans, as well as programmes for testing, training and awareness, and communication and crisis management.
The 7 high level principles were developed for two distinct but related audiences: financial industry participants (including unlicensed providers to the financial services industry) and financial authorities.

The 7 High Level Principles of Business Continuity
- Principle 1: Board and senior management responsibility for the organisation's business continuity.
- Principle 2: Major operational disruptions affecting operations of the financial system within their responsibility are to be addressed in the BCP.
- Principle 3: Recovery objectives are developed reflecting the risk they represent to the operation of the financial system.
- Principle 4: Communications – procedures for communicating within their organisations and with relevant external parties form part of the BCP.
- Principle 5: Cross-border communications – procedures for communications with financial authorities in other jurisdictions in the event of major operational disruptions with cross-border implications.
- Principle 6: Testing – test their BCPs, evaluate their effectiveness, and update their business continuity management as appropriate.
- Principle 7: Business continuity management reviews by financial authorities, who should incorporate business continuity management reviews in the ongoing assessment of the financial industry participants for which they are responsible.

High Level Principles of Business Continuity – Case Studies
- US-Canadian electrical power grid outages in August 2003
- The impact of the 2003 SARS outbreak on Hong Kong SAR's securities markets
- The impact of the 2003 SARS outbreak on the Canadian securities industry
- The 2004 Niigata Chuetsu earthquake in Japan, measuring 6.8 on the Richter scale
- The London terrorist attacks on 7 July 2005: 50 killed and 700 injured; the public transportation system in London was at a complete standstill for a significant period

Business Continuity Issues for the UK Financial Sector 2007 – FSA
Business continuity is firmly on the FSA's agenda.
Priority Risk Report – agenda for compliance visits – represents a barometer of risk issues from both the regulator and regulated firms.
Cross-sectoral risks highlighted:
- Pandemic flu – tap reports by larger corporations
- Terrorism – still a real threat
Sectoral issues:
- Outsourcing in retail financial services (banks, insurance), especially offshore – emerging operational and reputation risk
- Investment banks and securities firms: MiFID implementation challenges; credit and equity derivatives – volume growth leading to back office backlogs
- Asset fund management – change in processes
- Hedge Funds – now subject to regulation by the FSA

Survey on BCP in Financial Services Firms (by OpRisk & Comp)
Firms are not taking BCP as seriously as they should:
- Board/senior management not giving importance to BCP – 68%
- Lack of funds/resources – 49%
- Difficulties in communicating the BCP internally – 32%
- Difficulties in co-ordinating with external stakeholders – 24%
- BCP regarded as an IT issue – 89%
- Employ specialised risk managers – 29%
- Compliance mentality towards BCP
- BCPs updated annually – 46%
Concern that BCP is not given priority due to compliance projects for MiFID, Basel II, SOX issues etc.

References
Capital Requirements Directives:
- Directive 2006/48/EC: http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_177/l_17720060630en02010255.pdf
- Directive 2006/49/EC:
MiFID:
- Framework Directive – Directive 2004/39/EC: http://europa.eu.int/eur-lex/pri/en/oj/dat/2004/l_145/l_14520040430en00010044.pdf
- Implementing Directive – Directive 2006/73/EC: http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_241/l_24120060902en00260058.pdf
High Level Principles for Business Continuity:
- Source: Bank for International Settlements website, available at http://www.bis.org/publ/joint14.pdf
Other:
- Malta Financial Services Authority (MFSA) – www.mfsa.com.mt
- UK Financial Services Authority (FSA) – www.fsa.gov.uk