TARGET2 is a systemically important payment system and a service relevant for the Eurosystem’s statutory tasks of promoting the smooth operation of payment systems, implementing monetary policy and maintaining financial stability.
Considerable attention was paid to operational risk management aspects in the system’s design and development phase. A comprehensive risk management framework was developed for TARGET2. This Information Security Management System is based on the internationally recognised standard ISO/IEC 27002:2005.
Given its cross-system and cross-participant interdependencies, a failure in TARGET2 could easily spread across financial markets and ultimately have systemic implications beyond the euro area. In order to adequately address this risk, particular emphasis was placed on the implementation of an effective business continuity management programme.
To ensure a high level of resilience and thus the availability of the system in all circumstances, TARGET2 was established on the basis of a “two regions – four sites” principle. This means that its operational facilities are located in two distinct regions of Europe, and in each region there are two separate operational centres in locations with different risk profiles. Both regions are permanently staffed, and responsibility for live operations is periodically rotated between the regions.
To cater for situations in which its resilience measures are not sufficient, the Eurosystem has, in close cooperation with the user community, also developed contingency procedures. These ensure that the systemically important business continues in the event that a TARGET2 entity (a bank, an ancillary system, a central bank or the Single Shared Platform) suffers an operational problem. Those procedures include a contingeny module which operates independently from the main system and ensures that the most critical payments can be processed at all times.
Given that an operational failure by a participant could potentially have an adverse impact on the smooth functioning of TARGET2, the Eurosystem’s risk management framework also includes measures focusing primarily on the security and operational reliability of critical participants.
As the system operator, the Eurosystem has set the objective of ensuring that, in the event of a failure in the primary region, operations can be resumed in the secondary region within two hours. In the event of such a failure, the operational day will be completed with a maximum delay of two hours.
Business continuity procedures, contingency procedures and crisis management arrangements are all tested at regular intervals.