1. Slide 1 Independent Advisory Group Giovannini Barrier 1 Meeting 3 August 23rd, 2005

2. IAG_230805_v1.pptSlide 2 Agenda  Review of 3 rd August minutes  Focus on the Data Layer –Standards –Security –Service  Any other business

3. IAG_230805_v1.pptSlide 3 Agenda  Review of 3 rd August minutes  Focus on the Data Layer –Standards –Security –Service  Any other business

4. IAG_230805_v1.pptSlide 4 Review of 3/08 minutes Protocol shelf life recommendation  The protocol will have a fixed ‘shelf-life’ that is made up of 2 periods: –X1 = An agreed implementation period –X2 = A fixed period of general usage to allow amortisation of development cost  Period length will be agreed when the full protocol content is finalised  Fixing content & shelf-life may preclude the use of the latest technology but for all participants, it will provide; –A minimum technical target –A realistic timeframe for implementation –A reasonable period for amortisation of development cost providing a take up incentive based on knowing development cost is not wasted  Protocol content should be reviewed (X1+X2) - 1year to allow continuity

5. IAG_230805_v1.pptSlide 5 Protocol framework Transfer Data Transfer Data STANDARDSSTANDARDS SECURITYSECURITY SERVICESSERVICES 1414  The proposed 9 element framework should be collapsed into 6 elements and 2 layers 3636 2525

6. IAG_230805_v1.pptSlide 6 Review of 3/08 minutes Element 4 – Transfer Layer Standards  A Giovannini compliant service must use: –Structured messages and file formats where they exist –Internet Protocol (IP) for communication & routing –Data transfer services based on: – Messages and/or – File and/or – Operator based (GUI)  The selection of the transfer service appropriate to a specific communication is agreed bilaterally between participants  The Giovannini protocol should apply to domestic as well as cross border transactions  The Transfer Layer can be provided by single or multiple providers

7. IAG_230805_v1.pptSlide 7 Review of 3/08 minutes Element 5 – Transfer Layer Security  A Giovannini compliant service must offer (subject to further incremental cost research) for message/file transfer communication: –Authentication/data integrity (PKI) with liability (from zero to full) –Non-repudiation with liability –Time stamping  If the incremental cost of offering all elements for all communication is considered too high, differentiation between the types of communication will be required to determine the applicability of different types of security  Certificate Registration Authority must implement ISO 21188 PKI Public Key Infrastructure Policy and Practices Framework standards for Certificate issuance  Market best practice minimum key strength (to be identified)

8. IAG_230805_v1.pptSlide 8 Review of 3/08 minutes Element 6 – Transfer Layer Service  Transfer Layer service providers should ensure their services are available during TARGET opening hours as a mandatory minimum  Transfer Layer service providers must satisfy business & regulatory requirements for performance, resilience and network management  In addition to security services listed previously, minimum mandatory Transfer Layer services are: –Message/file audit log –Message/file guaranteed delivery –Message/file delivery once and only once

9. IAG_230805_v1.pptSlide 9 Review of 3/08 minutes Action Items  ADouglas to research the cost implications of adding all security to all messaging using SWIFT as a proxy for a generic solution  For typical SWIFT services, –PKI cost = –Non-repudiation = 10-20% of transmission cost –Time stamping

10. IAG_230805_v1.pptSlide 10 Review of 3/08 minutes Action Items  ADouglas to research the current industry best practice in regards of PKI strength. This to form part of the final recommendation  International Standard ISO 21188 PKI Public Key Infrastructure Policy and Practices Framework. –Covers control objectives & procedures to ensure that a CA is performing accordingly to its Certificate Practice Statement. –Draft submitted with recommendation to approve, closing date of ballot 30/8 –National Standards bodies to be balloted are: – Czech Republic – France – Germany – Italy – Netherlands – Sweden – Switzerland – United Kingdom

11. IAG_230805_v1.pptSlide 11 Agenda  Review of 3 rd August minutes  Focus on the Data Layer –Clarification –Standards –Security –Service  Any other business

12. IAG_230805_v1.pptSlide 12 Focus on the Data Layer Clarification:  Process model vs Business model –A common process model is not a common business model –A process model seeks to define expected input and outputs associated with a particular business process, it does not define how that process should be implemented and used –To achieve a common business model requires an understanding of both market practice and internal participant structure, neither of which are within the scope of this project

13. IAG_230805_v1.pptSlide 13 Focus on the Data Layer: How far from common data standards are we?  2003, MI’s surveyed on use of key data standards in both Cross Border & Domestic Clearing & Settlement processing –15 CSD’s plus 2 ICSD’s –Responses from 12 countries/ICSD’s  Survey predated inclusion of 10 Accession states into the EU  Responses included intended use as well as actual use. Therefore results should be considered ‘optimistic’

14. IAG_230805_v1.pptSlide 14 Focus on the Data Layer: How far from common data standards are we? Note, this reflects the position as at the end of 2004 when the current SWIFT migration to IP network architecture will be completed. Available Standard Infrastructure use – Cross border Infrastructure use – DomesticCross Border Community Use* BIC52100% ISIN1110100% Account NumberNo StandardProprietaryNo Standard ISO Currency Code10 100% ISO Country Code11 100% Certificate IDNo StandardProprietaryNo Standard ISO 15022 Data Dictionary92100% ISO 15022 Message syntax83100% ISO 15022 Message Set41100% SMPG (local) Message Set74As Appropriate IP Network11 100% Centrally Managed Architecture11 100% Dedicated Network10 100%

15. IAG_230805_v1.pptSlide 15 Focus on the Data Layer Element 1: Standards - Consultation Content  Common process model agrees, for a single process: –key players, data elements, how to logically group data elements and when to send data, i.e. identification of business triggers  Common data dictionary: –Common repository accessible by all participants  Common syntax: –Arrangement of data into specific messages  Business and syntax synonyms: –Allows translation between syntaxes and forms part of the data dictionary

16. IAG_230805_v1.pptSlide 16 Focus on the Data Layer Element 1: Standards - Consultation comments  BVI –‘The protocol needs, at least for a certain period, to provide for the continued use of existing messages’ –‘We would like to stress … the importance that all market participants are required to use ISO standards for the identification of [counter]parties, securities and accounts…in particular ISIN, BIC and MIC as well as working on International Business Entity Identifier, IBEI’ –‘…the use of non ISO compliant national or proprietary identification codes should be discouraged under the protocol’  DESSUG –‘We insist that the proposal for the co-existence of ISO 15022 and ISO 20022 be applied’

17. IAG_230805_v1.pptSlide 17 Focus on the Data Layer Element 1: Standards - Consultation comments  Deutsche Bank –‘it is absolutely mandatory that all parties have the same understanding of the data elements and their content’  ECSA –‘translation is an important element of any solution, especially in the context of protecting existing investment in the ISO15022 standards’  Euroclear –‘Investments made by the industry in supporting ISO 15022 must be preserved’

18. IAG_230805_v1.pptSlide 18 Focus on the Data Layer Element 1: Standards - Consultation comments  LSE –‘there is a core set [of processes] that need to be standardised, and others that could remain non-standard’  OMX –‘interpretations of Barrier 1 have simply gone too far when stating that it is necessary to have one common, mandatory business model for all financial post-trade activities’  UBS –‘To fully remove barrier 1, process modelling is only necessary for business processes where no industry accepted message standard exists’

19. IAG_230805_v1.pptSlide 19 Focus on the Data Layer Element 1: Standards - Consultation responses  Q4.2 generic responses  51 responses in totalAgree –15 EU FI13 – 87% –11 FI EU rep orgs8 – 73% –7 EU C&S Infrastructures5 – 71% –Total (inc above) 34– 67%

20. IAG_230805_v1.pptSlide 20 Focus on the Data Layer Element 1: Standards - Consultation responses  Q5.5 –What is the industry view on the standards co- existence requirement? –Does such a strategy support the ongoing improvement of the Clearing & Settlement process? –If not, what alternatives exist?

21. IAG_230805_v1.pptSlide 21 Focus on the Data Layer Element 1: Standards - Consultation responses  Q5.5 Agree with the need for co-existence?  51 responses in totalAgree –15 EU FI14 – 93% –12 FI EU rep orgs11 – 92% –8 EU C&S Infrastructures6 – 75% –Total (inc above) 44– 86%

22. IAG_230805_v1.pptSlide 22 Focus on the Data Layer Element 1: Standards - Consultation responses  Q5.5 Need to leverage ISO15022?  51 responses in totalAgree –15 EU FI9 – 60% –12 FI EU rep orgs7 – 58% –8 EU C&S Infrastructures4– 50%

23. IAG_230805_v1.pptSlide 23 Focus on the Data Layer Element 1: Protocol, Standard and Syntax Protocol Standard Syntax

24. IAG_230805_v1.pptSlide 24 Agreement of terms: ‘Protocol, Standard & Syntax’ Step 1  Cash Equities, Fixed Income inc listed funds –All EU Securities Settlement Systems and Clearing & Settlement infrastructures must provide an ISO15022 and ISO20022 market practice compliant entry and/or exit point for existing messages, with co-existence solutions where relevant, within 2 years, for Clearing, Settlement and Asset Servicing –In parallel, a gap analysis of ISO Standards must be completed by SWIFT Standards for the 25 EU States (plus other countries as necessary) to discover which functionality is missing. The standards must then be extended to include that functionality  Exchange traded derivatives –Relevant expert bodies (e.g Eurex, FIA, CME, LCH Clearnet) should consult on the feasibility and if appropriate recommend a plan to achieve compliance with Step 2

25. IAG_230805_v1.pptSlide 25 Agreement of terms: ‘Protocol, Standard & Syntax’ Step 2  For EU Cash Equities and Fixed Income Clearing and Settlement plus Asset Servicing, ISO15022/20022 must be implemented in compliance with existing market practices by all participants within 5 years

26. IAG_230805_v1.pptSlide 26 Focus on the Data Layer Element 1: Standards – Proposed ratification  Where an ISO standard exists,it is the preferred option. Today, this includes: –ISO 3166 - Country Codes –ISO 4217 - Currency codes –ISO 6166 - ISIN –ISO 8601 - Date/time format –ISO 9362 - BIC –ISO 10383 - MIC –ISO 10962 - CFI –ISO 13616 - IBAN –ISO 16732 - IBEI (Provisionally) –ISO 20022 - Financial services data dictionary = ‘The Standard’  Ultimately, these recommendations must apply to domestic as well as cross border activity

27. IAG_230805_v1.pptSlide 27 Focus on the Data Layer Element 2: Security – Consultation content  Not application security  Role Based Access Control –Build into application –Build into transfer layer

28. IAG_230805_v1.pptSlide 28 Focus on the Data Layer Element 2: Security - Consultation comments  ABN –‘It is extremely important that the particpants can rely on the fact that data trhey send is actually received in good order and the messages/data are not interfered with by 3 rd parties’  AFTI –‘According to the level of security required for each message type, different ranges of profiles must be considered to reduce costs. A participant could so have multiple roles according to the type of message exchanged’

29. IAG_230805_v1.pptSlide 29 Focus on the Data Layer Element 2: Security - Consultation comments  Deutsche Bank –‘It has to be ensured that only the respective parties will have access to their data and their functionality according to their role in the process’  Euroclear –‘We believe that role based access control can only be built at the application level, not at the level of the messaging interface as suggested, because in many cases it required knowledge of the contents of the message and understanding of the business context’

30. IAG_230805_v1.pptSlide 30 Focus on the Data Layer Element 2: Security – Proposed ratification  The Giovannini protocol concerns the transfer of data between counterparties. The security of data during transfer is the responsibility of the Transfer Layer  Data Security is therefore already covered in the element 5, Transfer Layer Security  Application security is out of scope of the protocol

31. IAG_230805_v1.pptSlide 31 Focus on the Data Layer Element 3: Service – Consultation content  At the data layer, the key goal of Barrier 1 is the establishment and then maintenance of interoperability of Standards [syntaxes?]  This requires a commitment from application providers and users to implement data standards changes within an agreed timeframe to prevent divergence and ensure continued compliance  Such commitments would form the basis of a mandatory compliance requirement

32. IAG_230805_v1.pptSlide 32 Focus on the Data Layer Element 3: Service - Consultation responses  Q4.5 –What is your opinion on the need to implement a market wide Data Standards compliance commitment, i.e. when new data standards are published, all participants agree to implement within specific timeframes –If you agree, is a 6 month mandatory compliance window appropriate? i.e. compliance with the standard is mandatory within 6 months of publication

33. IAG_230805_v1.pptSlide 33 Focus on the Data Layer Element 3: Service - Consultation responses  Q4.5 Agree with the need for mandatory compliance window?  54 responses in totalAgree –15 EU FI13 – 87% –12 FI EU rep orgs9 – 75% –10 EU C&S Infrastructures8 – 80% –Total (inc above) 42– 78% –Explicitly disagree4 – 7%

34. IAG_230805_v1.pptSlide 34 Focus on the Data Layer Element 3: Service - Consultation responses  Q4.5 If you agree, what is an appropriate timeframe?  Agree –Variable16 – 30% –6 months4 – 7% –>6 months11 – 20% –12 months 2– 4% –> 1yr11 – 20%  Instead of a minimum, should there be a maximum compliance time?

35. IAG_230805_v1.pptSlide 35 Focus on the Data Layer Element 3: Service - Consultation comments  ABN –‘The implementation of a market wide data standard is a key issue……the period depends on the environment and the complexity of the changes…’  BNP –‘…it is difficult to decide a unique timeframe as the ‘‘gap to fill’’ might be very different in each case…’  Clearstream –We mainly disagree with the proposal to have a mandatory compliance with a new standard within 6 months of publication –Not all business areas justify mandatory compliance at this time, e.g. collateral – New standards should only be produced when there is a business case – Only if a new standard can be justified by issues above, the obligation to support new messages within a given timeframe should be put on MI’s providing the service – Nevertheless, there should be market approval on which standards should be developed and on timeframes in which they become mandatory for MI’s’

36. IAG_230805_v1.pptSlide 36 Focus on the Data Layer Element 3: Service - Consultation comments  Credit Suisse –‘…the timeframe needs to be specified on a case by case basis…’  Euroclear –‘The final report should include both – a recommendation for the approach, governance and timeframe for the development of new standards – A recommendation and agreed approach to implementation by the industry  Euronext –‘Mandatory compliance is necessary otherwise there is a risk that evolution would be blocked by some participants’

37. IAG_230805_v1.pptSlide 37 Focus on the Data Layer Element 3: Service - Consultation comments  JP Morgan Chase –‘Without [a market wide compliance commitment] there is the likelihood of diversity around the common standards that effectively erodes efficiency…’  NCSD –‘It is not feasible to to set up one maximum lead time fitting all possible scenarios of change’  UBS –‘Strongly supports the concept of the SWIFT-FIN service which defines 2 usage classes of messaging: – In general use – In closed user groups’

38. IAG_230805_v1.pptSlide 38 Focus on the Data Layer Element 3: Service - Consultation comments  Virt-X –‘…it is clear that there will not always be a definitive cost benefit for all participants to adopt new standards simultaneously. This could be handled by timelines being set in line with majority adoption…it is unclear at this stage how this could be policed…could create divergence and impose restrictions on interoperability which would be counterproductive to the whole initiative’  Respondent C –‘The word ‘Standard’ implies mandatory compliance otherwise it is not a standard’

39. IAG_230805_v1.pptSlide 39 Focus on the Data Layer Element 3: Service – Proposed ratification  For innovation of processes and instruments, custom messages can be created using extensibility tools and rules provided by the standards authority, pending incorporation into the Standard

40. IAG_230805_v1.pptSlide 40 Agenda  Review of 3 rd August minutes  Focus on the Data Layer –Clarification –Standards –Security –Service  Any other business

41. IAG_230805_v1.pptSlide 41 The next meeting is…..  12 th September at 11.00am  The subjects will be –‘Acid test’ of recommendations –Implementation guidelines