FMA introduces new standard condition on business continuity and technology systems plus new process for reporting operational incidents

Media Release  
MR No. 2024 – 10

The Financial Markets Authority (FMA) – Te Mana Tātai Hokohoko – is introducing a new standard condition for certain market licence holders following consultation. The new licence condition will focus on business continuity and technology systems. The new condition will come into effect on 1 July 2024. 

The standard condition is relevant to the following types of market service licences: 

• Managers of registered schemes (but not restricted schemes)  
• Providers of discretionary investment management services  
• Derivatives issuers  
• Prescribed intermediary services (peer-to-peer lending providers and crowdfunding service providers). 

The new standard condition requires licence holders to have and maintain a business continuity plan that is appropriate for the scale and scope of its service. Licence holders will also be required to make sure that their critical technology systems are operationally resilient. If the licence holder suffers an event that materially affects the supply of its service, it must notify the FMA as soon as possible, or no later than 72 hours after it has determined the event is a material incident. 

New notification process for reporting incidents relating to the cyber and operational resilience of technology systems 

Most market services licence holders are required to notify the FMA of any event that materially impacts the operational resilience of their critical technology systems. This includes an event that materially disrupts or affects the provision of the licensee’s market service or has a materially adverse impact on recipients of those services.    

The FMA has launched a secure online notification form for licence holders to notify the FMA of material incidents. This will aid reporting by including key information that will be requested at the time of reporting and provide instructions on what is expected of licence holders. The form is intended to be light-touch and, for Reserve Bank regulated entities, be compatible with the Reserve Bank cyber incident notification process. 

FMA Director of Specialist Supervision and Response, Peter Taylor, said: “The FMA continues to build its regulatory framework for promoting cyber and operational resilience in the financial markets. The feedback from our consultation on the new standard condition shows that the market is also supportive of our plan. We have used the feedback to refine our approach and help reduce regulatory burden. 

“The online notification form for reporting of cyber and operational incidents is intended to aid reporting by entities and provide the FMA early notification due to the often time-sensitive nature of these incidents. We have also ensured that Reserve Bank regulated entities are not further burdened by ensuring this process remains compatible with the Reserve Bank requirements.” 

Related documents

• Standard conditions for Discretionary Investment Management Service (DIMS) [PDF], 300KB
• Standard conditions for Managed investment scheme manager (MIS) [PDF], 294KB
• Standard conditions for Peer-to-peer lending service providers [PDF], 277KB
• Standard conditions for Crowdfunding service providers [PDF], 292KB
• Standard conditions for Derivatives issuers [PDF], 337KB
• Regulatory impact statement: Standard condition on business continuity and technology systems [PDF], 584KB
• Submissions report: Standard condition on business continuity and technology systems  [PDF], 5.4MB

 

ENDS  

Notes 

Media contacts:  

Andrew Park  
FMA Media Relations Manager  
[email protected]
021 220 6770

Matt Chatterton  
FMA Senior Adviser, Media Relations  
[email protected]
021 241 7868