(1)

The provisions in this Regulation are closely linked, since they all deal with the supervisory requirements applicable to central securities depositories (CSDs). To ensure coherence between these provisions, which should enter into force at the same time, and to facilitate a comprehensive view and easy access by persons that are subject to these provisions, it is desirable to include all the regulatory technical standards concerning the supervisory requirements under Regulation (EU) No 909/2014 in a single Regulation.

(2)

In view of the global nature of financial markets and given the commitments undertaken by the Union in this field, due regard should be had to the Principles for Financial Market Infrastructures issued by the Committee on Payment and Settlement Systems and the International Organisation of Securities Commissions (CPSS-IOSCO Principles) in April 2012.

(3)

In order to ensure consistent application of rules concerning improving securities settlement in the Union, certain technical terms should be clearly defined.

(4)

It is important to ensure appropriate authorisation and supervision of a CSD. As such, a list of the relevant authorities issuing the most relevant Union currencies in which settlement takes place to be involved in the process of authorisation and supervision of a CSD should be defined. This should be based on the share of the currencies that those authorities issue in the total value of settlement instructions against payment settled annually by a CSD and on the share of settlement instructions against payment settled by a CSD in a Union currency compared to the total value of settlement instructions against payment settled in that currency across all CSDs in the Union.

(5)

In order to allow competent authorities to perform a thorough assessment, a CSD applying for authorisation should provide information on the structure of its internal controls and the independence of its governing bodies to enable the competent authority to assess whether the corporate governance structure ensures the independence of the CSD and whether that structure and its reporting lines, as well as the mechanisms adopted for managing possible conflicts of interest are adequate.

(6)

To enable the competent authority to assess the good reputation and the experience and skills of the CSD's senior management and members of the management body, an applicant CSD should provide all relevant information to perform that assessment.

(7)

Information on a CSD's branches and subsidiaries is necessary to enable the competent authority to clearly understand the CSD's organisational structure and evaluate any potential risk to the CSD due to the activity of those branches and subsidiaries.

(8)

A CSD applying for authorisation should provide the competent authority with the relevant information to demonstrate that it has the necessary financial resources at its disposal and adequate business continuity arrangements for the performance of its functions on an ongoing basis.

(9)

In addition to receiving information on the core activities, it is important for the competent authority to receive information on the ancillary services that the CSD applying for authorisation intends to offer to enable the competent authority to have a complete overview of the applicant CSD's services.

(10)

In order for the competent authority to assess the continuity and orderly functioning of technological systems of an applicant CSD, that CSD should provide the competent authority with descriptions of the relevant technological systems and how they are managed, including if they are outsourced.

(11)

Information concerning the fees associated with the core services provided by CSDs is important and should form part of the application for authorisation of a CSD in order to enable the competent authorities to verify whether those fees are proportionate, non-discriminatory and not bundled with the costs of other services.

(12)

In order to ensure that the investors' rights are protected, and that conflict of laws issues are adequately managed, when assessing the measures that a CSD intends to take to allow its users to comply with the national laws referred to in Article 49(1) of Regulation (EU) No 909/2014, the CSD should take into account both issuers and participants, as appropriate, in accordance with the respective national laws.

(13)

In order to secure fair and non-discriminatory access to the notary, central maintenance and securities settlement services within the financial market, issuers, other CSDs and other market infrastructures have been granted access to a CSD in accordance with Regulation (EU) No 909/2014. An applicant CSD should, therefore, provide the competent authority with information about its access policies and procedures.

(14)

In order to carry out its authorisation duties effectively, the competent authority should receive all information from CSDs applying for authorisation and related third parties, including third parties to whom applicant CSDs have outsourced operational functions and activities.

(15)

To ensure general transparency of governance rules of a CSD applying for authorisation, the competent authority should be provided with documents confirming that the applicant CSD has adopted the necessary arrangements for a non-discriminatory establishment of an independent user committee for each securities settlement system that it operates.

(16)

To secure the orderly functioning of core infrastructure services within the financial market, a CSD applying for authorisation should provide the competent authority with all necessary information to demonstrate that it has adequate policies and procedures for ensuring reliable record-keeping systems as well as effective mechanisms for CSD services, including in particular the measures for preventing and addressing settlements fails, and the rules concerning the integrity of the issue, the protection of securities of participants and those of their clients, settlement finality, participant default and transfer of participants and clients' assets in case of a withdrawal of authorisation.

(17)

The risk-management models associated with the services provided by an applicant CSD are a necessary item in its application for authorisation so as to enable the competent authority to evaluate the reliability and integrity of the adopted procedures and help market participants make an informed choice.

(18)

In order to verify the safety of the link arrangements of the CSD applying for authorisation, to assess the rules applied in the linked systems and evaluate the risks stemming from those links, the competent authority should receive from an applicant CSD any relevant information for the analysis, together with the CSD assessment of the link arrangements.

(19)

When granting the approval of a CSD's participation in the capital of another entity, the competent authority of the CSD should take into consideration the criteria that ensure that the participation does not increase significantly the CSD's risk profile. In order to ensure its safety and continuity of its services, a CSD should not assume unlimited financial liabilities as a result of its participation in the capital of legal persons other than those providing the services set out in Regulation (EU) No 909/2014. A CSD should fully capitalise the risks resulting from any participation in the capital of another entity.

(20)

In order for a CSD not to be dependent on other shareholders of the entities in which it holds a participation, including with regard to the risk-management policies, it should have full control of those entities. This requirement should also facilitate the exercise of supervisory and oversight functions by competent authorities and relevant authorities by allowing easy access to relevant information.

(21)

A CSD should have a clear strategic rationale for the participation beyond mere profit making, taking into account the interests of the issuers of securities issued with the CSD; its participants and its clients.

(22)

In order to properly quantify and outline the risks stemming from its participation in the capital of another legal person, a CSD should provide independent risk analyses, approved by an internal or external auditor, for the financial risks and liabilities of the CSD resulting from that participation.

(23)

Following the experience of the financial crisis, authorities should focus on ongoing rather than ex post supervision. It is, therefore, necessary to ensure that for each review and evaluation under Regulation (EU) No 909/2014, the competent authority has sufficient access to information on a continuous basis. In order to determine the scope of information to be delivered for each review and evaluation, the provisions of this Regulation should follow the requirements for authorisation with which a CSD has to comply under Regulation (EU) No 909/2014. This includes substantive changes to elements already submitted during the process of authorisation, information relating to periodic events and statistical data.

(24)

To promote an effective bilateral and multilateral exchange of information between competent authorities, the results of the review and evaluation by one authority of the activities of a CSD should be shared with other competent authorities where this information is likely to facilitate their tasks, without prejudice to confidentiality and data protection requirements and in addition to any cooperation arrangements provided in Regulation (EU) No 909/2014. An additional exchange of information among competent authorities and relevant authorities or authorities in charge of markets in financial instruments should be organised allowing for a sharing of the findings of the competent authority in the course of the process of review and evaluation.

(25)

Taking into account the possible burden of gathering and processing a vast amount of information related to the operation of a CSD, and in order to avoid duplications, only relevant modified documents should be provided in the context of the review and evaluation. Those documents should be delivered in a manner that enables the competent authority to identify all the relevant changes made to the arrangements, strategies, processes and mechanisms implemented by the CSD since authorisation or since the completion of the last review and evaluation.

(26)

Another category of information that is useful for the competent authority to have in order to be able to perform the review and evaluation refers to events that by nature occur on a periodic basis and which are related to the operation of the CSD and the provision of its services.

(27)

To carry out a comprehensive risk evaluation of a CSD, the competent authority will need to request statistical data on the scope of the CSD's business activities in order to evaluate the risks related to CSDs operation and to the smooth operation of securities markets. In addition, statistical data enable the competent authority to monitor the size and importance of securities transactions and settlements within the financial markets as well as to assess the ongoing and potential impact of a given CSD on the securities market as a whole.

(28)

For the competent authority to monitor and evaluate the risks to which the CSD is or may be exposed to and which may arise for the smooth functioning of securities markets, it should be able to request additional information on the risks and activities of a CSD. The competent authority should therefore be able to define and request on its own initiative, or following a request submitted to it by another authority, any additional information which it considers necessary for each review and evaluation of the activities of a CSD.

(29)

It is important to ensure that third-country CSDs that intend to provide the services pursuant to Regulation (EU) No 909/2014 do not disrupt the orderly functioning of Union markets.

(30)

The ongoing assessment of the full compliance of a third-country CSD with the prudential requirements of a third country is the duty of the third country competent authority. The information to be provided to the European Securities and Markets Authority (ESMA) by an applicant CSD should not have the objective of replicating the assessment of the third country competent authority, but ensuring that the applicant is subject to effective supervision and enforcement in that third country, thus guaranteeing a high degree of investor protection.

(31)

To allow ESMA to perform a complete assessment of the application for recognition, the information provided by the applicant should be complemented by the necessary information to assess the effectiveness of the ongoing supervision, enforcement powers and actions taken by the third country competent authority. That information should be provided under a cooperation arrangement established in accordance with Regulation (EU) No 909/2014. The cooperation arrangement should ensure that ESMA is informed in a timely manner of any supervisory or enforcement action against the third-country CSD applying for recognition and any change of the conditions under which authorisation was granted to the relevant CSD and on any relevant update of the information originally provided by the CSD under the recognition process.

(32)

In order to ensure that investors' rights are protected, and that conflict of laws issues are adequately managed, when assessing the measures that a third-country CSD intends to take to allow its users to comply with the national laws referred to in Article 49(1) of Regulation (EU) No 909/2014, that third-country CSD should take into account both issuers and participants, as appropriate, in accordance with the respective national laws referred to in Article 49(1) of that Regulation.

(33)

To establish a sound risk-management framework, a CSD should take an integrated and comprehensive view of all relevant risks. This should include the risks that the CSD bears from any other entities and the risks that it poses to third parties, including its users and to the extent practicable their clients, as well as linked CSDs, central counterparties, trading venues, payment systems, settlement banks, liquidity providers and investors.

(34)

To ensure that CSDs operate with the necessary level of human resources to meet all of their obligations and to ensure that competent authorities have the relevant contact points within the CSDs that they supervise, CSDs should have key dedicated staff that should be accountable for the CSD and their own individual performance, particularly at the level of senior management and management body.

(35)

To ensure an adequate control of the activities performed by CSDs, independent audits covering the operations of the CSD, risk-management processes, compliance and internal control mechanisms should be put in place and performed regularly. The independence of audits should not necessarily require the involvement of an external auditor, provided that the CSD demonstrates to the competent authority that the independence of its internal auditor is properly ensured. In order to ensure the independence of its internal audit function, the CSD should also establish an audit committee.

(36)

A CSD should set up a risk committee in order to ensure that the management body of the CSD is advised at the highest technical level on its overall current and future risk tolerance and strategy. To ensure its independence from the CSD's executive management and a high degree of competence, the risk committee should be composed of a majority of non-executive members and it should be chaired by a person with an appropriate experience on risk management.

(37)

When assessing potential conflicts of interest, a CSD should not only examine the members of the management body, senior management or staff of the CSD but also any person directly or indirectly linked to those individuals or to the CSD, whether it is a natural or legal person.

(38)

A CSD should have a chief risk officer, a chief compliance officer, a chief technology officer, as well as a risk-management function, a technology function, a compliance and internal control function, and internal audit function. A CSD should in any case be able to organise the internal structure of those functions according to its needs. Different persons should fulfil the roles of chief risk officer, chief compliance officer and chief technology officer given that those functions are usually fulfilled by persons with different academic and professional profiles. In this respect, the provisions set out in this Regulation closely follow the system established by Regulation (EU) No 648/2012 of the European Parliament and the Council (2) for other market infrastructures.

(39)

Records kept by a CSD should be structured and allow for easy access to the data stored by the competent authorities involved in the supervision of CSDs. A CSD should ensure that the data records it keeps, including the complete accounting of the securities it maintains, are accurate and up-to-date in order to serve as a reliable data source for supervision purposes.

(40)

To facilitate the reporting and recording of a consistent set of information under different requirements, records kept by CSDs should cover each individual service provided by the CSD in accordance with Regulation (EU) No 909/2014, and should include at least all the details to be reported under the rules on settlement discipline provided in that Regulation.

(41)

The preservation of the rights of issuers and investors is essential for the orderly functioning of a securities market. A CSD should therefore employ appropriate rules, procedures and controls to prevent the unauthorised creation or deletion of securities. It should also conduct at least daily reconciliation of the securities accounts that it maintains.

(42)

A CSD should maintain robust accounting practices and perform audits to verify that its records of securities are accurate and that its measures ensuring the integrity of securities issues are adequate.

(43)

In order to effectively ensure the integrity of the issue, the reconciliation measures provided in Regulation (EU) No 909/2014 should apply to all CSDs regardless of whether or not they provide the notary service or central maintenance service referred to in that Regulation in relation to a securities issue.

(44)

With regard to other entities involved in the reconciliation process, several scenarios should be distinguished depending on the role of those entities. The reconciliation measures should reflect the specific roles of those entities. According to the registrar model, the registrar maintains records of securities which are also recorded in a CSD. According to the transfer agent model, the fund manager or transfer agent is responsible for an account that maintains a part of a securities issue recorded in a CSD. According to the common depository model, the common depository is used by CSDs that establish an interoperable link and the common depository should be responsible for the overall integrity of the securities issues initially recorded or centrally maintained by the CSDs that have established an interoperable link.

(45)

In order to mitigate operational risks, which comprise the risks caused by deficiencies in information systems, internal processes, and personnel performance or disruptions caused by external events which result in the reduction, deterioration or breakdown of services provided by a CSD, CSDs should identify all risks and monitor their evolution, irrespective of their origin that may include, for instance, their users, providers of services to CSDs and other market infrastructures, including other CSDs. Operational risks should be managed in accordance to a well-documented and robust framework with clearly assigned roles and responsibilities. That framework should include operational targets, tracing features, assessment mechanisms and it should be integrated in the risk-management system of the CSD. In this context, a CSD chief risk officer should be responsible for the operational risk-management framework. CSDs should manage their risk internally. Where internal controls are insufficient or where eliminating certain risks is not a reasonably feasible option, a CSD should be able to take a financial coverage of those risks through insurance.

(46)

CSDs should not enter into investments that may affect their risk profile. CSDs should only enter into derivatives contracts if they are required to hedge a risk that they cannot reduce otherwise. The hedging should be subject to certain strict conditions that ensure that the derivatives are not used for purposes other than for covering risks and are not used for a realisation of profits.

(47)

The assets of CSDs should be held safely, be easily accessible and able to be liquidated promptly. A CSD should therefore ensure that its policies and procedures concerning prompt access to its own assets are based at least on the nature, size, quality, maturity and location of the assets. A CSD should also ensure that prompt access to its assets is not negatively affected by the outsourcing of custody or investment functions to a third party entity.

(48)

To manage its liquidity needs, a CSD should be able to access its cash assets immediately and also be able to access any securities that it holds under its own name on the same business day when a decision to liquidate the assets is taken.

(49)

To ensure a greater degree of protection of the assets of a CSD from the default of the intermediary, a CSD that accesses another CSD through a CSD link should maintain those assets in a segregated account at the linked CSD. This level of segregation should ensure that the assets of a CSD are segregated from those of other entities and protected appropriately. It is however necessary to allow the establishment of links with third-country CSDs even where individually segregated accounts are not available at the third-country CSD provided that assets of the requesting CSD are in any case adequately protected and competent authorities are informed of the risks resulting from the unavailability of individually segregated accounts and the adequate mitigation of such risks.

(50)

In order to ensure that a CSD invests its financial resources in highly liquid instruments with minimal market and credit risks and for these investments to be liquidated rapidly with minimal price effect, it should diversify its portfolio and establish appropriate concentration limits with respect to the issuers of the instruments in which it invests its resources.

(51)

In order to ensure the safety and efficiency of the link arrangement of a CSD with another CSD, a CSD should identify, monitor, and manage all potential sources of risk arising from the link arrangement. A CSD link should have a well-founded legal basis, in all relevant jurisdictions, that supports its design and provides adequate protection to the CSDs involved in the link. Linked CSDs should measure, monitor, and manage the credit and liquidity risks arising from each other.

(52)

A requesting CSD that uses an indirect CSD link or an intermediary to operate a CSD link with a receiving CSD should measure, monitor, and manage the additional risks, including custody, credit, legal, and operational risks, arising from the use of the intermediary in order to ensure the safety and the efficiency of the link arrangement.

(53)

In order to ensure the integrity of the issue, where securities are maintained in several CSDs through CSD links, CSDs should apply specific reconciliation measures and coordinate their actions.

(54)

CSDs should provide fair and open access to their services with due regard to the risks to financial stability and the orderliness of the market. They should control the risks arising from their participants and other users by setting risk-related criteria for the provision of their services. CSDs should ensure that their users, such as participants, any other CSDs, central counterparties (CCPs), trading venues or issuers that are granted access to their services meet the criteria and have the required operational capacity, financial resources, legal powers, and risk-management expertise in order to prevent the occurrence of risks for CSDs and other users.

(55)

In order to ensure the safety and efficiency of its securities settlement system, a CSD should monitor compliance with its access requirements on an ongoing basis and have clearly defined and publicly disclosed procedures for facilitating the suspension and orderly exit of a requesting party that breaches, or no longer meets, the access requirements.

(56)

For the purpose of the authorisation to provide banking-type ancillary services, a CSD should submit an application to the competent authority including all necessary elements to ensure that the provision of the banking-type ancillary services do not affect the smooth provision of core services of a CSD. Entities already authorised as CSDs should not be required to submit again any elements that were already submitted in the course of the process of application for being authorised as a CSD under Regulation (EU) No 909/2014.

(57)

With a view to ensuring legal certainty and a consistent application of the law, certain requirements provided for in this Regulation concerning settlement discipline measures should start to apply from the date of entry into force of those measures.

(58)

This Regulation is based on the draft regulatory technical standards submitted by ESMA to the Commission.

(59)

In drawing up the technical standards contained in this Regulation, ESMA has worked in close cooperation with the members of the European System of Central Banks and the European Banking Authority.

(60)

ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the opinion of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (3),