Instructions For Completion of Template - Questionnaire For Prospective UPI Service Providers General Instructions
General Instructions
This Excel template is published alongside an Explanatory Note. Please ensure you fully understand, and comply with, all e
applies to the questions in Part A of this template and may also inform your responses to the questions in Part B.
The FSB invites prospective UPI Service Providers to complete the self-assessment and provide their responses by the due
providers” in the e-mail subject line.
Submitters are asked to use the Questionnaire template published alongside this Explanatory Note. They may also submit
of such material should be selective and should be directed at answering specific questions posed. In all such cases adequa
Confidentiality: All responses will be treated confidentially to the extent permitted by law. Responses will be considered by
necessary for the designation process, members of the FSB Plenary. All such persons are official sector employees or cont
the FSB’s secure extranet.
If there are elements of your submission that in your view require a heightened level of confidentiality, please identify the
faith.
Encryption: If you wish to encrypt your Questionnaire response, please contact the Secretariat to agree a means to commu
To meet the needs of the authorities that use the data from trade repositories (TRs) and, in particular, to facilitate the consistent globa
CPMI-IOSCO Technical Guidance for the Harmonisation of the Unique Product Identifier 1. These principles, in combination with opera
technical requirements for a UPI service provider.
Applicants are expected to already be familiar with the UPI Technical Guidance and the PFMI. Applicants are expected to provide a se
which the Applicant proposes to support these requirements. Applicants are also expected to attach any other relevant documentatio
Each question asks for a self assessment rating based on the CPSS-IOSCO PFMI: disclosure framework and assessment methodology 3.
Observed: The candidate observes the principle. Any identified gaps and shortcomings are not issues of concern and are minor, mana
Broadly observed: The candidate broadly observes the principle. The assessment has identified one or more issues of concern that th
Partly observed: The candidate partly observes the principle. The assessment has identified one or more issues of concern that could
Not observed: The candidate does not observe the principle. The assessment has identified one or more serious issues of concern tha
1 https://www.iosco.org/library/pubdocs/pdf/IOSCOPD580.pdf
2 https://www.bis.org/cpmi/publ/d101a.pdf
3 https://www.bis.org/cpmi/publ/d106.pdf
Part A - Governance questions
Q#: Q1. to Q31.
Question
How will your plan for the provision of the UPI Services ensure that you can provide service across various time zones, incl
services that can accommodate all relevant jurisdictions? [1]
[1] At a minimum, this would include the jurisdictions that (i) are members of the CPMI or IOSCO; and (ii) that have require
reporting OTC derivatives trade data to TRs which refer to the UPI as a data element that is required to be reported for som
transactions.
Where applicable, please specify (a) the current level of preparedness of the Respondent to provide the UPI Services; (b) t
proposed stages of development (e.g., recruitment, system upgrades, establishment of governance structures, etc.) should
designated as a UPI Service Provider; and (c) for all such future stages, (i) the proposed timeline to achieve those stages an
anticipate being able to deliver UPI Services, and (ii) any major dependencies that may delay reaching those stages.
Does your business plan envisage and provide for use cases for the UPI other than for regulatory purposes? If so, please de
other use cases.
How would your proposal fulfil the Public interest criterion? Please explain how the systems, controls, procedures and reso
information technology and expertise) proposed to be deployed would fulfil this criterion.
Please explain how your proposal takes into account that the UPI Governance Arrangements must meet the Consultative c
criterion and the Change only as needed criterion?
Is any governance body of your organisation (such as the board of directors) subject to any requirement to include custom
external stakeholders? If so, describe the source of that requirement and how you are satisfying it.
Do you have one or more advisory committees, governing boards, or other structures that are designed to incorporate vie
of UPI Services or other external stakeholders? Such a structure could be used, by way of example and not of limitation, to
decisions on product taxonomies, fees, or technological issues.
If the answer to question 7 is ‘yes’: (a) describe any such structure(s) and the scope of its remit; (b) describe whether it ha
making powers or is used for consultation purposes only; (c) describe the size and composition of any such structure(s); (d
persons are selected to sit on any such structure(s); and (e) describe any policies and procedures for promoting the inclusi
cross-section (whether by business type, geography, etc.) of representation on any such structure(s).
If there is no such structure, please indicate whether you would create one and if so how you would address the points in
How would your proposal fulfil the Economic sustainability criterion? Please explain how the systems, controls, procedure
(human, IT and expertise) proposed to be deployed would fulfil this criterion.
What is your estimated annual budget (including both revenue and expenses) for the first 3 years of operating as a UPI Ser
Please include separately costed estimates for the various functions of the UPI Service Provider detailed in Annex 2 [of the
Note].
If relevant, please specify any outstanding open issues regarding the overall governance arrangements that may impact on
the first 3 years. If relevant, describe the assumptions on such open issues that underlie your budget, and provide a sensiti
your budget to those assumptions.
How would your proposal fulfil the Open access governance criterion? Please explain how the systems, controls, procedur
(human, IT and expertise) proposed to be deployed would fulfil this criterion.
Please describe how, in terms of technical aspects such as speed, capacity, and means of access, users in all relevant jurisd
have access to your UPI Services.[1] [1] See footnote 5 of the Explanatory Note.
How would your proposal fulfil the Cost criterion? Please explain how the systems, controls, procedures and resources (hu
expertise) proposed to be deployed would fulfil this criterion.
Would you have substantial representation in your operational oversight from entities from whom you will seek to impose
recovery? If so, please describe.
Do you intend to provide value-added products or services that incorporate any UPI Data? If so: (a) please describe any su
services and the terms on which users could obtain them from you; (b) please explain how those products or services coul
while still ensuring that access to your UPI Services meet the Open access and Cost recovery criteria for all users.
How would you plan to charge fees for users? For what type of services would you assess fees (such as generation of a new
to Reference Data, etc.)? To what extent do you plan to charge fees based on (i) type and robustness of connectivity (e.g.,
connection versus simple internet access); (ii) per message or per use (e.g., size and/or number of uploads/downloads); an
considerations? Please describe the proposed fee structure and policies in detail.
Please enumerate and describe the tiers/categories you intend to incorporate in your fee structure, with a view to allocati
across stakeholders.
Please describe any policies and procedures that would allow a user to contest fees that you believe should be assessed ag
If, in a given year, fees collected in respect of your activities as a UPI Service Provider exceed costs you incur in respect of t
what would you intend to do with respect to the excess (e.g. rebates, fee reductions, etc.)? If you would employ such a me
describe the circumstances that would trigger such a measure and how it would be allocated amongst your users.
If you are designated as a UPI Service Provider, you will be tasked with collecting and processing a library of Data Elements
values pertaining to a large number of OTC derivatives products, and assigning UPI Codes to each. In carrying out this func
property in this data could be created by or accrue to you. How would your proposal fulfil the Intellectual property criterio
If designated as a UPI Service Provider, would you be willing and able to convey to the FSB (or such other body as it may de
intellectual property owned, created by, or accruing to you when carrying out your functions as a UPI Service Provider? Un
which you are organised, is there any impediment to making such a conveyance to the FSB (or such other body as it may d
effective? Would you be willing to provide an opinion of counsel stating that such a conveyance would be effective?
Please describe (i) how you intend to identify the assets underlying OTC derivatives products and (ii) how such identificatio
would be consistent with the Intellectual property criterion. Please ensure your answer addresses at least the following int
issues relating to Data Elements within the UPI Reference Data Library:
• Some values currently being utilised to identify underlying assets are owned by third parties. For example, a publicly kno
index name may be subject to licensing and usage restrictions.
• Access to a proprietary identifier and its corresponding proprietary data could require a separate licensing agreement be
identifier’s issuer and a market participant accessing the UPI Reference Data Library. This should not restrict access by use
Reference Data Library in their capacity as such to publicly known identifier data (e.g. debt issuer name, index name, etc.)
with such a proprietary identifier.
• An underlier identifier used in the UPI Reference Data Library might contain—or might need to contain— more than one
that obtained by subscribers to certain services for use in trading OTC derivatives transaction in order to satisfy different u
underlier identifiers that have been established in different jurisdictions.
How would your proposal fulfil the Conflicts of interest criterion? Describe any policies and procedures you have that are d
identify, manage and/or eliminate conflicts of interest relating to the provision of the UPI Services.
If you were designated as a UPI Service Provider, would you or a related legal entity engage in any business activity other t
UPI Services? If so, please (a) describe generally any such business activities and the extent to which such activities would
data; (b) indicate whether you or any relevant affiliate would ring-fence the UPI Services from those other business activiti
answer to part (b) is affirmative, describe what sort of corporate, legal, and/or accounting structures or mechanisms you w
effect such an arrangement?
If you were designated as a UPI Service Provider, would you or a related legal entity provide value-added products or servi
incorporate any UPI data? If so, please describe any such products or services and the terms on which users could obtain t
any relevant affiliate.
Describe any policies and procedures you have that are designed to identify and eliminate and/or address any instances w
affiliates, clients, other business units operating within the same legal entity as the UPI Service Provider, or other persons t
your UPI Services on a more favourable basis than any other similarly situated user.
If more than one UPI Service Provider is designated, how would you propose to interact with other UPI Service Provider(s)
for a centralised UPI Reference Data Library? Do you envisage any challenges to such interaction?
How would you establish / contribute to the business continuity of the UPI System (beyond business continuity as dealt wi
parts of the questionnaire) if you ceased to be a UPI Service Provider? Please describe any relevant arrangements (e.g. rec
“living will,” etc.) that you have or intend to put in place.[1] Please describe your preparedness to provide relevant Author
and information, including strategy and scenario analysis, required for purposes of resolution planning on a timely basis.
[1] For these purposes, you may wish to make reference to CPMI and IOSCO guidance on the principles and key considerati
Principles for Financial Market Infrastructures (PFMI) that relate to recovery planning (see https://www.bis.org/cpmi/publ
suitable modifications.
If you have any plans for developing human readable aliases that pertain to individual UPI codes, please describe them.
Answer
Part B1 Support of Technical Principles for the UPI
Q#: 1.1.1, 1.1.2, 1.2.1, 1.2.2, 1.3.1, 1.4.1, 1.5.1, 1.6.1
Question
1.1 Data Interchange and Standardisation (Principles 3.1, 3.7, and 3.10)
Principles 3.1, 3.7, and 3.10 of the UPI Technical Guidance outline technical requirements related to the exchange of data and
standardization of data values that support jurisdiction neutrality, ease of assignment, retrieval and query, and compatibility
with existing automated systems.
Please describe the data-interchange formats (e.g., FIX, FpML, ISO 20022 XML, JSON) and related infrastructure that the
Applicant intends to support, including how the Applicant will be able to translate values from that format to the agreed
standardized values (e.g., ISO 20022 codelists and ISO 10962 (Classification of Financial Instruments) attribute values).
Please describe other assignment/retrieval/query mechanisms and related infrastructure such as GUI and file upload/downloa
that the Applicant intends to support.
1.2 Support for Multiple Identifiers for Assets and Benchmarks (Principles 3.1 and 3.2)
Principle 3.1 of jurisdiction neutrality and Principle 3.2 of uniqueness, taken together, suggest that the UPI reference data
elements for a given UPI may need to include multiple identifiers pertaining to the given underlier in order to satisfy regulator
requirements relating to the identification of underliers in each jurisdiction where the UPI is used for reporting purposes.
Please describe how the Applicant intends to support the use of multiple identifiers for the same underlier. Please include
descriptions of external reference data sources that may be required to provide such support.
Please describe how the Applicant would guarantee uniqueness should there be multiple UPI Service Providers. Please includ
scenarios where only one Service Provider exists for a particular asset class, where more than one Service Provider exists for a
particular asset class, and where multiple Service Providers exist for multiple asset classes.
Please describe systems and processes that will support data governance and integrity.
1.4 Data Maintenance and Change Management (Principles 3.5 and 3.8)
Principle 3.5 of adaptability and Principle 3.8 of long-term viability provide requirements for durability and change manageme
Please describe systems and processes that will support change management (such as swift adaptation to market changes and
innovations, and the evolving aggregation needs of authorities in response to those changes) and durability (i.e., validity over
years, independent of changes in technology, market practice or legal setting) of the UPI system.
1.5 Creation of a Human Readable Product Description (Principle 3.14)
A UPI service provider may support Principle 3.14 of public dissemination by including among the UPI reference data elements
human readable description of the product including its underlying asset(s) or benchmark(s).
Please describe the feasibility and potential processes by which a human readable product description might be created.
Please describe systems and processes for governance, creation and distribution of timely documentation including, but not
limited to, data dictionaries, connectivity and data-interchange.
Response
Self Assessment Rating
2 Suggested UPI Assignment and Retrieval Processes.
Annex 1 of the CPMI-IOSCO UPI Technical Guidance describes the suggested processes for assignment and retrieval of UPI
Q#: 2.1.1, 2.1.2, 2.3.1, 2.4.1
Annex 1 of the CPMI-IOSCO UPI Technical Guidance describes the suggested processes for assignment and retrieval of UPIs and U
Question
2.1 Suggested UPI assignment process
In order to obtain a UPI code for a given OTC derivative product, an entity that wants to initiate activity in a product for wh
has not undertaken any prior activity would be required to provide a UPI service provider with a relevant set of OTC produ
reference data element values that represent a unique combination of the instrument’s and underlier’s characteristics for
product.
Please describe systems and processes that will support the suggested process, or recommend and describe support for an
alternative process. If the Applicant is applying to be a service provider for a specific asset class(es), please describe how t
process would integrate with service providers for other asset classes including having a single point of user access for a
asset classes and a central reference data library.
Please describe systems and processes that will support the suggested process, or recommend and describe support for an
alternative process. If the Applicant is applying to be a service provider for a specific asset class(es), please describe how t
process would integrate with service providers for other asset classes including having a single point of user access for a
asset classes and a central reference data library.
Please propose a process for the assignment of a UPI code and the retrieval of its corresponding reference data for a product
having multiple asset classes. If the Applicant is applying to be a service provider for a specific asset class(es), please desc
how the process would integrate with service providers for other asset classes including having a single point of user ac
for all asset classes and a central reference data library.
2. Information security
A critical service provider is expected to implement and maintain appropriate policies and procedures, and devote sufficient resources to e
confidentiality and integrity of information and the availability of its critical services in order to fulfil the terms of its relationship with an FM
These expectations span multiple operational and technical areas that have been identified in the following sections.
Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific doc
requested, please provide any other policies, procedures, standards or guidelines, plans, independent assessments (including internal aud
results, and representations that will assist in assessing the compliance of your platform and related supporting systems with the followin
3.1.2 Establishment and maintenance of emergency procedures, backup facilities, and a plan for disaster recovery
Please describe your establishment and maintenance of emergency procedures, backup facilities, and a plan for disaster recov
allow for the timely recovery and resumption of operations and the fulfillment of the responsibilities and obligations of the UP
provider
3.2 Organizational Structure, System Description, Facility Locations, and Geographic Distribution of Staff and Equipment
3.2.1 High-level organization charts and staffing level information
Please provide high-level organization charts and staffing level information for all groups that are directly involved in supportin
development, operation and maintenance of the systems, including systems development, quality assurance, system operatio
management, market operations, network and telecommunications, information security, capacity planning, contingency plan
(including disaster recovery), market surveillance, and investigation.
a) Name;
b) Functional description; and
c) Upstream and downstream feeds.
3.2.3.4 Physical diagram of the network topology within and between data centers and external entities
A physical diagram of the network topology within and between data centers and external entities, and for each connection p
following information:
a. Purpose(s) of connection;
b. Type and bandwidth of each connection; and
c. Identification of carrier.
a. Risk management;
b. Systems Development Methodology (including quality assurance and outsourcing);
c. Information security;
d. System Operations, including hardware and software change management, patch management, and event and problem
management;
e. Capacity and Performance Planning;
f. Data centers – including physical security, environmental controls, and facilities management; and
g. Business Continuity and Disaster Recovery.
3.3.5 Results of the two most recent internal or 3rd party vulnerability scans
Please provide the results of the two most recent internal or 3rd party vulnerability scans (for our assessment of progress mad
including complete reports (not only summaries), management’s responses, and mitigation plans and results for addressing fin
3.3.6 Results of the two most recent internal or 3rd party penetration tests
Please provide the results of the two most recent internal or 3rd party penetration tests (for our assessment of progress made
including complete reports (not only summaries), management’s responses, and mitigation plans and results for addressing fin
3.3.7 Plans and schedule for ongoing independent audits, other risk assessments, and tests
Please describe your plans and schedule for ongoing independent audits, other risk assessments, and tests.
a. Testing;
b. Independent review for quality assurance;
c. Approval for production installation;
d. Post-change monitoring;
e. Separation of duties; and
f. Controlled access to code libraries.
a. Staffing;
b. Awareness;
c. Analysis;
d. Testing and Approval;
e. Implementation and fallback procedures; and
f. Communication and reporting.
a. Staffing;
b. Use of monitoring systems;
c. Tracking and escalation;
d. Resolution; and
e. Reporting.
3.4.5 Security incident handling program
Please provide information about your security incident handling program, including:
a. Staffing;
b. Training;
c. Procedures (including detection, analysis, containment, and recovery);
d. Communication/notification and reporting; and
e. Testing.
3.5.2 Software change management process, including quality assurance and issue tracking and resolution
Please describe your software change management process, including quality assurance and issue tracking and resolution.
a. Please provide information regarding the testing methodology, including management controls, used to verify the system’s
perform as intended (regarding functionality, security, and capacity and performance requirements).
b. Please provide copies of current representative samples of your test results documentation.
c. Please identify what group is responsible for recording, correcting, and retesting errors, and detail their procedures for thos
activities.
3.5.3 Documentation required during the development of new software and as part of the software release package
Please describe the documentation required during the development of new software and as part of the software release pac
installation, operation, and maintenance.
3.5.4 Controls in place for promotion of application software into the production environment
Please describe the controls in place for promotion of application software into the production environment, including approv
controls, and post-implementation monitoring.
a. Appropriate background investigations, including credit checking, are conducted prior to assigning personnel to sensitive ro
they may have access to confidential information about market participants and their activities;
b. Periodic recurring background investigations, including credit checking, are conducted for staff in sensitive roles; and
c. Personnel are aware of, receive appropriate training for, and formally acknowledge their security responsibilities.
a. Establishing, changing, reviewing and removing accounts (including emergency and other temporary accounts).
h. Virus protection;
i. Encryption and control of portable mobile devices;
j. Encryption and control of portable external media (e.g., USB drives, optical media, external hard drives, etc.); and
k. Data Loss Prevention (DLP) tools.
a. Frequency of use;
b. Methodology and tools;
c. Distribution of reports;
d. Remediation of findings; and
e. Tracking of mitigation activities.
3.6.15 Penetration testing
Please provide information regarding your use of penetration testing to identify and eliminate vulnerabilities in the architectu
configuration of your computing and communications equipment. Please address each of the following:
a. Frequency of use;
b. Methodology and tools;
c. Distribution of reports;
d. Remediation of findings; and
e. Tracking of mitigation activities.
2. Describe the controls that provide for reliable collection of audit information, including those that ensure sufficient capacity
alerting of audit failures.
3. For each copy of the audit trail information, describe the processes that protect the information from unauthorized alterati
accidental erasure or other loss prior to its planned disposal. Include information about:
1. HVAC units;
2. Air handlers;
3. Chillers; and
4. Other associated items such as water supply and humidifiers.
3.8.3 Addition of new system resources to ensure adequate capacity and performance
Please describe at what levels the addition of new system resources would be triggered to ensure adequate capacity and perf
3.8.4 Activation of capacity and performance resources in emergency situations
Please describe the methods by which additional capacity and performance resources could be activated in an emergency situ
state how long those processes would take.
3.9.3 List of the mission-critical systems that each BC-DR site will support on a non-disaster basis
Please provide a list of the mission-critical systems that each BC-DR site will support on a routine, non-disaster basis, and a de
of your reasons for this overall data center strategy.
3.9.4 List of the mission-critical systems that each BC-DR site will support in the event of a disaster
Please provide a list of the mission-critical systems that each of your BC-DR sites will support in the event of a disaster.
3.9.5 Copies of all agreements, including service level agreements, with third parties related to BC-DR
Please provide copies of all agreements, including service level agreements, with third parties to provide services in support o
DR plans.
3.9.6 Strategy for ensuring the availability of essential software and data
Please provide a description of your strategy for ensuring the availability of essential software and data, including security and
of backups.
a. Resumption of operations
b. Completed roll-back of uncompleted operations executed prior to disruption.
c. Resumption of surveillance.
d. Access to audit trail information.