Post on 14-Dec-2015
Slide 1
Independent Advisory Group
Giovannini Barrier 1
Meeting 2
August 3rd, 2005
IAG_030805_v2.ppt Slide 2
Agenda
Review of 19th July minutes
Protocol ‘shelf-life’
Focus on the Interface Layer
– Standards
– Security
– Service
Mandatory outsourcing of:
– Dispute resolution support service
– Commodity services
Any other business
IAG_030805_v2.ppt Slide 4
Independent Advisory Group: Membership & Contact
CESAME members / Attendee
Chairman: stephan.schuster@db.com
Secretariat: andrew.douglas@swift.com, ann.dormans@swift.com
ABN Amro: ruud.sleenhoff@nl.abnamro.com
Alternate: chiel.steinvoort@nl.abnamro.com
BNP: pierre.willems@bnpparibas.com
Citigroup: brian.s.crabtree@citigroup.com
Deutsche Bank: stephen.lomas@db.com
Deutsche Börse: kvangestel.cb@clearstream.com
ECSDA: joel.merere@euroclear.com
FBE: d.hermans@fbe.be
Euroclear: jan.sonck@euroclear.com
Alternate: luc.castan@euroclear.com
LCH Clearnet: pierre-dominique.renard@lchclearnet.com
Morgan Stanley: keith.berrett@morganstanley.com
NCSD: heikki.ylipekkala@ncsdgroup.com
Exceptional invitees
FPL: kevin@altkb.com, peter.randall@fixprotocol.org
ISSA: thomas.rohr@ubs.com
SMPG: catherine.dias@citigroup.com
Alternate: alexandre.kech@swift.com
SWIFT: jamie.shay@swift.com
Alternate: juliette.kennel@swift.com
Observer
ECB: concetta.cerafogli@ecb.int
Alternate: daniela.russo@ecb.int
EU: salvatore.lo-giudice@cec.eu.int
IAG_030805_v2.ppt Slide 5
Review of 19/07 minutes ‘Protocol, Standard & Syntax’
Protocol: The protocol definition should go further than simply a technical protocol and should be a definition of the best practice business rules that govern the communication procedure between any two counterparties
Standard: A single standard practically relates to the use of a single business model with its associated single data dictionary to enable translation between standards/syntaxes, thereby leveraging current investment in existing standards
Syntax: There are some syntaxes which are also considered to be standards and so at this level, the identification should be syntax/standard, not simply syntax
IAG_030805_v2.ppt Slide 6
Review of 19/07 minutes ‘Protocol, Standard & Syntax’
End to end STP can be achieved via interoperability of agreed standards (inc. market practices) within a best practice protocol
Interoperability achieved through the adoption of a single data dictionary
IAG_030805_v2.ppt Slide 7
Review of 19/07 minutes ‘Protocol scope’
Long term: the protocol should apply to all processes, all instruments and all participants
Short term: phasing of implementation of the protocol should be as follows:
– Instrument: Priority to Equities, Fixed Income and Exchange Traded Derivatives
– Participant: Priority to Broker Dealers, Clearing Houses (CCP), Clearing Agents, Settlement Agents, Global Custodians, Sub-Custodians and [I]CSD’s
– Market Sector: Priority to all post trade processes including Asset Servicing/Custody on the sell side together with Clearing & Settlement plus Asset Servicing/Custody on the Buy side
IAG_030805_v2.ppt Slide 8
Review of 19/07 minutes ‘Protocol scope’
[Diagram: protocol scope between the Institutional (buy) Side and the Street (sell) Side, with Exchange and VMU / ETCP. Space 1: Pre-trade / Trade; Space 2: Post Trade / Pre-Settlement; Space 3: Clearing & Settlement; Space 4: Asset Servicing (Non Trade Related Activity). Other labels: Order, Trade, Trade Date, Trade Date + X. Participants shown: IMI, B/D, GC, SC, SA, CCP, (I)CSD. Markers 1, 2, 3 with key: Short Term, Long Term.]
Legend: IMI: Investment Manager; B/D: Broker Dealer; VMU: Virtual Matching Utility; GC: Global Cust; SC: Sub-Cust; SA: Settlement Agent (Clearer); CCP: Central Counterparty; ICSD: (Int‘l) Central Securities Depository
IAG_030805_v2.ppt Slide 9
Review of 19/07 minutes ‘Protocol framework’
The proposed 9 element framework correctly frames a potential communication protocol
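[Diagram: 9 element framework between Participant A and Participant B. Layers: Data, Messaging, Network. Columns: STANDARDS, SECURITY, SERVICES.]
– Data: elements 1 (Standards), 2 (Security), 3 (Services)
– Messaging: elements 4 (Standards), 5 (Security), 6 (Services)
– Network: elements 7 (Standards), 8 (Security), 9 (Services)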
IAG_030805_v2.ppt Slide 10
Review of 19/07 minutes Element 7: Network Standards
The minimum acceptable network standard is the implementation of IP for communication and routing
IAG_030805_v2.ppt Slide 11
Review of 19/07 minutes Element 8: Network Security
Security, at either the network or the messaging layer, must be set at a level that satisfies business & regulatory requirements
IAG_030805_v2.ppt Slide 12
Review of 19/07 minutes Element 9: Network Service
Service must satisfy business & regulatory requirements for performance, resilience and network management
IAG_030805_v2.ppt Slide 13
Review of 19/07 minutes Accreditation of comms service providers
Specific accreditation is not required as market forces will provide natural accreditation
IAG_030805_v2.ppt Slide 15
Protocol ‘shelf-life’: The problem
«the future protocol should include the possibility to be extended to include other mechanisms in line with future technology evolution and to transmit newly defined data standards when the business requires to»
IAG_030805_v2.ppt Slide 16
Protocol ‘shelf-life’: Why is it a problem?
Technology development cycle = X months
vs
Business decision & implementation cycle = Y months
Result: New technologies & standards appear with random frequency & in the absence of market guidelines, participants adopt varying technologies according to internal business cycles
X=Y
IAG_030805_v2.ppt Slide 17
Protocol ‘shelf-life’: To resolve this issue?
Establish a protocol with a fixed content & pre-set ‘shelf-life’
Fixing content & shelf-life may preclude the use of the latest technology but for all participants, it will:
– Provide a fixed technology target
– Allow a realistic timeframe for implementation
– Provide a reasonable period for amortisation of development costs - take-up incentive based on knowing development cost is not wasted
IAG_030805_v2.ppt Slide 18
Protocol ‘shelf-life’: Potential problems?
Is a protocol with a pre-set ‘shelf-life’ or renewal cycle desirable?
If yes, do we accept that this may mean not using the latest technology?
If yes, what should the protocol renewal cycle be and who should renew it?
If no, what is the alternative?
IAG_030805_v2.ppt Slide 19
Protocol ‘shelf-life’: Proposed Ratification
From the time of initial recommendation, the anticipated lifespan of the content of the protocol will be X years. This will:
– Provide a fixed protocol content target
– Allow a realistic timeframe for implementation
– Provide a reasonable period for amortisation of development costs
The lifecycle should comprise 2 distinct elements:
– X1 = Implementation period
– X2 = Amortisation period
The content of the protocol should be reviewed on a X year cycle
This review should be conducted by XXXXXX
IAG_030805_v2.ppt Slide 21
Focus on the Messaging/Interface Layer
Clarifications
Standards
Security
Service
IAG_030805_v2.ppt Slide 22
Focus on the Messaging/Interface Layer
Clarifications:
Provision of service elements
– The service elements and service levels referred to in the consultation document relate to the provider of communications services, not the user of those services
Needs vs Solutions
– Concerns raised at the confusion of needs vs solutions, e.g.
– Need = authentication and data integrity
– Solution = PKI
IAG_030805_v2.ppt Slide 23
Focus on the Messaging/Interface Layer
Element 4: Standards - Consultation content
An interface must offer:
– Message transfer service
– File transfer service
– Operator based service
IAG_030805_v2.ppt Slide 24
Focus on the Messaging/Interface Layer
Element 4: Standards - Consultation responses
Q4.2 generic responses
51 responses in total; number and share that agree:
– EU FI (15 responses): 13 – 87%
– FI EU rep orgs (11 responses): 8 – 73%
– EU C&S Infrastructures (7 responses): 5 – 71%
– Total (inc above): 34 – 67%
IAG_030805_v2.ppt Slide 25
Focus on the Messaging/Interface Layer
Element 4: Standards - Consultation responses
Additional points raised
– CSFB/SCFS: File & GUI mechanisms should be optional
– Deutsche Bank/Euroclear: Selection of appropriate mechanism to be agreed bilaterally
IAG_030805_v2.ppt Slide 26
Focus on the Messaging/Interface Layer
Element 4: Standards – Proposed ratification
A Giovannini compliant interface must offer:
– Message transfer services
– File transfer services
– Operator based services
The selection of the service appropriate to a specific communication is agreed bilaterally between participants
IAG_030805_v2.ppt Slide 27
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation content
Minimum security needs:
– Authentication of source
– Data integrity & confidentiality
– Non-repudiation
– Time stamping
PKI
IAG_030805_v2.ppt Slide 28
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses
Q4.2 generic responses
51 responses in total; number and share that agree:
– EU FI (15 responses): 13 – 87%
– FI EU rep orgs (11 responses): 8 – 73%
– EU C&S Infrastructures (7 responses): 5 – 71%
– Total (inc above): 34 – 67%
IAG_030805_v2.ppt Slide 29
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses
Q4.10 specific security responses
‘Is the minimum security level defined at the messaging layer appropriate to all communication?
IAG_030805_v2.ppt Slide 30
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses
Q4.10(a) Generic information, e.g. end of day pricing’
45 responses in total; number and share that agree:
– EU FI (13 responses): 7 – 54%
– FI EU rep orgs (10 responses): 5 – 50%
– EU C&S Infrastructures (8 responses): 3 – 38%
– Total (inc above): 21 – 47%
– Explicitly disagree: 9 – 20%
IAG_030805_v2.ppt Slide 31
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses
Q4.10(b) Binding information, e.g. statements, status reports etc’
45 responses in total; number and share that agree:
– EU FI (13 responses): 9 – 69%
– FI EU rep orgs (10 responses): 7 – 70%
– EU C&S Infrastructures (8 responses): 4 – 50%
– Total (inc above): 28 – 62%
– Explicitly disagree: 2 – 4%
IAG_030805_v2.ppt Slide 32
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses
Q4.10(c) Business critical information, e.g. instructions & confirms’
45 responses in total; number and share that agree:
– EU FI (13 responses): 9 – 69%
– FI EU rep orgs (10 responses): 8 – 80%
– EU C&S Infrastructures (8 responses): 4 – 50%
– Total (inc above): 28 – 62%
– Explicitly disagree: 2 – 4%
IAG_030805_v2.ppt Slide 33
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses
Additional points raised answering Q4.10:
– Security levels/non-repudiation should be determined by activity type: AFTI, Citigroup, ECSA, SEB
– Is PKI the right answer? AFTI, ECSA, Euroclear
– Confusion between needs and solutions: Au/NZ NMPG, Euroclear
– Network provider must not be CA: AFTI
– Security & Service should be combined: Deutsche
– Bilateral & centralised security arrangements can co-exist: Euroclear
IAG_030805_v2.ppt Slide 34
Focus on the Messaging/Interface Layer
Element 5: Security – Questions to answer
[Table with blank cells. Columns: Generic, Binding, Critical. Rows: Authentication; Data integrity & confidentiality; Non-repudiation; Time stamping.]
IAG_030805_v2.ppt Slide 35
Focus on the Messaging/Interface Layer
Element 5: Security – Questions to answer
Are the minimum security needs correctly defined?
– Authentication of source
– Data integrity & confidentiality
– Non-repudiation
– Time stamping
What are the correct definitions of the key types of communication?
– Generic, non binding: pricing } Business Confidential?
– Binding: statements, status, entitlements } Business
– Business Critical: instructions, confirmations} Critical?
IAG_030805_v2.ppt Slide 36
Focus on the Messaging/Interface Layer
Element 5: Security – Questions to answer
How do you balance need vs cost?
Total trading, clearing and settlement cost to investor:
– Broker technical: AFTI 11/02 Domestic 6-15; AFTI 11/02 X-border 6-15
– Custodian internal: AFTI 11/02 Domestic 6-12.5; AFTI 11/02 X-border 6-12.5
– Custodian xs internal: AFTI 11/02 Domestic 0; AFTI 11/02 X-border 9-18
– Custodian external*: AFTI 11/02 Domestic 1-2.5; AFTI 11/02 X-border 10; 2005 Tower Europe Dom 0.4-0.8; 2005 Tower Europe X-B 0.6-35
– Total: AFTI 11/02 Domestic 13-30; AFTI 11/02 X-border 31-55.5
Total message cost (inc security) 1.50-2.00 depending on matching, using local agents etc
* Local custodian plus local CSD
All costs in EUR, 30,000 Eur trade
IAG_030805_v2.ppt Slide 37
Focus on the Messaging/Interface Layer
Element 5: Security – Questions to answer
[Table with blank cells. Column groups: Business Confidential, Business Critical. Columns: Generic, Binding, Critical. Rows: Authentication; Data integrity & confidentiality; Non-repudiation; Time stamping.]
IAG_030805_v2.ppt Slide 38
Focus on the Messaging/Interface Layer
Element 5: Security – Questions to answer
Is PKI the correct security mechanism?
How should the PKI service be offered?
– FI specific
– MI specific
– Comms Provider specific
– Market level single PKI scheme
– Interoperable PKI
PKI strength (key length, RA checks etc):
– What is the appropriate minimum level
– How will service providers prove this? Accreditation?
– Technical definition team?
IAG_030805_v2.ppt Slide 39
Focus on the Messaging/Interface Layer
Element 5: Security – Proposed ratification
A Giovannini compliant service must offer:
– Authentication/data integrity (PKI) with liability
– Non-repudiation with liability
– Time stamping
RA must implement KYC standards for Certificate issuance
Market best practice minimum PKI strength
These features are considered mandatory for the following types of communication:
– Business critical (Changing ownership, moving value): ……..
– Business confidential (Entitlements, status reports, statements): ………..
– Other: ..........
IAG_030805_v2.ppt Slide 40
Focus on the Messaging/Interface Layer
Element 6: Service - Consultation content
Services and Service Levels
The minimum mandatory services that a messaging/interface layer must offer are:
– Message/file audit
– Message/file guaranteed delivery
– Message/file delivery once and only once
IAG_030805_v2.ppt Slide 41
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation content
Optional services that a messaging/interface layer can offer are:
– Message/file archival & retrieval
– Message/file store and forward
– Message/file validation
– Message/file analysis
– Message/file delivery control
– SLA’s for provisioning, implementation etc
– Testing facilities
– Interface adapters
IAG_030805_v2.ppt Slide 42
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation responses
51 responses in total; number and share that agree:
– EU FI (15 responses): 13 – 87%
– FI EU rep orgs (11 responses): 8 – 73%
– EU C&S Infrastructures (7 responses): 5 – 71%
– Total (inc above): 34 – 67%
IAG_030805_v2.ppt Slide 43
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation responses
Additional points raised:
– AFTI: Optional delivery notification
– Euroclear: Messaging layer must use multiple networks
– NCSD: Mandating service levels is not required as different users have different needs
– OMX: Put confirmation of receipt requirement on receiver
– SEB: Baseline set too high
IAG_030805_v2.ppt Slide 44
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation responses
Additional mandatory features recommended:
– Mandatory archive (period?) & retrieval: AT NMPG, Bank of Valletta, Merrill Lynch, Omgeo, ZA NMPG
– Mandatory testing facility: ABN, AFTI, CH NMPG, CSFB, UBS, ZA NMPG
– Mandatory replay: AT NMPG, BVI, ZA NMPG
– Mandatory store & forward: AT NMPG, BVI, ZA NMPG
– Mandatory validation: AT NMPG, AU/NZ NMPG
– Mandatory delivery control: AT NMPG
– Mandatory message cancellation: ECSA
– Mandatory resend: ABN
IAG_030805_v2.ppt Slide 45
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation responses
Q4.9 Should providers of messaging & network functionality police the quality of traffic against standards?
If yes, should they be empowered to stop traffic that does not conform or merely report on non-conformance?
– Clarification: Validation of format/standards, not business content
51 responses in total; number and share that agree:
– EU FI (14 responses): 12 – 86%
– FI EU rep orgs (12 responses): 8 – 67%
– EU C&S Infrastructures (9 responses): 7 – 78%
– Total (inc above): 37 – 73%
IAG_030805_v2.ppt Slide 46
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation responses
BUT
51 responses in total Agree
– Optional 13 – 25%
– Report only 10 – 20%
– Stop traffic 8 – 16%
– Explicitly disagree 12 – 24%
IAG_030805_v2.ppt Slide 47
Focus on the Messaging/Interface Layer
Element 6: Services – Proposed ratification
A Giovannini compliant service must offer:
– Message/file audit, (inc. archival & retrieval?)
– Message/file guaranteed delivery
– Message/file delivery once and only once
All other services remain optional value added services provided at the discretion of the Service Provider
IAG_030805_v2.ppt Slide 48
Focus on the Messaging/Interface Layer
Element 6: Service Level - Consultation responses
Q4.3 Should a minimum set of performance standards be quantified for each service element?
49 responses in total; number and share that agree:
– EU FI (15 responses): 14 – 93%
– FI EU rep orgs (11 responses): 7 – 64%
– EU C&S Infrastructures (9 responses): 8 – 89%
– Total (inc above): 39 – 80%
– Explicitly disagree: 7 – 14%
IAG_030805_v2.ppt Slide 49
Focus on the Messaging/Interface Layer
Element 6: Service Level - Consultation responses
Most common service levels noted in the consultation:
24x7 Agree
– EU FI 6 – 40%
– FI EU rep orgs 3 – 27%
– EU C&S Infrastructures 2 – 22%
– Total (inc above) 15 – 31%
99.999% availability - continuity Agree
– EU FI 5 – 33%
– FI EU rep orgs 2 – 18%
– EU C&S Infrastructures 2 – 22%
– Total (inc above) 11 – 22%
IAG_030805_v2.ppt Slide 50
Focus on the Messaging/Interface Layer
Element 6: Service Level – Proposed ratification
From Network Layer, Element 9: Service must satisfy business & regulatory requirements for performance, resilience and network management
– Is this enough?
– Will it make a difference?
– Do we need to revisit the Network Layer?
IAG_030805_v2.ppt Slide 52
Mandatory outsourcing of certain services: Consultation content
Q4.6 ‘What is your opinion on the mandatory outsourcing of dispute resolution and commodity services to the provider[s] of messaging and/or network services’
Clarification: To provide services which would be considered as the neutral evidence required to resolve an operational dispute, e.g. Time stamping
IAG_030805_v2.ppt Slide 53
Mandatory outsourcing of services: Consultation content
Dispute resolution services, e.g. time stamping others?
52 responses in total:
– EU FI (13 responses): Agree 54%, Disagree 15%
– FI EU rep orgs (13 responses): Agree 38%, Disagree 31%
– EU C&S Infrastructures (9 responses): Agree 22%, Disagree 67%
– Total (inc above): Agree 35%, Disagree 37%
IAG_030805_v2.ppt Slide 54
Mandatory outsourcing of services: Consultation content
Commodity services, e.g. PKI, others?
PKI 52 responses in total Agree Disagree Agree
– 13 EU FI 54% 15% 31%
– 13 FI EU rep orgs 31% 31% 15%
– 9 EU C&S Infrastructures 11% 67% 0%
– Total (inc above) 33% 37% 17%
IAG_030805_v2.ppt Slide 55
Mandatory outsourcing of services: Proposed ratification
Confirmation that at the security and service level:
– Time stamping is a neutral activity that should be performed by the Messaging/Network provider
– From an FI perspective, PKI should not be provided by Market Infrastructures
IAG_030805_v2.ppt Slide 57
The next meeting is…..
23rd August at 11.00am
The subject will be the data layer