Page 51 - ITU-T Focus Group Digital Financial Services – Interoperability
P. 51

ITU-T Focus Group Digital Financial Services
                                                       Interoperability



               51. RPEs participating in an interoperability agreement should assess the operational risks arising from
               interoperability. They should identify the possible effects of interoperability on their own ability to process
               payments in the normal course of business, and to manage risks that stem from other participating RPEs
               experiencing an external operational failure. RPEs should be committed to providing reliable services, not only
               for the benefit of their customers, but for all entities that would be affected by their inability to effect payments.
               52. Participating RPEs should agree on specific service levels. These levels should be defined in a service
               level agreement and include operational reliability requirements for interoperability. RPE availability should
               be specified as part of the agreement rules, including the strategies for dealing with RPE non-availability in a
               way that still provides satisfaction to customers.

               53. An interoperability agreement should impose on participating RPEs, general obligations to follow and
               comply with. The agreements should include an obligation for RPEs to have a compliance program to ensure
               service continuity. The impact on customers when a RPE is non-compliant is different in batch systems and
               real time payment systems. In a batch system, there may be time for a remitting RPE to correct and resubmit
               rejected payments without customers being aware, whereas in a real-time system payment rejections impact
               the customer immediately. Therefore, real time systems normally require higher levels of testing to ensure
               continuity of service both during implementation and also when RPEs and central processors make changes
               post live. Participating RPEs should agree bilaterally what testing regimes they need to apply to ensure that
               all actors remain compliant with all agreed technical rules and standards.
               54. Connectivity and security policies of RPEs should be covered by an interoperability agreement. One
               solution could be for full alignment between systems and security provisions and for preferred technology
               solutions to be agreed and specified under the agreements. As an alternative, networks and security protocols
               could be agreed upon bilaterally by participating RPEs. In practice, there may be a general rule whereby the
               sending RPE uses the connectivity solutions and complies with the security of the receiving RPE.
               55. RPEs participating in an interoperability agreement need to share information. RPEs should provide an
               appropriate level of information to share with each other in order for each of them to perform a robust and
               periodic assessment of the operational risks associated with interoperability and take measures to contain
               these risks. Systems and communication arrangements should be reliable and secure so that interoperability
               does not pose a significant operational risk to the participating RPEs. Any reliance on a critical service provider
               by a RPE should be disclosed as appropriate to the other RPEs. In addition, in the case of a cross-border
               interoperability arrangement, participating RPEs should consider operational risks resulting from complexities
               or inefficiencies associated with differences in time zones, particularly as these differences can affect staff
               availability.

               56. Operational malfunctioning should require cooperation. In case of operational malfunctioning, an incident
               is likely to be resolved more efficiently if the measures are undertaken by the participating RPEs in cooperation
               with each other and in accordance with pre-established, clear, and immediately available procedures, stating
               the division of responsibilities and contact information. It must be considered that an incident in interoperable
               systems could impact the processing of payments not involving interoperability, and vice versa. Thus, rules and
               procedures related to business continuity should be coordinated and regularly tested; contact lists should be
               kept updated for both normal and abnormal circumstances.

               FINANCIAL RISK

               Principle 5: RPEs participating in an interoperability agreement should closely monitor and effectively measure
               and manage the financial risks arising from the agreement.

               Key issues:

               5.1  RPEs should have a clear understanding of the impact interoperability has on each of the financial risks
                    they incur.

               5.2  The assets used for settling payments via interoperable systems should carry little or no credit or liquidity
                    risk.




                                                                                                       41
   46   47   48   49   50   51   52   53   54   55   56