This section gives a brief overview of risk management techniques used to secure DNS systems so that they comply with or exceed the Lamfalussy standards. The key features of selected DNS systems are summarised in the comparative table in Annex 2. The section concludes with some remarks on relationships between RTGS systems and secured DNS systems.
3.1 Risk management in net settlement systems
Until the end of the 1980s, risk management in many net settlement systems relied primarily on membership criteria and, indirectly, on the prudential regulation and supervision of individual participants. Only a few systems had introduced mechanisms to control the size of intraday exposures or to allocate any losses if one or more participants failed to settle ("failure-to-settle procedures"). Most had no more than a provision to unwind the settlement to exclude some or all of the transactions with a defaulting participant. One result of the growing awareness of settlement and systemic risks in such unsecured DNS systems has been the introduction of RTGS systems. This approach has been taken in many systems operated by central banks, as described above. However, another approach, which is observed mainly in private sector systems, has been to retain the principle of net settlement but address the risks by introducing clearly defined risk control mechanisms. The following focuses on this approach, that is, the implementation of secured DNS systems.
An important framework for risk management in DNS systems was given by the Lamfalussy standards, set out by the G10 central banks in the Lamfalussy Report in 1990. While the standards were originally established to provide a basic framework for the design and operation of cross-border and multi-currency netting schemes, they have increasingly been viewed as applicable to large-value DNS systems in general. For example, the EU central banks' recommendations regarding the minimum common features of domestic payment systems include the principle that large-value net settlement systems should meet the Lamfalussy standards in full. In addition, the Federal Reserve amended its payment system risk policy in December 1994 by incorporating the Lamfalussy standards for the design and operation of privately operated large-value multilateral netting schemes.
From the point of view of risk control mechanisms, Lamfalussy Standards III and IV are particularly important in stipulating the minimum requirements with regard to the system's ability to limit credit and liquidity exposures and to ensure timely completion of daily settlements (i.e. certainty of settlement) in the event of an inability to settle by the participant with the largest single net debit position. There are a number of ways in which the standards can be met, which can very broadly be classified into three groups - "defaulters pay" methods, "survivors pay" methods and "third parties pay" methods - although in practice many systems use a combination of methods. In each case, the core risk control element is the setting of a limit or cap on the multilateral net debit position of each participant; a sending bank is not able to process any transfer orders that would cause it to exceed its net debit cap. The cap, sometimes called a net sender cap, sets a ceiling on the loss that can arise should a participant default and fail to settle. The three methods vary, however, both in the way the cap is determined and in how, if a default does occur, the resulting loss is shared (i.e. liquidity or loss-sharing arrangements).
Under a defaulters pay arrangement, the size of the cap is determined by the participant itself, with the participant having to secure its position in some way - for example, the cap is determined by the amount of collateral the participant provides. In the event of a participant failure the collateral will, if necessary, be used to ensure that the defaulter's obligations to the remaining members of the system are still met. For example, the system's clearing house may initially use the collateral to draw on a prearranged line of credit to obtain the funds to cover the defaulter's obligations and ensure that settlement of the system can take place; subsequently it can sell the collateral to provide funds to repay the credit line. The arrangement is known as defaulters pay because the principle is that the defaulting participant itself, rather than the clearing house or the other participants in the system, bears all the loss. Because each participant fully collateralises its own debit position, the system can in principle ensure that settlement takes place without any loss to the remaining participants regardless of the number of banks that fail.
In contrast, the essence of a survivors pay arrangement is that the loss is shared in some way among the remaining participants ("survivors"). The key requirement is that the survivors should have both the ability and the incentive to control their potential loss. Although there are different ways to achieve this, a typical approach is based on the setting of so-called bilateral credit or bilateral net receiver limits. These bilateral caps, set by the participants themselves, control the bilateral flow of payment messages from one participant to another; they allow each participant to limit the extent to which it has a net credit position vis-à-vis another participant. A sending bank is not able to process any transfer orders that would cause the receiving bank's bilateral net credit position with the sending bank to exceed the bilateral credit limit set by that receiving bank.
Bilateral caps typically serve two purposes where they are used in a DNS system. First, for each participant in the system, the multilateral net sender cap is set as some function of the sum of the bilateral caps that have been set against it by the other participants; this means that the net sender cap for one participant is determined by the judgements the other participants in the system have made about its creditworthiness in determining their bilateral caps vis-à-vis that participant. Second, if a participant defaults, the resulting loss is shared pro rata among the survivors according to the bilateral cap each had set against the defaulter.
To ensure that each participant can meet its share of the loss caused by the default of any other participant, it is required to put up collateral. As with a defaulters pay arrangement, the collateral can be used to cover any shortfall arising from a survivor being unable to meet its share of the loss. However, the amount of collateral can vary. To meet Lamfalussy Standard IV, each participant must put up collateral to cover the loss that would arise if the participant with the largest net debit position were unable to settle, that is, the system can in principle guarantee completion of settlement if any one participant fails to settle. Some systems require more collateral, however, to increase the probability that they would be able to ensure settlement even if more than one participant were to fail simultaneously. Unlike defaulters pay arrangements, a key feature of survivors pay arrangements is that, although they can guarantee that settlement can still take place under specified conditions, by definition the surviving banks are likely to face "losses" in the sense that, compared with the settlement positions they would have had if there had been no default, the amounts they have to pay in the settlement will be larger (or the amounts they receive smaller) because of the effect of the loss-sharing.
Finally, some liquidity or loss-sharing schemes incorporate a third parties pay arrangement. In particular, in one system the central bank plays the role of final guarantor of the certainty of settlement by absorbing any loss or shortfall that might be caused in excess of the collateral posted by participants.
Further enhancements. In several G10 countries, initiatives have recently been taken to enhance the risk control mechanisms in DNS systems or to establish new DNS systems, in particular with a view to achieving stronger forms of certainty of settlement. For instance, CHIPS initiated a set of modifications called "the Settlement Finality Improvements" in January 1996, which included a reduction of net debit caps, an increase in minimum collateral requirements and a clarification of the procedures for liquidating collateral in the event of settlement failures. The final phase of these improvements was implemented by CHIPS in January 1997 and CHIPS' simulations indicate that as a result it would be able to settle even in the event of the simultaneous failure of its two largest participants. LVTS, which is a new large-value DNS system under development in Canada, will adopt loss-sharing arrangements on the basis of a combination of survivors pay and defaulters pay collateralisation in conjunction with the central bank's guarantee of settlement in all circumstances to deal with all multiple failures.
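The bilateral limit check, the net sender cap and the pro rata loss-sharing described in the three paragraphs above, worked through as an added example (not part of the original report, and not any system's actual rulebook). The class and method names, the sample limits and the rule that the net sender cap is 50% of the bilateral limits set against a bank are assumptions; the report says only that the cap is "some function" of that sum.

```python
from collections import defaultdict
from fractions import Fraction

class SurvivorsPayDNS:
    """Constructed model of a survivors pay DNS system; all parameters are assumed."""
    def __init__(self, limits, cap_pct=50):
        self.limits = limits          # limits[receiver][sender]: bilateral credit limit
        self.cap_pct = cap_pct        # assumed: cap = cap_pct% of limits set against a bank
        self.owes = defaultdict(int)  # (a, b) -> bilateral net amount a owes b
        self.net = defaultdict(int)   # bank -> multilateral net position (< 0 is a debit)

    def limits_against(self, bank):
        return {r: l[bank] for r, l in self.limits.items() if r != bank and bank in l}

    def net_sender_cap(self, bank):
        return Fraction(sum(self.limits_against(bank).values()) * self.cap_pct, 100)

    def submit(self, sender, receiver, amount):
        """Process a transfer order, or reject it without changing any position."""
        if self.owes[(sender, receiver)] + amount > self.limits.get(receiver, {}).get(sender, 0):
            return "rejected: bilateral credit limit"
        if amount - self.net[sender] > self.net_sender_cap(sender):
            return "rejected: net debit cap"
        self.owes[(sender, receiver)] += amount
        self.owes[(receiver, sender)] -= amount
        self.net[sender] -= amount
        self.net[receiver] += amount
        return "accepted"

    def loss_shares(self, defaulter):
        """Split the defaulter's net debit pro rata to the limits set against it."""
        loss = max(0, -self.net[defaulter])
        against = self.limits_against(defaulter)
        total = sum(against.values())
        if not total:
            return {}
        return {bank: Fraction(loss * lim, total) for bank, lim in against.items()}

    def collateral_needed(self, bank):
        """Largest share this bank could owe if one counterparty fails at its full cap."""
        granted = self.limits.get(bank, {}).values()
        return max((Fraction(lim * self.cap_pct, 100) for lim in granted), default=0)

def demo():
    # Constructed sample: B, C and D each set a bilateral limit against A.
    dns = SurvivorsPayDNS({"B": {"A": 100}, "C": {"A": 60}, "D": {"A": 40}})
    orders = [("A", "B", 60), ("A", "C", 30), ("A", "D", 20), ("A", "C", 40)]
    return dns, [dns.submit(*order) for order in orders]
```

In the sample run D receives nothing from A yet bears 18 of the 90 loss, because each survivor's share follows the limit it set rather than its actual exposure, which is the incentive to set limits carefully.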
Some DNS systems have also incorporated mechanisms for making irrevocable and unconditional funds transfers during the day rather than only at the end of the day. In some cases this has resulted in hybrid systems which combine features, including risk control measures, of gross and net settlement systems. One example is EAF2 in Germany, which is characterised by a two-phase procedure. During the first phase (08:00 to 12:45) batch processings are carried out every 20 minutes in which outgoing funds transfers are offset as far as possible against incoming transfers. Offset transfers become immediately irrevocable and unconditional so that banks can transfer funds to their receiving customers without incurring credit risk. However, the actual incoming transfers are not booked immediately on the books of the central banks and any net liquidity inflows resulting from the batch processings can therefore not be used outside the system. Funds transfers which cannot be offset during one batch processing are automatically carried over into the next cycle. At the end of the first phase all a participant's bilateral debit and credit positions resulting from the batch processings are cumulated into a single debit and a single credit balance and booked on its settlement account at the central bank.
At the beginning of the second phase (13:00 to 14:15) there is a multilateral netting and settlement of all the funds transfers which have not been offset in the first phase. If the calculated multilateral net debit position cannot be covered by a participant at the time, the system will remove, through the use of a special algorithm based on agreed criteria, individual transfers to reduce net debit positions below the available cover. Unexecuted transfers are carried over into a second multilateral netting and settlement process during which participants are granted another 45 minutes to obtain cover. If cover is insufficient the special algorithm will again withdraw individual transfers until the total existing cover is sufficient. Unexecuted transfers are then deemed to be revoked and are deleted.
Table 4
Salient features of risk control measures in selected DNS systems
Risk management technique | CHIPS | EAF/EAF2 | LVTS (planned) | ECU clearing |
Same-day settlement | Y (1981) | Y (1990) | Y | Y (1988) |
Real-time monitoring | Y (1970) | Y (1996) | Y | Y (1996) |
Bilateral credit limits | Y (1984) | - | Y | - |
Multilateral net debit cap | Y (1986) | - | Y | Y (1993) |
Loss-sharing rule | Y (1990) | - | Y | Y (1993) |
Collateral requirement | Y (1990) | Y (1996) | Y | envisaged |
Central bank guarantee | - | - | Y | - |
Multiple batch | - | Y (1996) | - | - |
Centrally located queue | - | Y (1996) | envisaged | Y (1996) |
Note: Y indicates that the system incorporates the corresponding risk management technique. The year in which the technique was introduced is shown in brackets.
EAF2 processes mainly large-value credit transfers in Deutsche marks related to money market and foreign exchange transactions between banks in Frankfurt. Experience with the system, which started operating in early 1996, has shown that participants take advantage of the bilateral offsetting feature during the first phase, since 70% of the value of transactions becomes final as early as 10:30. More than 99% of the value of all transfers is executed after the first multilateral netting and settlement process.
3.2 RTGS, secured net and hybrid systems
RTGS systems and secured DNS systems use different methods to control intraday credit and liquidity exposures and systemic risk. In addition, as described above, various alternative models are possible under both approaches, which may result in different balances between risk and efficiency as well as in different allocations of risk management responsibilities between the central bank and the private sector.
Nonetheless, it is also possible to identify several techniques to address payment system risk that are common to both RTGS and secured DNS systems. For example, modern secured DNS systems, like RTGS systems, are based on real-time processing of payment messages; in the case of DNS systems this processing is necessary, for example, to calculate the multilateral net debit position of the sending bank and to ensure that it remains below the limit set. Moreover, the use of limits in secured DNS systems raises the possibility that, as in RTGS systems, payment messages will be queued before they can be processed and sent to the receiving bank. If liquidity in the system is scarce (because of tight net sender caps) queue management techniques similar to those in RTGS systems may need to be adopted; the issues discussed earlier in the report, such as centralised versus decentralised queue management, minimising externalities, the transparency of queues and avoiding gridlock, are all therefore potentially relevant to secured DNS systems. Similarly, DNS systems can also adopt different message flow structures (V, Y, L or T-shaped).
A major difference between the two types of system lies in the form of the intraday liquidity in the system. In existing RTGS systems the principal form of credit (if any) is the (explicit) credit provided by the central bank, whereas in a DNS system the multilateral net debit positions are a form of (implicit) credit provided by system participants to each other. However, even here there can be similarities. For example, an RTGS system with collateralised central bank credit and a defaulters pay DNS system have in common the fact that sending banks have to fully collateralise their positions and so (provided the collateral arrangement is robust) there is no risk to the provider of the credit; in both types of system, sending banks can, in principle at least, supplement their liquidity by borrowing on the money markets from other participants and thus prevent limits from delaying payments; and, as noted in Part II, some interbank exposures may arise in certain RTGS designs (e.g. because of queue transparency or the message flow structure), while central banks may have exposures in secured DNS systems (e.g. where an element of "third party pays" applies).
As risk controls are tightened and more sophisticated payment flow management techniques are applied, the two types of system may in certain respects come to look increasingly similar while in other respects retaining their significant differences. Some systems already combine certain features of both RTGS and DNS systems and it is also possible that there will be a further development of such "hybrid" arrangements. Because of the many possible forms that RTGS and secured DNS systems can take, an assessment of the balance between the efficiency, risk control and cost of an individual system will depend on the particular features that the system adopts.