Risk Committee Update: March 2026

This month’s Risk Committee newsletter focuses on the Risk Committee’s assessment of the rapidly evolving geopolitical situation in the Middle East and its potential implications for post-trade markets, financial market infrastructures (FMIs), sub-custodian banks, and global custodians operating in the region. There’s also an update on our full due diligence visits to Mexico and Poland.

Middle East Update: Impact on Post-Trade and Capital Markets

Thomas Murray’s Risk Committee (RC) met on 2 March 2026 to assess the rapidly evolving geopolitical situation in the Middle East and its potential implications for post-trade markets, financial market infrastructures (FMIs), sub-custodian banks, and global custodians operating in the region.

Over the weekend, a significant military escalation followed coordinated US and Israeli airstrikes targeting Iranian leadership and military infrastructure. The reported death of Iran’s Supreme Leader represents a major inflection point in regional tensions and has triggered retaliatory missile and drone strikes across Israel and several Gulf states. The situation remains fluid, with continued military activity, heightened security alerts, and broader geopolitical uncertainty.

Market impact

The immediate market impact has included temporary closures in the United Arab Emirates and Kuwait (which reopened on 2 March), widespread airspace restrictions across parts of the Gulf, and elevated oil price volatility driven by concerns over regional stability and shipping routes near the Strait of Hormuz. While most regional capital markets remain operational, they are functioning under heightened alert conditions and increased supervisory oversight.

Risk outlook

Following its review, the Thomas Murray RC has decided to place the Overall Risk Outlook and the Operational Risk Outlook “On Watch” for all monitored entities located in the Middle East, including central securities depositories, sub-custodian banks, and other capital market infrastructures. In the UAE, where markets remained closed on 3 March, the Liquidity Risk Outlook has also been placed On Watch to reflect potential funding pressures and settlement delays arising from the suspension of trading activity.

Across the wider region, markets in Kuwait, Oman, Bahrain, Saudi Arabia, Qatar, Egypt, Israel, and Jordan continued to operate as normal (at the time of writing on 3 March), although under enhanced monitoring. Turkey, while not directly affected by military action, has introduced precautionary market-stabilisation measures, including the temporary suspension of short selling, and adjustments to central bank liquidity operations, aimed at containing volatility and supporting financial stability.

All monitored entities have activated their business continuity and operational resilience frameworks. As of 3 March, no systemic settlement failures or prolonged infrastructure outages have been reported, and custody, clearing, and payment systems remain operational where markets are open.

Nevertheless, indirect disruption risks remain. Global custodians may experience operational impact where local markets close, where sub-custodian banks suspend activity, or where liquidity conditions tighten and foreign exchange availability becomes constrained. Thomas Murray is therefore closely monitoring settlement cycles, payment flows, funding conditions, and regulatory responses across affected jurisdictions.

Cyber threat environment has intensified

In parallel with the kinetic escalation, the cyber threat environment has intensified materially. The conflict is unfolding within a hybrid warfare context in which cyber operations form a central component of state and non-state activity. Recent monitoring indicates a sharp increase in cyber targeting across the Gulf states and Israel, with financial services, government institutions, media organisations, and critical infrastructure sectors facing elevated risk. Iran maintains a sophisticated and operationally active cyber capability, with a history of destructive malware deployment, financial sector targeting, and supply chain intrusion. The precedent of regional banking disruptions in 2025 underscores the potential for retaliatory or symbolic cyber operations against financial institutions during periods of heightened geopolitical tension.

While there is currently no evidence of widespread cyber disruption to capital market infrastructures, clients should assume an elevated threat posture. Strengthening perimeter security, validating patch management and remote access controls, ensuring immutable offline backups, and reviewing third-party dependencies remain prudent risk-mitigation steps under current conditions.

Thomas Murray continues to monitor developments closely and will convene ad hoc Risk Committee meetings as required. We are assessing potential impacts on market infrastructure resilience, liquidity dynamics, operational continuity, and regulatory intervention measures on an ongoing basis. Clients will be informed promptly of any material changes to risk outlooks or operational status across the region as further information becomes available.

The RC also hosted an Emergency Briefing, on 3 March, where they addressed the developing situation in the Middle East, delivering an overview of the current situation and assessing immediate implications for markets, financial institutions, and cyber risk. You can watch the briefing here.

Mexico Due Diligence Visit

During the first part of 2026, we undertook a full due diligence visit of Mexico, meeting with all the FMIs and a number of the key banks.

Key market developments include:

S.D. Indeval technology transformation

• S.D. Indeval, the CSD for the Mexican financial market (and part of the Mexican Stock Exchange Group), and the Mexican market infrastructures, are undertaking a large-scale technology transformation and innovation programme. This is expected to be the main area of focus for the CSD and the exchange over the coming years.
• This programme includes the implementation of a new core system for the CSD (Indeval), new core systems for the two central counterparties (CCV and Asigna), and a new system for the group’s derivatives exchange (MexDer).
• The current plan is to implement the new derivatives systems for MexDer and Asigna later this year, while the new Indeval core system is targeted for implementation in 2027.
• According to the group, this programme goes beyond a pure technology upgrade and is intended to support a more modern and resilient operating model. As part of this initiative, the group has entered into an agreement with AWS to migrate its servers to the cloud.

Central Counterparty for bonds (CCV)

• In December 2025, CCV expanded its clearing services to include fixed income securities, initially covering Mexican government bonds (Bonos M).
• The scope is expected to be extended in subsequent phases to other government instruments and repo transactions. While current usage remains limited, it’s anticipated that additional clearing members will join and transaction volumes will increase over time.
• CCV received authorisation from the National Banking and Securities Commission (CNBV) in September 2025.

FinCEN restrictions

• Effective 20 October 2025, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) implemented orders prohibiting certain fund transfers involving three Mexico-based financial institutions: CIBanco, Intercam Banco, and Vector Casa de Bolsa.
• In response, Indeval informed market participants that foreign custodians and correspondent banks would cease processing any direct or indirect fund transfers involving these entities (where FinCEN jurisdiction institutions are involved).

Repo market development

• Banco de México (Banxico) is leading an initiative to further develop the Mexican repo market by introducing additional repo structures (including evergreen, open, and forward repos), standardising practices, and aligning the market with international standards.
• Indeval is supporting this initiative by developing a dedicated settlement platform, with CCV expected to clear these transactions at a later stage.

Bank updates

Banks in Mexico retain their “Stable” outlook with only minor alterations to risk grades.

One bank though did receive a downgrade in asset safety risk due to holding all their client securities in a single omnibus account together with a clarification regarding the recognition of the nominee concept in Mexico.

Previously, we had assessed the nominee concept as fully recognised. However, this has been clarified as follows:

“Mexico’s law does not formally recognise nominee accounts; however, its custody framework effectively provides the same structure. Indeval holds securities under endorsement in administration, while participants must separate their own holdings from client assets, allowing intermediaries to safekeep securities for third parties without conferring ownership rights.”

The same bank though did receive an upgrade in asset servicing risk due to the implementation of a new tool that reads PDF stock exchange announcements and automatically populates SWIFT message fields. This has improved the capture method from manual to semi-automated, enhancing operational efficiency and reducing processing risk.

Poland Due Diligence Visit

Our annual review of banks and FMIs in Poland saw no grade changes to the four Polish banks we monitor. However, there have been a number of market developments.

KDPW is supporting the EBRD project on regional integration. They have run into some difficult conversations with the other involved CSDs, and no single solution has yet been found regarding settlement). KDPW has also begun the "CSD-on-DLT" initiative, which will add an extra DLT layer onto the legacy system so that it forms an integrated whole.

After numerous delays, GPW, the stock exchange, will launch WATS, its new trading system (developed in-house), in May 2026. GPW wanted to replace the old Euronext matching engine (UTP) by developing their own system that they would then be able to monetise. Euronext no longer supports UTP and GPW decided not to move to Optiq. GPW remains the largest and most liquid market in the CEE region - they had the second largest IPO in Europe last year (Zabka Group: EUR 1.5 billion).

In addition, both the exchange and the CSD are strengthening their relations with Armenia. The exchange has a stake in the Armenian exchange and the CSD has plans to establish a link with the Armenian CSD.