With the delayed go-live date for the EU’s SFTR regulation less than a month away, the pressure is once again on as firms scramble to get ready for their new regulatory reporting requirements, pushed back from April 2020 due to coronavirus. And while most firms should be well into the testing phase by now, there are some concerns around grey areas – particularly around reference data and third party licensing – which could leave firms liable to repercussions down the line.
One of the key issues is the question of Legal Entity Identifiers (LEIs), which was mandatory under Article 4 of the original regulation. “The correct, consistent and universal reporting of LEI codes is paramount to ensure the efficiency and usefulness of reported information on SFTs. This also enables the achievement of the transparency objectives pursued by SFTR which underpin the monitoring of systemic risks to financial stability and the market surveillance,” insisted ESMA in January 2020. “The LEI code is needed for authorities to monitor the SFTs entered into by supervised entities and the consequent risk exposure. Transaction reports lacking a LEI or containing an incorrect one would likely cause inconsistencies or other data quality issues, which would in turn impede or hinder the attainment of these goals.”
Although the signification variation in LEI coverage between EU (88%) and non-EU countries (30%) led to a 12-month grace period for third-party issuers to obtain LEI codes, the pressure remains. “It’s a tough timeframe, but the regulator wants to see that firms are making the effort to become compliant, even if they aren’t there straight away,” notes Heiko Stuber, Senior Product Manager at SIX Financial Information, speaking to RegTech Insight. “There may be inconsistencies to start with, but you have to be able to show that you are taking it seriously.”
While many of the key SFTR requirements are already sorted, there are still some areas that need to be ironed out, specifically the approval from data sources. One central issue is getting approval from ratings agencies on security and collateral quality data, and the main index providers on security and collateral type data.
“If reporting entities in scope of the regulation are using data from indices or ratings agencies for reporting purposes without their approval, there will be difficulties ahead,” warns Stuber. “We have been in communication with the ratings agencies and the main index providers and have received their approval for deriving their data to be used in the SFTR reporting process. It is crucial right now for market participants pulled into the regulation to make sure that they are compliant in all aspects of the rules, including with rating agencies and the main index providers, before running tests to make sure they are all set for July 13th.”
The primary issue in this context is derived data. Reporting entities tend to veer towards a build or buy solution – and in some cases, may even already have the data, but find it cheaper to obtain it in processed form from a data vendor. “Before you can provide a service to the market, you must make sure that you are compliant with derived data terms and the conditions of your data sources,” stresses Stuber. “This includes security type, which is absolutely fundamental. You will probably need additional parameters to detect the main index, then you will need to look through its constituents to determine the security type. This is derived data, because you don’t have to provide the main index itself, but you still need approval from the main index provider.”
This condition also applies to security quality, which is mainly based on authorised or recognised ratings from authorised rating agencies. And yet many firms have not even begun to consider the implications of these requirements – not necessarily because they aren’t aware of them, but because the workload involved in preparing for the deadline is so large and the process for obtaining the data is so complex.
But the consequences can be severe – and top of the pile are the swingeing fines that can be imposed by service/data providers if they initiate external audits and discover areas of non-compliance.
“If you are using data you are not supposed to be using, you could get into real trouble,” warns Stuber. “In preparation for next month’s go-live, firms should be checking all of their external data sources, double checking the terms and conditions in the contract, and then testing, testing, testing. There are only weeks and days remaining, and not everyone is ready.”