You are viewing the version of the document as on 2024-12-23.

SECN 9.6 Details of the application for registration of a securitisation repository and the details of the simplified application for an extension of registration of a trade repository

Interpretation

SECN 9.6.1 D
  1. (1)

    1For the purposes of SECN 9.6, the following definitions apply:

    1. (a)

      ‘user’, in relation to a securitisation repository, means any of the following:

      1. (i)

        any entity listed in SECN 9.3;

      2. (ii)

        any reporting entity in relation to that securitisation repository; or

      3. (iii)

        any other client of the securitisation repository who uses core securitisation services provided by the securitisation repository;

    2. (b)

      ‘core securitisation services’ means services for which registration as a securitisation repository is required under SECN;

    3. (c)

      ‘ancillary securitisation services’ means services provided by a securitisation repository that are directly related to and arise from the delivery of core securitisation services provided by that securitisation repository;

    4. (d)

      ‘ancillary non-securitisation services’ means services that are neither core securitisation services nor ancillary securitisation services; and

    5. (e)

      ‘senior management’ means the person or persons who effectively direct the business of the securitisation repository, and the executive member or members of its board.

  2. (2)

    For the purposes of SECN 9.6, the following expressions have the meaning given to that expression in Article 2 of EMIR:

    1. (a)

      ‘group’;

    2. (b)

      ‘parent undertaking’;

    3. (c)

      ‘subsidiary’;

    4. (d)

      ‘capital’;

    5. (e)

      ‘board’.

Identification, legal status and type of securitisation

SECN 9.6.2 D
  1. (1)

    1An application for registration as a securitisation repository must identify the applicant and the activities that the applicant intends to carry out for which registration as a securitisation repository is required.

  2. (2)

    For the purposes of (1), the application must contain the following:

    1. (a)

      the corporate name of the applicant, its legal address within the United Kingdom and the corporate name and legal address of any subsidiaries and branches of the applicant;

    2. (b)

      the applicant’s LEI registered with the Global Legal Entity Identifier Foundation;

    3. (c)

      the uniform resource locator (URL) of the applicant’s website;

    4. (d)

      an excerpt from the relevant commercial or court register showing the place of incorporation and scope of business activity of the applicant, or some other form of certified evidence of the place of incorporation and scope of business activity of the applicant, valid in either case as at the date of the application for registration as a securitisation repository;

    5. (e)

      the securitisation types (ABCP transaction or non-ABCP securitisation), risk transfer methods (traditional securitisation or synthetic securitisation) and underlying exposure types (residential real estate, commercial real estate, corporate, leasing, consumer, automobile, credit card or esoteric) for which the applicant wishes to be registered;

    6. (f)

      whether the applicant is authorised or registered by the PRA or the FCA in the United Kingdom and, if so, any reference number(s) relating to the authorisation(s) or registration(s);

    7. (g)

      the articles of incorporation or equivalent terms of establishment and, where relevant, other statutory documentation stating that the applicant is to conduct core securitisation services;

    8. (h)

      the name and contact details of the person(s) responsible for compliance, or any other staff involved in compliance assessments for the applicant, in relation to its provision of core securitisation services;

    9. (i)

      the name and contact details of the contact person for the purposes of the application;

    10. (j)

      the programme of operations, including the location of the main business activities of the applicant;

    11. (k)

      any ancillary securitisation or ancillary non-securitisation service that the applicant provides or intends to provide; and

    12. (l)

      any information on any pending judicial, administrative, arbitration or any other litigation proceedings, irrespective of their type, that the applicant may be party to, particularly as regards tax and insolvency matters and where significant financial or reputational costs may be incurred, or any non-pending proceedings that may still have any material impact on securitisation repository costs.

  3. (3)

    On request, the applicant must provide the FCA with additional information during the examination of the application for registration where such information is needed for the assessment of the applicant’s ability to comply with the applicable requirements of SECN and for the FCA to duly interpret and analyse the documentation to be submitted or already submitted.

  4. (4)

    Where an applicant considers that a requirement under SECN does not apply to it, it must clearly indicate that requirement in its application and explain why that requirement does not apply.

Organisational chart

SECN 9.6.3 D
  1. (1)

    1An application for registration as a securitisation repository must contain a chart detailing the organisational structure of the applicant, including that of any ancillary securitisation services and of any ancillary non-securitisation services.

  2. (2)

    The chart referred to in (1) must include information about the identity of the person responsible for each significant role, including the identity of each member of its senior management and of persons who effectively direct the business of any subsidiaries and branches.

Corporate governance

SECN 9.6.4 D
  1. (1)

    1An application for registration as a securitisation repository must contain information regarding the applicant’s internal corporate governance policies and the procedures and terms of reference which govern its senior management, including the board, its non-executive members and, where established, committees.

  2. (2)

    The information referred to in (1) must describe the selection process, appointment, performance evaluation and removal of senior management.

  3. (3)

    Where the applicant adheres to a recognised corporate governance code of conduct, the application for registration as a securitisation repository must identify the code and provide an explanation for any situations where the applicant deviates from that code.

Internal control

SECN 9.6.5 D
  1. (1)

    1An application for registration as a securitisation repository must contain detailed information about the internal control system of the applicant, including information regarding its compliance function, risk assessment, internal control mechanisms and the arrangements of its internal audit function.

  2. (2)

    The detailed information referred to in (1) must contain:

    1. (a)

      the applicant’s internal control policies and the procedures to ensure the consistent and effective implementation of those policies;

    2. (b)

      any policies, procedures and manuals for monitoring and evaluating the adequacy and effectiveness of the applicant’s systems;

    3. (c)

      any policies, procedures and manuals for controlling and safeguarding the applicant’s information processing systems; and

    4. (d)

      the identity of the internal bodies in charge of evaluating any internal control findings.

  3. (3)

    An application for registration as a securitisation repository must contain the following information with respect to the applicant’s internal audit activities:

    1. (a)

      where there is an internal audit committee, its composition, competences and responsibilities;

    2. (b)

      its internal audit function charter, methodologies, standards and procedures;

    3. (c)

      an explanation of how its internal audit function charter, methodology and procedures are developed and applied, taking into account the nature and extent of the applicant’s activities, complexities and risks; and

    4. (d)

      a work plan for the internal audit committee for the 3 years following the date of application, focusing on the nature and extent of the applicant’s activities, complexities and risks.

Conflicts of interest

SECN 9.6.6 D
  1. (1)

    1An application for registration as a securitisation repository must contain the following information on the policies and procedures put in place by the applicant to manage conflicts of interest:

    1. (a)

      policies and procedures with respect to the identification, management, elimination, mitigation and disclosure of conflicts of interest without delay;

    2. (b)

      a description of the process used to ensure that the relevant persons are aware of the policies and procedures referred to in (a);

    3. (c)

      a description of the level and form of separation that exists between the various business functions within the applicant’s organisation, including a description of:

      1. (i)

        the measures taken to prevent or control the exchange of information between functions where a risk of a conflict of interest may arise; and

      2. (ii)

        the supervision of those whose main functions involve interests that are potentially in conflict with those of a client; and

    4. (d)

      any other measures and controls put in place to ensure the policies and procedures referred to in (a) with respect to conflicts of interest management and the process referred to in (b) are followed.

  2. (2)

    An application for registration as a securitisation repository must contain an up-to-date inventory, at the time of the application, of existing and potential material conflicts of interest in relation to any core or ancillary securitisation services as well as any ancillary non-securitisation services provided or received by the applicant and a description of how those conflicts are, or will be, managed. The inventory must include conflicts of interest arising from the following situations:

    1. (a)

      any situation where the applicant may realise a financial gain or avoid a financial loss to the detriment of a client;

    2. (b)

      any situation where the applicant may have an interest in the outcome of a service provided to a client, which is distinct from the client’s interest in that outcome;

    3. (c)

      any situation where the applicant may have an incentive to prioritise its own interests or the interests of another user or group of users rather than the interests of the client to whom a service is provided; and

    4. (d)

      any situation where the applicant receives or may receive an incentive from any person other than the client, in relation to a service provided to the client, in the form of money, goods or services, but excluding incentives by way of commission or fees received for the service.

  3. (3)

    Where an applicant is part of a group, the inventory must include any existing and potential material conflicts of interest arising from other undertakings within the group and how those conflicts are being managed and mitigated.

Ownership of the securitisation repository

SECN 9.6.7 D
  1. (1)

    1An application for registration as a securitisation repository must contain:

    1. (a)

      a list of the names of each person or entity who directly or indirectly holds 5% or more of the applicant’s capital or of its voting rights or whose holding makes it possible to exercise a significant influence over the applicant’s management; and

    2. (b)

      a list of any undertakings in which a person referred to in (a) holds 5% or more of the capital or voting rights or over whose management they exercise a significant influence.

  2. (2)

    Where the applicant has a parent undertaking or an ultimate parent undertaking, the applicant must:

    1. (a)

      identify the LEI registered with the Global Legal Entity Identifier Foundation and the legal address of the parent undertaking or the ultimate parent undertaking; and

    2. (b)

      indicate whether the parent undertaking or ultimate parent undertaking is authorised or registered and subject to supervision and, when this is the case, state any reference number and the name of the responsible supervisory authority.

Ownership chart

SECN 9.6.8 D
  1. (1)

    1An application for registration as a securitisation repository must contain a chart showing the ownership links within the applicant’s group, including between the ultimate parent undertaking, parent undertaking, subsidiaries and any other associated entities or branches.

  2. (2)

    The undertakings in the chart referred to in (1) must be identified by their full name, legal status, legal address and LEI registered with the Global Legal Entity Identifier Foundation.

Policies and procedures

SECN 9.6.9 D

1Policies and procedures that are to be provided as part of an application for registration as a securitisation repository must contain the following:

  1. (1)

    evidence that the board approves the policies and that senior management approves the procedures and is responsible for the implementation and maintenance of those policies and procedures;

  2. (2)

    a description of how those policies and procedures are communicated within the applicant’s organisation, how compliance with those policies and procedures is ensured and monitored on a day-to-day basis, and who is responsible for compliance with those policies and procedures;

  3. (3)

    any records indicating that staff members (including those operating under any outsourcing arrangement) are aware of those policies and procedures;

  4. (4)

    a description of the measures to be taken in the event of a breach of those policies and procedures;

  5. (5)

    a description of the procedure for reporting to the FCA any material breach of the policies or procedures which may result in a breach of the conditions for registration; and

  6. (6)

    a description of the arrangements for notifying the FCA promptly of any planned material changes to the applicant’s information technology systems, before their implementation.

Regulatory compliance

SECN 9.6.10 D

1An application for registration as a securitisation repository must contain the following regarding the applicant’s policies and procedures for ensuring compliance with SECN:

  1. (1)

    a description of the roles of the persons responsible for compliance and of any other staff involved in the compliance assessments, including a description of how the independence of the compliance function from the rest of the business is ensured;

  2. (2)

    the internal policies and procedures designed to ensure that the applicant, including its managers and employees, complies with SECN, including a description of the role of the board and senior management; and

  3. (3)

    where available, the most recent internal report on compliance with SECN prepared by the persons responsible for such compliance or by any other staff involved in such compliance assessments within the applicant’s organisation.

Staffing policies and procedures

SECN 9.6.11 D

1An application for registration as a securitisation repository must contain the following:

  1. (1)

    a copy of the remuneration policy for senior management, board members and staff employed in the risk and control functions of the applicant; and

  2. (2)

    a description of the measures put in place by the applicant to mitigate the risk of over-reliance on any individual employee.

Information about the applicant’s staff members involved in the provision of core securitisation services

SECN 9.6.12 D

An application for registration as a securitisation repository must contain the following information about the applicant’s staff members involved in the provision of core securitisation services:

  1. (1)

    1a general list of staff members directly employed by the applicant, including their role and qualifications per role;

  2. (2)

    a specific description of the information technology staff members directly employed to provide core securitisation services, including the role and the qualifications of each individual and written evidence of the information technology experience of at least 1 staff member responsible for information technology matters;

  3. (3)

    a description of the roles and qualifications of each individual who is responsible for internal audits, internal controls, compliance, risk assessments and internal reviews;

  4. (4)

    the identity of staff members and the identity of staff members who are operating under any outsourcing arrangement; and

  5. (5)

    details of training provided to staff members on the applicant’s policies and procedures as well as on the securitisation repository business, including any examination or other type of formal assessment required for staff members regarding the conduct of core securitisation services.

Financial reports and business plans

SECN 9.6.13 D
  1. (1)

    1An application for registration as a securitisation repository must contain the following financial information:

    1. (a)

      a complete set of financial statements of the applicant, prepared in conformity with:

      1. (i)

        UK-adopted international accounting standards; or

      2. (ii)

        UK accounting standards as defined by section 464 of the Companies Act 2006;

    2. (b)

      where the financial statements of the applicant are subject to an audit of annual accounts or consolidated accounts insofar as required by the law of the United Kingdom, the financial statements must contain the audit report on the annual and consolidated financial statements;

    3. (c)

      where the applicant is audited, the name and the national registration number of the external auditor.

  2. (2)

    Where the financial information referred to in paragraph (1) is not available, an application for registration as a securitisation repository must contain the following information about the applicant:

    1. (a)

      a pro-forma statement demonstrating proper resources and expected business status in the 6 months following registration as a securitisation repository;

    2. (b)

      an interim financial report where the financial statements are not yet available for the period of time required under the acts specified in paragraph (1); and

    3. (c)

      a statement of financial position, such as a balance sheet, income statement, changes in equity and of cash flows, a summary of accounting policies and other explanatory notes required under the acts specified in paragraph (1).

  3. (3)

    An application for registration as a securitisation repository must contain a financial business plan, containing different business scenarios for the provision of core securitisation services over a minimum 3-year reference period and including the following information for each scenario:

    1. (a)

      the expected revenue from each of the following categories of service provided by the applicant, stated separately for each category:

      1. (i)

        core securitisation services;

      2. (ii)

        ancillary securitisation services;

      3. (iii)

        core trade repository services of centrally collecting and maintaining the records of derivatives under EMIR;

      4. (iv)

        ancillary trade repository services that directly relate to and arise from centrally collecting and maintaining the records of derivatives under EMIR;

      5. (v)

        core trade repository services of centrally collecting and maintaining the records of securities financing transactions under the Securities Financing Transactions Regulation;

      6. (vi)

        ancillary trade repository services that directly relate to and arise from centrally collecting and maintaining the records of securities financing transactions under the Securities Financing Transactions Regulation;

      7. (vii)

        combined ancillary services that directly relate to and arise from each of the following combinations of service:

        1. (A)

          both core securitisation services and core trade repository services of centrally collecting and maintaining the records of derivatives under EMIR;

        2. (B)

          both core securitisation services and core trade repository services of centrally collecting and maintaining the records of securities financing transactions under the Securities Financing Transactions Regulation; and

        3. (C)

          both core trade repository services of centrally collecting and maintaining the records of derivatives under EMIR and core trade repository services of centrally collecting and maintaining the records of securities financing transactions under the Securities Financing Transactions Regulation; and

      8. (viii)

        any ancillary non-securitisation services, whether or not provided in the United Kingdom, that are subject to registration and to supervision by a public authority;

    2. (b)

      the number of securitisation transactions that the applicant expects to be made available to users listed in SECN 9.3; and

    3. (c)

      the fixed and variable costs for providing core securitisation services.

  4. (4)

    The different business scenarios identified in the financial business plan must include a base revenue scenario, positive and negative variations of at least 20% from that base revenue scenario, and positive and negative variations of at least 20% from the base expected number of securitisation transactions identified in the financial business plan.

  5. (5)

    An application for registration as a securitisation repository must contain the audited annual financial statements of any parent undertaking for the 3 financial years preceding the date of the application, where available.

  6. (6)

    An application for registration as a securitisation repository must contain the following information about the applicant:

    1. (a)

      a description of any future plans for the establishment of subsidiaries and the location of those subsidiaries; and

    2. (b)

      a description of planned business activities, including business activities of any subsidiaries or branches.

Information technology resources

SECN 9.6.14 D

1An application for registration as a securitisation repository must contain the following information about information technology resources:

  1. (1)

    a detailed description of the information technology system used by the applicant to provide core securitisation services, including a description of which information technology system will be used for which securitisation type and underlying exposure type as referred to in SECN 9.6.2D(2)(e);

  2. (2)

    the relevant business requirements, the functional and technical specifications, the storage capacity, the system scalability (both for performing its functions and handling increases in information to process and access requests), the maximum limits on the size of data submissions made in accordance with SECN 9.6, the architectural and technical design of the system, the data model and data flows and the operations and administrative procedures and manuals;

  3. (3)

    a detailed description of user facilities developed by the applicant in order to provide services to users;

  4. (4)

    the investment and renewal policies and procedures on information technology resources of the applicant, including the review and development cycle of the applicant’s systems and versioning and testing policies;

  5. (5)

    a document describing in detail how the applicant has implemented the reporting templates, via an extensible markup language (XML) schema, set out in the annexes to SECN 12, the annexes to SECN 2.7 and any additional XML messages, using the specifications made available by the FCA; and

  6. (6)

    the policies and procedures for handling any changes to the reporting templates set out in the annexes to SECN 12.

Information collection and availability mechanisms

SECN 9.6.15 D
  1. (1)

    1An application for registration as a securitisation repository must contain:

    1. (a)

      a detailed description of the procedure and of the resources, methods and channels that the applicant will use to ensure the timely, structured and comprehensive collection of data from reporting entities, including a copy of any reporting manual to be made available to reporting entities;

    2. (b)

      a description of the resources, methods and channels that the applicant will use to ensure direct and immediate access to the information referred to in SECN 11.3 to SECN 11.9 to the entities listed in SECN 9.3, including a copy of any user manual and internal procedures that are needed for obtaining such access; and

    3. (c)

      a description of the procedures that the applicant will use to calculate the data completeness scores referred to in SECN 9.5.3R and a description of the resources, methods and channels that the applicant will use to ensure direct and immediate access to those data completeness scores to the entities listed in SECN 9.3 in accordance with that section, including a copy of any user manual and internal procedures that are needed for obtaining such access.

  2. (2)

    The detailed description referred to in (1)(a) must:

    1. (a)

      distinguish between automated and manual resources, methods, and channels; and

    2. (b)

      where any of the resources, methods or channels are manual:

      1. (i)

        describe how those resources, methods or channels are scalable, as referred to in SECN 9.6.14D(2); and

      2. (ii)

        describe the specific procedures put in place by the applicant to ensure that those resources, methods and channels comply with SECN 9.6.24D.

Ancillary services

SECN 9.6.16 D

1Where an applicant for registration as a securitisation repository, an undertaking within the applicant’s group, or an undertaking with which the applicant has an agreement relating to core securitisation services, offers, or plans to offer, ancillary securitisation services or ancillary non-securitisation services, the application for registration must contain:

  1. (1)

    a description of the ancillary securitisation services or ancillary non-securitisation services that the applicant, or the undertaking within its group, performs or plans to perform, and a description of any agreement that the applicant may have with undertakings offering any such services, as well as copies of those agreements; and

  2. (2)

    the procedures and policies that will ensure the necessary level of operational separation in terms of resources, systems, information and procedures between the applicant’s core securitisation services and any ancillary securitisation or ancillary non-securitisation services, irrespective of whether that service is provided by the applicant, an undertaking within its group, or any other undertaking with which it has an agreement.

Senior management and members of the board

SECN 9.6.17 D
  1. (1)

    1An application for registration as a securitisation repository must contain the following information in respect of each member of the senior management:

    1. (a)

      a copy of the member’s curriculum vitae, including the following information to the extent relevant in assessing the adequacy of the member’s experience and knowledge for the purposes of performing their responsibilities:

      1. (i)

        an overview of the member’s post-secondary education;

      2. (ii)

        the member’s employment history with dates, identification of positions held and a description of the functions occupied; and

      3. (iii)

        any professional qualification held by the member, together with the date on which that qualification was acquired and the status of any membership in a relevant professional body;

    2. (b)

      detailed information on knowledge and experience on securitisation matters and on information technology management, operations and development;

    3. (c)

      details regarding any criminal convictions in connection with the provision of financial or data services or in relation to acts of fraud or embezzlement, in particular in the form of an official certificate, if available;

    4. (d)

      a declaration signed by the member that states whether they:

      1. (i)

        have been convicted of any criminal offence in connection with the provision of financial or data services or in relation to acts of fraud or embezzlement;

      2. (ii)

        have been subject to any adverse decision in any proceedings of a disciplinary nature brought by a regulatory authority or government body or agency or are the subject of any such proceedings which are not concluded;

      3. (iii)

        have been subject to an adverse judicial finding in civil proceedings before a court in connection with the provision of financial or data services, or for impropriety or fraud in the management of a business;

      4. (iv)

        have been part of the board or senior management of an undertaking whose registration or authorisation was withdrawn by a regulatory body;

      5. (v)

        have been refused the right to carry on activities which require registration or authorisation by a regulatory body;

      6. (vi)

        have been part of the board or senior management of an undertaking which has gone into insolvency or liquidation, either while the member was connected to the undertaking or within a year of the member’s ceasing to be connected to the undertaking;

      7. (vii)

        have been part of the board or senior management of an undertaking which was subject to an adverse decision or penalty by a regulatory body;

      8. (viii)

        have been otherwise fined, suspended, disqualified, or been subject to any other sanction in relation to fraud or embezzlement or in connection with the provision of financial or data services, by a government or regulatory or professional body; and

      9. (ix)

        have been disqualified from acting as a director, disqualified from acting in any managerial capacity, or dismissed from employment or other appointment in an undertaking as a consequence of misconduct or malpractice; and

    5. (e)

      a declaration of any potential conflicts of interests that the member may have in performing their duties and how these conflicts are managed.

Transparency of access rules

SECN 9.6.18 D
  1. (1)

    1An application for registration as a securitisation repository must contain:

    1. (a)

      the policies and procedures pursuant to which different types of user will report and access the information centrally collected, produced and maintained in the securitisation repository, including any process for users to access, view, consult or modify the information maintained by the securitisation repository, as well as the procedures used to authenticate the identity of users accessing the securitisation repository;

    2. (b)

      a copy of the terms and conditions which determine the rights and obligations of the different types of user in relation to information maintained by the securitisation repository;

    3. (c)

      a description of the different categories of access available to users;

    4. (d)

      a detailed description of the access policies and procedures to ensure that users have non-discriminatory access to information maintained by the securitisation repository, including:

      1. (i)

        any access restrictions;

      2. (ii)

        variations in access conditions or restrictions across reporting entities and across the different entities listed in SECN 9.3; and

      3. (iii)

        how the access policies and procedures ensure that access is restricted to the least possible extent and which procedures exist to question and reverse a restriction or denial of access;

    5. (e)

      a detailed description of the access policies and procedures pursuant to which other service providers have non-discriminatory access to information maintained by the securitisation repository where the relevant reporting entity has provided its written, voluntary and revocable consent, including:

      1. (i)

        any access restrictions;

      2. (ii)

        variations in access conditions or restrictions; and

      3. (iii)

        how the access policies and procedures ensure that access is restricted to the least possible extent and which procedures exist to question and reverse a restriction or denial of access; and

    6. (f)

      a description of the channels and mechanisms to publicly disclose to potential and actual users the procedures by which those users may ultimately access the information maintained by the securitisation repository and to publicly disclose to potential and actual reporting entities the procedures by which they may ultimately make available information via the applicant.

  2. (2)

    The information referred to in (1)(a) to (d) must be specified for each of the following categories of user:

    1. (a)

      staff and other personnel affiliated with the applicant, including within the same group;

    2. (b)

      originators, sponsors and SSPEs (as a single category);

    3. (c)

      the entities listed in SECN 9.3;

    4. (d)

      other service providers; and

    5. (e)

      each other category of user identified by the applicant (with the information specified separately for each such category).

Pricing policy transparency

SECN 9.6.19 D

1An application for registration as a securitisation repository must contain a description of the following:

  1. (1)

    the applicant’s pricing policy, including any existing discounts, rebates and conditions to benefit from such reductions;

  2. (2)

    the applicant’s fee structure for providing core and ancillary securitisation services, including the estimated cost of each of those services, along with the details of the methods used to account for the separate cost that the applicant may incur when providing core securitisation services and ancillary securitisation services, as well as the fees charged by the applicant for transferring information to another securitisation repository and for receiving information transferred from another securitisation repository; and

  3. (3)

    the methods used by the applicant to make the information referred to in (1) and (2) publicly available, including a copy of the fee structure separated according to core securitisation services and, where these are provided, ancillary securitisation services.

Operational risk

SECN 9.6.20 D
  1. (1)

    1An application for registration as a securitisation repository must contain:

    1. (a)

      a detailed description of the resources available and procedures designed to identify and mitigate operational risk and any other material risk to which the applicant is exposed, including a copy of any relevant policies, methodologies, internal procedures and manuals drawn up for that purpose;

    2. (b)

      a description of the liquid net assets funded by equity to cover potential general business losses in order to continue providing core securitisation services as a going concern;

    3. (c)

      an assessment of the sufficiency of the applicant’s financial resources to cover the operational costs of a wind-down or reorganisation of the critical operations and services over a period of at least 9 months;

    4. (d)

      the applicant’s business continuity plan and a description of the policy for updating that plan, including:

      1. (i)

        all business processes, resources, escalation procedures and related systems which are critical to ensuring the core securitisation services of the applicant, including any relevant outsourced service and the applicant’s strategy, policy and objectives for the continuity of those processes;

      2. (ii)

        any arrangements in place with other financial market infrastructure providers, including other securitisation repositories;

      3. (iii)

        the arrangements to ensure a minimum service level of the critical functions and the expected timing of the full recovery of those functions;

      4. (iv)

        the maximum acceptable recovery time for business processes and systems, taking into account the deadlines for reporting laid down in SECN 6.2 and the volume of information that the applicant needs to process within the quarterly period;

      5. (v)

        the procedures to deal with incident logging and reviews;

      6. (vi)

        a periodic testing programme, ensuring that sufficient tests will be carried out to cover an adequate range of possible scenarios, in the short and medium term, including but not limited to system failures, natural disasters, communication disruptions, loss of key staff and inability to use the premises regularly used and providing for the tests to identify how hardware, software and communications respond to potential threats, together with the results and follow-up actions resulting from any tests and those systems that have been shown to be unable to cope with the specific scenarios being tested;

      7. (vii)

        the number of alternative technical and operational sites available, their location, the resources of those sites when compared with the main site and the business continuity procedures in place in the event that alternate sites need to be used;

      8. (viii)

        information on access to a secondary business site to enable staff to ensure continuity of core securitisation services if a main office location is not available;

      9. (ix)

        plans, procedures and arrangements for handling emergencies and ensuring safety of staff;

      10. (x)

        plans, procedures and arrangements to manage crises, to coordinate the overall business continuity efforts and to determine their timely (within the recovery time objective set by the applicant) and effective activation, mobilisation and escalation capabilities;

      11. (xi)

        plans, procedures and arrangements to recover the applicant’s system, application and infrastructure components within the recovery time objective set by the applicant; and

      12. (xii)

        details on staff training on the operation of the business continuity arrangements, and individuals’ roles in that regard, including specific security operations staff ready to react immediately to a disruption of services;

    5. (e)

      a description of the arrangements for ensuring the applicant’s core securitisation services in case of disruption and the involvement of its users and other third parties in those arrangements;

    6. (f)

      a description of the applicant’s arrangements for publishing on its website and promptly informing the FCA and other users of any service interruptions or connection disruptions as well as the time estimated to be needed to resume regular service; and

    7. (g)

      a description of the applicant’s arrangements permitting its staff to continuously monitor in real time the performance of its information technology systems.

  2. (2)

    An application for registration as a securitisation repository must include a copy of policies and procedures to ensure the orderly transfer of information to other securitisation repositories and the redirection of reporting flows to other securitisation repositories.

Outsourcing

SECN 9.6.21 D
  1. (1)

    1An application for registration as a securitisation repository must demonstrate that, where an applicant arranges for activities to be performed on its behalf by third parties, including by undertakings with which it has close links, the applicant ensures that the third party has the ability and the capacity to perform those activities reliably and professionally.

  2. (2)

    The application for registration as a securitisation repository must specify or contain all of the following:

    1. (a)

      a description of the scope of the activities to be outsourced, as well as the detail and extent to which those activities are outsourced;

    2. (b)

      a copy of the relevant service level agreements, with clear roles and responsibilities, metrics and targets for every key requirement of the applicant that is outsourced, the methods employed to monitor the service level of the outsourced functions and the measures or actions to be taken in the event of service level targets not being met;

    3. (c)

      a copy of the contracts governing those service level agreements, including the identification of the third-party service provider;

    4. (d)

      a copy of any external reports on the outsourced activities, where available; and

    5. (e)

      details of the organisational measures and policies with respect to outsourcing and the risks posed by it as specified in (4).

  3. (3)

    The application for registration must demonstrate that the outsourcing does not reduce the applicant’s ability to perform senior management or management body functions.

  4. (4)

    The application for registration as a securitisation repository must contain information sufficient to demonstrate how the applicant remains responsible for any outsourced activity and a description of the organisational measures taken by the applicant to ensure the following:

    1. (a)

      that the third-party service provider is carrying out outsourced activities effectively and in compliance with applicable laws and regulatory requirements and that the third party service provider adequately addresses identified failures;

    2. (b)

      the identification by the applicant of risks in relation to outsourced activities and the adequate periodic monitoring of those risks;

    3. (c)

      that there are adequate control procedures with respect to outsourced activities, including effective supervision of those activities and of their risks within the applicant; and

    4. (d)

      the adequate business continuity of outsourced activities.

  5. (5)

    For the purposes of (4)(d), the applicant must provide information on the business continuity arrangements of the third-party service provider, including the applicant’s assessment of the quality of those business continuity arrangements and, where needed, any improvements to those business continuity arrangements that have been requested by the applicant.

  6. (6)

    Where the third-party service provider is supervised by a regulatory authority, the application for registration must also contain information demonstrating that the third-party service provider cooperates with that authority in connection with outsourced activities.

Security

SECN 9.6.22 D
  1. (1)

    1An application for registration as a securitisation repository must contain proof of the following:

    1. (a)

      that its information technology systems are protected from misuse or unauthorised access;

    2. (b)

      that its information systems are protected against attacks; ‘information systems’ means a device or group of interconnected or related devices, one or more of which, pursuant to a programme, automatically processes computer data, as well as computer data stored, processed, retrieved or transmitted by that device or group of devices for the purpose of its or their operation, use, protection and maintenance;

    3. (c)

      that unauthorised disclosure of confidential information is prevented; and

    4. (d)

      that the security and integrity of the information received by it under SECN is ensured.

  2. (2)

    The application must contain proof that the applicant has arrangements in place to identify and manage the risks referred to in (1) in a prompt and timely manner.

  3. (3)

    With respect to breaches in the physical and electronic security measures referred to in (1) and (2), the application must contain proof that the applicant has arrangements in place to do the following in a prompt and timely manner:

    1. (a)

      notify the FCA of the incident giving rise to the breach;

    2. (b)

      provide the FCA with an incident report, indicating the nature and details of the incident, the measures adopted to cope with the incident and the initiatives taken to prevent similar incidents; and

    3. (c)

      notify its users of the incident where they have been affected by the breach.

Verification procedure

SECN 9.6.23 D
  1. (1)

    1An application for registration as a securitisation repository must contain a description of the policies and procedures the applicant has put in place to:

    1. (a)

      authenticate the identity of the user accessing the applicant’s systems;

    2. (b)

      authorise and permit the recording of information received by the applicant under SECN for the relevant securitisation;

    3. (c)

      comply with SECN 9.5.2R to SECN 9.5.4R;

    4. (d)

      verify and highlight duplicate submissions; and

    5. (e)

      identify information not received by it where there is an obligation to make that information available under SECN 6.2.

  2. (2)

    The application must also contain documentation providing several detailed example test cases, including graphics, that demonstrate the applicant’s ability to comply with the obligations set out in (1). With regard to (1)(c), several detailed example test cases must be provided for each of the verifications listed in SECN 9.5.4R.

Quality of information produced

SECN 9.6.24 D

1With respect to information produced by the applicant pursuant to SECN 9.5, an application for registration as a securitisation repository must contain a detailed description of the procedures put in place by the applicant to ensure that it accurately makes available the information received from reporting entities, without itself introducing any errors or omitting information.

Confidentiality

SECN 9.6.25 D
  1. (1)

    1An application for registration as a securitisation repository must contain a detailed description of the internal policies, procedures and mechanisms that prevent:

    1. (a)

      any use of the information maintained by the applicant for illegitimate purposes;

    2. (b)

      the disclosure of confidential information; and

    3. (c)

      the commercial use of information maintained by the applicant where such use is prohibited.

  2. (2)

    The description referred to in (1) must contain a description of the internal procedures on staff permissions for using passwords to access the information, specifying the staff purpose and the scope of the information being viewed and any restrictions on the use of information.

  3. (3)

    Applicants must provide the FCA with information on the processes to keep a log identifying each staff member accessing the information maintained by the applicant, the time of access, the nature of the information accessed and the purpose.

Record-keeping policy

SECN 9.6.26 D
  1. (1)

    1An application for registration as a securitisation repository must contain the following information:

    1. (a)

      the record-keeping systems, policies and procedures that are used in order to ensure that the information made available by a reporting entity under SECN by means of the applicant is recorded and maintained by the applicant in accordance with Article 80(3) of EMIR, as applied by regulation 14(3) of the Securitisation Regulations 2024;

    2. (b)

      a detailed description of the record-keeping systems, policies and procedures that are used in order to ensure that information made available by a reporting entity under SECN by means of the applicant is modified appropriately and in accordance with relevant legislative or regulatory requirements; and

    3. (c)

      information about the receipt and administration of information made available by a reporting entity under SECN by means of the applicant, including a description of any policies and procedures put in place by the applicant to ensure the following:

      1. (i)

        the timely and accurate recording of the information received;

      2. (ii)

        the record-keeping of all information received that relates to the receipt, modification or termination of a securitisation transaction in a reporting log;

      3. (iii)

        that the information is maintained both online and offline; and

      4. (iv)

        that the information is adequately copied for business continuity purposes.

  2. (2)

    The application for registration must also include the applicant’s policies and procedures to promptly record, and maintain for at least 10 years following the termination of the securitisation, the verifications, validations and information produced by the applicant under SECN 9.5.

Payment of fees

SECN 9.6.27 D

1An application for registration as a securitisation repository must contain proof of payment of the registration fees referred to in FEES.

Verification of the accuracy and completeness of the application

SECN 9.6.28 D
  1. (1)

    1Any information submitted to the FCA during the registration process must be accompanied by a letter signed by a member of the board of the applicant and a member of the applicant’s senior management, attesting that the information submitted is accurate and complete to the best of their knowledge, as of the date of submission.

  2. (2)

    The information must also be accompanied, where relevant and available, with the relevant corporate legal documentation certifying the accuracy of the application information.

Information requirements for a registered trade repository seeking to provide core securitisation services

SECN 9.6.29 D
  1. (1)

    1An application under regulation 14(2) of the Securitisation Regulations 2024 for an extension of registration for the purposes of SECN 6 must contain the information and documentation required by the following provisions:

    1. (a)

      (a) SECN 9.6.2D, except SECN 9.6.2D(2)(d);

    2. (b)

      SECN 9.6.3D;

    3. (c)

      SECN 9.6.5D, except SECN 9.6.5D(2)(d);

    4. (d)

      SECN 9.6.6D;

    5. (e)

      SECN 9.6.9D;

    6. (f)

      SECN 9.6.10D(2);

    7. (g)

      SECN 9.6.12D;

    8. (h)

      SECN 9.6.13D(2);

    9. (i)

      SECN 9.6.14D, SECN 9.6.15D and SECN 9.6.16D;

    10. (j)

      SECN 9.6.17D(1)(b) and SECN 9.6.17D(1)(e);

    11. (k)

      SECN 9.6.18D to SECN 9.6.24D;

    12. (l)

      SECN 9.6.25D(2); and

    13. (m)

      SECN 9.6.26D, SECN 9.6.27D and SECN 9.6.28D.

  2. (2)

    Information and documentation required by any provisions of SECN 9.6 that are not covered by (1) must be included in an application only insofar as there is a difference in the content of that particular information or documentation as at the time when the application is made, compared with the content as last provided to the FCA most recently before that time under Chapter 1 of Title VI of EMIR or Chapter III of the Securities Financing Transactions Regulation, as applicable.

  3. (3)

    For the purposes of this section, references in SECN 9.6.2D(3), SECN 9.6.2D(4) and in SECN 9.6.3D to SECN 9.6.28D to an application for registration must be taken to include reference to an application for an extension of registration.