Financial Market Infrastructure Risk

A Case Study Example: A look back at the IMF US Financial Services Review

If your hands are tied on a risk, do you really have a choice about what you can do about it?

Organisations often find themselves in a situation where they are locked into a relationship with a supplier (for a variety of reasons) that could potentially put themselves (and the customer) at risk. So, what do you do? What can you do?

Most will agree that the global financial ecosystem simply makes the world go round. To most people, we see this as a series of different banks in varying sizes looking after our money and offering various products and facilities. We know they are heavily regulated and we know they can face public scrutiny if they aren’t safeguarding the interests of their customers. 

However, just like any other company in any other sector, these banks are supported by a myriad of suppliers who they have come to rely on to meet the customer needs. Of the most important of “suppliers” are the organisations that support the financial transactions i.e. Financial Market Infrastructures (FMIs). These organisations are fundamental to everyone’s daily cash-flow and financial position. 

This article discusses the IMF‘s US Financial Services review as a case study example, which presents how concentration risk can and is occurring even in the most heavily of regulated and scrutinised industries.

Resilience Principles for FMIs

The IMF used a common set of known principles to make an assessment on US Financial Services.

CPSS IOSCO Principles to be exact…please don’t snore just yet and hear me out! 

I hadn’t previously heard of these principles before either, nor did I apply a great deal of thought into how they are used to assess anything.  However, the more I researched and the more I looked at this particular example from the U.S, the more I realised how it represented a good example of concentration risk (as well as being a useful thing to know that exists).

What are these Principles and where do they come from?

The principles for FMIs are the international standards for risk management for things like payment systems, central securities depositories, securities settlement systems, central counterparties and trade repositories (investment banking stuff). 

The principles were issued by the Committee on Payments and Settlement Services (CPSS) (later renamed (Committee on Payments and Market Infrastructures – CPMI) and the International Organisation of Securities Commissions (IOSCO).  

The G20 started it

The G20, for those that do no know) is an international forum for major economies. Its leaders meet and commit to various declarations. It is via this forum that the financial leaders committed themselves to enhancing the financial stability of the network of counterparty exposures between financial institutions i.e. the companies in the middle that help with all the transacting and clearing. You might be surprised to know there are quite a few globally!

During the 2009 conference, the G20 made a declaration to centralise over-the-counter derivatives by 2012. A year later, there was a further declaration to ensure that the financial market infrastructure supporting this activity had to have an established framework for national regulators. Hey presto – 2012 the principles get published.

So, what are the Principles?

The 2012 publication pushed out a standard set of principles for risk management within the financial market infrastructure space, with a view to the financial ecosystem becoming more resilient. These principles now act as an international standard and are designed to help ensure the resilience of the infrastructure that supports the global financial market. 

The publication comes complete with an assessment methodology making up nearly 300 pages of documentation to consume. In addition, the full document contains 24 broad principles and organisations are expected to adhere to them and perform self-assessments. 

The principles cover everything you would expect to see in a risk management framework for a financial services organisation. It covers everything from data disclosures, credit and liquidity risk exposure and settlement rules through to operational risk and governance.

The assessment methodology can be used as a self-assessment tool as well as a guide for examiners to benchmark against. For example,  the International Monetary Fund (IMF) recently used these principles as a benchmarking tool as part of the US financial services assessment. There is a publicly available white paper on their findings and I think it provides a really useful example of how the principles and its framework is applied.  

How are the Principles used?

The IMF financial sector assessment program released a technical paper on the supervision of financial market infrastructures and resilience of central counterparties in the US in August 2020. The analysis and recommendations appear to form part of the rationale for reviewing the way the financial market ecosystem (and the supporting infrastructure) is prepared for major business and market-wide impacting events.

The paper initially suggests a timeframe for delivery on most recommendations to fall between 1 and 2 years. This was obviously looked at prior to, and in the midst of, the global pandemic. Therefore, one might expect the response to this paper from the market and the associated regulators to not be perhaps as swift as they had originally hoped? It’s hard to say without working in one of them!

Too big or too important to challenge or change?

The case study assessment findings of the US Financial Services review set out a requirement to uniform some of the approaches to managing risk across the core FMIs. 


“FMIs are highly concentrated”

“Risks… include a failure of large globally significant U.S. FMIs, which could trigger a major market dislocation because of their quasi-monopoly position in the market.”

“For certain risk management measures, the mission found that in some cases the outcome of the implementation of PFMI risk management standards (by the CCPs) was uneven, specifically regarding the independence of the risk management function.”

International Monetary Fund – 2020

So basically, these organisations all do it differently and potentially not in alignment to the new rules. However, we can’t go anywhere else for the service so how they do it has to be just fine or we need to find a way to better regulate them / enforce change.

In fairness, I believe this report promotes the urgent need to improve governance in this space so there will undoubtedly be a marked improvement going forward.

However, I also believe that this is a representative example of a challenge across all sectors. Major players provide with you something essential to your customer and you can’t go anywhere else for. AWS, Azure etc. Do you accept the risk? Is there any other choice? Is this just the cost of doing business?


Third party outsourcing and operational resilience continues to be widely reviewed across regulatory and professional communities. The modern organisation is flush with supporting vendors in every way one can imagine. One might argue that some companies are nothing more than a front-end brand with a finance team and a third-party management group! 

The case study example represents a circumstance that business owners and leaders will find themselves in if they haven’t already. A third-party relationship becomes too big to challenge and is that okay?

This IMF assessment on US FMIs was published in the summer of 2020.  I wonder how much of an influence it has had to prompt the wider US or global regulatory landscape to address the risk management and resilience capabilities within the FMIs? I also wonder if stuff like this is used to also demonstrate the issue of concentration risk with third parties? I guess time will tell.