Article 5 Internal control

  1. (1) An application for registration as a securitisation repository shall contain detailed information about the internal control system of the applicant, including information regarding its compliance function, risk assessment, internal control mechanisms and the arrangements of its internal audit function.

  2. (2) The detailed information referred to in paragraph 1 shall contain:

    1. (a) the applicant's internal control policies and the procedures to ensure the consistent and effective implementation of those policies;

    2. (b) any policies, procedures and manuals for monitoring and evaluating the adequacy and effectiveness of the applicant's systems;

    3. (c) any policies, procedures and manuals for controlling and safeguarding the applicant's information processing systems;

    4. (d) the identity of the internal bodies in charge of evaluating any internal control findings.

  3. (3) An application for registration as a securitisation repository shall contain the following information with respect to the applicant's internal audit activities:

    1. (a) in case there is an Internal Audit Committee, its composition, competences and responsibilities;

    2. (b) its internal audit function charter, methodologies, standards and procedures;

    3. (c) an explanation of how its internal audit function charter, methodology and procedures are developed and applied, taking into account the nature and extent of the applicant's activities, complexities and risks;

    4. (d) a work plan for the Internal Audit Committee for the three years following the date of application, focusing on the nature and extent of the applicant's activities, complexities and risks.