Commission Delegated Regulation (EU) 2017/392Dangos y teitl llawn

SECTION 1 U.K. Identifying operational risks

Article 66U.K.General operational risks and their assessment

1.The operational risks referred to in Article 45(1) of Regulation (EU) No 909/2014 comprise the risks caused by deficiencies in information systems, internal processes, and personnel's performance or disruptions caused by external events that result in the reduction, deterioration or interruption of services provided by a CSD.

2.A CSD shall identify all potential single points of failure in its operations and assess the evolving nature of the operational risk that it faces, including pandemics and cyber-attacks, on an ongoing basis.

Article 67U.K.Operational risks that may be posed by key participants

1.A CSD shall, on an ongoing basis, identify the key participants in the securities settlement system that it operates based on the following factors:

(a)their transaction volumes and values;

(b)material dependencies between its participants and its participants' clients, where the clients are known to the CSD, that might affect the CSD;

(c)their potential impact on other participants and the securities settlement system of the CSD as a whole in the event of an operational problem affecting the smooth provision of services by the CSD.

For the purposes of point (b) in the first subparagraph, the CSD shall also identify the following:

2.A CSD shall review and keep the identification of the key participants up-to-date on an ongoing basis.

3.A CSD shall have clear and transparent criteria, methodologies and standards in order to ensure that key participants meet the operational requirements.

4.A CSD shall, on an ongoing basis, identify, monitor, and manage the operational risks that it faces from key participants.

For the purposes of the first subparagraph, the operational risk-management system referred to in Article 70 shall also provide for rules and procedures to gather all relevant information about their participants' clients. The CSD shall also include in the agreements with its participants all terms necessary to facilitate the gathering of that information.

Article 68U.K.Operational risks that may be posed by critical utilities and critical service providers

1.A CSD shall identify critical utilities providers and critical service providers that may pose risks to CSD's operations due to its dependency on them.

2.A CSD shall take appropriate actions to manage the dependencies referred to in paragraph 1 through adequate contractual and organisational arrangements, as well as through specific provisions in its business continuity policy and disaster recovery plan, before any relationship with those providers becomes operational.

3.A CSD shall ensure that its contractual arrangements with any providers identified in accordance with paragraph 1 require a prior approval of the CSD for the service provider to further subcontract any elements of the services provided to the CSD.

Where the service provider outsources its services in accordance with the first subparagraph, the CSD shall ensure that the level of service and its resilience is not impacted and full access by the CSD to the information necessary for the provision of the outsourced services is preserved.

4.A CSD shall establish clear lines of communication with the providers referred to in paragraph 1 to facilitate the exchange of information in both ordinary and exceptional circumstances.

5.A CSD shall inform its competent authority about any dependencies on utilities and service providers identified under paragraph 1 and take measures to ensure that authorities can obtain information about the performance of those providers, either directly from utilities or service providers or through the CSD.

Article 69U.K.Operational risks that may be posed by other CSDs or market infrastructures

1.A CSD shall ensure that its systems and communication arrangements with other CSDs or market infrastructures are reliable, secure and designed to minimise operational risks.

2.Any arrangement that a CSD enters into with another CSD or another market infrastructures shall provide that:

(a)the other CSD or other financial market infrastructure discloses to the CSD any critical service provider on which the other CSD or market infrastructure relies;

(b)the governance arrangements and management processes in the other CSD or other market infrastructure do not affect the smooth provision of services by the CSD, including the risk-management arrangements and the non-discriminatory access conditions.