1.   A CSD shall have adequate staff to meet its obligations. A CSD shall not share staff with other group entities, unless it does so under the terms of a written outsourcing arrangement in accordance with Article 30 of Regulation (EU) No 909/2014.

2.   The management body shall assume at least the following responsibilities:

(a)	establish well-documented policies, procedures and processes by which the management body, senior management and committees shall operate;

(b)	establish clear objectives and strategies for the CSD;

(c)	effectively monitor senior management;

(d)	establish adequate remuneration policies;

(e)	ensure the surveillance of the risk-management function and take the decisions related to risk management;

(f)	ensure the independence and adequate resources of the functions referred to in Article 47(3);

(g)	monitor outsourcing arrangements;

(h)	monitor and ensure compliance with all relevant regulatory and supervisory requirements;

(i)	be accountable to shareholders or other owners, employees, users and other relevant stakeholders;

(j)	approve internal audit planning and review;

(k)	review and update regularly the governance arrangements of the CSD.

Where the management body or its members delegate tasks, they shall retain the responsibility for decisions that may affect the smooth provision of services by the CSD.

The CSD's management body shall hold the final responsibility for managing the CSD's risks. The management body shall define, determine and document an appropriate level of risk tolerance and risk bearing capacity for the CSD and for all the services that the CSD provides. The management body and senior management shall ensure that the CSD's policies, procedures and controls are consistent with the CSD's risk tolerance and risk bearing capacity and that these policies, procedures and controls address how the CSD identifies, reports, monitors and manages risks.

3.   The senior management shall have at least the following responsibilities:

(a)	ensure consistency of the activities of the CSD with the objectives and strategy of the CSD as determined by the management body;

(b)	design and establish risk-management, technology, compliance and internal control procedures that promote the objectives of the CSD;

(c)	subject the risk-management, technology, compliance and internal control procedures to regular review and testing;

(d)	ensure that sufficient resources are devoted to risk management, technology, compliance and internal control, and internal audit.

4.   A CSD shall establish lines of responsibility that are clear, consistent and well-documented. A CSD shall have clear and direct reporting lines between the members of its management body and the senior management in order to ensure that the senior management is accountable for its performance. The reporting lines for the risk-management function, compliance and internal control function and internal audit function shall be clear and separate from those for the operations of the CSD.

5.   A CSD shall have a chief risk officer who shall implement the risk-management framework including the policies and procedures established by the management body.

6.   A CSD shall have a chief technology officer who shall implement the technology framework including the policies and procedures established by the management body.

7.   A CSD shall have a chief compliance officer who shall implement the compliance and internal control framework including the policies and procedures established by the management body.

8.   A CSD shall ensure that the functions of the chief risk officer, chief compliance officer and chief technology officer are carried out by different individuals, who shall be employees of the CSD or of an entity from the same group as the CSD. A single individual shall have the responsibility for each of these functions.

9.   The CSD shall establish procedures ensuring that the chief risk officer, the chief technology officer and the chief compliance officer have direct access to the management body.

10.   Persons appointed as chief risk officer, chief compliance officer or chief technology officer may undertake other duties within the CSD provided that specific procedures are put in place in the governance arrangements to identify and manage any conflict of interest that may arise from those duties.