Compliance

Service Compliance

SIPS

As a critical system for the national economy, STET is classified by the Eurosystem as a Systemically Important Payment System (SIPS). Consequently, STET complies with the ten Core Principles established for SIPS and aims to comply with European Central Bank Regulations No. 795/2014 and No. 2017/2094.

The Requirement for Operational Excellence

The Core Principles require the following:

  • I. A well-founded legal basis
  • II. Rules that enable participants to clearly understand financial risk
  • III. Clearly defined procedures for managing credit and liquidity risk
  • IV. Prompt final settlement on the value date
  • V. Timely completion of daily multilateral net settlement in the event of a participant failure
  • VI. Settlement assets that are preferably claims on the central bank
  • VII. A high degree of security, operational reliability, and contingency arrangements to ensure daily processing is completed
  • VIII. A payment system that is practical for users and efficient for the wider economy
  • IX. Objective participation criteria that ensure fair and open access
  • X. Effective, accountable, and transparent governance arrangements

Systems not classified as SIPS are only required to comply with principles I, II, VII and X.

PCI DSS

Risk Monitoring

Our card authorization network complies with an information security policy based on ISO 27001 and PCI-DSS standards.

This policy defines the core guidelines related to the information systems it governs.

As an extension of this policy, an internal control process has been implemented, based on the COBIT standard.

Controls are performed on both a permanent and regular basis.

Service Level Management

Service Level Management ensures that STET services meet clients' expectations:

  • Service Level Objectives: A client-facing view designed to monitor STET service performance using a defined set of indicators, such as fulfilment time, service availability, compliance, incident response time/time to restore service, change deployment time, report lead time…
  • Key Performance Indicators: An internal view of STET service operation performance, used for continuous improvement.
  • Service Level Management trends are monitored and analyzed in the service dashboard produced by STET service delivery managers.

In order to deliver world-class performance and quality of service, STET implements industrial processes that are robust, optimized and benchmarked against best-practice frameworks such as the IT Infrastructure Library.

All STET staff and suppliers follow the same procedures and have access to the same tools, providing STET and its clients with a common language and supporting the continuous improvement of service quality.

STET operational processes are regularly audited by the STET Corporate Quality team and by central banks.

Risk Management

STET operates the clearing and settlement platform CORE, as well as the routing and authorization network e-RSB.

Classified by the Eurosystem as a SIPS under the BIS Core Principles for Payment Infrastructures, STET must mitigate all risks that could impact its operations in order to prevent any systemic consequences in the event of a system failure or participant default.

Accordingly, STET places particular emphasis on maintaining a robust and efficient risk policy.

STET risk governance is structured around several committees, all of which report to the Board of Directors. The key committees advising STET’s executive management (CEO and Deputy CEO) and the Board of Directors are the Audit & Risk Committee, the Regulatory Compliance Committee, the Finance Committee, and the Guaranty Mechanism Steering Committee. Board members chair the first three committees, while the fourth is chaired by a representative of STET’s clients. All committees include representatives of STET stakeholders.

Audit & Risk Committee

The Audit & Risk Committee acts as an advisory body to the Board of Directors, the CEO, and the Deputy CEO. It coordinates compliance and risk management activities across STET and ensures the independence of the various internal control functions.

Chaired by a member of the Board, this committee includes the Head of the Audit & Risk Department, along with other members appointed by the Board of Directors on the recommendation of shareholders.

Regulatory Compliance Committee

The Regulatory Compliance Committee advises the Board of Directors on compliance matters, in accordance with the Committee on Payments and Market Infrastructures (CPMI) regulations among other frameworks. The Committee draws up recommendations regarding actions to be undertaken to meet evolving regulatory requirements. Alongside the oversight by the Banque de France, the Regulatory Compliance Committee reviews STET compliance with applicable regulations and assesses their potential impacts on STET activities.

This Committee is chaired by the Chairman of the Board and includes the Chair of the Audit & Risk Committee, the CEO, the Deputy CEO, and other members appointed by the Board of Directors on the recommendation of STET shareholders.

Learn more about the Committee on Payments and Market Infrastructures (CPMI) standards: https://www.bis.org/cpmi/

Financial Committee

The Financial Committee advises the Board of Directors on financial management and policies related to the business. Chaired by a member of the Board, this committee includes STET’s CEO and CFO, along with other members appointed by the Board of Directors on the recommendation of shareholders.

Guaranty Mechanism Steering Committee

The Guaranty Mechanism Steering Committee monitors the Financial Security Mechanism, as well as the use and provision of the Guaranty Fund. This committee reports to the Clients Committee.

Subject to oversight by the Banque de France, the Guaranty Mechanism Steering Committee includes representatives from each bank that participates directly in the CORE(FR) community, along with representatives from STET.

Security

STET Information Security Policy is based on the ISO/IEC 27001 and 27002 standards, complemented by applicable payment industry security rules and best practices, such as the BIS Core Principles.

  • System components that store or process critical payment data are hosted in high-security, high-availability production sites, equipped and managed to protect against failures, intrusions, and natural disasters.
  • Payment data is encrypted and wrapped in digitally signed, encrypted envelopes before transmission over external networks. It is deciphered just before processing and re-encrypted immediately afterwards.
  • STET internal networks are segmented according to the sensitivity of the data they carry. Critical data resides in a restricted internal network area, which is protected from the wider internal network by firewalls using different technologies.
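The second bullet above describes a signed, encrypted envelope: the record is signed so the receiver can attribute it to the sender, then the whole thing is encrypted for transit and only opened immediately before processing. The following Go program is an added example written for this page, not STET's code or wire format; the `Envelope` layout (nonce plus AES-256-GCM ciphertext of an Ed25519 signature followed by the record), the `Seal`/`Open` names and the shared transport key are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is a constructed wire format for this example: a random GCM nonce
// plus the AES-256-GCM ciphertext of (Ed25519 signature || payment record).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

const sigLen = ed25519.SignatureSize

func newGCM(transportKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(transportKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds the envelope: the sender signs the record so the receiver can
// attribute it, then the signed blob is encrypted so nothing is readable on
// the external network.
func Seal(record []byte, signer ed25519.PrivateKey, transportKey []byte) (Envelope, error) {
	gcm, err := newGCM(transportKey)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(signer, record)
	inner := append(append(make([]byte, 0, sigLen+len(record)), sig...), record...)
	nonce := make([]byte, gcm.NonceSize()) // fresh nonce per envelope; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, inner, nil)}, nil
}

// Open reverses Seal immediately before processing. Both checks must pass:
// the GCM tag (transport integrity) and the Ed25519 signature (origin).
func Open(env Envelope, senderPub ed25519.PublicKey, transportKey []byte) ([]byte, error) {
	gcm, err := newGCM(transportKey)
	if err != nil {
		return nil, err
	}
	inner, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("envelope rejected: ciphertext or tag altered")
	}
	if len(inner) < sigLen {
		return nil, errors.New("envelope rejected: too short to carry a signature")
	}
	sig, record := inner[:sigLen], inner[sigLen:]
	if !ed25519.Verify(senderPub, record, sig) {
		return nil, errors.New("envelope rejected: signature does not match sender")
	}
	return append([]byte(nil), record...), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	transportKey := make([]byte, 32) // constructed shared key; a real deployment takes it from key management
	rand.Read(transportKey)
	record := []byte("constructed sample: credit transfer 123.45 EUR")
	env, _ := Seal(record, priv, transportKey)
	got, err := Open(env, pub, transportKey)
	fmt.Printf("record=%q err=%v\n", got, err)
	env.Ciphertext[0] ^= 0x01 // a single flipped bit on the wire
	_, err = Open(env, pub, transportKey)
	fmt.Println("after tampering:", err)
}
```

The order matters: the GCM tag is verified first, so a tampered or replayed-with-wrong-key envelope is discarded before any signature work, and a valid ciphertext signed by the wrong key is still rejected because the signature is checked against the expected sender.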

Through its security management process, STET continuously assesses the alignment of its security levels with requirements and objectives, and follows an ongoing security improvement program.

A software vulnerability management process ensures the timely implementation of security updates with due diligence.

Financial Security Mechanism

Securing the CORE(FR) System & Protecting Non-Defaulting Participants

STET has implemented a Financial Security Mechanism designed to mitigate liquidity risk within the CORE(FR) system in the event of participant failure or default. The provisions included in the security mechanism aim to guaranty the finality of operations, thereby securing payment flows processed by the CORE(FR) system and ensuring end-of-day settlements.

Default or Failure of a Participant in the CORE(FR) System

A Direct Participant is considered “in default” if any of the following occurs:

  • Failure to pay a negative clearing balance debited from its payment account at the end of a settlement period
  • Failure to reimburse the Common Guaranty Fund after using it to cover a negative clearing balance within the required timeframe
  • Failure to provide the required individual guaranty within the required timeframe
  • Failure to restore its contribution to the Common Guaranty Fund following a call for collective reconstruction
  • Failure to provide an additional contribution in the event of a call for such payment within the required timeframe

A Direct Participant is considered “in failure” if any of the following occurs:

  • It becomes subject to insolvency proceedings
  • It fails to remedy a previously identified default within the required timeframe

If an Indirect Participant of the CORE(FR) system defaults, the Direct Participant representing it is held responsible and must assume the associated risk.

Financial Security Mechanism

The Financial Security Mechanism is the system for raising liquidity/cash in the event of a Participant’s default or failure. It ensures the settlement of clearing balances.

The mechanism consists of two sequential procedures designed to address participant default: first, a call on Individual Guaranty, followed by a call on the Common Guaranty Fund. If these two measures are insufficient to resolve the situation, the defaulting participant’s access to the exchanges is suspended and it is excluded from the next clearing cycle. If the default persists the next day, this participant is permanently excluded from the system.

In addition, a participant in default or failure at the end of the settlement period may be subject to financial penalties for non-compliance with the CORE(FR) system’s operational rules.
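The two paragraphs above describe a fixed waterfall: the participant's own payment account, then the Individual Guaranty, then the Common Guaranty Fund, then suspension from the next cycle, with permanent exclusion if the default persists the next day. The Go program below is an added example written for this page to make the sequence explicit; it is not STET's settlement code, and the `Participant`, `CommonGuarantyFund` and `Outcome` types, the field names, and the rule that a draw on the common fund creates a reimbursement obligation are modelling assumptions drawn from the text, not a description of the real system.

```go
package main

import "fmt"

// Participant is a constructed model of a CORE(FR) Direct Participant's
// position at the end of a settlement period (example, not STET's system).
type Participant struct {
	Name               string
	ClearingBalance    int64 // negative means the participant owes the system
	AvailableFunds     int64 // what its payment account can actually cover
	IndividualGuaranty int64 // collateral the first procedure calls on
	DaysInShortfall    int   // consecutive days the waterfall could not cover it
	Suspended          bool  // excluded from the next clearing cycle
	Excluded           bool  // permanently excluded from the system
}

// CommonGuarantyFund is the pooled second line of defence.
type CommonGuarantyFund struct{ Balance int64 }

// Outcome records where the liquidity came from and which sanctions applied.
type Outcome struct {
	Due               int64
	FromOwnAccount    int64
	FromIndividual    int64
	FromCommonFund    int64
	Shortfall         int64
	InDefault         bool
	OwesFundRefund    bool // a draw on the common fund must be reimbursed in time
	PenaltyApplicable bool
}

func take(need, available int64) int64 {
	if need < available {
		return need
	}
	return available
}

// Settle runs the end-of-period waterfall for one participant:
// own account -> individual guaranty -> common guaranty fund -> suspension.
func Settle(p *Participant, fund *CommonGuarantyFund) Outcome {
	var out Outcome
	if p.ClearingBalance >= 0 {
		p.DaysInShortfall = 0
		return out // creditor or flat position: nothing to raise
	}
	out.Due = -p.ClearingBalance
	remaining := out.Due

	// Step 0: the participant's own payment account.
	out.FromOwnAccount = take(remaining, p.AvailableFunds)
	p.AvailableFunds -= out.FromOwnAccount
	remaining -= out.FromOwnAccount
	if remaining == 0 {
		p.DaysInShortfall = 0
		return out
	}
	// Failure to pay the negative balance puts the participant in default.
	out.InDefault = true
	out.PenaltyApplicable = true

	// Step 1: call on the Individual Guaranty.
	out.FromIndividual = take(remaining, p.IndividualGuaranty)
	p.IndividualGuaranty -= out.FromIndividual
	remaining -= out.FromIndividual

	// Step 2: call on the Common Guaranty Fund.
	if remaining > 0 {
		out.FromCommonFund = take(remaining, fund.Balance)
		fund.Balance -= out.FromCommonFund
		remaining -= out.FromCommonFund
		out.OwesFundRefund = out.FromCommonFund > 0
	}
	out.Shortfall = remaining
	if remaining == 0 {
		p.DaysInShortfall = 0
		return out
	}

	// Both procedures insufficient: suspend and drop from the next cycle;
	// a second consecutive day of unresolved default means permanent exclusion.
	p.DaysInShortfall++
	p.Suspended = true
	if p.DaysInShortfall >= 2 {
		p.Excluded = true
	}
	return out
}

func main() {
	fund := &CommonGuarantyFund{Balance: 50}
	p := &Participant{Name: "constructed-bank", ClearingBalance: -100, IndividualGuaranty: 20}
	day1 := Settle(p, fund)
	fmt.Printf("day 1: %+v suspended=%v\n", day1, p.Suspended)
	p.ClearingBalance = -day1.Shortfall // the uncovered amount carries over
	day2 := Settle(p, fund)
	fmt.Printf("day 2: shortfall=%d excluded=%v\n", day2.Shortfall, p.Excluded)
}
```

The example keeps the two calls strictly ordered and mutates the fund balance, which is what makes the non-defaulting participants' exposure visible: after a draw, the common fund is smaller until the defaulter reimburses it, and that unreimbursed draw is itself one of the default conditions listed earlier.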

Stakeholders in the Financial Security Mechanism

The procedures of the Financial Security Mechanism are systematically applied when the conditions are met and are managed by the following stakeholders:

  • The Financial Security Mechanism Steering Committee: Ensures the mechanism functions properly. In the event of participant default or failure, the committee confirms the participant’s suspension and the termination of its contracts.
  • The Supervision Unit: Composed of STET operational experts and the Bank of France (as supervisor), it oversees the proper implementation of the mechanism.
  • The Financial Crisis Unit: Activated when a financial crisis arises due to the default or failure of a Direct Participant in CORE(FR), this unit manages incidents and broader crises under the oversight of the Financial Security Mechanism Steering Committee.

Resilience & Business Continuity

In accordance with its Risk Management Policy, STET has developed a Business Continuity Plan covering both its CORE system and its card authorization network.

Resilience of the CORE System

The high-rated resilience of the CORE System is the result of several key factors:

  • Use of modern yet proven middleware components, minimizing the need for custom code.
  • Systematic redundancy of all critical hardware and middleware components, enabling seamless process recovery through alternate systems.
  • Advanced transaction management, allowing for automatic clean-up and restart of interrupted processes.
  • Real-time system data replication between two datacenters, ensuring a short synchronization window and rapid switchover in the event of a failure at one site.

STET ensures business continuity in the event of a failure or scheduled downtime:

  • Resilience is built into and across STET’s datacenters, covering infrastructure such as facilities, power supply, telecommunications, software, hardware, and data.
  • Monitoring and administrative resources are also resilient, supported by two mirrored servers located at separate sites, accessible to support staff via encrypted connections.
  • STET’s service support teams operate from locations that are physically separate from its datacenters.

STET ensures resilient client access through:

  • An encrypted STET network built on the virtual private networks of two world-class telecommunications operators
  • SWIFTNet
  • A secure STET extranet

Resilience of our Card Network

STET ensures its network’s high availability and resilience through full redundancy of all its components:

  • Three active-active service centers located in France
  • Tier-3 certified remote platforms
  • A dual-loop inter-site network
  • A back-up Network Monitoring and Management Centre
  • Two MPLS IP-VPN access networks provided by two separate operators. Each network can be backed up via STET’s rsBoX (TCP proxy), with switching service instances distributed across three sites and accessible to all clients.

Bank Operations Monitoring

STET monitors key stages of the banking cycle, including operational flows between clients and STET, as well as the successful completion of transactions. Specifically, STET tracks data exchange completion, compliance with exchange and clearing cut-offs, the consistency of clearing positions, and TARGET2 settlement orders.

STET also monitors exceptional cases, such as rejected transactions or postponed settlements, and ensures that any related banking alerts are promptly communicated to clients.

STET calculates and reports fees and issues the following daily reports:

  • Bank Operations Report: Details incoming and outgoing transactions and accepted or rejected operations, categorized by client and transaction type (e.g. credit transfers, direct debits) and expressed in volume or value.
  • Settlement Report: Outlines both forecasted and actual settlement instructions sent to TARGET2, including any use of STET’s Financial Security Mechanisms.
  • Customer Event Report: Summarizes information or service requests, incidents or other notifications declared by the client to its community.

Monthly management reports consolidating this information are also provided for community oversight purposes.