DECISION (EU) 2022/1981 OF THE EUROPEAN CENTRAL BANK
of 10 October 2022
on the use of services of the European System of Central Banks by competent authorities
(ECB/2022/33)
THE GOVERNING COUNCIL OF THE EUROPEAN CENTRAL BANK,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 127(6) and Article 132 thereof,
Having regard to the Statute of the European System of Central Banks and of the European Central Bank, and in particular Article 34 thereof,
Having regard to Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (1), and in particular Article 6(1) in conjunction with Article 6(7) thereof,
Whereas:
(1) Services of the European System of Central Banks (ESCB) are provided to central banks within the ESCB to indirectly support the performance of their tasks. The ESCB services are developed, run and maintained by one or more central banks (hereinafter the ‘providing central banks’) and steered by an ESCB Committee. The ESCB services are financed by participating central banks (hereinafter the ‘participating central banks’), whose respective contributions are defined in financial envelopes approved by the Governing Council. The rights and obligations of the participating central banks are set out in European Central Bank (ECB) legal acts, as is the case for the ESCB public key infrastructure (ESCB-PKI), and/or in agreements between the participating central banks.
(2) It is necessary for the smooth, effective and consistent functioning of the Single Supervisory Mechanism (SSM) that practical arrangements for the cooperation between the ECB and the national competent authorities (NCAs) within the SSM include arrangements for the use by NCAs of ESCB services for carrying out their tasks under Regulation (EU) No 1024/2013.
(3) Pursuant to Decision (EU) 2022/1982 of the European Central Bank (ECB/2022/34) (2), competent authorities may use the ESCB services for the purpose of cooperating with the ESCB and with each other in order to carry out their tasks under Regulation (EU) No 1024/2013.
(4) The ESCB services that should be made available to competent authorities should be defined by reference to exhaustive lists of (a) ESCB services that all competent authorities should be required to use in carrying out their SSM tasks to ensure efficiency and consistency in the functioning of the SSM and (b) ESCB services that competent authorities may decide to use on a voluntary basis for the purpose of carrying out their SSM tasks.
(5) Competent authorities that use the ESCB services when carrying out their tasks under Regulation (EU) No 1024/2013 should comply with the legal framework governing each ESCB service, taking into account that competent authorities are not part of the governance framework of the ESCB. In particular, such competent authorities should contribute to the costs of developing and operating the ESCB services concerned according to a defined reimbursement framework, which should be based on a cost allocation key. Competent authorities should not have to submit a declaration of participation in respect of ESCB services that they are required to use, but should comply with the requirements regarding such services as set out in this Decision,
HAS ADOPTED THIS DECISION:
Article 1
Definitions
For the purposes of this Decision, the following definitions apply:
(1) ‘competent authority’ means either a national competent authority or the European Central Bank (ECB);
(2) ‘national competent authority’ (NCA) means a national competent authority as defined in point (2) of Article 2 of Regulation (EU) No 1024/2013 and, for the purposes of this Decision, also includes, in respect of the supervisory tasks assigned to them, national central banks that have been assigned certain supervisory tasks under national law and are not designated as NCAs;
(3) ‘ESCB services’ means any one or more of the electronic applications, systems, platforms, databases and services listed in Annexes I and II;
(4) ‘providing central bank’ means a central bank developing, running and maintaining an ESCB service.
Article 2
Use of ESCB services by competent authorities
1. Competent authorities shall use the ESCB services listed in Annex I for the purpose of carrying out their tasks under Regulation (EU) No 1024/2013.
2. Competent authorities may use the ESCB services listed in Annex II for the purpose of carrying out their tasks under Regulation (EU) No 1024/2013.
3. Competent authorities that decide to use ESCB services set out in Annex II shall submit a declaration to the Governing Council by which they confirm their participation and accept compliance with the related obligations, including the obligation to pay their contributions directly to the providing central bank in accordance with Article 3.
4. Competent authorities that use ESCB services shall comply with the legal framework governing each ESCB service, including the agreements between the participating and providing central banks. The agreements between the parties may establish direct contractual relationships between the providing central banks and the competent authorities.
5. When using the services listed in Annex I the competent authorities shall comply with the requirements set out in Annex III.
Article 3
Financial arrangements
Competent authorities that use ESCB services shall contribute to the costs of developing and operating the respective ESCB service in accordance with a defined reimbursement framework, which is based on a cost allocation key, as further specified in the respective financial envelopes following the applicable reimbursement rules.
Article 4
Entry into force
This Decision shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
Done at Frankfurt am Main, 10 October 2022.
The President of the ECB
Christine LAGARDE
(1)
OJ L 287, 29.10.2013, p. 63
.
(2) Decision (EU) 2022/1982 of the European Central Bank of 10 October 2022 on the use of services of the European System of Central Banks by competent authorities and by cooperating authorities, and amending Decision ECB/2013/1 (ECB/2022/34) (see page 29 of this Official Journal).
ANNEX I
ESCB services that competent authorities are required to use
— CoreNet3
— Enterprise Service Bus (ESB)
— Identity and Access Management Service (IAM)
ANNEX II
ESCB services that competent authorities may use
— ESCB Teleconference System
— Secure ESCB Email (SEE)
— ESCB public key infrastructure (ESCB PKI)
— ESCB Performing Survey Initiative LimeSurvey-based Solution (EPSILON)
— ENTM Modelling tool and repository (ENTM)
ANNEX III
Requirements for ESCB services that competent authorities are required to use
(1) Competent authorities must carry out the tasks and assume the responsibilities corresponding to their role in the relevant ESCB service.
(2) Competent authorities must adjust their internal systems and interfaces to operate seamlessly with the ESCB service.
(3) Competent authorities will be liable for any loss or damage incurred as a result of any deliberate or negligent action and/or omission in performing their obligations. The limitations of liability laid down in the Level 2 – Level 3 Agreement will apply accordingly.
(4) Competent authorities will bear the burden of proof of demonstrating that they have not breached their duty of reasonable care in performing their obligations, including in operating the technical facilities.
(5) Outsourcing, delegation or subcontracting by a competent authority to third parties will be without prejudice to the liability of that competent authority.
Competent authorities may only outsource, delegate or subcontract to a third party tasks that have or may have a material impact on compliance with the requirements set forth in this Annex to the extent that they have obtained the express, prior and written consent (or deemed consent as provided for in paragraph (6)) of the Eurosystem central banks, or the ESCB central banks, as the case may be. No such consent is needed if the third party is a joint affiliate of the relevant competent authority and if that competent authority’s rights and obligations remain materially unchanged.
(6) Competent authorities must give reasonable prior notice of any planned outsourcing, delegation or subcontracting as referred to in paragraph 5 and must provide details of the requirements that are proposed to apply to such outsourcing, delegation or subcontracting.
The competent ESCB Committee must respond to any request for consent under paragraph 5 within two months of it being notified of the planned outsourcing, delegation or subcontracting. Any refusal to grant consent must be accompanied by the reasons for such refusal. If the competent authority receives no response within the two-month deadline, it may notify the competent ESCB Committee of its request once again. The Eurosystem central banks, or ESCB central banks, as the case may be, will have one further month within which to respond to the second notification. If there is no response within that time period, the competent authority will be deemed to have received consent to proceed with the outsourcing, delegation or subcontracting.
(7) Competent authorities must keep confidential all sensitive, secret or confidential information and know-how (whether such information is of a commercial, financial, regulatory, technical or other nature) that is marked as such and belongs to the providing central bank and/or to other ESCB/Eurosystem central banks, and may not disclose such information to any third party without the express, prior and written consent of the central bank(s) concerned.
(8) Competent authorities must restrict access to the information or know-how referred to in paragraph 7 to their relevant technical staff, and such access may only be exercised in cases of clear operational need.
(9) Competent authorities must establish appropriate measures to prevent access to such confidential information or know-how by persons other than the relevant technical staff.
(10) In the exceptional case that the usage of the ESCB service involves the processing of personal data by the competent authority, the competent authority must comply with the applicable data protection legislation. The Eurosystem central banks, or ESCB central banks, as the case may be, must determine the purposes for which and the means by which personal data may be processed. In relation to the processing of personal data the competent authority and the Eurosystem central banks, or ESCB central banks, as the case may be, should seek to conclude a contract that clarifies the necessary aspects of the controller–processor relationship.
The competent authority must declare to the competent data protection authorities, if so required under the data protection legislation applicable to its processing of personal data, the processing of personal data in the context of the relevant ESCB service.
(11) Access to personal data may be granted only to those with an need to know in order to perform their tasks and fulfil their responsibilities in relation to the relevant ESCB service.
Feedback