Commission Delegated Regulation (EU) 2017/392 of 11 November 2016 supplementing Regulation (EU) No 909/2014 of the European Parliament and of the Council with regard to regulatory technical standards on authorisation, supervisory and operational requirements for central securities depositories (Text with EEA relevance. )

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 (1), and in particular Article 12(3), Article 17(9), Article 22(10), Article 25(12), Article 55(7), Article 18(4), Article 26(8), Article 29(3), Article 37(4), Article 45(7), Article 46(6), Article 33(5), Article 48(10), Article 49(5), Article 52(3), and Article 53(4) thereof,

Whereas:

(1) The provisions in this Regulation are closely linked, since they all deal with the supervisory requirements applicable to central securities depositories (CSDs). To ensure coherence between these provisions, which should enter into force at the same time, and to facilitate a comprehensive view and easy access by persons that are subject to these provisions, it is desirable to include all the regulatory technical standards concerning the supervisory requirements under Regulation (EU) No 909/2014 in a single Regulation.

(2) In view of the global nature of financial markets and given the commitments undertaken by the Union in this field, due regard should be had to the Principles for Financial Market Infrastructures issued by the Committee on Payment and Settlement Systems and the International Organisation of Securities Commissions (CPSS-IOSCO Principles) in April 2012.

(3) In order to ensure consistent application of rules concerning improving securities settlement in the Union, certain technical terms should be clearly defined.

(4) It is important to ensure appropriate authorisation and supervision of a CSD. As such, a list of the relevant authorities issuing the most relevant Union currencies in which settlement takes place to be involved in the process of authorisation and supervision of a CSD should be defined. This should be based on the share of the currencies that those authorities issue in the total value of settlement instructions against payment settled annually by a CSD and on the share of settlement instructions against payment settled by a CSD in a Union currency compared to the total value of settlement instructions against payment settled in that currency across all CSDs in the Union.

(5) In order to allow competent authorities to perform a thorough assessment, a CSD applying for authorisation should provide information on the structure of its internal controls and the independence of its governing bodies to enable the competent authority to assess whether the corporate governance structure ensures the independence of the CSD and whether that structure and its reporting lines, as well as the mechanisms adopted for managing possible conflicts of interest are adequate.

(6) To enable the competent authority to assess the good reputation and the experience and skills of the CSD's senior management and members of the management body, an applicant CSD should provide all relevant information to perform that assessment.

(7) Information on a CSD's branches and subsidiaries is necessary to enable the competent authority to clearly understand the CSD's organisational structure and evaluate any potential risk to the CSD due to the activity of those branches and subsidiaries.

(8) A CSD applying for authorisation should provide the competent authority with the relevant information to demonstrate that it has the necessary financial resources at its disposal and adequate business continuity arrangements for the performance of its functions on an ongoing basis.

(9) In addition to receiving information on the core activities, it is important for the competent authority to receive information on the ancillary services that the CSD applying for authorisation intends to offer to enable the competent authority to have a complete overview of the applicant CSD's services.

(10) In order for the competent authority to assess the continuity and orderly functioning of technological systems of an applicant CSD, that CSD should provide the competent authority with descriptions of the relevant technological systems and how they are managed, including if they are outsourced.

(11) Information concerning the fees associated with the core services provided by CSDs is important and should form part of the application for authorisation of a CSD in order to enable the competent authorities to verify whether those fees are proportionate, non-discriminatory and not bundled with the costs of other services.

(12) In order to ensure that the investors' rights are protected, and that conflict of laws issues are adequately managed, when assessing the measures that a CSD intends to take to allow its users to comply with the national laws referred to in Article 49(1) of Regulation (EU) No 909/2014, the CSD should take into account both issuers and participants, as appropriate, in accordance with the respective national laws.

(13) In order to secure fair and non-discriminatory access to the notary, central maintenance and securities settlement services within the financial market, issuers, other CSDs and other market infrastructures have been granted access to a CSD in accordance with Regulation (EU) No 909/2014. An applicant CSD should, therefore, provide the competent authority with information about its access policies and procedures.

(14) In order to carry out its authorisation duties effectively, the competent authority should receive all information from CSDs applying for authorisation and related third parties, including third parties to whom applicant CSDs have outsourced operational functions and activities.

(15) To ensure general transparency of governance rules of a CSD applying for authorisation, the competent authority should be provided with documents confirming that the applicant CSD has adopted the necessary arrangements for a non-discriminatory establishment of an independent user committee for each securities settlement system that it operates.

(16) To secure the orderly functioning of core infrastructure services within the financial market, a CSD applying for authorisation should provide the competent authority with all necessary information to demonstrate that it has adequate policies and procedures for ensuring reliable record-keeping systems as well as effective mechanisms for CSD services, including in particular the measures for preventing and addressing settlements fails, and the rules concerning the integrity of the issue, the protection of securities of participants and those of their clients, settlement finality, participant default and transfer of participants and clients' assets in case of a withdrawal of authorisation.

(17) The risk-management models associated with the services provided by an applicant CSD are a necessary item in its application for authorisation so as to enable the competent authority to evaluate the reliability and integrity of the adopted procedures and help market participants make an informed choice.

(18) In order to verify the safety of the link arrangements of the CSD applying for authorisation, to assess the rules applied in the linked systems and evaluate the risks stemming from those links, the competent authority should receive from an applicant CSD any relevant information for the analysis, together with the CSD assessment of the link arrangements.

(19) When granting the approval of a CSD's participation in the capital of another entity, the competent authority of the CSD should take into consideration the criteria that ensure that the participation does not increase significantly the CSD's risk profile. In order to ensure its safety and continuity of its services, a CSD should not assume unlimited financial liabilities as a result of its participation in the capital of legal persons other than those providing the services set out in Regulation (EU) No 909/2014. A CSD should fully capitalise the risks resulting from any participation in the capital of another entity.

(20) In order for a CSD not to be dependent on other shareholders of the entities in which it holds a participation, including with regard to the risk-management policies, it should have full control of those entities. This requirement should also facilitate the exercise of supervisory and oversight functions by competent authorities and relevant authorities by allowing easy access to relevant information.

(21) A CSD should have a clear strategic rationale for the participation beyond mere profit making, taking into account the interests of the issuers of securities issued with the CSD; its participants and its clients.

(22) In order to properly quantify and outline the risks stemming from its participation in the capital of another legal person, a CSD should provide independent risk analyses, approved by an internal or external auditor, for the financial risks and liabilities of the CSD resulting from that participation.

(23) Following the experience of the financial crisis, authorities should focus on ongoing rather than ex post supervision. It is, therefore, necessary to ensure that for each review and evaluation under Regulation (EU) No 909/2014, the competent authority has sufficient access to information on a continuous basis. In order to determine the scope of information to be delivered for each review and evaluation, the provisions of this Regulation should follow the requirements for authorisation with which a CSD has to comply under Regulation (EU) No 909/2014. This includes substantive changes to elements already submitted during the process of authorisation, information relating to periodic events and statistical data.

(24) To promote an effective bilateral and multilateral exchange of information between competent authorities, the results of the review and evaluation by one authority of the activities of a CSD should be shared with other competent authorities where this information is likely to facilitate their tasks, without prejudice to confidentiality and data protection requirements and in addition to any cooperation arrangements provided in Regulation (EU) No 909/2014. An additional exchange of information among competent authorities and relevant authorities or authorities in charge of markets in financial instruments should be organised allowing for a sharing of the findings of the competent authority in the course of the process of review and evaluation.

(25) Taking into account the possible burden of gathering and processing a vast amount of information related to the operation of a CSD, and in order to avoid duplications, only relevant modified documents should be provided in the context of the review and evaluation. Those documents should be delivered in a manner that enables the competent authority to identify all the relevant changes made to the arrangements, strategies, processes and mechanisms implemented by the CSD since authorisation or since the completion of the last review and evaluation.

(26) Another category of information that is useful for the competent authority to have in order to be able to perform the review and evaluation refers to events that by nature occur on a periodic basis and which are related to the operation of the CSD and the provision of its services.

(27) To carry out a comprehensive risk evaluation of a CSD, the competent authority will need to request statistical data on the scope of the CSD's business activities in order to evaluate the risks related to CSDs operation and to the smooth operation of securities markets. In addition, statistical data enable the competent authority to monitor the size and importance of securities transactions and settlements within the financial markets as well as to assess the ongoing and potential impact of a given CSD on the securities market as a whole.

(28) For the competent authority to monitor and evaluate the risks to which the CSD is or may be exposed to and which may arise for the smooth functioning of securities markets, it should be able to request additional information on the risks and activities of a CSD. The competent authority should therefore be able to define and request on its own initiative, or following a request submitted to it by another authority, any additional information which it considers necessary for each review and evaluation of the activities of a CSD.

(29) It is important to ensure that third-country CSDs that intend to provide the services pursuant to Regulation (EU) No 909/2014 do not disrupt the orderly functioning of Union markets.

(30) The ongoing assessment of the full compliance of a third-country CSD with the prudential requirements of a third country is the duty of the third country competent authority. The information to be provided to the European Securities and Markets Authority (ESMA) by an applicant CSD should not have the objective of replicating the assessment of the third country competent authority, but ensuring that the applicant is subject to effective supervision and enforcement in that third country, thus guaranteeing a high degree of investor protection.

(31) To allow ESMA to perform a complete assessment of the application for recognition, the information provided by the applicant should be complemented by the necessary information to assess the effectiveness of the ongoing supervision, enforcement powers and actions taken by the third country competent authority. That information should be provided under a cooperation arrangement established in accordance with Regulation (EU) No 909/2014. The cooperation arrangement should ensure that ESMA is informed in a timely manner of any supervisory or enforcement action against the third-country CSD applying for recognition and any change of the conditions under which authorisation was granted to the relevant CSD and on any relevant update of the information originally provided by the CSD under the recognition process.

(32) In order to ensure that investors' rights are protected, and that conflict of laws issues are adequately managed, when assessing the measures that a third-country CSD intends to take to allow its users to comply with the national laws referred to in Article 49(1) of Regulation (EU) No 909/2014, that third-country CSD should take into account both issuers and participants, as appropriate, in accordance with the respective national laws referred to in Article 49(1) of that Regulation.

(33) To establish a sound risk-management framework, a CSD should take an integrated and comprehensive view of all relevant risks. This should include the risks that the CSD bears from any other entities and the risks that it poses to third parties, including its users and to the extent practicable their clients, as well as linked CSDs, central counterparties, trading venues, payment systems, settlement banks, liquidity providers and investors.

(34) To ensure that CSDs operate with the necessary level of human resources to meet all of their obligations and to ensure that competent authorities have the relevant contact points within the CSDs that they supervise, CSDs should have key dedicated staff that should be accountable for the CSD and their own individual performance, particularly at the level of senior management and management body.

(35) To ensure an adequate control of the activities performed by CSDs, independent audits covering the operations of the CSD, risk-management processes, compliance and internal control mechanisms should be put in place and performed regularly. The independence of audits should not necessarily require the involvement of an external auditor, provided that the CSD demonstrates to the competent authority that the independence of its internal auditor is properly ensured. In order to ensure the independence of its internal audit function, the CSD should also establish an audit committee.

(36) A CSD should set up a risk committee in order to ensure that the management body of the CSD is advised at the highest technical level on its overall current and future risk tolerance and strategy. To ensure its independence from the CSD's executive management and a high degree of competence, the risk committee should be composed of a majority of non-executive members and it should be chaired by a person with an appropriate experience on risk management.

(37) When assessing potential conflicts of interest, a CSD should not only examine the members of the management body, senior management or staff of the CSD but also any person directly or indirectly linked to those individuals or to the CSD, whether it is a natural or legal person.

(38) A CSD should have a chief risk officer, a chief compliance officer, a chief technology officer, as well as a risk-management function, a technology function, a compliance and internal control function, and internal audit function. A CSD should in any case be able to organise the internal structure of those functions according to its needs. Different persons should fulfil the roles of chief risk officer, chief compliance officer and chief technology officer given that those functions are usually fulfilled by persons with different academic and professional profiles. In this respect, the provisions set out in this Regulation closely follow the system established by Regulation (EU) No 648/2012 of the European Parliament and the Council (2) for other market infrastructures.

(39) Records kept by a CSD should be structured and allow for easy access to the data stored by the competent authorities involved in the supervision of CSDs. A CSD should ensure that the data records it keeps, including the complete accounting of the securities it maintains, are accurate and up-to-date in order to serve as a reliable data source for supervision purposes.

(40) To facilitate the reporting and recording of a consistent set of information under different requirements, records kept by CSDs should cover each individual service provided by the CSD in accordance with Regulation (EU) No 909/2014, and should include at least all the details to be reported under the rules on settlement discipline provided in that Regulation.

(41) The preservation of the rights of issuers and investors is essential for the orderly functioning of a securities market. A CSD should therefore employ appropriate rules, procedures and controls to prevent the unauthorised creation or deletion of securities. It should also conduct at least daily reconciliation of the securities accounts that it maintains.

(42) A CSD should maintain robust accounting practices and perform audits to verify that its records of securities are accurate and that its measures ensuring the integrity of securities issues are adequate.

(43) In order to effectively ensure the integrity of the issue, the reconciliation measures provided in Regulation (EU) No 909/2014 should apply to all CSDs regardless of whether or not they provide the notary service or central maintenance service referred to in that Regulation in relation to a securities issue.