2.4. Technology resources
2.4.1. Sufficient resources
An Authorised Market Institution must have sufficient technology resources to continually operate, maintain and supervise its facilities.
2.4.2. Confidentiality
The Authorised Market Institution must take reasonable steps to ensure that its information, records and data are secure and the confidentiality is maintained.
2.4.3. Cyber-security
The Authorised Market Institution must take reasonable steps to ensure that its information technology systems are reliable and adequately protected from external attack or incident.
2.4.4. Resources of Members
(1) An Authorised Market Institution must ensure that its Members and other participants on its facilities have sufficient and secure technology resources which are compatible with its own.
(2) The requirements in (1) do not apply to:
- (a) an Authorised Crowdfunding Platform (or its Clients);
- (b) [intentionally omitted]
2.4.5. On-going monitoring
For the purposes of meeting the requirement in AMI 2.4.1, an Authorised Market Institution must have adequate procedures and arrangements for the evaluation, selection and on-going maintenance and monitoring of information technology systems. Such procedures and arrangements must, at a minimum, provide for:
- (a) problem management and system change;
- (b) testing information technology systems before live operations in accordance with the requirements in AMI 2.4.6 and 2.4.7;
- (c) real time monitoring and reporting on system performance, availability and integrity; and
- (d) adequate measures to ensure:
  - (i) the information technology systems are resilient and not prone to failure;
  - (ii) business continuity in the event that an information technology system fails;
  - (iii) protection of the information technology systems from damage, tampering, misuse or unauthorised access; and
  - (iv) the integrity of data forming part of, or being processed through, information technology systems.
2.4.6. Testing of technology systems
An Authorised Market Institution must, before commencing live operation of its information technology systems or any updates thereto, use development and testing methodologies in line with internationally accepted testing standards in order to test the viability and effectiveness of such systems. For this purpose, the testing must be adequate for the Authorised Market Institution to obtain reasonable assurance that, among other things:
- (a) the systems enable it to comply with all the applicable requirements, including legislation, on an on-going basis;
- (b) the systems can continue to operate effectively in stressed market conditions;
- (c) the systems have sufficient electronic capacity to accommodate reasonably foreseeable volumes of messaging and orders;
- (d) the systems are adequately scalable in emergency conditions that might threaten the orderly and proper operations of its facility; and
- (e) any risk management controls embedded within the systems, such as generating automatic error reports, work as intended.
2.4.7. Testing relating to Members’ technology systems
(1) An Authorised Market Institution must implement standardised conformance testing procedures to ensure that the systems which its Members are using to access facilities operated by it have a minimum level of functionality that is compatible with the Authorised Market Institution’s information technology systems and will not pose any threat to fair and orderly conduct of its facilities.
(2) An Authorised Market Institution must also require its Members, before commencing live operation of any electronic trading system, user interface or a trading algorithm, including any updates to such arrangements, to use adequate development and testing methodologies to test the viability and effectiveness of their systems, to include system resilience and security.
(3) For the purposes of (2), an Authorised Market Institution must require its Members:
- (a) to adopt trading algorithm tests, including tests in a simulation environment which are commensurate with the risks that such a strategy may pose to itself and to the fair and orderly functioning of the facility operated by the Authorised Market Institution; and
- (b) not to deploy trading algorithms in a live environment except in a controlled and cautious manner.
(4) The requirements in (1)-(3) do not apply to:
- (a) an Authorised Crowdfunding Platform (or its Clients); or
- (b) [intentionally omitted]
2.4.8. Regular review of systems and controls
(1) An Authorised Market Institution must undertake regular review and updates of its information technology systems and controls as appropriate to the nature, scale and complexity of its operations.
(2) For the purposes of (1), an Authorised Market Institution must adopt well defined and clearly documented development and testing methodologies which are in line with internationally accepted testing standards.