New licence conditions imposed on NZ fin services to boost tech resilience

FMA regulation change

A range of New Zealand-based financial services providers will be subject to new standard licensing conditions requiring operationally resilient technology systems and shortened reporting timeframes for cyber and outage incidents.

The new conditions, imposed by NZ’s financial regulator the Financial Markets Authority (FMA), affect a range of market service licences, including managers of registered investment schemes, providers of discretionary investment management services, derivatives issuers and prescribed intermediary services, which include peer-to-peer lending providers and crowdfunding service providers.

The new conditions come into force from 1 July 2024.

Under the new licence conditions, which the FMA consulted stakeholders on last year, licence holders will be required to maintain a documented business continuity plan that is appropriate for the scale and scope of their service, as well as ensure their critical technology systems are operationally resilient, secure and reliable for their uninterrupted delivery.

Furthermore, licence holders will be required to notify the FMA within 72 hours of the discovery of an event (typically cyber and operational incidents) that materially impacts critical technology systems – notably, an event which disrupts or affects the provision of the licensee’s market service or has an adverse impact on recipients of those services.

The FMA said this expedited reporting timeline, which demands action at the time of discovery and no later than 72 hours, reflects the increasing reliance on technology by licence holders and the likelihood of harm to consumers and investors should a disruption occur.

It also, the FMA added, reflects the significance of technology systems in maintaining “sound and efficient financial markets”.

The regulator said it is currently developing an online notification template to assist regulated entities with the notification process, enabling “rapid notification of essential information [and] updates as information becomes clearer” for licensees.

Alongside co-regulator the Reserve Bank of New Zealand (RBNZ), the FMA will also develop a secure online portal to submit these notifications.

“The form is intended to be light-touch and, for RBNZ-regulated entities, compatible with the cyber incident notification process.”

FMA director of specialist supervision and response Peter noted that the online notification form would aid reporting by entities and provide the FMA early notification of these time-sensitive incidents.

“We have also ensured that Reserve Bank-regulated entities are not further burdened by ensuring this process remains compatible with the Reserve Bank requirements,” he added.

“The FMA continues to build its regulatory framework for promoting cyber and operational resilience in the financial markets.”

He added: “The feedback from our consultation on the new standard condition shows that the market is also supportive of our plan. We have used the feedback to refine our approach and help reduce regulatory burden.”

The FMA notes that a similar standard condition is already in place for licensed financial advice providers (FAPs), and the same standard condition will apply to financial institutions to be licensed under the FMC Act as amended by the Financial Markets (Conduct of Institutions) Amendment Act 2022 (CoFI).