New Zealand regulator criticizes NZX for technology issues
New Zealand’s Financial Markets Authority (FMA) today released a review of NZX, concluding that the stock exchange failed to meet its licensed market operator obligations due to insufficient technology resources.
The regulator explains that, as a licensed market operator, NZX is required to meet certain obligations under the Financial Markets Conduct Act (FMC Act). One of those obligations is to have sufficient technology resources to operate its licensed markets properly, including arrangements to ensure market disclosures are made available.
The FMA launched a targeted review of NZX’s technology after it suffered trading volume-related system issues and outages in April 2020. The scope of the review was expanded following DDoS (Distributed Denial of Service) attacks on NZX in August 2020.
The regulator also had concerns that NZX’s trading system was unable to trade securities at zero or negative yields. The volume-related issues and DDoS event repeatedly halted or disrupted market activity.
Overall, the FMA review found NZX did not have adequate technology capability across its people, processes and platform to comply with market operator obligations, especially in the context of its systemic importance. Additionally, the performance of NZX’s systems did not meet regulatory requirements or expectations for fair, orderly and transparent markets.
Regarding NZX’s trading volume-related issues, the FMA review concluded fundamental tools and practices were either lacking, insufficiently robust or not fully utilised. NZX was aware of the capacity limitations of its core back-end processing system, particularly as daily trading volumes had increased in the last three years.
In relation to the DDoS attacks, the FMA review found NZX’s crisis management planning and procedures were basic. A DDoS attack was foreseeable, the FMA review determined, and an attack of sufficient magnitude to take down servers – and with them NZX’s market announcement platform – was at least possible and should have been planned for. NZX self-rated its IT security profile at a basic maturity level, indicating that a number of best practices had not been adopted.
NZX is required to develop a formal action plan to address the issues raised by the FMA. The market regulator has met with the NZX Board to discuss its findings and received assurances that the NZX Board takes responsibility for making the necessary investment and addressing the issues highlighted in the report.
Sanctions for a breach of NZX’s statutory obligations are limited. However, given the commitments received from NZX and the action plans already initiated by NZX following its internal and external reviews, the FMA considers the requirement to produce a detailed, time-bound action plan will be sufficient. The FMA acknowledges NZX has already taken significant steps to improve its systems and processes.