1.   The applicant CSD shall provide the competent authority with a description of the risk-management and control systems as well as the IT tools put in place by the applicant CSD to manage business risks in accordance with Article 44 of Regulation (EU) No 909/2014.

2.   Where the applicant CSD has obtained a risk rating from a third party, it shall provide it to the competent authority including any relevant information supporting that risk rating.