Commission Delegated Regulation (EU) 2020/1230 of 29 November 2019 supplementing Regulation (EU) 2017/2402 of the European Parliament and of the Council with regard to regulatory technical standards specifying the details of the application for registration of a securitisation repository and the details of the simplified application for an extension of registration of a trade repository (Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2017/2402 of the European Parliament and of the Council of 12 December 2017 laying down a general framework for securitisation and creating a specific framework for simple, transparent and standardised securitisation, and amending Directives 2009/65/EC, 2009/138/EC and 2011/61/EU and Regulations (EC) No 1060/2009 and (EU) No 648/2012 (1), and in particular the third subparagraph of Article 10(7) thereof insofar as it relates to points (b) and (c) of the first subparagraph of that paragraph,

Whereas:

(1) Article 7(2) of Regulation (EU) 2017/2402 requires the information for a securitisation transaction to be made available by means of a securitisation repository or, where no such repository is registered in accordance with Article 10 of that Regulation, by means of a website meeting certain requirements. Article 10 of Regulation (EU) 2017/2402 sets out the conditions and procedure for the registration of securitisation repositories, including the requirement to submit either an application for registration or, in the case of trade repositories already registered under Chapter 1 of Title VI of Regulation (EU) No 648/2012 of the European Parliament and of the Council (2) or under Chapter III of Regulation (EU) 2015/2365 of the European Parliament and of the Council (3), an application for extension of registration for the purposes of Article 7 of Regulation (EU) 2017/2402.

(2) In order to minimise additional operational costs for market participants, the rules for the registration of securitisation repositories, including the rules for registration by means of an extension of registration for the purposes of Article 7 of Regulation (EU) 2017/2402, should build on existing infrastructures, operational processes and formats introduced in connection with the reporting of securities financing transactions and derivative contracts. The rules on registration should, however, also reflect the specificities of securitisations, including complexities associated with hosting securitisation data and documentation and should reflect recent market developments, such as the common use of Legal Entity Identifiers, which improves the organisation and classification of information on legal entities to be provided in the application. For clarity and ease of reference for applicants, it is also desirable for the rules on registration to follow the order of the relevant requirements in Regulation (EU) 2017/2402.

(3) Securitisations are highly complex instruments involving many different types of information, including information on the features of underlying exposures, information on their cash flows, information on the structure of the securitisation and information on the legal and operational arrangements entered into with third parties. It is therefore important that a prospective securitisation repository is able to demonstrate sufficient knowledge and working experience with securitisations, and the capacity to receive, process and make available the relevant information set out in Regulation (EU) 2017/2402. Prospective securitisation repositories should also be able to demonstrate that their staff, systems, controls and procedures are adequate for ensuring compliance with the requirements set out in Regulation (EU) 2017/2402.

(4) Securitisation repositories may provide services, referred to as ‘ancillary securitisation services’, which are directly related to and arise from the delivery of services for which registration as a securitisation repository is required under Regulation (EU) 2017/2402 (referred to as ‘core securitisation services’). For example, securitisation repositories may provide research or consultancy services to a prospective securitisation issuer which make use of the securitisation data available to the securitisation repository. Securitisation repositories may also provide ancillary services that are neither directly related to, nor arise from the delivery of core securitisation services (ancillary non-securitisation services). However, the use of common resources within a securitisation repository for the provision of both core securitisation services and ancillary securitisation services, or indeed ancillary non-securitisation services, could lead to contagion of operational risks across those services. Services involving the validation, reconciliation, processing or record-keeping of information may therefore require an effective means of operational separation in order to avoid such contagion. On the other hand, practices such as common front-end systems, a common access point to information or use of the same staff working in sales, compliance or a client services helpdesk may be considered less prone to contagion and hence will not necessarily require operational separation. Applicants for registration as a securitisation repository should therefore be required to demonstrate that they have established an appropriate level of operational separation between the resources, systems and procedures used in those business lines that are involved in the provision of core securitisation services and the resources, systems and procedures used in other business lines involved in the provision of ancillary services, regardless of whether those other business lines are run by the securitisation repository, an affiliated entity, or another entity.

(5) Article 10(5) of Regulation (EU) 2017/2402 envisages a simplified application for an extension of registration, where trade repositories registered under Regulation (EU) No 648/2012 or under Regulation (EU) 2015/2365 apply for their existing registration as a trade repository to be extended for the purposes of Article 7 of Regulation (EU) 2017/2402. Therefore, to avoid any duplication of requirements, the information to be provided by a trade repository applying for an extension of registration should be confined to details about the adaptations necessary to ensure compliance with Regulation (EU) 2017/2402.

(6) This Regulation is based on the draft regulatory technical standards submitted by the European Securities and Markets Authority (ESMA) to the Commission.

(7) In accordance with Article 10 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4), ESMA has conducted an open public consultation on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the opinion of the Securities and Markets Stakeholder Group established by Article 37 of that Regulation,

HAS ADOPTED THIS REGULATION:

Article 1

Definitions

For the purposes of this Regulation, the following definitions shall apply:

(2) ‘reporting entity’ means the entity designated in accordance with the first subparagraph of Article 7(2) of Regulation (EU) 2017/2402;

(3) ‘core securitisation services’ means services for which registration as a securitisation repository is required under Regulation (EU) 2017/2402;

(4) ‘ancillary securitisation services’ means services provided by a securitisation repository that are directly related to and arise from the delivery of core securitisation services provided by that securitisation repository;

(5) ‘ancillary non-securitisation services’ means services that are neither core securitisation services nor ancillary securitisation services;

(7) ‘senior management’ means the person or persons who effectively direct the business of the securitisation repository, and the executive member or members of its board.

Article 2

Identification, legal status and type of securitisation

(1) An application for registration as a securitisation repository shall identify the applicant and the activities that the applicant intends to carry out for which registration as a securitisation repository is required.

(2) For the purposes of paragraph 1, the application shall in particular contain the following:

(a) the corporate name of the applicant, its legal address within the Union and the corporate name and legal address of any subsidiaries and branches of the applicant;

(b) the applicant’s legal entity identifier (LEI) registered with the Global Legal Entity Identifier Foundation;

(c) the uniform resource locator (URL) of the applicant’s website;

(d) an excerpt from the relevant commercial or court register showing the place of incorporation and scope of business activity of the applicant, or some other form of certified evidence of the place of incorporation and scope of business activity of the applicant, valid in either case as at the date of the application for registration as a securitisation repository;

(e) the securitisation types (ABCP transaction or non-ABCP transaction), risk transfer methods (traditional securitisation or synthetic securitisation) and underlying exposure types (residential real estate, commercial real estate, corporate, leasing, consumer, automobile, credit card, esoteric) for which the applicant wishes to be registered;

(f) whether the applicant is authorised or registered by a competent authority in the Member State where it is established and, if so, the name of the competent authority and any reference number related to the authorisation or registration;

(g) the articles of incorporation or equivalent terms of establishment and, where relevant, other statutory documentation stating that the applicant is to conduct core securitisation services;

(h) the name and contact details of the person(s) responsible for compliance, or any other staff involved in compliance assessments for the applicant, in relation to its provision of core securitisation services;

(i) the name and contact details of the contact person for the purposes of the application;

(j) the programme of operations, including the location of the main business activities of the applicant;

(k) any ancillary securitisation or ancillary non-securitisation service that the applicant provides or intends to provide;

(l) any information on any pending judicial, administrative, arbitration or any other litigation proceedings irrespective of their type, that the applicant may be party to, particularly as regards tax and insolvency matters and where significant financial or reputational costs may be incurred, or any non-pending proceedings, that may still have any material impact on securitisation repository costs.

(3) Upon request, the applicant shall provide ESMA with additional information during the examination of the application for registration where such information is needed for the assessment of the applicant’s ability to comply with the applicable requirements of Regulation (EU) 2017/2402 and for ESMA to duly interpret and analyse the documentation to be submitted or already submitted.

(4) Where an applicant considers that a requirement of this Regulation is not applicable to it, it shall clearly indicate that requirement in its application and explain why that requirement does not apply.

Article 3

Organisational chart

(1) An application for registration as a securitisation repository shall contain a chart detailing the organisational structure of the applicant, including that of any ancillary securitisation services and of any ancillary non-securitisation services.

(2) The chart referred to in paragraph 1 chart shall include information about the identity of the person responsible for each significant role, including the identity of each member of its senior management and of persons who effectively direct the business of any subsidiaries and branches.

Article 4

Corporate governance

(1) An application for registration as a securitisation repository shall contain information regarding the applicant’s internal corporate governance policies and the procedures and terms of reference which govern its senior management, including the board, its non-executive members and, where established, committees.

(2) The information referred to in paragraph 1 shall describe the selection process, appointment, performance evaluation and removal of senior management.

(3) Where the applicant adheres to a recognised corporate governance code of conduct, the application for registration as a securitisation repository shall identify the code and provide an explanation for any situations where the applicant deviates from that code.

Article 5

Internal control

(1) An application for registration as a securitisation repository shall contain detailed information about the internal control system of the applicant, including information regarding its compliance function, risk assessment, internal control mechanisms and the arrangements of its internal audit function.

(2) The detailed information referred to in paragraph 1 shall contain:

(a) the applicant’s internal control policies and the procedures to ensure the consistent and effective implementation of those policies;

(b) any policies, procedures and manuals for monitoring and evaluating the adequacy and effectiveness of the applicant’s systems;

(c) any policies, procedures and manuals for controlling and safeguarding the applicant’s information processing systems;

(d) the identity of the internal bodies in charge of evaluating any internal control findings.

(3) An application for registration as a securitisation repository shall contain the following information with respect to the applicant’s internal audit activities:

(a) in case there is an Internal Audit Committee, its composition, competences and responsibilities;

(b) its internal audit function charter, methodologies, standards and procedures;

(c) an explanation of how its internal audit function charter, methodology and procedures are developed and applied, taking into account the nature and extent of the applicant’s activities, complexities and risks;

(d) a work plan for the Internal Audit Committee for the three years following the date of application, focusing on the nature and extent of the applicant’s activities, complexities and risks.

Article 6

Conflicts of interest

(1) An application for registration as a securitisation repository shall contain the following information on the policies and procedures put in place by the applicant to manage conflicts of interest:

(a) policies and procedures with respect to the identification, management, elimination, mitigation and disclosure of conflicts of interest without delay;

(b) a description of the process used to ensure that the relevant persons are aware of the policies and procedures referred to in point (a);

(d) any other measures and controls put in place to ensure the policies and procedures referred to in point (a) with respect to conflicts of interest management and the process referred to in point (b) are followed.

(2) An application for registration as a securitisation repository shall contain an up-to-date inventory, at the time of the application, of existing and potential material conflicts of interest in relation to any core or ancillary securitisation services as well as any ancillary non-securitisation services provided or received by the applicant and a description of how those conflicts are, or will be managed. The inventory shall include conflicts of interest arising from the following situations:

(a) any situation where the applicant may realise a financial gain or avoid a financial loss, to the detriment of a client;

(b) any situation where the applicant may have an interest in the outcome of a service provided to a client, which is distinct from the client’s interest in that outcome;

(c) any situation where the applicant may have an incentive to prioritise its own interests or the interest of another user or group of users rather than the interests of the client to whom a service is provided;

(d) any situation where the applicant receives or may receive an incentive from any person other than the client, in relation to a service provided to the client, in the form of money, goods or services, but excluding incentives by way of commission or fees received for the service.

(3) Where an applicant is part of a group, the inventory shall include any existing and potential material conflicts of interest arising from other undertakings within the group and how those conflicts are being managed and mitigated.

Article 7

Ownership of the securitisation repository

(1) An application for registration as a securitisation repository shall contain:

(a) a list containing the name of each person or entity who directly or indirectly holds 5 % or more of the applicant’s capital or of its voting rights or whose holding makes it possible to exercise a significant influence over the applicant’s management;

(b) a list of any undertakings in which a person referred to in point (a) holds 5 % or more of the capital or voting rights or over whose management they exercise a significant influence.

(2) Where the applicant has a parent undertaking or an ultimate parent undertaking, the applicant shall:

(a) identify the LEI registered with the Global Legal Entity Identifier Foundation, and legal address of the parent undertaking or the ultimate parent undertaking;

(b) indicate whether the parent undertaking or ultimate parent undertaking is authorised or registered and subject to supervision and, when this is the case, state any reference number and the name of the responsible supervisory authority.

Article 8

Ownership chart

(1) An application for registration as a securitisation repository shall contain a chart showing the ownership links within the applicant’s group, including between the ultimate parent undertaking, parent undertaking, subsidiaries and any other associated entities or branches.

(2) The undertakings in the chart referred to in paragraph 1 shall be identified by their full name, legal status, legal address and LEI registered with the Global Legal Entity Identifier Foundation.

Article 9

Policies and procedures

Policies and procedures that are to be provided as part of an application for registration as a securitisation repository shall contain the following:

(a) evidence that the board approves the policies and that senior management approves the procedures and is responsible for the implementation and maintenance of those policies and procedures;

(b) a description of how those policies and procedures are communicated within the applicant’s organisation, how compliance with those policies and procedures is ensured and monitored on a day-to-day basis, and who is responsible for compliance with those policies and procedures;

(c) any records indicating that staff members and staff members who are operating under any outsourcing arrangement are aware of those policies and procedures;

(d) a description of the measures to be taken in the event of a breach of those policies and procedures;

(e) a description of the procedure for reporting to ESMA any material breach of the policies or procedures which may result in a breach of the conditions for registration;

(f) a description of the arrangements for notifying ESMA promptly of any planned material changes to the applicant’s information technology systems, prior to their implementation.

Article 10

Regulatory compliance