Commission Delegated Regulation (EU) 2020/1230 of 29 November 2019 supplementing ... (32020R1230)

COMMISSION DELEGATED REGULATION (EU) 2020/1230

of 29 November 2019

supplementing Regulation (EU) 2017/2402 of the European Parliament and of the Council with regard to regulatory technical standards specifying the details of the application for registration of a securitisation repository and the details of the simplified application for an extension of registration of a trade repository

(Text with EEA relevance)

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2017/2402 of the European Parliament and of the Council of 12 December 2017 laying down a general framework for securitisation and creating a specific framework for simple, transparent and standardised securitisation, and amending Directives 2009/65/EC, 2009/138/EC and 2011/61/EU and Regulations (EC) No 1060/2009 and (EU) No 648/2012 (1), and in particular the third subparagraph of Article 10(7) thereof insofar as it relates to points (b) and (c) of the first subparagraph of that paragraph,
Whereas:
(1) Article 7(2) of Regulation (EU) 2017/2402 requires the information for a securitisation transaction to be made available by means of a securitisation repository or, where no such repository is registered in accordance with Article 10 of that Regulation, by means of a website meeting certain requirements. Article 10 of Regulation (EU) 2017/2402 sets out the conditions and procedure for the registration of securitisation repositories, including the requirement to submit either an application for registration or, in the case of trade repositories already registered under Chapter 1 of Title VI of Regulation (EU) No 648/2012 of the European Parliament and of the Council (2) or under Chapter III of Regulation (EU) 2015/2365 of the European Parliament and of the Council (3), an application for extension of registration for the purposes of Article 7 of Regulation (EU) 2017/2402.
(2) In order to minimise additional operational costs for market participants, the rules for the registration of securitisation repositories, including the rules for registration by means of an extension of registration for the purposes of Article 7 of Regulation (EU) 2017/2402, should build on existing infrastructures, operational processes and formats introduced in connection with the reporting of securities financing transactions and derivative contracts. The rules on registration should, however, also reflect the specificities of securitisations, including complexities associated with hosting securitisation data and documentation and should reflect recent market developments, such as the common use of Legal Entity Identifiers, which improves the organisation and classification of information on legal entities to be provided in the application. For clarity and ease of reference for applicants, it is also desirable for the rules on registration to follow the order of the relevant requirements in Regulation (EU) 2017/2402.
(3) Securitisations are highly complex instruments involving many different types of information, including information on the features of underlying exposures, information on their cash flows, information on the structure of the securitisation and information on the legal and operational arrangements entered into with third parties. It is therefore important that a prospective securitisation repository is able to demonstrate sufficient knowledge and working experience with securitisations, and the capacity to receive, process and make available the relevant information set out in Regulation (EU) 2017/2402. Prospective securitisation repositories should also be able to demonstrate that their staff, systems, controls and procedures are adequate for ensuring compliance with the requirements set out in Regulation (EU) 2017/2402.
(4) Securitisation repositories may provide services, referred to as ‘ancillary securitisation services’, which are directly related to and arise from the delivery of services for which registration as a securitisation repository is required under Regulation (EU) 2017/2402 (referred to as ‘core securitisation services’). For example, securitisation repositories may provide research or consultancy services to a prospective securitisation issuer which make use of the securitisation data available to the securitisation repository. Securitisation repositories may also provide ancillary services that are neither directly related to, nor arise from the delivery of core securitisation services (ancillary non-securitisation services). However, the use of common resources within a securitisation repository for the provision of both core securitisation services and ancillary securitisation services, or indeed ancillary non-securitisation services, could lead to contagion of operational risks across those services. Services involving the validation, reconciliation, processing or record-keeping of information may therefore require an effective means of operational separation in order to avoid such contagion. On the other hand, practices such as common front-end systems, a common access point to information or use of the same staff working in sales, compliance or a client services helpdesk may be considered less prone to contagion and hence will not necessarily require operational separation. 
Applicants for registration as a securitisation repository should therefore be required to demonstrate that they have established an appropriate level of operational separation between the resources, systems and procedures used in those business lines that are involved in the provision of core securitisation services and the resources, systems and procedures used in other business lines involved in the provision of ancillary services, regardless of whether those other business lines are run by the securitisation repository, an affiliated entity, or another entity.
(5) Article 10(5) of Regulation (EU) 2017/2402 envisages a simplified application for an extension of registration, where trade repositories registered under Regulation (EU) No 648/2012 or under Regulation (EU) 2015/2365 apply for their existing registration as a trade repository to be extended for the purposes of Article 7 of Regulation (EU) 2017/2402. Therefore, to avoid any duplication of requirements, the information to be provided by a trade repository applying for an extension of registration should be confined to details about the adaptations necessary to ensure compliance with Regulation (EU) 2017/2402.
(6) This Regulation is based on the draft regulatory technical standards submitted by the European Securities and Markets Authority (ESMA) to the Commission.
(7) In accordance with Article 10 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4), ESMA has conducted an open public consultation on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the opinion of the Securities and Markets Stakeholder Group established by Article 37 of that Regulation,
HAS ADOPTED THIS REGULATION:

Article 1

Definitions

For the purposes of this Regulation, the following definitions shall apply:
(1) ‘user’, in relation to a securitisation repository, means any of the following:
(a) any entity listed in Article 17(1) of Regulation (EU) 2017/2402;
(b) any reporting entity in relation to that securitisation repository;
(c) any other client of the securitisation repository who uses core securitisation services provided by the securitisation repository;
(2) ‘reporting entity’ means the entity designated in accordance with the first subparagraph of Article 7(2) of Regulation (EU) 2017/2402;
(3) ‘core securitisation services’ means services for which registration as a securitisation repository is required under Regulation (EU) 2017/2402;
(4) ‘ancillary securitisation services’ means services provided by a securitisation repository that are directly related to and arise from the delivery of core securitisation services provided by that securitisation repository;
(5) ‘ancillary non-securitisation services’ means services that are neither core securitisation services nor ancillary securitisation services;
(6) the following expressions have the meaning given to that expression in Article 2 of Regulation (EU) No 648/2012:
(a) ‘group’;
(b) ‘parent undertaking’;
(c) ‘subsidiary’;
(d) ‘capital’;
(e) ‘close links’;
(f) ‘board’;
(7) ‘senior management’ means the person or persons who effectively direct the business of the securitisation repository, and the executive member or members of its board.

Article 2

Identification, legal status and type of securitisation

(1)   An application for registration as a securitisation repository shall identify the applicant and the activities that the applicant intends to carry out for which registration as a securitisation repository is required.
(2)   For the purposes of paragraph 1, the application shall in particular contain the following:
(a) the corporate name of the applicant, its legal address within the Union and the corporate name and legal address of any subsidiaries and branches of the applicant;
(b) the applicant’s legal entity identifier (LEI) registered with the Global Legal Entity Identifier Foundation;
(c) the uniform resource locator (URL) of the applicant’s website;
(d) an excerpt from the relevant commercial or court register showing the place of incorporation and scope of business activity of the applicant, or some other form of certified evidence of the place of incorporation and scope of business activity of the applicant, valid in either case as at the date of the application for registration as a securitisation repository;
(e) the securitisation types (ABCP transaction or non-ABCP transaction), risk transfer methods (traditional securitisation or synthetic securitisation) and underlying exposure types (residential real estate, commercial real estate, corporate, leasing, consumer, automobile, credit card, esoteric) for which the applicant wishes to be registered;
(f) whether the applicant is authorised or registered by a competent authority in the Member State where it is established and, if so, the name of the competent authority and any reference number related to the authorisation or registration;
(g) the articles of incorporation or equivalent terms of establishment and, where relevant, other statutory documentation stating that the applicant is to conduct core securitisation services;
(h) the name and contact details of the person(s) responsible for compliance, or any other staff involved in compliance assessments for the applicant, in relation to its provision of core securitisation services;
(i) the name and contact details of the contact person for the purposes of the application;
(j) the programme of operations, including the location of the main business activities of the applicant;
(k) any ancillary securitisation or ancillary non-securitisation service that the applicant provides or intends to provide;
(l) any information on any pending judicial, administrative, arbitration or any other litigation proceedings irrespective of their type, that the applicant may be party to, particularly as regards tax and insolvency matters and where significant financial or reputational costs may be incurred, or any non-pending proceedings, that may still have any material impact on securitisation repository costs.
(3)   Upon request, the applicant shall provide ESMA with additional information during the examination of the application for registration where such information is needed for the assessment of the applicant’s ability to comply with the applicable requirements of Regulation (EU) 2017/2402 and for ESMA to duly interpret and analyse the documentation to be submitted or already submitted.
(4)   Where an applicant considers that a requirement of this Regulation is not applicable to it, it shall clearly indicate that requirement in its application and explain why that requirement does not apply.

Article 3

Organisational chart

(1)   An application for registration as a securitisation repository shall contain a chart detailing the organisational structure of the applicant, including that of any ancillary securitisation services and of any ancillary non-securitisation services.
(2)   The chart referred to in paragraph 1 shall include information about the identity of the person responsible for each significant role, including the identity of each member of its senior management and of persons who effectively direct the business of any subsidiaries and branches.

Article 4

Corporate governance

(1)   An application for registration as a securitisation repository shall contain information regarding the applicant’s internal corporate governance policies and the procedures and terms of reference which govern its senior management, including the board, its non-executive members and, where established, committees.
(2)   The information referred to in paragraph 1 shall describe the selection process, appointment, performance evaluation and removal of senior management.
(3)   Where the applicant adheres to a recognised corporate governance code of conduct, the application for registration as a securitisation repository shall identify the code and provide an explanation for any situations where the applicant deviates from that code.

Article 5

Internal control

(1)   An application for registration as a securitisation repository shall contain detailed information about the internal control system of the applicant, including information regarding its compliance function, risk assessment, internal control mechanisms and the arrangements of its internal audit function.
(2)   The detailed information referred to in paragraph 1 shall contain:
(a) the applicant’s internal control policies and the procedures to ensure the consistent and effective implementation of those policies;
(b) any policies, procedures and manuals for monitoring and evaluating the adequacy and effectiveness of the applicant’s systems;
(c) any policies, procedures and manuals for controlling and safeguarding the applicant’s information processing systems;
(d) the identity of the internal bodies in charge of evaluating any internal control findings.
(3)   An application for registration as a securitisation repository shall contain the following information with respect to the applicant’s internal audit activities:
(a) in case there is an Internal Audit Committee, its composition, competences and responsibilities;
(b) its internal audit function charter, methodologies, standards and procedures;
(c) an explanation of how its internal audit function charter, methodology and procedures are developed and applied, taking into account the nature and extent of the applicant’s activities, complexities and risks;
(d) a work plan for the Internal Audit Committee for the three years following the date of application, focusing on the nature and extent of the applicant’s activities, complexities and risks.

Article 6

Conflicts of interest

(1)   An application for registration as a securitisation repository shall contain the following information on the policies and procedures put in place by the applicant to manage conflicts of interest:
(a) policies and procedures with respect to the identification, management, elimination, mitigation and disclosure of conflicts of interest without delay;
(b) a description of the process used to ensure that the relevant persons are aware of the policies and procedures referred to in point (a);
(c) a description of the level and form of separation that exists between the various business functions within the applicant’s organisation, including a description of:
(i) the measures taken to prevent or control the exchange of information between functions where a risk of a conflict of interest may arise;
(ii) the supervision of those whose main functions involve interests that are potentially in conflict with those of a client;
(d) any other measures and controls put in place to ensure the policies and procedures referred to in point (a) with respect to conflicts of interest management and the process referred to in point (b) are followed.
(2)   An application for registration as a securitisation repository shall contain an up-to-date inventory, at the time of the application, of existing and potential material conflicts of interest in relation to any core or ancillary securitisation services as well as any ancillary non-securitisation services provided or received by the applicant and a description of how those conflicts are, or will be managed. The inventory shall include conflicts of interest arising from the following situations:
(a) any situation where the applicant may realise a financial gain or avoid a financial loss, to the detriment of a client;
(b) any situation where the applicant may have an interest in the outcome of a service provided to a client, which is distinct from the client’s interest in that outcome;
(c) any situation where the applicant may have an incentive to prioritise its own interests or the interest of another user or group of users rather than the interests of the client to whom a service is provided;
(d) any situation where the applicant receives or may receive an incentive from any person other than the client, in relation to a service provided to the client, in the form of money, goods or services, but excluding incentives by way of commission or fees received for the service.
(3)   Where an applicant is part of a group, the inventory shall include any existing and potential material conflicts of interest arising from other undertakings within the group and how those conflicts are being managed and mitigated.

Article 7

Ownership of the securitisation repository

(1)   An application for registration as a securitisation repository shall contain:
(a) a list containing the name of each person or entity who directly or indirectly holds 5 % or more of the applicant’s capital or of its voting rights or whose holding makes it possible to exercise a significant influence over the applicant’s management;
(b) a list of any undertakings in which a person referred to in point (a) holds 5 % or more of the capital or voting rights or over whose management they exercise a significant influence.
(2)   Where the applicant has a parent undertaking or an ultimate parent undertaking, the applicant shall:
(a) identify the LEI registered with the Global Legal Entity Identifier Foundation, and legal address of the parent undertaking or the ultimate parent undertaking;
(b) indicate whether the parent undertaking or ultimate parent undertaking is authorised or registered and subject to supervision and, when this is the case, state any reference number and the name of the responsible supervisory authority.

Article 8

Ownership chart

(1)   An application for registration as a securitisation repository shall contain a chart showing the ownership links within the applicant’s group, including between the ultimate parent undertaking, parent undertaking, subsidiaries and any other associated entities or branches.
(2)   The undertakings in the chart referred to in paragraph 1 shall be identified by their full name, legal status, legal address and LEI registered with the Global Legal Entity Identifier Foundation.

Article 9

Policies and procedures

Policies and procedures that are to be provided as part of an application for registration as a securitisation repository shall contain the following:
(a) evidence that the board approves the policies and that senior management approves the procedures and is responsible for the implementation and maintenance of those policies and procedures;
(b) a description of how those policies and procedures are communicated within the applicant’s organisation, how compliance with those policies and procedures is ensured and monitored on a day-to-day basis, and who is responsible for compliance with those policies and procedures;
(c) any records indicating that staff members and staff members who are operating under any outsourcing arrangement are aware of those policies and procedures;
(d) a description of the measures to be taken in the event of a breach of those policies and procedures;
(e) a description of the procedure for reporting to ESMA any material breach of the policies or procedures which may result in a breach of the conditions for registration;
(f) a description of the arrangements for notifying ESMA promptly of any planned material changes to the applicant’s information technology systems, prior to their implementation.

Article 10

Regulatory compliance

An application for registration as a securitisation repository shall contain the following regarding the applicant’s policies and procedures for ensuring compliance with Regulation (EU) 2017/2402:
(a) a description of the roles of the persons responsible for compliance and of any other staff involved in the compliance assessments, including a description of how the independence of the compliance function from the rest of the business is ensured;
(b) the internal policies and procedures designed to ensure that the applicant, including its managers and employees, complies with Regulation (EU) 2017/2402, including a description of the role of the board and senior management;
(c) where available, the most recent internal report on compliance with Regulation (EU) 2017/2402 prepared by the persons responsible for such compliance or by any other staff involved in such compliance assessments within the applicant’s organisation.

Article 11

Staffing policies and procedures

An application for registration as a securitisation repository shall contain the following:
(a) a copy of the remuneration policy for senior management, board members and for staff employed in risk and control functions of the applicant;
(b) a description of the measures put in place by the applicant to mitigate the risk of over-reliance on any individual employee.

Article 12

Information about the applicant’s staff members involved in the provision of core securitisation services

An application for registration as a securitisation repository shall contain the following information about the applicant’s staff members involved in the provision of core securitisation services:
(a) a general list of staff members directly employed by the applicant, including their role and qualifications per role;
(b) a specific description of the information technology staff members directly employed to provide core securitisation services, including the role and the qualifications of each individual;
(c) a description of the roles and qualifications of each individual who is responsible for internal audit, internal controls, compliance, risk assessment and internal review;
(d) the identity of staff members and the identity of staff members who are operating under any outsourcing arrangement;
(e) details of training provided to staff members on the applicant’s policies and procedures as well as on the securitisation repository business, including any examination or other type of formal assessment required for staff members regarding the conduct of core securitisation services.
The description referred to in point (b) of the first paragraph shall include written evidence of the experience in information technology of at least one staff member responsible for information technology matters.

Article 13

Financial reports and business plans

(1)   An application for registration as a securitisation repository shall contain the following financial information:
(a) a complete set of financial statements of the applicant, prepared in conformity with either of the following:
(i) international standards adopted in accordance with Article 3 of Regulation (EC) No 1606/2002 of the European Parliament and of the Council (5);
(ii) national accounting standards of the Member State in which the applicant is established, as required by Directive 2013/34/EU of the European Parliament and of the Council (6);
(b) where the financial statements of the applicant are subject to statutory audit within the meaning given in Article 2(1) of Directive 2006/43/EC of the European Parliament and of the Council (7), the financial statements shall contain the audit report on the annual and consolidated financial statements;
(c) where the applicant is audited, the name and the national registration number of the external auditor.
(2)   Where the financial information referred to in paragraph 1 is not available, an application for registration as a securitisation repository shall contain the following information about the applicant:
(a) a pro-forma statement demonstrating proper resources and expected business status in the six months following registration as a securitisation repository;
(b) an interim financial report where the financial statements are not yet available for the period of time required under the acts specified in paragraph 1;
(c) a statement of financial position, such as a balance sheet, income statement, changes in equity and of cash flows, a summary of accounting policies and other explanatory notes required under the acts specified in paragraph 1.
(3)   An application for registration as a securitisation repository shall contain a financial business plan, containing different business scenarios for the provision of core securitisation services over a minimum three-year reference period and including the following information for each scenario:
(a) the expected revenue from each of the following categories of service provided by the applicant, stated separately for each such category:
(i) core securitisation services;
(ii) ancillary securitisation services;
(iii) core trade repository services of centrally collecting and maintaining the records of derivatives under Regulation (EU) No 648/2012;
(iv) ancillary trade repository services that are directly related to and arising from centrally collecting and maintaining the records of derivatives under Regulation (EU) No 648/2012;
(v) core trade repository services of centrally collecting and maintaining the records of securities financing transactions under Regulation (EU) 2015/2365;
(vi) ancillary trade repository services that are directly related to and arising from centrally collecting and maintaining the records of securities financing transactions under Regulation (EU) 2015/2365;
(vii) combined ancillary services that are directly related to and arising from each of the following combinations of service:
— both core securitisation services and core trade repository services of centrally collecting and maintaining the records of derivatives under Regulation (EU) No 648/2012;
— both core securitisation services and core trade repository services of centrally collecting and maintaining the records of securities financing transactions under Regulation (EU) 2015/2365;
— both core trade repository services of centrally collecting and maintaining the records of derivatives under Regulation (EU) No 648/2012 and core trade repository services of centrally collecting and maintaining the records of securities financing transactions under Regulation (EU) 2015/2365;
(viii) any ancillary non-securitisation services, whether or not provided in the Union, that are subject to registration and to supervision by a public authority;
(b) the number of securitisation transactions that the applicant expects to be made available to users listed in Article 17(1) of Regulation (EU) 2017/2402;
(c) the fixed and variable costs for providing core securitisation services.
The different business scenarios identified in the financial business plan shall include a base revenue scenario, positive and negative variations of at least 20 % from that base revenue scenario, and positive and negative variations of at least 20 % from the base expected number of securitisation transactions identified in the financial business plan.
(4)   An application for registration as a securitisation repository shall contain the audited annual financial statements of any parent undertaking for the three financial years preceding the date of the application, where available.
(5)   An application for registration as a securitisation repository shall contain the following information about the applicant:
(a) a description of any future plans for the establishment of subsidiaries and the location of those subsidiaries;
(b) a description of planned business activities, including business activities of any subsidiaries or branches.

Article 14

Information technology resources

An application for registration as a securitisation repository shall contain the following information about information technology resources:
(a) a detailed description of the information technology system used by the applicant to provide core securitisation services, including a description of which information technology system will be used for which securitisation type and underlying exposure type as referred to in Article 2(2)(e);
(b) the relevant business requirements, the functional and technical specifications, the storage capacity, the system scalability (both for performing its functions and handling increases in information to process and access requests), the maximum limits on the size of data submissions made in accordance with Commission Delegated Regulation (EU) 2020/1229 (8), the architectural and technical design of the system, the data model and data flows and the operations and administrative procedures and manuals;
(c) a detailed description of user facilities developed by the applicant in order to provide services to users;
(d) the investment and renewal policies and procedures on information technology resources of the applicant, including the review and development cycle of the applicant’s systems and versioning and testing policies;
(e) a document describing in detail how the applicant has implemented the reporting templates, via an Extensible Markup Language (XML) schema, set out in the Annexes to Commission Implementing Regulation (EU) 2020/1225 (9), the Annexes to Commission Implementing Regulation (EU) 2020/1227 (10) and any additional XML messages, using the specifications made available by ESMA;
(f) the policies and procedures for handling any changes to the reporting templates set out in the Annexes to Implementing Regulation (EU) 2020/1225.

Article 15

Information collection and availability mechanisms

(1)   An application for registration as a securitisation repository shall contain:
(a) a detailed description of the procedure and of the resources, methods and channels that the applicant will use to ensure the timely, structured and comprehensive collection of data from reporting entities, including a copy of any reporting manual to be made available to reporting entities;
(b) a description of the resources, methods and channels that the applicant will use to ensure direct and immediate access to the information referred to in Articles 2 to 8 of Commission Delegated Regulation (EU) 2020/1224 (11) to the entities listed in Article 17(1) of Regulation (EU) 2017/2402, including a copy of any user manual and internal procedures that are needed for obtaining such access;
(c) a description of the procedures that the applicant will use to calculate the data completeness scores referred to in Article 3 of Delegated Regulation (EU) 2020/1229 and a description of the resources, methods and channels that the applicant will use to ensure direct and immediate access to those data completeness scores to the entities listed in Article 17(1) of Regulation (EU) 2017/2402, in accordance with that Regulation, including a copy of any user manual and internal procedures that are needed for obtaining such access.
(2)   The detailed description referred to in point (a) of paragraph 1 shall:
(a) distinguish between automated and manual resources, methods, and channels;
(b) where any of the resources, methods or channels are manual:
(i) describe how those resources, methods or channels are scalable as referred to in point (b) of Article 14 of this Regulation;
(ii) describe the specific procedures put in place by the applicant to ensure that those resources, methods and channels comply with Article 24 of this Regulation.

Article 16

Ancillary services

Where an applicant for registration as a securitisation repository, an undertaking within the applicant’s group, or an undertaking with which the applicant has an agreement relating to core securitisation services, offers, or plans to offer, ancillary securitisation services or ancillary non-securitisation services, the application for registration shall contain:
(a) a description of the ancillary securitisation services or ancillary non-securitisation services that the applicant, or the undertaking within its group, performs or plans to perform, and a description of any agreement that the applicant may have with undertakings offering any such services, as well as copies of those agreements;
(b) the procedures and policies that will ensure the necessary level of operational separation in terms of resources, systems, information and procedures between the applicant’s core securitisation services and any ancillary securitisation or ancillary non-securitisation services, irrespective of whether that service is provided by the applicant, an undertaking within its group, or any other undertaking with which it has an agreement.

Article 17

Senior management and members of the board

An application for registration as a securitisation repository shall contain the following information in respect of each member of the senior management:
(a) a copy of the member’s curriculum vitae, including the following information to the extent relevant in assessing the adequacy of the member’s experience and knowledge for the purposes of performing his or her responsibilities:
(i) an overview of the member’s post-secondary education;
(ii) the member’s employment history with dates, identification of positions held and a description of the functions occupied;
(iii) any professional qualification held by the member, together with the date when that qualification was acquired and the status of any membership in a relevant professional body;
(b) detailed information on knowledge and experience on securitisation matters and on IT management, operations and development;
(c) details regarding any criminal convictions in connection with the provision of financial or data services or in relation to acts of fraud or embezzlement, in particular in the form of an official certificate, if available within the relevant Member State;
(d) a declaration signed by the member that states whether he or she:
(i) has been convicted of any criminal offence in connection with the provision of financial or data services or in relation to acts of fraud or embezzlement;
(ii) has been subject to any adverse decision in any proceedings of a disciplinary nature brought by a regulatory authority or government body or agency or is the subject of any such proceedings which are not concluded;
(iii) has been subject to an adverse judicial finding in civil proceedings before a court in connection with the provision of financial or data services, or for impropriety or fraud in the management of a business;
(iv) has been part of the board or senior management of an undertaking whose registration or authorisation was withdrawn by a regulatory body;
(v) has been refused the right to carry on activities which require registration or authorisation by a regulatory body;
(vi) has been part of the board or senior management of an undertaking which has gone into insolvency or liquidation, either while the member was connected to the undertaking or within a year of the member’s ceasing to be connected to the undertaking;
(vii) has been part of the board or senior management of an undertaking which was subject to an adverse decision or penalty by a regulatory body;
(viii) has been otherwise fined, suspended, disqualified, or been subject to any other sanction in relation to fraud, embezzlement or in connection with the provision of financial or data services, by a government or regulatory or professional body;
(ix) has been disqualified from acting as a director, disqualified from acting in any managerial capacity, or dismissed from employment or other appointment in an undertaking as a consequence of misconduct or malpractice;
(e) a declaration of any potential conflicts of interests that the member may have in performing his or her duties and how these conflicts are managed.

Article 18

Transparency of access rules

(1)   An application for registration as a securitisation repository shall contain:
(a) the policies and procedures pursuant to which different types of user will report and access the information centrally collected, produced and maintained in the securitisation repository, including any process for users to access, view, consult or modify the information maintained by the securitisation repository, as well as the procedures used to authenticate the identity of users accessing the securitisation repository;
(b) a copy of the terms and conditions which determine the rights and obligations of the different types of user in relation to information maintained by the securitisation repository;
(c) a description of the different categories of access available to users;
(d) a detailed description of the access policies and procedures to ensure that users have non-discriminatory access to information maintained by the securitisation repository, including:
(i) any access restrictions;
(ii) variations in access conditions or restrictions across reporting entities and across the different entities listed in Article 17(1) of Regulation (EU) 2017/2402;
(iii) how the access policies and procedures ensure that access is restricted to the least possible extent and which procedures exist to question and reverse a restriction or denial of access;
(e) a detailed description of the access policies and procedures pursuant to which other service providers have non-discriminatory access to information maintained by the securitisation repository where the relevant reporting entity has provided its written, voluntary and revocable consent, including:
(i) any access restrictions;
(ii) variations in access conditions or restrictions;
(iii) how the access policies and procedures ensure that access is restricted to the least possible extent and which procedures exist to question and reverse a restriction or denial of access;
(f) a description of the channels and mechanisms to publicly disclose to potential and actual users the procedures by which those users may ultimately access the information maintained by the securitisation repository and to publicly disclose to potential and actual reporting entities the procedures by which they may ultimately make available information via the applicant.
(2)   The information referred to in points (a) to (d) of paragraph 1 shall be specified for each of the following categories of user:
(a) staff and other personnel affiliated with the applicant, including within the same group;
(b) originators, sponsors and SSPEs (as a single category);
(c) the entities listed in Article 17(1) of Regulation (EU) 2017/2402;
(d) other service providers;
(e) each other category of user identified by the applicant (with the information specified separately for each such category).

Article 19

Pricing policy transparency

An application for registration as a securitisation repository shall contain a description of the following:
(a) the applicant’s pricing policy, including any existing discounts, rebates and conditions to benefit from such reductions;
(b) the applicant’s fee structure for providing core and ancillary securitisation services, including the estimated cost of each of those services, along with the details of the methods used to account for the separate cost that the applicant may incur when providing core securitisation services and ancillary securitisation services, as well as the fees charged by the applicant for transferring information to another securitisation repository and for receiving information transferred from another securitisation repository;
(c) the methods used by the applicant to make the information referred to in points (a) and (b) publicly available, including a copy of the fee structure separated according to core securitisation services and, where these are provided, ancillary securitisation services.

Article 20

Operational risk

(1)   An application for registration as a securitisation repository shall contain:
(a) a detailed description of the resources available and procedures designed to identify and mitigate operational risk and any other material risk to which the applicant is exposed, including a copy of any relevant policies, methodologies, internal procedures and manuals drawn up for that purpose;
(b) a description of the liquid net assets funded by equity to cover potential general business losses in order to continue providing core securitisation services as a going concern;
(c) an assessment of the sufficiency of the applicant’s financial resources to cover the operational costs of a wind-down or reorganisation of the critical operations and services over at least a nine-month period;
(d) the applicant’s business continuity plan and a description of the policy for updating that plan, including:
(i) all business processes, resources, escalation procedures and related systems which are critical to ensuring the core securitisation services of the applicant, including any relevant outsourced service and including the applicant’s strategy, policy and objectives for the continuity of those processes;
(ii) any arrangements in place with other financial market infrastructure providers including other securitisation repositories;
(iii) the arrangements to ensure a minimum service level of the critical functions and the expected timing of the full recovery of those functions;
(iv) the maximum acceptable recovery time for business processes and systems, taking into account the deadlines for reporting laid down in Article 7(1) of Regulation (EU) 2017/2402 and the volume of information that the applicant needs to process within the quarterly period;
(v) the procedures to deal with incident logging and reviews;
(vi) a periodic testing programme, ensuring that sufficient tests will be carried out to cover an adequate range of possible scenarios, in the short and medium term, including but not limited to system failures, natural disasters, communication disruptions, loss of key staff and inability to use the premises regularly used and providing for the tests to identify how hardware, software and communications respond to potential threats, together with the results and follow-up actions resulting from any tests and those systems that have been shown to be unable to cope with the specific scenarios being tested;
(vii) the number of alternative technical and operational sites available, their location, the resources of those sites when compared with the main site and the business continuity procedures in place in the event that alternate sites need to be used;
(viii) information on access to a secondary business site to enable staff to ensure continuity of core securitisation services if a main office location is not available;
(ix) plans, procedures and arrangements for handling emergencies and ensuring safety of staff;
(x) plans, procedures and arrangements to manage crises, to coordinate the overall business continuity efforts and to determine their timely (within the recovery time objective set by the applicant) and effective activation, mobilisation and escalation capabilities;
(xi) plans, procedures and arrangements to recover the applicant’s system, application and infrastructure components within the recovery time objective set by the applicant;
(xii) details on staff training on the operation of the business continuity arrangements, and individuals’ roles in that regard, including specific security operations staff ready to react immediately to a disruption of services;
(e) a description of the arrangements for ensuring the applicant’s core securitisation services in case of disruption and the involvement of its users and other third parties in those arrangements;
(f) a description of the applicant’s arrangements for publishing on its website and promptly informing ESMA and other users of any service interruptions or connection disruptions as well as the time estimated to be needed to resume regular service;
(g) a description of the applicant’s arrangements permitting its staff to continuously monitor in real-time the performance of its information technology systems.
(2)   An application for registration as a securitisation repository shall include a copy of policies and procedures to ensure the orderly transfer of information to other securitisation repositories and the redirection of reporting flows to other securitisation repositories.

Article 21

Outsourcing

(1)   An application for registration as a securitisation repository shall demonstrate that, where an applicant arranges for activities to be performed on its behalf by third parties, including by undertakings with which it has close links, the applicant ensures that the third party has the ability and the capacity to perform those activities reliably and professionally.
(2)   The application for registration as a securitisation repository shall specify or contain all of the following:
(a) a description of the scope of the activities to be outsourced as well as the detail and extent to which those activities are outsourced;
(b) a copy of the relevant service level agreements with clear roles and responsibilities, metrics and targets for every key requirement of the applicant that is outsourced, the methods employed to monitor the service level of the outsourced functions and the measures or actions to be taken in the event of not meeting service level targets;
(c) a copy of the contracts governing those service level agreements, including the identification of the third party service provider;
(d) a copy of any external reports on the outsourced activities, where available;
(e) details of the organisational measures and policies with respect to outsourcing and the risks posed by it as specified in paragraph 4.
(3)   The application for registration shall demonstrate that the outsourcing does not reduce the applicant’s ability to perform senior management or management body functions.
(4)   The application for registration as a securitisation repository shall contain information sufficient to demonstrate how the applicant remains responsible for any outsourced activity and a description of the organisational measures taken by the applicant to ensure the following:
(a) that the third party service provider is carrying out outsourced activities effectively and in compliance with applicable laws and regulatory requirements and that the third party service provider adequately addresses identified failures;
(b) the identification by the applicant of risks in relation to outsourced activities and the adequate periodic monitoring of those risks;
(c) that there are adequate control procedures with respect to outsourced activities, including effective supervision of those activities and of their risks within the applicant;
(d) the adequate business continuity of outsourced activities.
For the purposes of point (d) of the first subparagraph, the applicant shall provide information on the business continuity arrangements of the third party service provider, including the applicant’s assessment of the quality of those business continuity arrangements and, where needed, any improvements to those business continuity arrangements that have been requested by the applicant.
(5)   Where the third-party service provider is supervised by a regulatory authority, the application for registration shall also contain information demonstrating that the third-party service provider cooperates with that authority in connection with outsourced activities.

Article 22

Security

(1)   An application for registration as a securitisation repository shall contain proof of the following:
(a) that its information technology systems are protected from misuse or unauthorised access;
(b) that its information systems as defined in Article 2(a) of Directive 2013/40/EU of the European Parliament and of the Council (12) are protected against attacks;
(c) that unauthorised disclosure of confidential information is prevented;
(d) that the security and integrity of the information received by it under Regulation (EU) 2017/2402 is ensured.
(2)   The application shall contain proof that the applicant has arrangements in place to identify and manage the risks referred to in paragraph 1 in a prompt and timely manner.
(3)   With respect to breaches in the physical and electronic security measures referred to in paragraphs 1 and 2, the application shall contain proof that the applicant has arrangements in place to do the following in a prompt and timely manner:
(a) to notify ESMA of the incident giving rise to the breach;
(b) to provide ESMA with an incident report, indicating the nature and details of the incident, the measures adopted to cope with the incident and the initiatives taken to prevent similar incidents;
(c) to notify its users of the incident where they have been affected by the breach.

Article 23

Verification procedures

(1)   An application for registration as a securitisation repository shall contain a description of the policies and procedures put in place by the applicant to:
(a) authenticate the identity of the user accessing the applicant’s systems;
(b) authorise and permit the recording of information received by the applicant under Regulation (EU) 2017/2402 for the relevant securitisation;
(c) comply with Articles 2 to 4 of Delegated Regulation (EU) 2020/1229;
(d) verify and highlight duplicate submissions;
(e) identify information not received by it where there is an obligation to make that information available under Article 7(1) of Regulation (EU) 2017/2402.
(2)   The application shall also contain documentation providing several detailed example test cases, including graphics, that demonstrate the applicant’s ability to comply with the obligations set out in paragraph 1. With regard to point (c) of paragraph 1, several detailed example test cases shall be provided for each of the verifications listed in Article 4 of Delegated Regulation (EU) 2020/1229.

Article 24

Quality of information produced

With respect to information produced by the applicant pursuant to Delegated Regulation (EU) 2020/1229, an application for registration as a securitisation repository shall contain a detailed description of the procedures put in place by the applicant to ensure that it accurately makes available the information received from reporting entities, without itself introducing any errors or omitting information.

Article 25

Confidentiality

(1)   An application for registration as a securitisation repository shall contain a detailed description of the internal policies, procedures and mechanisms preventing:
(a) any use of the information maintained by the applicant for illegitimate purposes;
(b) disclosure of confidential information;
(c) the commercial use of information maintained by the applicant where such use is prohibited.
(2)   The description referred to in paragraph 1 shall contain a description of the internal procedures on staff permissions for using passwords to access the information, specifying the staff purpose and the scope of the information being viewed and any restrictions on the use of information.
(3)   Applicants shall provide ESMA with information on the processes to keep a log identifying each staff member accessing the information maintained by the applicant, the time of access, the nature of the information accessed and the purpose.

Article 26

Record-keeping policy

(1)   An application for registration as a securitisation repository shall contain the following information:
(a) the record-keeping systems, policies and procedures that are used in order to ensure that the information made available by a reporting entity under Regulation (EU) 2017/2402 by means of the applicant is recorded and maintained by the applicant in accordance with Article 80(3) of Regulation (EU) No 648/2012, as applied by Article 10(2) of Regulation (EU) 2017/2402;
(b) a detailed description of the record-keeping systems, policies and procedures that are used in order to ensure that information made available by a reporting entity under Regulation (EU) 2017/2402 by means of the applicant is modified appropriately and in accordance with relevant legislative or regulatory requirements;
(c) information about the receipt and administration of information made available by a reporting entity under Regulation (EU) 2017/2402 by means of the applicant, including a description of any policies and procedures put in place by the applicant to ensure the following:
(i) the timely and accurate recording of the information received;
(ii) the record-keeping of all information received that relates to the receipt, modification or termination of a securitisation transaction in a reporting log;
(iii) that the information is maintained both online and offline;
(iv) that the information is adequately copied for business continuity purposes.
(2)   The application for registration shall also include the applicant’s policies and procedures to promptly record, and maintain for at least 10 years following the termination of the securitisation, the verifications, validations and information produced by the applicant under Delegated Regulation (EU) 2020/1229.

Article 27

Payment of fees

An application for registration as a securitisation repository shall contain proof of payment of the registration fees referred to in Article 16 of Regulation (EU) 2017/2402.

Article 28

Verification of the accuracy and completeness of the application

(1)   Any information submitted to ESMA during the registration process shall be accompanied by a letter signed by a member of the board of the applicant and a member of the applicant’s senior management, attesting that the information submitted is accurate and complete to the best of their knowledge, as of the date of submission.
(2)   The information shall also be accompanied, where relevant and available, with the relevant corporate legal documentation certifying the accuracy of the application information.

Article 29

Information requirements for a registered trade repository seeking to provide core securitisation services

(1)   An application under Article 10(5)(b) of Regulation (EU) 2017/2402 for an extension of registration for the purposes of Article 7 of that Regulation shall contain the information and documentation required by the following provisions of this Regulation:
(a) Article 2, except point (d) of paragraph 2;
(b) Article 3;
(c) Article 5, except point (d) of paragraph 2;
(d) Article 6;
(e) Article 9;
(f) Article 10(b);
(g) Article 12;
(h) Article 13(2);
(i) Articles 14, 15 and 16;
(j) Article 17(b) and Article 17(e);
(k) Articles 18 to 24;
(l) Article 25(2);
(m) Articles 26, 27 and 28.
(2)   Information and documentation required by any provisions of this Regulation that are not covered by paragraph 1 shall be included in an application only insofar as there is a difference in the content of that particular information or documentation as at the time when the application is made, compared with the content as last provided to ESMA most recently prior to that time under Chapter 1 of Title VI of Regulation (EU) No 648/2012 or Chapter III of Regulation (EU) 2015/2365, as applicable.
(3)   For the purposes of this Article, references in paragraphs 3 and 4 of Article 2 and in Articles 3 to 28 to an application for registration shall be taken to include reference to an application for an extension of registration.

Article 30

Entry into force

This Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 29 November 2019.
For the Commission
The President
Jean-Claude JUNCKER
(1)  OJ L 347, 28.12.2017, p. 35.
(2)  Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).
(3)  Regulation (EU) 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse and amending Regulation (EU) No 648/2012 (OJ L 337, 23.12.2015, p. 1).
(4)  Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).
(5)  Regulation (EC) No 1606/2002 of the European Parliament and of the Council of 19 July 2002 on the application of international accounting standards (OJ L 243, 11.9.2002, p. 1).
(6)  Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (OJ L 182, 29.6.2013, p. 19).
(7)  Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC (OJ L 157, 9.6.2006, p. 87).
(8)  Commission Delegated Regulation (EU) 2020/1229 of 29 November 2019 supplementing Regulation (EU) 2017/2402 of the European Parliament and of the Council with regard to regulatory technical standards on securitisation repository operational standards for data collection, aggregation, comparison, access and verification of completeness and consistency (see page 335 of this Official Journal).
(9)  Commission Implementing Regulation 2020/1225 of 29 October 2019 laying down implementing technical standards with regard to the format and standardised templates for making available the information and details of a securitisation by the originator, sponsor and SSPE (see page 217 of this Official Journal).
(10)  Commission Implementing Regulation 2020/1227 of 12 November 2019 laying down implementing technical standards with regard to templates for the provision of information in accordance with the STS notification requirements (see page 315 of this Official Journal).
(11)  Commission Delegated Regulation (EU) 2020/1224 of 16 October 2019 supplementing Regulation (EU) 2017/2402 of the European Parliament and of the Council with regard to regulatory technical standards specifying the information and the details of a securitisation to be made available by the originator, sponsor and SSPE (see page 1 of this Official Journal).
(12)  Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).