IETA1 position paper on registry security as response to

EU stakeholder meeting on 15 March 2011 on registry security

31 March 2011

Key messages

1. Immediate measures required to restore market confidence:

a. minimum safety standards on all registries by mid-April
b. publish a central list of stolen allowances after carefully assessing risks and
benefits until a freezing mechanism can be implemented within the CITL
c. fast notice procedures for companies affected by a theft
d. detailed Know-Your-Customer checks on existing/new accounts within 60 days
e. annual security audit for registries or face liability for thefts
f. work out compensation schemes for victims
g. work on harmonizing legal status of allowances and clarifying title of transfer

2. Support introduction of a ‘safe’ compliance account and concept of differentiated

accounts granting flexibility in implementation of transfer limits, delays and restricting
accounts for transfers (masterdata concept), accompanied by a monitoring mechanism.

3. Support introduction of at least 4 (operating) hour delay mechanism for transactions on

all accounts in all registries in combination with ‘out-of-band’ notification. This delay
should not apply for automated transfers within an exchange settlement infrastructure,
allocation and surrender, and in very specific circumstances. The need for a delivery
delay must be reviewed upon introduction of the Union Registry.

4. Does not support anonymized transactions unless the legal status of an allegedly stolen
emission allowance is clarified EU-wide, and a notification process, a freezing
mechanism and compensation procedures for victims of the theft are in place. Non-
disclosure would also prevent market participants from doing compulsory reporting.

5. Consider that certain aspects related to registry security such as who is entitled to
participate in this market should be part of the review of market oversight rules.

6. Build up of user forum working towards implementation of safe and functional EU ETS
infrastructure. Representation should be self selected by various relevant business
groupings.

1 1
IETA is the leading voice of the international business community on the subject of emissions trading with over 160
member companies from across the carbon cycle. IETA supports efforts to address the pressing environmental
challenge of climate change, and is dedicated to the establishment of environmentally effective market-based
emissions trading systems that generate reductions at least cost to the community. For more information:
www.ieta.org

IETA - Climate Challenges, Market Solutions

24, Rue Merle d’Aubigné Boite 27 1730 Rhode Island Ave., NW, 100 King Street West, Suite
Geneva, 1207, Switzerland Rue de la Loi 235 Suite 802, Washington, DC 5700, Toronto, Ontario
Tel: +41 (22) 737 0500 Brussels, 1040, Belgium 20036 USA M5X 1C7, Canada
Tel: +32 (0)22 30 11 60 Tel: +1 (202) 629-5980 Tel. +1 (416) 913 0135
Reg. 0889.072.702
 Urgent measures

Following the stakeholder meeting on registry security on 15 March, IETA thanks the
Commission for the opportunity to provide comments on the revision of the registry regulation.

Measures proposed at the ECCP stakeholder meeting on 15th March mainly targeted security
improvements on the functioning of the Union registry, to be implemented in 2012. While these
are welcome, IETA is also concerned that more immediate steps are needed to help the market
return to a more normal situation and to restore confidence that the problems which have
paralysed the spot market are being appropriately addressed. This means first and foremost,
enhancing security levels across all registries and to get them operate at the commercial
standards that would adequately protect the value at stake:2

♦ Minimum safety standards on all registries: introduce double authorization, two-factor

identification and a 4-hour minimum delay for transactions on all registries combined with
‘out-of-band’ notification and subject to exemptions outlined in section III, and open the
remaining registries at the latest by mid-April. IT security measures are established in e-
banking and solutions can be relatively easily understood and built by IT service providers
(or bought off-the-shelf). There is no reason why such measures should not be
communicated to account holders, as far as they concern the user interface.

♦ Transparency: If a careful evaluation of risks/benefits concludes positively, provide a

regularly updated central list of ‘allegedly’ stolen allowances on the CITL, with appropriate
disclaimers. At the same time, work should advance on a process to automatically freeze
stolen allowances at registry level upon submission of an emergency notification protocol at
the level of the CITL, together with compensation measures

♦ Fast notice: Establish emergency notification protocols allowing companies to notify a theft
instantly by submitting an online form to national authorities and registry operators
available from the CITL. Introduce a telephone hotline operating during trading hours for all
registries and at EU level. Publish registry trading hours with details of national holidays.

♦ Clean up and monitor: Require registries to run detailed Know-Your Customer (KYC) checks
on all existing and new registry accounts within 60 days and copy the Danish Registry
example of asking for motivations for holding accounts and involve anti-crime authorities in
the process. Clarify practical implementation difficulties (‘tipping off’) in registry regulation
for how national registries can deny or suspend accounts3 to those that do not pass the KYC
process. KYC processes should be designed as per Anti Money Laundering standards.

2
That will entail significant ramping up of resources in certain registries and as part of this dearly needed effort could
imply a review of registries’ fees arrangements towards adequate but moderate levels. See annex 1 for the current
fee structure on EU ETS registries.
3
An appeal route is however required, in particular if new processes are implemented which restrict access to certain
accounts. The appeal mechanism foreseen in the registry regulation will need to deal with such cases.
2
♦ Clarify and take responsibilities: There should be a clear obligation on registries to undergo
annual audits to certify the appropriateness of security levels and the way KYC checking is
organized and implemented. The Commission should mandate an independent auditor to
review all the annual registry audits and publish a public report. Where a registry has not
performed appropriate KYC checks and/or security requirements are not met, the registry
subject to the theft and the registry receiving the fraudulent transaction must be held liable
for the consequences of any unlawful transfers (where the end user has taken necessary
precautions). Companies also have a duty to enhance internal security procedures, regularly
check their accounts, have traders trained in doing KYC checks on counterparties and
regularly change passwords. But not all the risk can be borne by companies. Registry
operators should issue best practice guidance to account holders.

♦ Compensate: A mechanism must be devised to compensate the victim of a theft and

provide the current holders of allegedly stolen allowances bought in good faith with
tradable replacements. Political leadership is required as industry installations have no
choice but to participate in the EU ETS and there are victims that bought ‘allegedly’ stolen
allowances in good faith. Member States, alongside the Commission, are individually and
collectively responsible for the good operation of national registries and must assume that
duty. IETA in this paper proposes that Member States set up a mutual pool of allowances to
compensate affected parties. Victims of a theft could either receive financial
recompensation or a virtual entry of compliance; whereas legitimate holders could swap
affected allowances against entitlement notes to ‘clean’ phase III allowances.

♦ Claims: If the market was to return back to normal, the legal character of an EUA cannot
remain further unaddressed. Achieving consistency across Member States is vital for the
future of this market and must be addressed in parallel before the end of phase 2. IETA also
proposes to discuss the introduction in the registry regulation of unified title transfer rules
specifically for EUA trading. Such rules might facilitate taking ownership and trading of
carbon allowances in good faith (see section IV.1). This remains an issue of vital importance
for the future of this market and must be addressed in parallel, through issuance of an EU
decision before the end of phase 2. Given the intricacies, IETA calls upon the Commission to
immediately investigate these possibilities and discuss with lawyers from different
jurisdictions to pool views about what can be done to improve matters.

Many of these points could not be addressed in full length during the stakeholder meeting. IETA
therefore repeats its suggestion that, following this first very successful exchange of views, the
Commission in conjunction with main European business and trade associations should set up a
permanent user forum on registry questions. Such fora exist at national level but not in all
Member States. The exchange of information and consultation of market participants should
not be kept to national fora only. This EU ETS forum would consist of a group of experts
including business representatives, Commission and Member States officials that would work on
enhancing user features in the registries and would allow ‘market testing’ for any new concepts
before putting them to use. This forum could also provide support in training national registry
operators in better monitoring and flagging unusual transactions. Minutes of forum meetings
should be published along the lines for minutes of the Climate Change Committee meetings.
3
 Comments on Commission Proposals

I. Introductory comments

The theft of allowances has deeply affected confidence and liquidity in the EU ETS, undermining
market functioning not only in the spot market but also in derivatives markets. One can already
observe that companies that provide liquidity, but that are market participants for financial
rather than for compliance purposes, are having second thoughts about their involvement in
this type of activity. Such involvement has been a crucial factor supporting the successful
development of the ETS and is dearly needed as the market enters its third trading phase and
their withdrawal could come at a significant cost to the remainder of the market.

This is why IETA is supporting measures in this paper which might have not received approval
across the membership just a couple of months ago, as they change the fundamental nature of
this market and add regulatory layers that might not have been necessary if security was
maintained at adequate levels across all registries. IETA will monitor the situation and upon
implementation of the Union registry reassess the conditions needed to ensure a good market
functioning.

IETA considers that the Commission and the Member States as the “owners of the ETS” must
ensure the full security for an industry operator’s assets and provide compensation for losses
incurred as a consequence of an insecure operating system, given due diligence on the side of
the affected operator. In the same way, if a party can demonstrate it was in compliance with
reasonable and proportionate KYC requirements and due diligence checks and, through no fault
of its own, now holds potentially stolen allowances, there needs to be a swift remedy to the
situation including compensatory measures. An option for setting up compensation schemes is
further elaborated in this paper (see section IV.3).

IETA would like to emphasize that no single measure is sufficient by itself and the
effectiveness of individual measures will depend on how they interact with other measures.
Thus the following comments cannot be seen in isolation, as they are intrinsically linked. For
instance, the publication of a central list of ‘allegedly’ stolen allowances also requires
establishing a process on how to reliably but efficiently update such a list, a registry telephone
hotline, details on opening hours, and procedures for reporting a theft.

Moreover, it is important to consider that certain aspects related to registry security such as
who is entitled to participate in this market should be part of the forthcoming review of market
oversight rules for the EU ETS. This is meant to encompass both the auctioning and trade of
emission allowances.

II. Differentiation of account categories

The objectives of introducing the differentiation of accounts are to:

4
 1. Make it more difficult to steal allowances if and when security has been breached
allowing accounts to be accessed fraudulently.
2. Make it more difficult to quickly transfer/launder the stolen allowances.

Addressing both of these objectives is important.

• Do you support the introduction of differentiated account categories?

IETA supports the introduction of differentiated account categories or security tiers, based on
certain conditions, as set out below. IETA believes it is very important that in creating such
categories, we do not inadvertently restrict access by any party with a legitimate interest in
trading allowances.

An important complementary measure to account differentiation that may be considered is to

require registry operators to establish an automated monitoring system of all transactions. By
applying certain non-disclosed criteria (e.g. unusual trading pattern in terms of volumes and
frequency, unusual recipient accounts, (financial) size of the companies etc.), this would allow
registries to investigate specific suspicious trades that might indicate unauthorised access to an
account or fraudulent trading activity.

To further reinforce the barriers to entry by fraudsters, separate “out of band” confirmation
system (such as SMS/ TAN message or e-token confirmation) for transfer proposals must be set-
up for all accounts. Processing transfers via two independent communications systems adds a
significant entry-barrier for cyber fraudsters as they would need to gain physical access to the
separate confirmation system i.e. the mobile phones or e-tokens of account operators.

• How many different account categories should be created and under what conditions
should more flexible account categories be allowed?

Two main account categories may be created:

- A standard compliance account enabling only transfers for allocation and surrender and
between entities of the same group and giving maximum security to account holders.
- A flexible account with individual options of limitations and conditions on transfers and
volumes and some horizontal restrictions including:
o The Masterdata concept, i.e. the use of individual pre-approved list of accounts
to which transfers are authorized, is a very effective way to keep fraudsters out
and should be applied to all accounts. Establishing new relationships takes
days/weeks of internal documentation and hence setting-up new correspond-
dent accounts under Masterdata will not unduly lengthen trading processes.4
o appropriate & uniform transaction delays.

4
However, a process needs to be set up allowing prompt removal of accounts should information be received which
might indicate a change in status of a previously « approved » account, for example on the basis of SMS/TAN or e-
token confirmation and 2-persons authorization. Adding accounts should only be possible by written procedure and
co-signed by the two authorized representatives, followed by request for confirmation by registry authorities.
5
To be eligible to a flexible account, a participant must demonstrate that it meets the predefined
set of criteria of a standardised, unified KYC process through a Commission accredited auditor
resembling the Anti Money-Laundering recommendations published by almost all national
financial regulators (see annex 2 for some non exhaustive examples for KYC processes). The
assessment against such criteria could for instance include some form of credit point system.
This combined with other measures should sufficiently mitigate the risk that holders of flexible
accounts may be involved in criminal activity. This mechanism would also require an appropriate
body to undertake the assessment or oversee assessments performed by specialised service
providers.

III. Delivery delay mechanism

• Do you support the introduction of such a delivery delay mechanism?

• What is the appropriate delay that should be considered?

In terms of principles, where delivery delay is set, this should not affect compliance postings
(e.g. surrender and allocation of allowances). Moreover, there is no point in implementing a
delay as a stand-alone measure. It must come with (a) provision of information on the
transaction to the account holder via sms; (b) possibility for account holder to undo the
transaction before it is completed. We would like to see on the CITL an updated list of operating
hours of all registries and the hotline numbers to call in case of an emergency.

Members have different views on the appropriate length but, as an emergency measure, a 4
hour delay during operating hours5 could be sufficient, introduced right now in all registries
until establishment of the Union Registry, and then be reassessed. Longer delays would require
expensive changes to trading systems. While the transfer entering or exiting the exchange
settlement infrastructure would be subject to a delay (either handled by a general clearing
member (GCM), CCP or an exchange), no delay shall apply within it (illustration below):

Party A
DELAY
Exchange Infrastructure*
DELAY
Party B

*(exchanges, CCP or any allowance account under the supervision of the CCP or the exchange)

But a delay mechanism only works if a company is also able to interfere and stop a transfer.
For this, each registry will need to provide a telephone hotline during operation hours. This does
not relieve registries of the obligation to introduce appropriate security levels both at registry
and company level and in particular, automatic and immediate notification of the account
holder via SMS that a transaction command has been made on their account.

The feasibility of non-delayed deliveries shall also be maintained for specific circumstances.
For instance, even though this is not the most common market practice, active market
participants need to stay able to adjust immediately their balance, for instance on exchange-set

5 Need for careful definition (does this relate to CET/GMT, and how deal with different national bank holidays).
6
and market-customary expiry dates of forward contracts6. A balance needs to be maintained
between preventing abuse of such opt-out and ensuring good market functioning.

IV. Display of serial numbers

• Do you support the discontinuation of displaying serial numbers in the single registry?

IETA does not support hiding of serial numbers, unless this would be combined with:
- legal clarification of status and transfer of title for EUAs with a view to allow for a bona
fide purchase of EUAs;
- freezing mechanism in CITL that would stop any transfer of allegedly stolen EUAs;
- compensation procedures for victims of the theft.

These three points are further elaborated below.

IV. 1 Issue of legal status

On the one side, we have seen that the display of serial numbers can lead to market
fragmentation when stolen allowances are put into circulation, e.g. while the theft has only
affected a very small number of allowances, this has fragmented the market – as
(a) their status is not clarified and unwitting recipients of allegedly stolen allowances run the risk
of suffering loss or, at worst, criminal liability arising from merely participating in the EU ETS as
some jurisdictions require disclosure of any potential trading irregularities.;
(b) there are moral and reputational aspects to using someone else’s stolen goods.

Yet the key problem in the proposed anonymization of serial numbers resides in the uncertain
legal situation regarding ownership of ‘allegedly’ stolen allowances. For instance under English
law, unless a product is a negotiated instrument, it is irrelevant whether you have transacted in
good faith: if the allowance is stolen, then you have no good title. As a result, in this
jurisdiction, hiding serial numbers may well be counterproductive: not only don’t you have good
title, but you cannot do anything to prevent delivery of allowances that are known to be under
investigation. In other words, the law does not protect you and you cannot protect yourself.

Based on above consideration, market participants require identification of allegedly stolen

EUAs to allow for appropriate risk management:
- hiding serial numbers is not helping to restore confidence that allegedly stolen EUAs are
not on one’s account;
- enshrining the compliance usability of allegedly stolen EUAs does not alleviate the
financial or criminal liability of holding allegedly stolen EUAs;
- non-disclosure would also prevent market participants from doing ‘due diligence’
reporting on suspicious activity.

6Instant deliveries are also needed for reconciliation in cases the counterparty has not delivered, but onwards
delivery is due, one must purchase instantly replacement units to deliver on a supply contract. Otherwise there is a
high risk that this liability triggers down the supply chain and affects market liquidity.
7
At the same time, it may be easier to pursue the asset rather than the thief. Thieves are hard to
track down: while complicit accounts were opened to facilitate the laundering of proceeds, the
account holders disappeared. Yet the stolen allowances are visible throughout the laundering
chain. In previous fraud cases, companies that published stolen allowances had a much better
chance of recovering parts of the losses and gained much higher publicity, thereby accelerating
the judiciary procedures. If serial numbers are kept anonymous there should be clear timelines
for judiciary procedures in cases of theft, and obligatory instant sharing of the information with
policy and legal authorities across the EU through notification of Europol.

IV. 2 Freezing mechanism

The introduction of a CITL check that would allow the freezing and recovery of allegedly stolen
allowances could prevent paralysis of the entire market (with or without visibility of serial
numbers). This mechanism could be activated on the basis of a request backed by a national
police report detailing the good grounds for belief that allowances had been stolen, see box 1
below. The CITL should automatically check EUAs proposed for transfer versus the current, CITL
administered, list of allegedly stolen allowances. However, there is also a need to ensure that
those that bought these EUAs in good faith are not disadvantaged but have speedy access to
redress.

Box 1. Activation process freezing mechanism

1. A fraud victim would notify national registry operators of the loss through an emergency
notification protocol7 within 8-12 (operating/business) hours of the loss. In conjunction with
an instant sms notification system for accounting holders following execution of transaction
commands this, or a similar time delay, should be considered sufficient;
2. Registry operators to report serial numbers to CITL as stolen;
3. CITL to immediately block these from further transfers and inform all other national
registries by circulating the emergency notification protocol subject to a confidentiality
agreement about the identity of the (alleged) victim;
4. Effective blockage to take place within hours, not days;
5. Immediate information to the account holder who has allegedly stolen EUAs on its account
and request to provide evidence for due diligence process in acquiring allowances.
6. Fraud victim to provide within 5 working days a police report as sufficient evidence that it
has officially declared being the victim of theft.
7. Fraud victim to take full responsibility for false/ erroneous claim of stolen EUA (limited to
market price at time of call for blockage, no consequential losses). The CITL to publish all
successful applications to freeze allowances.
8.

7
The Commission and Member States need to develop a consistent set of emergency notification protocols and
enhance intervention capacity to prevent transfer of allowances in case emergency notifications are filed. These
would enable: (a) victims of an alleged incident of theft to immediately alert relevant EU ETS authorities; and (b)
those authorities to in turn notify market participants and the national registry administrators.
8
IV.3 Compensation

There are different options to ensure that compensation is addressing both the victim of the
theft and the last legitimate holder of the frozen allegedly stolen allowance. The proposal of a
mutual pool is just one of many options which might merit further exploring.

A “mutual pool” could be set up by the regulator through pooling national allocation of emission
allowances (Member States and Commission).

The mutual pool could

♦ Pay the account from which they were stolen if it is determined that the account holder
had no fault, and showed no negligence or if the victim is a compliant entity, provide
entitlement to ‘virtual compliance entry’;
♦ Pay the current holder if it is determined that they purchased in good faith or allow for a
swap of affected allowances against entitlement notes to ‘clean’ phase III allowances;
♦ Hold the registry liable if the illegal transfer took place as a result of insufficient registry
security measures;
♦ Pursue those that illegally transferred the units.

V. Disclosure of allegedly stolen allowances

- Should the disclosure of the serial numbers of allegedly stolen allowances be permitted or
should such disclosure be ruled out?

IETA has identified risks and benefits to the disclosure of allegedly stolen allowances:

Benefits
The list is needed for good internal risk management. In the current situation of multiple lists
published by different market players, judiciary authorities might consider that anyone ought to
know and refrain from trading the allowances appearing on publicly accessible lists, but there is
no single central access point and the lists are clearly incomplete as one registry has not
published serial numbers. With a single centrally available list at hand, companies could isolate
allowances on separate account and trade remaining units of the block. This would tackle
liability issue and minimize revenue risks. Companies could build a reference to the list into
delivery contracts and accept to make good if such an allowance should be delivered. A
reference list would also enhance confidence in the filtering by exchanges. Several incomplete
lists are now circulating and used by market participants. Hence, a central would enhance
confidence and market liquidity.

Risks
A centrally published list creates problems for the good functioning of the market, leading to an
effective halt of transactions as liability risks are perceived to sharply increase. It does not help
to know the serial numbers of allegedly stolen allowances as companies cannot react to this
information. Companies can return stolen allowances to sender, but only under tedious
procedures: they must open a new account to isolate the units if these are part of a block.
9
Publication would undermine trust in the market and give a sense of false security. Finally, the
Commission has clarified in its Q&A that any allowance is good for compliance, publication of
such a list would go against this principle. But as outlined above, in some jurisdictions the
surrender of allegedly stolen allowances for compliance purposes carries legal risks.

IETA therefore invites the Commission and Member States to carefully assess both risks and
benefits to the publication of a centralized list. If a central list is published, this should be for a
limited time of for instance 6 months and/or until any new system (including freezing
mechanism, monitoring measures and compensatory procedures) are established.

- If it was allowed, who should be entitled to disclose serial numbers?

National registries should be required:
- as soon as reported to any national registry operator, to notify a theft and the
serial numbers to all market participants. Through rss feed or equivalent
systems (+ dedicated newswires?) plus by e-mail to account holders in EU
national registries (automated cascading between the initial national registry
and the other EU registries).
- to publish a list of allegedly stolen allowances and to update this list on a daily
basis.

The CITL website should include notice of a fresh theft as soon as an alert is sent by a national
registry operator to be refreshed every day at noon.

This is also in line with good practices for market-relevant information, which should be made
available in a centralized and transparent manner and in a comprehensive format accessible to
all market participants to avoid market distortions.

- Under which conditions should serial numbers be disclosed?

The list could contain a disclaimer that notifies users that the list is neither to pre-judge ongoing
criminal investigations assessing if the allowances listed have actually been stolen, nor is the list
guaranteed to be exhaustive. The criteria used for adding EUAs to this list should be clearly set
out and could require submission of a police report.

- Who should assume the legal responsibility for the correctness of the information
The fraud victim is to take full responsibility for false/ erroneous claim of stolen EUA (limited to
market price at time of call for blockage, with no consequential losses) or if they do not produce
the required national police report within 48 hours. Registries will have the legal responsibility if
they fail to inform the CITL of a newly reported theft within 1 hour. The CITL will be responsible
for updating its central list within 1 hour of being informed by a registry operator.

Such a central list will make it more difficult for fraudsters to monetize allowances. In the
absence of such steps, market participants will be exposed to significant and continuing
uncertainty when acquiring EUAs on the spot and forward/futures markets.

10
ANNEX 1 Fee structure in EU registries
Source: CITL website and information provided by IETA members
OHA = operator holding accounts, PHA = personal holding accounts

Registry Fee info

Austria ?
Belgium PHA : 497euro/acc/y
Bulgaria ?
Cyprus ?
Cyprus CPO ?
Czech Republic ?
Denmark 600DKK per year and for opening, 0,26DKK per allocated allowance
Estonia no fee for account opening
EC ?
Finland 75euro/account period, 100-5200euro/acc/year
OHA: opening 500euro, 300euro/acc/y, 0.0095 euro/EUA allocated;
France PHA: opening 1500 euro; 2500 euro/acc/y
Germany ?
Greece ?
Hungary 35000ft/ev
Ireland ?
Italy no fees, but intention informally communicated to introduce some fees
Latvia ?
Liechtenstein ?
Lithuania ?
Luxembourg ?
Malta ?
Malta CPO ?
Netherlands ?
Norway ?
Poland ?
Opening and maintenance of personal holding accounts: 125 euros, opening and
Portugal
maintenance of operator holding accounts: 800 euros
Romania ?
Slovakia ?
Slovenia ?
Spain 100 euros - 0,0045 euros by assigned rights up to 12000 euros
Sweden ?
United Kingdom PHA: opening £190, 55 for new users

11
ANNEX 2

FATF recommendations on customer due diligence and record-keeping:

http://www.fatf-
gafi.org/document/28/0,3746,en_32250379_32236920_33658140_1_1_1_1,00.html
Recommendations 5, 6, 7, 8, 9, 10, 11, 12

Counterparty approval (Know-Your-Customer procedures) in a non-MiFID regulated entity

EXAMPLE 1

The process identifies and assesses the risks associated with a counterparty. The counterparty is
then assigned a risk rating (Low, Medium or High). The process is based on a ‘Balance of Risk’.
Each counterparty is assessed on the following basis:

Risk Assessment Areas Risk Assessment Parameters

1) Country of incorporation and/or trading
2) Counterparty Legal Form
3) Counterparty ownership
4) Counterparty organisation/control
5) Regulated and Market Status
6) Proposed contract type
7) Expected pattern/regularity of trading
8) Fit of proposed contract with
counterparty’s business
EU / EEA / FATF / Corruption Rating
Individual, Company, Gov’t Dep’t, Charity
investor or state owned, private or listed
Level of complexity and appropriateness
Regulated / Market Exchange member
Physical/financial, standard/bespoke
Ongoing / regular / irregular / one-off
core product / by product / no obvious link

The matrix is not definitive, there are certain special risk indicators that also need to be
considered:

 Entry on International Sanction List

 Significant Legal or Regulatory Action
 Crime/Corruption Concerns – especially VAT Fraud
 Higher Risk Countries – Countries with known corruption problems
 Bearer Shares - Unclear ownership/control
 Etc.

High Risk counterparties are only approved in exceptional cases (unavoidable counterparty) and
subject to regular review and involvement of: Trading Desk, Credit, Regulation and Settlement.
Contracts may include additional risk mitigation clauses that allow: suspension of trading or
termination of contract. Additional trading limits and/or guidance may be put in place.

12
EXAMPLE 2:

Request to provide:

 Certificate of Incorporation or equivalent

 Memorandum and Articles of Association or equivalent
 Full style of the Company with contact details (name, function, address, phone, fax, email,
etc.) and bank account details
 Confirmation of VAT registration
 List of ultimate shareholders/beneficiaries
 At least one (prefer two) Bank references from a reputable First Class Bank/Financial
Institution acceptable to the company
 At least one (prefer two) trade references from established market participants
 Last audited financial statements

In addition to that the identity of primary and secondary account holders should be established
(unless this is already undertaken for the opening of an account with the registry, required as of
1 January 2012 in the currently applicable registry regulation).

13