DIRECTIVE 2014/18/EAC OF THE COUNCIL OF MINISTERS
Of (Date of Approval by Council of Ministers)

DIRECTIVE OF THE EAC ON BUSINESS CONTINUITY FOR SECURITIES MARKETS

PREAMBLE

The Council of Ministers of the East African Community,

Having regard to the Treaty establishing the East African Community and in particular Articles 85 (d), 14 and 16;

Having regard to the recommendations of the Sectoral Council on Finance and Economic Affairs;

WHEREAS Article 31 of the Protocol on the Establishment of the East African Community Common Market provides that, for the proper functioning of the Common Market, the Partner States undertake to co-ordinate and harmonise their financial sector policies and regulatory framework to ensure the efficiency and stability of their financial systems as well as the smooth operation of the payment system;

WHEREAS Article 47 of the Protocol on the Establishment of the East African Community Common Market provides that the Partner States shall undertake to approximate their national laws and to harmonise their policies and systems for purposes of implementing this Protocol, and that the Council shall issue directives for the purposes of implementing this Article;

HAS ADOPTED THIS DIRECTIVE:

ARTICLE 1
INTERPRETATION

Alternative Site means a site held in readiness for use during a business continuity event to maintain an organisation's business continuity, and may relate to workspace or technology requirements.

Business Continuity means a state of continued, uninterrupted operation of a business.
Business Continuity Plan means a comprehensive written plan of action that sets out the procedures and establishes the processes and systems necessary to continue or restore the operation of an organisation in the event of a disruption.

Business Continuity Management means a whole-of-business approach that includes policies, standards and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption.

Business Impact Analysis means the process of identifying and measuring (quantitatively and qualitatively) the business impact or loss of business processes in the event of a disruption. It is used to identify recovery priorities, recovery resource requirements and essential staff, and to help shape a business continuity plan.

Communication Protocols means established procedures for communicating that are agreed in advance between two or more parties internal or external to an organisation. Such procedures include the methodology for transmitting, writing and reading data, the nature of the information that should be shared with various internal and external parties, and how certain types of information should be treated (e.g. public or non-public).
Community means the East African Community established by Article 2 of the Treaty;

Competent Authority means the national regulatory agency that is the primary supervising entity of securities markets in the Partner State;

Council of Ministers means the Council of Ministers of the Community established by Article 9 of the Treaty;

Critical Market Participants means participants in financial markets that perform critical operations or provide critical services. Their inability to perform such operations or provide such services, for their own or others' benefit, could pose a significant risk of major disruption to the continued operation of individual participants or the financial system.

Critical Operation or Service means any activity, function, process or service, the loss of which would be material to the continued operation of the regulated persons, Competent Authority and/or financial system concerned. Whether a particular operation or service is critical depends on the nature of the relevant organisation or financial system. Data centre operations are an example of critical operations for most regulated persons.
Examples of critical services to financial systems include, but are not limited to, large-value payment processing, clearing and settlement of transactions, and supporting systems such as funding and reconciliation services.

Emergency Response Organisation means an organisation responsible for responding to hazards to the general population (e.g. fire department, police services).

Financial Authorities means a financial sector regulatory or supervisory organisation, other than the Competent Authorities, having some level of responsibility for safeguarding, and maintaining public confidence in, the financial system. Examples include prudential supervisors of insurance companies, banks and other deposit-taking institutions, as well as financial services consumer protection agencies. Non-supervisory central banks are included in their capacity as overseers of payment and settlement systems.

Major Operational Disruption means a high-impact disruption of normal business operations affecting a large metropolitan or geographic area and the adjacent communities that are economically integrated with it. In addition to impeding the normal operation of regulated persons and other commercial organisations, major operational disruptions typically affect the physical infrastructure.
Partner States means the Republic of Burundi, the Republic of Kenya, the Republic of Rwanda, the United Republic of Tanzania and the Republic of Uganda, and any other country granted membership of the Community under Article 3 of the Treaty;

Recovery means the rebuilding of specific business operations following a disruption to a level sufficient to meet outstanding business obligations.

Recovery Objective means a pre-defined goal for recovering specified business operations and supporting systems to a specified level of service (recovery level) within a defined period following a disruption (recovery time).

Regulated person means any organisation or natural person that is licensed, approved or in any way regulated by the Competent Authority, and includes securities exchanges, broker/dealers, investment advisers, registrars, custodians, managers, trustees and authorised corporate directors of collective investment schemes, and any other category of persons or institutions as the Authority may from time to time designate.

Resilience means the ability of a financial industry participant, financial authority or financial system to absorb the impact of a major operational disruption and continue to maintain critical operations or services.
Treaty means the Treaty for the Establishment of the East African Community and any Annexes and Protocols thereto.

ARTICLE 2
PRINCIPLES

In implementing this Directive, Partner States shall ensure that:

the requirement for sound business continuity management applies to all Competent Authorities and regulated persons, and that the ultimate responsibility for business continuity management, as with the management of other risks, rests with an organisation's board of directors and senior management;

organisations explicitly consider and plan for major operational disruptions;

regulated persons develop recovery objectives that reflect the risk they represent to the operation of the financial system;

business continuity plans address the full range of internal and external communication issues an organisation may encounter in the event of a major operational disruption;

the communication procedures of Competent Authorities and regulated persons address communications with Competent Authorities in other jurisdictions in the event of major operational disruptions with cross-border implications;

business continuity plans are effective, and necessary modifications are identified through periodic testing; and

Competent Authorities incorporate business continuity management reviews into their frameworks for assessing regulated persons.

ARTICLE 3
SCOPE

This Directive shall apply to the Competent Authorities and all regulated persons in the Partner States.
ARTICLE 4
OBJECTIVE

The objective of this Directive is to enable the Competent Authorities and regulated persons in the EAC to analyse the potential and actual operational disruptions they may face, and to make provision for the development of business continuity plans with a view to:

facilitating timely recovery of core business functions;

protecting the wellbeing of employees, families and clients of market intermediaries and Competent Authorities;

minimising loss of revenue and clients;

maintaining market confidence and the reputation of market intermediaries and Competent Authorities;

minimising loss of data and/or information;

reducing the critical decisions to be made in a time of crisis; and

ensuring efficient markets and reducing systemic risks.

ARTICLE 5
BOARD AND SENIOR MANAGEMENT RESPONSIBILITY

Regulated persons and Competent Authorities shall have effective and comprehensive approaches to business continuity management. An organisation's board of directors and senior management are collectively responsible for the organisation's business continuity.

Business continuity management shall be an integral part of the overall risk management programme of regulated persons and Competent Authorities. Business continuity management policies, standards and processes shall be implemented on an enterprise-wide basis or, at a minimum, embedded in an organisation's critical operations. Comprehensive business continuity management addresses not only technical considerations but also the human dimension.

An organisation's board and senior management shall be responsible for managing its business continuity effectively and for developing and endorsing appropriate policies to promote resilience to, and continuity in the event of, operational disruptions, and shall:

provide sufficient financial and human resources to implement and support the organisation's approach to business continuity management; and

create and promote an organisational culture that places a high priority on business continuity.
An organisation's board and senior management shall recognise that outsourcing a business operation does not transfer the associated business continuity management responsibilities to the service provider.

A framework shall be implemented for reporting to the board and senior management on matters related to business continuity, including implementation status, incident reports, testing results and related action plans for strengthening an organisation's resilience or its ability to recover specific operations.

An organisation's business continuity management shall be subject to review by an independent party, such as an external auditor, and significant findings shall be brought to the attention of the board and senior management on a timely basis.

The roles, responsibilities and authority to act, as well as succession plans, shall be clearly articulated in an organisation's business continuity management policies. A locus of responsibility for managing business continuity during a disruption shall be established, such as a crisis management team with appropriate senior management membership.

Competent Authorities should be satisfied that they have powers that provide sufficient flexibility to respond appropriately and expeditiously to the wide range of issues that might arise during an operational disruption affecting their own operations or those of the financial system. Given the interdependencies within financial systems, it would be useful for financial authorities that share oversight responsibilities for a given financial system to agree on an appropriate framework for coordinating the response to major operational disruptions affecting that system.
ARTICLE 6
MAJOR OPERATIONAL DISRUPTIONS

Regulated persons and Competent Authorities shall incorporate the risk of a major operational disruption in their business continuity plans. The extent to which a regulated person prepares to recover from a major operational disruption shall be based on its unique characteristics and risk profile, and its business continuity plan shall include the identification, through a business impact analysis, of those business functions and operations that are to be recovered on a priority basis, and shall establish appropriate recovery objectives for those operations.

A Competent Authority shall play a major role in monitoring the status of the regulated persons for which it is responsible, and in coordinating efforts to recover critical services to the financial system.

Competent Authorities and regulated persons shall evaluate whether their business continuity management is sufficient to address major operational disruptions, and shall review the adequacy of their recovery arrangements in the following areas:

whether the alternate site of the regulated person or Competent Authority is sufficiently remote from its primary business location, and whether it depends on the same physical infrastructure components;

whether the alternate site has sufficient current data and the necessary equipment and systems to recover and maintain critical operations and services for a sufficient period of time in the event that the primary offices are severely damaged or access to the affected area is restricted; and

whether the business continuity plan requires the regulated person or Competent Authority to provide sufficient staff and resources to recover critical operations and services consistent with its recovery objectives.

ARTICLE 7
RECOVERY OBJECTIVES

Regulated persons shall develop recovery objectives that reflect the risk they represent to the operation of the financial system.
The recovery objectives shall be established in consultation with, or by, the relevant Competent Authorities.

Regulated persons shall consider the extent to which they pose a risk to other regulated persons' operations and to the financial system, and shall augment their business continuity management to determine how a disruption of their operations would affect the operation of the broader financial system.

The Competent Authorities and other financial sector regulators shall provide guidance to assist regulated persons in making the assessment referred to in sub-article (2) above.

The board and senior management of the regulated person will be accountable for the regulated person's recovery objectives.

The Competent Authorities, in assessing the reasonableness of a regulated person's recovery objectives, will consider the increased risk of failed transactions, liquidity and solvency problems, and loss of confidence that accompany prolonged disruptions in the financial system.

The recovery objectives of regulated persons shall identify expected recovery levels and recovery times for specific activities.

The recovery objectives shall provide regulated persons with: benchmarks for testing the effectiveness of their business continuity management; assurance that regulated persons representing similar external risks will attain a consistent level of resilience; and the ability to identify the appropriate timeframes for implementing the recovery objectives.
ARTICLE 8
COMMUNICATIONS

Regulated persons and Competent Authorities shall include in their business continuity plans procedures for communicating within their organisations and with relevant external parties in the event of a major operational disruption.

Regulated persons and Competent Authorities shall maintain clear and regular communication throughout the duration of a major operational disruption, so as to maintain public confidence in the operations of the regulated persons and Competent Authorities and in the financial system as a whole.

The business continuity plans of regulated persons and Competent Authorities shall incorporate comprehensive emergency communication protocols and procedures, including:

the external parties with whom to communicate; and

information regarding the status of the financial system, and information from other organisations that provide physical infrastructure services regarding the status of any services required for the implementation of the participant's business continuity plan.

A Competent Authority may consider the following issues in dealing with emergency communication:

the issuing of public statements during a crisis to assure the markets and the public that appropriate measures are being taken, and to inform them of those measures; and

coordination with Competent Authorities and other financial regulators who share oversight responsibilities for a group comprising more than one regulated person, which may designate one Authority to act as a "coordinator" for purposes of facilitating communication during a major operational disruption.

The communication procedures of the regulated persons and the Competent Authorities shall include the following:

identification of those responsible for communicating with staff and the various external stakeholders;
building on any communication protocols that already exist within the financial system, and including contact information for relevant domestic financial authorities, regulated persons and the local emergency response organisations, to facilitate an assessment of the condition of the financial system and coordination of recovery efforts;

addressing related issues that can arise during a major operational disruption, such as how to respond to failures in primary communication systems;

in the case of Competent Authorities, including, as appropriate, contact information for national or regional protection and intelligence agencies and other relevant governmental authorities; and

providing for the regular updating of calling trees and other contact information, and the periodic testing of calling trees.

ARTICLE 9
CROSS-BORDER COMMUNICATIONS

The communication procedures of regulated persons and Competent Authorities shall address communications with Competent Authorities and regulated persons in other jurisdictions in the event of major operational disruptions with cross-border implications.

Regulated persons and Competent Authorities shall pay special attention to communication procedures for disruptions of regional and international scope arising from a major operational disruption across national borders.

Regulated persons shall consider the possibility that a disruption of their business operations in one jurisdiction will affect significant subsidiary or branch operations, or otherwise affect the financial system, in other jurisdictions. Where this outcome is possible, a regulated person's communication protocols shall address the circumstances under which it will contact the relevant non-domestic Competent Authorities.
Competent Authorities shall incorporate in their business continuity plans communication protocols for communicating with Competent Authorities and Financial Authorities in other jurisdictions in the event of a major operational disruption that affects (or could affect) the continued operation of the international financial system.

Competent Authorities shall hold periodic discussions with Competent Authorities and financial authorities in other jurisdictions to develop a shared understanding of the events that could have significant cross-border effects on the financial system, and to agree on procedures for communicating with one another under such circumstances and on the issues that should be addressed.

The issues that might be covered in the event of cross-border disruptions would include:

the impacts of the disruption in their respective markets and its contagion effects, if any;

issues involving emergency closures or suspensions of major markets;

changes in trading hours or clearing and settlement periods; and

the details of any regulatory forbearance that may have been extended.

ARTICLE 10
TESTING

Regulated persons and Competent Authorities shall test their business continuity plans, evaluate their effectiveness, and update their business continuity management as appropriate.

The testing, which may take many forms, shall be conducted periodically, with its nature, scope and frequency determined by the criticality of the applications and business functions, the organisation's role in broader market operations, and material changes in the organisation's business or external environment.

The testing should identify whether there is a need to modify the business continuity plan.