Faster Payments Scheme Limited 2 Thomas More Square London E1W 1YN

CPMI-IOSCO SELF-ASSESSMENT PUBLIC DISCLOSURE FOR FASTER PAYMENTS SCHEME LIMITED (FPSL) 2015

Responding institution: Faster Payments Scheme Limited UK (English Law) Jurisdiction: Authority regulating of England

Date of Disclosure: 30th March 2015 For further information, [email protected] please contact:

PUBLIC – 1 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

I EXECUTIVE SUMMARY Faster Payments Scheme Limited (FPSL) is a Financial Market Infrastructure (FMI), designated under the Banking Act 2009 as a systemically important payment system. It is a not-for-profit, limited by guarantee company whose Company Members (referred to as ‘Members’) are direct settling participants in the Scheme which delivers a world-class instant payments capability to the UK payments market. Faster Payments was launched in May 2008 and delivers Near Real Time (NRT) payment services to meet the existing and future needs of the Members, their agency , corporates, government and retail customers. It achieves this by exploiting a shared infrastructure, delivering a highly reliable service and continuously innovating. FPSL is responsible for the operation and strategic development of the Faster Payments Service. It also provides both the management and administration of the Scheme and ensures Member and Supplier compliance with relevant internal Rules, Procedures, service levels and external regulation. The Faster Payments Service (FPS) provides, as its name suggests, a faster payment process than was previously available in the UK. The Scheme is composed of a group of banks and building societies called Members. Faster Payments currently has ten Members and over 250 financial institutions use agency arrangements to offer services to their customers. There are two main service levels in Faster Payments: 1) For payments where the customer is present, using internet, mobile or telephone banking, FPS provides a Near Real Time payment process. Customers making payments can be told, within a few seconds, that their payment has or has not been made. This is assured by exchanging a message with the beneficiary Member to check that the account exists and is open for credits. The beneficiary customer will receive the funds shortly thereafter. 2) For payments where the customer is not present, e.g. Standing Orders, the paying Member originates the payment on the due date and the beneficiary receives the funds via Faster Payment’s NRT system, i.e. same-day or better. The majority of Standing Orders are sent and accepted by 06:00 am.

History The Faster Payments Scheme commenced operations on 27 May 2008, when it was one of the first NRT retail payment systems in the world. The Scheme has grown markedly since launch and since the start of 2012, Faster Payments have processed all internet-banking payments and Standing Orders in the UK. In 2014, the Scheme processed over 1.1 billion payments with a value of more than £900bn. Faster Payments has not only become established in the UK payments landscape, but also provides a platform for further innovation in the UK payments market. Major projects for Faster Payments include helping Members enable mobile payments and providing automated redirection of payments for customers switching their current account. Faster Payments is the main payment mechanism for , the mobile payment service. The government acknowledges that the Faster Payments Scheme is of critical importance to the UK financial system and has confirmed that it meets the criteria for recognition set out in Part 5 of the Banking Act 2009. Accordingly, the Faster Payments Scheme is regulated by the . Faster Payments Scheme has a clearly defined set of rules and legal agreements (governed by English law) and has been designated (and continues to meet designation requirements) under the Settlement Finality Directive. Faster Payments processing is conducted in the UK only, although currently one participant is incorporated outside of the European Union.

PUBLIC – 2 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

FPSL Risk Profile FPSL manages a number of risk categories through its Risk Management Framework, the most inherently significant risks being:

• Cyber / Security Risk

• Third Party Supplier Failure Risk

• Direct Participant Operational Risk

• Legal / Regulatory Risk The consequences of a significant central processing outage or of a failure of the settlement process (including member failure to meet settlement obligations) are severe enough to be afforded a range of controls to prevent the risk occurrence. These include service levels and monitoring, secure messaging, secure dual site processing and strict change control. To mitigate settlement risk, Faster Payments Members’ net settlement positions are limited using hard debit caps. The caps are currently partially collateralised as a requirement of the Scheme’s Liquidity and Loss Share Agreement (LLSA). If a Member fails to settle, the LLSA also requires surviving Members to provide liquidity to meet any shortfall in the settlement obligations of the failed Member (up to the value of the largest Member). Surviving Members are subsequently partially refunded through liquidation of the failed Member’s collateral. The Scheme is awaiting changes in the Bank of England RTGS system that will allow participants to fully prefund their collateral with central bank money, eliminating any credit risk of default. This change had originally been planned for late 2014.

Self–Assessment Methodology This self-assessment has been undertaken by the FPSL Risk Management and Assurance Unit using a risk based assessment methodology. The following steps were undertaken: a) Initial review of the 24 principles from the CPMI-IOSCO Disclosure and Assessment Methodology and their associated key considerations to scope the assessment. b) Through a review of documentation and discussions with the Bank of England, agreement was made as to the scope and applicability of each principle and consideration. c) The Risk Unit then considered the status of FPSL’s observance to each of the principles and examined the risks to the Scheme inherent within each applicable principle. d) The Risk Unit then reviewed existing mitigating controls in place at the time of the assessment and assessed the effectiveness of these controls. e) The responses made were documented in a report and then independently audited by the Scheme’s third line Internal Audit Function. f) The final report was submitted to the Bank of England and Management Actions were tracked by FPSL Audit and Finance Committee.

In support of this disclosure, Faster Payments have presented to the Bank of England a report that sets out FPSL’s adherence to all principles and considerations. The self-assessment methodology described above was conducted as a second line Risk Unit activity, challenging first line management response and incorporating third line assurance via an independent internal audit. All gaps identified in the control framework are either in the process of remediation or are planned for remediation through defined Management Actions. This disclosure has been presented in its entirety to the FPSL Audit and Finance Committee and then to the FPSL Board. Their feedback has been incorporated in the final disclosure. Matters relevant to other

PUBLIC – 3 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015 committees for their consideration will be delegated in due course for monitoring and future mitigation decisions.

II SUMMARY OF MAJOR CHANGES SINCE THE LAST UPDATE OF THE DISCLOSURE

The significant changes from the March 2014 disclosure include:

• Governance within the Scheme has been further strengthened through the appointment of a third Independent Non-Executive Director (INED) as Independent Chair of the Audit and Finance Committee. The Risk Committee is also chaired by an Independent Director (Principle 2 relates).

• FPSL has further enhanced its Enterprise Risk Management Framework through the introduction of a Risk Information Management System (Magique) and development of a Risk Appetite Statement (Principles 3, 4, 15 and 17 relate).

• The Board Member voting protocol has been changed to better represent the interests of smaller Members by the movement to a ‘one director one vote’ model.

• With the addition of a third INED, the public interest veto of the independent directors has been strengthened by requiring a majority (>50%) of independent director votes, to be cast in favour for a public interest vote to be passed.

• The Articles of Association have been amended to explicitly incorporate integrity and financial stability goals in the Scheme’s Statement of Purpose.

• A Board level Cyber Risk Project Steering Group has been established to support security improvements and facilitate a major cyber security scenario test on the central infrastructure based on the CBEST framework.

III GENERAL BACKGROUND

History At its introduction in 2008, the Faster Payments Scheme was the first new payment system delivered in the UK since 1984, when the CHAPS Clearing System was launched. The Faster Payments Scheme is designed to enable electronic payments, typically made via the internet, mobile smart phone or telephone, to be processed in seconds rather than days. FPS can trace its creation from May 2005 when the Payment Systems Task Force, a stakeholder group chaired by the Office of Fair Trading, announced the introduction of a new service that would reduce clearing times on phone, internet and standing order payments. The banking industry committed to develop a system whereby payments would clear quickly and efficiently. In October 2005, the contract to provide the central infrastructure for this new service was awarded to Immediate Payments Limited (IPL), a joint venture company set up by Voca Limited and Link Interchange Limited. In 2007, the two organisations merged to form Limited. The new Faster Payments Scheme and infrastructure was launched on 27 May 2008 when banks rolled out the service to their customers. The Faster Payments Scheme runs alongside existing payment schemes in the UK such as CHAPS and Bacs. The responsibility for the day-to-day operation and management of the service is undertaken by FPSL although from November 2009 until 29th February 2012 this role was conducted by CHAPS Clearing Company Limited. VocaLink currently hold the contract to supply the central infrastructure for FPS.

PUBLIC – 4 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

Since the beginning of 2012, the UK Payment Services Regulations have required all payments to reach the recipients’ account no later than the working day after the originator was debited. Consequently, by 2012 Faster Payments was able to reach over 99.9% of UK customers.

Faster Payments Scheme Limited (FPSL) FPSL is responsible for the day-to-day operations and management of the service and is a Company Limited by Guarantee. The current Members* of the Scheme Company are: • Bank PLC • Citibank N.A. • PLC • The Co-operative Bank PLC • Northern Bank (formerly Danske Bank) • HSBC Bank PLC • PLC • Nationwide • The Royal Group • Santander UK PLC *‘Company Members’ are analogous to Shareholders in a normal Limited company. In addition, over 250 institutions access FPS via agency arrangements through one or more Members.

PUBLIC – 5 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

How does the Faster Payments work?

Who Can Use the Faster Payments? Users of the Faster Payments can be divided into participants from the financial service community that use the central infrastructure directly and those indirect users that use the service through another financial institution. Institutions can currently become participants in Faster Payments, either as Members, Direct Agencies, Third-Party Beneficiaries or as Corporates. All these participants are able to submit payments into the service, either singly and/or in bulk files, depending on what type of participant they are, using their own direct connection to the service. Key Parties and Processes in Faster Payments

The System Operator FPSL, the system operator, is an inter-bank organisation responsible for administering Faster Payments.

The role as System Operator is to: • Provide direct participants with the infrastructure for the exchange and settlement of Faster Payment Messages and manage the operational process.

• Define, agree and ensure compliance to Scheme Rules, Security Codes of Conduct, Procedures, and other reference documents.

• Ensure that the suppliers to the Scheme comply with their contractual obligations and by doing so monitor, measure and manage direct participants and Supplier compliance and performance in order to promote the highest levels of integrity evidenced against internal and external audit and oversight.

Company Members FPSL Members are banks or building societies, which have settlement accounts at the Bank of England suitable for the settlement of FPS payments. All Members connect directly to the FPS Central Infrastructure. The detailed Membership criteria are defined on the FPSL website, for example, Members must install a Bank of England Enquiry Link facility. Members may sponsor Directly Connected Agencies, Bureaux, Corporates and File Input Module (FIM) only Agencies.

PUBLIC – 6 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

Bank of England (RTGS) The Bank of England acts as the settlement agent and as the trustee for the collateral posted under the LLSA. The System is settled in the Bank of England’s Real Time Gross Settlement System (RTGS) system in the same way as other clearings (such as Bacs and Cheque and Credit Clearing). RTGS sends Faster Payments Scheme Members advices of the amounts to be settled via the Enquiry Link system.

Direct Agency A Direct Agency is a financial institution, which connects directly to the FPS Central Infrastructure but does not settle payments at the Bank of England. A Direct Agency is sponsored by a Member who authorises all debits and credits to and from Direct Agencies in near real time. A Direct Agency that is wholly owned by a Member may also sponsor Agencies, Corporates and Bureaux’.

Indirect Agency An Indirect Agency, such as a small bank or building society, sends and receives messages via a Member on its own behalf or on behalf of its customers, which themselves may be financial institutions.

Third Party Beneficiaries A Third Party Beneficiary is an organisation such as a credit card company or utility company that has a collection account with a Member. It is identified by one or more sort codes unique to the Third Party Beneficiary. Responding Third Party Beneficiaries are directly connected to the Central Infrastructure and operate a 24/7 service for payment receipt. Non-Responding Third Party Beneficiaries receive advice of payments, but, unlike a Responding Third Party Beneficiary, do not need to acknowledge receipt of such payments, and do not need to be connected to the Central Infrastructure 24/7.

Corporates Corporates are customers of a Member or an Indirect Agency, which sponsors them to have direct access to Faster Payments via Direct Corporate Access (DCA) for sending payments. No facilities are provided for Corporates to receive payments directly from Faster Payments. The Corporates’ Sponsoring Member (and Direct Agency or Indirect Agency where appropriate) authorises each file of payments from that Corporate. Each file contains payments drawn on a single account. Corporates submit payments in Standard 18 format; the DCA module translates them into a Faster Payments Scheme-specific format of ISO 8583.

Bureaux Bureaux submit files on behalf of Corporates. Each file contains payments from a single Corporate drawn on a single account. A submission may contain files drawn on different sponsors. Customers Personal and corporate customers of Members and Agencies may make and receive payments through FPS according to their contract with their Member or Agency.

General organisation of Faster Payments Scheme Limited (FPSL) FPSL has clearly defined governance arrangements, through Membership Agreements and the Company’s Memorandum & Articles of Association. The latter sets out the governance arrangements for Members and Directors:

• Participation and Membership criteria

• Composition, execution and reporting of General Meetings

• Member voting rights, including proxies and resolution arrangements

• Director’s powers, appointment and removal process

• Establishment and functioning of committees

PUBLIC – 7 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

FPSL operates a number of Board sub-committees to ensure good governance of the scheme, attended by directors and expert staff drawn from Members.

*Recently established Renumeration Committee (reporting to Board) and Cyber-Risk Project Steering Committee (reporting to the Risk Committee) are not yet on diagram.

Legal and Regulatory Framework FPSL has legal agreements in place with all relevant stakeholders (Members, VocaLink and Bank of England as Settlement Service Provider). All contracts are drawn up on behalf of Faster Payments Scheme Limited by professional lawyers. FPSL no longer has any operational or contractual relationship with the . All FPSL legal agreements contain a number of clauses which are commonly used in outsourcing agreements, for example:

• Governing Law (English law)

• Records Retention (six full years plus current calendar year from date of creation)

• Confidentiality and security

• Supplier personnel

• Warranties and undertakings

• External intervening threats

• Assignment, transfer and subcontracting

• Relief events (from failure to perform obligations)

• Regulatory compliance (with Bank of England Oversight)

• Insurance FPSL Scheme Rules and Procedures are designated under English law.

PUBLIC – 8 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

FPSL Risk Committee regularly monitors regulatory developments to ensure the company remains compliant.

System Design and Operations Payment Types The System supports the following payment types; all are credit (push) payments; FPS does not support debit (pull) payments:

• Single Immediate Payments (SIPs) • Forward Dated Payments (FDPs) • Standing Order Payments (SOPs) • DCA Corporate Bulk Payments (DCAs) • Return Payments • Scheme Return Payments

The latter two payment types are generated by the Receiving Member and the Central Infrastructure retrospectively. These return payments relate to payments that cannot be applied to an eligible account or cannot be processed on to the receiving bank.

Clearing Timetable The system clears 95% of Single Immediate Payments (SIPs) and Forward Dated Payments (FDPs) 24 hours a day, 7 days a week, 365/6 days a year in Near Real Time (NRT). The remaining 5% relate to payments being made to non-current accounts or sent to agency banks that may not operate 24/7. These payments are applied to the beneficiary account within timescales compliant with Payment Services Regulations. Standing Order Payments (SOP’s) are cleared only on ‘Working Days’ which are defined as Monday to Friday’s excluding English Bank Holidays. SOPS are always cleared within a single working day, so that the Originating Customer is debited on the same day that the Beneficiary Customer is credited. In most cases, Standing Orders are cleared by 06:00.

Settlement Risk As a Deferred Net Settlement (DNS) System, Settlement Risk is managed utilising Multilateral Net Sender Caps (MNSCs) that are currently supported by a lodgement of collateral at the Bank of England. The MNSCs are under the control of the Scheme. As mentioned above, all payments are processed through the system as single payments notwithstanding that, they might have been entered into the system as a file.

The Central Infrastructure maintains a Multilateral Net Settlement Position for each Member (MNSP). The MNSP equals the total payments of all Members and its sponsored Participants have received and accepted, less the total value of all payments it, and its sponsored Participants, have submitted and have been accepted.

As payments pass through, MNSPs are updated by debiting the sender Member Position and crediting the receiving Member Position subject to there being adequate headroom in the position to complete the debit transaction. Members utilise a Net Sender Threshold, which alerts them electronically if they are within a configurable percentage of their MNSC. This threshold is controlled by the Member.

PUBLIC – 9 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

Settlement within the System occurs three times per day on Working Days as defined above. The cut off times for settlement are currently; 07:00, 12:45 and 15:30. This is configurable both in the number of intra Working Day settlements and in the timing of the settlements.

Where there are one or more non-Working Days between the last settlement of a Working Day and the first settlement of the next Working Day, a Settlement Cycle can span several days. When a Settlement Cycle ends, it is ‘cut-off’ and a new Settlement Cycle starts. Therefore, for practical purposes a Settlement Cycle starts at one settlement cut-off and ends at the next settlement cut-off.

Shortly after settlement cut-off, the Central Infrastructure sends a SWIFT MT298 settlement message to the Bank of England, and also sends an Unsolicited Message (USM) to each Member informing them of their MNSP (how much the Member is obliged to pay or due to receive in the settlement). After a configurable period the Bank of England settles, and returns a settlement complete message to the Central Infrastructure, which informs Members that settlement is complete in an Unsolicited Message. All Members settle or no Members settle; there is no partial settlement.

PUBLIC – 10 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

IV: SUMMARY OF KEY POINTS ARISING FROM ASSESSMENT OF EACH PRINCIPLE

Principle Summary

1. Legal basis The FMI has a sound legal basis which is supported by a legal opinion from Scheme Members and its in-house legal team. An FMI should have a well-founded, clear, Although the strict enforceability of the Rules, Procedures and contracts cannot be transparent, and tested unless a party should choose to challenge the condition in the courts, FPSL enforceable legal basis is as confident as it can be as to their enforceability. The Rules, procedures and for each material contracts are also based on other payments schemes as a precedent. aspect of its activities in all relevant jurisdictions.

2. Governance FPSL has clear and transparent governance arrangements which follows best practice and promotes the safety and efficiency of the FMI. An FMI should have governance Recent improvements include the appointment of three Independent Non- arrangements that are Executive Directors (INED’s) as Chairman of the FPSL Board, Chair of the Risk clear and transparent, Committee and Chair of the Audit and Finance Committee. The job descriptions of promote the safety and the Independent Non-Executive Directors have an explicit reference to public efficiency of the FMI, interest and financial stability. and support the stability The Articles of Association have been amended to explicitly state integrity and of the broader financial financial stability in the Scheme’s Statement of Purpose. system, other relevant public interest The FPSL website has full details of Governance arrangements. considerations, and the A Board Effectiveness Review has been completed by the Company INED objectives of relevant Chairman. stakeholders.

3. Framework for the A fully documented Enterprise Risk Management (ERM) Framework is being comprehensive operationally embedded to support the identification, measurement, management, management of monitoring and reporting of risk within a risk management cycle. This includes risks Risk Policies, Appetite Statements and Limits. An FMI should have a FPSL has defined a clear plan to embed the policies and processes and to foster sound risk- a risk management culture. To support this, an Internal Audit has been conducted management to identify further gaps and to support tracking of improvements. framework for Compliance to the Principle has been strengthened through implementation of a comprehensively Risk Information Management System, Scenario Testing and development of managing legal, credit, recovery and wind-down plans. The ERM framework continues to be embedded in liquidity, operational, 2015. and other risks.

4. Credit risk FPSL manages Credit Risk within settlement as a key element of the wider ERM Framework and it is monitored through a dedicated Settlement Risk Committee. An FMI should Collateral is held and managed by the Bank of England on behalf of FPSL. effectively measure, monitor, and manage Cash prefunding of Net Settlement Caps (NSC) to eliminate credit and liquidity its credit exposures to risk within settlement is anticipated during 2015 subject to appropriate technology participants and those changes being completed in the Bank of England RTGS system. arising from its payment, clearing, and settlement processes.

PUBLIC – 11 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

Principle Summary An FMI should maintain sufficient financial resources to cover its credit exposure to each participant fully with a high degree of confidence.

5. Collateral FPSL retains responsibility for the collateral risk but the Bank of England, through a Deed of Charge between it and the Members, manages collateral on behalf of An FMI that requires FPSL, setting the requirements haircuts and limits and undertaking collateral collateral to manage its valuation. FPSL monitors collateral bi-monthly through the Settlement Risk or its participants’ credit Committee and FPSL obtains copies of the holdings of each Member, by nominal exposure should accept value and haircutted value (“Adjusted Market Value”) on a daily basis. collateral with low credit, liquidity, and Cash prefunding of Net Settlement Caps (NSC) to eliminate credit and liquidity market risks. An FMI risk within settlement is anticipated during 2015. should also set and enforce appropriately conservative haircuts and concentration limits.

7. Liquidity risk The ERM Framework contains suitable liquidity safeguards and management tools. These are documented and enforced in the Liquidity and Loss Settlement An FMI should Agreement (LLSA). effectively measure, monitor, and manage The payment system is denominated in Sterling only and the central infrastructure its liquidity risk. An FMI manages liquidity risk through a Net Sender Cap (NSC) mechanism. should maintain Settlement Risk Committee manages liquidity risk via reviews of eligible collateral, sufficient liquid NSC’s and contingency processes for management of liquidity, settlement and resources in all relevant participant default. FPSL conduct stress testing and regularly reviews the breadth currencies to effect and depth required for further stress and scenario testing. same-day and, where appropriate, intraday Cash prefunding of Net Settlement Caps (NSC) to eliminate credit and liquidity and multiday settlement risk within settlement is anticipated during 2015. of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate liquidity obligation for the FMI in extreme but plausible market conditions.

PUBLIC – 12 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

Principle Summary

8. Settlement finality Faster Payments guarantees in central bank money, settlement of a payment at the point it is accepted by the receiving party in the Central Infrastructure. An FMI should provide clear and certain final Full ‘Money Settlement’ by Members at the BoE is materially compliant for all settlement, at a Monday to Friday transactions lodged up to 3:30pm as they are settled on the minimum by the end of same day. Transactions lodged after 3:30pm or over the weekend are annotated the value date. Where as same value date, cleared immediately, but settled in the next day or the next necessary or Monday as appropriate. preferable, an FMI FPSL do not believe this settlement arrangement represents a material financial should provide final stability risk but is rated yellow to reflect residual settlement risk following settlement intraday or invocation of LLSA. This will be eliminated following introduction of pre-funding in real time. anticipated for 2015.

9. Money All money settlements are conducted and denominated through the Central Bank settlements in Sterling. An FMI should conduct its money settlements in central bank money where practical and available. If central bank money is not used, an FMI should minimise and strictly control the credit and liquidity risk arising from the use of commercial bank money.

13. Participant-default The Liquidity and Loss Sharing Agreement (LLSA) and Scheme Rules define rules and requirements and Procedures regarding defaults, use of collateral, calls for procedures liquidity and renegotiating and replenishing resources. An FMI should have Key points: effective and clearly • Scheme Rules published on the FPSL website are reviewed annually. defined rules and procedures to manage • The Bank of England is required to notify FPSL of any Member defaults. a participant default. • Procedures are made available to Members / suppliers and other relevant These rules and parties e.g. Bank of England. procedures should be designed to ensure that • Contingency processes to manage a single Member failure to settle and the the FMI can take timely LLSA being invoked are tested annually through a procedural test with action to contain losses Members and Bank of England RTGS. and liquidity pressures Principle will be fully compliant following completion of Prefunding project as all and continue to meet its Members failing scenario will then be covered. obligations.

15. General business As part of FPSL’s Enterprise Risk Management Framework, the identification and risk management of general business risk is embedded within the strategic planning processes. In addition, a risk register is maintained to track and manage identified An FMI should identify,

PUBLIC – 13 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

Principle Summary monitor, and manage risks through the Risk Committee. Reporting of financial controls and contingent its general business reserves is managed through the Audit and Finance Committee. risk and hold sufficient The Scheme has added to its reserves to ensure there are sufficient resources to liquid net assets funded continue operations and services as a going concern if losses materialise or by equity to cover funding from Members is delayed. potential general business losses so that The Scheme has developed a recovery/wind down plan and the Scheme Rules it can continue already provide adequate assurance for funding of FPSL operational continuity. operations and services Existing reserves are held in cash and in the event of Member default, or reserves as a going concern if falling close to minimum requirements, additional calls on Members are possible. those losses materialise. Further, liquid net assets should at all times be sufficient to ensure a recovery or orderly wind-down of critical operations and services.

16. Custody and All FPSL assets are held in regulated entities. The custodian banks’ accounting investment risks practices and procedures are supervised and monitored with annual audit statements available under their publicly disclosed financial statements. An FMI should safeguard its own and Company reserve funds (all cash) are held in these Member commercial banks its participants’ assets and are administered separately from the operating funds (also held in cash). and minimise the risk of They are monitored by the Scheme’s Finance / Accounting function. The Audit loss on and delay in and Finance Committee review financial reports quarterly. access to these assets. Participants’ assets are held and administered by the Bank of England in eligible An FMI’s investments (listed) collateral, which are reviewed regularly by the Settlement Risk Committee. should be in instruments with minimal credit, market, and liquidity risks.

17. Operational risk Through FPSL’s robust ERM policies, processes and procedures (see Principle 3) operational risks are: An FMI should identify the plausible sources of • Identified and assessed though defined risk management methodologies such operational risk, both as Risk and Control Self-Assessments of suppliers and Members. internal and external, • Captured in a consistent format within risk registers. and mitigate their impact through the use • Monitored and reported though risk reports and monthly operational risk KPI’s of appropriate systems, to the Risk Committee. policies, procedures, • Monitored for operational suppliers through appropriate supplier SLAs within and controls. Systems contracts on availability and capacity. should be designed to ensure a high degree of This framework is supported by the following elements: security and operational • Roles and responsibilities for the management of operational risk are clearly reliability and should defined and delegated by the Board to the Risk Committee in their Terms of have adequate,

PUBLIC – 14 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

Principle Summary scalable capacity. Reference. Business continuity • Service management is provided by VocaLink using ITIL standards and management should monitored by SLA reporting in the VocaLink contract and an annual ISAE3000 aim for timely recovery Audit. of operations and fulfilment of the FMI’s • Scheme contingency arrangements are managed through operational incident obligations, including in management procedures. the event of a wide- • Business continuity and disruption planning is in place, covering impact on scale or major Scheme and stakeholders. Plans are tested regularly and processes are disruption. documented.

• Security requirements are documented in the Security Policy and the Security Code of Conduct (SCoC) document. Assurance is provided through supplier contracts and Member self-certification. Compliance is monitored through the Operations Committee.

• Human Resources (HR) is managed through appropriate HR policies and procedures which are documented in a staff manual. This includes policies on staff reliability, succession planning, operational rotation of duties and skills training.

• Internal Audit is conducted through an independent function. Audit plans are agreed annually and key findings and recommendations are managed and tracked by the Audit and Finance Committee.

• The Audit and Finance Committee monitor assurance activities (including Internal Audit) and provide independent assurance to the Board on operational risk capabilities.

18. Access and FPSL strongly supports and encourages increased participation in the Scheme. participation To promote this, FPSL has an on-boarding team and the FPSL website provides requirements clear guidance on the criteria and requirements of participation. An FMI should have To ensure fair and open access for participation, FPSL Scheme Rules are objective, risk-based, reviewed by the Board and external legal counsel. To strengthen governance and publicly disclosed around access, three independent non-executive directors have responsibility for criteria for participation, ensuring fair and open access for participation. In addition, Member appointed which permit fair and directors are excluded from the new Member decision process. open access. Members’ on-going compliance to Scheme requirements are managed by FPSL through:

• Member self-certification to availability and security standards • Incident Management Procedures • Scheme review of regulatory compliance requirements • Maintenance of settlement account status • Allocation and use of valid sort codes Within Scheme Rules and Procedures, the following processes are documented: • The Membership application process • Orderly on-boarding Rules and exit Procedures • Member Default Procedure Formal projects are set up for effecting Member entry and exits, including those

PUBLIC – 15 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

Principle Summary arising from the impact of mergers and acquisitions of direct participants. Scheme Rules have been published on FPSL’s website and detailed information on costs, risks of Membership and technical specifications are available to prospective participants under NDA (Non-Disclosure Agreement).

19. Tiered The current risk exposure (materiality) from tiered indirect participation is judged to participation be relatively small compared to direct Member participation. Members are arrangements obligated under the Scheme Rules to ensure agency bank payment processing is compliant with Scheme requirements. An FMI should identify, monitor, and manage The data collection and analysis from Members is currently being improved so that the material risks to the the indirect agency position and associated risks can be monitored quarterly by FMI arising from tiered the Risk Committee and the Bank of England. Data gathered so far, does not participation indicate any cause for concern. arrangements. The Scheme has recently published a White Paper outlining how it intends to make both direct and indirect participation of all types of PSP easier in the future.

21. Efficiency and Operational effectiveness objectives are set primarily in the company strategy. effectiveness The on-boarding team also provides advice on the requirements for prospective participants. Additional advice is taken from customer fora and Electronic Scheme An FMI should be Affiliates to ensure end customer demands are met. efficient and effective in meeting the Operational efficiency and effectiveness objectives are set out in Scheme Rules requirements of its and Procedures and in supplier contracts in the form of Service Level Agreements participants and the (SLAs). Changes to objectives are driven by incident reports and operational markets it serves. reporting of performance against SLAs and KPI’s, highlighting areas for potential change. Monthly KPI reviews, SLAs, operational reports and major incident reports are all used to determine change requirements. Development Committee have the remit for ensuring Scheme design / operating structure meets market, legislative and participant requirements and the Development Committee Terms of Reference has been amended to specifically address the needs of the market. In addition, the recently appointed independent non-executive director’s remit includes liaison with the external market and the participants in meeting the customer requirements. Progress against the strategic development objective is monitored through the Development Committee and other committees, with progress against such objectives reported to the Board for quarterly review, appraisal and direction.

22. Communication Faster Payments uses internationally accepted communication protocols such as procedures and Multi-Protocol Label Switching (MPSL) standards to interconnect FPS Members standards and direct agencies through a real-time switch provided by a major UK telecoms provider. An FMI should use, or at a minimum Communications between the Bank of England and VocaLink used to effect accommodate, relevant settlements are conducted through SWIFT. Corporates submit payment files by internationally accepted secure internet connection direct to VocaLink. Indirect participants connect with communication direct Members via a range of services, with direct Members submitting payments procedures and on their behalf direct to VocaLink. standards in order to Direct Participants based outside the UK connect to VocaLink direct through UK facilitate efficient

PUBLIC – 16 –

CPMI-IOSCO Disclosure for Faster Payments Scheme 2015

Principle Summary payment, clearing, based Points of Presence. settlement, and Scheme procedures ensure that BIC/IBAN references are attached to cross- recording. border transactions

The Scheme uses the ISO 8583 international messaging standard. DCA corporate participants submit payment files to VocaLink via Standard 18 for subsequent conversion to ISO 8583 and onward transmission. SWIFT formats are used between the Bank and VocaLink for settlement transactions.

23. Disclosure of The Scheme publically disclose the following documents: rules, key • Company Articles of Association procedures, and • Scheme Rules market data • Trend Data on Volumes and Values • Fee Structure* An FMI should have • Governance structure clear and • Compliance to CPMI IOSCO principles summary comprehensive rules • Annual Accounts and procedures and *while there is no membership fee there are costs associated with Membership should provide which are set out on the website. sufficient information to enable participants to Detailed procedural documentation such as the Security Code of Conduct and have an accurate technical specifications are available to Members, potential Members, suppliers understanding of the and any participants nominated by Members under NDA. The Bank of England is risks, fees, and other also provided copies of all documents. These documents are all reviewed annually material costs they (including for clarity) by FPSL, Members and VocaLink. Full details of available incur by participating in documents are included in Appendix A. the FMI. All relevant Clarity of the Rules and Procedures is also addressed by discussion at rules and key committees, in the on-boarding process for new Members, via incident procedures should be management reviews and the annual Member self-certification process. publicly disclosed. Financial obligations of the participating Members are determined and provided to Members under the annual budgeting process. The annual budget process is managed by the Audit and Finance Committee and the Board signs off the budget.

PUBLIC – 17 –