Joint Standard: Requirements and Duties of a Trade Repository

Page 1 of 14 JOINT STANDARD FINANCIAL MARKETS ACT 19 OF 2012 REQUIREMENTS AND DUTIES OF A TRADE REPOSITORY Under sections 55(1)(c) and 57(3) of the Financial Markets Act, 2012 (Act No. 19 of 2012), the Authority and the Prudential Authority, hereby prescribe requirements for an applicant for a trade repository licence or an applicant for an external trade repository licence and a licensed trade repository or a licensed external trade repository as well as additional duties of a licensed trade repository or licensed external trade repository as set out in the Joint Standard. AUTHORITY PRUDENTIAL AUTHORITY

Page 2 of 14

1. Definition In this Joint Standard “the Act” means the Financial Markets Act, 2012 (Act No. 19 of 2012), and “the Regulations” means the Regulations prescribed under section 5(1)(c) of the Act and any word or expression to which a meaning has been assigned in the Act or the Regulations, bears the meaning so assigned to it, unless the context indicates otherwise; and “users” means reporting entities as specified in the conduct standard: reporting obligations in respect of transactions in over-the-counter derivatives “user requirements” means requirements for access and participation as contemplated in section 55(1)(g) of the Act.
2. Application and interpretation (1) This Joint Standard applies to an applicant for a trade repository licence, an applicant for an external trade repository licence, a licensed trade repository and licensed external trade repository and a reference to an applicant for a trade repository licence and a licensed trade repository includes an applicant for an external trade repository licence and a licensed external trade repository. (2) The Joint Standard must be complied with in addition to the requirements prescribed in Board Notice 97 of 31 May 2013 (Determination of fit and proper requirements for market infrastructures).
3. Legal basis (1) To establish a legal basis for its duties, an applicant for a trade repository licence and a licensed trade repository must have written policies, procedures, or contracts that – (a) are clear about the legal status of the transaction data that it stores; (b) define the rights and interests of users and other relevant stakeholders with respect to the transaction data stored in the trade repository’s systems; and (c) are enforceable when the trade repository is implementing its plans for recovery or orderly winding-up as contemplated in paragraph 4(6). (2) An applicant for a trade repository licence and a licensed trade repository must identify and mitigate any legal risks or conflicts of interest associated with any ancillary services that it may provide. (3) An applicant for a trade repository licence and a licensed trade repository must – (a) analyse any foreign legal requirements applicable to the rendering of its duties;

Page 3 of 14 (b) identify the extent to which those requirements are, or may potentially be, in conflict with the Act and other applicable South African legislation; and (c) develop a policy describing how conflicting or potentially conflicting provisions will be resolved in full compliance with the Act and other applicable legislation. 4. Governance (1) An applicant for a trade repository licence and a licensed trade repository must have robust and publicly disclosed governance arrangements, which must include – (a) the role, responsibilities, term and composition of the controlling body and any committees; (b) processes to identify, assess, and manage potential conflicts of interest of members of the controlling body, managers, employees or any related party of the controlling body; (c) clear and direct lines of responsibility and accountability, particularly between management and the controlling body; (d) sufficient authority, independence, resources and access to the controlling body for key functions such as risk management, internal control, and audit; (e) an effective internal audit function, with sufficient resources and independence from management to provide, among other activities, a rigorous and independent assessment of the effectiveness of the trade repository’s risk-management and control processes; (f) the role, responsibilities and structure of senior management; (g) the shareholding structure; (h) the internal governance policy; (i) the design of risk management, compliance and internal controls that includes the trade repository’s risk-tolerance policy, assigns responsibilities and accountability for risk decisions, and addresses decision making in crises and emergencies; (j) the procedures for the appointment, performance evaluation and removal of members of the controlling body and senior management; (k) oversight of outsourcing arrangements; (l) processes for ensuring performance accountability to stakeholders; and (m) a stakeholder inclusive approach to governance. (2) An applicant for a trade repository licence and a licensed trade repository must ensure that the governance arrangements are disclosed to the Authority, shareholders and where appropriate, its users and the public. (3) An applicant for a trade repository licence and a licensed trade repository must have a controlling body which must be sufficiently independent.

Page 4 of 14 (4) The compensation of the independent and other non-executive members of the controlling body may not be linked to the business performance of the trade repository. (5) An applicant for a trade repository licence and a licensed trade repository may not share human resources with other group entities unless under the terms of an outsourcing arrangement. (6) An applicant for a trade repository licence and a licensed trade repository must have at least a risk, compliance and information technology function under the direction of a chief risk officer, a chief compliance officer and a chief information technology officer respectively, to ensure that the trade repository operates with the necessary level of human resources to meet all of its obligations. (7) The risk and information technology functions must report to the controlling body either directly or through the chair of the risk committee. The internal audit function must report directly to the controlling body. (8) An applicant for a trade repository licence and a licensed trade repository must establish adequate policies and procedures sufficient to ensure its compliance, including compliance by its senior managers and employees, with all the provisions of this Joint Standard. 5. Risk management (1) An applicant for a trade repository licence and a licensed trade repository must establish, implement, maintain and enforce an effective risk management framework, approved by its controlling body to – (a) manage its risks, including business and operational risk, with appropriate systems, policies, procedures and controls; (b) provide for formal change-management and project-management processes to mitigate operational risk arising from modifications to operations, policies, procedures, and controls; (c) record, report, analyse, and resolve all operational incidents; and (d) provide for comprehensive physical and information security policies that address all potential vulnerabilities and threats. (2) The risk management framework must enable an applicant for a trade repository licence and a licensed trade repository to – (a) identify, monitor and manage the potential sources of risk, taking into account past loss events and financial projections; (b) assess and understand its risk profile and the potential effect that this risk could have on its cash flows, liquidity, and capital positions, so that it is able to assess its ability either to-

Page 5 of 14 (i) avoid, reduce or transfer specific business risks; or (ii) accept and manage those risks; (c) measure and monitor identified risks on an on-going basis and to develop appropriate information processing systems; and (d) minimise and mitigate the probability of business-related losses and their impact on its operations across a range of adverse business and market conditions, including the scenario that its viability as a going concern is questioned. (3) An applicant for a trade repository licence and a licensed a trade repository must have adequate management controls, such as setting operational standards, measuring and reviewing performance, and correcting deficiencies. (4) A trade repository must – (a) develop and maintain- (i) adequate internal controls over its systems; and (ii) adequate information technology general controls, including controls relating to information systems operations, information security and integrity, change management, incident management, network support and system software support. (b) in accordance with prudent business practice, on a reasonably frequent basis and, in any event, at least annually – (i) make reasonable current and future capacity estimates; and (ii) conduct capacity stress tests to determine the ability of those systems to process transactions in an accurate, timely and efficient manner, and (c) promptly notify the Authority of any material system’s failure, malfunction, delay or other disruptive incident, or any breach of data security, integrity or confidentiality, and provide a post-incident report that includes a root-cause analysis as soon as practicable. (5) A trade repository must test its business continuity policy and its disaster recovery plan as contemplated in section 55(1)(i) of the Act at least annually. (6) A trade repository must establish, implement, maintain and enforce plans designed to – (a) identify scenarios that may potentially prevent the trade repository from being able to provide reporting services as a going concern and assess the effectiveness of a full range of options for recovery or orderly wind-up; (b) provide for the recovery or orderly winding-up of the trade repository’s critical operations or services based on the results of the assessment referred to in sub￾paragraph 5(6)(a); and

Page 6 of 14 (c) provide, in the event of recovery or orderly winding-up, for the manner in which all the existing data must be transferred to another trade repository or to the relevant authorities which will allow reporting entities the choice to report to any other trade repository going forward. (7) For each of its systems for collecting and maintaining reports of data, a trade repository must annually appoint a qualified independent third party, as agreed to by the Authority, to conduct an independent review and prepare a report in accordance with established audit standards. (8) A trade repository must provide a copy of the report resulting from the review conducted under sub-paragraph 5(7) to – (a) its controlling body and audit committee upon the report's completion; and (b) the Authority not later than five working days after providing the report to its controlling body or audit committee. 6. Compliance function (1) An applicant for a trade repository licence and a licensed trade repository must establish and maintain a permanent and effective compliance function which operates independently from the other functions of the trade repository with the necessary authority, resources, expertise and access to all relevant information. (2) When establishing its compliance function, an applicant for a trade repository licence and a licensed trade repository must take into account the nature, scale and complexity of its business, and the nature and range of the functions undertaken in the course of that business. (3) The compliance function must – (a) monitor and, on a regular basis, assess the adequacy and effectiveness of the measures put in place and the actions taken to address any deficiencies in the trade repository’s compliance with its obligations; (b) administer the compliance policies and procedures established by senior management and the controlling body; (c) advise and assist the persons responsible for carrying out the trade repository’s functions to comply with its obligations under the Act, this Joint Standard and other regulatory requirements, where applicable; (d) report on a quarterly basis, to the controlling body on compliance by the trade repository and its employees with the Act and this Joint Standard; (e) report annually to the Authority on compliance by the trade repository and its employees with the Act and this Joint Standard; (f) establish procedures for the effective remediation of instances of non-compliance; and

Page 7 of 14 (g) ensure that any person involved in the compliance function is not involved in the performance of the services or activities which that person monitors and that any conflicts of interest of such a person are properly identified and eliminated. 7. Related parties, subsidiaries and associates (1) The Authority must be satisfied that any relationship between a trade repository and a related party of that trade repository will not prevent the effective exercise of the supervisory functions of the Authority. (2) A trade repository may not acquire or establish subsidiaries or associates, without prior written approval of the Authority and the Prudential Auhority 8. Additional business Subject to section 61 of the Act, where a trade repository offers ancillary services such as trade confirmation, trade matching, credit event servicing, portfolio reconciliation or portfolio compression services, the trade repository must maintain those ancillary services operationally separate from the trade repository’s duty of centrally collecting and maintaining records of derivative transactions. 9. Outsourcing (1) A trade repository must – (a) establish, implement, maintain and enforce written policies and procedures for the selection of its service providers, including a service provider that is an associate or affiliate of the trade repository, to which key services and systems may be outsourced and for the evaluation and approval of the outsourcing arrangements; (b) identify and provide a written report to its controlling body regarding any conflicts of interest between the trade repository and the service provider to which key services and systems are outsourced, and establish, implement, maintain and enforce written policies and procedures, as approved by its controlling body, to mitigate and manage those conflicts of interest; (c) enter into a written service agreement with the service provider that is appropriate for the materiality and nature of the outsourced activities and that provides for adequate termination procedures; (d) ensure that the trade repository has direct access to the relevant information of the outsourced functions;

Page 8 of 14 (e) ensure that nothing contained in the service agreement with the provider, nor any obligations in terms thereof, will result in non-compliance by the trade repository with the provisions of this Joint Standard, the Act and any other legislation; (f) ensure that the Authority has the same access and within the same periods to all data, books, records, information and systems maintained by the service provider on behalf of the trade repository that it would have in the absence of the outsourcing arrangements; (g) ensure that all persons conducting audits or independent reviews of the trade repository under this Joint Standard have appropriate access to all relevant data, books, records, information and systems maintained by the service provider on behalf of the trade repository that such persons would have in the absence of the outsourcing arrangements; (h) take appropriate measures to – (i) determine that a service provider to which key services or systems are outsourced establishes an equivalent business continuity plan including a disaster recovery plan to that, which the trade repository must fulfil under this Joint Standard; (ii) determine that a service provider to which key services or systems are outsourced maintains and periodically tests its business continuity plan, including a disaster recovery plan; and (iii) ensure that the service provider protects the trade repository users' confidential information. (i) establish, implement, maintain and enforce written policies and procedures to regularly review the performance of the service provider under the outsourcing arrangements; (j) ensure that the relationship and obligations of the trade repository towards its users are not altered; (k) ensure that the conditions for authorisation of the trade repository do not effectively change; (l) ensure that outsourcing does not result in depriving the trade repository from the necessary systems and controls to manage the risks it faces; (m) ensure that the trade repository retains the necessary expertise and resources to supervise the outsourced functions effectively and manage the risks associated with the outsourcing on an on-going basis; (n) ensure that the service provider protects any confidential information relating to the trade repository and its users and clients or, where that service provider is established in a country other than the Republic, ensures that the data protection standards of that country, or those set out in the agreement between the service provider and the trade

Page 9 of 14 repository, are comparable to the data protection standards in effect in the Republic; and (o) confirm in writing to the Authority the extent of outsourcing and that the conditions set out in (a) to (n) will be adhered to. (2) A trade repository must submit a copy of the written service agreement which clearly reflects the rights and obligations of the trade repository and the service provider to the Authority. (3) A trade repository must make all the necessary information available to the Authority , upon request, to enable the Authority to assess the compliance of the performance of the outsourced activities with this Joint Standard. 10. Access (1) A trade repository must – (a) subject to the reporting obligations prescribed by the Authority have objective, non￾discriminatory, publicly disclosed user requirements as contemplated in section 55(1)(g) of the Act, that: (i) are risk-based; (ii) have the least-restrictive impact on access that circumstances permit; (iii) are adequate to ensure that its users meet operational, financial and legal requirements to allow them to fulfil their obligations to the trade repository and other users of the trade repository on a timely basis; (iv) where applicable, are designed to support interconnectivity with other market infrastructures and service providers; (v) are justified in terms of the safety and efficiency of the trade repository and the markets it serves; (vi) are tailored to and commensurate with the trade repository’s specific risks; and (vii) only restrict access to the extent that the objective of such restriction is to control the risk to the data maintained by a trade repository. (b) monitor compliance with its user requirements on an on-going basis; (c) allow the users to have access to their transaction data and to make necessary corrections to the information reported by the user in a timely manner; (d) grant service providers non-discriminatory access to information maintained by the trade repository, on condition that the relevant /users have provided their consent; (e) fully disclose the process for proposing and implementing changes to its user requirements and for informing users, the Authority and the Prudential Authority of these changes;

Page 10 of 14 (f) have clearly defined and publicly disclosed procedures for facilitating the suspension and orderly exit of a user that breaches, or no longer meets, the user requirements; (g) disclose any other information reasonably required by users to assess the risks and costs of participating in the trade repository; (h) provide all documentation, training, and any other information necessary to facilitate a user’s understanding of the trade repository’s rules and procedures and the risks it faces from participation as a user of the trade repository; (i) ensure that a new user receive training before using the system, and an existing user receive, as needed, additional periodic training, at least annually; (j) provide clear descriptions of priced services for comparability purpose; and (k) provide the Authority, its users and the public with at least 30 days’ notice prior to the implementation of any changes to its services and fees. (2) A trade repository must have policies, that – (a) clearly describe the design and operations of its systems for accepting, using, retaining and providing access to transaction data; (b) clearly disclose the degree of discretion that a trade repository can exercise over key decisions that directly affect the operation of its system, including in crises and emergencies; and (c) clearly set out the trade repository’s commitments in relation to minimum service levels and operational reliability. 11. Providing access to data by the Authority and supervisory authorities (1) A trade repository must – (a) provide continuous, direct and immediate electronic access to all transaction data in accordance with internationally acceptable communication procedures and standards for messaging to the Authority or any other relevant supervisory authoritiesif requested and at no charge; (b) comply with any reasonable requirement specified in the request contemplated in sub-paragraph 11(1)(a) to provide the transaction data – (i)on an ad hoc basis or each time a particular event occurs; or (ii) by a specified time; (c) notify the Authority of criminal proceedings, disciplinary action or material changes to regulatory requirements imposed on the trade repository by a supervisory authority; (d) as soon as practicable, notify the Authority of the occurrence of any of the following circumstances:

Page 11 of 14 (i) a disruption, delay in, suspension or termination of any of the trade repository’s systems, including as a result of a system failure; or (ii) a breach of security or confidentiality of the transaction data retained in the trade repository. (2) In relation to a designated authority that has entered into a supervisory cooperation arrangement with the Authority as contemplated in section 251 of the Financial Sector Regulation Act, a trade repository must provide access to the transaction data, relevant to that designated authority’s mandate and responsibilities. 12. Safeguarding and recording Subject to section 73 of the Act, a trade repository must – (a) establish, implement, maintain and enforce written policies and procedures reasonably designed to protect the privacy, integrity and confidentiality of the transaction data; (b) promptly record the transaction data received and maintain it for at least five years following the termination of the relevant derivatives contracts; (c) employ timely and efficient record keeping procedures to document changes to recorded transaction data; (d) set a service-level target to record to its central registry, transaction data it receives from users at least within one business day; (e) have adequate procedures and timelines for making transaction data available for any downstream processing, such as clearing and reporting; (f) implement quality controls to ensure the accuracy, validity, and integrity of the transaction data it stores and disseminates; (g) take all reasonable steps to prevent any misuse of the transaction data maintained in its systems; (h) ensure that any transaction data, that has not otherwise been disclosed, is not released for commercial or business purposes, unless the /users have expressly granted their written consent to use the transaction data to the trade repository. 13. Disclosure of transaction data by trade repositories (1) Subject to section 73, a trade repository must – (a) have objectives, policies and procedures that support the effective and appropriate disclosure of transaction data to the Authority, Prudential Authority, other supervisory authorities, and where applicable, the public and its users; (b) have robust information systems that provide accurate current and historical transaction data;

Page 12 of 14 (c) disclose information on its system design, as well as technology and communication procedures, that affect the costs of operating the trade repository; (d) have procedures to facilitate enhanced monitoring, supervision, regulation or enforcement proceedings by the Authority by making relevant information held by the trade repository available to the Authority in a timely and effective manner; (e) collect, store, and provide transaction data to the public and its users, in a timely manner and in a format that can facilitate prompt analysis; (f) make the transaction data and other relevant information it discloses readily available through generally accessible media, such as the Internet, in a language commonly used in financial markets in addition to an official language, which transaction data must be accompanied by explanatory documentation that enables users to understand and interpret the transaction data correctly; (g) complete and disclose publicly, responses to the Committee on Payment and Settlement Systems and the Technical Committee of the International Organisation of Securities Commissions: Disclosure Framework for Financial Market Infrastructures; https://www.bis.org/cpmi/publ/d101a.pdf https://www.bis.org/cpmi/publ/d106.pdf (h) update its responses to the Committee on Payment and Settlement Systems and the Technical Committee of the International Organisation of Securities Commissions: Disclosure Framework for Financial Market Infrastructures following material changes to the system or its environment; (i) at a minimum, review its responses to the Committee on Payment and Settlement Systems and the Technical Committee of the International Organisation of Securities Commissions: Disclosure Framework for Financial Market Infrastructures every two years to ensure continued accuracy and usefulness; (j) provide comprehensive and appropriately detailed disclosures to improve the overall transparency of the trade repository, its governance, operations, and risk-management framework. (2) A trade repository may only disclose the information under paragraph 14(a)(iii) and (iv) if such disclosure would not compromise the integrity or security of the trade repository or require the disclosure of commercially sensitive information.

Page 13 of 14 14. Publication of aggregate transaction data (1) A trade repository must publish the aggregate transaction data, where the OTC derivative provider, counterparty and client details are not disclosed, on a website which is easily accessible by the public – (2) )A trade repository must publish – a. the aggregate transaction data (open positions, transaction volumes and values per asset class) for the following asset classes – i. Commodities; ii. credit; iii. foreign exchange; iv. equity; v. interest rate; (3) A trade repository must publish the transaction data free of cost and must update the transaction data at least weekly. 15. Communication procedures and standards (1) A trade repository must – (a) use internationally accepted communication procedures and standards; or (b) where it does not itself use internationally accepted communication standards, accommodate systems that translate or convert transaction data from international standards into the domestic equivalent and vice versa. (2) A trade repository must – (a) support technologies that are widely accepted in the financial markets, including applicable market standards for reporting and recording trade information; (b) apply consistent application interfaces and communication links that enable technical interconnectivity with other market infrastructures and service providers; (c) use industry standards for transaction data representation, including those related to the unique identification of counterparties (such as legal entity identifiers), the unique identification of products and the unique identification of transactions to facilitate the use and aggregation of transaction data stored in the repository, especially by authorities; (d) make its final technology requirements regarding interfacing with or accessing the trade repository publicly available (at least on its web site) – (i) if operations have not begun, for at least three months immediately before operations begin, and

Page 14 of 14 (ii) if operations have begun, for at least three months before implementing a material change to its technology requirements. (e) after complying with sub-paragraph 15(1)(d), make testing facilities for interfacing with or accessing the trade repository available to potential users – (i) if operations have not begun, for at least two months immediately before operations begin; and (ii) if operations have begun, for at least two months before implementing a material change to its technology requirements. (3) A trade repository may not begin operations until it has complied with the requirements set out in paragraphs (2)(d)(i). (4) Paragraphs 15(2)(d)(ii) and 15(2)(e)(ii) are not applicable if the change must be made urgently to address a failure, malfunction or material delay of its systems or equipment and the trade repository – (a) immediately notifies the Authority of its intention to make the change, and (b) publishes the changed technology requirements as soon as practicable. 16. Commencement This Joint Standard comes into operation on a date of publication.