Regulation (EU) 2025/1355 of the European Central Bank of 2 July 2025 on oversight requirements for systemically important payment systems (ECB/2025/22) (recast)

THE GOVERNING COUNCIL OF THE EUROPEAN CENTRAL BANK,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 127(2) thereof,

Having regard to the Statute of the European System of Central Banks and of the European Central Bank, and in particular Article 3.1, Article 22 and Article 34.1, first indent, thereof,

Whereas:

(1) Regulation (EU) No 795/2014 of the European Central Bank (ECB/2014/28) (1) has been substantially amended several times (2). Following the review by the Governing Council of the application of the Regulation under Article 24 thereof, further amendments are to be made. Therefore, the Regulation should be recast in the interests of clarity.

(2) The fo3urth indent of Article 127(2) of the Treaty and the fourth indent of Article 3.1 of the Statute of the European System of Central Banks and of the European Central Bank (hereinafter the ‘Statute of the ESCB’) empower the Eurosystem to promote the smooth operation of payment systems.

(3) The Eurosystem promotes the smooth operation of payment systems, inter alia, by conducting oversight.

(4) The Committee on Payments and Market Infrastructures (CPMI), previously known as CPSS, and the Technical Committee of the International Organization of Securities Commissions (IOSCO) issued principles for financial market infrastructures. The CPMI-IOSCO recommends implementing these principles to the fullest extent allowed by the national legal and regulatory frameworks. To ensure the efficiency of the oversight of payment systems, the European Central Bank (ECB) implemented these principles, by means of Regulation (EU) No 795/2014 (ECB/2014/28), which applies to both large-value payment systems and retail payment systems of systemic importance.

(5) This Regulation applies to payment systems operated both by central banks and by private operators. That said, the CPMI-IOSCO principles acknowledge that there are exceptional cases where they are applied differently to payment systems operated by central banks due to requirements laid down in relevant law, regulation, or policy. Given that the Eurosystem has public policy objectives, responsibilities and an institutional set-up defined in the Treaty and the Statute of the ESCB, Eurosystem systemically important payment systems (SIPS) may be exempted from certain requirements under this Regulation. In particular, Eurosystem SIPS should be exempted from specific requirements on governance, wind-down plans, equity and liquid assets, collateral and investment risks, which cover the same areas as the respective requirements formally adopted by the Governing Council. These exemptions are specified in several provisions of the Regulation.

(6) In line with the principle of proportionality, the Governing Council identifies a payment system as a SIPS, if it meets specific criteria as set out in this Regulation. Furthermore, a payment system can be identified as a SIPS on the basis of a flexible methodology that takes into account qualitative aspects such as the size of a payment system, its complexity and substitutability.

(7) The Governing Council identifies a SIPS operator for each SIPS. The identified SIPS operator is accountable vis-à-vis the competent authority for the compliance of the SIPS with the oversight requirements under this Regulation. A SIPS operator should be a legal entity in the euro area that is responsible for operating a SIPS. Exceptionally, the Governing Council may on a case-by-case basis also identify as a SIPS operator a branch that is established in the euro area and that is a legally dependent part of a legal entity established outside the euro area. Against this background, the definition of ‘SIPS operator’ should be extended accordingly.

(8) As a result of the exceptional designation of a branch as a SIPS operator, the applicable requirements of this Regulation regarding the composition, roles, skills and responsibilities of the management of a legal entity identified as a SIPS operator should likewise apply to the management of a branch that is identified as a SIPS operator, and the managing directors who constitute the branch management should also be members of the management as defined in Article 9(11)(b). Further, where a branch is identified as a SIPS operator, the relevant competent authority, when assessing the compliance of the SIPS with the requirements of this Regulation, may take into account, where necessary, any actions and frameworks established at the level of the legal entity and related to the SIPS and/or the SIPS operator.

(9) Where necessary, for the purposes of efficient oversight, including minimising duplication of effort and reducing the burden on the SIPS and the relevant authorities, the competent authority should cooperate with other authorities. Where a branch is identified as a SIPS operator, the relevant competent authority should also cooperate with the authority responsible for the oversight or supervision of the legal entity of which the branch is a legally dependent part.

(10) The business activity of a SIPS may fluctuate over time. In order to ensure the integrity of the SIPS identification framework, while as far as possible maintaining continuity and avoiding frequent reclassifications of payment systems, a payment system ceases to be identified as a SIPS if it does not meet the criteria for identification as a SIPS in two consecutive verification reviews. However, maintaining the SIPS status over such a period of time may not be appropriate if it is unlikely that the system would fulfil the criteria qualifying it as a SIPS in the next verification exercise. Consequently, the possibility of an earlier reclassification based on a case-by-case evaluation is also possible.

(11) This Regulation sets out clearly defined procedures to ensure that due process guarantees are respected both before and after the Governing Council adopts a decision identifying a payment system as a SIPS.

(12) The ECB has recourse to the national central banks to carry out ESCB tasks to the extent deemed possible and appropriate. In the case of each SIPS, the relevant Eurosystem central bank is designated as the competent authority for assessing the compliance of that SIPS with the oversight requirements under this Regulation. In the case of a SIPS of pan-European importance, the oversight is carried out by the ECB as the designated competent authority. However, in the case of such a SIPS, where there is a proven, long-standing oversight relationship between it and a national central bank over the previous five years, two Eurosystem central banks, i.e. the national central bank with which the long-standing oversight relationship has been established, and the ECB, are designated as competent authorities.

(13) The requirements laid down in this Regulation are proportionate to the specific risks and exposures of SIPS. The provisions of this Regulation also take into consideration the experience and findings of the oversight assessments conducted on the basis of Regulation (EU) No 795/2014 (ECB/2014/28) in the past years, as well as the recent technological and regulatory developments in the European Union, including the adoption of Regulation (EU) 2022/2554 of the European Parliament and of the Council (3).

(14) The efficiency and soundness of a SIPS requires compliance with applicable national laws and clear rules, procedures and contracts under which it operates. Compliance with the law refers to the legal systems of all countries in which a SIPS operator is established and/or operates and in which the SIPS’s participants are established and/or operate.

(15) The efficiency and soundness of a SIPS also depends on the clarity and appropriateness of its governance arrangements, which must be clearly documented. The governance arrangements of a SIPS should ensure that the Board has the benefit of advice from an objective and independent risk committee in relation to its risk-related responsibilities. Furthermore, in order to ensure the integrity of the members of the Board and the Management, and where applicable the Branch Management, a SIPS operator should consider any record of the members in respect of convictions or penalties for breaches of the applicable commercial law, insolvency law, financial services law, anti-money laundering law and counter-terrorist financing law and breaches of professional duty as well as for fraud.

(16) Furthermore, a sound and evolving framework to comprehensively manage legal, credit, liquidity, operational, general business, custody, investment and other risks is essential to identify, measure, monitor and manage the entire range of risks that arise in the operation of a SIPS or are borne by a SIPS operator. This also holds true for the soundness and resilience of a SIPS operator’s collateral framework, participant default rules and procedures and business continuity plans.

(17) For the purposes of the comprehensive management of operational risks and in view of the increasing deployment and use of technological means in the operation of a SIPS, as well as the increased threat from cyber attacks and damage that a successful cyber attack could cause to the functioning of a SIPS, a SIPS operator should have in place a cyber resilience strategy and framework with adequate procedures, processes and controls to manage cyber risk effectively and ensure a high level of cyber resilience. The requirements relating to such a cyber resilience strategy and framework should be based on the Cyber resilience oversight expectations for financial market infrastructures (4) with the purpose of rendering some key expectations legally binding for SIPS operators. Moreover, it is essential that a SIPS operator periodically tests the effectiveness of the SIPS controls and systems by performing threat led penetration testing in accordance with the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU) (5) (hereinafter the ‘TIBER-EU framework’). Where a SIPS operator is a branch, the competent authority may accept testing performed by the legal entity of which the branch is a legally dependent part, if it can be deemed a comparable exercise to a TIBER-EU test, and if it captures also the effectiveness of the branch’s relevant controls and systems.

(18) Further, in view of the increased use of outsourcing and the risks that such practices might create for the efficiency and safety of a SIPS, a SIPS operator should always retain responsibility for the outsourced functions, operations and/or services. Furthermore, it should have in place contractual arrangements and frameworks that ensure that any risks arising from outsourcing are adequately assessed and mitigated by the SIPS operator before entering into such an arrangement and during the duration of the outsourcing. Moreover, in the case of outsourcing of critical functions, operations and/or services exit plans should exist that ensure the continued smooth functioning of the SIPS in the event that an outsourcing arrangement is discontinued. Intragroup arrangements are not inherently less risky than outsourcing to third parties. Hence, while recognising the potential benefits resulting from intragroup arrangements, the requirements regarding outsourcing should also apply to intragroup arrangements that constitute outsourcing.

(19) The reduction of systemic risk requires, inter alia, settlement finality and therefore a SIPS operator should use its best efforts to achieve the SIPS’s designation under Directive 98/26/EC of the European Parliament and of the Council (6). Intraday or real time settlement is also advisable if compatible with the SIPS general business model and necessary to enable the SIPS operator and participants to manage their respective credit and liquidity risks.

(20) Objective, risk-based, and publicly disclosed criteria for participation in a SIPS, permitting fair and (subject to acceptable risk control standards) open access to a SIPS, promote the safety and efficiency of the SIPS and of the markets it serves, while not restricting free provision of services to a disproportionate extent.

(21) Provisions of this Regulation requiring a SIPS operator to collect, process and transmit data should be without prejudice to any applicable rules on protection of data of participants or customers.

(22) An overall efficient and effective SIPS, with clearly defined, measurable and achievable goals and objectives, is best equipped to meet the needs of the SIPS participants and the markets it serves.

(23) The possibility for competent authorities to request corrective measures to remedy or avoid repetition of non-compliance with this Regulation, and the possibility for the ECB to impose effective, proportionate and dissuasive sanctions for infringements of this Regulation are essential elements in implementing the CPMI-IOSCO principles to the fullest extent allowed under the Treaty and the Statute of the ESCB. While corrective measures may only be imposed for infringements of this Regulation, there could be situations that merit initiating the procedure for the imposition of such measures on the grounds of suspected non-compliance, giving a SIPS operator the opportunity to be heard and to provide explanations before an infringement is established. In cases where the SIPS operator is a branch, the corrective measures or sanctions should be imposed on the branch.

(24) A SIPS operator that is newly identified as such by a decision made pursuant to this Regulation should not be required to comply with the oversight requirements set out in this Regulation during the period of one year from the date on which it is notified of that decision. This is to allow time for the newly identified SIPS operator to familiarise itself with those oversight requirements and to implement them,

HAS ADOPTED THIS REGULATION:

PART I

SUBJECT MATTER, SCOPE AND DEFINITIONS

Article 1

Subject matter and scope

This Regulation sets out the process and criteria for the identification of a payment systems as a SIPS and imposes oversight requirements on SIPS operators.

Article 2

Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘payment system’ means a formal arrangement between three or more participants, not counting possible settlement banks, central counterparties, clearing houses or indirect participants, with common rules and standardised arrangements for the execution of transfer orders between the participants;

(2) ‘financial market infrastructure’ (FMI) means a multilateral system among participating institutions, including the system operator, used to clear, settle, or record payments, securities, derivatives, or other financial transactions;

(3) ‘Eurosystem SIPS’ means SIPS owned and operated by a Eurosystem central bank;

(4) ‘collateral’ means an asset or third-party commitment that is used by a collateral provider to secure an obligation vis-à-vis a collateral taker. Collateral includes both domestic and cross-border collateral;

(5) ‘investment risk’ means the risk of loss faced by a SIPS operator or participant when the SIPS operator invests its own or its participants’ resources, e.g. collateral;

(8) ‘branch’ means an undertaking that has no legal personality and forms a legally dependent part of an existing entity;

(9) ‘the Board’ means: (a) in a unitary board system, the single board of a SIPS operator; (b) in a dual board system, the supervisory or equivalent board of a SIPS operator, appointed in accordance with national law; and (c) where a branch is identified as a SIPS operator, the board of the legal entity of which the branch is a legally dependent part;

(10) ‘the Management’ means executive directors, e.g. in a unitary board system, the members of the Board of the SIPS operator who are engaged in the daily management of the SIPS and any other executive officers appointed by the Board who are engaged in the daily management of the SIPS or, in a dual board system, the members of the management board of the SIPS operator and any other executive officers appointed by the Board or by the management board who are engaged in the daily management of the SIPS;

(11) ‘the Branch Management’ means, in cases where a branch is identified as a SIPS operator, the managing directors formally appointed to be responsible for the branch and to whom the conduct of the daily management of the SIPS is duly delegated;

(12) ‘relevant authorities’ means authorities who have a legitimate interest in accessing information from a SIPS to fulfil their statutory requirements, e.g. resolution authorities and supervisors of major participants;

(13) ‘legal risk’ means the risk arising from the application of law or regulation, usually resulting in a loss;

(14) ‘credit risk’ means the risk that a counterparty, whether a participant or other entity, will be unable to fully meet its financial obligations when they fall due or at any time in the future;

(15) ‘liquidity risk’ means the risk that a counterparty, whether a participant or other entity, will have insufficient funds to meet its financial obligations when they fall due, although it may have sufficient funds to do so in the future;

(16) ‘operational risk’ means the risk that deficiencies in information systems or internal processes, human error, management failures, or disruptions caused by external events, third parties or outsourced functions, operations and/or services will result in the reduction, deterioration or breakdown of services provided by a SIPS;

(17) ‘general business risk’ means any potential impairment of the financial position of the SIPS as a business concern as a consequence of a decline in its revenues or an increase in its expenses, such that expenses exceed revenues and result in a loss that must be charged against capital;

(18) ‘custody risk’ means the risk of incurring a loss on assets held in custody in the event of a custodian’s or sub-custodian’s insolvency, negligence, fraud, poor administration or inadequate record keeping;

(19) ‘cyber risk’ means the combination of the probability of cyber incidents occurring and their impact;

(20) ‘outsourcing’ means an arrangement in any form between the SIPS operator and a third party or intragroup entity under which that third party or intragroup entity undertakes functions, operations and/or services that otherwise would have been undertaken by the SIPS operator;

(21) ‘systemic risk’ means the risk of a participant or the SIPS operator not meeting their respective obligations in a SIPS will cause other participants and/or the SIPS operator to be unable to meet their obligations when they become due, potentially with spillover effects threatening the stability of or confidence in the financial system;

(22) ‘corrective measure’ means a specific measure or action, regardless of its form, duration or gravity, that is imposed on a SIPS operator by a competent authority to remedy, or avoid a repetition of, non-compliance with the requirements of Articles 8 to 27 and Article 29;

(23) ‘settlement bank’ means a bank holding accounts with regards to payments, where the discharge of obligations arising from a payment system takes place;

(25) ‘transfer order’ means a transfer order as defined in Article 2, point (i), first indent, of Directive 98/26/EC (11);