Payment systems oversight

Payment systems fulfill an important role in maintaining the stability of the financial system. Disruptions in the money cycle could have considerable repercussions, ranging from problems for individual stakeholders to the destabilization of the entire financial system, and, consequently, the undermining of confidence in the currency. Risks that are typically associated with payment systems include:

• credit risk (obligations are not met)
• liquidity risk (obligations are not met in time)
• legal risk (contracts prove impossible to enforce)
• technical-operational risk (human error, IT problems, terrorist attacks, etc. cause a system breakdown), and
• systemic risk (one participant’s or one system’s problems set off a chain reaction, causing disruptions in other payment systems or in the entire financial system)

The security of payment systems is of fundamental macroeconomic importance; therefore payment systems oversight is one of the key tasks of a central bank.

The OeNB carries out its oversight function under the framework provided by the oversight policies set out by the Governing Council of the ECB, which are based on Article 127 (2) of the Treaty on the Functioning of the European Union as well as Articles 3 and 22 of the Statute of the ESCB and of the ECB. The main oversight objectives are to prevent system failure and to safeguard the efficiency and security of market infrastructures. For further details on the legal framework for payment systems oversight at the European level, see the website of the ECB.

Under domestic law, the OeNB’s responsibility for payment systems oversight has been laid down in Article 44a of the Nationalbank Act. Domestic constitutional law moreover ensures that the OeNB is not bound by any instructions as the designated authority for payment systems oversight. The OeNB ordinance on the system security of payment systems, which entered into force on August 1 2023, aims to increase transparency for the subjects of oversight. The OeNB fulfills its statutory task in particular by conducting in-depth assessments of the measures implemented to ensure the security of payment systems (system assessments). Furthermore, the Nationalbank Act imposed statistical reporting requirements and empowered the OeNB to take sanctions in this area.

Operators of payment systems are the main subjects of oversight (see Article 44a para 5 Nationalbank Act), as they are ultimately responsible for the design of their systems, their organizational structure and processes as well as their systems’ operational soundness and technical security. Essentially, this includes the major Austrian financial market infrastructures for clearing and settling interbank payments and securities transactions (clearing systems, central counterparties and central securities depositories) as well as – in retail payments – above all card payment systems, point-of-sale operators or e-money systems.

The OeNB carries out payment system assessments both on a regular and on an ad hoc basis. On a global level, the key regulatory frameworks include the Principles for financial market infrastructures of the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO), which form the basis of the above mentioned OeNB ordinance on the system security of payment systems. These assessments focus on system security from

• the legal perspective: the legal basis on which a system operates must be clearly defined and enforceable among all stakeholders;
• the financial perspective: all system stakeholders must be aware of, and able to manage, the financial risks involved in operating, contributing to or using a system;
• the organizational perspective: the internal procedures and control structures must ensure smooth functioning and must work also under exceptional circumstances and in crisis events;
• the technical perspective: a system must ensure a high (i.e. state-of-the-art) level of confidentiality, integrity and availability. With regard to cybersecurity, the minimum requirement is that there must be mechanisms in place for sharing information on current threats and vulnerabilities, and the systems must be resilient to attacks.

If a system assessment identifies potential problems or shortcomings, the OeNB and system operators will agree on remedial measures, whose implementation is then reviewed in follow-up assessments.

The ECB has published on 3.12.2018 the Cyber resilience oversight expectations for financial market infrastructures (CROEs). They are based on the global CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures and build the framework for the oversight activities in the area of cyber resilience. The addressees of the CROEs are all payment systems, T2S as well as central counterparties and central securities depositories.

The OeNB monitors the ongoing operational activities of payment system providers and the participants of payments systems, who regularly report quantitative and qualitative information to the OeNB. This information is fed into payment systems statistics. If the OeNB identifies significant deviations or problems on this basis, it may launch an ad hoc system assessment.

To help us comply with our oversight responsibilities, we require payment system operators to report changes affecting supervised payment systems to the OeNB in a timely manner. Under Article 44a para 7a Nationalbank Act, operators of payment systems are obligated to inform the OeNB in writing of the launch or discontinuation of a payment system within a period of two weeks. Furthermore, payment system operators have to inform the OeNB in writing of the participants which have registered for their payment system and of any changes relating to system participants within a period of two weeks.

• The reports of system operators must include the following information:
  • In the event of the launch or discontinuation of a payment system: Name of the payment system; name and residence of the payment system operator; and name and residence of payment system participants, indicating the type of participation (e.g. direct or indirect).
  • In the event of changes relating to system participants: Name and residence of participants that have joined or left the payment system, indicating the type of participation (e.g. direct or indirect).
• Any changes are to be emailed to the OeNB.

In case of major security or operational incidents, the major incident reporting framework for payment schemes and retail payment systems is applicable. Operators of payment schemes and retail payment systems have to report such incidents via a standardized template. The documents (framework and template) can be requested from zsa@oenb.at.

Given the rise in cross-border activities and the growing integration of payment systems, regulation needs to ensure a level playing field across borders. This is why key European regulators (ECB, EBA, ESMA) are harmonizing regulatory practices and developing common regulatory frameworks.

The assurance that transactions will at some point be complete and will not be subject to reversal (finality of settlement) is of crucial importance to receivers of payments. The Austrian law on settlement finality in payment and securities settlement systems (Finality Act) provides for legal certainty in this context, mitigating the risks for participants in systems recognized under this law. Transactions processed and settled through recognized systems are legally binding, also for third parties. In Austria, the OeNB is responsible for recognizing payment and securities settlement systems under the Finality Act. See the ESMA website for an online list of designated payment and securities settlement systems across the EU.

The Eurosystem published the final oversight framework for electronic payment instruments, schemes and arrangements (PISA) in November 2021. This framework essentially serves two purposes: first, to consolidate existing oversight standards for card payment schemes (such as VISA or Mastercard), credit transfer schemes (such as SEPA) and the like into a single framework; and second, to integrate new standards for payment innovations (such as stablecoins) and related payment instruments.

The framework can be accessed on the ECB website (Eurosystem publishes new framework for overseeing electronic payments (europa.eu)) and consists of three documents:

• The oversight framework as such: Outlines who the framework is aimed at, provides definitions of key terminology (such as payment instrument, payment scheme, payment arrangement – see pages 3 to 5) and outlines the organization of oversight activity.
• Assessment methodology: Covers relevant oversight standards based on the CPMI-IOSCO principles for financial market infrastructures (PFMI).
• Exemption policy: Addresses proportionality considerations and provides thresholds definitions for users, amounts, etc.

The framework applies from November 15, 2022.

The ECB’s official response to the public consultation on the draft framework launched at the end of 2020 can be found here: Response to the public consultation on the Eurosystem oversight framework package for electronic payment instruments, schemes and arrangements (europa.eu).
All comments received by the ECB have been summarized in an Excel file and can be found here:
https://www.ecb.europa.eu/paym/pdf/consultations/ecb.PISApublicconsultation202111_5.en.xlsx.

Queries about PISA may also be addressed to the OeNB’s payment oversight experts at zsa@oenb.at.