Commission Delegated Regulation (EU) 2017/392Show full title

CHAPTER VIIU.K. RISK MONITORING TOOLS (Article 26(1) to (7) of Regulation (EU) No 909/2014)

Article 47U.K.Risk monitoring tools of CSDs

1.A CSD shall establish, as part of its governance arrangements, documented policies, procedures and systems that identify, measure, monitor, manage and enable reporting on the risks that the CSD may be exposed to and the risks that the CSD poses to any other entities including its participants and their clients, as well as linked CSDs, CCPs, trading venues, payment systems, settlement banks, liquidity providers and investors.

The CSD shall structure the policies, procedures and systems referred to in the first subparagraph so as to ensure that users and, where relevant, their clients properly manage and address the risks they pose to the CSD.

2.For the purposes of paragraph 1, the governance arrangements of the CSD shall include the following:

(a)the composition, role, responsibilities, procedures for appointment, performance assessment and accountability of the management body and of its risk monitoring committees;

(b)the structure, role, responsibilities, procedures for appointment and performance assessment of the senior management;

(c)the reporting lines between the senior management and the management body;

The governance arrangements referred to in the first subparagraph shall be clearly specified and well documented.

3.A CSD shall establish and specify the tasks of the following functions:

(a)a risk-management function;

(b)a technology function;

(c)a compliance and internal control function;

(d)an internal audit function.

Each function shall have a well-documented description of its tasks, the necessary authority, resources, expertise and access to all relevant information to carry out those tasks.

Each function shall operate independently from the other functions of the CSD.

Article 48U.K.Risk monitoring committees

1.A CSD shall establish the following committees:

(a)a risk committee responsible for advising the management body on the CSD's overall current and future risk tolerance and strategy;

(b)an audit committee responsible for advising the management body on the performance of the CSD's internal audit function, which it shall oversee;

(c)a remuneration committee responsible for advising the management body on the CSD's remuneration policy, which it shall oversee.

2.Each committee shall be chaired by a person who has appropriate experience in the field of competence of that committee and is independent from the CSD's executive members of the management body.

The majority of members of each committee shall not be executive members of the management board.

The CSD shall establish a clear and publicly available mandate and procedures for each committee, and shall ensure their access to external expert advice where necessary.

Article 49U.K.Responsibilities of key personnel in respect to the risks

1.A CSD shall have adequate staff to meet its obligations. A CSD shall not share staff with other group entities, unless it does so under the terms of a written outsourcing arrangement in accordance with Article 30 of Regulation (EU) No 909/2014.

2.The management body shall assume at least the following responsibilities:

(a)establish well-documented policies, procedures and processes by which the management body, senior management and committees shall operate;

(b)establish clear objectives and strategies for the CSD;

(c)effectively monitor senior management;

(d)establish adequate remuneration policies;

(e)ensure the surveillance of the risk-management function and take the decisions related to risk management;

(f)ensure the independence and adequate resources of the functions referred to in Article 47(3);

(g)monitor outsourcing arrangements;

(h)monitor and ensure compliance with all relevant regulatory and supervisory requirements;

(i)be accountable to shareholders or other owners, employees, users and other relevant stakeholders;

(j)approve internal audit planning and review;

(k)review and update regularly the governance arrangements of the CSD.

Where the management body or its members delegate tasks, they shall retain the responsibility for decisions that may affect the smooth provision of services by the CSD.

The CSD's management body shall hold the final responsibility for managing the CSD's risks. The management body shall define, determine and document an appropriate level of risk tolerance and risk bearing capacity for the CSD and for all the services that the CSD provides. The management body and senior management shall ensure that the CSD's policies, procedures and controls are consistent with the CSD's risk tolerance and risk bearing capacity and that these policies, procedures and controls address how the CSD identifies, reports, monitors and manages risks.

3.The senior management shall have at least the following responsibilities:

(a)ensure consistency of the activities of the CSD with the objectives and strategy of the CSD as determined by the management body;

(b)design and establish risk-management, technology, compliance and internal control procedures that promote the objectives of the CSD;

(c)subject the risk-management, technology, compliance and internal control procedures to regular review and testing;

(d)ensure that sufficient resources are devoted to risk management, technology, compliance and internal control, and internal audit.

4.A CSD shall establish lines of responsibility that are clear, consistent and well-documented. A CSD shall have clear and direct reporting lines between the members of its management body and the senior management in order to ensure that the senior management is accountable for its performance. The reporting lines for the risk-management function, compliance and internal control function and internal audit function shall be clear and separate from those for the operations of the CSD.

5.A CSD shall have a chief risk officer who shall implement the risk-management framework including the policies and procedures established by the management body.

6.A CSD shall have a chief technology officer who shall implement the technology framework including the policies and procedures established by the management body.

7.A CSD shall have a chief compliance officer who shall implement the compliance and internal control framework including the policies and procedures established by the management body.

8.A CSD shall ensure that the functions of the chief risk officer, chief compliance officer and chief technology officer are carried out by different individuals, who shall be employees of the CSD or of an entity from the same group as the CSD. A single individual shall have the responsibility for each of these functions.

9.The CSD shall establish procedures ensuring that the chief risk officer, the chief technology officer and the chief compliance officer have direct access to the management body.

10.Persons appointed as chief risk officer, chief compliance officer or chief technology officer may undertake other duties within the CSD provided that specific procedures are put in place in the governance arrangements to identify and manage any conflict of interest that may arise from those duties.

Article 50U.K.Conflicts of interest

1.A CSD shall put in place a policy in relation to conflicts of interest arising or affecting the CSD or its activities, including with respect to outsourcing arrangements.

2.Where a CSD is part of a group of undertakings, its organisational administrative arrangements shall take into account any circumstances, of which the CSD is or should be aware, which may give rise to a conflict of interest arising as a result of the structure and business activities of other undertakings of the same group.

3.Where a CSD shares the functions of chief risk officer, chief compliance officer, chief technology officer, or internal audit with other entities of the group, the governance arrangements shall ensure that related conflicts of interest at group level are appropriately managed.

4.The organisational and administrative arrangements referred to in Article 26(3) of Regulation (EU) No 909/2014 shall include a description of the circumstances which may give rise to a conflict of interest entailing a material risk of damage to the interests of one or more users of the CSD, or their clients, as well as the procedures to be followed and the measures to be adopted in order to manage those conflicts of interest.

5.The description of circumstances referred to in paragraph 4 shall take into account whether a member of the management body, senior management or staff of the CSD, or any person directly or indirectly linked to those individuals or to the CSD:

(a)has a personal interest in the use of the services, materials and equipment of the CSD for the purposes of another commercial activity;

(b)holds a personal or financial interest in another entity that enters into contracts with the CSD;

(c)holds a participation or a personal interest in another entity that provides services used by the CSD, including any entity to which the CSD outsources services or activities;

(d)has a personal interest in an entity that uses the service of the CSD;

(e)is related to any legal or natural person that has influence on the operations of any entity that provides the services used by the CSD or uses the services provided by the CSD;

(f)is member of the management body or any other bodies or committees of any entity that provides the services which are used by the CSD or uses the services provided for the CSD.

For the purposes of this paragraph, a direct or indirect link to a natural person shall comprise the spouse or legal partner, family members in direct ascending or descending line up to the second degree and their spouses or legal partners, the siblings and their spouse or legal partners, and any person having the same domicile or habitual residence as the employees, managers or members of the management body.

6.A CSD shall take all reasonable steps to prevent any misuse of the information held in its systems and shall prevent the use of that information for other business activities. A natural person who has access to information recorded in a CSD or a legal person that belongs to the same group as the CSD shall not use information recorded in that CSD for any commercial purposes without prior written consent of the person to whom the information refers.

Article 51U.K.Audit methods

1.The internal audit function of a CSD shall ensure the following:

(a)establish, implement and maintain an all-encompassing audit plan to examine and evaluate the adequacy and effectiveness of the CSD's systems, risk-management processes, internal control mechanisms, remuneration policies, governance arrangements, activities and operations, including outsourced activities;

(b)review and report the audit plan to the competent authority at least annually;

(c)establish a comprehensive risk-based audit;

(d)issue recommendations based on the result of work carried out in accordance with point (a) and verify compliance with those recommendations;

(e)report internal audit matters to the management body;

(f)be independent from the senior management and report directly to the management body;

(g)ensure that special audits may be performed at short notice on an event-driven basis.

2.Where the CSD belongs to a group, the internal audit function may be carried out at group level provided that the following requirements are complied with:

(a)it is separate and independent from other functions and activities of the group;

(b)it has a direct reporting line to the management body of the CSD;

(c)the arrangement concerning the operation of the internal audit function does not prevent the exercise of supervisory and oversight functions, including on-site access to acquire any relevant information needed to fulfil those functions.

3.The CSD shall assess the internal audit function.

Internal audit assessments shall include an on-going monitoring of the performance of the internal audit activity and periodic reviews performed through self-assessment carried out by the audit committee or by other persons within the CSD or the group with sufficient knowledge of internal audit practices.

An external assessment of the internal audit function shall be conducted by a qualified and independent assessor from outside the CSD and its group structure at least once every five years.

4.A CSD's operations, risk-management processes, internal control mechanisms and records shall be subject to regular internal or external audits.

The frequency of the audits shall be determined on the basis of a documented risk assessment. Audits referred to in the first subparagraph shall be carried out at least every two years.

5.A CSD's financial statement shall be prepared on an annual basis and be audited by statutory auditors or audit firms approved in accordance with Directive 2006/43/EC.

Article 52U.K.Sharing audit findings with the user committee

1.A CSD shall share audit findings with the user committee in any of the following cases:

(a)where the findings relate to the criteria for accepting issuers or users to their respective securities settlement systems operated by the CSDs;

(b)where the findings relate to any other aspect of the user committee's mandate;

(c)where the findings may impact the level of provision of services by a CSD, including ensuring business continuity.

2.Members of the user committee shall not be provided with information that may place those members at a competitive advantage.