
You are viewing the version of the document as on 2021-01-01.

CHAPTER II ORGANISATIONAL REQUIREMENTS (Article 64(3), (4) and (5), Article 65(4), (5) and (6), and Article 66(2), (3) and (4) of Directive 2014/65/EU)[revoked]

Article 5 Conflicts of interest

  1. (1)

    A data reporting services provider shall operate and maintain effective administrative arrangements, designed to prevent conflicts of interest with clients using its services to meet their regulatory obligations and other entities purchasing data from data reporting services providers. Such arrangements shall include policies and procedures for identifying, managing and disclosing existing and potential conflicts of interest and shall contain:

    1. (a)

      an inventory of existing and potential conflicts of interest, setting out their description, identification, prevention, management and disclosure;

    2. (b)

      the separation of duties and business functions within the data reporting services provider including:

      1. (i)

        measures to prevent or control the exchange of information where a risk of conflicts of interest may arise;

      2. (ii)

        the separate supervision of relevant persons whose main functions involve interests that are potentially in conflict with those of a client;

    3. (c)

      a description of the fee policy for determining fees charged by the data reporting services provider and undertakings to which the data reporting services provider has close links;

    4. (d)

      a description of the remuneration policy for the members of the management body and senior management;

    5. (e)

      the rules regarding the acceptance of money, gifts or favours by staff of the data reporting services provider and its management body.

  2. (2)

    The inventory of conflicts of interest as referred to in paragraph 1(a) shall include conflicts of interest arising from situations where the data reporting services provider:

    1. (a)

      may realise a financial gain or avoid a financial loss, to the detriment of a client;

    2. (b)

      may have an interest in the outcome of a service provided to a client, which is distinct from the client's interest in that outcome;

    3. (c)

      may have an incentive to prioritise its own interests or the interest of another client or group of clients rather than the interests of a client to whom the service is provided;

    4. (d)

      receive or may receive from any person other than a client, in relation to the service provided to a client, an incentive in the form of money, goods or services, other than commission or fees received for the service.

Article 6 Organisational requirements regarding outsourcing

  1. (1)

    Where a data reporting services provider arranges for activities to be performed on its behalf by third parties, including undertakings with which it has close links, it shall ensure that the third party service provider has the ability and the capacity, to perform the activities reliably and professionally.

  2. (2)

    A data reporting services provider shall specify which of the activities are to be outsourced, including a specification of the level of human and technical resources needed to carry out each of those activities.

  3. (3)

    A data reporting services provider that outsources activities shall ensure that the outsourcing does not reduce its ability or power to perform senior management or management body functions.

  4. (4)

    A data reporting services provider shall remain responsible for any outsourced activity and shall adopt organisational measures to ensure:

    1. (a)

      that it assesses whether the third party service provider is carrying out outsourced activities effectively and in compliance with applicable laws and regulatory requirements and adequately addresses identified failures;

    2. (b)

      the identification of the risks in relation to outsourced activities and adequate periodic monitoring;

    3. (c)

      adequate control procedures with respect to outsourced activities, including effectively supervising the activities and their risks within the data reporting services provider;

    4. (d)

      adequate business continuity of outsourced activities;

    For the purposes of point (d), the data reporting services provider shall obtain information on the business continuity arrangements of the third party service provider, assess its quality and, where needed, request improvements.

  5. (5)

    A data reporting services provider shall ensure that the third party service provider cooperates with the competent authority of the data reporting services provider in connection with outsourced activities.

  6. (6)

    Where a data reporting services provider outsources any critical function, it shall provide the competent authority with:

    1. (a)

      the identification of the third party service provider;

    2. (b)

      the organisational measures and policies with respect to outsourcing and the risks posed by it as specified in paragraph 4;

    3. (c)

      internal or external reports on the outsourced activities.

    For the purpose of the first sub paragraph 6, a function shall be regarded as critical if a defect or failure in its performance would materially impair the continuing compliance of the data reporting services provider with the conditions and obligations of its authorisation or its other obligations under the Data Reporting Services Regulations 2017.

Article 7 Business continuity and back-up facilities

  1. (1)

    A data reporting services provider shall use systems and facilities that are appropriate and robust enough to ensure continuity and regularity in the performance of the services provided referred to in the Data Reporting Services Regulations 2017.

  2. (2)

    A data reporting services provider shall conduct periodic reviews, at least annually, evaluating its technical infrastructures and associated policies and procedures, including business continuity arrangements. A data reporting services provider shall remedy any deficiencies identified during the review.

  3. (3)

    A data reporting services provider shall have effective business continuity arrangements in place to address disruptive incidents, including:

    1. (a)

      the processes which are critical to ensuring the services of the data reporting services provider, including escalation procedures, relevant outsourced activities or dependencies on external providers;

    2. (b)

      specific continuity arrangements, covering an adequate range of possible scenarios, in the short and medium term, including system failures, natural disasters, communication disruptions, loss of key staff and inability to use the premises regularly used;

    3. (c)

      duplication of hardware components, allowing for failover to a back-up infrastructure, including network connectivity and communication channels;

    4. (d)

      back-up of business-critical data and up-to-date information of the necessary contacts, ensuring communication within the data reporting services provider and with clients;

    5. (e)

      the procedures for moving to and operating data reporting services from a back-up site;

    6. (f)

      the target maximum recovery time for critical functions, which shall be as short as possible and in any case no longer than six hours in the case of approved publication arrangements (APAs) and consolidated tape providers (CTPs) and until the close of business of the next working day in the case of approved reporting mechanisms (ARMs);

    7. (g)

      staff training on the operation of the business continuity arrangements, individuals' roles including specific security operations personnel ready to react immediately to a disruption of services;

  4. (4)

    A data reporting services provider shall set up a programme for periodically testing, reviewing and, where needed, modifying the business continuity arrangements.

  5. (5)

    A data reporting services provider shall publish on its website and promptly inform the competent authority and its clients of any service interruptions or connection disruptions as well as the time estimated to resume a regular service.

Article 8 Testing and capacity

  1. (1)

    A data reporting services provider shall implement clearly delineated development and testing methodologies, ensuring that:

    1. (a)

      the operation of the IT systems satisfies the data reporting services provider's regulatory obligations;

    2. (b)

      compliance and risk management controls embedded in IT systems work as intended;

    3. (c)

      the IT systems can continue to work effectively at all times.

  2. (2)

    A data reporting services provider shall also use the methodologies referred to in paragraph 1 prior to and following the deployment of any updates of the IT systems.

  3. (3)

    A data reporting services provider shall promptly notify the competent authority of any planned significant changes to the IT system prior to their implementation.

  4. (5)

    A data reporting services provider shall set up an on-going programme for periodically reviewing and, where needed, modifying the development and testing methodologies.

  5. (6)

    A data reporting services provider shall run stress tests periodically at least on an annual basis. A data reporting services provider shall include in the adverse scenarios of the stress test unexpected behaviour of critical constituent elements of its systems and communication lines. The stress testing shall identify how hardware, software and communications respond to potential threats, specifying systems unable to cope with the adverse scenarios. A data reporting services provider shall take measures to address identified shortcomings in those systems.

  6. (7)

    A data reporting services provider shall:

    1. (a)

      have sufficient capacity to perform its functions without outages or failures, including missing or incorrect data;

    2. (b)

      have sufficient scalability to accommodate without undue delay any increase in the amount of information to be processed and in the number of access requests from its clients.

Article 9 Security

  1. (1)

    A data reporting services provider shall set up and maintain procedures and arrangements for physical and electronic security designed to:

    1. (a)

      protect its IT systems from misuse or unauthorised access;

    2. (b)

      minimise the risks of attacks against the information systems;

    3. (c)

      prevent unauthorised disclosure of confidential information;

    4. (d)

      ensure the security and integrity of the data.

  2. (2)

    Where an investment firm ("reporting firm") uses a third party ("submitting firm") to submit information to an ARM on its behalf, an ARM shall have procedures and arrangements in place to ensure that the submitting firm does not have access to any other information about or submitted by the reporting firm to the ARM which may have been sent by the reporting firm directly to the ARM or via another submitting firm.

  3. (3)

    A data reporting services provider shall set up and maintain measures and arrangements to promptly identify and manage the risks identified in paragraph 1.

  4. (4)

    In respect of breaches in the physical and electronic security measures referred to in paragraphs 1, 2 and 3, a data reporting services provider shall promptly notify:

    1. (a)

      the competent authority and provide an incident report, indicating the nature of the incident, the measures adopted to cope with the incident and the initiatives taken to prevent similar incidents;

    2. (b)

      its clients that have been affected by the security breach.

Article 10 Management of incomplete or potentially erroneous information by APAs and CTPs

  1. (1)

    APAs and CTPs shall set up and maintain appropriate arrangements to ensure that they accurately publish the trade reports received from investment firms and, in the case of CTPs, from trading venues and APAs, without themselves introducing any errors or omitting information and shall correct information where they have themselves caused the error or omission.

  2. (2)

    APAs and CTPs shall continuously monitor in real-time the performance of their IT systems ensuring that the trade reports they have received have been successfully published.

  3. (3)

    APAs and CTPs shall perform periodic reconciliations between the trade reports they receive and the trade reports that they publish, verifying the correct publication of the information.

  4. (4)

    An APA shall confirm the receipt of a trade report to the reporting investment firm, including the transaction identification code assigned by the APA. An APA shall refer to the transaction identification code in any subsequent communication with the reporting firm in relation to a specific trade report.

  5. (5)

    An APA shall set up and maintain appropriate arrangements to identify on receipt trade reports that are incomplete or contain information that is likely to be erroneous. These arrangements shall include automated price and volume alerts, taking into account:

    1. (a)

      the sector and the segment in which the financial instrument is traded;

    2. (b)

      liquidity levels, including historical trading levels;

    3. (c)

      appropriate price and volume benchmarks;

    4. (d)

      if needed, other parameters according to the characteristics of the financial instrument.

  6. (6)

    Where an APA determines that a trade report it receives is incomplete or contains information that is likely to be erroneous, it shall not publish that trade report and shall promptly alert the investment firm submitting the trade report.

  7. (7)

    In exceptional circumstances APAs and CTPs shall delete and amend information in a trade report upon request from the entity providing the information when that entity cannot delete or amend its own information for technical reasons.

  8. (8)

    APAs shall publish non-discretionary policies on information cancellation and amendments in trade reports which set out the penalties that APAs may impose on investment firms providing trade reports where the incomplete or erroneous information has led to the cancellation or amendment of trade reports.

Article 11 Management of incomplete or potentially erroneous information by ARMs

  1. (1)

    An ARM shall set up and maintain appropriate arrangements to identify transaction reports that are incomplete or contain obvious errors caused by clients. An ARM shall perform validation of the transaction reports against the requirements established under Article 26 of Regulation (EU) No 600/2014 for field, format and content of fields in accordance with Table 1 of Annex I to Commission Delegated Regulation (EU) 2017/590.

  2. (2)

    An ARM shall set up and maintain appropriate arrangements to identify transaction reports which contain errors or omissions caused by that ARM itself and to correct, including deleting or amending, such errors or omissions. An ARM shall perform validation for field, format and content of fields in accordance with Table 1 of Annex I to Delegated Regulation (EU) 2017/590.

  3. (3)

    An ARM shall continuously monitor in real-time the performance of its systems ensuring that a transaction report it has received has been successfully reported to the competent authority in accordance with Article 26 of Regulation (EU) No 600/2014.

  4. (4)

    An ARM shall perform periodic reconciliations at the request of the competent authority between the information that the ARM receives from its client or generates on the client's behalf for transaction reporting purposes and data samples of the information provided by the competent authority.

  5. (5)

    Any corrections, including cancellations or amendments of transaction reports, that are not correcting errors or omissions caused by an ARM, shall only be made at the request of a client and per transaction report. Where an ARM cancels or amends a transaction report at the request of a client, it shall provide this updated transaction report to the client.

  6. (6)

    Where an ARM, before submitting the transaction report, identifies an error or omission caused by a client, it shall not submit that transaction report and shall promptly notify the investment firm of the details of the error or omission to enable the client to submit a corrected set of information.

  7. (7)

    Where an ARM becomes aware of errors or omissions caused by the ARM itself, it shall promptly submit a correct and complete report.

  8. (8)

    An ARM shall promptly notify the client of the details of the error or omission and provide an updated transaction report to the client. An ARM shall also promptly notify the competent authority about the error or omission.

  9. (9)

    The requirement to correct or cancel erroneous transaction reports or report omitted transactions shall not extend to errors or omissions which occurred more than five years before the date that the ARM became aware of such errors or omissions.

Article 12 Connectivity of ARMs

  1. (1)

    An ARM shall have in place policies, arrangements and technical capabilities to comply with the technical specification for the submission of transaction reports required by the competent authority.

  2. (2)

    An ARM shall have in place adequate policies, arrangements and technical capabilities to receive transaction reports from clients and to transmit information back to clients. The ARM shall provide the client with a copy of the transaction report which the ARM submitted to the competent authority on the client's behalf.

Article 13 Other services provided by CTPs

  1. (1)

    A CTP may provide the following additional services:

    1. (a)

      provision of pre-trade transparency data;

    2. (b)

      provision of historical data;

    3. (c)

      provision of reference data;

    4. (d)

      provision of research;

    5. (e)

      processing, distribution and marketing of data and statistics on financial instruments, trading venues, and other market-related data;

    6. (f)

      design, management, maintenance and marketing of software, hardware and networks in relation to the transmission of data and information.

  2. (2)

    A CTP may perform services other than those specified under paragraph 1 which increase the efficiency of the market, provided that such services do not create any risk affecting the quality of the consolidated tape or the independence of the CTP that cannot be adequately prevented or mitigated.