Commission Delegated Regulation (EU) 2017/571 of 2 June 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council with regard to regulatory technical standards on the authorisation, organisational requirements and the publication of transactions for data reporting services providers (Text with EEA relevance)

Celex Number: 32017R0571
Coming into Force: 03 January 2018, 03 September 2019, 01 January 2019, 20 April 2017
End of Effective Date: 31 December 9999
ELI: http://data.europa.eu/eli/reg_del/2017/571/oj
Published date: 31 March 2017
Date: 02 June 2016
Official Gazette Publication: Diario Oficial de la Unión Europea, L 87, 31 de marzo de 2017; Gazzetta ufficiale dell'Unione europea, L 87, 31 marzo 2017; Journal officiel de l'Union européenne, L 87, 31 mars 2017
31.3.2017 EN Official Journal of the European Union L 87/126

COMMISSION DELEGATED REGULATION (EU) 2017/571

of 2 June 2016

supplementing Directive 2014/65/EU of the European Parliament and of the Council with regard to regulatory technical standards on the authorisation, organisational requirements and the publication of transactions for data reporting services providers

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Directive 2014/65/EU of 15 May 2014 of the European Parliament and of the Council on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (1), and in particular Article 61(4), Article 64(6) and (8), Article 65(6) and (8), and Article 66(5) thereof,

Whereas:

(1) In accordance with Directive 2014/65/EU data reporting services providers cover three different types of entities: approved reporting mechanisms (ARMs), approved publication arrangements (APAs) and consolidated tape providers (CTPs). Although those types of entities are engaged in different activities, Directive 2014/65/EU provides for a similar authorisation process for all of those entities.
(2) An applicant seeking authorisation as a data reporting services provider should provide in its application for authorisation a programme of operations and an organisational chart. The organisational chart should identify who is responsible for the different activities to enable the competent authority to assess whether the data reporting services provider has sufficient human resources and oversight over its business. The organisational chart should not only cover the scope of the data reporting services, but should also include any other services that the entity provides as this may highlight areas which may affect the independence of the data reporting services provider and give rise to a conflict of interest. An applicant seeking authorisation as a data reporting services provider should also provide information on the composition, functioning and independence of its governing bodies in order for competent authorities to be able to assess whether the policies, procedures and corporate governance structure ensure the independence of the data reporting services provider and the avoidance of conflicts of interest.
(3) Conflicts of interest can arise between the data reporting services provider and clients using its services to meet their regulatory obligations and other entities purchasing data from data reporting services providers. In particular, those conflicts may arise where the data reporting services provider is engaged in other activities such as acting as a market operator, investment firm or trade repository. If conflicts are left unaddressed, this could lead to a situation where the data reporting services provider has an incentive to delay publication or submission of data or to trade on the basis of the confidential information it has received. The data reporting services provider should therefore adopt a comprehensive approach to identifying, preventing and managing existing and potential conflicts of interest, including preparing an inventory of conflicts of interest and implementing appropriate policies and procedures to manage those conflicts and, where necessary, separate business functions and personnel to limit the flow of sensitive information between different business areas of the data reporting services provider.
(4) All members of the management body of a data reporting services provider should be persons who are of sufficiently good repute and possess sufficient knowledge, skills and experience, as those persons play a key role in ensuring that the data reporting services provider meets its regulatory obligations and contribute to the business strategy of the data reporting services provider. It is therefore important for the data reporting services provider to demonstrate that it has a robust process for appointing and evaluating the performance of members of the management body and that clear reporting lines and regular reporting to the management body are in place.
(5) The outsourcing of activities, in particular of critical functions, is capable of constituting a material change of the conditions for the authorisation of a data reporting services provider. To ensure that the outsourcing of activities does not impair the data reporting services provider's ability to meet its obligations under Directive 2014/65/EU or lead to conflicts of interest, the data reporting services provider should be able to demonstrate sufficient oversight and control over those activities.
(6) The IT systems used by a data reporting services provider should be well adapted to the different types of activities those entities may perform, that is to publish trade reports, submit transaction reports or provide a consolidated tape, and robust enough to ensure continuity and regularity in the provision of those services. This includes ensuring that the data reporting services provider's IT systems are able to handle fluctuations in the amount of data which it must handle. Such fluctuations, particularly unexpected increases in data flow, may adversely impact the effectiveness of the data reporting services provider's systems and as a result, its ability to publish or report complete and accurate information within the required timeframes. In order to handle this, a data reporting services provider should periodically test its systems to ensure that they are robust enough to handle changes in operating conditions and sufficiently scalable.
(7) The backup facilities and arrangements established by a data reporting services provider should be sufficient to enable the data reporting services provider to deliver its services, even in the event of a disruptive incident. A data reporting services provider should establish maximum acceptable recovery times for critical functions that would apply in the event of a disruptive incident, which should allow compliance with the deadlines for reporting and disclosing the information.
(8) To ensure that the data reporting services provider can provide its services, it should undertake an analysis of which tasks and activities are critical to the delivery of its services and of possible scenarios that may give rise to a disruptive incident, including taking steps to prevent and mitigate those situations.
(9) Where a service disruption occurs, a data reporting services provider should notify the competent authority of its home Member State, any other relevant competent authorities, clients and the public as the disruption could also mean that those parties would not be able to fulfil their own regulatory obligations such as the duty to forward transaction reports to other competent authorities or to make public the details of executed transactions. The notification should allow those parties to make alternative arrangements for meeting their obligations.
(10) The deployment of any IT systems' updates may potentially impact the effectiveness and robustness of the systems used for data service provision. To prevent that the operation of its IT system is at any time incompatible with its regulatory obligations, in particular that of having a sound security mechanism in place designed to guarantee the security of the means of transfer of information, minimise the risk of data corruption and to prevent information leakage before publication, a data reporting services provider should make use of clearly delineated development and testing methodologies to ensure that compliance and risk management controls embedded in the systems work as intended and that the system can continue to work effectively in all conditions. Where a data reporting services provider undertakes a significant system change, it should notify the competent authority of its home Member State and other competent authorities, where relevant, so they can assess whether the update will impact their own systems and whether the conditions for authorisation continue to be met.
(11) Premature public disclosure, in the case of trade reports, or unauthorised disclosure in the case of transaction reports could provide an indication of trading strategy or reveal sensitive information such as the identity of the data reporting services provider's clients. Therefore, physical controls, such as locked facilities, and electronic controls including firewalls and passwords should be put in place by the data reporting services provider to ensure that only authorised personnel have access to the data.
(12) Breaches in the physical or electronic security of a data reporting services provider pose a threat to the confidentiality of client data. Consequently, where such a breach occurs, a data reporting services provider should promptly notify the relevant competent authority as well as any clients which have been affected by the breach. Notification to the competent authority of the home Member State is necessary to enable that competent authority to carry out its ongoing supervisory responsibilities with respect to whether the data reporting services provider is properly maintaining sound security mechanisms to guarantee the security of the information and to minimise the risk of data corruption and unauthorised access. Other competent authorities which have a technical interface with the data reporting services provider should also be notified as they may be adversely affected, particularly where the breach relates to the means of transferring information between the data reporting services provider and the competent authority.
(13) An investment firm which has transaction reporting
...
