As we move forward with REMIT there seem to be a lot of entities with stars in their eyes who want to become an RRM. An RRM is a Registered Reporting Mechanism, registered with ACER, that facilitates the reporting of transactions. This seems like a fairly straightforward thing: set up a facility to receive the fields specified in the TRUM (Transaction Reporting User Manual) and go sign up some clients. Easy.
Anything but! Running this type of facility is not for amateurs. In short, there is zero tolerance for security holes. Frankly, we all need to think about what happens when this data gets hacked. Sorry to sound like a sour pill, but that is the reality of the world we live in. Just ask Target.
Got SAS 70.
Can You Describe in Detail the Elements and Auditing of your NOC?
A NOC is a Network Operations Center. What you are looking for here is a SAS 70 Type I or Type II audit. SAS 70 was put out by the AICPA in 1992. What you really want is a SAS 70 Type II audit, which is a "report on controls placed in operation" plus "tests of operating effectiveness." A Type I report only describes the controls as of a point in time; a Type II report means the RRM has a complete set of controls in place and that an auditor has actually tested them over a period. Many corporations maintain policies that only permit sending sensitive information to SAS 70 Type II facilities. One caveat: SAS 70 was superseded in 2011 by SSAE 16 (the SOC 1 report), and both are aimed at controls relevant to financial reporting. For the security, availability and confidentiality controls that matter for trade data, the relevant report is SOC 2, so if a prospective RRM can only offer a SAS 70 or SOC 1, ask what covers its security controls.
Can You Please Identify Named Engineers, their Certifications, and contact Escalation Procedures?
When Armageddon happens, and we have to assume that it will, the last thing you want is a team sitting around wondering, "What do we do?" There should be an escalation procedure for a "major event" that your team can follow to ensure that you are not left at the end of the line. Likewise, certifications in a NOC are important. There is rigor around these programs, and a named set of engineers prevents the quiet use of vaguely defined third-party facilities whose operation the RRM itself does not really understand.
Can You Please Describe Your Penetration Testing Policy and the Summary Results of Your Latest Test?
Penetration testing is the industry standard for figuring out whether a particular deployment has any holes in it. Generally a third party is engaged to "test hack" the infrastructure and report what it finds. It is not bullet-proof, since a test reflects one scope at one point in time, but it significantly diminishes the probability that some kid with a laptop can hack into the system. When you ask for the summary results, also ask for the scope, the date, how often tests are repeated and whether the findings have been remediated and retested; a clean report on a narrow scope from three years ago tells you little.
Can You Please Provide the Details of Your Independent Compliance Program?
Satisfying the requirements of ACER is more than just shipping trades to a fancy database. There are an enormous number of controls that need to be in place to safeguard the data you are sending to the RRM. One of the largest risks, besides hacking, is an insider job where someone leaks information that they should not have been able to get at in the first place. The only way to control this is a serious implementation of a compliance program that oversees who can access the data and how it is used. Part and parcel of this are the notification procedures in the event data is lost.
Regulatory compliance is one of those things firms wish to complete and move away from so they can focus on their core business. The problem is, you are shipping sensitive trade data and should be asking as many questions about this aspect of your preferred RRM or Trade Repository as you do about their service capabilities. Simply following the majority consensus may not be your best bet.