until further notice 1 (11)

Applicable to central securities depositories

Guideline on risk management and other aspects of internal control in central securities depository

By virtue of section 4, paragraph 2, of the Act on the Financial Supervision Authority, the Financial Supervision Authority issues the following guideline on risk management and other aspects of internal control in central securities depository.

CONTENTS

1 Introduction ... 3
2 Definition of the concept of internal control and risk management ... 4
2.1 Internal control ... 4
2.2 Risk management ... 4
3 Responsibility for internal control and risk management ... 5
4 General principles of internal control ... 6
5 Principles relating to risk management ... 7
6 Principles relating to the organization of a central securities intermediary ... 7
7 Principles relating to accounting and information systems ... 8
8 Principles relating to IT systems ... 8
9 Internal audit function ... 10
9.1 Tasks of internal audit ... 10
9.2 Role of internal audit ... 11

1 Introduction

The smooth operation of a central securities depository is essential for the operation and stability of markets. Therefore, the Financial Supervision Authority (FSA) has decided to issue this guideline on risk management and other aspects of internal control to the central securities depository.

In this guideline, the Financial Supervision Authority lays down minimum requirements for adequate risk management and other aspects of internal control. The basic principle is that the risk management and other aspects of internal control exercised by a central securities depository should be of adequate standard with regard to the nature and scope of operations. Adequate risk management and other aspects of internal control must be applied in all business operations carried out by an authorized central securities depository.

This guideline documents generally accepted principles that represent the common view of financial supervisors in EU and EEA countries.

Internal control and risk management are defined in Chapter 2. These definitions describe the aims of both processes but are not intended as a comprehensive specification of how these processes are to be organized. Responsibility for organizing risk management and other internal control is discussed in Chapter 3. The minimum requirements in respect of this responsibility are presented in this chapter. General principles of internal control and risk management are presented in Chapters 4 and 5. Principles related to the organization of a central securities depository as regards risk management and internal control are discussed in Chapter 6. Principles relating to accounting and information systems as well as to IT systems as regards internal control and risk management are discussed in Chapters 7 and 8. The tasks and role of internal control and risk management within a depository are discussed in the final chapter of this guideline, Chapter 9.

2 Definition of the concept of internal control and risk management

2.1 Internal control

Internal control is a process aimed at:
a) accomplishment of stated goals and objectives;
b) economical and efficient use of resources;
c) adequate control of the risks inherent in operations;
d) reliability and integrity of financial and other management information;
e) compliance with laws and regulations, strategies, plans, internal rules and procedures.

According to this definition, internal control comprises all such controls, financial or otherwise, as are effected by the board of directors, managing director and other staff.

2.2 Risk management

Risk management refers to the identification, assessment, limitation and control [1] of risks that arise from and are essentially related to business. In a central securities depository, risk management is an integral part of the internal control system.

Adequate risk management must cover at least the following risks (but is not limited to these):
- credit risk (including counterparty risk)
- financial risks
- operative risk
- legal risk
- strategic risk.

Adequate risk management must cover risk areas that are essential to the continuation of core businesses of a central securities depository (but is not limited to these).

[1] The use of risk limits for the measurement and limitation of risks applies to measurable risks only.
3 Responsibility for internal control and risk management

A central securities depository's board of directors has a key role in defining and monitoring the principles and procedures of internal control. A central securities depository's board of directors is responsible for defining risk-taking principles and ensuring that the risk management and control systems of the central securities depository are adequate with regard to the nature and scope of operations. A central securities depository's board of directors and managing director are responsible for ensuring that internal control is applied in all operations.

If a central securities depository belongs to a consolidation group, some tasks of internal control and risk management may be within the remit of the board of directors and managing director of the parent undertaking under the internal allocation of responsibilities of the consolidation group. However, the central securities depository's board of directors and managing director always have the primary responsibility for the operation and adequacy of the central securities depository's risk management and internal control.

A central securities depository's board of directors and managing director must especially:
1) determine the central securities depository's organizational structure; ensure an appropriate allocation of responsibilities and decision-making powers; and see to it that internal control and risk management cover all activities of the central securities depository and are commensurate with the risks inherent in its different operations;
2) establish quantitative and qualitative objectives for each field of operation and monitor their implementation;
3) approve the central securities depository's risk-taking principles; establish policies for risk limitation and supervise compliance with such policies;
4) ensure that staff have the requisite skills and are suitable for their tasks and that they have access to the information required to perform their tasks;
5) ensure that procedures for key operations are documented in writing;
6) ensure that the central securities depository maintains information and accounting systems that are adequate for decision-making and assessment of operations;
7) ensure that the central securities depository maintains IT systems that are adequate with regard to its activities and organized in an appropriate fashion;
8) ensure that the central securities depository's staff do not handle, in their capacity as representatives of the investment firm, any business transactions of their own or concerning persons with whom they are closely related, or otherwise influence any decisions relating to such business transactions;
9) ensure that the internal audit function is organized in an appropriate fashion and operates in accordance with good internal audit practice;
10) ensure that the board of directors is informed of material findings made by the internal audit function, the auditors and the authorities;
11) ensure that the organization of the internal audit function supports the fulfilment of the aims of risk management;
12) ensure that the central securities depository has a risk management function that is independent of the risk-taking function or profit-earning function;
13) review internal control and the adequacy of risk management on a regular basis and always when
- operations expand into new markets;
- new products are introduced;
- there are or will be material changes in the operating environment; or
- businesses are reorganized;
14) establish procedures to ensure that control systems are revised when deficiencies are detected or control fails completely.

4 General principles of internal control

The following principles are common to all aspects of internal control:
a) Internal control must promote a corporate culture that accepts internal control as a normal and necessary element of business.
b) Internal control must cover all activities of a central securities depository. Such control needs to be commensurate with the risks inherent in different operations. Particular attention needs to be focused on new products, new business areas and cross-border operations.
c) A central securities depository must see to it that adequate internal control is exercised by all undertakings in its consolidation group.
d) If a central securities depository purchases services from other firms or units in its consolidation group, this must not lead to any deterioration in the central securities depository's internal control.
e) Internal control must include risk management systems that enable identification, assessment and control of all essential risks relating to the activities of a central securities depository.
f) Internal control must prevent acts of fraud, embezzlement and other malpractices. Internal control preventing other malpractices includes, e.g., monitoring the securities trading of staff of the central securities depository and the rules applicable thereto.
g) A central securities depository must ensure that it has in place updated guidelines for key operations, including internal control of operations.
h) Internal control should also include contingency planning so as to ensure the continuity of the central securities depository's operations in the event of disruptions. Contingency plans must be tested to ensure they can be implemented when the need arises.

5 Principles relating to risk management

Key principles of risk management are:
a) Operational limits set for quantifiable risks, and defined procedures for the limitation of non-quantifiable risks, are put in writing.
b) Risk management systems incorporate decision-making procedures for engaging in new activities. All individuals involved are briefed, in respect of their own spheres of responsibility, on the risks associated with the new activity and the ways in which the risk management procedures for the new activity will be implemented.
c) Compliance with risk limits and procedures is monitored on a continuous basis. When operational limits are exceeded or risk management procedures are not followed, the incident should be promptly reported and assessed. Clear follow-up procedures for violations are established.
d) Risk management limits and procedures are reviewed periodically so that they correspond to adopted operational modes and the current market situation.
6 Principles relating to the organization of a central securities intermediary

A central securities depository must be organized in accordance with its operations and the inherent risks. The following principles need to be considered when structuring an organization:
a) Effective segregation of duties performed by the organization must be established both to improve control and to avoid the risks of malpractice and error.
b) The organization must have adequate depth to assure the competence and availability of replacement staff. Management must further assure that any staff member designated as an alternate is indeed capable of performing the tasks related to the position.
c) Each operational process should incorporate its own control procedures to ensure that all transactions are duly authorized, implemented and recorded.
d) Access to assets and confidential information should be restricted to authorized personnel in accordance with individual job descriptions and areas of responsibility.

7 Principles relating to accounting and information systems

Accounting and information systems enable the recording of transactions and the flow of related information needed for internal decision-making and internal control as well as for external purposes. Information provided by such systems must give a true and fair view of all the central securities depository's operations. To ensure the existence of effective accounting and information systems, the following principles should be observed:
a) Every transaction is recorded promptly and accurately with the correct time and date and sufficient detail. The audit trail must be complete, starting from the original document.
b) Management and other personnel have prompt access to sufficient information to properly perform their duties.
c) Information is released to the authorities at appointed times without delay.
d) Information provided for external use (annual accounts, supervisory reporting, etc.) complies with the relevant statutes and regulations.

8 Principles relating to IT systems

A central securities depository needs to have the necessary expertise, organization and internal control procedures to maintain and process information in an electronic form.

For internal control, this implies compliance with the principles identified below in points a to k. These principles also apply in situations where data are handled in a decentralized manner, i.e. business units besides the IT department handle and process data. A central securities depository should further ensure that its suppliers of IT systems and services apply similar principles.
A central securities depository must comply with the following principles in the pursuit of its own operations only to the extent that these principles apply to its operations.
a) Approval by the board of directors of an IT strategy and budget that accord with the central securities depository's current and estimated future needs, to ensure the integrity and support of the technical environment.
b) Policies, standards, procedures and controls for the various spheres of IT activity should be defined so as to enable cooperation among business units and in-house providers of IT services. Operational models, standards, procedures and controls should serve as a basis for management planning, control and evaluation of IT activities.
c) User operations and technical operations should be kept separate. The IT department should carry responsibility for development and operation of computer systems; users should carry responsibility for correctness and accuracy of data they enter or otherwise handle.
d) There should also be further segregation of systems development and computer operation responsibilities so that individuals performing tasks in either of these spheres can only access information in the other sphere through controlled standard procedures. Duties of the personnel in charge of information system implementation and maintenance, granting and revoking access, and database administration should also be segregated.
e) The internal audit function should be capable of evaluating the adequacy and effectiveness of IT internal controls.
f) The IT department should implement and provide on-going support of systems development and quality assurance procedures to ensure that systems perform the functions for which they were designed, as well as oversee the production of standardized documentation to support current users and future development tasks.
g) The procedures to be followed in acquisition or approval of software and hardware, as well as in procuring services from independent providers, should be decided. There should further be means to evaluate that an acquisition or contracted service corresponds to the central securities depository's needs and its established standards, and is backed by continued technical support.
h) Information systems should incorporate controls and violation detection capabilities with full traceability so that it is possible to assure the legitimacy and correctness of input and output data and determine that the data were input or accessed by individuals with proper authorization. In the event of disturbances, it should be possible to fully restore processes without loss of transaction records in order to assure a complete audit trail.
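The following is an added illustration, not part of the FSA guideline and not code from any depository system, of what point h asks for in the smallest possible form: every read and write is authorization-checked, every outcome (including denied attempts) is written to a hash-chained journal that gives a tamper-evident audit trail, denied attempts are counted so that repeated violations can be flagged, and the working state can be rebuilt from the verified journal after a disturbance without loss of transaction records. The user ids, the authorization matrix, the account name and the detection threshold are all constructed for the example.

```python
"""Added example (not from the guideline): an authorization-checked record
store with a hash-chained audit trail, violation counting and restore-by-
replay, illustrating Chapter 8, point h. All users, accounts and the
authorization matrix below are constructed for illustration."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed authorization matrix: user id -> permitted actions. In practice
# these grants follow management-approved principles (Chapter 8, point i).
AUTHORIZATIONS = {
    "clerk01": {"read", "write"},
    "auditor01": {"read"},
    "intern01": set(),
}


class Journal:
    """Append-only journal. Each entry carries the hash of the previous entry,
    so any altered, inserted or missing record breaks verify()."""

    def __init__(self, entries=None):
        self.entries = entries if entries is not None else []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user, action, account, outcome, detail=None):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                "action": action, "account": account, "outcome": outcome,
                "detail": detail, "prev": prev}
        body["hash"] = self._digest(body)   # hash covers all fields incl. prev
        self.entries.append(body)
        return body

    def verify(self):
        """True if every entry's hash matches its content and its predecessor."""
        prev = "0" * 64
        for e in self.entries:
            check = {k: v for k, v in e.items() if k != "hash"}
            if check["prev"] != prev or self._digest(check) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class RecordStore:
    def __init__(self, authorizations, journal=None):
        self.auth = authorizations
        self.journal = journal if journal is not None else Journal()
        self.balances = {}                 # account -> balance
        self.denied = defaultdict(int)     # user -> count of denied attempts

    def _authorized(self, user, action, account):
        """Every access decision, allowed or denied, is recorded (traceability)."""
        if action in self.auth.get(user, set()):
            return True
        self.denied[user] += 1
        self.journal.append(user, action, account, "DENIED")
        return False

    def post(self, user, account, amount):
        if not self._authorized(user, "write", account):
            return None
        self.balances[account] = self.balances.get(account, 0) + amount
        self.journal.append(user, "write", account, "OK", amount)
        return self.balances[account]

    def read(self, user, account):
        if not self._authorized(user, "read", account):
            return None
        self.journal.append(user, "read", account, "OK")
        return self.balances.get(account, 0)

    def suspicious_users(self, threshold=3):
        """Violation detection: users with repeated denied attempts."""
        return sorted(u for u, n in self.denied.items() if n >= threshold)

    @classmethod
    def restore(cls, authorizations, journal):
        """Rebuild state by replaying a verified journal (recovery after a
        disturbance without loss of transaction records)."""
        if not journal.verify():
            raise ValueError("audit trail failed verification")
        store = cls(authorizations, journal)
        for e in journal.entries:
            if e["action"] == "write" and e["outcome"] == "OK":
                store.balances[e["account"]] = store.balances.get(e["account"], 0) + e["detail"]
            elif e["outcome"] == "DENIED":
                store.denied[e["user"]] += 1
        return store


def run_demo():
    """Constructed scenario; returns the values a reviewer would check."""
    store = RecordStore(AUTHORIZATIONS)
    store.post("clerk01", "ACC-1", 100)
    store.post("clerk01", "ACC-1", -30)
    store.read("auditor01", "ACC-1")
    store.post("auditor01", "ACC-1", 5)        # denied: auditor is read-only
    for _ in range(3):
        store.read("intern01", "ACC-1")         # denied three times
    restored = RecordStore.restore(AUTHORIZATIONS, store.journal)
    tampered = Journal([dict(e) for e in store.journal.entries])
    tampered.entries[0]["detail"] = 999         # alter a posted amount
    return {
        "balance": store.read("auditor01", "ACC-1"),
        "restored_balance": restored.balances["ACC-1"],
        "suspicious": store.suspicious_users(),
        "journal_ok": store.journal.verify(),
        "tampered_ok": tampered.verify(),
        "entries": len(store.journal.entries),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of logging denied attempts in the same chained journal as successful transactions is that the trail then answers both questions point h raises: who legitimately entered or read each record, and who tried to without authorization. A real system would add the segregation of duties from point d (the person who administers the journal should not also be able to post transactions) and would keep the journal on write-once or replicated storage so that restore-by-replay survives the loss of the primary system.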
i) Authorizations for access to data and software as well as system administrator authorizations should be granted in accordance with consistent principles approved by management. Access to data and programmes must be restricted to authorized individuals through a variety of technical means (user IDs, passwords, etc.). A system for tracing and dealing with unauthorized access attempts and violations should be in place.
j) The risks of interruption and loss of access to IT systems due to, e.g., fire, flood or electricity supply must be minimized through appropriate physical security measures. Access to networks, devices and sensitive materials (storage media, documentation, etc.) must be restricted to authorized individuals.
k) Plans to assure the continuity of vital operations under all circumstances should be in place. In the event of unexpected disturbances or downtime, it should be possible to re-establish normal operation within a reasonable time. Such continuity plans should be updated and tested at regular intervals.

9 Internal audit function

9.1 Tasks of internal audit

The internal audit function refers to an independent group of specialists within an organization that is generally directly subordinate to the managing director of the undertaking or the parent undertaking of a consolidated group. The task of this group is to analyze the operational processes of the organization and issue recommendations or statements on the basis of its findings. Due to the importance of a central securities depository for the smooth operation and stability of the securities markets, it must be subject to effective internal auditing.

If the internal audit group reports directly to the managing director of a consolidation group, the central securities depository's board of directors and managing director must ensure that the internal control of the central securities depository is sufficient for carrying out the tasks and fulfilling the aims set out in this guideline.

A central securities depository's board of directors should decide on internal audit tasks, authority and responsibilities as well as on general principles to be observed in the planning of audits and in the reporting of findings.

It is generally recognized that the objectives and tasks of internal audit include the following:
a) regular appraisals of the scope, adequacy, effectiveness and efficiency of internal control, including supervision of compliance with policies and procedures approved by management;
b) control and review of the operation of risk management systems;
c) evaluation of the reliability and integrity of accounting systems, computer systems and other systems involved in the measurement, classification and reporting of financial and operative data; and
d) testing for the correctness and legitimacy of transactions and the operation of related internal controls.

Given their importance in internal control, the central securities depository's management should ensure that the tasks listed above are performed.

9.2 Role of internal audit

The internal audit function should apply the following general principles:
a) Independence from all other functions to be audited.
b) Unlimited access to all operations to ensure that auditing covers all aspects of a central securities depository's activities.
c) Adequate dimensioning to cope with the size and activities of the central securities depository; internal audit staff must possess adequate qualifications and experience.
d) Standing within the organization to ensure due processing by the board of directors of audit reports and the recommendations presented therein.