‘ANNEX IVa

TIPS SERVICE FOR ANCILLARY SYSTEMS SETTLING INSTANT PAYMENTS

1.   Definitions

For the purposes of this Annex and further to the definitions in Article 1 of Annex IIb:

(1)	“ancillary system central bank (ASCB)” means the Eurosystem CB with which the relevant ancillary system settling instant payments in its own books has a bilateral arrangement for the settlement of ancillary system instant payments;

(2)	“underlying gross volume” means the number of instant payments settled on the ancillary system’s own books and enabled by funds held on the TIPS AS technical account. It does not include instant payments to or from TIPS DCAs or other TIPS AS technical accounts;

(3)	“instructing party” means an entity which has been designated as such by an ancillary system and which is allowed to send payment orders to the TIPS Platform and/or receive payment orders from the TIPS Platform on behalf of that ancillary system or a reachable party of that ancillary system.

2.   Entry of payment orders into the system and their irrevocability

The application of Article 20 of Annex IIb, regarding the moment of entry of instant payment orders, positive recall answers and TIPS DCA to TIPS AS technical account liquidity transfer orders and TIPS AS technical account to TIPS DCA liquidity transfer orders in the relevant TARGET2 component system shall not have any effect on any rules of ancillary systems which stipulate a moment of entry into the ancillary system and/or irrevocability of transfer orders submitted to such ancillary system at a point in time earlier than the moment of entry of the respective payment order in the relevant TARGET2 component system.

3.   Accounts to support settlement of instant payments in ancillary systems own books

(1)	To support the settlement of instant payments related to ancillary systems in TIPS, one TIPS AS technical account shall be opened.

(2)

A TIPS AS technical account shall be identified by means of a unique account number of up to 34 characters and shall be structured as set out in the table:   Name Format Content Part A Account type 1 char. exactly ‘A’ for AS technical account Country code of the central bank 2 char. exactly ISO country code 3166-1 Currency code 3 char. exactly EUR Part B Account holder 11 char. exactly BIC Part C Sub-classification of the account Up to 17 char. Free text (alphanumeric) to be provided by the account holder.

(3)	TIPS AS technical accounts may only have a zero or positive balance during the day and may maintain a positive balance overnight. Overnight balance on the account shall be subject to the same remuneration rules that apply to Guarantee Funds pursuant to Article 11 of this Guideline.

4.   Settlement procedure

(1)	The ancillary system shall use a TIPS AS technical account to collect the necessary liquidity set aside by their clearing members to fund their positions.

(2)	Upon request, the ancillary system shall be notified of the crediting and debiting of their TIPS AS technical account.

(3)	An ancillary system may send instant payment orders, and positive recall answers to any TIPS DCA holder or TIPS ancillary system. An ancillary system shall receive and process instant payment orders, recall requests and positive recall answers from any TIPS DCA holder or TIPS ancillary system.

5.   User interface

(1)	The TIPS AS technical account holder shall access the TIPS Platform in A2A mode and may also connect in U2A mode either directly or via one or more instructing parties.

(2)	Access to the TIPS Platform allows TIPS AS technical account holders to: (a) access information relating to their accounts and to manage CMBs; (b) initiate TIPS AS technical account to TIPS DCA liquidity transfer orders; and (c) manage certain static data.

6.   Fee schedule and invoicing

(1)

An ancillary system in TIPS, shall be subject to both of the following: (a) a transaction fee calculated on the same basis as the schedule established for TIPS DCA holders in Appendix IV to Annex IIb; (b) a fee based on the underlying gross volume of instant payments settled in the ancillary system’s own platform and enabled by the pre-funded positions on the TIPS AS technical account. The fee shall be EUR 0.0005 per instant payment.

(2)

The underlying gross volume of the ancillary system's instant payments shall be calculated by the ASCB each month on the basis of the underlying gross volume during the previous month rounded down to the nearest ten thousand and reported by the ancillary system at the latest by the third business day of the following month. The calculated gross volume shall be applied for calculating the fee during the following month.

(3)

Each ancillary system shall receive an invoice from its ASCB for the previous month based on the fees referred to in point (1) of this paragraph, no later than the ninth business day of the following month. Payments shall be made no later than the 14th business day of the month in which the invoice is issued to the account specified by the ASCB or shall be debited from an account specified by the ancillary system.

(4)

For the purposes of fee schedules and invoicing pursuant to this Annex: (a) an ancillary system that has been designated as a system under Directive 98/26/EC shall be treated as a separate ancillary system, notwithstanding that it is operated by a legal entity that operates another ancillary system; (b) an ancillary system that has not been designated as a system under Directive 98/26/EC shall be treated as a separate ancillary system where it fulfils the following criteria: (i) it is a formal arrangement, in the form of a contract or a legislative instrument; (ii) it has more than one [member] [participant] [excluding the system operator of that system]; (iii) it is established for the purposes of clearing, netting and/or settlement of payments and/or securities between the participants; and (iv) it applies common rules and standardised arrangements to the clearing, netting and settlement of payments and securities between the participants.

(5)	The fees, for the purposes of invoicing pursuant to this Article for the period from 1 December 2021 to 28 February 2022, shall amount to the average of the total fees invoiced for the months of September, October and November 2021.

‘Appendix VIII

Requirements regarding information security management and business continuity management

Information security management

These requirements are applicable to each participant, unless the participant demonstrates that a specific requirement is not applicable to it. In establishing the scope of application of the requirements within its infrastructure, the participant should identify the elements that are part of the Payment Transaction Chain (PTC). Specifically, the PTC starts at a Point of Entry (PoE), i.e. a system involved in the creation of transactions (e.g. workstations, front-office and back-office applications, middleware), and ends at the system responsible to send the message to SWIFT (e.g. SWIFT VPN Box) or Internet (with the latter applicable to Internet-based Access).

Requirement 1.1: Information security policy

The management shall set a clear policy direction in line with business objectives and demonstrate support for and commitment to information security through the issuance, approval and maintenance of an information security policy aiming at managing information security and cyber resilience across the organisation in terms of identification, assessment and treatment of information security and cyber resilience risks. The policy should contain at least the following sections: objectives, scope (including domains such as organisation, human resources, asset management etc.), principles and allocation of responsibilities.

Requirement 1.2: Internal organisation

An information security framework shall be established to implement the information security policy within the organisation. The management shall coordinate and review the establishment of the information security framework to ensure the implementation of the information security policy (as per Requirement 1.1) across the organisation, including the allocation of sufficient resources and assignment of security responsibilities for this purpose.

Requirement 1.3: External parties

The security of the organisation’s information and information processing facilities should not be reduced by the introduction of, and/or the dependence on, an external party/parties or products/services provided by them. Any access to the organisation’s information processing facilities by external parties shall be controlled. When external parties or products/services of external parties are required to access the organisation’s information processing facilities, a risk assessment shall be carried out to determine the security implications and control requirements. Controls shall be agreed and defined in an agreement with each relevant external party.

Requirement 1.4: Asset management

All information assets, the business processes and the underlying information systems, such as operating systems, infrastructures, business applications, off-the-shelf products, services and user-developed applications, in the scope of the Payment Transaction Chain shall be accounted for and have a nominated owner. The responsibility for the maintenance and the operation of appropriate controls in the business processes and the related IT components to safeguard the information assets shall be assigned. Note: the owner can delegate the implementation of specific controls as appropriate, but remains accountable for the proper protection of the assets.

Requirement 1.5: Information assets classification

Information assets shall be classified in terms of their criticality to the smooth delivery of the service by the participant. The classification shall indicate the need, priorities and degree of protection required when handling the information asset in the relevant business processes and shall also take into consideration the underlying IT components. An information asset classification scheme approved by the management shall be used to define an appropriate set of protection controls throughout the information asset lifecycle (including removal and destruction of information assets) and to communicate the need for specific handling measures.

Requirement 1.6: Human resources security

Security responsibilities shall be addressed prior to employment in adequate job descriptions and in terms and conditions of employment. All candidates for employment, contractors and third party users shall be adequately screened, especially for sensitive jobs. Employees, contractors and third party users of information processing facilities shall sign an agreement on their security roles and responsibilities. An adequate level of awareness shall be ensured among all employees, contractors and third party users, and education and training in security procedures and the correct use of information processing facilities shall be provided to them to minimise possible security risks. A formal disciplinary process for handling security breaches shall be established for employees. Responsibilities shall be in place to ensure that an employee’s, contractor’s or third party user’s exit from or transfer within the organisation is managed, and that the return of all equipment and the removal of all access rights are completed.

Requirement 1.7: Physical and environmental security

Critical or sensitive information processing facilities shall be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They shall be physically protected from unauthorised access, damage and interference. Access shall be granted only to individuals who fall within the scope of Requirement 1.6. Procedures and standards shall be established to protect physical media containing information assets when in transit.

Equipment shall be protected from physical and environmental threats. Protection of equipment (including equipment used off-site) and against the removal of property is necessary to reduce the risk of unauthorised access to information and to guard against loss or damage of equipment or information. Special measures may be required to protect against physical threats and to safeguard supporting facilities such as the electrical supply and cabling infrastructure.

Requirement 1.8: Operations management

Responsibilities and procedures shall be established for the management and operation of information processing facilities covering all the underlying systems in the Payment Transaction Chain end-to-end.

As regards operating procedures, including technical administration of IT systems, segregation of duties shall be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse. Where segregation of duties cannot be implemented due to documented objective reasons, compensatory controls shall be implemented following a formal risk analysis. Controls shall be established to prevent and detect the introduction of malicious code for systems in the Payment Transaction Chain. Controls shall be also established (including user awareness) to prevent, detect and remove malicious code. Mobile code shall be used only from trusted sources (e.g. signed Microsoft COM components and Java Applets). The configuration of the browser (e.g. the use of extensions and plugins) shall be strictly controlled.

Data backup and recovery policies shall be implemented by the management; those recovery policies shall include a plan of the restoration process which is tested at regular intervals at least annually.

Systems that are critical for the security of payments shall be monitored and events relevant to information security shall be recorded. Operator logs shall be used to ensure that information system problems are identified. Operator logs shall be regularly reviewed on a sample basis, based on the criticality of the operations. System monitoring shall be used to check the effectiveness of controls which are identified as critical for the security of payments and to verify conformity to an access policy model.

Exchanges of information between organisations shall be based on a formal exchange policy, carried out in line with exchange agreements among the involved parties and shall be compliant with any relevant legislation. Third party software components employed in the exchange of information with TARGET2 (like software received from a Service Bureau in scenario 2 of the scope section of the TARGET2 self-certification arrangement document) must be used under a formal agreement with the third-party.

Requirement 1.9: Access control

Access to information assets shall be justified on the basis of business requirements (need-to-know (1)) and according to the established framework of corporate policies (including the information security policy). Clear access control rules shall be defined based on the principle of least privilege (2) to reflect closely the needs of the corresponding business and IT processes. Where relevant, (e.g. for backup management) logical access control should be consistent with physical access control unless there are adequate compensatory controls in place (e.g. encryption, personal data anonymisation).

Formal and documented procedures shall be in place to control the allocation of access rights to information systems and services that fall within the scope of the Payment Transaction Chain. The procedures shall cover all stages in the lifecycle of user access, from the initial registration of new users to the final deregistration of users that no longer require access.

Special attention shall be given, where appropriate, to the allocation of access rights of such criticality that the abuse of those access rights could lead to a severe adverse impact on the operations of the participant (e.g. access rights allowing system administration, override of system controls, direct access to business data).

Appropriate controls shall be put in place to identify, authenticate and authorise users at specific points in the organisation’s network, e.g. for local and remote access to systems in the Payment Transaction Chain. Personal accounts shall not be shared in order to ensure accountability.

For passwords, rules shall be established and enforced by specific controls to ensure that passwords cannot be easily guessed, e.g. complexity rules and limited-time validity. A safe password recovery and/or reset protocol shall be established.

A policy shall be developed and implemented on the use of cryptographic controls to protect the confidentiality, authenticity and integrity of information. A key management policy shall be established to support the use of cryptographic controls.

There shall be policy for viewing confidential information on screen or in print (e.g. a clear screen, a clear desk policy) to reduce the risk of unauthorised access.

When working remotely, the risks of working in an unprotected environment shall be considered and appropriate technical and organisational controls shall be applied.

Requirement 1.10: Information systems acquisition, development and maintenance

Security requirements shall be identified and agreed prior to the development and/or implementation of information systems.

Appropriate controls shall be built into applications, including user-developed applications, to ensure correct processing. These controls shall include the validation of input data, internal processing and output data. Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical information. Such controls shall be determined on the basis of security requirements and risk assessment according to the established policies (e.g. information security policy, cryptographic control policy).

The operational requirements of new systems shall be established, documented and tested prior to their acceptance and use. As regards network security, appropriate controls, including segmentation and secure management, should be implemented based on the criticality of data flows and the level of risk of the network zones in the organisation. There shall be specific controls to protect sensitive information passing over public networks.

Access to system files and program source code shall be controlled and IT projects and support activities conducted in a secure manner. Care shall be taken to avoid exposure of sensitive data in test environments. Project and support environments shall be strictly controlled. Deployment of changes in production shall be strictly controlled. A risk assessment of the major changes to be deployed in production shall be conducted.

Regular security testing activities of systems in production shall also be conducted according to a predefined plan based on the outcome of a risk-assessment, and security testing shall include, at least, vulnerability assessments. All of the shortcomings highlighted during the security testing activities shall be assessed and action plans to close any identified gap shall be prepared and followed-up in a timely fashion.

Requirement 1.11: Information security in supplier (3) relationships

To ensure protection of the participant’s internal information systems that are accessible by suppliers, information security requirements for mitigating the risks associated with supplier’s access shall be documented and formally agreed upon with the supplier.

Requirement 1.12: Management of information security incidents and improvements

To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses, roles, responsibilities and procedures, at business and technical level, shall be established and tested to ensure a quick, effective and orderly and safely recover from information security incidents including scenarios related to a cyber-related cause (e.g. a fraud pursued by an external attacker or by an insider). Personnel involved in these procedures shall be adequately trained.

Requirement 1.13: Technical compliance review

A participant’s internal information systems (e.g. back office systems, internal networks and external network connectivity) shall be regularly assessed for compliance with the organisation’s established framework of policies (e.g. information security policy, cryptographic control policy).

Requirement 1.14: Virtualisation

Guest virtual machines shall comply with all the security controls that are set for physical hardware and systems (e.g. hardening, logging). Controls relating to hypervisors must include: hardening of the hypervisor and the hosting operating system, regular patching, strict separation of different environments (e.g. production and development). Centralised management, logging and monitoring as well as managing of access rights, in particular for high privileged accounts, shall be implemented based on a risk assessment. Guest virtual machines managed by the same hypervisor shall have a similar risk profile.

Requirement 1.15: Cloud computing

The usage of public and/or hybrid cloud solutions in the Payment Transaction Chain must be based on a formal risk assessment, taking into account the technical controls and the contractual clauses related to the cloud solution.

If hybrid cloud solutions are used, it is understood that the criticality level of the overall system is the highest one of the connected systems. All on-premises components of the hybrid solutions must be segregated from the other on-premises systems.

Business continuity management (applicable only to critical participants)

The following requirements (2.1 to 2.6) relate to business continuity management. Each TARGET2 participant classified by the Eurosystem as being critical for the smooth functioning of the TARGET2 system shall have a business continuity strategy in place comprising the following elements.

Requirement 2.1	:	Business continuity plans shall be developed and procedures for maintaining them are in place.
Requirement 2.2	:	An alternate operational site shall be available.
Requirement 2.3	:	The risk profile of the alternate site shall be different from that of the primary site, in order to avoid that both sites are affected by the same event at the same time. For example, the alternate site shall be on a different power grid and central telecommunication circuit from those of the primary business location.
Requirement 2.4	:	In the event of a major operational disruption rendering the primary site inaccessible and/or critical staff unavailable, the critical participant shall be able to resume normal operations from the alternate site, where it shall be possible to properly close the business day and open the following business day(s).
Requirement 2.5	:	Procedures shall be in place to ensure that the processing of transactions is resumed from the alternate site within a reasonable timeframe after the initial disruption of service and commensurate to the criticality of the business that was disrupted.
Requirement 2.6	:	The ability to cope with operational disruptions shall be tested at least once a year and critical staff shall be aptly trained. The maximum period between tests shall not exceed one year.