Site Feedback

Title 17

Displaying title 17, up to date as of 9/23/2021. Title 17 was last amended 9/01/2021.

Title 17

eCFR Content

The Code of Federal Regulations (CFR) is the official legal print publication containing the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the Federal Government. The Electronic Code of Federal Regulations (eCFR) is a continuously updated online version of the CFR. It is not an official legal edition of the CFR.

Learn more about the eCFR, its status, and the editorial process.

PART 49 - SWAP DATA REPOSITORIES
Authority:

7 U.S.C. 1a, 2(a), 6r, 12a, and 24a, as amended by Title VII of the Wall Street Reform and Consumer Protection Act of 2010, Pub. L. 111-203, 124 Stat. 1376 (Jul. 21, 2010), unless otherwise noted.

Source:

76 FR 54575, Sept. 1, 2011, unless otherwise noted.

§ 49.1 Scope.

The provisions of this part apply to any swap data repository as defined under Section 1a(48) of the Act which is registered or is required to register as such with the Commission pursuant to Section 21(a) of the Act.

§ 49.2 Definitions.

(a) As used in this part:

Affiliate means a person that directly, or indirectly, controls, is controlled by, or is under common control with, the swap data repository.

As soon as technologically practicable means as soon as possible, taking into consideration the prevalence, implementation, and use of technology by comparable market participants.

Asset class means a broad category of commodities including, without limitation, any “excluded commodity” as defined in section 1a(19) of the Act, with common characteristics underlying a swap. The asset classes include interest rate, foreign exchange, credit, equity, other commodity, and such other asset classes as may be determined by the Commission.

Commercial use means the use of SDR data held and maintained by a swap data repository for a profit or business purposes. A swap data repository's use of SDR data for regulatory purposes and/or to perform its regulatory responsibilities would not be considered a commercial use regardless of whether the swap data repository charges a fee for reporting such SDR data.

Control (including the terms “controlled by” and “under common control with”) means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract, or otherwise.

Data validation acceptance message means a notification that SDR data satisfied the data validation procedures applied by a swap data repository.

Data validation error means that a specific data element of SDR data did not satisfy the data validation procedures applied by a swap data repository.

Data validation error message means a notification that SDR data contained one or more data validation error(s).

Data validation procedures procedures established by a swap data repository pursuant to § 49.10 to validate SDR data reported to the swap data repository.

Foreign regulator means a foreign futures authority as defined in section 1a(26) of the Act, foreign financial supervisors, foreign central banks, foreign ministries, and other foreign authorities.

Independent perspective means a viewpoint that is impartial regarding competitive, commercial, or industry concerns and contemplates the effect of a decision on all constituencies involved.

Market participant means any person participating in the swap market, including, but not limited to, designated contract markets, derivatives clearing organizations, swap execution facilities, swap dealers, major swap participants, and any other counterparty to a swap transaction.

Non-affiliated third party means any person except:

(1) The swap data repository;

(2) The swap data repository's affiliate; or

(3) A person jointly employed by a swap data repository and any entity that is not the swap data repository's affiliate (the term “non-affiliated third party” includes such entity that jointly employs the person).

Open swap means an executed swap transaction that has not reached maturity or expiration, and has not been fully exercised, closed out, or terminated.

Person associated with a swap data repository means:

(1) Any partner, officer, or director of such swap data repository (or any person occupying a similar status or performing similar functions);

(2) Any person directly or indirectly controlling, controlled by, or under common control with such swap data repository; or

(3) Any person employed by such swap data repository, including a jointly employed person.

Position means the gross and net notional amounts of open swap transactions aggregated by one or more attributes, including, but not limited to, the:

(1) Underlying instrument;

(2) Index, or reference entity;

(3) Counterparty;

(4) Asset class;

(5) Long risk of the underlying instrument, index, or reference entity; and

(6) Short risk of the underlying instrument, index, or reference entity.

Reporting counterparty means the counterparty required to report SDR data pursuant to part 43, 45, or 46 of this chapter.

SDR data means the specific data elements and information required to be reported to a swap data repository or disseminated by a swap data repository pursuant to two or more of parts 43, 45, 46, and/or 49 of this chapter, as applicable in the context.

SDR information means any information that the swap data repository receives or maintains related to the business of the swap data repository that is not SDR data.

Section 8 material means the business transactions, SDR data, or market positions of any person and trade secrets or names of customers.

Swap data means the specific data elements and information required to be reported to a swap data repository pursuant to part 45 of this chapter or made available to the Commission pursuant to this part, as applicable.

Swap transaction and pricing data means the specific data elements and information required to be reported to a swap data repository or publicly disseminated by a swap data repository pursuant to part 43 of this chapter, as applicable.

(b) Other defined terms. Terms not defined in this part have the meanings assigned to the terms in § 1.3 of this chapter.

[76 FR 54575, Sept. 1, 2011, as amended at 83 FR 27436, June 12, 2018; 85 FR 75595, 75656, Nov. 25, 2020]

§ 49.3 Procedures for registration.

(a) Application procedures.

(1) An applicant, person or entity desiring to be registered as a swap data repository shall file electronically an application for registration on Form SDR provided in appendix A to this part, with the Secretary of the Commission at its headquarters in Washington, DC in a format and in the manner specified by the Secretary of the Commission in accordance with the instructions contained therein.

(2) The application shall include information sufficient to demonstrate compliance with core principles specified in Section 21 of the Act and the regulations thereunder. Form SDR consists of instructions, general questions and a list of Exhibits (documents, information and evidence) required by the Commission in order to determine whether an applicant is able to comply with the core principles. An application will not be considered to be materially complete unless the applicant has submitted, at a minimum, the exhibits as required in Form SDR. If the application is not materially complete, the Commission shall notify the applicant that the application will not be deemed to have been submitted for purposes of the 180-day review procedures.

(3) 180-Day review procedures. The Commission will review the application for registration as a swap data repository within 180 days of the date of the filing of such application. In considering an application for registration as a swap data repository, the staff of the Commission shall include in its review, an applicant's past relevant submissions and compliance history. At or prior to the conclusion of the 180-day period, the Commission will either by order grant registration; extend, by order, the 180-day review period for good cause; or deny the application for registration as a swap data repository. The 180-day review period shall commence once a completed submission on Form SDR is submitted to the Commission. The determination of when such submission on Form SDR is complete shall be at the sole discretion of the Commission. If deemed appropriate, the Commission may grant registration as a swap data repository subject to conditions. If the Commission denies an application for registration as a swap data repository, it shall specify the grounds for such denial. In the event of a denial of registration for a swap data repository, any person so denied shall be afforded an opportunity for a hearing before the Commission.

(4) Standard for approval. The Commission shall grant the registration of a swap data repository if the Commission finds that such swap data repository is appropriately organized, and has the capacity: to ensure the prompt, accurate and reliable performance of its functions as a swap data repository; comply with any applicable provisions of the Act and regulations thereunder; carry out its functions in a manner consistent with the purposes of Section 21 of the Act and the regulations thereunder; and operate in a fair, equitable and consistent manner. The Commission shall deny registration of a swap data repository if it appears that the application is materially incomplete; fails in form or substance to meet the requirements of Section 21 of the Act and part 49; or is amended or supplemented in a manner that is inconsistent with this § 49.3. The Commission shall notify the applicant seeking registration that the Commission is denying the application setting forth the deficiencies in the application, and/or the manner in which the application fails to meet the requirements of this part.

(5) Amendments. If any information reported on Form SDR or in any amendment thereto is or becomes inaccurate for any reason, whether before or after the application for registration has been granted under this paragraph (a), the swap data repository shall promptly file an amendment on Form SDR updating such information.

(6) Service of process. Each swap data repository shall designate and authorize on Form SDR an agent in the United States, other than a Commission official, who shall accept any notice or service of process, pleadings, or other documents in any action or proceedings brought against the swap data repository to enforce the Act and the regulations thereunder.

(b) Provisional registration. The Commission, upon the request of an applicant, may grant provisional registration of a swap data repository if such applicant is in substantial compliance with the standards set forth in paragraph (a)(4) of this section and is able to demonstrate operational capability, real-time processing, multiple redundancy and robust security controls. Such provisional registration of a swap data repository shall expire on the earlier of: the date that the Commission grants or denies registration of the swap data repository; or the date that the Commission rescinds the temporary registration of the swap data repository. This paragraph (b) shall terminate within such time as determined by the Commission. A provisional registration granted by the Commission does not affect the right of the Commission to grant or deny permanent registration as provided under paragraph (a)(3) of this section.

(c) Withdrawal of application for registration. An applicant for registration may withdraw its application submitted pursuant to paragraph (a) of this section by filing with the Commission such a request. Withdrawal of an application for registration shall not affect any action taken or to be taken by the Commission based upon actions, activities, or events occurring during the time that the application for registration was pending with the Commission, and shall not prejudice the filing of a new application by such applicant.

(d) Reinstatement of dormant registration. Before accepting or re-accepting SDR data, a dormant swap data repository as defined in § 40.1 of this chapter shall reinstate its registration under the procedures set forth in paragraph (a) of this section; provided, however, that an application for reinstatement may rely upon previously submitted materials that still pertain to, and accurately describe, current conditions.

(e) Delegation of authority.

(1) The Commission hereby delegates, until it orders otherwise, to the Director of the Division of Market Oversight or the Director's delegates, with the consultation of the General Counsel or the General Counsel's delegates, the authority to notify an applicant seeking registration as a swap data repository pursuant to Section 21 of the Act that the application is materially incomplete and the 180-day period review period is extended.

(2) The Director of the Division of Market Oversight may submit to the Commission for its consideration any matter which has been delegated in this paragraph.

(3) Nothing in this paragraph prohibits the Commission, at its election, from exercising the authority delegated in paragraph (e)(1) of this section.

(f) Request for confidential treatment. An applicant for registration may request confidential treatment for materials submitted in its application as set forth in §§ 40.8 and 145.9 of this chapter. The applicant shall identify with particularity information in the application that will be subject to a request for confidential treatment.

[76 FR 54575, Sept. 1, 2011, as amended at 85 FR 75657, Nov. 25, 2020]

§ 49.4 Withdrawal from registration.

(a)

(1) A swap data repository may withdraw its registration by giving notice in writing to the Commission requesting that its registration as a swap data repository be withdrawn. Such notice shall be served at least 60 days prior to the date named therein as the date when the withdrawal of registration shall take effect. The request to withdraw shall be made by a person duly authorized by the swap data repository and shall specify:

(i) The name of the swap data repository for which withdrawal of registration is being requested;

(ii) The name, address and telephone number of the swap data repository that will have custody of data and records of the swap data repository; and

(iii) The address where such data and records will be located.

(2) Prior to filing a request to withdraw, a swap data repository shall execute an agreement with the custodial swap data repository governing the custody of the withdrawing swap data repository's data and records. The custodial swap data repository shall retain such records for at least as long as the remaining period of time the swap data repository withdrawing from registration would have been required to retain such records pursuant to this part.

(b) A notice of withdrawal from registration filed by a swap data repository shall become effective for all matters (except as provided in this paragraph (b)) on the 60th day after the filing thereof with the Commission, within such longer period of time as to which such swap data repository consents or which the Commission, by order, may determine as necessary or appropriate in the public interest.

(c) Revocation of registration for false application. If, after notice and opportunity for hearing, the Commission finds that any swap data repository has obtained its registration by making any false or misleading statements with respect to any material fact or has violated or failed to comply with any provision of the Act and regulations thereunder, the Commission, by order, may revoke the registration. Pending final determination whether any registration shall be revoked, the Commission, by order, may suspend such registration, if such suspension appears to the Commission, after notice and opportunity for hearing, to be necessary or appropriate and in the public interest.

[76 FR 54575, Sept. 1, 2011, as amended at 85 FR 75595, 75657, Nov. 25, 2020]

§ 49.5 Equity interest transfers.

(a) Equity interest transfer notification. A swap data repository shall file with the Commission a notification of each transaction involving the direct or indirect transfer of ten percent or more of the equity interest in the swap data repository. The Commission may, upon receiving such notification, request that the swap data repository provide supporting documentation of the transaction.

(b) Timing of notification. The equity interest transfer notice described in paragraph (a) of this section shall be filed electronically with the Secretary of the Commission at its Washington, DC headquarters at and the Division of Market Oversight at , at the earliest possible time but in no event later than the open of business ten business days following the date upon which a firm obligation is made to transfer, directly or indirectly, ten percent or more of the equity interest in the swap data repository.

(c) Certification. Upon a transfer, whether directly or indirectly, of an equity interest of ten percent or more in a swap data repository, the swap data repository shall file electronically with the Secretary of the Commission at its Washington, DC headquarters at and the Division of Market Oversight at , a certification that the swap data repository meets all of the requirements of section 21 of the Act and the Commission regulations in 17 CFR chapter I, no later than two business days following the date on which the equity interest of ten percent or more was acquired.

[85 FR 75657, Nov. 25, 2020]

§ 49.6 Request for transfer of registration.

(a) Request for approval. A swap data repository seeking to transfer its registration from its current legal entity to a new legal entity as a result of a corporate change shall file a request for approval to transfer such registration with the Secretary of the Commission in the form and manner specified by the Commission.

(b) Timing for filing a request for transfer of registration. A swap data repository shall file a request for transfer of registration as soon as practicable prior to the anticipated corporate change.

(c) Required information. The request for transfer of registration shall include the following:

(1) The underlying documentation that governs the corporate change;

(2) A description of the corporate change, including the reason for the change and its impact on the swap data repository, including the swap data repository's governance and operations, and its impact on the rights and obligations of market participants;

(3) A discussion of the transferee's ability to comply with the Act, including the core principles applicable to swap data repositories and the Commission's regulations;

(4) The governance documents adopted by the transferee, including a copy of any constitution; articles or certificate of incorporation, organization, formation, or association with all amendments thereto; partnership or limited liability agreements; and any existing bylaws, operating agreement, or rules or instruments corresponding thereto;

(5) The transferee's rules marked to show changes from the current rules of the swap data repository; and

(6) A representation by the transferee that it:

(i) Will be the surviving entity and successor-in-interest to the transferor swap data repository and will retain and assume the assets and liabilities of the transferor, except if otherwise indicated in the request;

(ii) Will assume responsibility for complying with all applicable provisions of the Act and the Commission's regulations; and

(iii) Will notify market participants of all changes to the transferor's rulebook prior to the transfer, including those changes that may affect the rights and obligations of market participants, and will further notify market participants of the concurrent transfer of the registration to the transferee upon Commission approval and issuance of an order permitting the transfer.

(d) Commission determination. Upon review of a request for transfer of registration, the Commission, as soon as practicable, shall issue an order either approving or denying the request for transfer of registration.

[85 FR 75657, Nov. 25, 2020]

§ 49.7 Swap data repositories located in foreign jurisdictions.

Any swap data repository located outside of the United States applying for registration pursuant to § 49.3 of this part shall certify on Form SDR and provide an opinion of counsel that the swap data repository, as a matter of law, is able to provide the Commission with prompt access to the books and records of such swap data repository and that the swap data repository can submit to onsite inspection and examination by the Commission.

§ 49.8 Procedures for implementing swap data repository rules.

(a) Request for Commission approval of rules. An applicant for registration as a swap data repository may request that the Commission approve under Section 5c(c) of the Act, any or all of its rules and subsequent amendments thereto, prior to their implementation or, notwithstanding the provisions of Section 5c(c)(2) of the Act, at anytime thereafter, under the procedures of § 40.5 of this chapter.

(b) Notwithstanding the timeline under § 40.5(c) of this chapter, the rules of a swap data repository that have been submitted for Commission approval at the same time as an application for registration under § 49.3 of this part or to reinstate the registration of a dormant swap data repository, as defined in § 40.1 of this chapter, will be deemed approved by the Commission no earlier than when the swap data repository is deemed to be registered or reinstated.

(c) Self-certification of rules. Rules of a swap data repository not voluntarily submitted for prior Commission approval pursuant to paragraph (a) of this section must be submitted to the Commission with a certification that the rule or rule amendment complies with the Act or rules thereunder pursuant to the procedures of § 40.6 of this chapter, as applicable.

§ 49.9 Open swaps reports provided to the Commission.

Each swap data repository shall provide reports of open swaps to the Commission in accordance with this section.

(a) Content of the open swaps report. In order to satisfy the requirements of this section, each swap data repository shall provide the Commission with open swaps reports that contain an accurate reflection, as of the time the swap data repository compiles the open swaps report, of the swap data maintained by the swap data repository for every swap data field required to be reported for swaps pursuant to part 45 of this chapter for every open swap. The report shall be organized by the unique identifier created pursuant to § 45.5 of this chapter that is associated with each open swap.

(b) Transmission of the open swaps report. Each swap data repository shall transmit all open swaps reports to the Commission as instructed by the Commission. Such instructions may include, but are not limited to, the method, timing, and frequency of transmission, as well as the format of the swap data to be transmitted.

[85 FR 75657, Nov. 25, 2020]

§ 49.10 Acceptance and validation of data.

(a) General requirements -

(1) Generally. A swap data repository shall establish, maintain, and enforce policies and procedures reasonably designed to facilitate the complete and accurate reporting of SDR data. A swap data repository shall promptly accept, validate, and record SDR data.

(2) Electronic connectivity. For the purpose of accepting SDR data, the swap data repository shall adopt policies and procedures, including technological protocols, which provide for electronic connectivity between the swap data repository and designated contract markets, derivatives clearing organizations, swap execution facilities, swap dealers, major swap participants and non-SD/MSP/DCO reporting counterparties who report such data. The technological protocols established by a swap data repository shall provide for the receipt of SDR data. The swap data repository shall ensure that its mechanisms for SDR data acceptance are reliable and secure.

(b) Duty to accept SDR data. A swap data repository shall set forth in its application for registration as described in § 49.3 the specific asset class or classes for which it will accept SDR data. If a swap data repository accepts SDR data of a particular asset class, then it shall accept SDR data from all swaps of that asset class, unless otherwise prescribed by the Commission.

(c) Duty to validate SDR data. A swap data repository shall validate SDR data as soon as technologically practicable after such data is accepted according to the validation conditions approved in writing by the Commission. A swap data repository shall validate SDR data by providing data validation acceptance messages and data validation error messages, as provided in this paragraph (c).

(1) Data validation acceptance message. A swap data repository shall validate each SDR data report submitted to the swap data repository and notify the reporting counterparty, swap execution facility, designated contract market, or third-party service provider submitting the report whether the report satisfied the data validation procedures of the swap data repository as soon as technologically practicable after accepting the SDR data report.

(2) Data validation error message. If SDR data contains one or more data validation errors, the swap data repository shall distribute a data validation error message to the designated contract market, swap execution facility, reporting counterparty, or third-party service provider that submitted such SDR data as soon as technologically practicable after acceptance of such data. Each data validation error message shall indicate which specific data validation error(s) was identified in the SDR data.

(3) Swap transaction and pricing data submitted with swap data. If a swap data repository allows for the joint submission of swap transaction and pricing data and swap data, the swap data repository shall validate the swap transaction and pricing data and swap data separately. Swap transaction and pricing data that satisfies the data validation procedures applied by a swap data repository shall not be deemed to contain a data validation error because it was submitted to the swap data repository jointly with swap data that contained a data validation error.

(d) Policies and procedures to prevent invalidation or modification. A swap data repository shall establish policies and procedures reasonably designed to prevent any provision in a valid swap from being invalidated or modified through the verification or recording process of the swap data repository. The policies and procedures shall ensure that the swap data repository's user agreements are designed to prevent any such invalidation or modification.

(e) Error corrections -

(1) Accepting corrections. A swap data repository shall accept error corrections for SDR data. Error corrections include corrections to errors and omissions in SDR data previously reported to the swap data repository pursuant to part 43, 45, or 46 of this chapter, as well as omissions in reporting SDR data for swaps that were not previously reported to a swap data repository as required under part 43, 45, or 46 of this chapter. The requirement to accept error corrections applies for all swaps, regardless of the state of the swap that is the subject of the SDR data. This includes swaps that have terminated, matured, or are otherwise no longer considered to be open swaps, provided that the record retention period under § 49.12(b)(2) has not expired as of the time the error correction is reported.

(2) Recording corrections. A swap data repository shall record the corrections, as soon as technologically practicable after the swap data repository accepts the error correction.

(3) Dissemination. A swap data repository shall disseminate corrected SDR data to the public and the Commission, as applicable, in accordance with this chapter, as soon as technologically practicable after the swap data repository records the corrected SDR data.

(4) Policies and procedures. A swap data repository shall establish, maintain, and enforce policies and procedures designed for the swap data repository to accept error corrections, to record the error corrections as soon as technologically practicable after the swap data repository accepts the error correction, and to disseminate corrected SDR data to the public and to the Commission, as applicable, in accordance with this chapter.

(f) Policies and procedures for resolving disputes regarding data accuracy. A swap data repository shall establish procedures and provide facilities for effectively resolving disputes over the accuracy of the SDR data and positions that are recorded in the swap data repository.

[85 FR 75595, Nov. 25, 2020, as amended at 85 FR 75657, Nov. 25, 2020]

§ 49.11 Verification of swap data accuracy.

(a) General requirement. Each swap data repository shall verify the accuracy and completeness of swap data that it receives from swap execution facilities, designated contract markets, reporting counterparties, or third-party service providers acting on their behalf, in accordance with paragraph (b) of this section.

(b) Verifying swap data accuracy and completeness -

(1) Swap data access. Each swap data repository shall provide a mechanism that allows each reporting counterparty that is a user of the swap data repository to access all swap data maintained by the swap data repository for each open swap for which the reporting counterparty is serving as the reporting counterparty, as specified in paragraph (b)(2) of this section. This mechanism shall allow sufficient access, provide sufficient information, and be in a form and manner to enable each reporting counterparty to perform swap data verification as required under § 45.14 of this chapter.

(2) Scope of swap data access. The swap data accessible through the mechanism provided by each swap data repository shall accurately reflect the most current swap data maintained by the swap data repository, as of the time the reporting counterparty accesses the swap data using the provided mechanism, for each data field that the reporting counterparty was required to report for each relevant open swap pursuant to part 45 of this chapter, except as provided in paragraph (b)(3) of this section. The swap data accessible through the mechanism provided by each swap data repository shall include sufficient information to allow reporting counterparties to successfully perform the swap data verification required under § 45.14 of this chapter.

(3) Confidentiality. The swap data access each swap data repository shall provide pursuant to this section is subject to all applicable confidentiality requirements of the Act and this chapter, including, but not limited to, § 49.17. The swap data accessible to any reporting counterparty shall not include any swap data that the relevant reporting counterparty is prohibited to access under any Commission regulation.

(4) Frequency of swap data access. Each swap data repository shall allow each reporting counterparty that is a user of the relevant swap data repository to utilize the mechanism as required under this section with at least sufficient frequency to allow each relevant reporting counterparty to perform the swap data verification required under § 45.14 of this chapter.

(5) Third-party service providers. If a reporting counterparty informs a swap data repository that the reporting counterparty will utilize a third-party service provider to perform verification as required pursuant to § 45.14 of this chapter, the swap data repository will satisfy its requirements under this section by providing the third-party service provider with the same access to the mechanism and the relevant swap data for the reporting counterparty under this section, as if the third-party service provider was the reporting counterparty. The access for the third-party service provider shall be in addition to the access for the reporting counterparty required under this section. The access for the third-party service provider under this paragraph shall continue until the reporting counterparty informs the swap data repository that the third-party service provider should no longer have access on behalf of the reporting counterparty. The policies and procedures each swap data repository adopts under paragraph (c) of this section shall include instructions detailing how each reporting counterparty can successfully inform the swap data repository regarding a third-party service provider.

(c) Policies and procedures -

(1) Contents. Each swap data repository shall establish, maintain, and enforce policies and procedures designed to ensure compliance with the requirements of this section. Such policies and procedures shall include, but are not limited to, instructions detailing how each reporting counterparty, or third-party service provider acting on behalf of a reporting counterparty, can successfully utilize the mechanism provided pursuant to this section to perform each reporting counterparty's verification responsibilities under § 45.14 of this chapter.

(2) Amendments. Each swap data repository shall comply with the requirements under part 40 of this chapter in adopting or amending the policies and procedures required by this section.

[85 FR 75658, Nov. 25, 2020]

§ 49.12 Swap data repository recordkeeping requirements.

(a) General requirement. A swap data repository shall keep full, complete, and systematic records, together with all pertinent data and memoranda, of all activities relating to the business of the swap data repository, including, but not limited to, all SDR information and all SDR data that is reported to the swap data repository pursuant to this chapter.

(b) Maintenance of records. A swap data repository shall maintain all records required to be kept by this section in accordance with this paragraph (b).

(1) A swap data repository shall maintain all SDR information, including, but not limited to, all documents, policies, and procedures required by the Act and the Commission's regulations, correspondence, memoranda, papers, books, notices, accounts, and other such records made or received by the swap data repository in the course of its business. All SDR information shall be maintained in accordance with § 1.31 of this chapter.

(2) A swap data repository shall maintain all SDR data and timestamps reported to or created by the swap data repository pursuant to this chapter, and all messages related to such reporting, throughout the existence of the swap that is the subject of the SDR data and for five years following final termination of the swap, during which time the records shall be readily accessible by the swap data repository and available to the Commission via real-time electronic access, and for a period of at least ten additional years in archival storage from which such records are retrievable by the swap data repository within three business days.

(c) Records of data errors and omissions. A swap data repository shall create and maintain records of data validation errors and SDR data reporting errors and omissions in accordance with this paragraph (c).

(1) A swap data repository shall create and maintain an accurate record of all reported SDR data that fails to satisfy the swap data repository's data validation procedures including, but not limited to, all SDR data reported to the swap data repository that fails to satisfy the data validation procedures, all data validation errors, and all related messages and timestamps. A swap data repository shall make these records available to the Commission on request.

(2) A swap data repository shall create and maintain an accurate record of all SDR data errors and omissions reported to the swap data repository and all corrections disseminated by the swap data repository pursuant to parts 43, 45, and 46 of this chapter and this part. A swap data repository shall make these records available to the Commission on request.

(d) Availability of records. All records required to be kept pursuant to this part shall be open to inspection upon request by any representative of the Commission or the United States Department of Justice in accordance with the provisions of § 1.31 of this chapter. A swap data repository required to keep, create, or maintain records pursuant to this section shall provide such records in accordance with the provisions of § 1.31 of this chapter, unless otherwise provided in this part.

(e) A swap data repository shall establish policies and procedures to calculate positions for position limits and any other purpose as required by the Commission, for all persons with swaps that have not expired maintained by the swap data repository.

[85 FR 75658, Nov. 25, 2020]

§ 49.13 Monitoring, screening and analyzing swap data.

(a) Duty to monitor, screen and analyze SDR data. A swap data repository shall monitor, screen, and analyze all relevant SDR data in its possession in such a manner as the Commission may require. A swap data repository shall routinely monitor, screen, and analyze SDR data for the purpose of any standing swap surveillance objectives that the Commission may establish as well as perform specific monitoring, screening, and analysis tasks based on ad hoc requests by the Commission.

(b) Capacity to monitor, screen and analyze SDR data. A swap data repository shall establish and maintain sufficient information technology, staff, and other resources to fulfill the requirements in this § 49.13 in a manner prescribed by the Commission. A swap data repository shall monitor the sufficiency of such resources at least annually, and adjust its resources as its responsibilities, or the volume of swap transactions subject to monitoring, screening, and analysis, increase.

[76 FR 54575, Sept. 1, 2011, as amended at 85 FR 75659, Nov. 25, 2020]

§ 49.14 Monitoring, screening and analyzing end-user clearing exemption claims by individual and affiliated entities.

A swap data repository shall have automated systems capable of identifying, aggregating, sorting, and filtering all swap transactions that are reported to it which are exempt from clearing pursuant to Section 2(h)(7) of the Act. Such capabilities shall be applicable to any information provided to a swap data repository by or on behalf of an end user regarding how such end user meets the requirements of Sections 2(h)(7)(A)(i), 2(h)(7)(A)(ii), and 2(h)(7)(A)(iii) of the Act and any Commission regulations thereunder.

§ 49.15 Real-time public reporting by swap data repositories.

(a) Scope. The provisions of this section apply to the real-time public reporting of swap transaction and pricing data submitted to a swap data repository pursuant to part 43 of this chapter.

(b) Systems to accept and disseminate data in connection with real-time public reporting. A swap data repository shall establish such electronic systems as are necessary to accept and publicly disseminate swap transaction and pricing data submitted to the swap data repository pursuant to part 43 of this chapter in order to meet the real-time public reporting obligations of part 43 of this chapter. Any electronic system established for this purpose shall be capable of accepting and ensuring the public dissemination of all data fields required by part 43 this chapter.

(c) Duty to notify the Commission of untimely data. A swap data repository shall notify the Commission of any swap transaction for which the real-time swap data was not received by the swap data repository in accordance with part 43 of this chapter.

[85 FR 75659, Nov. 25, 2020]

§ 49.16 Privacy and confidentiality requirements of swap data repositories.

(a) Each swap data repository shall:

(1) Establish, maintain, and enforce written policies and procedures reasonably designed to protect the privacy and confidentiality of any and all SDR information and all SDR data that is not swap transaction and pricing data disseminated under part 43 of this chapter. Such policies and procedures shall include, but are not limited to, policies and procedures to protect the privacy and confidentiality of any and all SDR information and all SDR data (except for swap transaction and pricing data disseminated under part 43 of this chapter) that the swap data repository shares with affiliates and non-affiliated third parties; and

(2) Establish and maintain safeguards, policies, and procedures reasonably designed to prevent the misappropriation or misuse, directly or indirectly, of:

(i) Section 8 material;

(ii) Other SDR information or SDR data; and/or

(iii) Intellectual property, such as trading strategies or portfolio positions, by the swap data repository or any person associated with a swap data repository. Such safeguards, policies, and procedures shall include, but are not limited to:

(A) Limiting access to such section 8 material, other SDR information or SDR data, and intellectual property;

(B) Standards controlling persons associated with a swap data repository trading for their personal benefit or the benefit of others; and

(C) Adequate oversight to ensure compliance with this paragraph (a)(2).

(b) A swap data repository shall not, as a condition of accepting SDR data from any swap execution facility, designated contract market, or reporting counterparty, require the waiver of any privacy rights by such swap execution facility, designated contract market, or reporting counterparty.

(c) Subject to section 8 of the Act, a swap data repository may disclose aggregated SDR data on a voluntary basis or as requested, in the form and manner prescribed by the Commission.

[85 FR 75659, Nov. 25, 2020]

§ 49.17 Access to SDR data.

(a) Purpose. This section provides a procedure by which the Commission, other domestic regulators and foreign regulators may obtain access to the SDR data held and maintained by registered SDR data repositories. Except as specifically set forth in this section, the Commission's duties and obligations regarding the confidentiality of business transactions or market positions of any person and trade secrets or names of customers identified in section 8 of the Act are not affected.

(b) Definitions. For purposes of this § 49.17, the following terms shall be defined as follows:

(1) Appropriate domestic regulator. The term “appropriate domestic regulator” shall mean:

(i) The Securities and Exchange Commission;

(ii) Each prudential regulator identified in Section 1a(39) of the Act with respect to requests related to any of such regulator's statutory authorities, without limitation to the activities listed for each regulator in Section 1a(39);

(iii) The Financial Stability Oversight Council;

(iv) The Department of Justice;

(v) Any Federal Reserve Bank;

(vi) The Office of Financial Research; and

(vii) Any other person the Commission determines to be appropriate pursuant to the process set forth in paragraph (h) of this section.

(2) Appropriate foreign regulator. The term “appropriate foreign regulator” shall mean those foreign regulators the Commission determines to be appropriate pursuant to the process set forth in paragraph (h) of this section.

(3) Direct electronic access. For the purposes of this section, the term “direct electronic access” shall mean an electronic system, platform, framework, or other technology that provides internet-based or other form of access to real-time SDR data that is acceptable to the Commission and also provides scheduled data transfers to Commission electronic systems.

(c) Commission access. A swap data repository shall provide access to the Commission for all SDR data maintained by the swap data repository pursuant to this chapter in accordance with this paragraph (c).

(1) Direct electronic access requirements. A swap data repository shall provide direct electronic access to the Commission or the Commission's designee, including another registered entity, in order for the Commission to carry out its legal and statutory responsibilities under the Act and the Commission's regulations in 17 CFR chapter I. A swap data repository shall maintain all SDR data reported to the swap data repository in a format acceptable to the Commission, and shall transmit all SDR data requested by the Commission to the Commission as instructed by the Commission. Such instructions may include, but are not limited to, the method, timing, and frequency of transmission, as well as the format and scope of the SDR data to be transmitted.

(2) Monitoring tools. A swap data repository is required to provide the Commission with proper tools for the monitoring, screening and analyzing of SDR data, including, but not limited to, Web-based services, services that provide automated transfer of SDR data to Commission systems, various software and access to the staff of the swap data repository and/or third-party service providers or agents familiar with the operations of the swap data repository, which can provide assistance to the Commission regarding data structure and content.

(3) Authorized users. The SDR data provided to the Commission by a swap data repository shall be accessible only by authorized users. The swap data repository shall maintain and provide a list of authorized users in the manner and frequency determined by the Commission.

(d) Other regulators -

(1) General procedure for gaining access to swap data repository data. Except as set forth in paragraph (d)(2) or (3) of this section -

(i) A person who is not an appropriate domestic regulator or an appropriate foreign regulator and who seeks to gain access to the swap data maintained by a swap data repository is required to first become an appropriate domestic regulator or appropriate foreign regulator through the process set forth in paragraph (h) of this section, and

(ii) Appropriate domestic regulators and appropriate foreign regulators seeking to gain access to the swap data maintained by a swap data repository are required to apply for access by filing a request for access with the swap data repository and certifying that it is acting within the scope of its jurisdiction, comply with paragraph (d)(6) of this section prior to receiving such access and, if applicable after receiving such access, comply with the notification requirement in paragraph (d)(4)(iii) of this section applicable to appropriate domestic regulators and appropriate foreign regulators.

(2) Domestic regulator with regulatory responsibility over a swap data repository. When a swap data repository that is registered with the Commission pursuant to this chapter is also registered with a domestic regulator pursuant to a separate statutory authority, and such domestic regulator seeks access to swap data that has been reported to such swap data repository pursuant to the domestic regulator's regulatory regime, such access is not subject to the requirements of sections 21(c)(7) or 21(d) of the Act, this paragraph (d) or § 49.18.

(3) Foreign regulator with regulatory responsibility over a swap data repository. When a swap data repository that is registered with the Commission pursuant to this chapter is also registered with, or recognized or otherwise authorized by, a foreign regulator that has supervisory authority over such swap data repository pursuant to foreign law and/or regulation, and such foreign regulator seeks access to swap data that has been reported to such swap data repository pursuant to the foreign regulator's regulatory regime, such access is not subject to the requirements of sections 21(c)(7) or 21(d) of the Act, this paragraph (d) or § 49.18.

(4) Obligations of the swap data repository in connection with appropriate domestic regulator or appropriate foreign regulator requests for swap data access.

(i) A swap data repository shall notify the Commission promptly after receiving an initial request from an appropriate domestic regulator or appropriate foreign regulator to gain access to swap data maintained by such swap data repository and promptly after receiving any request that does not comport with the scope of the appropriate domestic regulator's or appropriate foreign regulator's jurisdiction, as described and appended to the confidentiality arrangement required by § 49.18(a). Each swap data repository shall maintain records thereafter, pursuant to § 49.12, of the details of such initial request and of all subsequent requests by such appropriate domestic regulator or appropriate foreign regulator for such access.

(ii) The swap data repository shall notify the Commission electronically, in a format specified by the Secretary of the Commission, of the receipt of a request specified in paragraph (d)(4)(i) of this section.

(iii) The swap data repository shall not provide an appropriate domestic regulator or appropriate foreign regulator access to swap data maintained by the swap data repository unless the swap data repository has determined that the swap data to which the appropriate domestic regulator or appropriate foreign regulator seeks access is within the then-current scope of such appropriate domestic regulator's or appropriate foreign regulator's jurisdiction, as described and appended to the confidentiality arrangement required by § 49.18(a). An appropriate domestic regulator or appropriate foreign regulator that has executed a confidentiality arrangement with the Commission pursuant to § 49.18(a) and provided such confidentiality arrangement to one or more swap data repositories shall notify the Commission and each such swap data repository of any change to such appropriate domestic regulator's or appropriate foreign regulator's scope of jurisdiction as described in such confidentiality arrangement. The Commission may direct a swap data repository to suspend, limit, or revoke access to swap data maintained by such swap data repository based on any such change to such appropriate domestic regulator's or appropriate foreign regulator's scope of jurisdiction, and, if so directed in writing, such swap data repository shall so suspend, limit, or revoke such access.

(iv) The swap data repository need not make the determination required pursuant to paragraph (d)(4)(iii) of this section more than once with respect to a recurring swap data request. If such request changes, the swap data repository must make a new determination pursuant to paragraph (d)(4)(iii) of this section.

(5) Timing, limitation, suspension, or revocation of swap data access. Once a swap data repository has -

(i) Notified the Commission, pursuant to paragraphs (d)(4)(i) and (ii) of this section, of an initial request for swap data access by an appropriate domestic regulator or appropriate foreign regulator, as applicable, that was submitted pursuant to paragraph (d)(1) of this section,

(ii) Received from such appropriate domestic regulator or appropriate foreign regulator a confidentiality arrangement executed by the Commission and such appropriate domestic regulator or appropriate foreign regulator as required by § 49.18(a), and

(iii) Satisfied its obligations under paragraph (d)(4)(iii) of this section, such swap data repository shall provide access to the requested swap data; provided, however, that such swap data repository shall, if directed by the Commission in writing, limit, suspend or revoke such access should the Commission limit, suspend or revoke the appropriateness determination for such appropriate domestic regulator or appropriate foreign regulator or otherwise direct the swap data repository, in writing, to limit, suspend or revoke such access.

(6) Confidentiality arrangement. Consistent with § 49.18(a), the appropriate domestic regulator or appropriate foreign regulator shall, prior to receiving access to any requested swap data, execute the form of confidentiality arrangement set out in appendix B of this part with the Commission; provided, however, that the Commission may, in its discretion, agree to execute a confidentiality arrangement with an appropriate domestic regulator or appropriate foreign regulator that is not in the form set forth in appendix B of this part, if the confidentiality arrangement is consistent with the requirements set forth in § 49.18(b).

(e) Third-party service providers to a swap data repository. Access to the SDR data and SDR information maintained by a swap data repository may be necessary for certain third parties that provide various technology and data-related services to a swap data repository. Third-party access to the SDR data and SDR information maintained by a swap data repository is permissible subject to the following conditions:

(1) Both the swap data repository and the third party service provider shall have strict confidentiality procedures that protect SDR data and SDR information from improper disclosure.

(2) Prior to a swap data repository granting access to SDR data or SDR information to a third-party service provider, the third-party service provider and the swap data repository shall execute a confidentiality agreement setting forth minimum confidentiality procedures and permissible uses of the SDR data and SDR information maintained by the swap data repository that are equivalent to the privacy procedures for swap data repositories outlined in § 49.16.

(f) Access by market participants -

(1) General. Access by market participants to SDR data maintained by the swap data repository is prohibited other than as set forth in paragraph (f)(2) of this section.

(2) Exception. SDR data and SDR information related to a particular swap transaction that is maintained by the swap data repository may be accessed by either counterparty to that particular swap. However, the SDR data and SDR information maintained by the swap data repository that may be accessed by either counterparty to a particular swap shall not include the identity or the legal entity identifier (as such term is used in part 45 of this chapter) of the other counterparty to the swap, or the other counterparty's clearing member for the swap, if the swap is executed anonymously on a swap execution facility or designated contract market, and cleared in accordance with §§ 1.74, 23.610, and 39.12(b)(7) of this chapter.

(g) Commercial uses of SDR data accepted and maintained by the swap data repository prohibited. SDR data accepted and maintained by the swap data repository generally may not be used for commercial or business purposes by the swap data repository or any of its affiliated entities.

(1) The swap data repository is required to adopt and implement adequate “firewalls” or controls to protect the reported SDR data required to be maintained under § 49.12 of this part and Section 21(b) of the Act from any improper commercial use.

(2) Exception. (A) The swap execution facility, designated contract market, or reporting counterparty that submits the SDR data maintained by the swap data repository may permit the commercial or business use of that data by express written consent.

(B) Swap data repositories shall not as a condition of the reporting of SDR data require a swap execution facility, designated contract market, or reporting counterparty to consent to the use of any reported SDR data for commercial or business purposes.

(3) Swap data repositories responsible for the public dissemination of swap transaction and pricing data shall not make commercial use of such data prior to its public dissemination.

(h) Appropriateness determination process.

(1) Each person seeking an appropriateness determination pursuant to this paragraph shall file an application with the Commission.

(2) Each applicant seeking an appropriateness determination shall provide sufficient detail in its application to permit the Commission to analyze whether the applicant is acting within the scope of its jurisdiction in seeking access to swap data maintained by a swap data repository, and whether the applicant employs appropriate confidentiality safeguards to ensure that any swap data such applicant receives from a swap data repository will not, except as allowed for in the form of confidentiality arrangement set forth in appendix B to this part 49, be disclosed.

(3) If the Commission determines that an applicant pursuant to this paragraph is, conditionally or unconditionally, appropriate for purposes of section 21(c)(7) of the Act, the Commission shall issue an order setting forth its appropriateness determination. The Commission shall not determine that an applicant pursuant to this paragraph is appropriate unless the Commission is satisfied that -

(i) The applicant employs appropriate confidentiality safeguards to ensure that any swap data such applicant receives from a swap data repository will not be disclosed, except as allowed for in the form of confidentiality arrangement set forth in appendix B to this part 49 or, in the Commission's discretion as set forth in paragraph (d)(6) of this section, in a different form, provided that such confidentiality arrangement contains the elements required in § 49.18(b), and

(ii) Such applicant is acting within the scope of its jurisdiction in seeking access to swap data from a swap data repository.

(4) The Commission reserves the right, in connection with any appropriateness determination with respect to an appropriate domestic regulator or appropriate foreign regulator, to revisit, reassess, limit, suspend or revoke such determination consistent with the Act.

[76 FR 54575, Sept. 1, 2011, as amended at 83 FR 27436, June 12, 2018; 85 FR 75659, Nov. 25, 2020]

§ 49.18 Confidentiality arrangement.

(a) Confidentiality arrangement required prior to disclosure of swap data by a swap data repository to an appropriate domestic regulator or appropriate foreign regulator. Prior to a swap data repository providing access to swap data to any appropriate domestic regulator or appropriate foreign regulator, each as defined in § 49.17(b), the swap data repository shall receive from such appropriate domestic regulator or appropriate foreign regulator, pursuant to Section 21(d) of the Act, an executed confidentiality arrangement between the Commission and the appropriate domestic regulator or appropriate foreign regulator, as applicable, in the form set forth in appendix B to this part 49 or, in the Commission's discretion as set forth in § 49.17(d)(6), in a different form, provided that such confidentiality arrangement contains the elements required in paragraph (b) of this section. Such confidentiality arrangement must include, either as Exhibit A to the form set forth in appendix B of this part or similarly appended, a description of the appropriate domestic regulator's or appropriate foreign regulator's jurisdiction. Once a swap data repository is notified, in writing, that a confidentiality arrangement received from an appropriate domestic regulator or appropriate foreign regulator no longer is in effect, the swap data repository shall not provide access to swap data to such appropriate domestic regulator or appropriate foreign regulator.

(b) Elements of confidentiality arrangement. The confidentiality arrangement required pursuant to paragraph (a) of this section shall, at a minimum, include all elements included in the form of confidentiality arrangement set forth in appendix B of this part.

(c) Reporting failures to fulfill the terms of a confidentiality arrangement. A swap data repository shall immediately report to the Commission any known failure to fulfill the terms of a confidentiality arrangement that it receives pursuant to paragraph (a) of this section.

(d) Failures to fulfill the terms of the confidentiality arrangement. The Commission may, if an appropriate domestic regulator or appropriate foreign regulator fails to fulfill the terms of a confidentiality arrangement described in paragraph (a) of this section, direct, in writing, each swap data repository to limit, suspend or revoke such appropriate domestic regulator's or appropriate foreign regulator's access to swap data held by such swap data repository.

[83 FR 27438, June 12, 2018, as amended at 85 FR 75661, Nov. 25, 2020]

§ 49.19 Core principles applicable to swap data repositories.

(a) Compliance with core principles. To be registered, and maintain registration, a swap data repository shall comply with the core principles as described in this section. Unless otherwise determined by the Commission by rule or regulation, a swap data repository shall have reasonable discretion in establishing the manner in which the swap data repository complies with the core principles described in this section.

(b) Antitrust considerations (Core Principle 1). Unless necessary or appropriate to achieve the purposes of the Act, a swap data repository shall avoid adopting any rule or taking any action that results in any unreasonable restraint of trade; or imposing any material anticompetitive burden on trading, clearing or reporting swaps.

(c) Governance arrangements (Core Principle 2). Swap data repositories shall establish governance arrangements as set forth in § 49.20.

(d) Conflicts of interest (Core Principle 3). Swap data repositories shall manage and minimize conflicts of interest and establish processes for resolving such conflicts of interest as set forth in § 49.21.

(e) Additional duties (Core Principle 4). Swap data repositories shall also comply with the following additional duties:

(1) Financial resources. Swap data repositories shall maintain sufficient financial resources as set forth in § 49.25;

(2) Disclosure requirements of swap data repositories. Swap data repositories shall furnish an appropriate disclosure document setting forth the risks and costs of swap data repository services as detailed in § 49.26; and

(3) Access and Fees. Swap data repositories shall adhere to Commission requirements regarding fair and open access and the charging of any fees, dues or other similar type charges as detailed in § 49.27.

[76 FR 54575, Sept. 1, 2011, as amended at 85 FR 75661, Nov. 25, 2020]

§ 49.20 Governance arrangements (Core Principle 2).

(a) General.

(1) Each swap data repository shall establish governance arrangements that are transparent to fulfill public interest requirements, and to support the objectives of the Federal Government, owners, and participants.

(2) Each swap data repository shall establish governance arrangements that are well-defined and include a clear organizational structure with consistent lines of responsibility and effective internal controls, including with respect to administration, accounting, and the disclosure of confidential information. § 49.22 of this part contains rules on internal controls applicable to administration and accounting. § 49.16 of this part contains rules on internal controls applicable to the disclosure of confidential information.

(b) Transparency of governance arrangements.

(1) Each swap data repository shall state in its charter documents that its governance arrangements are transparent to support, among other things, the objectives of the Federal Government pursuant to Section 21(f)(2) of the Act.

(2) Each swap data repository shall, at a minimum, make the following information available to the public and relevant authorities, including the Commission:

(i) The mission statement of the swap data repository;

(ii) The mission statement and/or charter of the board of directors, as well as of each committee of the swap data repository that has:

(A) The authority to act on behalf of the board of directors or

(B) The authority to amend or constrain actions of the board of directors;

(iii) The board of directors nomination process for the swap data repository, as well as the process for assigning members of the board of directors or other persons to any committee referenced in paragraph (b)(2)(ii) of this section;

(iv) For the board of directors and each committee referenced in paragraph (b)(2)(ii) of this section, the names of all members;

(v) A description of the manner in which the board of directors, as well as any committee referenced in paragraph (b)(2)(ii) of this section, considers an independent perspective in its decision-making process, as § 49.2(a) defines such term;

(vi) The lines of responsibility and accountability for each operational unit of the swap data repository to any committee thereof and/or the board of directors; and

(vii) Summaries of significant decisions impacting the public interest, the rationale for such decisions, and the process for reaching such decisions. Such significant decisions shall include decisions relating to pricing of repository services, offering of ancillary services, access to SDR data, and use of section 8 material, SDR information, and intellectual property (as referenced in § 49.16). Such summaries of significant decisions shall not require the swap data repository to disclose section 8 material or, where appropriate, information that the swap data repository received on a confidential basis from a swap execution facility, designated contract market, or reporting counterparty.

(3) The swap data repository shall ensure that the information specified in paragraph (b)(2)(i) to (vii) of this section is current, accurate, clear, and readily accessible, for example, on its Web site. The swap data repository shall set forth such information in a language commonly used in the commodity futures and swap markets and at least one of the domestic language(s) of the jurisdiction in which the swap data repository is located.

(4) Furthermore, the swap data repository shall disclose the information specified in paragraph (b)(2)(vii) of this section in a sufficiently comprehensive and detailed fashion so as to permit the public and relevant authorities, including the Commission, to understand the policies or procedures of the swap data repository implicated and the manner in which the decision implements or amends such policies or procedures. A swap data repository shall not disclose minutes from meetings of its board of directors or committees to the public, although it shall disclose such minutes to the Commission upon request.

(c) The board of directors -

(1) General.

(i) Each swap data repository shall establish, maintain, and enforce (including, without limitation, pursuant to paragraph (c)(4) of this section) written policies or procedures:

(A) To ensure that its board of directors, as well as any committee that has:

(1) Authority to act on behalf of its board of directors or

(2) Authority to amend or constrain actions of its board of directors, adequately considers an independent perspective in its decision-making process;

(B) To ensure that the nominations process for such board of directors, as well as the process for assigning members of the board of directors or other persons to such committees, adequately incorporates an independent perspective; and

(C) To clearly articulate the roles and responsibilities of such board of directors, as well as such committees, especially with respect to the manner in which they ensure that a swap data repository complies with all statutory and regulatory responsibilities under the Act and the regulations promulgated thereunder.

(ii) Each swap data repository shall submit to the Commission, within thirty days after each election of its board of directors:

(A) For the board of directors, as well as each committee referenced in paragraph (c)(1)(i)(A) of this section, a list of all members;

(B) A description of the relationship, if any, between such members and the swap data repository or any swap execution facility, designated contract market, or reporting counterparty user thereof (or, in each case, affiliates thereof, as § 49.2(a) defines such term); and

(C) Any amendments to the written policies and procedures referenced in paragraph (c)(1)(i) of this section.

(2) Compensation. The compensation of non-executive members of the board of directors of a swap data repository shall not be linked to the business performance of such swap data repository.

(3) Annual self-review. The board of directors of a swap data repository shall review its performance and that of its individual members annually. It should consider periodically using external facilitators for such reviews.

(4) Board member removal. A swap data repository shall have procedures to remove a member from the board of directors, where the conduct of such member is likely to be prejudicial to the sound and prudent management of the swap data repository.

(5) Expertise. Each swap data repository shall ensure that members of its board of directors, members of any committee referenced in paragraph (c)(1)(i)(A) of this section, and its senior management, in each case, are of sufficiently good repute and possess the requisite skills and expertise to fulfill their responsibilities in the management and governance of the swap data repository, to have a clear understanding of such responsibilities, and to exercise sound judgment about the affairs of the swap data repository.

(d) Compliance with core principle. The chief compliance officer of the swap data repository shall review the compliance of the swap data repository with this core principle.

[76 FR 54575, Sept. 1, 2011, as amended at 85 FR 75661, Nov. 25, 2020]

§ 49.21 Conflicts of interest (Core Principle 3).

(a) General.

(1) Each swap data repository shall establish and enforce rules to minimize conflicts of interest in the decision-making process of the swap data repository, and establish a process for resolving such conflicts of interest.

(2) Nothing in this section shall supersede any requirement applicable to the swap data repository pursuant to § 49.20 of this part.

(b) Policies and procedures.

(1) Each swap data repository shall establish, maintain, and enforce written procedures to:

(i) Identify, on an ongoing basis, existing and potential conflicts of interest; and

(ii) Make decisions in the event of a conflict of interest. Such procedures shall include rules regarding the recusal, in applicable circumstances, of parties involved in the making of decisions.

(2) As further described in § 49.20 of this part, the chief compliance officer of the swap data repository shall, in consultation with the board of directors or a senior officer of the swap data repository, as applicable, resolve any such conflicts of interest.

(c) Compliance with core principle. The chief compliance officer of the swap data repository shall review the compliance of the swap data repository with this core principle.

§ 49.22 Chief compliance officer.

(a) Definition of board of directors. For purposes of this part 49, the term “board of directors” means the board of directors of a swap data repository, or for those swap data repositories whose organizational structure does not include a board of directors, a body performing a function similar to that of a board of directors.

(b) Designation and qualifications of chief compliance officer -

(1) Chief compliance officer required. Each swap data repository shall establish the position of chief compliance officer, and designate an individual to serve in that capacity.

(i) The position of chief compliance officer shall carry with it the authority and resources to develop and enforce policies and procedures necessary to fulfill the duties set forth for chief compliance officers in the Act and Commission regulations.

(ii) The chief compliance officer shall have supervisory authority over all staff acting at the direction of the chief compliance officer.

(2) Qualifications of chief compliance officer. The individual designated to serve as chief compliance officer shall have the background and skills appropriate for fulfilling the responsibilities of the position and shall be subject to the following requirements:

(i) No individual disqualified from registration pursuant to section 8a(2) or 8a(3) of the Act may serve as a chief compliance officer.

(ii) The chief compliance officer may not be a member of the swap data repository's legal department or serve as its general counsel.

(c) Appointment, supervision, and removal of chief compliance officer -

(1) Appointment and compensation of chief compliance officer determined by board of directors. A swap data repository's chief compliance officer shall be appointed by its board of directors. The board of directors shall also approve the compensation of the chief compliance officer and shall meet with the chief compliance officer at least annually. The appointment of the chief compliance officer and approval of the chief compliance officer's compensation shall require the approval of the board of directors. The senior officer of the swap data repository may fulfill these responsibilities. A swap data repository shall notify the Commission of the appointment of a new chief compliance officer within two business days of such appointment.

(2) Supervision of chief compliance officer. A swap data repository's chief compliance officer shall report directly to the board of directors or to the senior officer of the swap data repository, at the swap data repository's discretion.

(3) Removal of chief compliance officer by board of directors.

(i) Removal of a swap data repository's chief compliance officer shall require the approval of the swap data repository's board of directors. If the swap data repository does not have a board of directors, then the chief compliance officer may be removed by the senior officer of the swap data repository;

(ii) The swap data repository shall notify the Commission of such removal within two business days; and

(iii) The swap data repository shall notify the Commission within two business days of appointing any new chief compliance officer, whether interim or permanent.

(d) Duties of chief compliance officer. The chief compliance officer's duties shall include, but are not limited to, the following:

(1) Overseeing and reviewing the swap data repository's compliance with section 21 of the Act and any related rules adopted by the Commission;

(2) In consultation with the board of directors, a body performing a function similar to the board, or the senior officer of the swap data repository, resolving any conflicts of interest that may arise including:

(i) Conflicts between business considerations and compliance requirements;

(ii) Conflicts between business considerations and the requirement that the swap data repository provide fair and open access as set forth in § 49.27 of this part; and

(iii) Conflicts between a swap data repository's management and members of the board of directors;

(3) Establishing and administering written policies and procedures reasonably designed to prevent violation of the Act and any rules adopted by the Commission;

(4) Taking reasonable steps to ensure compliance with the Act and Commission regulations relating to agreements, contracts, or transactions, and with Commission regulations under section 21 of the Act, including confidentiality arrangements received by the chief compliance officer's registered swap depository pursuant to § 49.18(a);

(5) Establishing procedures for the remediation of noncompliance issues identified by the chief compliance officer through a compliance office review, look-back, internal or external audit finding, self-reported error, or validated complaint;

(6) Establishing and following appropriate procedures for the handling, management response, remediation, retesting, and closing of noncompliance issues; and

(7) Establishing and administering a written code of ethics designed to prevent ethical violations and to promote honesty and ethical conduct.

(e) Annual compliance report prepared by chief compliance officer. The chief compliance officer shall, not less than annually, prepare and sign an annual compliance report, that at a minimum, contains the following information covering the time period since the date on which the swap data repository became registered with the Commission or since the end of the period covered by a previously filed annual compliance report, as applicable:

(1) A description of the swap data repository's written policies and procedures, including the code of ethics and conflict of interest policies;

(2) A review of applicable Commission regulations and each subsection and core principle of section 21 of the Act, that, with respect to each:

(i) Identifies the policies and procedures that are designed to ensure compliance with each subsection and core principle, including each duty specified in section 21(c);

(ii) Provides a self-assessment as to the effectiveness of these policies and procedures; and

(iii) Discusses areas for improvement, and recommends potential or prospective changes or improvements to its compliance program and resources;

(3) A list of any material changes to compliance policies and procedures since the last annual compliance report;

(4) A description of the financial, managerial, and operational resources set aside for compliance with respect to the Act and Commission regulations;

(5) A description of any material compliance matters, including noncompliance issues identified through a compliance office review, look-back, internal or external audit finding, self-reported error, or validated complaint, and explains how they were resolved; and

(6) A certification by the chief compliance officer that, to the best of his or her knowledge and reasonable belief, and under penalty of law, the annual compliance report is accurate and complete.

(f) Submission of annual compliance report to the Commission.

(1) Prior to submission of the annual compliance report to the Commission, the chief compliance officer shall provide the annual compliance report to the board of the swap data repository for its review. If the swap data repository does not have a board, then the annual compliance report shall be provided to the senior officer for their review. Members of the board and the senior officer may not require the chief compliance officer to make any changes to the report. Submission of the report to the board or senior officer, and any subsequent discussion of the report, shall be recorded in board minutes or similar written record, as evidence of compliance with this requirement.

(2) The annual compliance report shall be provided electronically to the Commission not more than 60 days after the end of the swap data repository's fiscal year.

(3) Promptly upon discovery of any material error or omission made in a previously filed compliance report, the chief compliance officer shall file an amendment with the Commission to correct any material error or omission. An amendment shall contain the oath or certification required under paragraph (e)(6) of this section.

(4) A swap data repository may request the Commission for an extension of time to file its compliance report based on substantial, undue hardship. Extensions for the filing deadline may be granted at the discretion of the Commission.

(g) Recordkeeping.

(1) The swap data repository shall maintain:

(i) A copy of the written policies and procedures, including the code of ethics and conflicts of interest policies adopted in furtherance of compliance with the Act and Commission regulations;

(ii) Copies of all materials, including written reports provided to the board of directors or senior officer in connection with the review of the annual compliance report under paragraph (f)(1) of this section and the board minutes or similar written record of such review, that record the submission of the annual compliance report to the board of directors or senior officer; and

(iii) Any records relevant to the swap data repository's annual compliance report, including, but not limited to, work papers and other documents that form the basis of the report, and memoranda, correspondence, other documents, and records that are:

(A) Created, sent, or received in connection with the annual compliance report; and

(B) Contain conclusions, opinions, analyses, or financial data related to the annual compliance report.

(2) The swap data repository shall maintain records in accordance with § 1.31 of this chapter.

[76 FR 54575, Sept. 1, 2011, as amended at 83 FR 27439, June 12, 2018; 85 FR 75661, Nov. 25, 2020]

§ 49.23 Emergency authority policies and procedures.

(a) Emergency policies and procedures required. A swap data repository shall establish policies and procedures for the exercise of emergency authority in the event of any emergency, including but not limited to natural, man-made, and information technology emergencies. Such policies and procedures shall also require a swap data repository to exercise its emergency authority upon request by the Commission. A swap data repository's policies and procedures for the exercise of emergency authority shall be transparent to the Commission and to market participants whose SDR data resides at the swap data repository.

(b) Invocation of emergency authority. A swap data repository's policies and procedures for the exercise of emergency authority shall enumerate the circumstances under which the swap data repository is authorized to invoke its emergency authority and the procedures that it shall follow to declare an emergency. Such policies and procedures shall also address the range of measures that it is authorized to take when exercising such emergency authority.

(c) Designation of persons authorized to act in an emergency. A swap data repository shall designate one or more officials of the swap data repository as persons authorized to exercise emergency authority on its behalf. A swap data repository shall also establish a chain of command to be used in the event that the designated person(s) is unavailable. A swap data repository shall notify the Commission of the person(s) designated to exercise emergency authority.

(d) Conflicts of interest. A swap data repository's policies and procedures for the exercise of emergency authority shall include provisions to avoid conflicts of interest in any decisions made pursuant to emergency authority. Such policies and procedures shall also include provisions to consult the swap data repository's chief compliance officer in any emergency decision that may raise potential conflicts of interest.

(e) Notification to the Commission. A swap data repository's policies and procedures for the exercise of emergency authority shall include provisions to notify the Commission as soon as reasonably practicable regarding any invocation of emergency authority. When notifying the Commission of any exercise of emergency authority, a swap data repository shall explain the reasons for taking such emergency action, explain how conflicts of interest were minimized, and document the decision-making process. Underlying documentation shall be made available to the Commission upon request.

[76 FR 54575, Sept. 1, 2011, as amended at 85 FR 75661, Nov. 25, 2020]

§ 49.24 System safeguards.

(a) Each swap data repository shall, with respect to all SDR data in its custody:

(1) Establish and maintain a program of risk analysis and oversight to identify and minimize sources of operational risk through the development of appropriate controls and procedures and the development of automated systems that are reliable, secure, and have adequate scalable capacity;

(2) Establish and maintain emergency procedures, backup facilities, and a business continuity-disaster recovery plan that allow for the timely recovery and resumption of operations and the fulfillment of the duties and obligations of the swap data repository; and

(3) Periodically conduct tests to verify that backup resources are sufficient to ensure continued fulfillment of all duties of the swap data repository established by the Act or the Commission's regulations.

(b) A swap data repository's program of risk analysis and oversight with respect to its operations and automated systems shall address each of the following categories of risk analysis and oversight:

(1) Enterprise risk management and governance. This category includes, but is not limited to: Assessment, mitigation, and monitoring of security and technology risk; security and technology capital planning and investment; board of directors and management oversight of technology and security; information technology audit and controls assessments; remediation of deficiencies; and any other elements of enterprise risk management and governance included in generally accepted best practices.

(2) Information security. This category includes, but is not limited to, controls relating to: Access to systems and data (including least privilege, separation of duties, account monitoring and control); user and device identification and authentication; security awareness training; audit log maintenance, monitoring, and analysis; media protection; personnel security and screening; automated system and communications protection (including network port control, boundary defenses, encryption); system and information integrity (including malware defenses, software integrity monitoring); vulnerability management; penetration testing; security incident response and management; and any other elements of information security included in generally accepted best practices.

(3) Business continuity-disaster recovery planning and resources. This category includes, but is not limited to: Regular, periodic testing and review of business continuity-disaster recovery capabilities, the controls and capabilities described in paragraph (a), (d), (e), (f), and (k) of this section; and any other elements of business continuity-disaster recovery planning and resources included in generally accepted best practices.

(4) Capacity and performance planning. This category includes, but is not limited to: Controls for monitoring the swap data repository's systems to ensure adequate scalable capacity (including testing, monitoring, and analysis of current and projected future capacity and performance, and of possible capacity degradation due to planned automated system changes); and any other elements of capacity and performance planning included in generally accepted best practices.

(5) Systems operations. This category includes, but is not limited to: System maintenance; configuration management (including baseline configuration, configuration change and patch management, least functionality, inventory of authorized and unauthorized devices and software); event and problem response and management; and any other elements of system operations included in generally accepted best practices.

(6) Systems development and quality assurance. This category includes, but is not limited to: Requirements development; pre-production and regression testing; change management procedures and approvals; outsourcing and vendor management; training in secure coding practices; and any other elements of systems development and quality assurance included in generally accepted best practices.

(7) Physical security and environmental controls. This category includes, but is not limited to: Physical access and monitoring; power, telecommunication, and environmental controls; fire protection; and any other elements of physical security and environmental controls included in generally accepted best practices.

(c) In addressing the categories of risk analysis and oversight required under paragraph (b) of this section, a swap data repository shall follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of automated systems.

(d) A swap data repository shall maintain a business continuity-disaster recovery plan and business continuity-disaster recovery resources, emergency procedures, and backup facilities sufficient to enable timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its duties and obligations as a swap data repository following any disruption of its operations. Such duties and obligations include, without limitation, the duties set forth in §§ 49.10 through 49.18, 49.23, and the core principles set forth in §§ 49.19 through 49.21 and §§ 49.25 through 49.27, and maintenance of a comprehensive audit trail. The swap data repository's business continuity-disaster recovery plan and resources generally should enable resumption of the swap data repository's operations and resumption of ongoing fulfillment of the swap data repository's duties and obligation during the next business day following the disruption. A swap data repository shall update its business continuity-disaster recovery plan and emergency procedures at a frequency determined by an appropriate risk analysis, but at a minimum no less frequently than annually.

(e) Swap data repositories determined by the Commission to be critical swap data repositories are subject to more stringent requirements as set forth below.

(1) Each swap data repository that the Commission determines is critical must maintain a disaster recovery plan and business continuity and disaster recovery resources, including infrastructure and personnel, sufficient to enable it to achieve a same-day recovery time objective in the event that its normal capabilities become temporarily inoperable for any reason up to and including a wide-scale disruption.

(2) A same-day recovery time objective is a recovery time objective within the same business day on which normal capabilities become temporarily inoperable for any reason up to and including a wide-scale disruption.

(3) To ensure its ability to achieve a same-day recovery time objective in the event of a wide-scale disruption, each swap data repository that the Commission determines is critical must maintain a degree of geographic dispersal of both infrastructure and personnel such that:

(i) Infrastructure sufficient to enable the swap data repository to meet a same-day recovery time objective after interruption is located outside the relevant area of the infrastructure the entity normally relies upon to conduct activities necessary to the reporting, recordkeeping and/or dissemination of SDR data, and does not rely on the same critical transportation, telecommunications, power, water, or other critical infrastructure components the entity normally relies upon for such activities; and

(ii) Personnel sufficient to enable the swap data repository to meet a same-day recovery time objective, after interruption of normal SDR data reporting, recordkeeping and/or dissemination by a wide-scale disruption affecting the relevant area in which the personnel the entity normally relies upon to engage in such activities are located, live and work outside that relevant area.

(4) Each swap data repository that the Commission determines is critical must conduct regular, periodic tests of its business continuity and disaster recovery plans and resources and its capacity to achieve a same-day recovery time objective in the event of a wide-scale disruption. The swap data repository shall keep records of the results of such tests, and make the results available to the Commission upon request.

(f) A swap data repository that is not determined by the Commission to be a critical swap data repository satisfies the requirement to be able to resume operations and resume ongoing fulfillment of the swap data repository's duties and obligations during the next business day following a disruption by maintaining either:

(1) Infrastructure and personnel resources of its own that are sufficient to ensure timely recovery and resumption of its operations, duties and obligations as a swap data repository following any disruption of its operations; or

(2) Contractual arrangements with other swap data repositories or disaster recovery service providers, as appropriate, that are sufficient to ensure continued fulfillment of all of the swap data repository's duties and obligations following any disruption of its operations, both with respect to all swaps reported to the swap data repository and with respect to all SDR data contained in the swap data repository.

(g) A swap data repository shall notify Commission staff promptly of all:

(1) Systems malfunctions;

(2) Cyber security incidents or targeted threats that actually or potentially jeopardize automated system operation, reliability, security, or capacity; and

(3) Any activation of the swap data repository's business continuity-disaster recovery plan.

(h) A swap data repository shall give Commission staff timely advance notice of all:

(1) Planned changes to automated systems that may impact the reliability, security, or adequate scalable capacity of such systems; and

(2) Planned changes to the swap data repository's program of risk analysis and oversight.

(i) As part of a swap data repository's obligation to produce books and records in accordance with § 1.31 of this chapter, and § 49.12, a swap data repository shall provide to the Commission the following system safeguards-related books and records, promptly upon the request of any Commission representative:

(1) Current copies of its business continuity-disaster recovery plans and other emergency procedures;

(2) All assessments of its operational risks or system safeguards-related controls;

(3) All reports concerning system safeguards testing and assessment required by this chapter, whether performed by independent contractors or by employees of the swap data repository; and

(4) All other books and records requested by Commission staff in connection with Commission oversight of system safeguards pursuant to the Act or Commission regulations, or in connection with Commission maintenance of a current profile of the swap data repository's automated systems.

(5) Nothing in paragraph (i) of this section shall be interpreted as reducing or limiting in any way a swap data repository's obligation to comply with § 1.31 of this chapter, or with § 49.12.

(j) A swap data repository shall conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. It shall also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Such testing and review shall include, without limitation, all of the types of testing set forth in this paragraph.

(1) Definitions. As used in this paragraph (j):

Controls means the safeguards or countermeasures employed by the swap data repository in order to protect the reliability, security, or capacity of its automated systems or the confidentiality, integrity, and availability of its SDR data and SDR information, and in order to enable the swap data repository to fulfill its statutory and regulatory duties and responsibilities.

Controls testing means assessment of the swap data repository's controls to determine whether such controls are implemented correctly, are operating as intended, and are enabling the swap data repository to meet the requirements established by this section.

Enterprise technology risk assessment means a written assessment that includes, but is not limited to, an analysis of threats and vulnerabilities in the context of mitigating controls. An enterprise technology risk assessment identifies, estimates, and prioritizes risks to swap data repository operations or assets, or to market participants, individuals, or other entities, resulting from impairment of the confidentiality, integrity, and availability of SDR data and SDR information or the reliability, security, or capacity of automated systems.

External penetration testing means attempts to penetrate the swap data repository's automated systems from outside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting external penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.

Internal penetration testing means attempts to penetrate the swap data repository's automated systems from inside the systems' boundaries, to identify and exploit vulnerabilities. Methods of conducting internal penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.

Key controls means those controls that an appropriate risk analysis determines are either critically important for effective system safeguards or intended to address risks that evolve or change more frequently and therefore require more frequent review to ensure their continuing effectiveness in addressing such risks.

Security incident means a cyber security or physical security event that actually jeopardizes or has a significant likelihood of jeopardizing automated system operation, reliability, security, or capacity, or the availability, confidentiality, or integrity of SDR data.

Security incident response plan means a written plan documenting the swap data repository's policies, controls, procedures, and resources for identifying, responding to, mitigating, and recovering from security incidents, and the roles and responsibilities of its management, staff and independent contractors in responding to security incidents. A security incident response plan may be a separate document or a business continuity-disaster recovery plan section or appendix dedicated to security incident response.

Security incident response plan testing means testing of a swap data repository's security incident response plan to determine the plan's effectiveness, identify its potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents. Methods of conducting security incident response plan testing may include, but are not limited to, checklist completion, walk-through or table-top exercises, simulations, and comprehensive exercises.

Vulnerability testing means testing of a swap data repository's automated systems to determine what information may be discoverable through a reconnaissance analysis of those systems and what vulnerabilities may be present on those systems.

(2) Vulnerability testing. A swap data repository shall conduct vulnerability testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct such vulnerability testing at a frequency determined by an appropriate risk analysis, but no less frequently than quarterly.

(ii) Such vulnerability testing shall include automated vulnerability scanning, which shall follow generally accepted best practices.

(iii) A swap data repository shall conduct vulnerability testing by engaging independent contractors or by using employees of the swap data repository who are not responsible for development or operation of the systems or capabilities being tested.

(3) External penetration testing. A swap data repository shall conduct external penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct such external penetration testing at a frequency determined by an appropriate risk analysis, but no less frequently than annually.

(ii) A swap data repository shall engage independent contractors to conduct the required annual external penetration test. The swap data repository may conduct other external penetration testing by using employees of the swap data repository who are not responsible for development or operation of the systems or capabilities being tested.

(4) Internal penetration testing. A swap data repository shall conduct internal penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct such internal penetration testing at a frequency determined by an appropriate risk analysis, but no less frequently than annually.

(ii) A swap data repository shall conduct internal penetration testing by engaging independent contractors, or by using employees of the swap data repository who are not responsible for development or operation of the systems or capabilities being tested.

(5) Controls testing. A swap data repository shall conduct controls testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct controls testing, which includes testing of each control included in its program of risk analysis and oversight, at a frequency determined by an appropriate risk analysis. Such testing may be conducted on a rolling basis. A swap data repository shall conduct testing of its key controls no less frequently than every three years. The swap data repository may conduct testing of its key controls on a rolling basis over the course of three years or the period determined by such risk analysis, whichever is shorter.

(ii) A swap data repository shall engage independent contractors to test and assess the key controls included in its program of risk analysis and oversight no less frequently than every three years. The swap data repository may conduct any other controls testing required by this section by using independent contractors or employees of the swap data repository who are not responsible for development or operation of the systems or capabilities being tested.

(6) Security incident response plan testing. A swap data repository shall conduct security incident response plan testing sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct such security incident response plan testing at a frequency determined by an appropriate risk analysis, but no less frequently than annually.

(ii) A swap data repository's security incident response plan shall include, without limitation, the swap data repository's definition and classification of security incidents, its policies and procedures for reporting security incidents and for internal and external communication and information sharing regarding security incidents, and the hand-off and escalation points in its security incident response process.

(iii) A swap data repository may coordinate its security incident response plan testing with other testing required by this section or with testing of its other business continuity-disaster recovery and crisis management plans.

(iv) A swap data repository may conduct security incident response plan testing by engaging independent contractors or by using employees of the swap data repository.

(7) Enterprise technology risk assessment. A swap data repository shall conduct enterprise technology risk assessment of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct an enterprise technology risk assessment at a frequency determined by an appropriate risk analysis, but no less frequently than annually. A swap data repository that has conducted an enterprise technology risk assessment that complies with this section may conduct subsequent assessments by updating the previous assessment.

(ii) A swap data repository may conduct enterprise technology risk assessments by using independent contractors or employees of the swap data repository who are not responsible for development or operation of the systems or capabilities being assessed.

(k) To the extent practicable, a swap data repository shall:

(1) Coordinate its business continuity-disaster recovery plan with those of swap execution facilities, designated contract markets, derivatives clearing organizations, swap dealers, and major swap participants who report SDR data to the swap data repository, and with those regulators identified in Section 21(c)(7) of the Act, in a manner adequate to enable effective resumption of the swap data repository's fulfillment of its duties and obligations following a disruption causing activation of the swap data repository's business continuity and disaster recovery plan;

(2) Participate in periodic, synchronized testing of its business continuity - disaster recovery plan and the business continuity - disaster recovery plans of swap execution facilities, designated contract markets, derivatives clearing organizations, swap dealers, and major swap participants who report SDR data to the swap data repository, and the business continuity - disaster recovery plans required by the regulators identified in Section 21(c)(7) of the Act; and

(3) Ensure that its business continuity - disaster recovery plan takes into account the business continuity - disaster recovery plans of its telecommunications, power, water, and other essential service providers.

(l) Scope of testing and assessment. The scope for all system safeguards testing and assessment required by this part shall be broad enough to include the testing of automated systems and controls that the swap data repository's required program of risk analysis and oversight and its current cybersecurity threat analysis indicate is necessary to identify risks and vulnerabilities that could enable an intruder or unauthorized user or insider to:

(1) Interfere with the swap data repository's operations or with fulfillment of its statutory and regulatory responsibilities;

(2) Impair or degrade the reliability, security, or adequate scalable capacity of the swap data repository's automated systems;

(3) Add to, delete, modify, exfiltrate, or compromise the integrity of any SDR data related to the swap data repository's regulated activities; or

(4) Undertake any other unauthorized action affecting the swap data repository's regulated activities or the hardware or software used in connection with those activities.

(m) Internal reporting and review. Both the senior management and the board of directors of a swap data repository shall receive and review reports setting forth the results of the testing and assessment required by this section. A swap data repository shall establish and follow appropriate procedures for the remediation of issues identified through such review, as provided in paragraph (n) of this section, and for evaluation of the effectiveness of testing and assessment protocols.

(n) Remediation. A swap data repository shall identify and document the vulnerabilities and deficiencies in its systems revealed by the testing and assessment required by this section. The swap data repository shall conduct and document an appropriate analysis of the risks presented by such vulnerabilities and deficiencies, to determine and document whether to remediate or accept the associated risk. When the swap data repository determines to remediate a vulnerability or deficiency, it must remediate in a timely manner given the nature and magnitude of the associated risk.

[76 FR 54575, Sept. 1, 2011, as amended at 81 FR 64315, Sept. 19, 2016; 85 FR 75661, Nov. 25, 2020]

§ 49.25 Financial resources.

(a) General rule.

(1) A swap data repository shall maintain sufficient financial resources to perform its statutory and regulatory duties set forth in this chapter.

(2) An entity that operates as both a swap data repository and a derivatives clearing organization shall also comply with the financial resource requirements applicable to derivatives clearing organizations under § 39.11 of this chapter.

(3) Financial resources shall be considered sufficient if their value is at least equal to a total amount that would enable the swap data repository, or applicant for registration, to cover its operating costs for a period of at least one year, calculated on a rolling basis.

(4) The financial resources described in this paragraph (a) must be independent and separately dedicated to ensure that assets and capital are not used for multiple purposes.

(b) Types of financial resources. Financial resources available to satisfy the requirements of paragraph (a) of this section may include:

(1) The swap data repository's own capital; and

(2) Any other financial resource deemed acceptable by the Commission.

(c) Computation of financial resource requirement. A swap data repository shall, on a quarterly basis, based upon its fiscal year, make a reasonable calculation of its projected operating costs over a 12-month period in order to determine the amount needed to meet the requirements of paragraph (a) of this section. The swap data repository shall have reasonable discretion in determining the methodology used to compute such projected operating costs. The Commission may review the methodology and require changes as appropriate.

(d) Valuation of financial resources. At appropriate intervals, but not less than quarterly, a swap data repository shall compute the current market value of each financial resource used to meet its obligations under paragraph (a) of this section. Reductions in value to reflect market and credit risk (haircuts) shall be applied as appropriate.

(e) Liquidity of financial resources. The financial resources allocated by the swap data repository to meet the requirements of paragraph (a) shall include unencumbered, liquid financial assets (i.e., cash and/or highly liquid securities) equal to at least six months' operating costs. If any portion of such financial resources is not sufficiently liquid, the swap data repository may take into account a committed line of credit or similar facility for the purpose of meeting this requirement.

(f) Reporting requirements.

(1) Each fiscal quarter, or at any time upon Commission request, a swap data repository shall report to the Commission the amount of financial resources necessary to meet the requirements of paragraph (a), the value of each financial resource available, computed in accordance with the requirements of paragraph (d); and provide the Commission with a financial statement, including the balance sheet, income statement, and statement of cash flows of the swap data repository or of its parent company. Financial statements shall be prepared in conformity with generally accepted accounting principles (GAAP) applied on a basis consistent with that of the preceding financial statement.

(2) The calculations required by this paragraph shall be made as of the last business day of the swap data repository's fiscal quarter.

(3) The report shall be filed not later than 17 business days after the end of the swap data repository's fiscal quarter, or at such later time as the Commission may permit, in its discretion, upon request by the swap data repository.

[76 FR 54575, Sept. 1, 2011, as amended at 85 FR 75662, Nov. 25, 2020]

§ 49.26 Disclosure requirements of swap data repositories.

Before accepting any SDR data from a swap execution facility, designated contract market, or reporting counterparty; or upon a swap execution facility's, designated contract market's, or reporting counterparty's request; a swap data repository shall furnish to the swap execution facility, designated contract market, or reporting counterparty a disclosure document that contains the following written information, which shall reasonably enable the swap execution facility, designated contract market, or reporting counterparty to identify and evaluate accurately the risks and costs associated with using the services of the swap data repository:

(a) The swap data repository's criteria for providing others with access to services offered and SDR data maintained by the swap data repository;

(b) The swap data repository's criteria for those seeking to connect to or link with the swap data repository;

(c) A description of the swap data repository's policies and procedures regarding its safeguarding of SDR data and operational reliability to protect the confidentiality and security of such data, as described in § 49.24;

(d) The swap data repository's policies and procedures reasonably designed to protect the privacy of any and all SDR data that the swap data repository receives from a swap execution facility, designated contract market, or reporting counterparty, as described in § 49.16;

(e) The swap data repository's policies and procedures regarding its non-commercial and/or commercial use of the SDR data that it receives from a swap execution facility, designated contract market, or reporting counterparty;

(f) The swap data repository's dispute resolution procedures;

(g) A description of all the swap data repository's services, including any ancillary services;

(h) The swap data repository's updated schedule of any fees, rates, dues, unbundled prices, or other charges for all of its services, including any ancillary services; any discounts or rebates offered; and the criteria to benefit from such discounts or rebates;

(i) A description of the swap data repository's governance arrangements; and

(j) The swap data repository's policies and procedures regarding the reporting of SDR data to the swap data repository, including the swap data repository's SDR data validation procedures, swap data verification procedures, and procedures for correcting SDR data errors and omissions.

[76 FR 54575, Sept. 1, 2011, as amended at 85 FR 75662, Nov. 25, 2020]

§ 49.27 Access and fees.

(a) Fair, open and equal access.

(1) A swap data repository, consistent with Section 21 of the Act, shall provide its services to market participants, including but not limited to designated contract markets, swap execution facilities, derivatives clearing organizations, swap dealers, major swap participants and any other counterparties, on a fair, open and equal basis. For this purpose, a swap data repository shall not provide access to its services on a discriminatory basis but is required to provide its services to all market participants for swaps it accepts in an asset class.

(2) Consistent with the principles of open access set forth in paragraph (a)(1) of this section, a swap data repository shall not tie or bundle the offering of mandated regulatory services with other ancillary services that a swap data repository may provide to market participants.

(b) Fees.

(1) Any fees or charges imposed by a swap data repository in connection with the reporting of SDR data and any other supplemental or ancillary services provided by such swap data repository shall be equitable and established in a uniform and non-discriminatory manner. Fees or charges shall not be used as an artificial barrier to access to the swap data repository. Swap data repositories shall not offer preferential pricing arrangements to any market participant on any basis, including volume discounts or reductions unless such discounts or reductions apply to all market participants uniformly and are not otherwise established in a manner that would effectively limit the application of such discount or reduction to a select number of market participants.

(2) All fees or charges are to be fully disclosed and transparent to market participants. At a minimum, the swap data repository shall provide a schedule of fees and charges that is accessible by all market participants on its Web site.

(3) The Commission notes that it will not specifically approve the fees charged by swap data repositories. However, any and all fees charged by swap data repositories must be consistent with the principles set forth in paragraph (b)(1) of this section.

[76 FR 54575, Sept. 1, 2011, as amended at 85 FR 75662, Nov. 25, 2020]

§ 49.28 Operating hours of swap data repositories.

(a) Except as otherwise provided in this paragraph (a), a swap data repository shall have systems in place to continuously accept and promptly record all SDR data reported to the swap data repository as required in this chapter and, as applicable, publicly disseminate all swap transaction and pricing data reported to the swap data repository as required in part 43 of this chapter.

(1) A swap data repository may establish normal closing hours to perform system maintenance during periods when, in the reasonable estimation of the swap data repository, the swap data repository typically receives the least amount of SDR data. A swap data repository shall provide reasonable advance notice of its normal closing hours to market participants and to the public.

(2) A swap data repository may declare, on an ad hoc basis, special closing hours to perform system maintenance that cannot wait until normal closing hours. A swap data repository shall schedule special closing hours during periods when, in the reasonable estimation of the swap data repository in the context of the circumstances prompting the special closing hours, the special closing hours will be the least disruptive to the swap data repository's SDR data reporting responsibilities. A swap data repository shall provide reasonable advance notice of its special closing hours to market participants and to the public whenever possible, and, if advance notice is not reasonably possible, shall provide notice of its special closing hours to market participants and to the public as soon as reasonably possible after declaring special closing hours.

(b) A swap data repository shall comply with the requirements under part 40 of this chapter in adopting or amending normal closing hours and special closing hours.

(c) During normal closing hours and special closing hours, a swap data repository shall have the capability to accept and hold in queue any and all SDR data reported to the swap data repository during the normal closing hours or special closing hours.

(1) Upon reopening after normal closing hours or special closing hours, a swap data repository shall promptly process all SDR data received during normal closing hours or special closing hours, as required pursuant to this chapter, and, pursuant to part 43 of this chapter, publicly disseminate all swap transaction and pricing data reported to the swap data repository that was held in queue during the normal closing hours or special closing hours.

(2) If at any time during normal closing hours or special closing hours a swap data repository is unable to receive and hold in queue any SDR data reported pursuant to this chapter, then the swap data repository shall immediately issue notice to all swap execution facilities, designated contract markets, reporting counterparties, and the public that it is unable to receive and hold in queue SDR data. Immediately upon reopening, the swap data repository shall issue notice to all swap execution facilities, designated contract markets, reporting counterparties, and the public that it has resumed normal operations. Any swap execution facility, designated contract market, or reporting counterparty that was obligated to report SDR data pursuant to this chapter to the swap data repository, but could not do so because of the swap data repository's inability to receive and hold in queue SDR data, shall report the SDR data to the swap data repository immediately after receiving such notice.

[85 FR 75662, Nov. 25, 2020]

§ 49.29 Information relating to swap data repository compliance.

(a) Requests for information. Upon the Commission's request, a swap data repository shall file with the Commission information related to its business as a swap data repository and such information as the Commission determines to be necessary or appropriate for the Commission to perform the duties of the Commission under the Act and regulations in 17 CFR chapter I. The swap data repository shall file the information requested in the form and manner and within the time period the Commission specifies in the request.

(b) Demonstration of compliance. Upon the Commission's request, a swap data repository shall file with the Commission a written demonstration, containing supporting data, information, and documents, that it is in compliance with its obligations under the Act and the Commission's regulations in 17 CFR chapter I, as the Commission specifies in the request. The swap data repository shall file the written demonstration in the form and manner and within the time period the Commission specifies in the request.

[85 FR 75663, Nov. 25, 2020]

§ 49.30 Form and manner of reporting and submitting information to the Commission.

Unless otherwise instructed by the Commission, a swap data repository shall submit SDR data reports and any other information required under this part to the Commission, within the time specified, using the format, coding structure, and electronic data transmission procedures approved in writing by the Commission.

[85 FR 75663, Nov. 25, 2020]

§ 49.31 Delegation of authority to the Director of the Division of Market Oversight relating to certain part 49 matters.

(a) The Commission hereby delegates, until such time as the Commission orders otherwise, the following functions to the Director of the Division of Market Oversight and to such members of the Commission staff acting under his or her direction as he or she may designate from time to time:

(1) All functions reserved to the Commission in § 49.5.

(2) All functions reserved to the Commission in § 49.9.

(3) All functions reserved to the Commission in § 49.10.

(4) All functions reserved to the Commission in § 49.12.

(5) All functions reserved to the Commission in § 49.13.

(6) All functions reserved to the Commission in § 49.16.

(7) All functions reserved to the Commission in § 49.17.

(8) All functions reserved to the Commission in § 49.18.

(9) All functions reserved to the Commission in § 49.22.

(10) All functions reserved to the Commission in § 49.23.

(11) All functions reserved to the Commission in § 49.24.

(12) All functions reserved to the Commission in § 49.25.

(13) All functions reserved to the Commission in § 49.29.

(14) All functions reserved to the Commission in § 49.30.

(b) The Director of the Division of Market Oversight may submit to the Commission for its consideration any matter that has been delegated under paragraph (a) of this section.

(c) Nothing in this section may prohibit the Commission, at its election, from exercising the authority delegated in this section.

[85 FR 75663, Nov. 25, 2020]

Appendix A to Part 49 - Form SDR

COMMODITY FUTURES TRADING COMMISSION FORM SDR

SWAP DATA REPOSITORY APPLICATION OR AMENDMENT TO APPLICATION FOR REGISTRATION

REGISTRATION INSTRUCTIONS

Intentional misstatements or omissions of material fact may constitute federal criminal violations (7 U.S.C. 13 and 18 U.S.C. 1001) or grounds for disqualification from registration.

DEFINITIONS

Unless the context requires otherwise, all terms used in this Form SDR have the same meaning as in the Commodity Exchange Act, as amended (“Act”), and in the General Rules and Regulations of the Commodity Futures Trading Commission (“Commission”) thereunder (17 CFR chapter I).

For the purposes of this Form SDR, the term “Applicant” shall include any applicant for registration as a swap data repository or any applicant amending a pending application.

GENERAL INSTRUCTIONS

1. This Form SDR, which includes instructions, a Cover Sheet, and required Exhibits (together “Form SDR”), is to be filed with the Commission by all Applicants, pursuant to section 21 of the Act and the Commission's regulations thereunder. Upon the filing of an application for registration in accordance with the instructions provided herein, the Commission will publish notice of the filing and afford interested persons an opportunity to submit written comments concerning such application. No application for registration shall be effective unless the Commission, by order, grants such registration.

2. Individuals' names, except the executing signature, shall be given in full (Last Name, First Name, Middle Name).

3. Signatures on all copies of the Form SDR filed with the Commission can be executed electronically. If this Form SDR is filed by a corporation, it shall be signed in the name of the corporation by a principal officer duly authorized; if filed by a limited liability company, it shall be signed in the name of the limited liability company by a manager or member duly authorized to sign on the limited liability company's behalf; if filed by a partnership, it shall be signed in the name of the partnership by a general partner duly authorized; if filed by an unincorporated organization or association that is not a partnership, it shall be signed in the name of such organization or association by the managing agent, i.e., a duly authorized person who directs manages or who participates in the directing or managing of its affairs.

4. If this Form SDR is being filed as an application for registration, all applicable items must be answered in full. If any item is inapplicable, indicate by “none,” “not applicable,” or “N/A,” as appropriate.

5. Under section 21 of the Act and the Commission's regulations thereunder, the Commission is authorized to solicit the information required to be supplied by this Form SDR from any Applicant seeking registration as a swap data repository. Disclosure by the Applicant of the information specified in this Form SDR is mandatory prior to the start of the processing of an application for registration as a swap data repository. The information provided in this Form SDR will be used for the principal purpose of determining whether the Commission should grant or deny registration to an Applicant. The Commission may determine that additional information is required from an Applicant in order to process its application. A Form SDR that is not prepared and executed in compliance with applicable requirements and instructions may be returned as not acceptable for filing. Acceptance of this Form SDR, however, shall not constitute a finding that the Form SDR has been filed as required or that the information submitted is true, current, or complete.

6. Except in cases where confidential treatment is requested by the Applicant and granted by the Commission pursuant to the Freedom of Information Act and Commission Regulation § 145.9, information supplied on this Form SDR will be included in the public files of the Commission and will be available for inspection by any interested person. The Applicant must identify with particularity the information in these exhibits that will be subject to a request for confidential treatment and supporting documentation for such request pursuant to Commission Regulations § 40.8 and § 145.9.

APPLICATION AMENDMENTS

1. An Applicant amending a pending application for registration as a swap data repository shall file an amended Form SDR electronically with the Secretary of the Commission in the manner specified by the Commission.

2. When filing this Form SDR for purposes of amending a pending application, an Applicant must re-file the entire Cover Sheet, amended if necessary, include an executing signature, and attach thereto revised Exhibits or other materials marked to show any amendments. The submission of an amendment to a pending application represents that all unamended items and Exhibits remain true, current, and complete as previously filed.

WHERE TO FILE

This Form SDR shall be filed electronically with the Secretary of the Commission in the manner specified by the Commission.

EXHIBITS INSTRUCTIONS

The following Exhibits must be included as part of Form SDR and filed with the Commission by each Applicant seeking registration as a swap data repository pursuant to section 21 of the Act and the Commission's regulations thereunder. Such Exhibits must be labeled according to the items specified in this Form SDR. If any Exhibit is inapplicable, please specify the Exhibit letter and indicate by “none,” “not applicable,” or “N/A,” as appropriate. The Applicant must identify with particularity the information in these Exhibits that will be subject to a request for confidential treatment and supporting documentation for such request pursuant to Commission Regulations § 40.8 and § 145.9.

If the Applicant is a newly formed enterprise and does not have the financial statements required pursuant to Items 27 and 28 of this form, the Applicant should provide pro forma financial statements for the most recent six months or since inception, whichever is less.

EXHIBITS I - BUSINESS ORGANIZATION

14. Attach as Exhibit A, any person who owns ten (10) percent or more of Applicant's equity or possesses voting power of any class, either directly or indirectly, through agreement or otherwise, in any other manner, may control or direct the management or policies of Applicant. “Control” for this purpose is defined in Commission Regulation § 49.2(a).

State in Exhibit A the full name and address of each such person and attach a copy of the agreement or, if there is none written, describe the agreement or basis upon which such person exercises or may exercise such control or direction.

15. Attach as Exhibit B, a narrative that sets forth the fitness standards for the board of directors and its composition including the number or percentage of public directors.

Attach a list of the present officers, directors (including an identification of the public directors), governors (and, if the Applicant is not a corporation, the members of all standing committees grouped by committee), or persons performing functions similar to any of the foregoing, of the swap data repository or of the entity identified in Item 16 that performs the swap data repository activities of the Applicant, indicating for each:

a. Name

b. Title

c. Date of commencement and, if appropriate, termination of present term of position

d. Length of time each present officer, director, or governor has held the same position

e. Brief account of the business experience of each officer and director over the last five (5) years

f. Any other business affiliations in the securities industry or OTC derivatives industry

g. A description of:

(1) any order of the Commission with respect to such person pursuant to section 5e of the Act;

(2) any conviction or injunction within the past 10 years;

(3) any disciplinary action with respect to such person within the last five (5) years;

(4) any disqualification under sections 8b and 8d of the Act;

(5) any disciplinary action under section 8c of the Act; and

(6) any violation pursuant to section 9 of the Act.

h. For directors, list any committees on which the director serves and any compensation received by virtue of their directorship.

16. Attach as Exhibit C, the following information about the chief compliance officer who has been appointed by the board of directors of the swap data repository or a person or group performing a function similar to such board of directors:

a. Name

b. Title

c. Dates of commencement and termination of present term of office or position

d. Length of time the chief compliance officer has held the same office or position

e. Brief account of the business experience of the chief compliance officer over the last five (5) years

f. Any other business affiliations in the derivatives/securities industry or swap data repository industry

g. A description of:

(1) any order of the Commission with respect to such person pursuant to section 5e of the Act;

(2) any conviction or injunction within the past 10 years;

(3) any disciplinary action with respect to such person within the last five (5) years;

(4) any disqualification under sections 8b and 8d of the Act;

(5) any disciplinary action under section 8c of the Act; and

(6) any violation pursuant to section 9 of the Act.

17. Attach as Exhibit D, a copy of documents relating to the governance arrangements of the Applicant, including, but not limited to:

a. The nomination and selection process of the members on the Applicant's board of directors, a person or group performing a function similar to a board of directors (collectively, “board”), or any committee that has the authority to act on behalf of the board, the responsibilities of each of the board and such committee, and the composition of each board and such committee;

b. a description of the manner in which the composition of the board allows the Applicant to comply with applicable core principles, regulations, as well as the rules of the Applicant; and

c. a description of the procedures to remove a member of the board of directors, where the conduct of such member is likely to be prejudicial to the sound and prudent management of the swap data repository.

18. Attach as Exhibit E, a narrative or graphic description of the organizational structure of the Applicant. Note: If the swap data repository activities are conducted primarily by a division, subdivision, or other segregable entity within the Applicant's corporation or organization, describe the relationship of such entity within the overall organizational structure and attach as Exhibit E only such description as applies to the segregable entity. Additionally, provide any relevant jurisdictional information, including any and all jurisdictions in which the Applicant or any affiliated entity is doing business and registration status, including pending application (e.g., country, regulator, registration category, date of registration). In addition, include a description of the lines of responsibility and accountability for each operational unit of the Applicant to (i) any committee thereof and/or (ii) the board.

19. Attach as Exhibit F, a copy of the conflicts of interest policies and procedures implemented by the Applicant to minimize conflicts of interest in the decision-making process of the swap data repository and to establish a process for the resolution of any such conflicts of interest.

20. Attach as Exhibit G, a list of all affiliates of the swap data repository and indicate the general nature of the affiliation. Provide a copy of any agreements entered into or to be entered by the swap data repository, including partnerships or joint ventures, or its participants, that will enable the Applicant to comply with the registration requirements and core principles specified in section 21 of the Act. With regard to an affiliate that is a parent company of the Applicant, if such parent controls the Applicant, an Applicant must provide (i) the board composition of the parent, including public directors, and (ii) all ownership information requested in Exhibit A for the parent. “Control” for this purpose is defined in Commission Regulation § 49.2(a).

21. Attach as Exhibit H, a copy of the constitution; articles of incorporation or association with all amendments thereto; existing by-laws, rules, or instruments corresponding thereto, of the Applicant. The Applicant shall also provide a certificate of good standing dated within one week of the date of the application.

22. Where the Applicant is a foreign entity seeking registration or filing an amendment to an existing registration, attach as Exhibit I, an opinion of counsel that the swap data repository, as a matter of law, is able to provide the Commission with prompt access to the books and records of such swap data repository and that the swap data repository can submit to onsite inspection and examination by the Commission.

23. Where the Applicant is a foreign entity seeking registration, attach as Exhibit I-1, a form that designates and authorizes an agent in the United States, other than a Commission official, to accept any notice or service of process, pleadings, or other documents in any action or proceedings brought against the swap data repository to enforce the Act and the regulations thereunder.

24. Attach as Exhibit J, a current copy of the Applicant's rules, as defined in Commission Regulation § 40.1, consisting of all the rules necessary to carry out the duties as a swap data repository.

25. Attach as Exhibit K, a description of the Applicant's internal disciplinary and enforcement protocols, tools, and procedures. Include the procedures for dispute resolution.

26. Attach as Exhibit L, a brief description of any material pending legal proceeding(s), other than ordinary and routine litigation incidental to the business, to which the Applicant or any of its affiliates is a party or to which any of its or their property is the subject. Include the name of the court or agency in which the proceeding(s) are pending, the date(s) instituted, and the principal parties thereto, a description of the factual basis alleged to underlie the proceeding(s) and the relief sought. Include similar information as to any such proceeding(s) known to be contemplated by the governmental agencies.

EXHIBITS II - FINANCIAL INFORMATION

27. Attach as Exhibit M, a balance sheet, statement of income and expenses, statement of sources and application of revenues, and all notes or schedules thereto, as of the most recent fiscal year of the Applicant. If a balance sheet and statements certified by an independent public accountant are available, such balance sheet and statement shall be submitted as Exhibit M.

28. Attach as Exhibit N, a balance sheet and an income and expense statement for each affiliate of the swap data repository that also engages in swap data repository activities as of the end of the most recent fiscal year of each such affiliate.

29. Attach as Exhibit O, the following:

a. A complete list of all dues, fees, and other charges imposed, or to be imposed, by or on behalf of Applicant for its swap data repository services and identify the service or services provided for each such due, fee, or other charge.

b. Furnish a description of the basis and methods used in determining the level and structure of the dues, fees, and other charges listed in paragraph a of this item.

c. If the Applicant differentiates, or proposes to differentiate, among its customers, or classes of customers in the amount of any dues, fees, or other charges imposed for the same or similar services, so state and indicate the amount of each differential. In addition, identify and describe any differences in the cost of providing such services, and any other factors, that account for such differentiations.

EXHIBITS III - OPERATIONAL CAPABILITY

30. Attach as Exhibit P, copies of all material contracts with any swap execution facility, designated contract market, clearing agency, central counterparty, or third party service provider. To the extent that form contracts are used by the Applicant, submit a sample of each type of form contract used. In addition, include a list of swap execution facilities, designated contract markets, clearing agencies, central counterparties, and third party service providers with whom the Applicant has entered into material contracts. Where swap data repository functions are performed by a third-party, attach any agreements between or among the Applicant and such third party, and identify the services that will be provided.

31. Attach as Exhibit Q, any technical manuals, other guides or instructions for users of, or participants in, the market.

32. Attach as Exhibit R, a description of system test procedures, test conducted or test results that will enable the Applicant to comply, or demonstrate the Applicant's ability to comply, with the core principles for swap data repositories.

33. Attach as Exhibit S, a description in narrative form, or by the inclusion of functional specifications, of each service or function performed as a swap data repository. Include in Exhibit S a description of all procedures utilized for the collection, processing, distribution, publication, and retention (e.g., magnetic tape) of information with respect to transactions or positions in, or the terms and conditions of, swaps entered into by market participants.

34. Attach as Exhibit T, a list of all computer hardware utilized by the Applicant to perform swap data repository functions, indicating where such equipment (terminals and other access devices) is physically located.

35. Attach as Exhibit U, a description of the personnel qualifications for each category of professional employees employed by the swap data repository or the division, subdivision, or other segregable entity within the swap data repository as described in Item 16.

36. Attach as Exhibit V, a description of the measures or procedures implemented by Applicant to provide for the security of any system employed to perform the functions of a swap data repository. Include a general description of any physical and operational safeguards designed to prevent unauthorized access (whether by input or retrieval) to the system. Describe any circumstances within the past year in which the described security measures or safeguards failed to prevent any such unauthorized access to the system and any measures taken to prevent a reoccurrence. Describe any measures used to verify the accuracy of information received or disseminated by the system.

37. Attach as Exhibit W, copies of emergency policies and procedures and Applicant's business continuity-disaster recovery plan. Include a general description of any business continuity-disaster recovery resources, emergency procedures, and backup facilities sufficient to enable timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its duties and obligations as a swap data repository following any disruption of its operations.

38. Where swap data repository functions are performed by automated facilities or systems, attach as Exhibit X a description of all backup systems or subsystems that are designed to prevent interruptions in the performance of any swap data repository function as a result of technical malfunctions or otherwise in the system itself, in any permitted input or output system connection, or as a result of any independent source. Include a narrative description of each type of interruption that has lasted for more than two minutes and has occurred within the six (6) months preceding the date of the filing, including the date of each interruption, the cause, and duration. Also state the total number of interruptions that have lasted two minutes or less.

39. Attach as Exhibit Y, the following:

a. For each of the swap data repository functions:

(1) Quantify in appropriate units of measure the limits on the swap data repository's capacity to receive (or collect), process, store, or display (or disseminate for display or other use) the data elements included within each function (e.g., number of inquiries from remote terminals);

(2) identify the factors (mechanical, electronic, or other) that account for the current limitations reported in answer to (1) on the swap data repository's capacity to receive (or collect), process, store, or display (or disseminate for display or other use) the data elements included within each function.

b. If the Applicant is able to employ, or presently employs, the central processing units of its system(s) for any use other than for performing the functions of a swap data repository, state the priorities of assignment of capacity between such functions and such other uses, and state the methods used or able to be used to divert capacity between such functions and such other uses.

EXHIBITS IV - ACCESS TO SERVICES

40. Attach as Exhibit Z, the following:

a. As to each swap data repository service that the Applicant provides, state the number of persons who presently utilize, or who have notified the Applicant of their intention to utilize, the services of the swap data repository.

b. For each instance during the past year in which any person has been prohibited or limited in respect of access to services offered by the Applicant as a swap data repository, indicate the name of each such person and the reason for the prohibition or limitation.

c. Define the data elements for purposes of the swap data repository's real-time public reporting obligation. Appendix A to Part 43 of the Commission's Regulations (Data Elements and Form for Real-Time Reporting for Particular Markets and Contracts) sets forth the specific data elements for real-time public reporting.

41. Attach as Exhibit AA, copies of any agreements governing the terms by which information may be shared by the swap data repository, including with market participants. To the extent that form contracts are used by the Applicant, submit a sample of each type of form contract used.

42. Attach as Exhibit BB, a description of any specifications, qualifications, or other criteria that limit, are interpreted to limit, or have the effect of limiting access to or use of any swap data repository services furnished by the Applicant and state the reasons for imposing such specifications, qualifications, or other criteria, including whether such specifications, qualifications, or other criteria are imposed.

43. Attach as Exhibit CC, any specifications, qualifications, or other criteria required of participants who utilize the services of the Applicant for collection, processing, preparing for distribution, or public dissemination by the Applicant.

44. Attach as Exhibit DD, any specifications, qualifications, or other criteria required of any person, including, but not limited to, regulators, market participants, market infrastructures, venues from which data could be submitted to the Applicant, and third party service providers who request access to data maintained by the Applicant.

45. Attach as Exhibit EE, policies and procedures implemented by the Applicant to review any prohibition or limitation of any person with respect to access to services offered or data maintained by the Applicant and to grant such person access to such services or data if such person has been discriminated against unfairly.

EXHIBITS V - OTHER POLICIES AND PROCEDURES

46. Attach as Exhibit FF, a narrative and supporting documents that may be provided under other Exhibits herein, that describes the manner in which the Applicant is able to comply with each core principle and other requirements pursuant to Commission Regulation § 49.19.

47. Attach as Exhibit GG, policies and procedures implemented by the Applicant to protect the privacy of any and all SDR data, section 8 material, and SDR information that the swap data repository receives from reporting entities.

48. Attach as Exhibit HH, a description of safeguards, policies, and procedures implemented by the Applicant to prevent the misappropriation or misuse of (a) any confidential information received by the Applicant, including, but not limited to, SDR data, section 8 material, and SDR information, about a market participant or any of its customers; and/or (b) intellectual property by Applicant or any person associated with the Applicant for their personal benefit or the benefit of others.

49. Attach as Exhibit II, policies and procedures implemented by the Applicant regarding its use of the SDR data, section 8 material, and SDR information that it receives from a market participant, any registered entity, or any person for non-commercial and/or commercial purposes.

50. Attach as Exhibit JJ, procedures and a description of facilities of the Applicant for effectively resolving disputes over the accuracy of the SDR data and positions that are maintained by the swap data repository.

51. Attach as Exhibit KK, policies and procedures relating to the Applicant's calculation of positions.

52. Attach as Exhibit LL, policies and procedures that are reasonably designed to prevent any provision in a valid swap from being invalidated or modified through the procedures or operations of the Applicant.

53. Attach as Exhibit MM, Applicant's policies and procedures that ensure that the SDR data that are maintained by the Applicant continues to be maintained after the Applicant withdraws from registration as a swap data repository, which shall include procedures for transferring the SDR data to the Commission or its designee (including another swap data repository).

[85 FR 75663, Nov. 25, 2020]

Appendix B to Part 49 - Confidentiality Arrangement for Appropriate Domestic Regulators and Appropriate Foreign Regulators to Obtain Access to Swap Data Maintained by Swap Data Respositories Pursuant to §§ 49.17(d)(6) and 49.18(a)

The U.S. Commodity Futures Trading Commission (“CFTC”) and the [name of foreign/domestic regulator (“ABC”)] (each an “Authority” and collectively the “Authorities”) have entered into this Confidentiality Arrangement (“Arrangement”) in connection with [whichever is applicable] [CFTC Regulation 49.17(b)(1)[(i)-(vi)]/the determination order issued by the CFTC to [ABC] (“Order”)] and any request for swap data by [ABC] to any swap data repository (“SDR”) registered or provisionally registered with the CFTC.

Article One: General Provisions

1. ABC is permitted to request and receive swap data directly from an SDR (“Swap Data”) on the terms and subject to the conditions of this Arrangement.

2. This Arrangement is entered into to fulfill the requirements under Section 21(d) of the Commodity Exchange Act (“Act”) and CFTC Regulation 49.18. Upon receipt by an SDR, this Arrangement will satisfy the requirement for a written agreement pursuant to Section 21(d) of the Act and CFTC Regulation 49.17(d)(6). This Arrangement does not apply to information that is [reported to an SDR pursuant to [ABC]'s regulatory regime where the SDR also is registered with [ABC] pursuant to separate statutory authority, even if such information also is reported pursuant to the Act and CFTC regulations][reported to an SDR pursuant to [ABC]'s regulatory regime where the SDR also is registered with, or recognized or otherwise authorized by, [ABC], which has supervisory authority over the repository pursuant to foreign law and/or regulation, even if such information also is reported pursuant to the Act and CFTC regulations.][1]

3. This Arrangement is not intended to limit or condition the discretion of an Authority in any way in the discharge of its regulatory responsibilities or to prejudice the individual responsibilities or autonomy of any Authority.

4. This Arrangement does not alter the terms and conditions of any existing arrangements.

Article Two: Confidentiality of Swap Data

5. ABC will be acting within the scope of its jurisdiction in requesting Swap Data and employs procedures to maintain the confidentiality of Swap Data and any information and analyses derived therefrom (collectively, the “Confidential Information”). ABC undertakes to notify the CFTC and each relevant SDR promptly of any change to ABC's scope of jurisdiction.

6. ABC undertakes to treat Confidential Information as confidential and will employ safeguards that:

a. To the maximum extent practicable, identify the Confidential Information and maintain it separately from other data and information;

b. Protect the Confidential Information from misappropriation and misuse;

c. Ensure that only authorized ABC personnel with a need to access particular Confidential Information to perform their job functions related to such Confidential Information have access thereto, and that such access is permitted only to the extent necessary to perform their job functions related to such particular Confidential Information;

d. Prevent the disclosure of aggregated Confidential Information; provided, however, that ABC is permitted to disclose any sufficiently aggregated Confidential Information that is anonymized to prevent identification, through disaggregation or otherwise, of a market participant's business transactions, trade data, market positions, customers, or counterparties;

e. Prohibit use of the Confidential Information by ABC personnel for any improper purpose, including in connection with trading for their personal benefit or for the benefit of others or with respect to any commercial or business purpose; and

f. Include a process for monitoring compliance with the confidentiality safeguards described herein and for promptly notifying the CFTC, and each SDR from which ABC has received Swap Data, of any violation of such safeguards or failure to fulfill the terms of this Arrangement.

7. Except as provided in Paragraphs 6.d. and 8, ABC will not onward share or otherwise disclose any Confidential Information.

8. ABC undertakes that:

a. If a department, central bank, or agency of the Government of the United States, it will not disclose Confidential Information except in an action or proceeding under the laws of the United States to which it, the CFTC, or the United States is a party;

b. If a department or agency of a State or political subdivision thereof, it will not disclose Confidential Information except in connection with an adjudicatory action or proceeding brought under the Act or the laws of [name of either the State or the State and political subdivision] to which it is a party; or

c. If a foreign futures authority or a department, central bank, ministry, or agency of a foreign government or subdivision thereof, or any other Foreign Regulator, as defined in Commission Regulation 49.2(a)(5), it will not disclose Confidential Information except in connection with an adjudicatory action or proceeding brought under the laws of [name of country, political subdivision, or (if a supranational organization) supranational lawmaking body] to which it is a party.

9. Prior to complying with any legally enforceable demand for Confidential Information, ABC will notify the CFTC of such demand in writing, assert all available appropriate legal exemptions or privileges with respect to such Confidential Information, and use its best efforts to protect the confidentiality of the Confidential Information.

10. ABC acknowledges that, if it does not fulfill the terms of this Arrangement, the CFTC may direct any SDR to suspend or revoke ABC's access to Swap Data.

11. ABC will comply with all applicable security-related requirements imposed by an SDR in connection with access to Swap Data maintained by the SDR, as such requirements may be revised from time to time.

12. ABC will promptly destroy all Confidential Information for which it no longer has a need or which no longer falls within the scope of its jurisdiction, and will certify to the CFTC, upon request, that ABC has destroyed such Confidential Information.

Article Three: Administrative Provisions

13. This Arrangement may be amended with the written consent of the Authorities.

14. The text of this Arrangement will be executed in English, and may be made available to the public.

15. On the date this Arrangement is signed by the Authorities, it will become effective and may be provided to any SDR that holds and maintains Swap Data that falls within the scope of ABC's jurisdiction.

16. This Arrangement will expire 30 days after any Authority gives written notice to the other Authority of its intention to terminate the Arrangement. In the event of termination of this Arrangement, Confidential Information will continue to remain confidential and will continue to be covered by this Arrangement.

This Arrangement is executed in duplicate, this ____day of ____.

[name of Chairman] [name of signatory]

Chairman, [title]

U.S. Commodity Futures Trading Commission [name of foreign/domestic regulator]

[Exhibit A: Description of Scope of Jurisdiction. If ABC is not enumerated in Commission Regulations 49.17(b)(1)(i)-(vi), it must attach the Determination Order received from the Commission pursuant to Commission Regulation 49.17(h). If ABC is enumerated in Commission Regulations 49.17(b)(1)(i)-(vi), it must attach a sufficiently detailed description of the scope of ABC's jurisdiction as it relates to Swap Data maintained by SDRs. In both cases, the description of the scope of jurisdiction must include elements allowing SDRs to establish, without undue obstacles, objective parameters for determining whether a particular Swap Data request falls within such scope of jurisdiction. Such elements could include legal entity identifiers of all jurisdictional entities and could also include unique product identifiers of all jurisdictional products or, if no CFTC-approved unique product identifier and product classification system is yet available, the internal product identifier or product description used by an SDR from which Swap Data is to be sought.]

[85 FR 75671, Nov. 25, 2020]