This volume is a product of the staff of the International Bank for Reconstruction and Development/The World Bank. The World Bank does not guarantee the accuracy of the data included in this work. The findings, interpretations, and conclusions expressed in this paper do not necessarily reflect the views of the Executive Directors of the World Bank or the governments they represent. The material in this publication is copyrighted. FINANCIAL SECTOR ASSESSMENT PROGRAM CHILE ASSESSMENT OF OBSERVANCE OF THE CPSS-IOSCO PRINCIPLES FOR FINANCIAL MARKET INFRASTRUCTURES DETAILED ASSESSMENT REPORT OF DCV, DEPÓSITO CENTRAL DE VALORES S.A. MAY 2016 This report was prepared in the context of a standards assessment mission in Chile during August 3-7 and September 21-October 2, 2015, overseen by the Finance & Markets Global Practice, World Bank and the Monetary and Capital Markets Department, IMF. THE WORLD BANK GROUP FINANCE & MARKETS GLOBAL PRACTICE CONTENTS I. EXECUTIVE SUMMARY ................................................................................................ 4 II. INTRODUCTION .............................................................................................................. 6 III. OVERVIEW OF THE PAYMENT, CLEARING AND SETTLEMENT LANDSCAPE 7 a. DCV.............................................................................................................................. 8 b. Regulatory, supervisory and oversight framework ...................................................... 9 c. Summary of major changes and reforms ...................................................................... 9 IV. SUMMARY ASSESSMENT ........................................................................................... 10 a. Summary assessment of observance of the principles ............................................... 10 b. Recommendations for DCV ....................................................................................... 11 V. DETAILED ASSESSMENT ............................................................................................ 13 Principle 1: Legal basis ............................................................................................................ 13 Principle 2: Governance ........................................................................................................... 16 Principle 3: Framework for the comprehensive management of risks .................................... 23 Principle 10: Physical Deliveries ............................................................................................. 27 Principle 11: Central Securities Depositories .......................................................................... 29 Principle 13: Participant-default rules and procedures ............................................................ 33 Principle 15: General business risk .......................................................................................... 34 Principle 16. Custody and investment risks ............................................................................. 37 Principle 17: Operational risk .................................................................................................. 39 Principle 18. Access and participation requirements ............................................................... 46 Principle 19. Tiered participation arrangements ...................................................................... 48 Principle 20. FMI links ............................................................................................................ 49 Principle 21: Efficiency and effectiveness ............................................................................... 52 Principle 22: Communication procedures and standards ......................................................... 54 Principle 23: Disclosure of rules, key procedures, and market data ........................................ 55 2 GLOSSARY ABIF Asociación de Bancos e Instituciones Financieras de Chile (association of banks and financial institutions) AFP Administradora de Fondos de Pensiones (pension fund management company) BCP Business Continuity Plan BCCh Banco Central de Chile (Central Bank of Chile) BCS Bolsa de Comercio de Santiago (Santiago Stock Exchange) BIA Business Impact Analysis CCP Central Counterparty CLP Chilean Peso CSD Central Securities Depository CPMI Committee on Payments and Market Infrastructure CPSS Committee on Payment and Settlement Systems DVP Delivery versus Payment FLI Facilidad de Liquidez Intradía (intraday liquidity facility) FMI Financial Market Infrastructure GRC Governance, Risk Management and Compliance IMF International Monetary Fund IOSCO International Organization of Securities Commission ISAE International Standard on Assurance Engagements ISO International Standards Organization KC Key Consideration LBTR Liquidación Bruta en Tiempo Real (real time gross settlement) MILA Mercado Integrado Latinoamericano (Integrated Latin American Market) MOF Ministry of Finance MOU Memorandum of Understanding NCG Norma de Carácter General (general rule) OLA Operational Level Agreement OTC Over the Counter PFMI Principles for Financial Market Infrastructures PS Payment System RPO Recovery Point Objective RTGS Real time gross settlement system RTO Recovery Time Objective SBIF Superintendencia de Bancos e Instituciones Financieras (superintendence of banks and financial institutions) SLA Service Level Agreement SP Superintendencia de Pensiones (superintendence of pensions) SRAD Sitio de Recuperación ante Desastres (disaster recovery site) SSS Securities Settlement System SVS Superintendencia de Valores y Seguros (superintendence of securities and insurance) SWIFT Society for Worldwide Interbank Financial Telecommunication UF Unidad de Fomento WBG World Bank Group 3 I. EXECUTIVE SUMMARY 1. Chile has fairly developed payment, clearing, and settlement infrastructures. Sistema LBTR is the Central-Bank operated real-time (interbank) gross settlement (RTGS) system, and the backbone of the national payments system, where final payments originating from the various markets are settled. Sistema LBTR is owned and operated by the Central Bank. The RTGS is not the only high-value funds transfers system in Chile: ComBanc S.A. operates as a net clearing system for participating banks (hereinafter ComBanc). CCLV Contraparte Central S.A – CCLV, a subsidiary of the Santiago Stock Exchange, clears and settles exchanged-traded debt securities, and also acts as a central counterparty for equities (cash market) and exchange-traded derivatives. More recently, ComDer, Contraparte Central S.A (hereinafter “ComDer”) was established as a central counterparty for over-the-counter derivatives. As the only authorized central securities depository in Chile, Deposito Central de Valores (DCV) holds all securities that are object of public offering and facilitates the transfer of these securities between its depositors. 2. Sistema LBTR is largely compliant with the Principles for Financial Market Infrastructures (PFMI), and is sound from an operations perspective. It is subject to comprehensive risk management, including credit, liquidity, and operational. Clear and transparent risk-management policies, procedures, and systems allow measuring, mitigating, and managing the range of risks that arise in the system’s operations and from its participants. All transactions settled in Sistema LBTR are deemed final and irrevocable. 3. However, some areas of improvement for Sistema LBTR have been identified and are summarized below. In particular, Sistema LBTR is exposed to some legal risk in that there is no explicit coverage of irrevocability and finality of payments at the level of statutory legislation. The urgency of this issue of concern is diminished in light of the special insolvency procedures of the Banking Law and the general normative powers of the BCCh in the field; however, these would not apply should non-banks be allowed to participate in the system. This issue impacts negatively settlement finality, and could have potential repercussions on credit and settlement risk. As for collateral in general and for the provision of liquidity into the Sistema LBTR in particular, the lack of express recognition of enforceability of repos might also jeopardize the soundness of system, although also this risk might be deemed to be reduced by the understanding of repos agreements under general principles of law. Sistema LBTR should establish mechanisms for the regular review of its efficiency and effectiveness vis-à-vis the needs of its participants. As the operator of the LBTR, the Central Bank could consider recommending that non-banks – provided that these comply with risk-based criteria – be allowed as participants in light of ensuring fair and open access to a critical infrastructure. 4. ComBanc has been also assessed as sound from a (financial, operational) risk management perspective. In providing real-time clearing services for twenty participating banks, ComBanc relies on bilateral and multilateral credit limits to manage its participants’ credit risk vis-à-vis each other, combined with collateral requirements to cover 1.15 times each participant’s maximum credit exposure. Payments are considered final and irrevocable once these are cleared in ComBanc. In case of failure of one or more members, ComBanc has set out two extraordinary settlement processes. Operational risk management is grounded in the General Risk Policy and the General Operational Risk Policy. 5. Additional steps to improve compliance of ComBanc with the PFMI are warranted, especially with regard to governance arrangements and management of investments risk. First, ComBanc is exposed to the same type of (potential) legal risk as the 4 Sistema LBTR. With regard to governance, comprehensive governance arrangements should include procedures to review the Board’s performance, and clear policies for the recruitment and termination of senior management. Combanc could consider diversifying its investment portfolio – i.e. invest in securities other than those issued by its shareholder banks. Broader, yet still risk-based, participation criteria should be allowed. Finally, ComBanc should address gaps in transparency. 6. DCV ensures the safekeeping and efficient transfer of securities. The assessment has found that the relevant legal and regulatory framework minimizes custody risk. At the operational level, securities holdings of customers are held in segregated accounts, either omnibus or at the level of the final beneficial owner. More than 96% of securities (in terms of value) held at DCV are dematerialized and this percentage has been growing over the years as legacy paper-based securities mature. 7. Nonetheless, DCV should improve compliance with the PFMI in a few areas. The area of biggest concern for DCV is general business risk. To date, DCV has not developed a recovery plan in connection with general business losses, and was found to hold liquid net assets sufficient to cover less than three months of operating expenses (as opposed to a minimum of 6 months prescribed by the PFMI). Although for the most part the company incorporates international standards and best practices with regard to governance, there is no formal mechanism to review its board performance. DCV should take a comprehensive approach to defining and addressing the various types of risks it faces: currently, although all such risks are de facto managed, DCV general risk management policy is focused on operational risk. 8. No serious issues of concerns were identified with regard to the operation of CCLV as a securities settlement system. On the other hand, there are gaps in the company’s governance arrangements that include: (i) the lack of a formal mechanism for reviewing the performance of the board, which it shares with the Santiago Stock Exchange as the holding company of CCLV, (ii) roles and responsibilities of senior management are not defined and documented at the level of the subsidiary (i.e. at the level of CCLV), and; (iii) no independent reporting line exists for the risk management function. The lack of a detailed plan for its financial recovery also raises concerns that could become serious if not addressed in a timely fashion. 9. CCLV as a central counterparty incorporates international standards in its risk management practices; issues of concern only arise as a result of the lack of coverage of segregation and portability in the legal framework. Although CCLV rules and contracts provide the mechanism for the segregation and portability of positions, and these arrangements are implemented in practice, in light of the gaps in the legal framework the relevant standards cannot be met. It is worth noting that FMIs in general – including CCLV – do not have access to central bank liquidity in the payments system (i.e. the intraday liquidity facility). As a result, CCLV must resort to other liquidity providers before first exhausting the collateral provided by the delayed/defaulted participant(s). Authorities should consider costs vs. benefits of providing FMIs with access to intraday liquidity facilities. 10. ComDer was established as a response of the banking system to the exponential growth of the over-the-counter (OTC) derivatives market and to achieve compliance with international standards and G20 expectations. In practice, ComDer was designed to abide by international best practices and observes most of the Principles. ComDer risk management practices are robust in general terms. In particular, ComDer uses good and conservative 5 practices with regard to collateral, e.g. it accepts only cash and debt securities issued by the Central Bank or the National Treasury as collateral, marks collateral and participant positions to market daily, and applies conservative haircuts that also incorporate crisis scenarios thus reducing the need for pro-cyclical adjustments. 11. However, ComDer has yet to fine-tune some aspects of its operations, namely its stress test programme. In addition, as noted above for CCLV, ComDer does not have access to routine Central Bank credit either; as a result, it must resort to its liquidity providers before first exhausting the collateral provided by the delayed/defaulted participant(s). Collateral in securities – although highly liquid – may not be readily available (within one or two hours), at least in part because ComDer uses a model of electronic pledge. Also, the same considerations that were made above with regard to the lack of legal underpinning of segregation and portability of positions and collateral apply to ComDer too, however, in this case and for the time being, the risk is not very material as long as ComDer only clear positions from direct participants. 12. Authorities’ powers are clearly defined with no overlap. However, when assessed at the jurisdictional level, there are a few gaps in the observance of the Responsibilities of Authorities. Observance is affected mainly by the following elements: i) with regard to payment systems, the Central Bank, though it has the necessary powers and the resources / processes in place, has not defined a comprehensive oversight policy for systemically important payment systems, while the Superintendencia de Bancos e Instituciones Financieras (SBIF) as the supervisor of ComBanc relies on the supervision framework set out for Sociedades de Apoyo al Giro which does not take into consideration the specific features and risk profile of ComBanc as a FMI; ii) although numerous steps are being taken in the direction of adopting the PFMI, there is no uniform recognition of the PFMI across authorities in Chile, and; iii) cooperation among authorities is efficient, but there are no effective procedures to ensure timely access to BBCh data on foreign exchange derivatives by other authorities. 13. In the context of this PFMI assessment, it is worth noting that there is no recognized trade repository (TR) in Chile, nor the legal and regulatory framework to cover TRs exist; therefore a formal assessment of TRs was not undertaken. At the international level, concerns about systemic risks in OTC derivatives markets have led to important changes in international standards and a G20 reform agenda to improve transparency that contemplates – among other things – mandatory reporting to TRs of all OTC derivatives contracts. The Central Bank operates a database (Base de Datos de Derivados Cambiarios, BDDC) where foreign exchange derivatives transactions are reported by banks, other financial institutions and certain non-financial entities, and publishes aggregate-level data. However, this infrastructure does not currently qualify as a TR. A plan of action to remove the existing barriers – legal and technological – to developing a TR function will enable Chilean authorities to meet international expectations and best practices in the global derivatives markets. II. INTRODUCTION 14. The Central Bank of Chile (Banco Central de Chile, BCCh) and Chile’s Ministry of Finance, in their letter of January 9th, 2015, requested the World Bank to undertake a stand- alone Review of Standards and Codes (ROSC) module of the Principles for Financial Market Infrastructures (PFMI) of the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commission (IOSCO). 6 15. A World Bank Group (WBG) team consisting of Jose Antonio Garcia (Senior Payment System Advisor and Team Leader), Corina Arteche (Senior Payment System Specialist), Maria Chiara Malaguti (Senior Legal Advisor) – supported remotely by Maria Teresa Chimienti (Payment System Specialist) - visited Chile from August 3-7 and from September 21-October 2, 2015 to assess Chile’s FMIs. 1 On the side of local authorities, the team included Catherine Tornel (Senior Economist) and Maria Jose Meléndez (Economist) from the BCCh, and Bernardita Palacios (Capital Markets Advisor) from the Ministry of Finance. 16. A total of five financial market infrastructures (FMIs) were assessed as part of this ROSC, although one of these operates both as a central counterparty (CCP) and as a securities settlement system (SSS) for different segments of the exchange-traded securities market, and as a result a total of six FMI assessments were produced by the team. In addition, the Responsibilities of Authorities for FMIs were assessed. 17. The main tool used by the assessment was the CPSS-IOSCO Assessment Methodology for the Principles for Financial Market Infrastructure and the Responsibilities of Authorities”. Each of the FMIs and Chilean authorities – the Banco Central de Chile (BCCh), the Superintendencia de Valores y Seguros (SVS) and the Superintendencia de Bancos e Instituciones Financieras (SBIF) – completed a self-assessment for the PFMI and the Responsibilities of Authorities, respectively. On this basis, the WBG team and the local team conducted detailed interviews with senior and mid-level managers of all the respective institutions, and prepared the assessment reports. 18. In addition to the self-assessments, other sources of information included the applicable laws and regulations, as well as each FMI’s main policies and internal documents (e.g. detailed policies, and processes and procedures for certain key areas) which were shared by the FMIs with the assessors, and other information available at each FMI’s website (e.g. statistics). The WBG and local teams also met with a number of users of these FMIs, including two large commercial banks and two brokers-dealers that are not part of local bank-lead conglomerates. III. OVERVIEW OF THE PAYMENT, CLEARING AND SETTLEMENT LANDSCAPE 19. Chile has a fairly developed payment, clearing and settlement infrastructure comprising: • Two systemically important payment systems – a Central Bank-operated real-time gross settlement system (Sistema LBTR), and a privately-owned clearinghouse for high-value interbank payments (ComBanc) • A central securities depository (CSD) for government and corporate securities (Depósito Central de Valores S.A. – DCV) • A securities settlement system (SSS) for debt securities and money market instruments, that also acts as a central counterparty (CCP) for corporate equities (CCLV Contraparte Central S.A - CCLV). Starting July 30th, 2015 CCLV also acts as a CCP for certain exchange-traded derivatives. • A CCP for over-the counter (OTC) derivatives (ComDer). 1 T. Khiaonarong and F. Wendt (IMF), and D. Delort and G. Srinivas (WBG) acted as peer-reviewers. 7 20. In addition, the BCCh operates a database (Base de Datos de Derivados Cambiarios, BDDC) in which foreign exchange (FX) derivatives transactions are reported by banks and other financial institutions, and certain non-financial institutions. 21. The assessment report covers the Responsibilities of central banks, market regulators, and other relevant authorities for the above-mentioned financial market infrastructures. 22. This assessment report covers DCV. a. DCV 23. DCV is the only authorized CSD in Chile. Its main role and objective is to hold in deposit those securities object of public offering, and to facilitate the transfer of those securities between its depositors. The main services it offers include domestic custody of securities, custody of foreign securities in certain markets, national securities numbering agency, and securities administration and transfer agent services (through its subsidiary “DCV Registros”). Moreover, DCV is interconnected with other FMIs in Chile. Through these interconnections it provides collateral management and supports DVP securities transfer services. 24. Its main shareholders are banks (30%), pension fund management companies-AFPs (30%), the Santiago Stock Exchange (24%), insurance companies (10%), the Electronic stock Exchange 6%), and the Valparaiso Stock Exchange (1%). 25. As of end-September 2015, total amount of securities deposited at DCV was equivalent to approximately USD 260 billion. Of that total, 99.6% was domestic custody and 0.4% was foreign custody. 26. As of that same date, 96.2% of securities were held in dematerialized form. The rest are still held in physical form and comprise certain fixed income securities, the majority of which are some debentures and “recognition bonds”. 2 These two types of securities represented 47.4% and 45% of the amount held in physical form, respectively. The share of securities held in physical form has been declining over time as those securities mature. 27. As of mid-2015 there were 188 depositors, including 40 brokers-dealers, 62 insurance companies, 24 mutual fund management companies, 24 commercial banks, 6 AFPs, 4 CSDs, 3 securities agents, 3 state companies, 3 stock exchanges and 19 miscellaneous depositors. 28. As mentioned earlier, DCV supports DVP securities transfer services. The securities settlement system is operated by a different FMI (i.e. CCLV). In parallel, DCV has developed a service jointly with ComBanc to enable DVP settlement of certain securities trades in central bank money (the so-called “switch mechanism”, which allows reaching the Sistema LBTR of the BCCh through ComBanc). Securities transactions that may be settled through this service are those not covered by CCLV, which are essentially some OTC trades. However, the “switch mechanism” is not considered a SSS by either DCV or by its regulators and supervisors. Reasons for this include that the “switch mechanism” is just one of the options available to market participants to settle their securities trades. In other words, the parties of an OTC securities trade may opt for using the “switch mechanism” or may freely decide to use other means that do not ensure DVP such as cheques, non-linked electronic funds transfers, etc. Further, section 11 of DCV’s rulebook states that DCV will act solely on the basis of instructions received and shall accept no responsibility for the operation of the “switch 2 Recognition bonds are securities issued in connection with the previous pension system in Chile. The rights acquired by individuals in that older system are reflected in “recognition bonds”, which mature once an individual is eligible for retirement. 8 mechanism” or any of the other settlement mechanisms. Its sole role in this context is to provide safe securities transfer systems to support the settlement process. 29. DCV also offers centralized registration services for forwards transactions made by its depositors. This service is not being assessed as a TR in this standalone ROSC. The main reason is that there is no legal or regulatory framework for TRs in Chile, and hence these are not recognized as a separate FMI. Other entities are already offering similar services. 30. Hence, DCV is hereby assessed solely as a CSD. b. Regulatory, supervisory and oversight framework 31. The BCCh is the regulator of payment and settlement systems in Chile. BCCh’s regulatory and oversight powers are grounded in its Organic Law (art. 3) and the Compendium of Financial Norms (CFN, chapters III.H III.J). The BCCh is also the regulator of the foreign exchange market. The BCCh is the overseer (and operator) of the Sistema LBTR. 32. Supervision of ComBanc and other privately-owned retail payment infrastructures is delegated to the banking supervisory agency (Superintendencia de Bancos e Instituciones Financieras, SBIF), based on article 82 of the BCCh Organic Law, and articles 12 and 75 of the Banking Law. 33. The securities regulator, Superintendencia de Valores y Seguros (SVS), is the regulator and supervisor of CSDs, SSSs, and CCPs. The objectives, functions, powers, and organization of the SVS are spelled out in its Organic Law (Law 3.583 of 1980). The legal basis for the operation of CSDs and SSSs in Chile are provided under Law 18.876 and Law 20.345, respectively. Consistently with its statutory powers and the laws mentioned above, the SVS supervises DCV, CCLV, and ComDer. However, Law 20.345 requires that any changes to the rulebooks of CCLV and ComDer be approved by the SVS also with the binding opinion of the BCCh and after hearing the opinion of the SBIF. 34. In addition to the applicable laws, the SBIF and SVS issue general rules (Normas de carácter general, NCG) to the FMIs under their regulatory purview. In a few cases, NCGs have been issued jointly to reflect the fact that in some of the FMIs supervised by the SVS some of the participants are banks. 35. The main instance of domestic cooperation among financial sector authorities is provided by the Financial Stability Council (Comité de Estabilidad Financiera – CEF). In addition, bilateral cooperation domestically and internationally is facilitated through memoranda of understanding (MoU). c. Summary of major changes and reforms 36. The most relevant changes and reforms in recent years derive from the enactment of Law 20.345. Recent changes, partly in response to this law and to international trends and developments, included the creation of ComDer, and CCLV’s becoming a CCP for equities and more recently for exchange-traded derivatives. Chilean financial sector authorities expect to undertake further reforms based on the outcomes of this CPSS-IOSCO PFMI ROSC. 37. In the specific case of DCV, at present there are no plans for legal or regulatory changes. DCV has engaged in a number of projects to provide more and better services to the Chilean market, as well as to support the integration of Chile with other securities market, especially Colombia, Mexico and Peru in the context of the Integrated Latin American Market (Mercado Integrado Latinoamericano, MILA) project. 9 IV. SUMMARY ASSESSMENT a. Summary assessment of observance of the principles 38. In general terms, DCV is a robust and sound FMI. It has adopted international best practices and standards with regard to corporate governance, operational risk management, efficiency and transparency, and fully observes many of the PFMIs that are applicable to it. 39. Four of the principles applicable to DCV have been assessed as “broadly observed”, and one has been assessed as “partly observed”. None were assessed as “not observed”. 40. The principles that were assessed as “partly observed” or “broadly observed” and the reasons for assigning the corresponding rating are described below: • Principle 2 (governance – broadly observed): DCV objectives support financial stability and for the most part the company incorporates best practices in its governance arrangements. However, at the level of the board, no mechanism are currently envisaged to review performance of the board as a whole or of board members individually. • Principle 3 (comprehensive management of risks – broadly observed): The general policy developed by DCV for the management of risks currently covers only operational risks. Other risks faced by DCV, such as legal, custody, general business or reputational are not covered by that policy, neither has a separate policy has been prepared to address those risks. However, such other risks are identified and managed in practice. • Principle 15 (general business risk – partly observed): DCV identifies general business risks and assesses and manages those risks on an ongoing basis. However, DCV has not developed a recovery plan in connection with general business losses. Hence, it has not determined the amount of liquid net assets funded by equity it will need to continue operations and services as a going concern in the event it incurs general business losses, or the length of time and associated operating costs of achieving a recovery from general business losses. As of end-2014 liquid net assets covered less than 3 months of operating expenses. It is currently working towards the objective of covering 6 months of expenses with such liquid net assets. • Principle 22 (communication procedures and standards – broadly observed): For domestic operations with depositors and FMIs in Chile, DCV uses internationally accepted procedures and standards. For cross-border operations, some processes are performed on the basis of faxes and physical letters. Automation of post-trade functions for MILA has been achieved only partially. • Principle 23 (disclosure – broadly observed): Although DCV prepared a recent self- assessment based on the CPMI-IOSCO assessment methodology (not available to the public), it has not yet completed the CPMI-IOSCO Disclosure Framework for FMIs. Table 1 Ratings Summary of the Principles Assessment category Principle Observed Principles 1, 10, 11, 16, 17, 18, 20 and 21 Broadly observed Principles 2, 3, 22 and 23 Partly observed Principle 15 Not observed Not applicable Principles 4, 5, 6, 7, 8, 9, 12, 13, 14, 19, and 24 10 b. Recommendations for DCV Table 2 Prioritized list of recommendations Principle Issue of concern or other gap or Recommendation action and comments Time frame for shortcoming addressing recommended action DCV has not developed a recovery plan in DCV to develop a recovery plan to deal With high priority (to be connection with general business losses. specifically with general business losses. completed as soon as Hence, it has not determined the amount of possible). liquid net assets funded by equity it will need As part of this plan, DCV should determine the to continue operations and services as a going amount of liquid net assets funded by equity it concern in the event it incurs general business will need to continue operations and services losses, or the length of time and associated as a going concern (in the specific event it operating costs of achieving a recovery from incurs general business losses), and the length general business losses. of time and operating costs for achieving a 15 recovery. As of end-2014 liquid net assets covered less than 3 months of operating expenses. Liquid net assets should cover at least 6 months of operating expenses. This situation is mitigated to some extent by the fact that DCV does not undertake any credit, market or liquidity risks in any of its lines of business and is the only CSD in the country. A mechanism to evaluate the performance of In a defined timeline (1 the board as a whole and the performance of year) No mechanisms to review board performance 2 individual board members should be are in place developed. 11 Table 2 Prioritized list of recommendations DCV should also develop a document In a defined timeline (1 Lack of transparency in handling changes in specifying the potential reasons and the year) senior management process for the removal of the CEO and other members of the senior management team. The general policy developed by DCV for the DCV should develop a comprehensive risk In a defined timeline (1 management of risks currently covers only management policy that covers not only year) operational risks, i.e. other risks faced by DCV operational risk but also other risks the 3 such as legal, custody, general business or company faces, such as legal, general business, reputational are not covered, neither has a reputational and custody. separate policy has been prepared to address those risks. In the case cross-border operations (e.g. DCV, together with other CSDs and other In a defined timeline (1-2 custody of foreign securities), some processes entities involved in MILA should continue on years, subject to agreements are performed on the basis of faxes and achieving the automation of post-trade with other CSDs) 22 physical letters. Automation of post-trade functions within a defined timeline. functions for MILA has been achieved only partially. DCV to complete the CPMI-IOSCO In a defined timeline (1 Disclosure Framework for FMIs and make it year) DCV has not completed the CPMI-IOSCO 23 available to the general public through its Disclosure Framework for FMIs website or other proper means. This should be updated at a minimum every two years. DCV, together with the SVS and other relevant In the normal course of authorities and securities issuers should keep on business A relatively small share of securities (less than working on the objective that all securities 10 4% in terms of amount) are still held in holdings at the DCV are dematerialized or physical form at DCV immobilized, with no possibilities for their re- materialization or physical delivery. 12 V. DETAILED ASSESSMENT Principle 1: Legal basis An FMI should have a well-founded, clear, transparent, and enforceable legal basis for each material aspect of its activities in all relevant jurisdictions. Key consideration 1 The legal basis should provide a high degree of certainty for each material aspect of an FMI’s activities in all relevant jurisdictions. Description Material aspects and relevant jurisdictions The DCV is a private limited liability company. As a central securities depository not involved in the operation of a securities settlement system, the material aspects for its operations include the finality of securities transfers, dematerialization of securities, and the protection of customer assets, including the segregation of the positions of depositors and those of their customers. Legal basis for each material aspect All material aspects are covered by statutory act and relevant regulations and contractual agreements. Law 18.876 on central securities depositories establishes relevant provisions as for legal value of deposit agreements. It covers the relationship between the CSD and its depositors, its duties against these, and its internal governance. It also covers segregation and protection of customer assets (art. 4 and 5). Law 18.876 also makes reference to the securities market law, Law 18.045 of 1985 (Ley de Mercado de Valores or LMV) as for book-entry rules in the event of dematerialization of securities and their enforceability. The SVS supervises the CSD and approves its operational rules and deposit agreements. To this end, the SVS issued Regulation 734 of 1991 (as amended in 2010) establishing all relevant standards to be satisfied by CSDs to govern risks, rules to protect depositors and transparency. DCV engages in foreign custody activities. For this purpose, DCV has links (i.e. holds accounts and vice versa) with CSDs in Chile, Mexico and Peru, as well as DTCC in the United Sates and with Euroclear. The contracts that investors in Chile sign with DCV for this purpose state that for transactions with securities held at foreign CSDs, the applicable law is that of the foreign CSD or foreign custodian. Key consideration 2 An FMI should have rules, procedures, and contracts that are clear, understandable, and consistent with relevant laws and regulations. Description DCV rules, procedures and contracts are clear and understandable, and have not been contested in any significant aspect by DCV participants. DCV rules, procedures and contracts are revised by legal experts (internal and external). Moreover, DCV’s rulebook was approved by the SVS based on Law 18.876, which gives assurance to DCV that its rules and procedures are consistent with applicable laws and regulations. Any changes to the rulebook also require the approval of the SVS. So far no relevant inconsistencies have been found in the procedures, rules and contracts used by DCV. Laws and regulations provide guidance on the minimum contents of the contracts between DCV and its participants (mainly the depositors of securities but also the issuers of securities). Key consideration 3 An FMI should be able to articulate the legal basis for its activities to relevant authorities, participants, and, where relevant, participants’ customers, in a clear and understandable way. Description Rules and procedures have been developed in the DCV rulebook, and these are clear and understandable. Changes to key rules and procedures are subject to consultations with stakeholders. Except for some minor issues, DCV participants have had no issues with these rules and procedures in the past. Rules and procedures are further developed in Circulars. DCV also publishes the rulebooks of foreign CSDs and the contracts signed with foreign custodians to further clarify what the applicable law(s) is in the international custody contracts signed by investors with DCV. All relevant documents are provided to all direct participants upon joining DCV and are considered part of the contract, and therefore are binding for all participants. The documents, as well as any updates, are also posted at DCV’s public website. Key consideration 4 An FMI should have rules, procedures, and contracts that are enforceable in all relevant jurisdictions. There should be a high degree of certainty that actions taken by the FMI under such rules and procedures will not be voided, reversed, or subject to stays. Description Enforceability of rules, procedures and contracts DCV’s rulebook was approved by the SVS consistent with laws 18.876 and 18.045, among others, and its provisions are therefore deemed fully enforceable for securities transactions made in Chile. DCV commissioned a legal opinion about the enforceability of its rules and procedures in connection with its foreign custody services – in particular, as regards providing deposit accounts for foreign CSDs. Based on this opinion, DCV does not have concerns regarding conflict-of-law issues or enforceability of its choice of law in relevant jurisdictions. Degree of certainty for rules and procedures All key rules and provisions in the rulebook are based on laws (especially Law 18.876) and on NCGs and other rules issued by the SVS. The only relevant jurisdiction for DCV is Chile. 14 There is no precedence of a DCV rule or procedure being revoked by any other competent authority. Key consideration 5 An FMI conducting business in multiple jurisdictions should identify and mitigate the risks arising from any potential conflict of laws across jurisdictions. Description In each of its contracts with foreign CSDs, the applicable law(s) is defined. For its international custody business, the applicable laws are those of the relevant foreign CSD or foreign international custodian. In this sense, in the relevant foreign jurisdiction DCV is treated just like any other depositor of a CSD or other custodian (i.e. has the same rights and obligations). Key conclusions All material aspects are covered by statutory act and the relevant regulations and internal rules of DCV Assessment of Principle 1 Observed. Recommendations and comments 15 Principle 2: Governance An FMI should have governance arrangements that are clear and transparent, promote the safety and efficiency of the FMI, and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders. Key consideration 1 An FMI should have objectives that place a high priority on the safety and efficiency of the FMI and explicitly support financial stability and other relevant public interest considerations Description DCV’s mission statement is as follows: “operate as a provider of custody, settlement and other complementary services for the local and international securities market, under the highest standards of safety, availability, efficiency and quality”. Its by-laws state that the sole objective of the company is to receive securities in deposit and facilitate securities transfers according to legal and regulatory procedures. Every year DCV puts together a balanced scorecard, which reflects measurable objectives. Among those that are especially relevant for financial stability, DCV places strong emphasis on “operational quality”, including reliability, uptime of its technological infrastructure, fulfillment of SLAs with linked FMIs, etc. Key consideration 2 An FMI should have documented governance arrangements that provide clear and direct lines of responsibility and accountability. These arrangements should be disclosed to owners, relevant authorities, participants, and, at a more general level, the public. Description Governance arrangements Governance arrangements are documented in the by-laws, the rulebook and other internal documents, including board minutes. The organization is ruled by a board of directors, supported by four board committees (business issues, audit and operational risk, processes and technology, remunerations and human resources) and a CEO (“Gerente General”) reporting directly to the board. Below the CEO there are five senior managers (“Gerentes”), plus a legal advisor. The Compliance Manager is also responsible for internal audit (“Contraloría”). On an annual basis, DCV holds a General Shareholders Assembly to report on the activities performed throughout the year. Among other functions, the General Shareholders Assembly designates an External Auditor. The main accountability mechanism is the Oversight Committee (“Comité de Vigilancia”), which is provided for in Law 18.876. Members of this committee are elected by the Assembly of DCV depositors. This Oversight Committee reports solely to the Assembly of DCV depositors and to the regulator (i.e. the SVS). 16 Disclosure of governance arrangements DCV discloses its governance arrangements to the public through a combination of means, including its website, newsletters and direct mail to participants. In DCV’s website, the by-laws, rulebooks and minutes of the shareholders’ assembly are available. Additionally, in the website there is also a “corporate governance” and a “corporate information” section with specific information on these issues. Key consideration 3 The roles and responsibilities of an FMI’s board of directors (or equivalent) should be clearly specified, and there should be documented procedures for its functioning, including procedures to identify, address, and manage member conflicts of interest. The board should review both its overall performance and the performance of its individual board members regularly. Description Roles and responsibilities of the board According to the rulebook (section 2.1.1), the board is responsible for the sound operation and for the stability of DCV, as well as for the strict observance of laws and regulations that are applicable to it. The board is required to inform the Oversight Committee of any irregularities, violations or complaints that are formally presented to it. There are 10 board members which are elected by the General Shareholders Assembly for a two-year term and may be re-elected indefinitely. Board members do not need to be shareholders themselves, or executives of shareholder entities. Each board member has one vote. For some issues, which are specified in the by-laws (e.g. fees, designation and removal of the CEO, creation of new board committees, among others), seven or eight votes are required. The board meets every month on an ordinary basis (article 13 of the by- laws), and extraordinary board meetings may be convened as necessary by the Chairman of the board. The FMI’s board members are not expected to follow a code of conduct. However, there are procedures in place in order to manage a conflict of interest within the board. For example, members with a real or potential conflict of interest must inform the board of this situation and if determined by the board must recuse themselves from the corresponding decision- making. Detailed board procedures are disclosed to shareholders and the SVS. Only some of the more general procedures are disclosed to the general public. The functions of the board committees are as follows: • Audit and operational risk committee: supervise internal audit, approve risk management policies, procedures and mitigation plans with regard to operational risk and monitor their implementation to inform the 17 board, analyze observations made by external auditors and the SVS, analyze financial statements, and inform the board on conflicts of interest and of suspicious activities or conducts. This committee is made-up of three board members, one of which is designated by other members as the Chair, and meets at least ten times per year • Business issues committee: analyze and define the corporate mission, vision and corporate values, relevant business initiatives, changes to current services/practices, fee structure, follow-up of the business plan. This committee is made-up of three board members, one of which is designated by other members as the Chair, and meets every two months. • Processes and IT committee: analyze and define the technological vision of the company for the medium and long-term, any initiative for improvements in the technology area, propose priorities and allocation of resources for the various projects. This committee is made-up of three board members, one of which is designated by other members as the Chair, and an external advisor, and meets every two months. • Remunerations and human resources committee: analyze, define and approve remunerations and benefits to staff, to senior management, define the criteria for the annual plan of incentives for staff, review and approve the policies proposed by the Human Resources Manager. This committee is made-up of the Chairman and Vice Chairmen of the board and two other board members and meets twice a year. Review of performance Currently none of DCV’s internal documents make an explicit reference to mechanisms to review performance of the board. Key consideration 4 The board should contain suitable members with the appropriate skills and incentives to fulfill its multiple roles. This typically requires the inclusion of non-executive board member(s). Description There are no specific requirements for becoming a board member of DCV. DCV’s board of directors has an acceptable mix of skills, including mainly finance and economics, but also legal, IT, risk management and human resources. Board members are remunerated, and are entitled to an additional stipend for their participation as members in any of the board committees. Independent board members are defined by DCV as individuals that are not executives of any of the companies that are shareholders of the DCV. At present, three board members are considered by DCV as independent. There is no disclosure of board members that are regarded as independent. Representation in the board usually parallels the ownership structure, i.e. the various institution types (e.g. banks, exchanges, etc.) designate one or more board members on the basis of their stake as a group in DCV. This is not documented but is a common practice. 18 Key consideration 5 The roles and responsibilities of management should be clearly specified. An FMI’s management should have the appropriate experience, a mix of skills, and the integrity necessary to discharge their responsibilities for the operation and risk management of the FMI. Description Roles and responsibilities of management The roles and responsibilities of management are set by the board. Roles, responsibilities and functions for each of the senior managers are clearly defined in internal documentation. Those documents also state the preferred professional background, minimum experience and other desirable personal characteristics and attributes for each senior management position. Critical success factors and management indicators for each of the positions are also detailed in these documents. In addition to the CEO, there are currently five senior manager covering the following areas: Commercial and Legal; Compliance and Internal Audit; Finance, IT and Planning; Human Resources; Operations and Services. Two other positions that report to the Manager of Finance, IT and Planning are also considered part of the senior management team (i.e. Development and Architecture, and IT Operations). Experience, skills and integrity The senior management team has a good level of experience and mix of skills. Performance of the senior management team is assessed using key performance indicators (KPI), financial results, systems uptime and other variables. Critical success factors and management indicators have been specified for some of the senior management positions. Assessment of senior management and other staff takes place once a year. With regard to removal of management, the by-laws only specify that the CEO may be removed with the vote of at least seven board members. Other members of the senior management team may be removed by the CEO. Key consideration 6 The board should establish a clear, documented risk-management framework) that includes the FMI’s risk-tolerance policy, assigns responsibilities and accountability for risk decisions, and addresses decision making in crises and emergencies. Governance arrangements should ensure that the risk-management and internal control functions have sufficient authority, independence, resources, and access to the board. Description Risk management framework DCV has a documented risk management framework. The policy focuses on operational risk, which is the main risk faced by the company. The policy takes as a basis SVS Circular 1939 on operational risk management. 19 The policy describes the objectives, scope, and the key processes, as well as lines of responsibility and accountability with regard to risk management, and decision-making. The lines of responsibility include process owners as the first line of defense, the operational risk management area, the board of directors, and internal audit. Section 6 describes the risk tolerance policy: DCV accepts risks that are equivalent or less than “moderate risk” (the maximum impact level has a remote probability of materializing). The risk management policy is approved by the board of directors, including any changes thereafter. Senior management must make sure that the risk management framework is reviewed at least once a year. Authority and independence of risk management and audit functions Risk management and audit are given an important role through a specific committee that reports directly to the board. The Manager for Finance, IT and Planning has overall responsibility for operational risk management at DCV. The Deputy Manager for Operational Risk reports to the Manager for Finance, IT and Planning, but for certain issues also has a direct reporting line to the CEO. The Compliance and Audit Manager is responsible for internal audit. The main objectives of this department are to ensure the organization has a robust audit plan that focuses on the key risks, and provide an independent opinion on the effectiveness of controls over all operational processes of the organization. The Compliance and Audit Manager has a direct reporting line to the board. In addition, there is a yearly external audit and a permanent Oversight Committee. According to article 3.2.3 of the rulebook, the Oversight Committee is responsible for auditing both the operations of the company as well as the operations and transactions of depositors. This committee is also responsible for obtaining information on conflicts between depositors, claims against a depositor or against the company. The number of staff in the audit team(s) compared to the number of processes and procedures to audit is shown in the table below: Number of staff Number of processes in each team and procedures audited External audit 3 32 Internal audit 3 24 IT audit (internal 3 9 and external staff) 20 Key consideration 7 The board should ensure that the FMI’s design, rules, overall strategy, and major decisions reflect appropriately the legitimate interests of its direct and indirect participants and other relevant stakeholders. Major decisions should be clearly disclosed to relevant stakeholders and, where there is a broad market impact, the public. Description Identification and consideration of stakeholder interests DCV holds a general assembly of depositors on a yearly basis, and is accountable to the Oversight Committee which represents the interests of depositors. In addition, the management team uses the following mechanisms to gather the views and thoughts of the participants: participant/user survey, user groups, informal channels (networking, social media, etc.). Participant/user surveys are essentially customer satisfaction surveys and are performed every month to a randomly selected group of depositors. Disclosure Decisions of the General Shareholders Assembly are disclosed to the general public via DCV’s website. Other important decisions of the board are disclosed to the participants via newsletter or emails, and eventually are implemented through Circulars which are publicly available at DCV’s website. Key conclusions DCV’s objectives support financial stability. In general terms, DCV has incorporated best practices in its governance arrangements. Lines of responsibility and accountability are clear. At the level of the board, no mechanism are currently envisaged to review performance of the board as a whole or at the level of individual board members. Risk management and audit are given an important role through an independent committee (i.e. independent from management) that reports directly to the board. The Oversight Committee also performs an important role in this regard. The roles and responsibilities of management are clearly documented. There is a clearly documented risk management framework. Some comments on this framework are provided under principle 3. The interest of participants and other stakeholders are duly taken into account. Assessment of Principle 2 Broadly observed. 21 Recommendations A mechanism to evaluate the performance of the board as a whole and the and comments performance of individual board members should be developed in a defined timeline. DCV should also develop a document specifying the potential reasons and the process for the removal of the CEO and other members of the senior management team. 22 Principle 3: Framework for the comprehensive management of risks An FMI should have a sound risk-management framework for comprehensively managing legal, credit, liquidity, operational, and other risks. Key consideration 1 An FMI should have risk-management policies, procedures, and systems that enable it to identify, measure, monitor, and manage the range of risks that arise in or are borne by the FMI. Risk-management frameworks should be subject to periodic review. Description Risks that arise in or are borne by the FMI The risks that arise in or are borne by the FMI include: reputational, operational, custody, legal, and general business. The FMI identifies and monitors the following risks: Frequency of Risks monitoring Processing Monthly Cyber crime Monthly Fraud/crime Monthly Force majeure, political events Annually Business decisions/competition Ad-hoc basis System breakdown/business continuity Quarterly Outsourcing risk Every six months Asset servicing Ad-hoc basis Legal/regulation changes Every six months Intra-group contagion risk Ad-hoc basis Investment risk Monthly Risk management policies, procedures and systems DCV has a documented risk management framework, based on ISO 31.000. This framework covers only operational risk. Specific policies approved so far include on information security, on human resources, on custody of physical securities, on change management, and on financial investments. DCV identifies specific risks through process and procedure analysis, feedback from participants, and through audits (internal/external). With regard to processes and procedures, DCV has identified 149 processes and sub-processes according to their criticality. So far, automated monitoring and control tools have been developed for 136 of them. To manage custody risks, DCV has also obtained insurance policies. A GRC software is used to monitor and manage the risks identified. Internal electronic controls report on key processes daily. Review of risk management policies, procedures, systems 23 Proposals for improvement come from a number of feedback mechanisms, like internal/external audit, interactions with depositors and other FMIs, or requests from regulators. The person(s) responsible for signing off the risk controls are: risk officer, head of respective department, senior manager responsible for operational risk, and the CEO. DCV has developed a balanced scorecard and a number of additional KPIs to assess the effectiveness of its risk management policies, procedures and systems. The risk control mechanism is also reviewed yearly by the external auditor, and some aspects – particularly those that are associated with the custody and transfer of securities - are reviewed also by the Oversight Committee. The operational risk management policy is approved by the board of directors, including any changes thereafter. Senior management must make sure that the risk management framework is reviewed at least on a yearly basis. Key consideration 2 An FMI should provide incentives to participants and, where relevant, their customers to manage and contain the risks they pose to the FMI. Description DCV is not exposed to risks from depositors or securities issuers. Vis-à- vis the DCV, depositors and issuers are exposed solely to operational risks and custody risk. Custody risk is minimized. For example, securities holdings of depositors are legally and operationally segregated from any holdings of DCV (for additional details see principle 11). Depositors also hold segregated accounts for their own holdings and the holdings of their customers (accounts at the level of each beneficial owner are also possible, although these are not frequently used). DCV makes available risk-related information concerning the business/operations of the FMI via its website, annual report and newsletter. DCV depositors have real-time access to information on their securities holdings and on the transactions performed with those securities. Key consideration 3 An FMI should regularly review the material risks it bears from and poses to other entities (such as other FMIs, settlement banks, liquidity providers, and service providers) as a result of interdependencies and develop appropriate risk-management tools to address these risks. Description Material risks DCV has identified the material risks it bears from and poses to other entities in its business impact analysis (BIA). With regard to its custody and securities transfer services, DCV responds to instructions from other FMIs. While DCV does not face credit or liquidity risks from these interconnections, it may be exposed to 24 reputational risk in the event other interconnected FMIs are experiencing operational problems, as it may not be able to provide those services efficiently and reliably. With regard to its other services as a CSD, DCV is also exposed to risks in securities administration (e.g. administration of corporate event). In addition, the securities transfer service that DCV makes available to its depositors jointly with ComBanc (involving a connection with Sistema LBTR) could be affected by a failure of either of these two FMIs. DCV does not face risks from settlement banks or liquidity providers. DCV poses operational risks to other FMIs, including in particular the Sistema LBTR, ComDer and CCLV (both as a CCP and as a SSS). Those other FMIs may not be able to operate in case DCV experiences a failure: the Sistema LBTR, ComDer and CCLV would not be able to perform their collateral management activities. In addition, CCLV would not be able to transfer the ownership of securities for its activities as a SSS and as a CCP for the equities market. Risk management tools DCV monitors such risks on a continuous basis and reviews the risk management tools once a year. To manage risks the risks it poses to other FMIs, DCV has engaged in a number of bilateral business continuity tests. DCV is also a participant of the business continuity committee that is led by the BCCh and that brings together other FMIs like the Sistema LBTR, ComBanc, CCLV, etc. Key consideration 4 An FMI should identify scenarios that may potentially prevent it from being able to provide its critical operations and services as a going concern and assess the effectiveness of a full range of options for recovery or orderly wind-down. An FMI should prepare appropriate plans for its recovery or orderly wind-down based on the results of that assessment. Where applicable, an FMI should also provide relevant authorities with the information needed for purposes of resolution planning. Description Scenarios that may prevent an FMI from providing critical operations and services The business continuity policy provides the framework for identifying risk scenarios that may affect the DCV and prevent it from providing critical operations and services. Scenarios identified include mainly the materialization of one or more of the identified operational risks (internal and/or external). General business risk has not been considered in these scenarios (see principle 15). Recovery or orderly wind-down plans 25 Through its BCP, DCV has defined strategies in order for it to recover its critical business units within a defined time set, based on the BIA. The sole focus of this plan is on recovery from disruptions originated from the materialization of operational risks. DCV is the sole CSD in the country and has not developed an orderly wind- down plan. However, Law 18.876 (articles 37-46) foresees an orderly wind-down procedure for CSDs in Chile. Key conclusions DCV has developed a framework for the management of risks, based on ISO 31.000, that describes the procedures and controls to identify, measure, treat, oversee and review the risks faced by the organization. The policy currently covers operational risks. Other risks faced by DCV, such as legal, general business or reputational are not covered by the policy, neither has a separate policy has been prepared to address those risks. However, such other risks are identified and managed in practice. DCV has also identified risks of interdependencies through a BIA. Risks, associated mitigation measures, scenarios and recovery plans are reviewed regularly, at least on an annual basis. Assessment of Principle 3 Broadly observed. Recommendations DCV should develop a comprehensive risk management policy, together and comments with procedures and systems, which covers not only operational risk but also other risks the company faces, such as legal, general business, reputational and custody. 26 Principle 10: Physical Deliveries An FMI should clearly state its obligations with respect to the delivery of physical instruments or commodities and should identify, monitor, and manage the risks associated with such physical deliveries. Key consideration 1 An FMI’s rules should clearly state its obligations with respect to the delivery of physical instruments or commodities. DCV holds certain physical securities on behalf of its depositors. The assets eligible for physical delivery are certain fixed income securities: debentures, recognition bonds, some fixed-term deposits and a few others. Of the total amount of securities held in physical form at DCV, the first three types represent 47, 45 and 5.5%, respectively. Moreover, certain dematerialized securities can be re-materialized and delivered physically. The responsibilities, with respect to the delivery of physical instruments, are established in the law and SVS regulations. The procedure for withdrawing physical securities is defined in section 10.9.1 of the rulebook. DCV’s responsibility is limited to handling the physical security to the owner (or its representative) upon collection. DCV has stated in its rulebook (section 2.2.1) and in its contracts with depositors that it will indemnify them for any losses incurred in the delivery of physical securities. DCV engages with its depositors through training sessions, regular circulars and newsletters in order to ensure that they have a clear understanding of their obligations and the procedures for effecting physical delivery of securities. Key consideration 2 An FMI should identify, monitor, and manage the risks and costs associated with the storage and delivery of physical instruments or commodities. The risks associated with the storage and delivery of physical instruments are identified in DCV’s risk matrix i.e. physical custody and physical delivery are two of the processes identified in the BIA. Main risks identified as operational, reputational and information security. The cost identified in relation to the storage and delivery of physical securities is considered significant by the company, representing over 1% of total monthly expenses. Section 10.2.6 of the rulebook specifies the processes, procedures and controls to monitor and manage these risks. Physical securities received by DCV are stored in vaults and must be kept following a pre-determined system to ensure easy access and identification. In this context, DCV has implemented security systems to prevent theft, fires and other potential events that could cause destruction of the physical securities. In addition, DCV has also implemented microfilm, electronic records and other similar mechanisms to, in case it becomes necessary, 27 ensure proper reconstitution of the physical securities. Additionally, DCV performs daily reconciliations of positions with physical securities with participants / issuers; there is separation of duties between handling physical securities and record-keeping; access restrictions to vaults and areas where physical securities are located. DCV can match receipt and delivery instructions of transactions related to physical securities. DCV does not perform surveillance to verify that its depositors have the necessary systems and resources to be able to fulfil their own physical delivery obligations. Key conclusions DCV clearly states its obligations in connection with the delivery of physical securities, which currently represent less than 4% of total securities in the DCV – and this share has been declining overtime. DCV has identified risks and costs associated with physical securities and has developed procedures and controls to address them. Assessment of Principle 10 Observed. Recommendations DCV, together with the SVS and other relevant authorities and securities and comments issuers should keep on working on the objective that all securities holdings at the DCV are dematerialized or immobilized, with no possibilities for their re-materialization or physical delivery. 28 Principle 11: Central Securities Depositories A CSD should have appropriate rules and procedures to help ensure the integrity of securities issues and minimize and manage the risks associated with the safekeeping and transfer of securities. A CSD should maintain securities in an immobilized or dematerialized form for their transfer by book entry. Key consideration 1 A CSD should have appropriate rules, procedures, and controls, including robust accounting practices, to safeguard the rights of securities issuers and holders, prevent the unauthorized creation or deletion of securities, and conduct periodic and at least daily reconciliation of securities issues it maintains. Safeguarding the rights of securities issuers and holders DCV rules, procedures, internal controls and IT systems safeguard the rights of securities issuers and holders. Securities holdings records at DCV are segregated from DCV’s own holdings. Holdings of financial institutions acting as depositors are segregated from the holdings of their customers in either omnibus accounts or individualized accounts (see KC 11.5). Debits and credits to accounts are processed in accordance with participants’ instructions, and/or instructions from recognized SSSs or CCPs. Securities are transferred by means of book entries, which are legally recognized as a means to transfer ownership. Whoever appears as the holder of securities in DCV is recognized as the legal owner of such securities. In the case of custody contracts by which DCV acts as direct participant with foreign CSDs (DTCC, Euroclear, CSDs of Colombia, Mexico and Peru), it is specified that all securities held as part of those arrangements belong to DCV’s clients. Each day, as part of its end-of-day processes DCV conciliates securities balances in the accounts of depositors. In particular, DCV verifies that the end-of-day balances of securities holdings are consistent with the previous day balances once the transactions performed during the day are taken into account (including new issuances and expiration/maturities). All transactions leave audit trails (user, date, hour, transaction type, types of securities, amounts, etc.). DCV has in place procedures to manage reconciliation breaks. DCV manages the outstanding securities until their full amortization/maturity. At this moment, securities are automatically deleted from the system. Both internal and external audit team review on an annual basis the CSDs procedures and controls used for safekeeping. The Oversight Committee that represents depositors also performs a reconciliation procedure every quarter to ensure that there are sufficient securities to satisfy the rights of each of DCV’s depositors. 29 Prevention of the unauthorized creation or deletion of securities Securities are created in DCV following a number of procedures. Among others, the issuer is required to provide DCV with an authorization for the latter to create securities. This document must be signed by authorized staff of the issuer (individuals with power of attorney are registered at DCV). This document is then reviewed by DCV’s legal department. Only after these steps have been successfully completed, the amount of the issuance may be loaded into DCV’s system. Securities allotted to the various depositors are then deducted from the initial amount. Periodic reconciliation of securities issues The outstanding amount of all issuances is verified daily with the issuers. In case of equities, this is verified with the registrars. Through these checks, together with internal audits and external audits, it is ensured that no securities have been unduly created or deleted. DCV also conciliates the balances of the securities accounts it holds with other CSDs and foreign custodians. Key consideration 2 A CSD should prohibit overdrafts and debit balances in securities accounts. Securities transfers can only be processed as long as there are enough securities in the corresponding securities deposit accounts. Likewise, DCV does not allow overdrafts or debit balances for any other type of transfer orders (e.g. transfer of securities conditional on the transfer of other securities). Key consideration 3 A CSD should maintain securities in an immobilised or dematerialised form for their transfer by book entry. Where appropriate, a CSD should provide incentives to immobilise or dematerialise securities. Of all securities held at the CSD, more than 96% are in dematerialized form and the rest in physical form. The share of physical securities has been declining over time as those securities mature. Approximately 99% of the total volume of transactions are performed on securities held in dematerialized form. For securities still held in physical form, it is possible to immobilize them and allow their holding and transfer in a book-entry system (article 7.2.2. of the rulebook). DCV provides the following incentives to immobilize and dematerialize securities: reduced safekeeping fees. Key consideration 4 A CSD should protect assets against custody risk through appropriate rules and procedures consistent with its legal framework. 30 Article 27 of Law 18.876 states the responsibilities of the CSD with regard to custody risk. DCV rules (article 2.2.1 of the rulebook) states provisions to protect depositors against custody risk in case of the following events: negligence, misuse of assets, fraud, poor administration, inadequate recordkeeping, authenticity and integrity of securities held under custody, etc. The rules and procedures related to custody risk are consistent with the applicable legal and regulatory framework. Apart from rigorous internal controls and internal and external supervision mechanisms, DCV has insurance policies to protect its depositors against misappropriation, destruction and theft of securities. These policies pay up to 0.1% of the total amount under custody (currently approximately USD 260 billion). Key consideration 5 A CSD should employ a robust system that ensures segregation between the CSD’s own assets and the securities of its participants and segregation among the securities of participants. Where supported by the legal framework, the CSD should also support operationally the segregation of securities belonging to a participant’s customers on the participant’s books and facilitate the transfer of customer holdings. Article 19 of Law 18.876 states that CSDs can hold securities of their own. These holdings should be individualized in their accounting system to ensure they can be clearly distinguished form the holdings of depositors. Depositors hold segregated accounts for their own holdings (“cuenta valores propios”) and the holdings of their customers (“cuenta de valores de terceros”). In the latter case, there are two types of accounts: omnibus accounts (“cuenta de mandante grupal”), and accounts at the level of the beneficial owner (“cuenta de mandante individual”). In practice, brokers- dealers are required to hold individualized accounts, while for banks and other financial institutions acting as depositors this is optional. Customer accounts can be transferred to other financial institutions acting as depositors as long as the latter and the customer have signed a contract stipulating a mandate from the customer for this purpose. Key consideration 6 A CSD should identify, measure, monitor, and manage its risks from other activities that it may perform; additional tools may be necessary in order to address these risks. Other than central safekeeping and administration of securities and supporting SSS, DCV provides registrar functions, trade repository services for forward contracts and OMGEO (essentially information services during the matching post-trade and pre-settlement processes, e.g. allocation, confirmation/affirmation, settlement notification, etc.). The latter two activities are detailed in chapter 18 and 19 of the rulebook, respectively. Risks identified for these activities are essentially operational risks. Such 31 risks are managed as part of DCV’s operational risk management policy. Key conclusions The rights of securities issuers and holders are adequately safeguarded at DCV. In particular, there is a robust legal and regulatory framework that minimizes custody risk. At the operational level, securities holdings of customers are held in segregated accounts, either omnibus accounts or in some cases at the level of each beneficial owner. DCV rules and its IT applications prohibit overdrafts or debit balances in securities accounts. More than 96% of securities (in terms of value) held at DCV are maintained in dematerialized form. Apart from the central safekeeping and administration of securities and settlement, DCV provides a few other services that are closely linked to its core lines of business. The overall risk profile of these other activities is low. Assessment of Principle 11 Observed. Recommendations and comments 32 Principle 13: Participant-default rules and procedures An FMI should have effective and clearly defined rules and procedures to manage a participant default. These rules and procedures should be designed to ensure that the FMI can take timely action to contain losses and liquidity pressures and continue to meet its obligations. Key consideration 1 An FMI should have default rules and procedures that enable the FMI to continue to meet its obligations in the event of a participant default and that address the replenishment of resources following a default. Description The DCV facilitates the transfer of securities through links with SSS, CCPs and payment systems. In this regard, DCV acts solely on the basis of the instructions received from those FMIs. In connection with other securities transfers, section 11 of DCV’s rulebook states that those transfer/settlement mechanisms shall be selected by the depositors. The DCV will act solely on the basis of instructions received and shall undertake no responsibility for the operation of such mechanisms. Its sole role in this context is to provide safe securities transfer systems to support the settlement process. On this basis, principle 13 is deemed not applicable to DCV. Key consideration 2 An FMI should be well prepared to implement its default rules and procedures, including any appropriate discretionary procedures provided for in its rules. Description As per KC 13.1, this principle is deemed to no applicable to DCV. Key consideration 3 An FMI should publicly disclose key aspects of its default rules and procedures. Description As per KC 13.1, this principle is deemed to no applicable to DCV. Key consideration 4 An FMI should involve its participants and other stakeholders in the testing and review of the FMI’s default procedures, including any close-out procedures. Such testing and review should be conducted at least annually or following material changes to the rules and procedures to ensure that they are practical and effective. Description As per KC 13.1, this principle is deemed to no applicable to DCV. Key conclusions This principle is deemed not applicable to DCV. Assessment of Principle 13 Not applicable Recommendations and comments 33 Principle 15: General business risk An FMI should identify, monitor, and manage its general business risk and hold sufficient liquid net assets funded by equity to cover potential general business losses so that it can continue operations and services as a going concern if those losses materialize. Further, liquid net assets should at all times be sufficient to ensure a recovery or orderly wind-down of critical operations and services. Key consideration 1 An FMI should have robust management and control systems to identify, monitor, and manage general business risks, including losses from poor execution of business strategy, negative cash flows, or unexpected and excessively large operating expenses. Description To identify business risks, DCV uses qualitative operational analysis, business and strategic analysis, in-house financial analysis, in-house legal analysis. Risks are included in the risk matrix as part of the BIA. Main general business risks identified include investment risk (own resources), poor business decisions, poor financial planning, impact of legal and regulatory changes, force majeure and political events, among others. As a private company, its business risk assessment considers the potential negative effects of these risks in its cash flow and capital. In general, DCV monitors and manages its general business risks on an ongoing basis, just as any other risk the entity is exposed to (e.g. see principle 17). To monitor business risks it uses automatic alerts and controls, its GRC/enterprise risk-management program, and participant feedback. To manage these risks, it uses cost/project management policies, KPIs, insurance, risk training and awareness, follow-up of audit/regulator recommendations related to general business risks, etc. DCV also uses the balanced score card methodology to support strategic planning over a 1- year horizon. Key consideration 2 An FMI should hold liquid net assets funded by equity (such as common stock, disclosed reserves, or other retained earnings) so that it can continue operations and services as a going concern if it incurs general business losses. The amount of liquid net assets funded by equity an FMI should hold should be determined by its general business risk profile and the length of time required to achieve a recovery or orderly wind-down, as appropriate, of its critical operations and services if such action is taken. Description As DCV does not undertake any credit, market or liquidity risks in any of its business lines, the organization’s equity basically supports general business risk (and operational risk). Net liquid funds are therefore not part of any other fund to face credit or liquidity exposures. As of end-2014, total liquid assets (cash, investment portfolio, accounts receivable) amounted to approximately USD 9 million and represented nearly 55% of total assets. On the other hand, short and long-term liabilities were equivalent to 28.2 and 10.3% of total assets, respectively. Equity was equivalent to 61.5% of total assets. 34 DCV has not determined the amount of liquid net assets funded by equity it will need to continue operations and services as a going concern in the event it incurs general business losses. However, it is currently working towards the objective of covering 6 months of expenses with such liquid net assets (see KC 15.3). DCV has not determined the length of time and associated operating costs of achieving a recovery from general business losses or an orderly wind- down of its operations and services. Key consideration 3 An FMI should maintain a viable recovery or orderly wind-down plan and should hold sufficient liquid net assets funded by equity to implement this plan. At a minimum, an FMI should hold liquid net assets funded by equity equal to at least six months of current operating expenses. These assets are in addition to resources held to cover participant defaults or other risks covered under the financial resources principles. However, equity held under international risk- based capital standards can be included where relevant and appropriate to avoid duplicate capital requirements. Description Recovery or orderly wind-down plan DCV has developed a recovery plan as part of its business continuity management framework. However, this recovery plan addresses scenarios derived from the materialization of operational risks, but not general business losses. Law 18.876 provides a mechanism for the orderly wind-down of CSDs. Resources As at end-2014, DCV held approximately USD 4.2 million of liquid net assets - defined by the assessor as short-term assets minus short-term liabilities as there is no such definition from DCV. Annual operating expenses during that year were nearly USD 20 million. Hence, liquid net assets, as defined by the assessor, would cover less than 3 months of operating expenses. As mentioned under KC 15.1, DCV equity basically supports general business risk and operational risk losses. Key consideration 4 Assets held to cover general business risk should be of high quality and sufficiently liquid in order to allow the FMI to meet its current and projected operating expenses under a range of scenarios, including in adverse market conditions. Description DCV’s liquid net assets are divided into “Cash and equivalent”, which are assets with maturities of less than 90 days, and “Other financial assets”. These are invested in current accounts and term deposit accounts at licensed commercial banks and low-risk mutual funds. Other financial assets include mainly term deposits at licensed commercial banks, and a small portion invested in securities issued by the BCCh. 35 DCV has a documented Investment Policy which regulated the quality and liquidity of its investments (see principle 16). Key consideration 5 An FMI should maintain a viable plan for raising additional equity should its equity fall close to or below the amount needed. This plan should be approved by the board of directors and updated regularly. Description DCV has a plan in place to raise additional equity, which follows the protocol established in Law 18.876 (mainly article 36-37). The law requires the board of directors to convene an extraordinary shareholders assembly to raise additional equity in order to observe the minimum regulatory requirement. Due to DCV’s ownership structure, whereby the depositors are also the shareholders, it is likely that the shareholders will have an incentive to provide additional equity so that they can continue to benefit from using the FMI. Key conclusions DCV identifies general business risks and assesses and manages those risks on an ongoing basis. DCV has not developed a recovery plan in connection with general business losses. Hence, it has not determined the amount of liquid net assets funded by equity it will need to continue operations and services as a going concern in the event it incurs general business losses, or the length of time and associated operating costs of achieving a recovery from general business losses. As of end-2014 liquid net assets covered less than 3 months of operating expenses. Assessment of Principle 15 Partly observed. Recommendations DCV does not observe several aspects of principle 15. This is mitigated and comments somehow by the fact that DCV does not undertake any credit, market or liquidity risks in any of its lines of business and is the only CSD in the country – potential competitors would find it very difficult to participate in this market given DCV’s current economies of scale and economies of scope. Nevertheless, DCV should develop with high priority a recovery plan to deal specifically with general business losses, including having liquid net assets that would allow it to cover at least 6 months of operating expenses. 36 Principle 16. Custody and investment risks An FMI should safeguard its own and its participants’ assets and minimise the risk of loss on and delay in access to these assets. An FMI’s investments should be in instruments with minimal credit, market, and liquidity risks. Key consideration 1 An FMI should hold its own and its participants’ assets at supervised and regulated entities that have robust accounting practices, safekeeping procedures, and internal controls that fully protect these assets. Description DCV has a documented Investments Policy. For securities holdings (e.g. securitized fixed-term deposits), DCV holds those securities in its own CSD system, in a customer account where it is the beneficial owner. Any physical securities are to be kept at DCV’s own premises, though on a separate vault from that used for safekeeping customer physical securities. Other investments should be kept at licensed commercial banks, in a customer account where DCV is the beneficial owner. DCV does not hold collateral on behalf of its participants, be them issuers of depositors. DCV holds securities on behalf of investors as part of its arrangements for the custody of foreign securities, such as in MILA or with DTCC and Euroclear. For this purpose, DCV is a direct participant in these CSDs. Key consideration 2 An FMI should have prompt access to its assets and the assets provided by participants, when required. Description DCV does not hold collateral on behalf of its participants. DCV manages its investment portfolio by itself. To ensure it will have prompt access to its own assets, DCV has defined eligible custodians and types of investments in its Investment Policy. It has immediate access to investment securities it holds in its own system. Likewise, it has immediate access to its bank accounts (to the funds in current accounts). With regard to the assets it holds for third parties in foreign CSDs/foreign custodians, DCV is a direct participant in foreign CSDs and, as stated in the respective contracts, is subject to the same rules than other participants. These other CSDs are licensed and are regulated and supervised in their respective jurisdictions. Key consideration 3 An FMI should evaluate and understand its exposures to its custodian banks, taking into account the full scope of its relationships with each. Description DCV holds current accounts in numerous banks, and some of its portfolio investments are also managed by banks. There are no other financial exposures with banks as these only play the role of depositors or securities issuers vis-à-vis DCV. Key consideration 4 An FMI’s investment strategy should be consistent with its overall risk-management strategy and fully disclosed to its participants, and investments should be secured by, or be claims on, high-quality 37 obligors. These investments should allow for quick liquidation with little, if any, adverse price effect. Description Investment strategy In its Investments Policy, DCV states that for investments with own resources it shall use only financial instruments that: • Are consistent with the risk profile of the company • That enable the company to obtain a reasonably stable return for liquidity surpluses and for its long-term assets • That enable the company to manage its financial resources on the basis of its operational needs The policy enumerates the specific securities/instruments that may be used. With regard to the quality of obligors, the policy states that all instruments must have a credit rating of BBB+ or above (all above investment grade rating). Risk characteristics of investments Concentration of investments, in terms of credit rating, must abide by the following guidelines: • Government: up to 100% • Securities/issuers rated AA/AAA: up to 50% • Securities/issuers rated A-/AA: up to 15% • Securities/issuers rated BBB+: up to 10% Other limits are set on the basis on the size of the liquid funds that the company has available for making financial investments. These limits refer to the type of instrument, its duration and diversification. The DCV does not invest participant assets. DCV’s investment policy and strategy is disclosed in stakeholders’ special reports. The investment plan is reviewed every two years. Key conclusions DCV does not manage third-party assets. It holds securities on behalf of participants in foreign CSDs. Its own liquid assets are invested in regulated financial institutions and high quality instruments, which guarantees safety and prompt access. DCV’s investment strategy is conservative and is therefore consistent with the overall risk profile of the company. Assessment of Principle 16 Observed. Recommendations and comments 38 Principle 17: Operational risk An FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfillment of the FMI’s obligations, including in the event of a wide- scale or major disruption. Key consideration 1 An FMI should establish a robust operational risk-management framework with appropriate systems, policies, procedures, and controls to identify, monitor, and manage operational risks. Description Identification of operational risk Operational risk management is one of the main focus areas of DCV. DCV has a documented risk management framework that focuses on operational risk. The policy takes as a basis SVS Circular 1939 on operational risk management. The areas that the risk policy covers include staff, relationships with third- parties (e.g. through contractual relationships), processes, IT and technology, and external risks/dependencies. The identification of plausible sources of operational risk is embedded in the detailed activities and systems, and is part of overall strategic planning at DCV. Management of operational risk The policy describes the objectives, scope, and the key processes that are covered by the policy, as well as lines of responsibility and accountability with regard to risk management, and decision-making. In addition to the policy, DCV has developed a detailed Methodology for the assessment of operational risk. Based on the latter, DCV applies an ongoing process to set the context, identify, analyze and measure risks (e.g. through a BIA), and on this basis decide on a treatment strategy. These are complemented by ongoing monitoring and communication. In practice, the vast majority of DCV processes are automated. Internal electronic controls report on key operational processes daily. Policies, processes and controls The risk management policy and the Methodology for the assessment of operational risk are based on international standards, e.g. ISO 31000 and ISO 27000. DCV has developed policies for the various sources of operational risks that have been identified: • Information security policy • IT infrastructure capacity management policy • Human resources policy 39 • Business continuity policy With regard to human resources, DCV’s policy provides for issues such as staff selection criteria, ensuring initial and ongoing training to staff (e.g. an annual training plan) and in general promoting that people are satisfied with their professional development, in order to reduce personnel turnover. Both individual and team work are assessed. All applicants must pass screening tests and checks (e.g. psychological tests, background checks, etc.). The policy also places emphasis on avoiding conflict of interest and situations that may give rise to weak controls or potential fraud. With regard to change management, when DCV is implementing software changes, upgrades, improvements to code and/or bug fixes, it follows specific procedures in order to assure that no disruption to the service emerges as a result of the changes made. There is a documented Policy on Risk Assessment for New Project. Procedures include initial impact analysis of changes proposed/made, quality assurance test, participant involvement. Key consideration 2 An FMI’s board of directors should clearly define the roles and responsibilities for addressing operational risk and should endorse the FMI’s operational risk-management framework. Systems, operational policies, procedures, and controls should be reviewed, audited, and tested periodically and after significant changes. Description Roles, responsibilities and framework The lines of responsibility include process owners as the first line of defense, the operational risk management area, senior management, the audit and operational risk committee and the board of directors, complemented by internal audit. Specific responsibilities and duties are outlined for each of these. The operational risk management policy is approved by the board of directors, including any changes thereafter. Senior management must make sure that the risk management framework is reviewed at least on a yearly basis. Review, audit and testing More than 80% of the processes, sub-processes and procedures have a defined operational guideline or manual. Operational guidelines and manuals are reviewed every year. The scope of the internal audit includes: physical security, reporting, corporate events, accounting and other admin processes. The internal audit team reviews critical processes and procedures, and monitors key risks areas once every six months or less, and non-critical ones every two years. DCV has an ISAE 3402 type 2 kind of operational audit. 40 External audits also cover operational risk and are conducted once a year. The scope of the external audit includes: physical security, instruction processing, settlement processing, reporting, and corporate events. IT audits are conducted once a year. The scope of the IT audit includes: physical security of IT, access and account controls, operational procedures, operational controls. Key consideration 3 An FMI should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives. Description DCV has clearly defined operational reliability objectives. In its 2015 balanced score card DCV has defined several specific objectives. These include: • Response to participant queries to applications/interfaces in less than 2 seconds – 98% • Fulfillment of SLA with BCCh – 99% • Up-time of operational platforms – 99.95% DCV’s RTO is set at 2 hours (see KC 17.6 for additional details). The reliability objectives set by the management team are disclosed to the board of directors, the regulator, and internal and external auditors. These objectives are reviewed once a year. DCV publishes its operational reliability objectives in its annual report. An FMI should ensure that it has scalable capacity adequate to handle increasing stress volumes and to achieve its service-level objectives. Description DCV has an IT Capacity Management Policy. Scope of this policy includes: technological resources; processing times; current business volumes; and, impact of new businesses. DCV assesses its capacity utilization monthly basis. The policy states that, on average, usage of the installed capacity should remain at or below 35%. At present, usage of the installed capacity for on-line systems is estimated at 35% (including peaks). In the case of batch processing, the policy states that installed capacity should be sufficient to allow total batch processing to be performed twice in the allotted time period. With regard to other systems (e.g. those that do not directly affect operations with clients), usage should not exceed 60-70% of installed capacity. DCV’s IT team has a mid and long-term investment plan to address systems capacity needs. 41 DCV tests its systems capacity simulating conditions of market stress. This is done at least once every year. The results of the systems’ capacity test are disclosed to the risk officer, management team, IT auditor, external auditor, internal auditor, and board of directors. Key consideration 5 An FMI should have comprehensive physical and information security policies that address all potential vulnerabilities and threats. Description Physical security DCV has a physical security and safety plan in place. The security plans include procedures to prevent, mitigate, contain and/or manage fire, flooding, earthquake, terrorism attack, fraud and theft, social upraising, war/violent conflict. The security and safety plan is prepared jointly by DCV’s security department and an external consultant. The security plan is approved by the board of directors and is reviewed once a year. The measures that DCV takes to limit individuals’ physical access to its IT systems and physical securities include the use of building security / guards, ID card. In order to protect equipment and premises from fire, flooding or natural disasters, DCV has in place vaults, seismic-resistant building, gas-based fire suppression system, fire extinguishers, water sprinklers, etc. Information security DCV undertakes a security penetration test once a year. The results of that test are shown to the IT department, IT manager, management team, and to the Processes and IT committee of the board. Logical security measures applicable to DCV staff members include individual user names and passwords, roles based limitations, remote access limitations. In terms of wide IT security measures, DCV has in place firewalls, malware, spyware and anti-virus applications, intrusion detection system, etc. The IT security policies are reflected in DCV’s General Policy on Information Security, while physical security policies are reflected in the Business Continuity Policy. Key consideration 6 An FMI should have a business continuity plan that addresses events posing a significant risk of disrupting operations, including events that could cause a wide-scale or major disruption. The plan should incorporate the use of a secondary site and should be designed to ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events. The plan should be designed to enable the FMI to complete settlement by the end of the day of the disruption, even in case of extreme circumstances. The FMI should regularly test these arrangements. 42 Description Objectives of business continuity plan DCV’s has a documented business continuity policy and a disaster recovery plan. The objective of the plan is to maintain service and quality levels and to minimize any negative impact of a disruption on the operation of the company. As an ultimate objective, the DCV has stated that “it should be the last component of the financial system still standing regardless of the incident or catastrophe, and the first one to recover from such an event.” Design of business continuity plan The BCP is based on ISO 22301. The redundancies and other steps taken by the FMI to secure continuous operations include mirror disks, multiple serves (clusters), dual external power suppliers, dual external power supply lines, generators, dual cable/fiber optics connections. Down-time tolerance threshold is 0.1% of total daily operating hours. This is measured every month. Over the last 12 months, the FMI’s systems down-time averaged 0.1% of daily operating hours. RTO is set at 2 hours. Data is replicated in real-time between the main and back-up servers to minimize potential data losses. Recovery point objective (RPO) is set at 5 minutes. In order to protect the equipment in processing sites from fire, flooding or natural disasters, DCV has in place seismic-resistant building, gas-based fire suppression system, and fire extinguishers. Other business continuity arrangements include staff working from home. DCV has agreed on SLAs with all of its relevant service providers. These covers telecommunications and data processing, among others. Secondary site DCV has two alternate processing sites. Both are TIER 3-certified and are located at a sufficient geographic distance from the primary site and from each other such that they have a distinct risk profile. Access to both alternate sites is basically structured as remote access. Operations can be switched from the primary to the secondary site in less than one hour. In a catastrophic scenario that involves the loss of the primary and secondary sites, then RTO with the third site (the disaster recovery site or “SRAD”) is set at 2 hours. 43 Participants are required to maintain an active connection to the primary and secondary processing sites. Switching between these two sites is transparent to the participants. The third processing site is accessed via the Internet. Review and testing Business continuity and technological contingency plans are tested at least once a year following ISO 22301. DCV has obtained certification on this standard and also on BS 25999. Disaster recovery readiness and connectivity tests are conducted once a year. Tests have involved depositors as well as other FMIs operating from their main site and from their alternate processing site, and ensuring connectivity with DCV’s primary and alternate processing sites. The primary and secondary sites are rotated periodically. DCV tests its remote access system weekly. DCV is a participant of the business continuity committee that is led by the BCCh and that brings together other FMIs in Chile. In the context of this committee, a series of continuity tests involving all FMIs in Chile is being performed on a quarterly basis since mid-2014. Key consideration 7 An FMI should identify, monitor, and manage the risks that key participants, other FMIs, and service and utility providers might pose to its operations. In addition, an FMI should identify, monitor, and manage the risks its operations might pose to other FMIs. Description Risks to the FMI’s own operations With regard to its custody and securities transfer services, DCV responds to instructions from other FMIs. DCV may be exposed to reputational risk in the event other FMIs interconnected are experiencing operational problems, as it may not be able to provide those services efficiently and reliably. With regard to its other services as a CSD, DCV is also exposed to some risks as part of its securities administration activities. In addition, the securities transfer service that DCV makes available to its depositors jointly with ComBanc (involving a connection with Sistema LBTR) could be affected by a failure of either of these two FMIs. The software of DCV’s service platforms was designed in-house. Hardware support, including telecommunications, is provided by the manufacturers/operators of the facilities, including the alternate processing sites. SLAs have been agreed in the respective contracts. In order to monitor risk exposures generated by other parties, DCV uses market data (e.g. financial indicators, balances, exposures, etc.), automatic 44 alerts and controls, participant feedback. The FMI monitors such risks on a continuous basis and reviews the risk management tools once a year. Risks posed to other FMIs DCV poses operational risks to other FMIs, including in particular the Sistema LBTR, ComDer and CCLV (both as a CCP and as a SSS). Those other FMIs may not be able to operate in case DCV experiences a failure: the Sistema LBTR, ComDer and CCLV would not be able to perform their collateral management activities. In addition, CCLV would not be able to transfer the ownership of securities for its activities as a SSS and as a CCP for the equities market. DCV has signed SLAs with the other FMIs. DCV is a participant of the business continuity committee that is led by the BCCh and that brings together other FMIs like the Sistema LBTR, ComBanc, etc. Key conclusions DCV has established best practices and standards for the management of operational risks. Policies and procedures are comprehensive and are properly documented, and specific plans have been developed to address the identified risks. DCV places a strong emphasis on continuity, reliability and information security. It performs business continuity tests with its depositors and with interconnected FMIs regularly. Assessment of Principle 17 Observed. Recommendations and comments 45 Principle 18. Access and participation requirements An FMI should have objective, risk-based, and publicly disclosed criteria for participation, which permit fair and open access. Key consideration 1 An FMI should allow for fair and open access to its services, including by direct and, where relevant, indirect participants and other FMIs, based on reasonable risk-related participation requirements. Description Participation criteria and requirements Law 18.876 (article 2) and section 4 of the rulebook specify the entities that can become depositors in DCV. The list is relatively long, and includes a provision stating “any others that the CSD may approve”. The rulebook also regards securities issuers as participants. All issuers of securities object of public offering as well as banks and government entities in their role as issuers of securities are therefore regarded also as DCV participants. Yet another type of participants considered in the rulebook are other FMIs and entities that an issuer of securities designates as its payer in connection with corporate actions, coupon payment, etc. Participation requirements are essentially related to ensuring adequate connectivity with DCV’s technological platform (section 5.7 of the rulebook). Participants are required to maintain an active connection to the primary and secondary processing sites, and ensure connection to the third site (SRAD) via the Internet. The DCV can open account at the level of the beneficial owner. However, the accounts are always operated by one of the participants defined in the law or the rulebook, acting as nominees. As of mid-2015 there were a total of 188 depositors (with transactional access to DCV’s systems). All participants must pay an entry fee equivalent to approximately USD 13,500, plus a fixed monthly of USD 600. Access to trade repositories Not applicable. Key consideration 2 An FMI’s participation requirements should be justified in terms of the safety and efficiency of the FMI and the markets it serves, be tailored to and commensurate with the FMI’s specific risks, and be publicly disclosed. Subject to maintaining acceptable risk control standards, an FMI should endeavour to set requirements that have the least-restrictive impact on access that circumstances permit. Description Justification and rationale of participation criteria 46 DCV’s participation requirements are limited to ensuring adequate connectivity with DCV’s technological platform, which is an essential requirement to ensure safe and efficient operations. Least restrictive access The connectivity requirement ensures least restrictive access. Disclosure of criteria Criteria for becoming a participant in DCV are specified in the rulebook, which is publicly available through DCV’s website. Key consideration 3 An FMI should monitor compliance with its participation requirements on an ongoing basis and have clearly defined and publicly disclosed procedures for facilitating the suspension and orderly exit of a participant that breaches, or no longer meets, the participation requirements. Description Monitoring compliance DCV can monitor on-line participant’s ongoing compliance with the access criteria. Suspension and orderly exit Section 21 of the rulebook addresses sanctions to DCV participants. A participant that recurrently violates a law, regulations, the rulebook, DCV Circulars and/or the contract signed with DCV may be excluded. In particular, if a participant incurs in the same violation three times it shall be suspended 15 days and will not be able to operate in DCV’s technological platform. In case of an additional violation of the same kind, or a violation that is considered severe, the participant may be excluded permanently. Key Conclusions DCV has clear, risk-based access and participation requirements that ensure least restrictive access. There is evidence that participation is very broad and that current requirements do not have any significant impact on access. DCV can monitor in real time the ongoing fulfillment of these requirements. DCV rules state the conditions under which a participant may be suspended or excluded. Assessment of principle 18 Observed. Recommendations and comments 47 Principle 19. Tiered participation arrangements An FMI should identify, monitor, and manage the material risks to the FMI arising from tiered participation arrangements. Key consideration 1 An FMI should ensure that its rules, procedures, and agreements allow it to gather basic information about indirect participation in order to identify, monitor, and manage any material risks to the FMI arising from such tiered participation arrangements. Description There is no tiered participation at the DCV. DCV depositors keep their own securities holdings and those of their customers in separate accounts, which are readily identifiable to DCV. On this basis, principle 19 is deemed not applicable to DCV. Key consideration 2 An FMI should identify material dependencies between direct and indirect participants that might affect the FMI. Description On this basis of what explained under KC 19.1 this principle is deemed not applicable to DCV. Key consideration 3 An FMI should identify indirect participants responsible for a significant proportion of transactions processed by the FMI and indirect participants whose transaction volumes or values are large relative to the capacity of the direct participants through which they access the FMI in order to manage the risks arising from these transactions. Description On this basis of what explained under KC 19.1 this principle is deemed not applicable to DCV. Key consideration 4 An FMI should regularly review risks arising from tiered participation arrangements and should take mitigating action when appropriate. Description On this basis of what explained under KC 19.1 this principle is deemed not applicable to DCV. Key conclusions This principle is currently deemed not applicable to DCV. Assessment of Principle 19 Not applicable. Recommendations and comments 48 Principle 20. FMI links An FMI that establishes a link with one or more FMIs should identify, monitor, and manage link- related risks. Key consideration 1 Before entering into a link arrangement and on an ongoing basis once the link is established, an FMI should identify, monitor, and manage all potential sources of risk arising from the link arrangement. Link arrangements should be designed such that each FMI is able to observe the other principles in this report. Description When deciding on establishing a link, DCV analyses and takes into consideration legal risks, custody risks and operational risks. In order to establish the link, these risks should be consistent with the company’s tolerance for risk. DCV also takes into account whether the link will be profitable from a financial standpoint. At present, the DCV has links with the following FMIs: • CCLV • ComDer • ComBanc • Sistema LBTR • CAVALI (CSD in Peru) • DECEVAL (CSD for private securities in Colombia) • INDEVAL (CSD in Mexico) • DTCC • Euroclear Links with other FMIs in Chile include technical links that support interoperability with the respective technological platforms. Links with foreign CSDs consist of cross-holdings of deposit accounts in the respective systems in order to be able to perform custody of foreign securities for local depositors/investors. Links with other FMIs enable DCV to remain observant of other principles. DCV reviews the identified risks annually and whenever changes arise. Key consideration 2 A link should have a well-founded legal basis, in all relevant jurisdictions, that supports its design and provides adequate protection to the FMIs involved in the link. Description In Chile, DCV has established links only in Chile with other regulated and supervised FMIs. Contract supporting these links have been revised and approved by the respective regulators. Links with foreign FMIs are based on contracts. The contracts specify the applicable law: with regard to the principles of finality, irrevocability, protection of rights and protection of the transactions processed through these foreign systems, the contracts state that all these principles shall be governed by the laws and regulations of the CSD of issuance. 49 Before establishing a link, DCV performs due diligence to ensure that the link has a well-founded legal basis. DCV’s rulebook, which was approved by the SVS, opens the possibility to DCV to interact with foreign CSD/global custodians (section 16) to offer custody services of foreign securities to local residents. SVS regulations provide a legal basis for the links established by DCV in other jurisdictions. Key consideration 3 Linked CSDs should measure, monitor, and manage the credit and liquidity risks arising from each other. Any credit extensions between CSDs should be covered fully with high quality collateral and be subject to limits. Description No credit extensions or overdrafts are allowed in any of DCV’s contracts with other CSDs, nor does DCV provide any liquidity facilities as part of these arrangements. Transactions take place if and only if actual securities/funds are available and are transferable Key consideration 4 Provisional transfers of securities between linked CSDs should be prohibited or, at a minimum, the retransfer of provisionally transferred securities should be prohibited prior to the transfer becoming final. Description DCV does not allow for the provisional transfer of securities in any of its links with other CSDs. Key consideration 5 An investor CSD should only establish a link with an issuer CSD if the arrangement provides a high level of protection for the rights of the investor CSD’s participants. Description For all links in which DCV acts as an investor CSD, the link is operated in practice by DCV holding an account at the issuer CSD. DCV appears as the owner of the securities in the holdings of the issuer CSD. However, in all contracts with other CSDs it is specified that securities holdings belong to DCV’s customers and that in no case these securities can be used to fund or support in any way an obligation or liability of DCV or of the other CSD. The contracts also provide for protecting customer rights with regard to corporate actions and representation. To further ensure that customer rights are being handled appropriately, DCV makes a daily reconciliation of its internal records of customer holdings of foreign securities with the total balances available in its omnibus accounts with foreign CSDs. Key consideration 6 An investor CSD that uses an intermediary to operate a link with an issuer CSD should measure, monitor, and manage the additional risks (including custody, credit, legal, and operational risks) arising from the use of the intermediary. Description Not applicable. Key consideration 7 Before entering into a link with another CCP, a CCP should identify and manage the potential spill-over effects from the default of the linked CCP. If a link has three or more CCPs, each CCP should 50 identify, assess, and manage the risks of the collective link arrangement. Description Not applicable. Key consideration 8 Each CCP in a CCP link arrangement should be able to cover, at least on a daily basis, its current and potential future exposures to the linked CCP and its participants, if any, fully with a high degree of confidence without reducing the CCP’s ability to fulfil its obligations to its own participants at any time. Description Not applicable. Key consideration 9 A TR should carefully assess the additional operational risks related to its links to ensure the scalability and reliability of IT and related resources. Description Not applicable. Key conclusions The possibility for DCV to enter into links with other CSDs and other FMIs is provided for in its rulebook, which is approved by the SVS. The rights and obligations of DCV, its customers in connection with this specific service and those of the linked CSDs are established in contracts. These contracts provide an appropriate level of protection for the rights of DCV’s customers. DCV does not provide credit or liquidity services as part of these links. DCV monitors and manages the risks of its links with other CSDs on an ongoing basis, including through daily conciliations of securities balances with individual customer positions considering transactions performed during the day. Assessment of Principle 20 Observed. Recommendations and comments 51 Principle 21: Efficiency and effectiveness An FMI should be efficient and effective in meeting the requirements of its participants and the markets it serves. Key consideration 1 An FMI should be designed to meet the needs of its participants and the markets it serves, in particular, with regard to choice of a clearing and settlement arrangement; operating structure; scope of products cleared, settled, or recorded; and use of technology and procedures. Description DCV was created and designed to address a market need: safe and efficient custody and transfer of securities. When it was designed, DCV took into account the needs of its participants and the market in relation to operating structure, delivery systems and technologies. Since then, DCV has been continuously adapting to changes in the market, both from the perspective of new types of investors, new types of securities, of clearing and settlement, etc. In order to assess whether DCV is continuously meeting the requirements and needs of its participants and other users, it uses the following tools and feedback mechanisms: • Specific user group meetings, which are held quarterly. • A general assembly of depositors held annually and when major changes are proposed. • Recommendations by the Oversight Committee • Customer satisfaction surveys conducted quarterly. Key consideration 2 An FMI should have clearly defined goals and objectives that are measurable and achievable, such as in the areas of minimum service levels, risk-management expectations, and business priorities. Description As mentioned under KC 3.1, DCV has developed a balanced scorecard and a number of additional KPIs to assess the effectiveness of its operations (along with measuring the effectiveness of risk management policies, procedures and systems). The balanced scorecard covers the following items, with measurable and achievable goals for each of them: • Financial performance: revenues, efficiency in spending • Client-product-market: customer satisfaction, operational quality, income by business line with a special focus on new businesses, etc. • Internal organization issues (e.g. engagement, training) • Risk management Fulfillment of goals and objectives is reviewed by the committees of the board, the board of directors, internal and external audit. Key consideration 3 An FMI should have established mechanisms for the regular review of its efficiency and effectiveness. Description Indicators are measured on a monthly basis and feed the quality assurance system and the internal controls system to foster continuous improvement 52 of processes. A report on progress with regard to the balanced scorecard is provided to the board of directors. In addition, evaluation by external professionals (e.g. auditors, regulator, consultants) takes place annually. Key conclusions DCV was created and designed to address a market need. Since its creation, DCV has been generally effective in accommodating the needs of Chilean financial institutions and other market participants. Mechanisms have been implemented to promote, together with market participants, the ongoing improvement of DCV. DCV has been profitable for a number of years. Assessment of Principle 21 Observed. Recommendations and comments 53 Principle 22: Communication procedures and standards An FMI should use, or at a minimum accommodate, relevant internationally accepted communication procedures and standards in order to facilitate efficient payment, clearing, settlement, and recording. Key consideration 1 An FMI should use, or at a minimum accommodate, internationally accepted communication procedures and standards. Description Communication procedures and standards For its communications with its depositors, DCV uses a proprietary messaging system. Messaging is based on ISO 15022. For its communications with other FMIs in Chile (i.e. ComBanc, ComDer and Sistema LBTR), DCV uses SWIFT messages. DCV conducts some cross-border operations, specifically custody of foreign securities in foreign CSDs. It also provides accounts to foreign CSDs for them to provide custody services of Chilean securities. For communications related to its cross-border operations, DCV uses SWIFT messages for certain processes, complemented with faxes or physical letters. Key conclusions For domestic operations with depositors and FMIs in Chile, DCV uses internationally accepted procedures and standards. For cross-border operations, some processes are performed on the basis of faxes and physical letters. Automation of post-trade functions for MILA has been achieved only partially. Assessment of Principle 22 Broadly observed. Recommendations DCV, together with other CSDs and other entities involved in MILA and comments should continue on achieving the automation of post-trade functions within a defined timeline. 54 Principle 23: Disclosure of rules, key procedures, and market data An FMI should have clear and comprehensive rules and procedures and should provide sufficient information to enable participants to have an accurate understanding of the risks, fees, and other material costs they incur by participating in the FMI. All relevant rules and key procedures should be publicly disclosed. Key consideration 1 An FMI should adopt clear and comprehensive rules and procedures that are fully disclosed to participants. Relevant rules and key procedures should also be publicly disclosed. Description Rules and procedures The rulebook, internal circulars and contracts with depositors, issuers and other FMIs comprise DCV’s rules and key procedures. The rulebook has been approved by regulators. Circulars articulate the contents of several key aspects of the rulebook, thereby providing further clarifications and defining specific mechanisms and courses of action. DCV has not had to amend its rules and procedures as a result of adverse legal outcomes. Disclosure The rulebook and other detailed procedures and circulars provide information on the procedures that DCV will follow, including discretionary actions, in non-routine or critical events. Changes to key rules and procedures are subject to consultations with stakeholders (and the new rulebook would require SVS approval). The organizations included in the consultation process include: shareholders, depositors, regulators, other FMIs. On average the consultation process last between three and six months. In order to announce that a consultation process has started or is going to take place, DCV uses newsletter (email) and physical letter. DCV collects the consultation feedback through physical letters or via email. The rulebook and circulars are publicly available. Key consideration 2 An FMI should disclose clear descriptions of the system’s design and operations, as well as the FMI’s and participants’ rights and obligations, so that participants can assess the risks they would incur by participating in the FMI. Description The rulebook contains detailed information about the system’s design and operation. Moreover, in its website DCV has uploaded a number of corporate presentations with detailed information about the overall design of the CSD, what services are provided and on what basis, risks and their management, and other relevant aspects. The rulebook and especially circulars describe the few cases and areas in which DCV may exercise discretion and the approach it will follow in such circumstances. It should be noted that in connection with settlements, 55 DCV exercises no discretion at all as it simply follows the orders received from other FMIs or orders entered directly by depositors. Rights and obligations as well as the risks participants incur through participation in DCV are explained throughout the rulebook, and are further specified in the contracts that depositors sign with DCV. Key consideration 3 An FMI should provide all necessary and appropriate documentation and training to facilitate participants’ understanding of the FMI’s rules and procedures and the risks they face from participating in the FMI. Description Upon becoming a depositor at DCV, participants are provided with the relevant rules and procedures, operational guidelines, and technical information about DCV’s technological platform, including a detailed users’ manual. The means described above are generally sufficient to ensure a participant’s good understanding of the rules, procedures and the risks they face form participating as depositors in DCV. The mechanisms that DCV uses to address a participants understanding of the FMI's rules and procedures include periodical training and provision of e-learning materials. Key consideration 4 An FMI should publicly disclose its fees at the level of individual services it offers as well as its policies on any available discounts. The FMI should provide clear descriptions of priced services for comparability purposes. Description DCV’s fee structure is described in detail in section 20 of its rulebook, which is a public document. The fee structure may also be accessed directly in DCV’s website. The individual services include: • General charges (e.g. monthly fee, custody charges, etc.) • Charges for deposit accounts, including securities transfer services • Charges for inventory accounts • Charges for trade repository services • Charges for the electronic recording of pledges • Charges for operating mutual funds shares The information for each of the services is very detailed, differentiating by type of security, type of transaction, etc. Information on discounts is also provided – discounts are regulated in section 20.10 of the rulebook. There are no other CSDs in Chile with which charges applied by DCV may be compared, although international comparisons are possible. 56 Changes to the fee structure of to the level of the various fees have to be approved by the board of directors and shall start to apply 30 days after the participants have been informed of the change. Key consideration 5 An FMI should complete regularly and disclose publicly responses to the CPSS-IOSCO disclosure framework for financial market infrastructures. An FMI also should, at a minimum, disclose basic data on transaction volumes and values. Description DCV has not completed the CPMI-IOSCO Disclosure Framework for Financial Market Infrastructures. DCV publishes some statistical reports in its website. These include monthly reports showing total securities holdings by securities type and whether the securities are dematerialized or not; a monthly report with volume of transactions (i.e. securities transfers) by type of security. In addition to the rulebook and statistics, the following relevant documents are also publicly available at DCVs website (some information is also available in English): • Corporate information • General description of the DCV • Sanctions and fines to participants • Fee study Key conclusions DCV makes extensive disclosure of its rules, key procedures and its fee structure to participants. The rulebook and essential information about the company and some operational data are also disclosed to the general public via its website. DCV provides training materials on the rules and procedures and on the use of customer applications to new participants. Training is also provided every time a major change/improvement is developed. Although DCV prepared a recent self-assessment based on the CPMI- IOSCO assessment methodology (not available to the public), it has not yet completed the CPMI-IOSCO Disclosure Framework for Financial Market Infrastructures. Assessment of Principle 23 Broadly observed. Recommendations DCV should complete the CPMI-IOSCO Disclosure Framework for and comments Financial Market Infrastructures in a defined timeline and make it available to the general public through its website or other proper means. This should be updated at a minimum every two years. 57