SWIFT Securities stand


Independent Advisory Group
Giovannini Barrier 1
Meeting 2
August 3rd, 2005
Slide 1
Agenda

Review of 19th July minutes

Protocol ‘shelf-life’

Focus on the Interface Layer
– Standards
– Security
– Service

Mandatory outsourcing of:
– Dispute resolution support service
– Commodity services

Any other business
IAG_030805_v2.ppt
Slide 2
Independent Advisory Group:
Membership & Contact
CESAME members
Chairman
Secretariat
ABN Amro
Alternate
BNP
Citigroup
Deutsche Bank
Deutsche Börse
ECSDA
FBE
Euroclear
Alternate
LCH Clearnet
Morgan Stanley
NCSD
Attendee
Exceptional invitees
FPL
ISSA
SMPG
Alternate
SWIFT
Alternate
Observer
ECB
Alternate
EU
Slide 4
Review of 19/07 minutes
‘Protocol, Standard & Syntax’

Protocol: The protocol definition should go further than simply a
technical protocol and should be a definition of the best practice
business rules that govern the communication procedure
between any two counterparties

Standard: A single standard practically relates to the use of a
single business model with its associated single data dictionary
to enable translation between standards/syntaxes, thereby
leveraging current investment in existing standards

Syntax: There are some syntaxes which are also considered to
be standards and so at this level, the identification should be
syntax/standard, not simply syntax
Slide 5
Review of 19/07 minutes
‘Protocol, Standard & Syntax’

End to end STP can be achieved via interoperability of agreed standards (inc. market practices) within a best practice protocol

Interoperability achieved through the adoption of a single data dictionary
Slide 6
Review of 19/07 minutes
‘Protocol scope’

Long term: the protocol should apply to all processes, all
instruments and all participants

Short term: phasing of implementation of the protocol should be
as follows:
– Instrument: Priority to Equities, Fixed Income and
Exchange Traded Derivatives
– Participant: Priority to Broker Dealers, Clearing Houses
(CCP), Clearing Agents, Settlement Agents, Global
Custodians, Sub-Custodians and [I]CSD’s
– Market Sector: Priority to all post trade processes including
Asset Servicing/Custody on the sell side together with
Clearing & Settlement plus Asset Servicing/Custody on the
Buy side
Slide 7
Review of 19/07 minutes
‘Protocol scope’ - Short Term / Long Term
[Diagram: participants on the Institutional (buy) Side and the Street (sell) Side, from Order and Trade on Trade Date through to Trade Date + X, across Space 1 (Pre-trade / Trade), Space 2 (Post Trade / Pre-Settlement), Space 3 (Clearing & Settlement) and Space 4 (Asset Servicing, Non Trade Related Activity). Participants shown: IMI, B/D, Exchange, VMU / ETCP, CCP, GC, SC, SA, (I)CSD]
Legend:
– IMI: Investment Manager
– B/D: Broker Dealer
– VMU: Virtual Matching Utility
– GC: Global Cust
– SC: Sub-Cust
– SA: Settlement Agent (Clearer)
– CCP: Central Counterparty
– ICSD: (Int‘l) Central Securities Depository
Slide 8
Review of 19/07 minutes
‘Protocol framework’

The proposed 9 element framework correctly frames a potential communication protocol

[Diagram: Participant A and Participant B connected through three layers (Data, Messaging, Network), each crossed by three columns: Standards (elements 1, 4, 7), Security (elements 2, 5, 8) and Services (elements 3, 6, 9)]
Slide 9
Review of 19/07 minutes
Element 7: Network Standards

The minimum acceptable network standard is the implementation of IP for communication and routing
Slide 10
Review of 19/07 minutes
Element 8: Network Security

Security, at either the network or the messaging layer, must be set at a level that satisfies business & regulatory requirements
Slide 11
Review of 19/07 minutes
Element 9: Network Service

Service must satisfy business & regulatory requirements for performance, resilience and network management
Slide 12
Review of 19/07 minutes
Accreditation of comms service providers

Specific accreditation is not required as market forces will provide natural accreditation
Slide 13
Protocol ‘shelf-life’:
The problem

«the future protocol should include the possibility to be extended to include other mechanisms in line with future technology evolution and to transmit newly defined data standards when the business requires to»
Slide 15
Protocol ‘shelf-life’:
Why is it a problem?

Technology development cycle = X months
vs
Business decision & implementation cycle = Y months
X=Y

Result: New technologies & standards appear with random frequency & in the absence of market guidelines, participants adopt varying technologies according to internal business cycles
Slide 16
Protocol ‘shelf-life’:
To resolve this issue?

Establish a protocol with a fixed content & pre-set
‘shelf-life’

Fixing content & shelf-life may preclude the use of the
latest technology but for all participants, it will:
– Provide a fixed technology target
– Allow a realistic timeframe for implementation
– Provide a reasonable period for amortisation of
development costs - take-up incentive based on
knowing development cost is not wasted
Slide 17
Protocol ‘shelf-life’:
Potential problems?

Is a protocol with a pre-set ‘shelf-life’ or renewal cycle
desirable?

If yes, do we accept that this may mean not using the
latest technology?

If yes, what should the protocol renewal cycle be and
who should renew it?

If no, what is the alternative?
Slide 18
Protocol ‘shelf-life’:
Proposed Ratification

From the time of initial recommendation, the anticipated lifespan
of the content of the protocol will be X years. This will:
– Provide a fixed protocol content target
– Allow a realistic timeframe for implementation
– Provide a reasonable period for amortisation of
development costs

The lifecycle should comprise 2 distinct elements:
– X1 = Implementation period
– X2 = Amortisation period

The content of the protocol should be reviewed on an X year cycle

This review should be conducted by XXXXXX
Slide 19
Focus on the Messaging/Interface Layer
– Clarifications
– Standards
– Security
– Service
Slide 21
Focus on the Messaging/Interface Layer
Clarifications:

Provision of service elements
– The service elements and service levels
referred to in the consultation document
relate to the provider of communications
services, not the user of those services

Needs vs Solutions
– Concerns raised at the confusion of needs vs
solutions, e.g.
– Need = authentication and data integrity
– Solution = PKI
Slide 22
Focus on the Messaging/Interface Layer
Element 4: Standards - Consultation content
An interface must offer:
– Message transfer service
– File transfer service
– Operator based service
Slide 23
Focus on the Messaging/Interface Layer
Element 4: Standards - Consultation responses

Q4.2 generic responses

51 responses in total
Agree:
– 15 EU FI: 13 (87%)
– 11 FI EU rep orgs: 8 (73%)
– 7 EU C&S Infrastructures: 5 (71%)
– Total (inc above): 34 (67%)
Slide 24
Focus on the Messaging/Interface Layer
Element 4: Standards - Consultation responses
 Additional
points raised
– CSFB/SCFS: File & GUI mechanisms
should be optional
– Deutsche Bank/Euroclear: Selection
of appropriate mechanism to be
agreed bilaterally
Slide 25
Focus on the Messaging/Interface Layer
Element 4: Standards – Proposed ratification
A Giovannini compliant interface must offer:
– Message transfer services
– File transfer services
– Operator based services

The selection of the service appropriate to a specific communication is agreed bilaterally between participants
Slide 26
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation content
Minimum security needs:
– Authentication of source
– Data integrity & confidentiality
– Non-repudiation
– Time stamping
[Slide label beside the list: PKI]
Slide 27
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses

Q4.2 generic responses

51 responses in total
Agree:
– 15 EU FI: 13 (87%)
– 11 FI EU rep orgs: 8 (73%)
– 7 EU C&S Infrastructures: 5 (71%)
– Total (inc above): 34 (67%)
Slide 28
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses

Q4.10 specific security responses

‘Is the minimum security level defined at the messaging layer appropriate to all communication?
Slide 29
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses

Q4.10(a) Generic information, e.g. end of day pricing’

45 responses in total
Agree:
– 13 EU FI: 7 (54%)
– 10 FI EU rep orgs: 5 (50%)
– 8 EU C&S Infrastructures: 3 (38%)
– Total (inc above): 21 (47%)
– Explicitly disagree: 9 (20%)
Slide 30
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses

Q4.10(b) Binding information, e.g. statements, status reports etc’

45 responses in total
Agree:
– 13 EU FI: 9 (69%)
– 10 FI EU rep orgs: 7 (70%)
– 8 EU C&S Infrastructures: 4 (50%)
– Total (inc above): 28 (62%)
– Explicitly disagree: 2 (4%)
Slide 31
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses

Q4.10(c) Business critical information, e.g. instructions & confirms’

45 responses in total
Agree:
– 13 EU FI: 9 (69%)
– 10 FI EU rep orgs: 8 (80%)
– 8 EU C&S Infrastructures: 4 (50%)
– Total (inc above): 28 (62%)
– Explicitly disagree: 2 (4%)
Slide 32
Focus on the Messaging/Interface Layer
Element 5: Security - Consultation responses

Additional points raised answering Q4.10:
– Security levels/non-repudiation should be determined by
activity type: AFTI, Citigroup, ECSA, SEB
– Is PKI the right answer? AFTI, ECSA, Euroclear
– Confusion between needs and solutions: Au/NZ NMPG,
Euroclear
– Network provider must not be CA : AFTI
– Security & Service should be combined: Deutsche
– Bilateral & centralised security arrangements can co-exist:
Euroclear
Slide 33
Focus on the Messaging/Interface Layer
Element 5: Security – Questions to answer
[Empty matrix for discussion. Columns: Generic, Binding, Critical. Rows: Authentication, Data integrity & confidentiality, Non-repudiation, Time stamping]
Slide 34
Focus on the Messaging/Interface Layer
Element 5: Security – Questions to answer

Are the minimum security needs correctly defined?
– Authentication of source
– Data integrity & confidentiality
– Non-repudiation
– Time stamping

What are the correct definitions of the key types of
communication?
– Generic, non binding: pricing } Business Confidential?
– Binding: statements, status, entitlements }
– Business Critical: instructions, confirmations } Business Critical?
Slide 35
Focus on the Messaging/Interface Layer
Element 5: Security – Questions to answer
How do you balance need vs cost?

Total trading, clearing and settlement cost to investor (all costs in EUR, 30,000 Eur trade)
Values given as: AFTI 11/02 Domestic Europe / AFTI 11/02 X-border Europe
– Broker technical: 6-15 / 6-15
– Custodian internal: 6-12.5 / 6-12.5
– Custodian xs internal: 0 / 9-18
– Custodian external*: 1-2.5 / 10
– Total: 13-30 / 31-55.5
* Local custodian plus local CSD

Total message cost (inc security)
Columns: 2005 Tower Dom, 2005 Tower X-B
0.4-0.8 0.6-35
1.50-2.00 depending on matching, using local agents etc
Slide 36
Focus on the Messaging/Interface Layer
Element 5: Security – Questions to answer
[Empty matrix for discussion. Column headings: Business Confidential, Generic, Business Critical, Binding, Critical. Rows: Authentication, Data integrity & confidentiality, Non-repudiation, Time stamping]
Slide 37
Focus on the Messaging/Interface Layer
Element 5: Security – Questions to answer

Is PKI the correct security mechanism?

How should the PKI service be offered?
– FI specific
– MI specific
– Comms Provider specific
– Market level single PKI scheme
– Interoperable PKI

PKI strength (key length, RA checks etc):
– What is the appropriate minimum level?
– How will service providers prove this? Accreditation?
– Technical definition team?
Slide 38
Focus on the Messaging/Interface Layer
Element 5: Security – Proposed ratification

A Giovannini compliant service must offer:
– Authentication/data integrity (PKI) with liability
– Non-repudiation with liability
– Time stamping

RA must implement KYC standards for Certificate issuance

Market best practice minimum PKI strength

These features are considered mandatory for the following types of
communication:
– Business critical (Changing ownership, moving value): ……..
– Business confidential (Entitlements, status reports,
statements): ………..
– Other: ..........
Slide 39
Focus on the Messaging/Interface Layer
Element 6: Service - Consultation content

Services and Service Levels

The minimum mandatory services that a messaging/interface layer must offer are:
– Message/file audit
– Message/file guaranteed delivery
– Message/file delivery once and only once
Slide 40
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation content

Optional services that a messaging/interface layer
can offer are:
– Message/file archival & retrieval
– Message/file store and forward
– Message/file validation
– Message/file analysis
– Message/file delivery control
– SLA’s for provisioning, implementation etc
– Testing facilities
– Interface adapters
Slide 41
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation responses

51 responses in total
Agree:
– 15 EU FI: 13 (87%)
– 11 FI EU rep orgs: 8 (73%)
– 7 EU C&S Infrastructures: 5 (71%)
– Total (inc above): 34 (67%)
Slide 42
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation responses

Additional points raised:
– AFTI:
– Optional delivery notification: AFTI
– Euroclear:
– Messaging layer must use multiple networks
– NCSD:
– Mandating service levels is not required as different
users have different needs
– OMX:
– Put confirmation of receipt requirement on receiver
– SEB:
– Baseline set too high
Slide 43
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation responses

Additional mandatory features recommended:
– Mandatory archive (period?) & retrieval: AT NMPG, Bank of Valetta, Merrill Lynch, Omgeo, ZA NMPG
– Mandatory testing facility: ABN, AFTI, CH NMPG, CSFB, UBS, ZA NMPG
– Mandatory replay: AT NMPG, BVI, ZA NMPG
– Mandatory store & forward: AT NMPG, BVI, ZA NMPG
– Mandatory validation: AT NMPG, AU/NZ NMPG
– Mandatory delivery control: AT NMPG
– Mandatory message cancellation: ECSA
– Mandatory resend: ABN
Slide 44
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation responses

Q4.9 Should providers of messaging & network
functionality police the quality of traffic against standards?
If yes, should they be empowered to stop traffic that does
not conform or merely report on non-conformance
– Clarification: Validation of format/standards, not
business content

51 responses in total
Agree:
– 14 EU FI: 12 (86%)
– 12 FI EU rep orgs: 8 (67%)
– 9 EU C&S Infrastructures: 7 (78%)
– Total (inc above): 37 (73%)
Slide 45
Focus on the Messaging/Interface Layer
Element 6: Services - Consultation responses

BUT

51 responses in total
Agree:
– Optional: 13 (25%)
– Report only: 10 (20%)
– Stop traffic: 8 (16%)
– Explicitly disagree: 12 (24%)
Slide 46
Focus on the Messaging/Interface Layer
Element 6: Services – Proposed ratification
A Giovannini compliant service must offer:
– Message/file audit, (inc. archival & retrieval?)
– Message/file guaranteed delivery
– Message/file delivery once and only once

All other services remain optional value added services provided at the discretion of the Service Provider
Slide 47
Focus on the Messaging/Interface Layer
Element 6: Service Level - Consultation responses

Q4.3 Should a minimum set of performance standards be
quantified for each service element?

49 responses in total
Agree:
– 15 EU FI: 14 (93%)
– 11 FI EU rep orgs: 7 (64%)
– 9 EU C&S Infrastructures: 8 (89%)
– Total (inc above): 39 (80%)
– Explicitly disagree: 7 (14%)
Slide 48
Focus on the Messaging/Interface Layer
Element 6: Service Level - Consultation responses
Most common service levels noted in the consultation:

24x7
Agree:
– EU FI: 6 (40%)
– FI EU rep orgs: 3 (27%)
– EU C&S Infrastructures: 2 (22%)
– Total (inc above): 15 (31%)

99.999% availability - continuity
Agree:
– EU FI: 5 (33%)
– FI EU rep orgs: 2 (18%)
– EU C&S Infrastructures: 2 (22%)
– Total (inc above): 11 (22%)
Slide 49
Focus on the Messaging/Interface Layer
Element 6: Service Level – Proposed ratification

From Network Layer, Element 9: Service must satisfy business & regulatory requirements for performance, resilience and network management
– Is this enough?
– Will it make a difference?
– Do we need to revisit the Network Layer?
Slide 50
Mandatory outsourcing of certain services:
Consultation content

Q4.6 ‘What is your opinion on the mandatory outsourcing of dispute resolution and commodity services to the provider[s] of messaging and/or network services’

Clarification: To provide services which would be considered as the neutral evidence required to resolve an operational dispute, e.g. Time stamping
Slide 52
Mandatory outsourcing of services:
Consultation content

Dispute resolution services, e.g. time stamping, others?

52 responses in total
Values given as: Agree / Disagree
– 13 EU FI: 54% / 15%
– 13 FI EU rep orgs: 38% / 31%
– 9 EU C&S Infrastructures: 22% / 67%
– Total (inc above): 35% / 37%
Slide 53
Mandatory outsourcing of services:
Consultation content

Commodity services, e.g. PKI, others?

52 responses in total
Values given as: Agree / Disagree / PKI Agree
– 13 EU FI: 54% / 15% / 31%
– 13 FI EU rep orgs: 31% / 31% / 15%
– 9 EU C&S Infrastructures: 11% / 67% / 0%
– Total (inc above): 33% / 37% / 17%
Slide 54
Mandatory outsourcing of services:
Proposed ratification

Confirmation that at the security and service level:
– Time stamping is a neutral activity that should be performed by the Messaging/Network provider
– From an FI perspective, PKI should not be provided by Market Infrastructures
Slide 55
The next meeting is…..

23rd August at 11.00am

The subject will be the data layer
Slide 57