TARGET2-Securities – DCP T2S Access Right Model – April 2016 27 April 2016
TARGET2-Securities DCP – T2S Access Right Model
April 2016
Clearstream Banking

DCP – T2S Access Right Model
1 Setup Tasks by CBF
  Introduction
  Privileges
  Classes
  Roles
  4-Eyes Mode
2 Setup Tasks by DCP
3 Data Scope Adjustments
4 Power of Attorney Concept

DCP Customer Setup
CBF differentiates between “Full DCP” and “GUI DCP”

T2S Definition
‒ A DCP is a CSD Participant which directly interacts with the T2S platform
  ‒ Inbound by submitting instructions, configurations or queries into T2S (A2A or U2A)
  ‒ Outbound by subscribing to messages or configuring reports, so that T2S directly sends messages or reports to the CSD Participant or to a third party

CBF Service
‒ On the CBF side, two models of using T2S in DCP mode 1) can be supported, e.g.
  ‒ DCPs may want to use all U2A and A2A services directly into the T2S platform
  ‒ DCPs may want to use only a subset of T2S services in DCP mode, mainly to query instruction status, positions and static data in U2A mode, but without plans to instruct directly into T2S
‒ “Full DCPs” can use all DCP functions offered by T2S, in U2A as well as in A2A mode
‒ “GUI DCPs” can access positions, instructions and static data via the T2S GUI, but they cannot send settlement instructions

1) A CBF business partner / institution may have several DCP parties on T2S. For every DCP party, CBF will assign privileges and set up Admin Users

DCP Customer Setup
Introduction – Setup follows a two-step approach

CBF Tasks: CBF will pre-configure the DCP and its Admin Users
‒ CBF sets up the DCP customers’ T2S Parties
‒ CBF links the DCP’s PTAs with Network Services
‒ CBF configures at least two Admin Users per DCP Party in T2S
‒ CBF assigns privileges and pre-defined roles to the DCP Party

DCP Tasks: DCP can configure users and access rights with maximum flexibility
‒ Admin Users complete their setup by granting themselves additional privileges, as CSDs can only grant six basic admin privileges
‒ Admin Users set up additional users
‒ Admin Users assign privileges and roles of their DCP Party to users as needed
‒ Dedicated users complete the configuration, e.g. by defining message subscriptions and report configuration

Please note:
‒ Administrator access rights will be granted in 4-Eyes mode, the remaining access rights in 2-Eyes mode

DCP Customer Setup
CBF sets up all DCP Parties
‒ A DCP party can be addressed with
  ‒ BIC of CBF (DAKVDEFFXXX) as Parent BIC and
  ‒ BIC of the DCP party as related BIC (e.g. BANKDEFFXXX)
‒ The party name on T2S will be the same as the account master name of the corresponding account master in KUSTA
‒ Per DCP party there will be at least one Party Technical Address (PTA) from the customer
‒ PTAs of the DCPs will be linked to Network Services as requested by customers

Please note: all screenshots in this presentation refer to T2S GUI version 00.16.194 (EAC environment)

Privileges
Definition
‒ Used to steer what a T2S Actor, in this case a DCP, is allowed to do on T2S
‒ A T2S User can only invoke a certain function in T2S if he is granted the related privilege

Privilege types
‒ System privilege: Does not apply to a specific static or dynamic data object, e.g. privilege to use a specific ISO transaction code
‒ Object privilege: Applies to a specific static or dynamic data
to send a settlement instruction (on own SACs)

Privileges
High level concept
‒ Granting privileges follows a multi-step process: CBF → DCP Party → Admin User → DCP Users
‒ CBF will grant to the DCP Party all available DCP privileges
‒ Admin users can grant privileges that were granted to their party to users of this party
‒ This will give the DCPs maximum flexibility to configure their users in T2S according to their needs

[Figure: CBF (DAKVDEFFXXX), DCP A (7999, BANKDEFFXXX) with Admin A1, Admin A2 and User A3, and DCP B with a user of B. Arrow labels: Grant DCP privileges; Grant basic admin privileges; Grant privileges to users]

Please note:
‒ CBF will not support Third Party privileges (Admin flag set to “FALSE”)
‒ DCP cannot grant privileges to other DCPs
‒ CBF will not grant privileges to DCPs in other CSDs or NCBs (cross-entity)
Privileges
Detailed process
b) Party gets all other DCP privileges from CBF
(4-Eyes related role) from CBF
privileges previously given to the DCP party (in 4-Eyes mode)
in 4-Eyes mode
[Figure: CBF (DAKVDEFFXXX) and DCP A (7999, BANKDEFFXXX) with Admin A1, Admin A2, Sett user A3 and Config user A4. Labels: All DCP privileges; 6 basic admin privileges + 2 data change privileges; Additional admin privileges; Settlement and query privileges; Configuration and query privileges. Steps numbered 1 to 4]

Privileges
Granting privileges in the T2S GUI
Granting privileges to a user
1. Static Data – Grant / Revoke Privilege
2. Click “User” and select the user you want to grant the privilege to
3. Move privileges to be granted from the left side (all available privileges granted by CBF) to the right side (already granted privileges)

Classes
Definition of T2S privilege classes
‒ In T2S there are about 150 privileges that can be granted to DCP
‒ T2S has grouped privileges into so-called classes for better overview
‒ Single privileges from a class can be assigned individually, or all privileges from a class can be granted as a set
‒ Single privileges override privileges granted in a role 1)

1) For example, if a privilege is granted in 2-Eyes mode in a role, it can be additionally granted in 4-Eyes mode as a single privilege. The user can then only use the respective privilege in 4-Eyes mode.

Roles
Roles on T2S defined by CBF
‒ CBF will group privileges into roles. In some areas, the roles defined by CBF are in line with the classes defined by T2S, but in other areas CBF roles and T2S classes deviate
‒ Roles can only be defined by CSDs, but DCPs can re-use the roles defined by their CSD
‒ CBF plans to group the 150 DCP privileges in 15 roles 1)
‒ Once a role is created, filled with certain privileges and granted to a DCP party, the Admin Users of the DCP can grant this role to their Users

Please note: Admin Users will initially have two roles:
‒ Access Rights Administrator – Basic (6 basic privileges)
‒ Administrator 4-Eyes Configuration
To complete their setup, Admin Users must also grant themselves the roles
‒ Access Rights Administrator – Advanced
‒ Access Rights Administrator – Queries
and confirm the change in 4-Eyes mode

1) More details can be found in the appendix

Roles
Roles on T2S defined by CBF – Overview
‒ In addition, CBF will grant to all Admin Users the roles “Access Rights Administrator – Basic” and “Administrator 4-Eyes Configuration”
‒ CBF will grant every privilege granted to a DCP party as part of a role also as individual privilege (except admin privileges)
‒ Admin Users can choose whether they prefer granting roles or granting privileges individually
‒ Single privileges
granted in a role

CBF will grant to each DCP Party a set of roles 1)

Role | Full DCP | GUI DCP
Access Rights Administrator – Advanced | Y | Y
Access Rights Administrator – Queries | Y | Y
4-Eyes Configuration | Y | Y
Configuration Manager | Y | N
Configuration Reading | Y | N
Report Configuration | Y | Y
Message Management | Y | N
Static Data Queries | Y | Y
Settlement Queries | Y | Y
Report and Queries | Y | Y
Send Instructions | Y | N
Settlement ISO Codes | Y | N
Settlement General | Y | Y

1) More details can be found in the appendix

Roles
Process of granting roles in the T2S GUI
Granting roles to a user
1. Static Data – Grant / Revoke Role
2. Click “User” and select the user you want to grant the role to
3. Move roles to be granted from the left side (all available roles) to the right side (already granted roles)

4-Eyes Mode
Introduction
‒ Administrator privileges will be granted in 4-Eyes mode only
‒ Admin activities (create user, grant privilege / role, etc.) must be approved by a second Admin User
‒ All other privileges granted on party level will be granted in 2-Eyes mode
‒ This way the Admin Users can decide if they want to grant privileges to their users in 2-Eyes mode or in 4-Eyes mode
‒ In order to approve in 4-Eyes mode an action performed by another Admin User, two privileges are required:
  ‒ Data Changes – Business Object List Query (to see actions to be approved)
  ‒ Data Changes – Business Object Detail Query (required to actually approve an action)

Please note:
‒ If it is intended to grant privileges in 4-Eyes mode, it is recommended to grant the two 4-Eyes privileges first
‒ CBF has defined two roles for 4-Eyes mode, one specifically for Admin Users, and
can only have one
(privileges within a role must be mutually exclusive)

4-Eyes Mode
Approach for setup of Admin Users in 4-Eyes mode
‒ T2S only allows six basic admin privileges to be granted to Admin Users directly, other privileges cannot be granted directly to the Admin Users by the CSD
‒ 4-Eyes privileges are not part of the six basic privileges, but Admin Users need them to approve changes in 4-Eyes mode
  1. Define a new role “Administrator 4-Eyes Configuration”
  2. Grant this role (with no privileges) to the Admin Users of the DCPs
  3. Add the 4-Eyes privileges to the role
‒ When additional Admin Users for an existing DCP Party are configured, CBF will only grant them the six basic admin privileges. The initial Admin Users can grant the 4-Eyes privileges to these additional Admin Users

Please note:
‒ CBF recommends that the initial Admin Users additionally grant the 4-Eyes privileges to themselves as single privileges. Otherwise the initial Admin Users might temporarily not be able to apply 4-Eyes approvals during CBF setup activities for new DCP Parties (when CBF must temporarily remove the privileges from the role “Administrator 4-Eyes Configuration”, grant the role to the new Admin Users and then re-add the privileges to this role)
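
The grant chain, the "single privilege overrides role" rule and the 4-Eyes approval described in the Privileges, Classes and 4-Eyes Mode slides can be checked against a small model. The following is an added example, not T2S or CBF code; the class and function names, the rule that the approver belongs to the same party, and the mode assigned to the two approval privileges are assumptions made for illustration.

```python
from dataclasses import dataclass, field

TWO_EYES, FOUR_EYES = "2-Eyes", "4-Eyes"
# The two privileges the page names as required to approve another admin's action.
APPROVAL_PRIVS = (
    "Data Changes – Business Object List Query",
    "Data Changes – Business Object Detail Query",
)

@dataclass
class Role:                      # defined by the CSD, reused by the DCP
    name: str
    privs: dict = field(default_factory=dict)     # privilege -> mode

@dataclass
class Party:
    bic: str
    privileges: set = field(default_factory=set)  # granted to the party by the CSD

@dataclass
class User:
    name: str
    party: Party
    is_admin: bool = False
    roles: list = field(default_factory=list)
    single: dict = field(default_factory=dict)    # privilege -> mode

    def effective_mode(self, priv):
        """A single privilege overrides the mode the privilege has in a role."""
        if priv in self.single:
            return self.single[priv]
        for role in self.roles:
            if priv in role.privs:
                return role.privs[priv]
        return None

@dataclass
class PendingChange:
    initiator: User
    target: User
    priv: str
    mode: str
    approved: bool = False

def request_grant(admin, target, priv, mode):
    """Admin activity runs in 4-Eyes mode: it only creates a pending change."""
    if not admin.is_admin:
        raise PermissionError("only Admin Users grant privileges")
    if target.party is not admin.party:
        raise PermissionError("a DCP cannot grant privileges to other DCPs")
    if priv not in admin.party.privileges:
        raise PermissionError("privilege was not granted to the party")
    return PendingChange(admin, target, priv, mode)

def approve(change, approver):
    if approver is change.initiator:
        raise PermissionError("approval needs a second Admin User")
    # Assumption: the second Admin User belongs to the same party.
    if not approver.is_admin or approver.party is not change.initiator.party:
        raise PermissionError("approver must be an Admin User of the party")
    if any(approver.effective_mode(p) is None for p in APPROVAL_PRIVS):
        raise PermissionError("approver lacks the Data Changes privileges")
    change.target.single[change.priv] = change.mode
    change.approved = True
    return change

def _denied(fn, *args):
    try:
        fn(*args)
    except PermissionError:
        return True
    return False

def demo():
    """Constructed scenario built on the page's example parties."""
    send = "Send Settlement Instruction"
    dcp_a = Party("BANKDEFFXXX", {send, *APPROVAL_PRIVS})
    dcp_b = Party("TESTDEFFXXX", {send})
    eyes_role = Role("Administrator 4-Eyes Configuration",
                     {p: TWO_EYES for p in APPROVAL_PRIVS})
    send_role = Role("Send Instructions", {send: TWO_EYES})
    # A1 followed the recommendation (single privileges too); A2 did not.
    a1 = User("Admin A1", dcp_a, True, [eyes_role],
              {p: TWO_EYES for p in APPROVAL_PRIVS})
    a2 = User("Admin A2", dcp_a, True, [eyes_role])
    a3 = User("User A3", dcp_a, roles=[send_role])
    b3 = User("User B3", dcp_b)
    out = {"role_mode": a3.effective_mode(send)}
    change = request_grant(a1, a3, send, FOUR_EYES)
    out["self_approval_denied"] = _denied(approve, change, a1)
    approve(change, a2)
    out["override_mode"] = a3.effective_mode(send)
    out["cross_party_denied"] = _denied(request_grant, a1, b3, send, TWO_EYES)
    # The CSD temporarily empties the role while onboarding another party.
    eyes_role.privs.clear()
    out["a2_blocked"] = _denied(
        approve, request_grant(a1, a3, APPROVAL_PRIVS[0], TWO_EYES), a2)
    out["a1_still_approves"] = approve(
        request_grant(a2, a3, APPROVAL_PRIVS[1], TWO_EYES), a1).approved
    return out

if __name__ == "__main__":
    print(demo())
```

The last two results show why the note above recommends holding the 4-Eyes privileges as single privileges: an Admin User who has them only through the role cannot approve while the role is empty.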

DCP – T2S Access Right Model
1 Setup Tasks by CBF
2 Setup Tasks by DCP
  Introduction
  Admin Users – First Steps
  User Setup
  Message Subscription
  Report Configuration
  Routing Configuration
3 Data Scope Adjustments
4 Power of Attorney Concept

Setup Tasks by DCP
Introduction
‒ With the initial configuration applied by CBF, the Admin Users are able to:
  ‒ Create new T2S Users for the respective Party
  ‒ Link Certificate DNs to the respective users
  ‒ Grant access rights and / or roles to the respective users (2-Eyes or 4-Eyes). The customer needs to follow different steps in a specific process
‒ In particular, the Admin User can define specific “Configuration Users” that are able to:
  ‒ Create Message Subscriptions
  ‒ Create Report Configurations
  ‒ Create Default and Conditional Routing Configurations

Please note
‒ CBF recommends creating specific T2S Users for such purposes, and separating Admin Users (responsible for user definition and access rights) from other user types

Admin Users – First Steps
Login
‒ In the login screen, the party administrator (physical user) can choose between the different Admin Users that are connected to his Certificate DN
‒ The linking of Admin Users to certificate DNs is done by CBF based
‒ The Login Name and System User Reference of Admin Users will be defined by CBF in a standardized format: “CBFG-xxxx-Loginyyy” where
  ‒ xxxx represents the four digit number of the account master in CBF
  ‒ yyy represents a three digit number between 000 and 999

Admin Users – First Steps
Granting advanced administrator privileges
Initially, the Admin User has only three options in the T2S GUI
‒ granting roles
‒ granting privileges
‒ approving data changes

‒ The Admin User must grant to all administrator users of his party (including himself) the roles “Advanced” and “Queries”
‒ The “Advanced” role enables the Admin User to create users and link them to Certificate DNs
‒ The Admin User should grant themselves the 4-Eyes privileges as single privileges

Admin Users – First Steps
Approval by the second Admin User
‒ In the section SERVICES in the T2S GUI, the user can choose “Data Changes”
‒ There are several query parameters to choose from in order to find a change done by another user
‒ After the search a specific change can be viewed with all details
‒ Approval is required separately for every change done by another user in 4-Eyes mode

User Setup
Creation of a new T2S User
Users on T2S have the following attributes
1. Parent BIC / Party BIC: Each user belongs to a T2S Party which is allocated to a CSD / NCB
2. Login Name: Appears on the Login Screen
3. Name: Appears on the top right of the T2S GUI screen
4. System User Reference: The name is listed with every change made by the user
5. Lockout Status since: Defines when the lock-out was applied
6. Lockout: Defines the lock-out status of a user

Please note
‒ Admin Users may want to define a common naming standard at least for all users of the same party

User Setup
Linking a user to an existing Certificate DN (1/2)
‒ Every user in T2S must be linked to at least one Certificate DN
‒ Certificate DNs are Token IDs which are usually connected to a single physical user 1)

Linking DCP users to Certificate DNs is a very critical step
‒ T2S users can be linked to any Certificate DN (also to DNs belonging to other DCPs, CSDs, NCBs or Payment Banks)
‒ The owner of the Certificate DN can login with the user of the DCP and perform actions in the name
‒ Linkage of a User to a DN shall be done very carefully

[Figure: DCP A (7999, BANKDEFFXXX) with User A3, linked to the Certificate DN (Token “Ou=T2S, O=prod,”) of a physical user. Legend: DCP Party; T2S User of DCP]

1) Upper and lower cases as well as spaces and special characters need to be considered while entering the Certificate DN

User Setup
Linking a user to an existing Certificate DN (2/2)
‒ Several T2S Users can be linked to the same Certificate DN
‒ This way the same physical user can operate different T2S users; T2S Users might belong to a different T2S Party, potentially even in a different NCB / CSD
‒ In the example,
  ‒ Physical user “Settlement Operations” can log in as user A3 of DCP A or as user B3 of DCP B
  ‒ Physical user “Admin1” can log in as Admin User A1 of DCP A or as Admin User B1 of DCP B

[Figure: physical users Admin1, Admin2 and Settlement Operations, each with a token (Certificate DN “Ou=T2S, O=prod,”), linked to T2S users of two DCP parties under CBF: DCP A (7999, BANKDEFFXXX) with Admin A1, Admin A2 and User A3, and DCP B (1234, TESTDEFFXXX) with Admin B1, Admin B2 and User B3. Legend: DCP Party; T2S User of DCP]

User Setup
Granting privileges and roles to DCP users
‒ Granting privileges to DCP users can only be done by Admin Users in 4-Eyes mode
‒ Privileges can be granted individually and / or as part of a role. If a privilege shall be granted individually and as part of a role, then the role needs to be granted to the user first
‒ CBF recommends to the Admin User a clear separation of responsibilities in T2S
  ‒ Admin User should only be granted admin privileges
  ‒ A separate “Configuration User” should be granted the roles related to message subscription and report configuration (“Full DCP” only)
  ‒ Settlement users should only be granted roles related to settlement instructions
  ‒ More users having yet different responsibilities might be required (e.g. access to specific accounts only, use of a subset of ISO codes only)

Role | Admin User | Configuration User | Settlement User
Access Rights Administrator – Basic | Y | N | N
Access Rights Administrator – Advanced | Y | N | N
Settlement ISO Codes | N | N | Y
Configuration Manager | N | Y | N
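
Because any T2S user can be linked to any Certificate DN and DNs are compared character by character, a periodic review of the links is a useful control. The following added example (not part of the original presentation, and not a T2S export format) audits a constructed list of DN-to-user links for look-alike DNs, DNs that reach into more than one party, and combinations that break the separation of responsibilities in the table above; the record layout and all DN strings and extra user names are assumptions.

```python
from collections import defaultdict

# Duty per role, taken from the role matrix above.
ROLE_DUTY = {
    "Access Rights Administrator – Basic": "admin",
    "Access Rights Administrator – Advanced": "admin",
    "Settlement ISO Codes": "settlement",
    "Configuration Manager": "configuration",
}

def duties(roles):
    return {ROLE_DUTY[r] for r in roles if r in ROLE_DUTY}

def normalise(dn):
    """Key that ignores case and spaces; used only to spot look-alike DNs."""
    return "".join(dn.split()).casefold()

def audit(links):
    by_dn = defaultdict(list)
    for link in links:
        by_dn[link["dn"]].append(link)      # exact match: case and spaces count
    lookalikes = defaultdict(set)
    for dn in by_dn:
        lookalikes[normalise(dn)].add(dn)
    mixed_dns = []
    for dn, entries in by_dn.items():
        for party in {e["party"] for e in entries}:
            held = set()
            for e in entries:
                if e["party"] == party:
                    held |= duties(e["roles"])
            if len(held) > 1:               # one token spans several duties
                mixed_dns.append((dn, party))
    return {
        "near_duplicate_dns": sorted(
            sorted(group) for group in lookalikes.values() if len(group) > 1),
        "cross_party_dns": sorted(
            dn for dn, entries in by_dn.items()
            if len({e["party"] for e in entries}) > 1),
        "mixed_duty_users": sorted(
            {l["user"] for l in links if len(duties(l["roles"])) > 1}),
        "mixed_duty_dns": sorted(mixed_dns),
    }

# Constructed sample data (DN strings and the last three links are invented).
DN_ADMIN1 = "CN=admin1, Ou=T2S, O=prod, O=example"
DN_ADMIN2 = "CN=admin2, Ou=T2S, O=prod, O=example"
DN_ADMIN2_TYPO = "cn=admin2,Ou=T2S,O=prod,O=example"
DN_SETT = "CN=settlement-ops, Ou=T2S, O=prod, O=example"
ADMIN = ["Access Rights Administrator – Basic",
         "Access Rights Administrator – Advanced"]
LINKS = [
    {"dn": DN_ADMIN1, "party": "BANKDEFFXXX", "user": "Admin A1", "roles": ADMIN},
    {"dn": DN_ADMIN1, "party": "TESTDEFFXXX", "user": "Admin B1", "roles": ADMIN},
    {"dn": DN_ADMIN2, "party": "BANKDEFFXXX", "user": "Admin A2", "roles": ADMIN},
    {"dn": DN_SETT, "party": "BANKDEFFXXX", "user": "User A3",
     "roles": ["Settlement ISO Codes"]},
    {"dn": DN_SETT, "party": "TESTDEFFXXX", "user": "User B3",
     "roles": ["Settlement ISO Codes"]},
    # Admin user also reachable with the settlement token.
    {"dn": DN_SETT, "party": "BANKDEFFXXX", "user": "Admin A2", "roles": ADMIN},
    # DN entered with different case and spacing, user with two duties.
    {"dn": DN_ADMIN2_TYPO, "party": "BANKDEFFXXX", "user": "Config A4",
     "roles": ["Configuration Manager", "Settlement ISO Codes"]},
]

if __name__ == "__main__":
    for name, items in audit(LINKS).items():
        print(name, items)
```

Cross-party links are permitted by T2S, as the slides state, so that finding is a list to review against the agreed setups rather than an error by itself.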

Message Subscription
Subscription options for the Configuration User
‒ CBF recommends setting up specific “Configuration Users” just for the purpose of setting up message subscriptions
‒ DCPs can use message subscriptions to get status messages, settlement confirmations and allegements from T2S, as well as copies of instructions submitted by an account operator or by CBF on an account of the DCP, e.g.:
  ‒ Stock exchange trades
  ‒ CCP instructions
  ‒ Corporate actions instructions
‒ Message subscription can be done on a very granular level using subscription rules
‒ Message subscription rules can be defined as
  ‒ Positive rules: T2S sends a specific message if the rule is met
  ‒ Negative rules: T2S does not send a message if the rule is met

Message Subscription
Receiver of the messages
‒ Messages related to a specific T2S party and related accounts can only be subscribed to by the Configuration Users of the account owner DCP
‒ The receiver of the message (“Interested Party”) must be the own party of the Configuration User
‒ See T2S Validation Rule DRCE005: “When performing a Message Subscription Rule Set Party creation request, the Party Id specified must belong to a Party in the default data scope of the requestor.”

Message Subscription
Message subscription rules
‒ Once a message subscription rule set was defined, specific subscription rules must be added
‒ In every message subscription rule the message type to be subscribed must be defined
‒ In addition, other subscription parameters can be selected on a very granular level
‒ Further limitations could be made, e.g. the message would only be generated if the instruction type would be DvP or the instruction would be in a specific ISIN
‒ Sample: A DCP subscribes to allegements from T2S

Message Subscription
Message subscription rule set recommended by CBF
‒ Positive Rules: subscriptions for the following message types (without additional parameters)
  Business Day
    camt.019 - ReturnBusinessDayInformation
  Settlement Instructions
    sese.023 - SecuritiesSettlementTransactionInstruction
    sese.024 - SecuritiesSettlementTransactionStatusAdvice
    sese.025 - SecuritiesSettlementTransactionConfirmation
    sese.032 - SecuritiesSettlementTransactionGenerationNotificat
  Allegements
    sese.028 - SecuritiesSettlementTransactionAllegementNotificat
    sese.029 - SecuritiesSettlementAllegementRemovalAdvice
    semt.020 - SecuritiesMessageCancellationAdvice
  Intra Position Movements
    semt.013 - IntraPositionMovement
    semt.014 - IntraPositionMovementStatusAdvice
    semt.015 - IntraPositionMovementConfirmation
  Cancellation / Modification
    sese.027 - SecuritiesTransactionCancellationRequestStatusAdvice
    sese.031 - SecuritiesSettlementConditionModificationStatusAdvice
‒ Negative Rules to avoid messages in the following context
  ‒ Copies of sese.023 / semt.013 sent by the own party: apply negative subscription rule for all sese.023 and semt.013 copies where System User Reference = DCP’s own A2A users (refer to T2S CR513 1))
  ‒ Copies of the second leg of already matched sese.023 messages: apply negative subscription rule for all already matched sese.023 copies which are receipt instructions (RFOP, RVP, RWP, PFOD DBIT)

1) https://www.ecb.europa.eu/paym/t2s/progress/pdf/suburd/cr/t2s_0513_sys.pdf
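
To see which messages the recommended rule set lets through, the positive and negative rules can be evaluated over a few messages. This is an added example, not T2S code: the field names, the sample messages and System User References are constructed, and it assumes that a negative rule that is met prevails over a positive one.

```python
# Message types from the recommended positive rules above.
POSITIVE_TYPES = {
    "camt.019", "sese.023", "sese.024", "sese.025", "sese.032",
    "sese.028", "sese.029", "semt.020", "semt.013", "semt.014",
    "semt.015", "sese.027", "sese.031",
}
# Receipt instruction types named in the second negative rule.
RECEIPT_TYPES = {"RFOP", "RVP", "RWP", "PFOD DBIT"}


def build_rule_set(own_a2a_users):
    """Rule set as recommended on the slide; every value in 'when' is a set
    of allowed values for that (assumed) message attribute."""
    return [
        {"kind": "positive", "when": {"message_type": POSITIVE_TYPES}},
        {"kind": "negative", "when": {
            "message_type": {"sese.023", "semt.013"},
            "is_copy": {True},
            "system_user_reference": set(own_a2a_users)}},
        {"kind": "negative", "when": {
            "message_type": {"sese.023"},
            "is_copy": {True},
            "already_matched": {True},
            "instruction_type": RECEIPT_TYPES}},
    ]


def rule_met(rule, msg):
    # A missing attribute never satisfies a condition.
    return all(msg.get(name) in allowed for name, allowed in rule["when"].items())


def decide(rules, msg):
    met = {r["kind"] for r in rules if rule_met(r, msg)}
    if "negative" in met:          # assumption: negative rules prevail
        return "suppressed"
    return "sent" if "positive" in met else "not subscribed"


# Constructed sample traffic for one DCP.
RULES = build_rule_set({"BANK-A2A-01"})
SAMPLES = [
    {"message_type": "sese.024", "is_copy": False},
    {"message_type": "sese.023", "is_copy": True,
     "system_user_reference": "BANK-A2A-01", "instruction_type": "DVP"},
    {"message_type": "sese.023", "is_copy": True, "already_matched": False,
     "system_user_reference": "CCP-A2A-07", "instruction_type": "DVP"},
    {"message_type": "sese.023", "is_copy": True, "already_matched": True,
     "system_user_reference": "CCP-A2A-07", "instruction_type": "RVP"},
    {"message_type": "semt.002", "is_copy": False},
]


def decisions():
    return [decide(RULES, m) for m in SAMPLES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, decisions()):
        print(msg["message_type"], result)
```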

Report Configuration
Configuration options

T2S Definition
‒ Reports provide consolidated information about positions, instructions or static data, e.g. Statement of Hold, Securities Transactions Pending, Securities Transactions Posting

Delta / Full Reports
‒ Delta reports list the changes compared to the last business day or intraday compared to the last reporting period, e.g. list of settled transactions or changes in positions
‒ Full reports provide a complete snapshot, e.g. list of pending instructions or of positions

Push / Pull Mode
‒ In push mode, T2S sends the report to the party specified once the report is generated
‒ In pull mode, the DCP must actively request the report after it was generated

T2S Triggers
‒ It can be defined at which time / event T2S shall create a certain report
‒ Event triggers can be start of NTS, start of RTS etc., but also EESR 1)
‒ The same report can be generated several times a day
‒ Reports cannot be subscribed to on a weekly / monthly / irregular basis
‒ In this case, a separate configuration is required for every day
‒ Reports must be configured for a minimum of two consecutive days. One of the days can be on a weekend

Please note
‒ T2S CR577 was raised to allow the configuration of reports for one day
currently pending and on the list of potential CRs for T2S Release 2.0) 2)

1) EESR (“EoD Extract Data for Statements and Reports”) is a T2S business event during the End of Day period
2) http://www.ecb.europa.eu/paym/t2s/progress/pdf/tg/crg/crg58/04.t2s_0577_sys.pdf

Report Configuration
Receiver of the reports
‒ DCPs can only configure reports related to their T2S parties and related accounts in such a way that the DCP itself is recipient of the report
‒ If a report related to one party shall be sent to another party, it has to be requested at CBF
‒ Alternatively, the PTA of the intended recipient can be added to the party data of the account owner
  ‒ This way, another party than the account owner could be defined as receiver of a report
  ‒ For this a conditional routing is required

Please note
‒ T2S CR578 was raised to enable DCPs to apply such configurations without the interaction of a CSD / NCB 1)

1) http://www.ecb.europa.eu/paym/t2s/progress/pdf/tg/crg/crg58/04.t2s_0578_sys.pdf

Report Configuration
Report configuration recommended by CBF

Columns 1 to 6 belong to “Report Configuration”, columns 7 to 11 to “Report Configuration Party Links”.

Configuration Name | Description | Delta Mode | Parent BIC | BIC | Report Name | Parent BIC | BIC | Valid From | Push Mode | Event type
Statement of Holdings | semt.002 | NO | DAKVDEFFXXX | DCP BIC | Statement of Holdings | DAKVDEFFXXX | DCP BIC | 06/02/2017 | YES | EESR
Statement of settled SI | semt.017 | YES | DAKVDEFFXXX | DCP BIC | Statement of Transactions | DAKVDEFFXXX | DCP BIC | 06/02/2017 | YES | EESR
Statement of Pending SI | semt.018 | YES | DAKVDEFFXXX | DCP BIC | Statement of Pending Instructions | DAKVDEFFXXX | DCP BIC | 06/02/2017 | YES | EESR
Statement of settled SR | semt.016 | YES | DAKVDEFFXXX | DCP BIC | Statement of Settled Intra-Position Movements | DAKVDEFFXXX | DCP BIC | 06/02/2017 | YES | EESR
Statement of Pending SR | semt.034 | YES | DAKVDEFFXXX | DCP BIC | Statement of Pending Intra-Position Movements | DAKVDEFFXXX | DCP BIC | 06/02/2017 | YES | EESR
Statement of allegements | semt.019 | YES | DAKVDEFFXXX | DCP BIC | Statement of Settlement Allegements | DAKVDEFFXXX | DCP BIC | 06/02/2017 | YES | EESR
Securities Activity Advice | reda.009 | NO | DAKVDEFFXXX | DCP BIC | Statement of Static Data for Securities | DAKVDEFFXXX | DCP BIC | 06/02/2017 | YES | EESR

Routing Configuration
CBF will link the PTA to a Network Service
‒ Per Network Service (NS) a Party Technical Address (PTA) must be defined which T2S is using when sending messages and reports to a specific PTA
‒ T2S differentiates between four different NS channels
  ‒ Real time messages and real time files
  ‒ Store and forward messages and store and forward files
‒ All four channels are provided by SWIFT and by SIA-Colt
‒ For each channel that will be used, a corresponding PTA must be linked. This can be the same PTA for all channels
‒ Currently links between PTA and NS must be established by the CSDs. If DCPs require a change in their NSP or NS channels, a configuration change would have to be requested at CBF 1)

PTA to NS link can only be created after the T2S party edit screen of the related party was

1) T2S CR578 was raised to enable DCPs to apply such configurations without the interaction of a CSD / NCB: http://www.ecb.europa.eu/paym/t2s/progress/pdf/tg/crg/crg58/04.t2s_0578_sys.pdf

Routing Configuration
DCP has to define the default routing
‒ T2S applies a mandatory routing for the following outbound communication (i.e. to the same Network Service and PTA used for the inbound communication):
  ‒ Acknowledgment of receipt
  ‒ Reactions on erroneous inbound messages
  ‒ Query results
‒ For all other types of outbound communication, the Configuration User of a DCP must define a related routing configuration:
  ‒ either a default configuration only (applicable for all outbound communication of a specific network service), e.g. in case only one PTA is linked to a NS
  ‒ (to be used by T2S on the basis of a given set of parameters), e.g. in case various PTAs are linked to a NS
‒ Those configurations have to be compliant with network service usage as per UDFS Version 2.1 (please refer to section 1.3.1.5).

Routing Configuration
Additionally, DCP can define conditional routing
‒ Conditional routing can only be configured after the default routing (to a default PTA) for a given Network Service was defined
‒ Conditional routing can be used, e.g.
  ‒ If different compression should be used for different flows within the same PTA
  ‒ If a DCP wants to use two or more PTAs for a given Network Service, where some message types and reports shall not be sent to the default PTA but to a different PTA
‒ As conditional routing parameters the message type, the file size and the currency of a message / file can be used
‒ Conditional routing can be set up using positive and negative rules
  ‒ For positive rules, T2S will use a given PTA and NS if the rule applies
  ‒ For negative rules, T2S will not use a given PTA and NS if the rule applies

DCP – T2S Access Right Model
1 Setup Tasks by CBF
2 Setup Tasks by DCP
3 Data Scope Adjustments
4 Power of Attorney Concept

Data Scope Adjustments
Introduction

CBF
‒ Per default, DCPs can instruct on all their accounts
‒ However, sub-accounts opened for dedicated services available in CBF may not be instructed in DCP mode, but only in ICP mode (e.g. TEFRA D release) or by CBF systems (e.g. Xemac)
‒ CBF will reflect these limitations on T2S by configuring data scope reductions for such sub-accounts

DCP Customer
‒ The concept of data scope extension or reduction can also be applied by DCPs, if they want to fine tune access rights of their users, e.g. so that they can access only certain accounts of the DCP

Data Scope Adjustments
Data scope adjustments on T2S object privileges
‒ In the T2S default setup, object privileges cover the party and all accounts of the owner of the privilege, e.g. if DCP party A has the object privilege Send Settlement Instruction, instructions can be submitted on all accounts owned by this specific party
‒ Additionally, the scope of an object privilege can be reduced or extended to cover also
‒ For DCPs there are approx. 30 object privileges from the following classes which can be adjusted
  ‒ Send / amend / cancel settlement instruction
  ‒ Query positions, instructions and static data

Data Scope Adjustments
Setting up data scope adjustments on party and user level
‒ Data scope adjustments can only be configured on single object privileges but not on privileges that are part of a role. The data scope of a single object privilege always
‒ Granting object privileges with data scope adjustments is a multi-step process
  1. CBF grants an object privilege as single privilege to a DCP party
  2. CBF extends the data scope of the privilege (e.g. in case PoA was requested)
  3. The Admin User grants the object privilege to a user as single privilege
  4. The Admin User reduces the data scope of the privilege given to the user further
extensions granted also on party level

Please note
‒ The cascading effect of data scope adjustments is described in T2S CR554
‒ This CR is foreseen for Release 1.2 (prior to CBF migration), but it will not yet be deployed
environments at start of CBF simulation phase

Data Scope Reductions
Specific reductions applied by CBF
‒ For dedicated sub-accounts, the data scope of certain settlement privileges will be reduced by CBF, i.e. send / amend / hold / release / cancel settlement instruction
‒ Hence, the DCP will not be able to submit, modify or cancel instructions on these accounts in DCP mode. This can only be done in ICP mode or by CBF systems
‒ Nevertheless, DCPs will be able to use all query options (e.g. see positions and instructions, receive reports, etc.) for these accounts
T2S Change Requests – CR T2S-0554-SYS
“Data scope reduction on party level should also reduce data scope on user level”
https://www.ecb.europa.eu/paym/t2s/progress/pdf/suburd/cr/t2s_0554_sys.pdf
Background
‒ When an object privilege is granted to a party, role or user, it has a default data
by the party or only some of them. T2S foresees functionality to reduce or extend the data scope
‒ Currently, if the data scope is reduced on Party Level, this is not cascaded down to user level. In other words, with the current setup any customer can instruct on any subaccount, for example debit collateral accounts, or blocking accounts
‒ CBF considers this issue a showstopper which might block the migration of the German market to T2S
Scope
‒ For any object privilege, T2S must ensure that the data scope of a user is always a subset of the data scope of the party of the user. T2S must ensure that the restricted object is also removed from the data scope of said object privilege for all users of this party
‒ The same must be applied in case a data scope extension is revoked on party level
Status
‒ In the PMG TelCo (12 February 2016), it was concluded that the CR will be anticipated with other CRs from Release 1.2
‒ Delivery into Eurosystem Acceptance environment planned for 27 May 2016
Customer Benefit
‒ This CR enables CSDs to restrict or extend the data scope of CSD participants on user level. This is a pre-condition for CBF’s migration to T2S
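The subset rule requested in CR T2S-0554-SYS, as a small Python model added here for illustration (not T2S or CBF code). The party name, user name and account identifiers are constructed; the two privilege names are taken from the privilege lists in this deck.

```python
from dataclasses import dataclass, field


@dataclass
class Party:
    name: str
    # privilege -> set of securities accounts in the party's data scope
    scope: dict = field(default_factory=dict)
    # user -> {privilege -> set of accounts in the user's data scope}
    users: dict = field(default_factory=dict)

    def grant_to_user(self, user, privilege, accounts):
        """A user may only receive objects that are in the party's own scope."""
        accounts = set(accounts)
        outside = accounts - self.scope.get(privilege, set())
        if outside:
            raise PermissionError(f"outside party scope: {sorted(outside)}")
        self.users.setdefault(user, {}).setdefault(privilege, set()).update(accounts)

    def reduce_scope(self, privilege, account, cascade):
        """Remove one account from the party's scope for one privilege.

        Covers both a reduction and the revocation of an earlier extension.
        cascade=False models the behaviour the slide describes as current;
        cascade=True models the rule the change request asks for.
        """
        self.scope.get(privilege, set()).discard(account)
        if cascade:
            for grants in self.users.values():
                grants.get(privilege, set()).discard(account)

    def violations(self):
        """(user, privilege, account) triples that break 'user scope is a subset'."""
        return sorted(
            (user, priv, acc)
            for user, grants in self.users.items()
            for priv, accounts in grants.items()
            for acc in accounts - self.scope.get(priv, set())
        )


def demo(cascade):
    # Constructed sample data: one main account and one dedicated sub-account.
    accounts = {"7999-000-MAIN", "7999-550-COLLATERAL"}
    party = Party("DCP-B", scope={
        "SIG_SNDSI": set(accounts),
        "DDQ_SettlInstructQuery": set(accounts),
    })
    party.grant_to_user("USER-B3", "SIG_SNDSI", accounts)
    party.grant_to_user("USER-B3", "DDQ_SettlInstructQuery", accounts)
    # The CSD reduces only the send-instruction scope; query scope is untouched.
    party.reduce_scope("SIG_SNDSI", "7999-550-COLLATERAL", cascade=cascade)
    return party.violations()


if __name__ == "__main__":
    print("without cascade:", demo(cascade=False))
    print("with cascade:   ", demo(cascade=True))
```

Running `violations()` as a periodic reconciliation over exported access-rights data gives an independent check that no user still holds an object the party has lost.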
DCP – T2S Access Right Model
1 Setup Tasks by CBF
2 Setup Tasks by DCP
3 Data Scope Adjustments
4 Power of Attorney Concept
  ‒ Introduction
  ‒ DCP PoA Setup via Linkage to Certificate DN
Power of Attorney Concept
Introduction
‒ With Power of Attorney (PoA) an account owner grants another actor the right to operate the accounts of the account owner on his behalf
‒ The account owner is referred to as PoA Giver
‒ The account operator is referred to as PoA Taker
‒ A PoA always requires a legal agreement between the PoA Giver and a PoA Taker
‒ CBF must be informed about PoA setups between CBF account masters even if CBF does not have to be actively involved to implement the PoA
‒ A distinction needs to be made between ICP technical PoA setups and DCP PoA setups
‒ ICP technical PoA setups are in place in CBF today. These existing PoA setups will remain valid with T2S for the ICP straight-through-processing channels
‒ DCP PoA setups enable one DCP party to operate accounts of another T2S Party in DCP mode
‒ DCP PoA setups will be independent from existing ICP PoA setups
Power of Attorney Concept
CBF supports two types of DCP PoA Setups
DCP PoA Setup via Linkage to Certificate DN
‒ PoA Taker and PoA Giver are CBF customers acting in full DCP mode
‒ In this setup the PoA Giver creates a T2S user which will be linked to a DN of the PoA Taker
‒ This scenario offers the most flexibility and does not require setup activities by CBF for the access rights configuration
‒ CBF needs to be informed about every existing PoA setup between CBF Account Holders
DCP PoA Setup via Data Scope Extension (for CCPs)
‒ PoA Taker is a CCP or trading platform acting in full DCP mode
‒ CBF extends the data scope of the CCP by main accounts of CCP customers
‒ CCP customers (PoA Giver) can be CBF customers in ICP or DCP mode
‒ CCP may instruct on accounts of the PoA Giver but cannot query information
‒ For details on this setup, please refer to the appendix
DCP PoA Setup via Linkage to Certificate DN
Setup recommended by CBF (1/2)
‒ In this setup the PoA Giver B creates a T2S user to be operated by the PoA Taker A
‒ The PoA Giver B grants to this user all privileges which shall be available for the PoA Taker A
‒ The PoA Giver B links this user to a Certificate DN of the PoA Taker A
Identification: A PoA Taker User will be identified in T2S through his specific System User Reference (SUR). Preferably this SUR reflects the PoA relation, e.g. “A on behalf of B”
[Diagram. Labels: CBF; DCP Party; T2S User of DCP; Certificate DNs (Ou=T2S, O=prod,); Token; Physical users; DCP B (7999) POAGIVERXXX with Admin B1, Admin B2, User B3, User B4 for A; DCP A (6789) POATAKERXXX with Admin A1, Admin A2, User A3; Settlement Operations A; Settlement Operations B]
Please refer to appendix to find an alternative solution
DCP PoA Setup via Linkage to Certificate DN
Setup recommended by CBF (2/2)
‒ With this setup, the extent of the PoA setup can easily be defined by PoA Giver B via different profiles which can then be passed to PoA Taker A:
  ‒ Full account administration profile with all settlement privileges
  ‒ Settlement only profile which enables PoA Taker A to instruct and cancel on accounts of PoA Giver B, but not to query instructions and positions
  ‒ Read-only profile which allows PoA Taker A to query certain information on accounts of PoA Giver B, but not to submit or amend settlement instructions
  ‒ Other profiles with even more granular definition of privileges
‒ This PoA setup is possible only if both parties are CBF customers acting in full DCP mode
‒ It may apply between two DCP parties owned by the same bank, but can apply between DCP parties owned by different banks as well
‒ In case of a PoA relation between two different legal entities, CBF needs to be informed about this relation if this has not already happened through previous PoA relations
DCP PoA Setup via Linkage to Certificate DN
Instruction details and filling of BAH
Please note For A2A mode: ‒ Every T2S party (and connected SACs) can only be instructed using the instructing party BIC
T2S party and also the unique A2A User specifically
setup ‒ The identification of the instructing physical user/system is possible through the System User Reference
‒ Access for U2A mode: Physical user of A (PoA Taker) can log in as user of B (PoA Giver). He can then send settlement instructions in the name of B as well as query instructions and position details on accounts of B
‒ Operating in A2A mode: PoA Taker A has to populate the BAH of an ISO20022 message with the System User Reference of the T2S User that B has created for him, but with the technical signature relating to the Certificate of A to which the T2S User was linked. In addition, the BIC of B (PoA Giver) has to be entered as Instructing Party
Header (head.001)
  <Fr>
    <FIId>
      <FinInstnId>
        <BICFI>POAGIVERXXX</BICFI>
        <ClrSysMmbId>
          <MmbId>POATakerOnBehalfOfPOAGiver</MmbId>
        </ClrSysMmbId>
      </FinInstnId>
    </FIId>
  </Fr>
  <To> (e.g. CBF @ T2S)
  <Sgntr>Digital signature of the Certificate DN owned by PoA Taker</Sgntr>
<Payload> (e.g. sese.023)
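The A2A rule above amounts to a three-way consistency check between the instructing party BIC, the System User Reference and the signing certificate DN. The Python sketch below is an added example, not T2S or CBF code; the user registry, the DN strings and the BAH fragment are constructed, and the signer DN is assumed to come from a signature that has already been verified.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Constructed reference data (not from the deck): each T2S user is keyed by its
# System User Reference and records the owning party BIC and the linked DNs.
USERS = {
    "POATakerOnBehalfOfPOAGiver": {
        "party_bic": "POAGIVERXXX",
        "linked_dns": ["CN=ops-a, OU=T2S, O=prod, O=example-taker"],
    },
    "UserB3": {
        "party_bic": "POAGIVERXXX",
        "linked_dns": ["CN=user-b3, OU=T2S, O=prod, O=example-giver"],
    },
}

# Constructed BAH fragment that follows the head.001 sketch on the slide.
SAMPLE_BAH = """\
<AppHdr xmlns="urn:iso:std:iso:20022:tech:xsd:head.001.001.01">
  <Fr><FIId><FinInstnId>
    <BICFI>POAGIVERXXX</BICFI>
    <ClrSysMmbId><MmbId>POATakerOnBehalfOfPOAGiver</MmbId></ClrSysMmbId>
  </FinInstnId></FIId></Fr>
</AppHdr>"""


class Decision(NamedTuple):
    allowed: bool
    reason: str
    audit: dict


def normalize_dn(dn):
    """Comparison key ignoring case and spacing (does not handle escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_sender(bah_xml, signer_dn, users=USERS):
    """Check that BIC, System User Reference and signing DN belong together."""
    root = ET.fromstring(bah_xml)
    # "{*}" matches any namespace (Python 3.8+).
    sender = root.find("./{*}Fr/{*}FIId/{*}FinInstnId")
    if sender is None:
        return Decision(False, "missing sender identification", {})
    bic = (sender.findtext("{*}BICFI") or "").strip()
    sur = (sender.findtext("{*}ClrSysMmbId/{*}MmbId") or "").strip()
    # The audit record keeps all three identities so that an instruction sent
    # under the giver's BIC can still be attributed to the taker.
    audit = {"instructing_party": bic, "system_user": sur,
             "signer_dn": normalize_dn(signer_dn)}
    user = users.get(sur)
    if user is None:
        return Decision(False, "unknown system user reference", audit)
    if user["party_bic"] != bic:
        return Decision(False, "user does not belong to instructing party", audit)
    if audit["signer_dn"] not in {normalize_dn(d) for d in user["linked_dns"]}:
        return Decision(False, "certificate DN not linked to user", audit)
    return Decision(True, "ok", audit)
```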
DCP PoA Setup via Linkage to Certificate DN
Message subscription and report configuration
If a differentiation can be made on message
types should be sent to PoA Giver or PoA Taker, CBF is not directly involved.
‒ The Party Technical Address (PTA) of PoA Taker is also stored as party attribute of PoA Giver
‒ Configuration User of PoA Giver first configures in the Message Subscriptions and in the Report Configuration which messages and reports shall be sent in general
‒ Configuration User of PoA Giver then configures in the Routing Configuration whether a given message type should be sent to the PTA of PoA Taker or PoA Giver
Assumption: This setup will mainly apply to report configuration.
If both PoA Taker and PoA Giver need to receive messages of a given type, CBF must support the preparation of the related configuration.
‒ Message Subscriptions: CBF will prepare two generic message subscription rule sets for interested party PoA Taker (one positive rule set, one negative rule set) 1). Configuration User of PoA Giver can then add the required detailed rules for this specific combination, so that PoA Taker receives all required messages
‒ Report Configuration: Each report must be assigned separately to a given party by CBF 1)
Assumption: This setup will mainly apply to message subscriptions.
PoA Taker and PoA Giver should receive messages of a given type from T2S
1) This setup must be requested through a corresponding request form
PoA Taker or PoA Giver should receive messages of a given type from T2S
DCP PoA Setup via Linkage to Certificate DN
Identification of messages from PoA Taker
‒ In order to clearly differentiate messages submitted by PoA Taker, CBF suggests to incorporate the name of PoA Taker already in the Login Name and in the System User Reference of the specific user to be linked to PoA Taker, e.g.
  ‒ “7899 on behalf of 7000”
  ‒ “John Sample on behalf of PoA Giver”
‒ In this way all messages instructed by PoA Taker can be clearly assigned to PoA Taker, which is also important for tracking / revision / audit trail purposes
‒ If the PoA Giver wants to see whether an instruction was initiated by PoA Giver
instructing user will be specified together with the other instruction details
‒ Alternatively, the instructing user can also be found in the copy of sese.023 Securities Settlement Transaction Instruction, if PoA Giver is interested in subscribing for this T2S message type
Clearstream Banking
For further information, please contact:
T2S EGR Team
‒ Tel. +49 (0) 69 / 211 18 27 8
‒ Fax. +49 (0) 69 / 211 60 80 60
‒ T2S Mailbox – T2S-Support@clearstream.com
Thank you
List of all Privileges and related Roles
Roles granted to the Admin Users
‒ The basic administrator role will be granted to each Admin User directly. The privileges will be granted in 4-Eyes mode with Admin flag set to “FALSE”. The privileges will not be granted as individual privileges
‒ In addition, the Administrator specific 4-Eyes role is granted to the Admin User
CBF role: Access Rights Administrator – Basic
  T2S privilege class: Access Rights Management
    ‒ ARM_AdministerParty
    ‒ ARM_GrantRole
    ‒ ARM_GrantPrivilege
  T2S privilege class: Access Rights Queries
    ‒ ARQ_GrantObjectPrivilegesListQuery
    ‒ ARQ_GrantedRolesListQuery
    ‒ ARQ_GrantedSysPrivilegesListQuery
CBF role: Administrator 4-Eyes Configuration
  T2S privilege class: Dynamic Data Queries
    ‒ DDQ_DataChan-BusinessObjDetailQuery
    ‒ DDQ_DataChan-BusinessObjListQuery
List of all Privileges and related Roles
Further administrator roles granted to each DCP Party
‒ The advanced administrator role will be granted to each DCP party. The privileges will be granted in 4-Eyes mode with Admin flag set to “FALSE”. The privileges will also be granted as individual privileges
‒ The Administrator Query privileges will be granted in 2-Eyes mode, as all other DCP query privileges
CBF role: Access Rights Administrator – Advanced
  T2S privilege class: Access Rights Management
    ‒ ARM_CreateUser
    ‒ ARM_UpdateUser
    ‒ ARM_DeleteUser
    ‒ ARM_CreateCertificateDN
    ‒ ARM_DeleteCertificateDN
    ‒ ARM_CreateUserCertificDNLink
    ‒ ARM_DeleteUserCertificDNLink
    ‒ ARM_RevokePrivilege
CBF role: Access Rights Administrator – Queries
  T2S privilege class: Access Rights Queries
    ‒ ARQ_PrivilegeQuery
    ‒ ARQ_T2SSysUserQueryT2SActorQuery
    ‒ ARQ_RoleListQuery
    ‒ ARQ_CertificateDNQuery
    ‒ ARQ_UserCertifDNLinkQuery
List of all Privileges and related Roles
Query privileges granted to each DCP Party (1/4)
‒ All query privileges will be granted in 2-Eyes mode with Admin flag set to “FALSE”
CBF role: Report & Queries
  T2S privilege class: Dynamic Data Queries
    ‒ DDQ_BroadcastQuery
    ‒ DDQ_InboundFilesDetailsQuery
    ‒ DDQ_InboundFilesListQuery
    ‒ DDQ_InboundMessDetailsQuery
    ‒ DDQ_InboundMessListQuery
    ‒ DDQ_OutboundFilesDetailsQuery
    ‒ DDQ_OutboundFilesListQuery
    ‒ DDQ_OutboundMessDetailsQuery
    ‒ DDQ_OutboundMessListQuery
  T2S privilege class: Network Configuration Queries
    ‒ NCQ_T2SBICQuery
  T2S privilege class: Report Queries
    ‒ RCO_ReportDetailsQuery
    ‒ RCO_ReportListQuery
List of all Privileges and related Roles
Query privileges granted to each DCP Party (2/4)
CBF role: Settlement Queries
  T2S privilege class: Dynamic Data Queries
    ‒ DDQ_AllegementQuery
    ‒ DDQ_AmdInsIntrPosMovSetInsAudTrDetQ
    ‒ DDQ_AmdInsIntrPosMovSetInsAudTrLisQ
    ‒ DDQ_AmendInstrQIntraPosMov+SetInstr
    ‒ DDQ_CancInstrIntraPosMovAudTrDetQ
    ‒ DDQ_CancInstrIntraPosMovAudTrLisQ
    ‒ DDQ_CancInstrForSI+IntraPosMovQuery
    ‒ DDQ_HoldReleInstrAuditTrailLisQuery
    ‒ DDQ_HoldReleInstrAuditTrailDetQuery
    ‒ DDQ_IntraPosMovAuditTrailDetQuery
    ‒ DDQ_IntraPosMovAuditTrailListQuery
    ‒ DDQ_IntraPosMovQuery
    ‒ DDQ_MaintForIntraPosMov+SettlInstrQ
    ‒ DDQ_SecuritiesAccountPositionQuery
    ‒ DDQ_SecuritiesPostingQuery
    ‒ DDQ_SecurPosDetailedRestrDetailsQue
    ‒ DDQ_SettlInstructAuditTrailQuery
    ‒ DDQ_SettlInstructCurrentStatusQuery
    ‒ DDQ_SettlInstructQuery
    ‒ DDQ_SettlInstructStatusAuditTrailQu
List of all Privileges and related Roles
Query privileges granted to each DCP Party (3/4)
CBF role: Static Data Queries
  T2S privilege class: MSA Data Queries
    ‒ MSA_AttributeDomainDetailsQuery
    ‒ MSA_AttributeDomainListQuery
    ‒ MSA_DisplayAttribDomainRefDetQuery
    ‒ MSA_DisplayAttribDomainRefListQuery
    ‒ MSA_ConditSecDeliveryRuleQuery
    ‒ MSA_ConditSecDeliveryRuleSetQuery
    ‒ MSA_Market-SpecAttributeDetailQuery
    ‒ MSA_Market-SpecAttributeQuery
    ‒ MSA_Market-SpecRestrictListQuery
    ‒ MSA_Market-SpecRestrictDetailQuery
    ‒ MSA_MarkSpecRestrTypeRuleParamDetQ
    ‒ MSA_MarkSpecRestrTypeRuleSetListQue
  T2S privilege class: Party Data Queries
    ‒ PDQ_PartyListQuery
    ‒ PDQ_PartyReferDataQuery
    ‒ PDQ_RestrictedPartyQuery
  T2S privilege class: SAC Data Queries
    ‒ SAQ_DisplayCMBSecAccLinkListQuery
    ‒ SAQ_SecuritiesAccountListQuery
    ‒ SAQ_SecuritiesAccReferenceDataQuery
List of all Privileges and related Roles
Query privileges granted to each DCP Party (4/4)
CBF role: Static Data Queries
  T2S privilege class: Scheduling Queries
    ‒ Closing Day Query
    ‒ Current Status of the T2S Settlement Day
    ‒ Default Event Schedule Details Query
    ‒ Event Type Details Query
    ‒ Event Type List Query
    ‒ T2S Calendar Query
    ‒ T2S Diary Query
  T2S privilege class: Security Data Queries
    ‒ Eligible Counterpart CSD Details Query
    ‒ Eligible Counterpart CSD List Query
    ‒ ISIN List Query
    ‒ Securities CSD Link Query
    ‒ Securities Deviating Nominal Query
    ‒ Securities Reference Data Query
  T2S privilege class: Static Data Queries
    ‒ SDQ_CountryQuery
    ‒ SDQ_CurrencyQuery
    ‒ SDQ_PartialSettlThresholdQuery
    ‒ SDQ_ResidualStaticDataAudTrailQuery
    ‒ SDQ_SystemEntityQuery
    ‒ SDQ_ToleranceAmountQuery
List of all Privileges and related Roles
Report Configuration, 4-Eyes privileges and some Settlement Privileges (except instruction privilege) are granted to each DCP Party
CBF role: Report Configuration
  T2S privilege class: Report Configuration Queries
    ‒ RCO_ReportConfigDetailQuery
    ‒ RCO_ReportConfigListQuery
  T2S privilege class: Report Configuration
    ‒ RCO_CreateReportConfiguration
    ‒ RCO_DeleteReportConfiguration
    ‒ RCO_UpdateReportConfiguration
CBF role: Settlement
  T2S privilege class: Settlement General
    ‒ SIG_AMNPI Amend Process Indicator of a Settlement Instruction / Settlement Restriction on Securities on a Securities Account
    ‒ SIG_CANCI Cancel Settlement Instruction / Settlement Restriction on Securities on a Securities Account
    ‒ SIG_LIPRP Link to an Instruction / Pool Reference belonging to a specific Party
    ‒ SIG_PTYHI Party Hold Settlement Instruction on a Securities Account
    ‒ SIG_RPTYH Release Party Hold Settlement Instruction on a Securities Account
CBF role: 4-Eyes Configuration
  T2S privilege class: Dynamic Data Queries
    ‒ DDQ_DataChan-BusinessObjDetailQuery
    ‒ DDQ_DataChan-BusinessObjListQuery
List of all Privileges and related Roles
Roles granted to full DCP Parties only (1/4)
‒ The following roles will be granted to full DCP parties but not to GUI-only DCPs. The privileges will be granted in 2-Eyes mode with Admin flag set to “FALSE”. The privileges will also be granted as individual privileges
‒ Most important difference is that only full DCPs can send settlement instructions
‒ In addition, only full DCPs can re-send messages, or need to apply network configuration and message subscriptions
CBF role: Send Instruction
  T2S privilege class: Settlement General
    ‒ SIG_SIUIP Send new instruction using a specific Instructing Party
    ‒ SIG_SNDSI Send New Settlement Instruction / Settlement Restriction on Securities on a Securities Account
CBF role: Message Management
  T2S privilege class: Message Management
    ‒ MMA_Resend Communication
List of all Privileges and related Roles
Roles granted to full DCP Parties only (2/4)
CBF role: Configuration Reading
  T2S privilege class: Message Subscription Queries
    ‒ MSQ_MessSubscrRuleListQuery
    ‒ MSQ_MessSubscrRuleSetDetailQuery
    ‒ MSQ_MessSubscrRuleSetListQuery
  T2S privilege class: Network Configuration Queries
    ‒ NCQ_NetworkServiceListquery
    ‒ NCQ_RoutingListQuery
    ‒ NCQ_DisplayTechAddressNetSerLink
CBF role: Configuration Manager
  T2S privilege class: Message Subscription
    ‒ MSU_CreateMessageSubscriptionRule
    ‒ MSU_CreateMessSubsRuleSet
    ‒ MSU_DeleteMessageSubscriptionRule
    ‒ MSU_DeleteMessSubscriptionRuleSet
    ‒ MSU_UpdateMessageSubscriptionRule
    ‒ MSU_UpdateMessSubscriptionRuleSet
  T2S privilege class: Network Configuration
    ‒ NCO_CreateRouting
    ‒ NCO_DeleteRouting
    ‒ NCO_UpdateRouting
List of all Privileges and related Roles
Roles granted to full DCP Parties only (3/4)
CBF role: Settlement ISO Codes
  T2S class: Settlement ISO Codes
    ‒ SII_UBSBK Buy Sell Back
    ‒ SII_UCOLI Collateral In
    ‒ SII_UCOLO Collateral Out
    ‒ SII_UETFT Exchange Traded Funds
    ‒ SII_UFCTA Factor Update
    ‒ SII_UINSP Move Of Stock
    ‒ SII_UMKDW Mark Down
    ‒ SII_UMKUP Mark Up
    ‒ SII_UNETT Netting
    ‒ SII_UNSYN Non Syndicated
    ‒ SII_UOWNE External Account Transfer
    ‒ SII_UOWNI Internal Account Transfer
    ‒ SII_UPAIR Pair Off
    ‒ SII_UPLAC Placement
    ‒ SII_UREDM Redemption
    ‒ SII_URELE Depository Receipt Release Cancellation
List of all Privileges and related Roles
Roles granted to full DCP Parties only (4/4)
CBF role: Settlement ISO Codes
  T2S class: Settlement ISO Codes
    ‒ SII_UREPU Repo
    ‒ SII_URODE Return Delivery Without Matching
    ‒ SII_URVPO Reverse Repo
    ‒ SII_USBBK Sell Buy Back
    ‒ SII_USECB Securities Borrowing
    ‒ SII_USECL Securities Lending
    ‒ SII_USUBS Subscription
    ‒ SII_USYND Syndicate Underwriters
    ‒ SII_UTBAC TBA Closing
    ‒ SII_UTRAD Trade
    ‒ SII_UTRPO Triparty Repo
    ‒ SII_UTRVO Triparty Reverse Repo
    ‒ SII_UTURN Turnaround
DCP PoA Setup via Linkage to Certificate DN
Alternative solution
‒ CBF also allows the Admin Users of PoA Giver to already be linked to a token of PoA Taker. This way PoA Giver does not need to perform any action in the T2S GUI (all DCP configurations related to PoA Giver can be done by PoA Taker)
‒ On the other hand PoA Giver does not have the option to instruct in DCP mode nor control the DCP PoA Giver has given to PoA Taker
[Diagram. Labels: CBF; DCP Party; T2S User of DCP; Certificate DNs (Ou=T2S, O=prod,); Token; Physical users; DCP B (7999) POAGIVERXXX with Admin B1 for A, Admin B2 for A, User B3 for A; DCP A (6789) POATAKERXXX with Admin A1, Admin A2, User A3; Settlement Operations A]
DCP PoA Setup via Data Scope Extension
PoA for potential CCPs acting in DCP mode
‒ In this setup CBF extends the data scope of the CCP by the main account of the CCP client
‒ Only settlement related object privileges will be extended (send/amend/cancel/hold/release instr.)
‒ CCP administrator users have to pass the data scope extension on to all other relevant CCP users
‒ CCP can instruct on accounts of its client using the T2S user connected to the CCP party
‒ To enable a CCP to operate accounts of another customer in DCP mode, CBF requires an official PoA to grant the data scope extensions on T2S. A new CBF form for the DCP PoA setup shall be used
[Diagram. Labels: CBF; T2S Party; T2S User of DCP; Certificate DNs (Ou=T2S, O=prod,); Token; Physical users; ICP B (7999) POAGIVERXXX; CCP A (6789) POATAKERXXX with Admin A1, Admin A2, User A3; Settlement Operations A; Extend data scope; Privileges with extended data scope]
DCP PoA Setup via Data Scope Extension
Instruction scenarios in case CCP is acting in DCP mode
‒ CCP instructs on behalf of the client
  ‒ CCP receives status updates (sese.024) and settlement confirmation (sese.025)
  ‒ CCP cannot query the instruction in DCP mode, neither in A2A nor in U2A mode
  ‒ CCP can amend / hold / release / cancel the instruction in DCP mode using the T2S Actor Ref
  ‒ CCP cannot see or amend the instruction in ICP mode, unless a separate CASCADE PoA was provided to CBF
  ‒ Client can see the instruction in T2S as well as in CASCADE
  ‒ It depends on the “ModificationCancellationAllowed” flag if the CCP client can modify/cancel the instructions. However, this would only work in DCP mode. Currently, cancellation by the client in ICP mode is not implemented in CASCADE
‒ Client instructs (no CCP involvement)
  ‒ CCP can neither query nor amend/cancel the instruction in DCP mode
  ‒ CCP can neither query nor amend/cancel the instruction in ICP mode, unless a separate CASCADE PoA was provided to CBF