Status: Please note you should read all Brexit changes to the FCA Handbook and BTS alongside the main FCA transitional directions. Where these directions apply the 'standstill', firms have the choice between complying with the pre-IP completion day rules, or the post-IP completion day rules. To see a full list of Handbook modules affected, please see Annex B to the main FCA transitional directions.

Article 22 Security

  1. (1) An application for registration as a securitisation repository shall contain proof of the following:

    1. (a) that its information technology systems are protected from misuse or unauthorised access;

    2. (b) that its information systems are protected against attacks; ‘information systems’ means a device or group of interconnected or related devices, one or more of which, pursuant to a programme, automatically processes computer data, as well as computer data stored, processed, retrieved or transmitted by that device or group of devices for the purpose of its or their operation, use, protection and maintenance;

    3. (c) that unauthorised disclosure of confidential information is prevented;

    4. (d) that the security and integrity of the information received by it under Regulation (EU) 2017/2402 is ensured.

  2. (2) The application shall contain proof that the applicant has arrangements in place to identify and manage the risks referred to in paragraph 1 in a prompt and timely manner.

  3. (3) With respect to breaches in the physical and electronic security measures referred to in paragraphs 1 and 2, the application shall contain proof that the applicant has arrangements in place to do the following in a prompt and timely manner:

    1. (a) to notify the FCA of the incident giving rise to the breach;

    2. (b) to provide the FCA with an incident report, indicating the nature and details of the incident, the measures adopted to cope with the incident and the initiatives taken to prevent similar incidents;

    3. (c) to notify its users of the incident where they have been affected by the breach.