Risk Management

Risk Management Policy

The Risk Management System of CDCP respects requirements stipulated by the applicable binding legal regulations, primarily the Act No 566/2001 Coll. on Securities and Investment Services and on amendments and supplements to certain laws, the Regulation  (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU, the Regulation No 236/2012 and relevant implementing acts.

The functional Risk Management System is one of pillars CDCP depends on when performing its activities. The Risk Management System consists of adequate organisational structure with precisely defined lines of responsibility, and effective procedures for identification, measuring, monitoring, reporting and managing of risks.

As regards the risk management, CDCP takes into consideration all known risks, which it is, or could be exposed to. Risk management of CDCP does not take into account only eventual economic loss of the Company, but also impact of service interruption to the participants in the securities settlement system and other clients. In order to ensure provision of services also in the case of emergency situations CDCP maintains framework of the Business Continuity and Business Recovery Plans, prepared for different types of operation disruption.

In compliance with requirements of binding regulation, all risks CDCP is exposed to, are covered with own capital in stipulated extent. Procedures for increasing own capital in case its level falls below required level have been prepared as well.

CDCP enables access to provided services or links to an applicant only after adequate assessment of risks the respective applicant can pose to the company, or to other subjects using CDCP services. On the other hand, adequate care is dedicated also to management of risks, which the participants and other clients are exposed to due to utilisation of CDCP services or established links. CDCP shall make accessible appropriate information to the clients, prospective clients or other entitled persons to allow them to assess their risks in necessary extent. Main principles and procedures applied by CDCP in area of risk management, and basic organisational framework as regards the risk management of the company are defined in Risk Management Policy.

 

IT and Operational Risks

The operational risks include risks arising primarily from shortcomings of internal processes and information systems.

CDCP manages and minimises the risk arising from shortcoming of the internal processes by implementation of formalised internal rules, organisational structure with clearly defined lines of responsibility, effective system of internal control and internal audit.

Protection of client’s assets is inseparably connected to protection of CDCP as such. Management of CDCP is fully aware of importance of data it is processing, and of necessity to ensure data protection at the highest possible level. The most important preventive measure applied in this area is the Information Security Management System. This system is implemented as the Information and Cyber Security Management System Policy and related internal regulations, and operated and further developed in compliance with the internationally accepted standard for Information Security Management – ISO/IEC 27001. The policy sets scope, requirements, principles, rules and reliabilities with respect to the information security management and cyber resilience. For that purpose CDCP adopted effective measures to protect processed data, information systems and all related information assets critical for performance of CDCP activities, particularly in a sense of securing confidentiality, integrity and availability of data processed electronically, or in other form.

Despite above-mentioned it is not possible to exclude temporary interruption of services due to circumstances that are out of adequate control of CDCP, regardless to adopted IT security and risk mitigating measures.

 

Assets security

Security of clients’ assets is one of the highest priorities of CDCP, whether the assets are financial instruments or protected information. The security of clients’ assets is inherent part of CDCP security as such.

Special attention is dedicated to the control mechanisms ensuring integrity of issues of book-entry securities registered in CDCP. These mechanisms guarantee to all entities, to which CDCP administers a securities account, that each security registered in their account is properly issued based on decision of respective issuer. In compliance with CSDR regulation CDCP adopted measures to maintain securities issue integrity, which include primarily:

  1. overdrawing of securities and debit balances in accounts and unauthorised creation of securities is forbidden,
  2. double entry accounting principles,
  3. multiple cross-controls of processed request against static data of respective security issue,
  4. daily check if the total amount of securities of respective securities issue registered on accounts opened in CDCP registry and members’ registries is equal to amount of securities issued for that securities issue,
  5. obligation of participants to reconcile regularly (on daily basis) data in the holder’s registry against data on securities held on the holder’s account opened for given participant.

CDCP provides its settlement services through the T2S Platform, and in T2S settlement currencies. The rules of CDCP settlement system clearly define the moments of entry, irrevocability and settlement finality (SF I, SF II, SF III), i.e. moments when the instruction may be revoked, or when the instruction becomes irrevocable, and when the settlement is concluded, i.e. final.

Inherent part of the assets security system create effective procedures implemented by CDCP for prevention and timely identification of illegal acts, mainly with respect to eventual fraud or unauthorised acquiring of protected data of the clients. CDCP respects also all legislative requirements aimed to prevention of legalisation of proceeds of criminal activity (AML) and terrorist financing. The Program of Own Activities implemented in connection with the AML protects reputation of CDCP and of its participants, and ensures compliance with requirements of the international community. 

 

Legal Risk

CDCP, in compliance with requirements of the CSDR regulation ensures that for the purpose of its authorisation and supervision, as well as for the information of its clients, and for all other provided services, its’ all rules, procedures and agreements are clear and understandable. CDCP ensures that its rules, procedures and agreements are enforceable in all relevant jurisdictions, including in the case of the default of a participant. Detailed information is included in:

The report containing information enabling to assess whether the rules, procedures and agreements of CDCP are clear, understandable and enforceable in all relevant jurisdictions pursuant to the article 43(1) and 43(2) of the CSDR Regulation.

Other documents enabling the clients to assess risks related to provision of CDCP services:

 

Questionnaires