
PFMI Principles 1, 2, 3: Legal Basis, Governance & Comprehensive Risk Management

Overview: This article goes beyond the PFMI text by adding oversight-focused guidance, short checklists, practical examples of what regulators actually implemented (EU, UK, Singapore, Australia, Canada), and common pitfalls to help FMIs and supervisors apply Principles 1–3 effectively.

Note on wording: Below each principle you’ll find a short quoted excerpt (≤25 words) summarizing the PFMI wording. For the full official text, see the BIS/CPMI-IOSCO PFMI document (link in References).

1️⃣ Principle 1 — Legal Basis

“An FMI should have a well-founded, clear, transparent and enforceable legal basis in all relevant jurisdictions.”

Plain-language summary

Principle 1 requires that an FMI’s rules, procedures and contractual arrangements are legally valid and enforceable where the FMI operates and where its participants are located. Legal certainty underpins settlement finality, enforceable netting, collateral rights and predictable default handling.

What regulators actually did (concrete actions)

  • 🇪🇺 European Union (ECB & ESMA): Adopted the Settlement Finality Directive, required CCPs/CSDs to produce independent legal opinions for every jurisdiction where participants reside, and mandated detailed rule definitions for finality, entry/exit points and default triggers. The ECB has delayed recognitions where cross-border enforceability was not proven.
  • 🇸🇬 Singapore (MAS): Requires annual cross-jurisdiction legal reviews, independent external legal opinions, and scenario-based legal testing (e.g., foreign freeze orders, insolvency cross-claims). MAS has required contract rewrites where obligations were ambiguous during outages.
  • 🇦🇺 Australia (RBA): Mandates legal-basis assessments for systemically important FMIs and proof of enforceability of close-out netting; required rule rewrites where default waterfalls were unclear during RBA assessments.

Principle 1 — Oversight checklist

  • Independent, external legal opinions covering all relevant jurisdictions.
  • Settlement finality protected by domestic law or equivalent statutory protection.
  • Netting and collateral arrangements are bankruptcy-remote or otherwise insolvency-protected.
  • Participant agreements clearly state rights/obligations in default and outage scenarios.
  • Cross-border legal gaps are identified and mitigated (gap analysis).

Common pitfalls:
  • Outdated legal opinions (not refreshed regularly).
  • Over-reliance on internal legal memos instead of independent counsel.
  • Vague default provisions or undefined timing for finality.

2️⃣ Principle 2 — Governance

“An FMI should have governance arrangements that are clear and transparent and that promote the safety and efficiency of the FMI.”

Plain-language summary

Principle 2 requires governance that protects the public interest: clear roles and responsibilities, independent oversight of risk, documented decision-making, conflict-of-interest management, and demonstrated board-level challenge and accountability.

What regulators actually did (concrete actions)

  • 🇬🇧 United Kingdom (Bank of England): Requires independent non-executive directors with risk expertise, reviews board minutes for evidence of effective challenge, enforces separation between risk oversight and commercial functions, and expects annual board effectiveness assessments. The BoE has required governance remediation where challenge is insufficient.
  • 🇨🇦 Canada (Bank of Canada): Mandates publication of governance disclosures, documented conflict-of-interest frameworks, and onsite interviews with board members as part of supervisory reviews. Authorities have compelled restructuring of committees when undue management influence is detected.
  • 🇸🇬 Singapore (MAS): Requires an independent Risk Committee reporting to the Board; fitness & propriety checks for senior management; expects governance aligned with public-interest objectives, not only commercial goals.

Principle 2 — Oversight checklist

  • Board & committee charters are documented and published.
  • Independent non-executive members with relevant, verifiable expertise.
  • Risk oversight functions (Risk, Audit, Compliance) are independent of operations/sales.
  • Board minutes show evidence of challenge, escalation and follow-up actions.
  • Conflicts of interest are declared and mitigated; remuneration aligns with risk outcomes.

Common governance weaknesses:
  • Board minutes that lack detail or show rubber-stamping.
  • Risk committees dominated by commercial leads.
  • No documented succession plans or competency assessments for directors.

3️⃣ Principle 3 — Framework for the Comprehensive Management of Risks

“An FMI should have a sound framework for the comprehensive management of legal, credit, liquidity, operational and other risks.”

Plain-language summary

Principle 3 demands an enterprise-wide, integrated risk-management framework that identifies, measures, monitors and mitigates all material risks (credit, liquidity, operational, cyber, legal, business, custodial, and interconnectedness risks).

What regulators actually did (concrete actions)

  • 🇪🇺 EU (ESMA & ECB): Enforced mandatory stress testing programs (credit, liquidity, reverse stress tests, participant concentration). Required publication of methodology summaries and remediation when scenarios fail.
  • 🇦🇺 Australia (RBA): Requires scenario-based stress testing including ‘extreme but plausible’ liquidity events; CCPs must backtest and demonstrate sensitivity analyses; interdependency assessments with banks and critical service providers are mandatory.
  • 🇸🇬 Singapore (MAS): Integrates cyber risk into enterprise risk frameworks, mandates risk appetite statements tied to KPIs and early-warning metrics, and performs deep-dive operational resilience reviews.

Principle 3 — Oversight checklist

  • Board-approved enterprise-wide risk framework covering all material risks.
  • Clear, measurable risk appetite statement and linked KPIs/limits.
  • Regular, documented stress tests (credit & liquidity) with governance over assumptions and frequency.
  • Integration of cyber & operational risk with recovery and business continuity plans.
  • Assessment of interdependencies with other FMIs and critical service providers (CSPs).
  • Formal escalation triggers and breach reporting to the Board and supervisors.

Common risk-management failures:
  • Stress tests focused on credit only; liquidity shocks ignored.
  • Risk registers not maintained or not forward-looking.
  • Cyber risk treated as an IT topic rather than enterprise risk.
  • No scenario-testing of critical service provider outage impacts.

Why Principles 1–3 are even more critical in the digital era

Real-time/instant payments, APIs, cloud services, and 24/7 settlement increase legal complexity, operational and cyber risk, and cross-border exposure. That makes enforceable legal frameworks, robust governance, and integrated risk management non-negotiable.

Quick reference — country summary table

Jurisdiction | Key regulatory actions
ECB/ESMA | Settlement Finality Directive; mandatory cross-jurisdiction legal opinions; public assessments; stress-test mandates; enforcement where legal certainty lacking.
United Kingdom (Bank of England) | INEDs requirement; review of board minutes for effective challenge; separation of risk & commercial functions; remediation orders for governance gaps.
Singapore | Annual cross-jurisdiction legal reviews; independent external legal opinions; mandatory risk committee; integrated cyber & operational reviews; contract rewrites when needed.
Australia | Enforceability checks for netting & collateral; scenario-based liquidity stress testing; required rule rewrites after assessments.
Canada | Published governance disclosures; onsite board interviews; restructuring of boards/committees where independence is weak.

Key takeaways

  • Principle 1 (Legal Basis) must be proven with independent, up-to-date legal opinions covering cross-border enforceability.
  • Principle 2 (Governance) requires evidence of challenge, independent oversight, and alignment with the public interest.
  • Principle 3 (Risk Framework) demands integrated, forward-looking stress testing and inclusion of cyber & operational risks.
  • Supervisors across leading jurisdictions have moved from guidance to enforcement — expect remediation, rewrites and public assessments where gaps are found.

References & further reading

  1. CPMI-IOSCO (2012) — Principles for Financial Market Infrastructures (PFMI), BIS
  2. Monetary Authority of Singapore (MAS) — supervisory guidance & oversight publications
  3. Reserve Bank of Australia (RBA) — FMI assessments & guidance
  4. Bank of England — FMI supervision
  5. Bank of Canada — FMI oversight practices

Note: Full official PFMI wording is available in the BIS/CPMI-IOSCO PFMI document. The short excerpts above are concise references (≤25 words) — consult the BIS link for the verbatim principles.
