Instructions for completion of Template - Questionnaire for prospective UPI Service Providers

General Instructions
This Excel template is published alongside an Explanatory Note. Please ensure you fully understand, and comply with, all e
applies to the questions in Part A of this template and may also inform your responses to the questions in Part B.

The FSB invites prospective UPI Service Providers to complete the self-assessment and provide their responses by the due
providers” in the e-mail subject line.

Submitters are asked to use the Questionnaire template published alongside this Explanatory Note. They may also submit
of such material should be selective and should be directed at answering specific questions posed. In all such cases adequa

Confidentiality: All responses will be treated confidentially to the extent permitted by law. Responses will be considered by
necessary for the designation process, members of the FSB Plenary. All such persons are official sector employees or cont
the FSB’s secure extranet.

If there are elements of your submission that in your view require a heightened level of confidentiality, please identify the
faith.

Encryption: If you wish to encrypt your Questionnaire response, please contact the Secretariat to agree a means to commu

Instructions for Part A: Governance

Please answer the questions by providing a concise narrative response. If the question is not relevant or not applicable, ple
Instructions for Part B: Technical aspects

To meet the needs of the authorities that use the data from trade repositories (TRs) and, in particular, to facilitate the consistent globa
CPMI-IOSCO Technical Guidance for the Harmonisation of the Unique Product Identifier 1. These principles, in combination with opera
technical requirements for a UPI service provider.

Applicants are expected to already be familiar with the UPI Technical Guidance and the PFMI. Applicants are expected to provide a se
which the Applicant proposes to support these requirements,. Applicants are also expected to attach any other relevant documentatio

Each question asks for a self assessment rating based on the CPSS-IOSCO PFMI: disclosure framework and assessment methodology 3.

Observed: The candidate observes the principle. Any identified gaps and shortcomings are not issues of concern and are minor, mana
Broadly observed: The candidate broadly observes the principle. The assessment has identified one or more issues of concern that th

Partly observed: The candidate partly observes the principle. The assessment has identified one or more issues of concern that could
Not observed: The candidate does not observe the principle. The assessment has identified one or more serious issues of concern tha
1
https://www.iosco.org/library/pubdocs/pdf/IOSCOPD580.pdf
2
https://www.bis.org/cpmi/publ/d101a.pdf
3
https://www.bis.org/cpmi/publ/d106.pdf
Part A - Governance questions
Q#
Q1.

Q2.

Q3.

Q4.

Q5.

Q6.

Q7.

Q8.

Q9.

Q10.

Q11.

Q12.

Q13.

Q14.

Q15.

Q16.
Q17.

Q18.

Q19.

Q20.

Q21.

Q22.

Q23.

Q24.

Q25.

Q26.
Q27.

Q28.

Q29.

Q30.

Q31.
Part A - Governance questions
Question
How will your plan for the provision of the UPI Services ensure that you can provide service across various time zones, incl
services that can accommodate all relevant jurisdictions? [1]

[1] At a minimum, this would include the jurisdictions that (i) are members of the CPMI or IOSCO; and (ii) that have require
reporting OTC derivatives trade data to TRs which refer to the UPI as a data element that is required to be reported for som
transactions.

Where applicable, please specify (a) the current level of preparedness of the Respondent to provide the UPI Services; (b) t
proposed stages of development (e.g., recruitment, system upgrades, establishment of governance structures, etc.) should
designated as a UPI Service Provider; and (c) for all such future stages, (i) the proposed timeline to achieve those stages an
anticipate being able to deliver UPI Services, and (ii) any major dependencies that may delay reaching those stages.

Does your business plan envisage and provide for use cases for the UPI other than for regulatory purposes? If so, please de
other use cases.
How would your proposal fulfil the Public interest criterion? Please explain how the systems, controls, procedures and reso
information technology and expertise) proposed to be deployed would fulfil this criterion.
Please explain how your proposal takes into account that the UPI Governance Arrangements must meet the Consultative c
criterion and the Change only as needed criterion?
Is any governance body of your organisation (such as the board of directors) subject to any requirement to include custom
external stakeholders? If so, describe the source of that requirement and how you are satisfying it.
Do you have one or more advisory committees, governing boards, or other structures that are designed to incorporate vie
of UPI Services or other external stakeholders? Such a structure could be used, by way of example and not of limitation, to
decisions on product taxonomies, fees, or technological issues.

If the answer to question 7 is ‘yes’: (a) describe any such structure(s) and the scope of its remit; (b) describe whether it ha
making powers or is used for consultation purposes only; (c) describe the size and composition of any such structure(s); (d
persons are selected to sit on any such structure(s); and (e) describe any policies and procedures for promoting the inclusi
cross-section (whether by business type, geography, etc.) of representation on any such structure(s).

If there is no such structure, please indicate whether you would create one and if so how you would address the points in

How would your proposal fulfil the Economic sustainability criterion? Please explain how the systems, controls, procedure
(human, IT and expertise) proposed to be deployed would fulfil this criterion.
What is your estimated annual budget (including both revenue and expenses) for the first 3 years of operating as a UPI Ser
Please include separately costed estimates for the various functions of the UPI Service Provider detailed in Annex 2 [of the
Note].

If relevant, please specify any outstanding open issues regarding the overall governance arrangements that may impact on
the first 3 years. If relevant, describe the assumptions on such open issues that underlie your budget, and provide a sensiti
your budget to those assumptions.

How would your proposal fulfil the Open access governance criterion? Please explain how the systems, controls, procedur
(human, IT and expertise) proposed to be deployed would fulfil this criterion.
Please describe how, in terms of technical aspects such as speed, capacity, and means of access, users in all relevant jurisd
have access to your UPI Services.[1] [1] See footnote 5 of the Explanatory Note.
How would your proposal fulfil the Cost criterion? Please explain how the systems, controls, procedures and resources (hu
expertise) proposed to be deployed would fulfil this criterion.
Would you have substantial representation in your operational oversight from entities from whom you will seek to impose
recovery? If so, please describe.
Do you intend to provide value-added products or services that incorporate any UPI Data? If so: (a) please describe any su
services and the terms on which users could obtain them from you; (b) please explain how those products or services coul
while still ensuring that access to your UPI Services meet the Open access and Cost recovery criteria for all users.  

How would you plan to charge fees for users? For what type of services would you assess fees (such as generation of a new
to Reference Data, etc.)? To what extent do you plan to charge fees based on (i) type and robustness of connectivity (e.g.,
connection versus simple internet access); (ii) per message or per use (e.g., size and/or number of uploads/downloads); an
considerations? Please describe the proposed fee structure and policies in detail.

Please enumerate and describe the tiers/categories you intend to incorporate in your fee structure, with a view to allocati
across stakeholders.
Please describe any policies and procedures that would allow a user to contest fees that you believe should be assessed ag

If, in a given year, fees collected in respect of your activities as a UPI Service Provider exceed costs you incur in respect of t
what would you intend to do with respect to the excess (e.g. rebates, fee reductions, etc.)? If you would employ such a me
describe the circumstances that would trigger such a measure and how it would be allocated amongst your users.

If you are designated as a UPI Service Provider, you will be tasked with collecting and processing a library of Data Elements
values pertaining to a large number of OTC derivatives products, and assigning UPI Codes to each. In carrying out this func
property in this data could be created by or accrue to you. How would your proposal fulfil the Intellectual property criterio

If designated as a UPI Service Provider, would you be willing and able to convey to the FSB (or such other body as it may de
intellectual property owned, created by, or accruing to you when carrying out your functions as a UPI Service Provider? Un
which you are organised, is there any impediment to making such a conveyance to the FSB (or such other body as it may d
effective? Would you be willing to provide an opinion of counsel stating that such a conveyance would be effective?

Please describe (i) how you intend to identify the assets underlying OTC derivatives products and (ii) how such identificatio
would be consistent with the Intellectual property criterion. Please ensure your answer addresses at least the following int
issues relating to Data Elements within the UPI Reference Data Library:
• Some values currently being utilised to identify underlying assets are owned by third parties. For example, a publicly kno
index name may be subject to licensing and usage restrictions.
• Access to a proprietary identifier and its corresponding proprietary data could require a separate licensing agreement be
identifier’s issuer and a market participant accessing the UPI Reference Data Library. This should not restrict access by use
Reference Data Library in their capacity as such to publicly known identifier data (e.g. debt issuer name, index name, etc.)
with such a proprietary identifier.
• An underlier identifier used in the UPI Reference Data Library might contain—or might need to contain— more than one
that obtained by subscribers to certain services for use in trading OTC derivatives transaction in order to satisfy different u
underlier identifiers that have been established in different jurisdictions.

How would your proposal fulfil the Conflicts of interest criterion? Describe any policies and procedures you have that are d
identify, manage and/or eliminate conflicts of interest relating to the provision of the UPI Services.
If you were designated as a UPI Service Provider, would you or a related legal entity engage in any business activity other t
UPI Services? If so, please (a) describe generally any such business activities and the extent to which such activities would
data; (b) indicate whether you or any relevant affiliate would ring-fence the UPI Services from those other business activiti
answer to part (b) is affirmative, describe what sort of corporate, legal, and/or accounting structures or mechanisms you w
effect such an arrangement?
If you were designated as a UPI Service Provider, would you or a related legal entity provide value-added products or servi
incorporate any UPI data? If so, please describe any such products or services and the terms on which users could obtain t
any relevant affiliate.

Describe any policies and procedures you have that are designed to identify and eliminate and/or address any instances w
affiliates, clients, other business units operating within the same legal entity as the UPI Service Provider, or other persons t
your UPI Services on a more favourable basis than any other similarly situated user.

If more than one UPI Service Provider is designated, how would you propose to interact with other UPI Service Provider(s)
for a centralised UPI Reference Data Library? Do you envisage any challenges to such interaction?
How would you establish / contribute to the business continuity of the UPI System (beyond business continuity as dealt wi
parts of the questionnaire) if you ceased to be a UPI Service Provider? Please describe any relevant arrangements (e.g. rec
“living will,” etc.) that you have or intend to put in place.[1] Please describe your preparedness to provide relevant Author
and information, including strategy and scenario analysis, required for purposes of resolution planning on a timely basis.

[1] For these purposes, you may wish to make reference to CPMI and IOSCO guidance on the principles and key considerati
Principles for Financial Market Infrastructures (PFMI) that relate to recovery planning (see https://www.bis.org/cpmi/publ
suitable modifications.

If you have any plans for developing human readable aliases that pertain to individual UPI codes, please describe them.
Answer
Part B1 Support of Technical Principles for the UPI
Q#

1.1.1

1.1.2

1.2.1

1.2.2

1.3.1

1.4.1
1.5.1

1.6.1
Part B1 Support of Technical Principles for the UPI
Question

1.1 Data Interchange and Standardisation (Principles 3.1, 3.7, and 3.10)
Principles 3.1 3.7, and 3.10 of the UPI Technical Guidance outline technical requirements related to the exchange of data and
standardization of data values that support jurisdiction neutrality, ease of assignment, retrieval and query, and compatibility
with existing automated systems.

Please describe the data-interchange formats (e.g., FIX, FpML, ISO 20022 XML, JSON) and related infrastructure that the
Applicant intends to support, including how the Applicant will be able to translate values from that format to the agreed
standardized values (e.g., ISO 20022 codelists and ISO 10962 (Classification of Financial Instruments) attribute values).

Please describe other assignment/retrieval/query mechanisms and related infrastructure such as GUI and file upload/downloa
that the Applicant intends to support.

1.2 Support for Multiple Identifiers for Assets and Benchmarks (Principles 3.1 and 3.2)
Principle 3.1 of jurisdiction neutrality and Principle 3.2 of uniqueness, taken together, suggest that the UPI reference data
elements for a given UPI may need to include multiple identifiers pertaining to the given underlier in order to satisfy regulator
requirements relating to the identification of underliers in each jurisdiction where the UPI is used for reporting purposes.

Please describe how the Applicant intends to support the use of multiple identifiers for the same underlier. Please include
descriptions of external reference data sources that may be required to provide such support.
Please describe how the Applicant would guarantee uniqueness should there be multiple UPI Service Providers. Please includ
scenarios where only one Service Provider exists for a particular asset class, where more than one Service Provider exists for a
particular asset class, and where multiple Service Providers exist for multiple asset classes.

1.3 Data Governance and Integrity (Principles 3.3 and 3.4)

Taken together, Principle 3.3 of consistency and Principle 3.4 of persistence provide that a UPI service provider should be able
govern UPI reference data elements and should maintain the UPI reference data in a way that supports the persistence of UPI
over time.

Please describe systems and processes that will support data governance and integrity.
1.4 Data Maintenance and Change Management (Principles 3.5 and 3.8)
Principle 3.5 of adaptability and Principle 3.8 of long-term viability provide requirements for durability and change manageme

Please describe systems and processes that will support change management (such as swift adaptation to market changes and
innovations, and the evolving aggregation needs of authorities in response to those changes) and durability (i.e., validity over
years, independent of changes in technology, market practice or legal setting) of the UPI system.
1.5 Creation of a Human Readable Product Description (Principle 3.14)
A UPI service provider may support Principle 3.14 of public dissemination by including among the UPI reference data elements
human readable description of the product including its underlying asset(s) or benchmark(s).

Please describe the feasibility and potential processes by which a human readable product description might be created.

1.6 Documentation (Principle 3.6)

Principle 3.6 of clarity requires freely available documentation to support the UPI.

Please describe systems and processes for governance, creation and distribution of timely documentation including, but not
limited to; data dictionaries, connectivity and data-interchange.
Response
Self Assessment Rating
2 Suggested UPI Assignment and Retrieval Processes.

Annex 1 of the CPMI-IOSCO UPI Technical Guidance describes the suggested processes for assignment and retrieval of UPI
Q#

2.1.1

2.1.2

2.3.1

2.4.1
2 Suggested UPI Assignment and Retrieval Processes.

Annex 1 of the CPMI-IOSCO UPI Technical Guidance describes the suggested processes for assignment and retrieval of UPIs and U
Question
2.1 Suggested UPI assignment process
In order to obtain a UPI code for a given OTC derivative product, an entity that wants to initiate activity in a product for wh
has not undertaken any prior activity would be required to provide a UPI service provider with a relevant set of OTC produ
reference data element values that represent a unique combination of the instrument’s and underlier’s characteristics for
product.

Please describe systems and processes that will support the suggested process, or recommend and describe support for an
alternative process. If the Applicant is applying to be a service provider for a specific asset class(es), please describe how t
process would integrate with service providers for other asset classes including having a single of point of user access for a
asset classes and a central reference data library.

2.2 Suggested UPI Reference Data Retrieval Process

In order to retrieve the reference data associated with a given a UPI code for a given OTC derivative product, an entity wou
have to provide a UPI service provider with an existing UPI code.

Please describe systems and processes that will support the suggested process, or recommend and describe support for an
alternative process. If the Applicant is applying to be a service provider for a specific asset class(es), please describe how t
process would integrate with service providers for other asset classes including having a single of point of user access for a
asset classes and a central reference data library.

2.3 Multi-Asset Class Products

Some products may have underliers from more than one asset class. Some jurisdictions may have rules for designating a
primary and secondary asset class. The UPI Technicial Guidance does not specifically suggest a process for identifying such
products. One possible approach is to require the suggested UPI Reference Data Elements as needed from each applicable
class for UPI assignment.

Please propose a process for the assignment of a UPI code and the retrieval its corresponding reference data for a product
having multiple asset classes. If the Applicant is applying to be a service provider for a specific asset class(es), please desc
how the process would integrate with service providers for other asset classes including having a single of point of user ac
for all asset classes and a central reference data library.

2.4 UPI Codes

UPI Codes
Please share your estimate of the numbers of UPI Codes to be assigned for each asset class. If necessary, please describe t
assumptions underlying your estimate.
nd UPI Reference Data in detail
Response
Self Assessment Rating
3 Operational Technology Capability
Question
The CPMI-IOSCO Principles for Financial Market Infrastructures (PFMI) identifies the following oversight expectations applicable to critical
providers:

1. Risk identification and management

A critical service provider is expected to identify and manage relevant operational and financial risk

2. Information security
A critical service provider is expected to implement and maintain appropriate policies and procedures, and devote sufficient resources to e
confidentiality and integrity of information and the availability of its critical services in order to fulfil the terms of its relationship with an FM

3. Reliability and resilience

A critical service provider is expected to implement appropriate policies and procedures, and devote sufficient resources to ensure that its
services are available, reliable, and resilient. Its business continuity management and disaster recovery plans should therefore support the
resumption of its critical services in the event of an outage so that the service provided fulfils the terms of its agreement with an FMI.
4. Technology planning
The critical provider is expected to have in place robust methods to plan for the entire lifecycle of the use of technologies and the selectio
technological standards.

5. Communication with users

A critical service provider is expected to be transparent to its users and provide them sufficient information to enable users to understand
their roles and responsibilities in managing risks related to their use of a critical service provider.

These expectations span multiple operational and technical areas that have been identified in the following sections.
Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific doc
requested, please provide any other policies, procedures, standards or guidelines, plans, independent assessments (including internal aud
results, and representations that will assist in assessing the compliance of your platform and related supporting systems with the followin

3.1 Operational Risk Controls

3.1.1 Establishment and maintenance program for risk analysis and oversight to identify and minimize sources of operationa
Please describe your establishment and maintenance program of risk analysis and oversight to identify and minimize sources o
operational risk through the development of appropriate controls and procedures and the development of automated system
reliable, secure, and have adequate scalable capacity.

3.1.2 Establishment and maintenance of emergency procedures, backup facilities, and a plan for disaster recovery
Please describe your establishment and maintenance of emergency procedures, backup facilities, and a plan for disaster recov
allow for the timely recovery and resumption of operations and the fulfillment of the responsibilities and obligations of the UP
provider

3.1.3 Periodic testing to verify that backup resources are sufficient

Please describe your periodic testing to verify that backup resources are sufficient to ensure continued operations, surveillanc
maintenance of a comprehensive and accurate audit trail of backups.

3.2 Organizational Structure, System Description, Facility Locations, and Geographic Distribution of Staff and Equipment
3.2.1 High-level organization charts and staffing level information
Please provide high-level organization charts and staffing level information for all groups that are directly involved in supportin
development, operation and maintenance of the systems, including systems development, quality assurance, system operatio
management, market operations, network and telecommunications, information security, capacity planning, contingency plan
(including disaster recovery), market surveillance, and investigation.

3.2.2 Locations of all facilities

Please describe or provide a diagram showing the locations of all facilities that house the staff described above and the equipm
which your systems operate. Please indicate the nature of the facilities (e.g., headquarters, primary and backup data centers,
and backup market operations centers, etc.), and a description of your rationale for the distribution of staff and system compo
across those facilities.

3.2.3 High-level application flow diagrams

Please provide a high-level application flow diagram and the specific information requested below for all systems that perform
support operations, surveillance, and investigation:

3.2.3.1 System description and overview

3.2.3.2 Logical diagram of the software components
A logical diagram of the software components, including the following information for each component:

a) Name;
b) Functional description; and
c) Upstream and downstream feeds.

3.2.3.3 Physical diagram of the hardware components

A representative physical diagram of the hardware components (servers and communications equipment) that exist at both th
and backup data centers, and for each representative hardware component, provide the following information:

a. Device type (e.g., switch, server, SAN, etc.);

b. Device O/S;
c. Functional description;
d. Internal redundancies (e.g., power supplies, RAID); and
e. External redundancies (e.g., mirroring, clustering).

3.2.3.4 Physical diagram of the network topology within and between data centers and external entities
A physical diagram of the network topology within and between data centers and external entities, and for each connection p
following information:
a. Purpose(s) of connection;
b. Type and bandwidth of each connection; and
c. Identification of carrier.

3.3 Risk Analysis and Oversight

3.3.1 Assessment and management of operational risks
Please describe your IT department’s approach for assessing and managing the risks associated with the operation of and chan
your technology infrastructure.
3.3.2 Enterprise Risk Management program as it relates to IT
Please describe your Enterprise Risk Management program as it relates to IT.

3.3.3 Internal audit program

Please describe your internal audit program, including:

a. Organizational structure of internal audit;

b. Audit staff qualifications and use of external staff;
c. Controls that ensure independence;
d. Process for development of IT audit plan, including prioritization and allocation of audit resources; and
e. Follow up and resolution of IT audit findings and recommendations.

3.3.4 Recent audit or other risk assessment documents

Please provide your most recent audit or other risk assessment documents for each of the following areas, including complete
(not only executive summaries), management’s responses, and mitigation plans and results for addressing findings:

a. Risk management;
b. Systems Development Methodology (including quality assurance and outsourcing);
c. Information security;
d. System Operations, including hardware and software change management, patch management, and event and problem
management;
e. Capacity and Performance Planning;
f. Data centers – including physical security, environmental controls, and facilities management; and
Business Continuity and Disaster Recovery.

3.3.5 Results of the two most recent internal or 3rd party vulnerability scans
Please provide the results of the two most recent internal or 3rd party vulnerability scans (for our assessment of progress mad
including complete reports (not only summaries), management’s responses, and mitigation plans and results for addressing fin

3.3.6 Results of the two most recent internal or 3rd party penetration tests
Please provide the results of the two most recent internal or 3rd party penetration tests (for our assessment of progress made
including complete reports (not only summaries), management’s responses, and mitigation plans and results for addressing fin

3.3.7 Plans and schedule for ongoing independent audits, other risk assessments, and tests
Please describe your plans and schedule for ongoing independent audits, other risk assessments, and tests.

3.4 System Operations

3.4.1 Configuration Management
Please provide information regarding the controls and procedures that will be used to ensure:

a. Consistent inventory maintenance of hardware and software ;

b. Adherence to standards for baseline configuration, including hardening;
c. Pre-installation testing and authorization; and
d. Post-installation monitoring.

3.4.2 System software change management

Please provide information regarding the controls and procedures that will be used to ensure the reliability of system software
including:

a. Testing;
b. Independent review for quality assurance;
c. Approval for production installation;
d. Post-change monitoring;
e. Separation of duties; and
f. Controlled access to code libraries.

3.4.3 Patch management

Please provide information regarding the controls and procedures that will be used to ensure the timely application of essenti
patches, including:

a. Staffing;
b. Awareness;
c. Analysis;
d. Testing and Approval;
e. Implementation and fallback procedures; and
f. Communication and reporting.

3.4.4 Event and problem management

Please provide information regarding the controls and procedures that will be used to ensure the timely notification about op
events and resolution of operational problems, including:

a. Staffing;
b. Use of monitoring systems;
c. Tracking and escalation;
d. Resolution; and
e. Reporting.
3.4.5 Security incident handling program
Please provide information about your security incident handling program, including:
a. Staffing;
b. Training;
c. Procedures (including detection, analysis, containment, and recovery);
d. Communication/notification and reporting; and
e. Testing.

3.5 Systems Development Methodology

3.5.1 Process, including roles and responsibilities, for identifying and approving functional, security, and capacity/performan
requirements
Please describe your process, including roles and responsibilities, for identifying and approving functional, security, and
capacity/performance requirements.

3.5.2 Software change management process, including quality assurance and issue tracking and resolution
Please describe your software change management process, including quality assurance and issue tracking and resolution.

a. Please provide information regarding the testing methodology, including management controls, used to verify the system’s
perform as intended (regarding functionality, security, and capacity and performance requirements).

b. Please provide copies of current representative samples of your test results documentation.

c. Please identify what group is responsible for recording, correcting, and retesting errors, and detail their procedures for thos
activities.

3.5.3 Documentation required during the development of new software and as part of the software release package
Please describe the documentation required during the development of new software and as part of the software release pac
installation, operation, and maintenance.

3.5.4 Controls in place for promotion of application software into the production environment
Please describe the controls in place for promotion of application software into the production environment, including approv
controls, and post-implementation monitoring.

3.5.5 Service agreements for IT development or support

Please provide a copy of each service agreement for IT development or support currently in place.

3.5.6 Monitoring the performance of those development or support agreements

Describe your process for monitoring the performance of those development or support agreements, including roles and
responsibilities, frequency of review, and remediation of identified deficiencies.

3.6 Information Security and Cyber Resilience

(Applicants may provide proof of current ISO 27000 certification as an exhibit where appropriate in response to the questions
section)
3.6.1 Documentation of an ongoing information security program
Please provide documentation (policies, standards, guidelines) that attests to the development of and adherence to an ongoin
information security program.

3.6.2 Logical security architecture diagram and description

Please provide a logical security architecture diagram and description.

3.6.3 Personnel controls and procedures

Please provide information regarding the controls and procedures that will be used to ensure that:

a. Appropriate background investigations, including credit checking, are conducted prior to assigning personnel to sensitive ro
they may have access to confidential information about market participants and their activities;

b. Periodic recurring background investigations, including credit checking, are conducted for staff in sensitive roles; and

c. Personnel are aware of, receive appropriate training for, and formally acknowledge their security responsibilities.

3.6.4 Security Awareness Training

To what groups (e.g., technical staff, senior executives) do you provide basic security awareness training before authorizing ac
the system?

3.6.5 Security Awareness Training Renewal

How often do you require refresher training?
3.6.6 Information Security Personnel Roles and Responsibilities
Please identify the roles of personnel that have significant information system security responsibilities and describe the inform
security training they are required to complete before being authorized to perform their assigned duties.

3.6.7 User Information Security Training

Please describe the information security training that is provided for the users of the system.
3.6.8 Access controls and procedures
Please provide information regarding the access controls and procedures that are used to ensure the identification, authorizati
authentication of system users.

3.6.9 Account management

Please provide information regarding the procedures that are used to ensure proper account management, including:

a. Establishing, changing, reviewing and removing accounts (including emergency and other temporary accounts).

b. Maintaining user awareness of the authorized uses of the system.

3.6.10 Administrative procedures

Please provide information regarding the administrative procedures (such as adherence to least privilege and separation of du
concepts) and automated systems that will be employed to prevent and detect the unauthorized use of the system.
3.6.11 Use and management of safeguards and security tools
Please provide information (including specific products used, guidelines for use, and roles and responsibilities) regarding the u
management of safeguards and security tools used to protect the critical data and system components, including:

a. Encryption and data compression;

b. Denial of service protection;
c. Firewalls;
d. Routers;
e. DMZs and network segmentation;
f. Intrusion detection;
g. Event logging and log analysis, including:

1. Scope of log coverage (e.g., production/development; servers/firewalls);

2. Focus of event details captured (e.g., unauthorized activities, system issues);
3. Monitoring of system logging alerts (e.g., log failure alert); and
4. Frequency and level of log review, analysis, and reporting.

h. Virus protection;
i. Encryption and control of portable mobile devices;
j. Encryption and control of portable external media (e.g., USB drives, optical media, external hard drives, etc.); and
k. Data Loss Prevention (DLP) tools.

3.6.12 Procedures for authorization and use of remote access capabilities

Please provide policies, guidelines, and procedures for authorization and use of remote access capabilities to manage the syst
including hardware and software tools that protect the information and system while using those capabilities.

3.6.13 Sanitization of equipment and media

Please provide information about your procedures for sanitization of equipment and media.

3.6.14 Vulnerability scanning

Please provide information regarding your use of vulnerability scanning to identify and eliminate vulnerabilities in the configur
your computing and communications equipment. Please address each of the following:

a. Frequency of use;
b. Methodology and tools;
c. Distribution of reports;
d. Remediation of findings; and
e. Tracking of mitigation activities.
3.6.15 Penetration testing
Please provide information regarding your use of penetration testing to identify and eliminate vulnerabilities in the architectu
configuration of your computing and communications equipment. Please address each of the following:

a. Frequency of use;
b. Methodology and tools;
c. Distribution of reports;
d. Remediation of findings; and
e. Tracking of mitigation activities.

3.6.16 Internal password scanning

Please provide information about any internal password scanning you perform, including:
a. Frequency of use;
b. Tools used;
c. Scope; and
d. Follow-up.

3.6.17 Manual and automated audit processes

Please provide information regarding the manual and automated processes that will ensure:

a. proper use of platform

b. your ability to detect and investigate persons suspected of violating platform rules; and
c. that information that could be necessary to detect, investigate, and prevent customer and market abuses (i.e., audit trail
information) is captured and securely stored for five years.

1. Identify the specific audit trail information captured.

2. Describe the controls that provide for reliable collection of audit information, including those that ensure sufficient capacity
alerting of audit failures.

3. For each copy of the audit trail information, describe the processes that protect the information from unauthorized alterati
accidental erasure or other loss prior to its planned disposal. Include information about:

i. Access controls (physical and logical);

ii. Environmental controls (e.g., fire protection) provided at storage locations;
iii. Schedule and procedures for secure movement of information;
iv. Retention period; and
v. Distance between storage locations.

3.7 Physical Security and Environmental Controls

3.7.1 Physical security controls
Please provide information regarding the physical security controls used in the communications and central computer facilitie
protect system components and critical infrastructure. In your response, please address:

a. Perimeter and external building controls and monitoring, including:

1. Lights;
2. Cameras;
3. Motion detectors;
4. Guards;
5. Fences, gates, and other barriers; and
6. Building entrances, including loading docks.

b. Internal building controls and monitoring, including:

1. Engineering and physical security staffing, including shift coverage, minimum qualifications and training;
2. Metal detectors;
3. Door locks;
4. Visitor controls, including scheduling, identification, logbooks, and escort requirements;
5. Compartmentalization of computing, communications, and building infrastructure equipment;
6. Cameras, video recording, and monitoring stations;
7. Access authorization and review procedures; and
8. Mail and package handling procedures.
3.7.2 Environmental controls
Please provide information regarding the environmental controls used in the communications and central computer facilities t
reliable availability of system components and critical infrastructure. Please address redundancy, monitoring, maintenance, an
of:

a. Electrical supply, including:

1. Sources and paths of commercial power;

2. Generators (and associated on-site fuel supply and fuel delivery contracts);
3. Power distribution units;
4. Uninterruptible Power Supply units; and
5. Emergency shutoff controls.

b. Cooling equipment, including:

1. HVAC units;
2. Air handlers;
3. Chillers; and
4. Other associated items such as water supply and humidifiers.

c. Fire control equipment, including:

1. Smoke and heat detection;

2. Fire suppression; and
3. Water damage protection.

3.8 Capacity Planning and Testing

3.8.1 Capacity levels and associated performance by activity
Please provide estimated capacity levels and associated performance (i.e., response time) for each of the following system acti
including target, average daily, historical high, and system stress-tested sustained and peak levels:

a. UPI Code Assignment

b. UPI Code Retrieval
c. UPI Reference Data Retrieval and
d. Data mirroring transactions.

3.8.2 Review of capacity and performance levels

Please describe any formal process you employ for the ongoing review of capacity and performance levels.

3.8.3 Addition of new system resources to ensure adequate capacity and performance
Please describe at what levels the addition of new system resources would be triggered to ensure adequate capacity and perf
3.8.4 Activation of capacity and performance resources in emergency situations
Please describe the methods by which additional capacity and performance resources could be activated in an emergency situ
state how long those processes would take.

3.9 Business Continuity and Disaster Recovery (“BC-DR”)

3.9.1 Description of DR sites
Please provide a description of your DR sites, including the following information for each site:

a. State of readiness (hot, warm, cold);

b. Whether a commercial or self-managed site; and
c. Distance from production site.

3.9.2 Description of the public infrastructure supporting each BC-DR site

Please provide a description of the public infrastructure (e.g., water, electric) supporting each of your BC-DR sites, including
redundancy, resilience, and physical security.

3.9.3 List of the mission-critical systems that each BC-DR site will support on a non-disaster basis
Please provide a list of the mission-critical systems that each BC-DR site will support on a routine, non-disaster basis, and a de
of your reasons for this overall data center strategy.

3.9.4 List of the mission-critical systems that each BC-DR site will support in the event of a disaster
Please provide a list of the mission-critical systems that each of your BC-DR sites will support in the event of a disaster.

3.9.5 Copies of all agreements, including service level agreements, with third parties related to BC-DR
Please provide copies of all agreements, including service level agreements, with third parties to provide services in support o
DR plans.

3.9.6 Strategy for ensuring the availability of essential software and data
Please provide a description of your strategy for ensuring the availability of essential software and data, including security and
of backups.

3.9.7 Assessment of the maximum potential data loss

Please provide a description or assessment of the maximum potential data loss in the event of a disaster.

3.9.8 Strategy for staffing DR sites in the event of a disaster

Please provide a description of your strategy for staffing DR sites in the event of a disaster, including a pandemic.

3.9.9 Remote management and operation of your primary or DR sites

Please provide a description of any plans or capabilities for remote management and operation of your primary or DR sites in
that they become inaccessible but remain functional.

3.9.10 Briefing materials for senior management

Please provide briefing materials for senior management regarding BC-DR and pandemic plans.
3.9.11 Training materials prepared for employees
Please provide BC-DR and pandemic training materials prepared for employees.

3.9.12 Essential documentation currency and availability plans

Please provide a description of your procedures for ensuring the currency and availability to team members of essential
documentation.

3.9.13 Technology-related BC-DR plans

Please provide your technology-related BC-DR plans, including roles and responsibilities, staffing assignments, recovery proced
plans, external dependencies and any pandemic plans.

3.9.14 Emergency Communications Plan

Please provide your Emergency Communications Plan, including emergency contact information.

3.9.15 Communications to users about the BC-DR plans

Please provide a description of communications to users about the BC-DR plans.

3.9.16 BC-DR plan coordination with users’ BC-DR plans

Please provide a description of how your BC-DR plan is coordinated with users’ BC-DR plans.

3.9.17 Strategy for testing DR sites

Please provide a description of your strategy for testing your DR sites, including frequency, types of tests, and scope of staff an
participant involvement.

3.9.18 SSAE16 Type II reports

Please provide a copy of the most recent SSAE16 Type II reports for each of your data centers, including, if applicable, any acti
to remediate findings in the report.

3.9.19 Three most recent operational tests

Please provide documentation from the three most recent operational tests conducted with respect to your DR sites, includin
plan, the results report, and the mitigation plan and results.

3.9.20 Participation in the most recent industry wide test

Please provide documentation from your participation in the most recent industry wide test relating to BC-DR matters, includi
test plan, the results report, and the mitigation plan and results.

3.9.21 Instances of activation of BC-DR plans

Please provide a description of any instances of activation of your BC-DR plans, including the results report and the mitigation
results.
3.9.22 Recovery time objectives
What is your recovery time objective (“RTO”) for each of the following:

a. Resumption of operations
b. Completed roll-back of uncompleted operations executed prior to disruption.
c. Resumption of surveillance.
d. Access to audit trail information.

3.10 Data Quality Assurance and Control

3.10.1 Data Quality Related Systems and Processes
Please describe your systems and processes for:
a. Validation of reference data submitted by market participants.
b. Correction of erroneous reference data submitted by market participants.
c. Validation of data created during the UPI code assignment process including prevention of creating duplicate UPI codes.
d. Detection, correction and notification of erroneously assigned reference data or code(s) disseminated to market participant

3.10.2 Data Quality Policies and Standards

Please provide your data quality policies or references to industry best practices including relevant metrics.
3.10.3 Data Quality Personnel
Please provide descriptions of skills, roles and responsibilities of your personnel involved in ensuring data quality.
Response
Self Assessment Rating
Observed
Broadly observed
Partly observed
Not observed