slide 1 independent advisory group giovannini barrier 1 meeting 2 august 3rd, 2005

Independent Advisory GroupGiovannini Barrier 1Meeting 2

August 3rd, 2005

IAG_030805_v2.ppt Slide 2

Agenda Review of 19th July minutes

Protocol ‘shelf-life’

Focus on the Interface Layer

– Standards

– Security

– Service

Mandatory outsourcing of:

– Dispute resolution support service

– Commodity services

Any other business





– Standards

– Security

– Service




Any other business


Independent Advisory Group:Membership & Contact

CESAME members Attendee Chairman [email protected] [email protected]

[email protected] Amro [email protected] [email protected] [email protected] [email protected] Bank [email protected] Börse [email protected] [email protected] [email protected] [email protected] [email protected] Clearnet [email protected] Stanley [email protected] [email protected]

Exceptional inviteesFPL [email protected]

[email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]


Review of 19/07 minutes‘Protocol, Standard & Syntax’

ProtocolProtocol: The protocol definition should go further than simply a : The protocol definition should go further than simply a technical protocol and should be a definition of the best practice technical protocol and should be a definition of the best practice business rules that govern the communication procedure business rules that govern the communication procedure between any two counterpartiesbetween any two counterparties

StandardStandard: A single standard practically relates to the use of a : A single standard practically relates to the use of a single business model with its associated single data dictionary single business model with its associated single data dictionary to enable translation between standards/syntaxes, thereby to enable translation between standards/syntaxes, thereby leveraging current investment in existing standards leveraging current investment in existing standards

SyntaxSyntax: There are some syntaxes which are also considered to : There are some syntaxes which are also considered to be standards and so at this level, the identification should be be standards and so at this level, the identification should be syntax/standard, not simply syntaxsyntax/standard, not simply syntax


Review of 19/07 minutes‘Protocol, Standard & Syntax’

End to end STP can be achieved via End to end STP can be achieved via interoperability of agreed standards interoperability of agreed standards (inc. market practices) within a best (inc. market practices) within a best practice protocolpractice protocol

Interoperability achieved through the Interoperability achieved through the adoption of a single data dictionaryadoption of a single data dictionary


Review of 19/07 minutes ‘Protocol scope’

Long term: the protocol should apply to all processes, all Long term: the protocol should apply to all processes, all instruments and all participantsinstruments and all participants

Short term: phasing of implementation of the protocol should be Short term: phasing of implementation of the protocol should be as follows:as follows:

– Instrument: Priority to Equities, Fixed Income and Instrument: Priority to Equities, Fixed Income and Exchange Traded Derivatives Exchange Traded Derivatives

– Participant: Priority to Broker Dealers, Clearing Houses Participant: Priority to Broker Dealers, Clearing Houses (CCP), Clearing Agents, Settlement Agents, Global (CCP), Clearing Agents, Settlement Agents, Global Custodians, Sub-Custodians and [I]CSD’sCustodians, Sub-Custodians and [I]CSD’s

– Market Sector: Priority to all post trade processes including Market Sector: Priority to all post trade processes including Asset Servicing/Custody on the sell side together with Asset Servicing/Custody on the sell side together with Clearing & Settlement plus Asset Servicing/Custody on the Clearing & Settlement plus Asset Servicing/Custody on the Buy sideBuy side


Review of 19/07 minutes ‘Protocol scope’

ExchangeExchange

VMU / ETCPVMU / ETCP

Tra

de

Dat

e

Sp

ace

1S

pac

e 1

Pre

-tra

de

/ T

rad

e

Sp

ace

3S

pac

e 3

Cle

arin

g &

S

ettl

emen

t

OrderTrade

IMI: Investment ManagerB/D: Broker DealerVMU: Virtual Matching UtilityGC: Global CustSC: Sub-CustSA: Settlement Agent (Clearer)CCP: Central CounterpartyICSD: (Int‘l) Central Securities Depository

Institutional (buy) Side Street (sell) Side

Sp

ace

2S

pac

e 2

Po

st T

rad

e /

Pre

-Set

tlem

ent

Tra

de

Dat

e +

X

GCGC

SASA

CCPCCP

SASA

IMIIMI B/DB/D

(I)CSD(I)CSD

SCSC

B/DB/D

Space 4Space 4 – Asset Servicing

Non Trade Related Activity

1

2

3

- Short Term- Long Term


Review of 19/07 minutes ‘Protocol framework’

The proposed 9 element framework The proposed 9 element framework correctly frames a potential correctly frames a potential communication protocolcommunication protocol

Network

Messaging

Data

Network

Messaging

DataSTANDARDS

SECURITY

SERVICES

Participant A Participant B

1

4

7

2

5

8

3

6

9


Review of 19/07 minutes Element 7: Network Standards

The minimum acceptable network The minimum acceptable network standard is the implementation of IP for standard is the implementation of IP for communication and routingcommunication and routing


Review of 19/07 minutes Element 8: Network Security

Security, at either the network or the Security, at either the network or the messaging layer, must be set at a level messaging layer, must be set at a level that satisfies business & regulatory that satisfies business & regulatory requirementsrequirements


Review of 19/07 minutes Element 9: Network Service

Service must satisfy business & Service must satisfy business & regulatory requirements for regulatory requirements for performance, resilience and network performance, resilience and network managementmanagement


Review of 19/07 minutesAccreditation of comms service providers

Specific accreditation is not required as Specific accreditation is not required as market forces will provide natural market forces will provide natural accreditationaccreditation





– Standards

– Security

– Service




Any other business


Protocol ‘shelf-life’:The problem

«the future protocol should include the possibility to be extended to include other mechanisms in line with future technology evolution and to transmit newly defined data standards when the business requires to»


Protocol ‘shelf-life’:Why is it a problem?

Technology development cycle = X months

vs Business decision

& implementation cycle = Y months

Result: New technologies & standards appear with random frequency & in the absence of market guidelines, participants adopt varying technologies according to internal business cycles

X=Y


Protocol ‘shelf-life’:To resolve this issue?

Establish a protocol with a fixed content & pre-set ‘shelf-life’

Fixing content & shelf-life may preclude the use of the latest technology but for all participants, it will:

– Provide a fixed technology target

– Allow a realistic timeframe for implementation

– Provide a reasonable period for amortisation of development costs - take-up incentive based on knowing development cost is not wasted


Protocol ‘shelf-life’:Potential problems?

Is a protocol with a pre-set ‘shelf-life’ or renewal cycle desirable?

If yes, do we accept that this may mean not using the latest technology?

If yes, what should the protocol renewal cycle be and who should renew it?

If no, what is the alternative?


Protocol ‘shelf-life’:Proposed Ratification

From the time of initial recommendation, the anticipated lifespan of the From the time of initial recommendation, the anticipated lifespan of the content of the protocol will be X years. This will provide:content of the protocol will be X years. This will provide:

– Provide a fixed protocol content targetProvide a fixed protocol content target

– Allow a realistic timeframe for implementationAllow a realistic timeframe for implementation

– Provide a reasonable period for amortisation of development Provide a reasonable period for amortisation of development costscosts

The lifecycle should comprise o 2 distinct elements;The lifecycle should comprise o 2 distinct elements;

– X1 = Implementation periodX1 = Implementation period

– X2 = Amortisation periodX2 = Amortisation period

The content of the protocol should be reviewed on a X year cycleThe content of the protocol should be reviewed on a X year cycle

This review should be conducted by XXXXXXThis review should be conducted by XXXXXX





– Standards

– Security

– Service




Any other business


Focus on the Messaging/Interface Layer

Clarifications

Standards

Security

Service


Focus on the Messaging/Interface LayerClarifications:

Provision of service elements

– The service elements and service levels referred to in the consultation document relate to the provider of communications services, not the user of those services

Needs vs Solutions

– Concerns raised at the confusion of needs vs solutions, e.g.

– Need = authentication and data integrity

– Solution = PKI


Focus on the Messaging/Interface LayerElement 4: Standards - Consultation content

An interface must offer: Message transfer service

File transfer service

Operator based service


Focus on the Messaging/Interface LayerElement 4: Standards - Consultation responses

Q4.2 generic responses

51 responses in total Agree

– 15 EU FI 13 – 87%

– 11 FI EU rep orgs 8 – 73%

– 7 EU C&S Infrastructures 5 – 71%

– Total (inc above) 34 – 67%


Focus on the Messaging/Interface LayerElement 4: Standards - Consultation responses

Additional points raised

– CSFB/SCFS: File & GUI mechanisms should be optional

– Deutsche Bank/Euroclear: Selection of appropriate mechanism to be agreed bilaterally


Focus on the Messaging/Interface LayerElement 4: Standards – Proposed ratification

A Giovannini compliant interface must offer:A Giovannini compliant interface must offer: Message transfer servicesMessage transfer services File transfer servicesFile transfer services Operator based servicesOperator based services

The selection of the service appropriate to a The selection of the service appropriate to a specific communication is agreed bilaterally specific communication is agreed bilaterally between participantsbetween participants


Focus on the Messaging/Interface LayerElement 5: Security - Consultation content

Minimum security needs: Authentication of source

Data integrity & confidentiality

Non-repudiation

Time stamping

PKI


Focus on the Messaging/Interface LayerElement 5 Security - Consultation responses

Q4.2 generic responses


– 15 EU FI 13 – 87%





Focus on the Messaging/Interface LayerElement 5: Security - Consultation responses

Q4.10 specific security responses

‘Is the minimum security level defined at the messaging layer appropriate to all communication?



Q4.10(a) Generic information, e.g. end of day pricing’


– 13 EU FI 7 – 54%




– Explicitly disagree 9 – 20%



Q4.10(b) Binding information, e.g. statements, status reports etc’


– 13 EU FI 9 – 69%







Q4.10(c) Business critical information, e.g. instructions & confirms’


– 13 EU FI 9 – 69%







Additional points raised answering Q4.10:– Security levels/non-repudiation should be determined by

activity type: AFTI, Citigroup, ECSA, SEB

– Is PKI the right answer? AFTI, ECSA, Euroclear

– Confusion between needs and solutions: Au/NZ NMPG, Euroclear

– Network provider must not be CA : AFTI

– Security & Service should be combined: Deutsche

– Bilateral & centralised security arrangements can co-exist: Euroclear


Focus on the Messaging/Interface LayerElement 5: Security – Questions to answer

Generic Binding Critical

Authentication

Data integrity

& confidentiality

Non-repudiation

Time stamping



Are the minimum security needs correctly defined?

– Authentication of source

– Data integrity & confidentiality

– Non-repudiation

– Time stamping

What are the correct definitions of the key types of communication?

– Generic, non binding: pricing } Business Confidential?

– Binding: statements, status, entitlements } Business

– Business Critical: instructions, confirmations} Critical?


Focus on the Messaging/Interface LayerElement 5: Security – Questions to answer How do you balance need vs cost? Total trading, clearing and settlement cost to investor :

AFTI 11/02 AFTI 11/02 2005 2005

Domestic X-border Tower TowerEurope Europe Dom X-B

Broker technical 6-15 6-15Custodian internal 6-12.5 6-12.5Custodian xs internal 0 9-18Custodian external* 1-2.5 10 0.4-0.8 0.6-35Total 13-30 31-55.5

Total message cost (inc security) 1.50-2.00 depending on matching, using local agents etc

* Local custodian plus local CSD

All costs in EUR, 30,000 Eur trade



Business

Confidential Business Critical

Generic BindingCritical

Authentication

Data integrity

& confidentiality

Non-repudiation

Time stamping



Is PKI the correct security mechanism?

How should the PKI service be offered?

– FI specific

– MI specific

– Comms Provider specific

– Market level single PKI scheme

– Interoperable PKI

PKI strength (key length, RA checks etc):

– What is the appropriate minimum level

– How will service providers prove this? Accreditation?

– Technical definition team?


Focus on the Messaging/Interface LayerElement 5: Security – Proposed ratification

A Giovannini compliant service must offer:A Giovannini compliant service must offer:– Authentication/data integrity (PKI) with liabilityAuthentication/data integrity (PKI) with liability– Non-repudiation with liabilityNon-repudiation with liability– Time stampingTime stamping

RA must implement KYC standards for Certificate issuanceRA must implement KYC standards for Certificate issuance

Market best practice minimum PKI strengthMarket best practice minimum PKI strength

These features are considered mandatory for the following types of These features are considered mandatory for the following types of communication:communication:

– Business critical (Changing ownership, moving value): ……..Business critical (Changing ownership, moving value): ……..– Business confidential (Entitlements, status reports, Business confidential (Entitlements, status reports,

statements): ………..statements): ………..– Other: ..........Other: ..........


Focus on the Messaging/Interface LayerElement 6: Service - Consultation content

Services and Service Levels

The minimum mandatory services that a messaging/interface layer must offer are:

– Message/file audit

– Message/file guaranteed delivery

– Message/file delivery once and only once


Focus on the Messaging/Interface LayerElement 6: Services - Consultation content

Optional services that a messaging/interface layer can offer are:

– Message/file archival & retrieval

– Message/file store and forward

– Message/file validation

– Message/file analysis

– Message/file delivery control

– SLA’s for provisioning, implementation etc

– Testing facilities

– Interface adapters


Focus on the Messaging/Interface LayerElement 6: Services - Consultation responses


– 15 EU FI 13 – 87%






Additional points raised:– AFTI:

– Optional delivery notification: AFTI– Euroclear:

– Messaging layer must use multiple networks– NCSD:

– Mandating service levels is not required as different users have different needs

– OMX:– Put confirmation of receipt requirement on receiver

– SEB:– Baseline set too high



Additional mandatory features recommended:– Mandatory archive (period?) & retrieval: AT NMPG, Bank of Valetta,

Merrill Lynch, Omgeo, ZA NMPG

– Mandatory testing facility: ABN, AFTI, CH NMPG, CSFB, UBS, ZA NMPG

– Mandatory replay : AT NMPG, BVI, ZA NMPG

– Mandatory store & forward : AT NMPG, BVI, ZA NMPG

– Mandatory validation : AT NMPG, AU/NZ NMPG

– Mandatory delivery control: AT NMPG

– Mandatory message cancellation: ECSA

– Mandatory resend: ABN



Q4.9 Should providers of messaging & network functionality police the quality of traffic against standards?

If yes, should they be empowered to stop traffic that does not conform or merely report on non-conformance

– Clarification: Validation of format/standards, not business content


– 14 EU FI 12 – 86%






BUTBUT


– Optional 13 – 25%

– Report only 10 – 20%

– Stop traffic 8 – 16%



Focus on the Messaging/Interface LayerElement 6: Services – Proposed ratification

A Giovannini compliant service must offer:A Giovannini compliant service must offer: Message/file audit, (inc. archival & retrieval?)Message/file audit, (inc. archival & retrieval?) Message/file guaranteed deliveryMessage/file guaranteed delivery Message/file delivery once and only onceMessage/file delivery once and only once

All other services remain optional value All other services remain optional value added services provided at the discretion of added services provided at the discretion of the Service Providerthe Service Provider


Focus on the Messaging/Interface LayerElement 6: Service Level - Consultation responses

Q4.3 Should a minimum set of performance standards be quantified for each service element?


– 15 EU FI 14 – 93%






Focus on the Messaging/Interface LayerElement 6: Service Level - Consultation responses

Most common service levels noted in the consultation:

24x7 Agree

– EU FI 6 – 40%

– FI EU rep orgs 3 – 27%

– EU C&S Infrastructures 2 – 22%


99.999% availability - continuity Agree

– EU FI 5 – 33%

– FI EU rep orgs 2 – 18%

– EU C&S Infrastructures 2 – 22%



Focus on the Messaging/Interface LayerElement 6: Service Level – Proposed ratification

From Network Layer, Element 9: Service must satisfy business & regulatory requirements for performance, resilience and network management

– Is this enough?

– Will it make a difference?

– Do we need to revisit the Network Layer?





– Standards

– Security

– Service




Any other business


Mandatory outsourcing of certain services:Consultation content

Q4.6 ‘What is your opinion on the mandatory outsourcing of dispute resolution and commodity services to the provider[s] of messaging and/or network services’

Clarification: To provide services which would be considered as the neutral evidence required to resolve an operational dispute, e.g. Time stamping


Mandatory outsourcing of services:Consultation content

Dispute resolution services, e.g. time stamping others?

52 responses in total Agree Disagree

– 13 EU FI 54% 15%

– 13 FI EU rep orgs 38% 31%

– 9 EU C&S Infrastructures 22% 67%

– Total (inc above) 35% 37%


Mandatory outsourcing of services:Consultation content

Commodity services, e.g. PKI, others?

PKI 52 responses in total Agree Disagree Agree

– 13 EU FI 54% 15% 31%

– 13 FI EU rep orgs 31% 31% 15%

– 9 EU C&S Infrastructures 11% 67% 0%

– Total (inc above) 33% 37% 17%


Mandatory outsourcing of services:Proposed ratification

Confirmation that at the security and service level:

– Time stamping is a neutral activity that should be performed by the Messaging/Network provider

– From an FI perspective, PKI should not be provided by Market Infrastructures





– Standards

– Security

– Service




Any other business


The next meeting is…..

23rd August at 11.00am

The subject will be the data layer

slide 1 independent advisory group giovannini barrier 1 meeting 2 august 3rd, 2005

Documents

minutes protocol framework

protocol definition

business slide

syntax slide

standard syntax protocol

technical protocol

routing slide

pretrade trade space