Public consultation on a proposed recast of the ECB Regulation on oversight requirements for systemically important payment systems (SIPS Regulation)

18 October 2024

The European Central Bank (ECB) is launching a public consultation on the planned recast of the regulation laying down oversight requirements for systemically important payment systems (SIPS Regulation). Over the past year a general review of the Regulation was conducted, and several parts were identified for updating. In addition, the recast introduces changes to the Regulation that will allow a euro area branch that belongs to a non-euro area legal entity to be identified as a SIPS operator. To gather input from interested market participants, the public consultation on the proposed amendments will last for six weeks, between 18 October and 29 November 2024.

The planned recast of the SIPS Regulation entails the following main changes: 1) revision of the definition of a SIPS operator so as to exceptionally include a euro area branch of a legal entity located outside the euro area, as well as amendments catering for the oversight of such a branch; 2) new requirements on how SIPS operators are governed; 3) addition of a new article on cyber risk requirements; and 4) addition of a new article setting out key requirements for outsourcing.

1. The revised definition of a SIPS operator proposes allowing, on an exceptional basis, a euro area branch belonging to a legal entity located outside the euro area to be responsible for the operation of a SIPS. The changes also aim to enable the effective oversight of such a branch in its role as a SIPS operator. Regardless of the responsibilities imposed on the branch management, the overseer will also assess, when necessary, whether the legal entity to which the branch belongs meets the SIPS requirements.
2. With a view to increasing the effectiveness of their boards and management, it is proposed to explicitly require all SIPS operators to establish a risk committee. Additionally, SIPS operators are to be required to ensure that no member of the board, the management and (where applicable) the branch management, has a record in respect of convictions or penalties related to specific areas of law.
3. A new article setting out key requirements on cyber risk (currently laid out in the Eurosystem cyber resilience oversight expectations for financial market infrastructures (CROE)) is proposed. The new requirements include, among other things: definitions of key cyber-related terms; a requirement for SIPS operators to establish an effective cyber resilience framework and strategy; and further requirements on the identification and detection of cyber risks, as well as related protection, response and recovery. An obligation to establish a threat-led penetration testing programme is included, as well as requirements on situational awareness and continuous learning regarding the evolution of cyber risks.
4. Key requirements regarding outsourcing are proposed in an additional article. The new article includes high-level, legally binding requirements on managing outsourcing risk. A separate document to be published at a later stage will provide further detailed guidance on how outsourcing expectations under the Regulation are to be interpreted and implemented.

The SIPS Regulation (EU No. 795/2014) was adopted in 2014 by the Governing Council of the ECB. The current recast of the Regulation follows amendments made in 2017 and 2021. Read more about the Eurosystem’s role in the oversight of payments systems on our website.