Risk Management Governance
STET operates the clearing and settlement platform CORE, as well as the routing and authorization network E-rsb.
Being defined by the Eurosystem as a SIPS (Systematically Important Payment System) according to the BIS Core Principles for Payment Infrastructures, STET shall prevent all risks that might impact its activities in order to prevent any systemic risk in the event of a system failure or a participant default.
Therefore, STET pays special attention to the implementation of a robust and efficient risk policy.
STET‘s risk management governance relies on several committees, all of them reporting to the Board of Directors:
The key committees advising the STET Board of Directors and Top Executive Management - CEO and Deputy CEO – are the Audit and Risk Committee, the CPMI Committee, the Finance Committee, and the Guaranty Mechanism Steering Committee.
The first three committees are chaired by one of the Board Members, and the fourth by a representative of STET clients. All these committees include representatives of STET stakeholders.
Audit & Risk Committee
The Audit and Risk Committee acts as an advisory committee to the Board of Directors, the CEO and the Deputy CEO. It ensures the coordination of compliance matters and risk management throughout STET. This committee also guarantees the adequate independence of the various control bodies.
Chaired by one of the Board members, this committee includes the Head of the Audit and Risk Department and other members appointed by the Board of Directors upon shareholders proposal.
The CPMI Committee advises the Board of Directors on Compliance matter in accordance with the Committee on Payments and Market Infrastructures (CPMI) regulation. The committee elaborates recommendations concerning the actions to be undertaken in order to satisfy the evolving regulation requirements. Along with the Banque de France oversight, the CPMI Committee discusses of STET compliance with the regulation and evaluates the potential impacts on STET activities.
This Committee is chaired by the Board Chairman and includes the Audit and Risk Committee Chairman, the CEO, the Deputy CEO, as well as other members appointed by the Board of Directors upon STET shareholders proposal.
Learn more about the Committee on Payments and Market Infrastructures (CPMI) standard: https://www.bis.org/cpmi/
The Financial Committee advises the General Manager on the financial management and policy issues related to the business.
This committee is led by one of the Board Directors. It includes others Board members along with STET CEO, STET Financial Director and, at least, 2 representatives of STET shareholders.
Guaranty Mechanism Steering Committee
The Guaranty Mechanism Steering Committee contributes to The Financial Security Mechanism follow-up and monitors the use and the provision of the Guaranty Fund. This committee reports to the Client Committee.
Overseen by the Banque de France, this Guaranty Mechanism Steering Committee gathers representatives of each bank participating directly in the CORE(FR) community, along with STET representatives.
STET Information Security Policy is based on the ISO/IEC 27001 and 27002 standards, which are complemented with the relevant payment industry security rules and good practices such as BIS (Bank Interchange System) Core Principles.
- The systems components which store or process critical payment data are located in high security, high availability production sites equipped and managed to protect them against failures, intrusions and natural disasters.
- STET system access is provided through encrypted virtual private networks built upon two distinct operators’ private networks.
- Payment data is encrypted and wrapped in encrypted and signed envelopes before they are sent on external networks. Payment data is decrypted just before it is processed and encrypted back just after processing.
- STET internal networks are segmented according to the sensibility of the data they convey and critical data reside in a restricted internal network zone protected from the internal network zone by firewalls of different technologies.
Through its security management process, STET continuously assesses conformity of security level to requirements and objectives and follows a security improvement process.
A software vulnerability review monitors the implementation of software security updates with due diligence.
Financial Security Mechanism
Securing the CORE(FR) system and protecting the non-defaulting participants
STET has implemented a financial security mechanism designed to prevent any liquidity risk within the CORE(FR) system in the event of a Participant failure or default. Provisions included in the security mechanism aim at guaranteeing the purpose of operations, thus securing payment flows processed by the CORE(FR) system and settlements at the end of the day.
The Default and Failure of one Participant in the CORE(FR) system A Direct Participant is considered to be ‘in default’ if one of the following events occurs:
- It has not paid the negative clearing balance charged to the payment account at the end of the settlement period,
- Having used the Common Guarantee Fund to settle a negative clearing balance, it did not refund it in due time,
- It did not constitute the required individual guarantees in due time,
- In the event of a call for collective reconstruction, it did not rebuild its contribution to the Common Guarantee Fund,
- In the event of a call for an additional contribution, it did not make the additional payment in due time.
A Direct Participant is « in failure » if one of the following events occurs:
- It is liable to an insolvency procedure,
- It did not correct, in due time, a default previously noticed The default of an Indirect Participant to the CORE(FR) system, if it happens, will be directly supported by the Direct Participant which represents it.
The Financial Security Mechanism
The Security Mechanism represents the system for raising liquidities/cash in the event of one Participant default or failure. This system ensures the clearing balance settlement.
This system consists of two procedures implemented one after the other to answer to the situation of default of one Participant: a call procedure to Individual Guarantees and a call procedure to a Common Guarantee Fund. If these two measures are not enough to resolve the situation, the Participant in default is suspended from the exchanges and excluded from the next clearing. If the default is still noticed on D+1, this Participant is excluded from the system.
In addition, a Participant in default or failure at the end of the settlement period may be subject to financial penalties in case of non-compliance to the CORE(FR) system operational rules.
The Stakeholders of the Financial Security Mechanism
The procedures of the Financial Security Mechanism are systematically applied when the conditions are gathered. They are managed by the following stakeholders:
- The Financial Security Mechanism Steering Committee guarantees its well-functioning. In the event of default or failure of a Participant, the committee notices and confirms the suspension of the defaulting Participant and the termination of its contracts;
- The Supervision Unit, composed of the STET operational experts and the Bank of France as Supervisor, is in charge of overseeing the proper functioning of the security mechanism;
- The Financial Crisis Unit is activated when a financial crisis situation determined by the default or the failure of one of its Direct Participants appears in CORE (FR). The Unit manages the incidents & the crisis under the supervision of the Financial Security Mechanism Steering Committee
Resilience & Business Continuity
In accordance with its Risk Management Policy, STET developed a Business Continuity Plan, both for its CORE system and its card authorisation network.
Resilience of the CORE System
The high-rated resilience of the CORE System can be explained through different factors:
- A set of modern but mature middleware components, limiting specific code writing to the strict necessary level.
- A systematic redundancy of all critical hardware and middleware components, allowing resuming of a process by another component
- A high level of transaction handling, providing an automated cleaning and restart of an interrupted process A real-time replication of the data processed by the System between two data centres, enabling a short synchronisation phase and a fast switch, should of one of them be in default.
STET ensures business continuity in case of failure or scheduled downtime:
- STET ensures resilience within and between its data centres covering facilities, power, telecommunication, software and hardware systems, data.
- STET monitoring and administration resources are also resilient as they are supported by two mirrored servers hosting tools in different location that can be accessed by support staff through encrypted links.
- STET Service support staff location is separate from STET data centres.
STET ensures resilience of Clients access through :
- STET encrypted network build upon two world class telecommunication operators virtual private networks,
- STET secured extranet.
Resilience of our Cards Network
The network owes its high availability rate and excellent resilience to the total redundancy of its component parts:
- 3 active-active service centers hosted in France,
- tier-3 remote platforms,
- a double-loop inter-site network,
- a backup Network Monitoring and Management Center,
- 2 MPLS IP-VN access networks provided by 2 different operators, each one can be backed up via the rsBoX (TCP proxy) provided by STET and switching service instances distributed over 3 sites and accessible to all customers.
Bank Operations Monitoring
STET monitors key events of the banking cycle, operations flows between clients and STET as well as the correct completion of operations. In particular, STET monitors the completion of data exchange, the respect of exchange and clearing cut offs, the consistency of clearing positions and Target 2 settlement orders.
STET also monitors non-standard processing - such as operation rejection or settlement postponing banking alerts - that need to be communicated on time to the clients.
STET computes and reports fees and delivers the following daily reports :
- “Bank Operations Report” with mention of incoming or outgoing operations, accepted / rejected operations, classified by client and operation category - Credit transfer, Direct Debit - and expressed in term of volume or amount.
- “Settlement Report” providing settlement instructions - forecasts and the actual one - addressed to Target 2, stating the eventual use of STET financial security mechanisms.
- “Customer event Report” including information or service request, incidents or any information declared by the client to its community.
Monthly management reports including synthesis of all the above are provided for community management purpose.