KOR operates a shared controls model: a collaborative approach in which the client and KOR's platform jointly manage and implement security and compliance controls. Under this model, both parties share responsibility for the security, compliance, and risk management aspects of the regulatory reporting solution.
KOR Responsibilities
Maintaining a secure and compliant regulatory reporting system is a top priority for KOR. Here are the steps we take to ensure the security and compliance of our platform.
- Access Control: Implement stringent access control mechanisms to authenticate users and restrict unauthorized access to the system. This includes multi-factor authentication, role-based access controls, and session management.
- Data Backup and Recovery: Maintain backups of client data stored within the system to prevent data loss in the event of system failures or disasters. Implement robust data recovery processes to restore data quickly and minimize downtime.
- Security Monitoring: Utilize continuous security monitoring tools and techniques to detect and mitigate potential security threats or vulnerabilities within the system. This includes intrusion detection systems, log monitoring, and threat intelligence feeds.
- Compliance Management: Ensure that the system complies with relevant regulatory requirements and industry standards. Implement controls and procedures to facilitate compliance audits and certifications.
- Secure Software Development: Adhere to secure coding practices and conduct regular security assessments and code reviews to identify and remediate software vulnerabilities. This helps prevent security flaws from being introduced into the system during development.
- Incident Response: Establish an incident response plan to effectively manage and respond to security incidents or data breaches. This includes procedures for incident detection, containment, eradication, and recovery, as well as communication with affected parties.
- Data Encryption: Employ robust encryption protocols to safeguard sensitive data transmitted between the client's devices and the system's servers, ensuring data confidentiality and integrity.
- Data Invalidation: KOR has established systems and user access restrictions reasonably designed to prevent any provision of valid data from being invalidated or modified through its verification or recording process. Every action taken by an internal or external user in a KOR system is recorded in an audit log. For external users to have permission to submit and update data, their Administrative User must first grant them a role that allows for the submission of data. Internal KOR user roles do not allow for the modification of data without the explicit written approval of the CCO and/or CEO; such permissions are limited in time and scope and are fully documented.
- Maintain Security Audits: KOR diligently upholds its commitment to security through regular audits conducted in accordance with industry-leading standards. These audits include SOC 2 Type 2 and ISO 27001 assessments, which rigorously evaluate our systems, processes, and controls to ensure the highest levels of security and compliance are maintained. By adhering to these stringent audit protocols, KOR demonstrates its unwavering dedication to safeguarding client data and maintaining the integrity of our services.
- Client Communication: KOR places a premium on transparent and proactive communication with our clients. We pledge to keep our clients informed about any planned upgrades, system enhancements, or maintenance activities that may impact their user experience. Additionally, in the event of unforeseen outages or security incidents, KOR is committed to promptly notifying affected clients and providing timely updates and resolutions. By fostering open channels of communication, we aim to cultivate trust with our clients, ensuring their needs and concerns are addressed with the utmost priority and transparency.
- Regulatory Expertise: We maintain a team of regulatory experts who continuously monitor changes in regulatory requirements worldwide. This ensures that our platform remains up-to-date and compliant with evolving regulations.
Client Responsibilities
While KOR provides robust assistance with regulatory reporting, clients must establish additional procedures to monitor their compliance effectively. Below are recommended controls clients should have in place, along with how KOR assists, followed by additional measures clients should consider.
- Eligibility: By conducting comprehensive eligibility checks and implementing robust controls, market participants can mitigate the risk of over- or under-reporting when submitting trade data to trade repositories.
- KOR offers integration with Droit’s Adept Platform to enhance eligibility checks for comprehensive trade reporting. Through this integration, clients can leverage Droit’s advanced capabilities to ensure accurate and compliant reporting of trade data.
- KOR/Droit Offering:
- Counterparty Identification: Verify if the trade is applicable by jurisdiction based on counterparty attributes.
- Product Classification: Confirm that the reported trade matches the eligible products specified by regulatory authorities. This includes verifying the product type, asset class, and specific instrument characteristics against regulatory guidelines.
- Message Type Verification: It is important that the Client’s designation per jurisdiction and the applicable jurisdiction regulations are accounted for so that all public, transaction, valuation, and collateral messages are either submitted or suppressed.
- Client duties to ensure eligibility checks are properly run:
- Client Onboarding Procedures: KOR recommends Clients put in place robust counterparty onboarding procedures to capture and submit all fields necessary for determining trade eligibility. Counterparty onboarding procedures should involve a thorough assessment of the reporting requirements mandated by regulatory authorities. This includes identifying the essential identification fields necessary for reporting, such as Legal Entity Identifiers (LEIs), and specific details by relevant jurisdiction.
- Product Onboarding Procedures: Product onboarding procedures should include a thorough review of the reporting requirements for each product or instrument traded by the client. This involves identifying the specific data attributes required for trade reporting, such as product type, asset class, maturity date, currency, and any additional regulatory-specific fields.
Clients should verify that their internal systems are configured to capture and store all required reporting attributes accurately. This may involve customization or configuration changes to ensure alignment with regulatory reporting requirements.
By implementing robust product onboarding procedures, clients can streamline the process of configuring their internal systems for trade reporting and ensure compliance with regulatory mandates. This proactive approach helps mitigate the risk of reporting errors or omissions and facilitates seamless integration with external reporting platforms or service providers.
- Validation Checks: Implement validation checks to ensure that reported data adheres to regulatory requirements and formatting standards. These checks can help identify errors or inconsistencies before submission to the trade repository (TR).
- Field-Level Validations: KOR offers field-level validations that adhere to published regulatory requirements. These validations ensure that each message submitted meets the regulatory standards set forth by governing bodies. In instances where a message does not meet these standards, KOR rejects the submission and provides detailed feedback to the client in real-time.
- Client Monitoring and Maintenance: Clients are responsible for monitoring rejections and issues related to their submissions. It is crucial for clients to establish processes to track and address these rejections promptly. To maintain clarity and effectiveness in managing outstanding issues and rejections, clients should adopt a standard practice of keeping the Issues and Rejections UI/Reports clear.
- Resubmission or Status Update: Clients must take corrective action when faced with rejected messages. This can include re-submitting a corrected message or updating the status of the rejected message to "ignored" if it is determined that the submission should not have been made. By implementing these measures, clients can ensure that their reporting remains accurate, compliant, and free from unresolved issues or rejections.
- Correct Sequencing of Lifecycle Events: KOR has implemented the concept of "Parked" messages to address situations where a new event is reported for a trade while the previous event has been rejected and remains unresolved. This feature ensures that messages are reported in the correct chronological order to the Trade Repository.
When a previous event for a trade has been rejected and not yet resolved, any subsequent events related to that trade are temporarily parked until the rejection issue is addressed. This prevents out-of-sequence reporting and helps maintain the integrity and accuracy of trade data submitted to the Trade Repository.
By introducing the "Parked" messages functionality, KOR enables clients to manage rejected events more effectively and ensures that subsequent events are reported in the correct sequence. This proactive approach minimizes reporting errors, reduces regulatory compliance risks, and enhances the overall reliability of trade reporting processes.
- Duplicate Trade Detection: KOR has implemented mechanisms to detect and prevent the submission of duplicate trade reports to the trade repository. Duplicate reports constitute over-reporting and as such should not be sent to the Trade Repository.
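The rejection, resubmission, "Parked" message and duplicate detection behaviour described in the preceding items can be modelled as a small state machine. The following is an added example written for this page, not KOR's code: the field names, the state names, the ack/nack feedback shape and the LEI rule (20 alphanumeric characters, ISO 17442 check digits omitted) are assumptions made for the illustration. It shows why parking matters: a later lifecycle event on a trade whose earlier event sits rejected is held back, and only released, in arrival order, once the client resubmits a corrected message or marks the rejected one "ignored".

```python
"""Toy model of the submission flow: field-level validation, duplicate
detection, and "parked" events that wait behind an unresolved rejection so the
Trade Repository receives lifecycle events in chronological order.
Added example, not KOR code; names, states and the LEI rule are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

REQUIRED_FIELDS = ("trade_id", "event_id", "action", "lei")


@dataclass
class Event:
    trade_id: str
    event_id: str
    action: str                # e.g. "NEW", "MODIFY", "TERMINATE"
    lei: Optional[str] = None  # reporting counterparty LEI


@dataclass
class Pipeline:
    status: dict = field(default_factory=dict)      # event_id -> state
    parked: dict = field(default_factory=dict)      # trade_id -> [Event] awaiting release
    blocked: dict = field(default_factory=dict)     # trade_id -> unresolved rejected event_id
    sent_to_tr: list = field(default_factory=list)  # event_ids forwarded, in order
    feedback: list = field(default_factory=list)    # (event_id, "ack"/"nack", reason)

    def validate(self, ev: Event) -> Optional[str]:
        """Field-level check; returns a rejection reason or None if the event passes.
        Assumption: LEI must be 20 alphanumeric characters (check digits not verified)."""
        missing = [f for f in REQUIRED_FIELDS if not getattr(ev, f)]
        if missing:
            return "missing fields: " + ",".join(missing)
        if len(ev.lei) != 20 or not ev.lei.isalnum():
            return "invalid LEI"
        return None

    def submit(self, ev: Event) -> str:
        # Duplicate detection: an event id already seen would be over-reporting.
        if ev.event_id in self.status:
            self.feedback.append((ev.event_id, "nack", "duplicate"))
            return "duplicate"
        # Sequencing: while an earlier event on this trade is rejected and
        # unresolved, later events are parked rather than sent out of order.
        if ev.trade_id in self.blocked:
            self.parked.setdefault(ev.trade_id, []).append(ev)
            self.status[ev.event_id] = "parked"
            self.feedback.append((ev.event_id, "ack", "parked"))
            return "parked"
        reason = self.validate(ev)
        if reason:
            self.status[ev.event_id] = "rejected"
            self.blocked[ev.trade_id] = ev.event_id
            self.feedback.append((ev.event_id, "nack", reason))
            return "rejected"
        self.status[ev.event_id] = "accepted"
        self.sent_to_tr.append(ev.event_id)
        self.feedback.append((ev.event_id, "ack", "accepted"))
        return "accepted"

    def resolve(self, trade_id: str, corrected: Optional[Event] = None) -> list:
        """Client action on a rejection: resubmit a corrected event, or (corrected=None)
        mark the rejected event 'ignored'. Parked events are then released in arrival
        order; returns [(event_id, resulting state), ...]."""
        rejected_id = self.blocked.pop(trade_id, None)
        if rejected_id is None:
            return []
        if corrected is None:
            self.status[rejected_id] = "ignored"
        else:
            reason = self.validate(corrected)
            if reason:  # still invalid: keep the trade blocked and the queue parked
                self.blocked[trade_id] = rejected_id
                self.feedback.append((corrected.event_id, "nack", reason))
                return []
            self.status[rejected_id] = "accepted"
            self.sent_to_tr.append(rejected_id)
        released = []
        for ev in self.parked.pop(trade_id, []):
            del self.status[ev.event_id]  # re-run through submit so it is validated too
            released.append((ev.event_id, self.submit(ev)))
        return released
```

Releasing parked events back through `submit` rather than forwarding them directly is deliberate: a parked event can itself fail validation, in which case it becomes the new blocking rejection and anything behind it stays parked.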
- Timeliness Monitoring: Monitor and enforce deadlines for reporting trades to the TR to ensure compliance with regulatory reporting requirements. Implement processes to identify and address any delays in reporting promptly.
- Timeliness Calculation and Reporting: KOR calculates the timeliness of every message submitted and provides this information to users via the user interface (UI) and on all trade detail reports. This enables clients to track the timeliness of their submissions and take corrective actions as needed.
- Dashboard Overview: KOR offers a comprehensive dashboard that displays a high-level overview of the timeliness of submissions over time. This dashboard provides clients with insights into their reporting performance and allows them to identify trends and areas for improvement.
- Timeliness Deadlines on Rejected Messages: KOR provides timeliness deadlines on rejected messages, enabling clients' operations teams to prioritize addressing messages that are nearing lateness or are already late. This proactive approach helps mitigate the risk of late reporting and ensures timely resolution of issues.
- Reporting on Late Submissions: KOR generates reports on transactions that have been submitted late, allowing clients to identify instances of late reporting and take corrective actions. We recommend that clients' compliance teams download and review these reports regularly to ensure timely reporting and compliance with regulatory requirements.
- Monitoring submission feedback: Monitoring submission feedback is crucial for clients to ensure the accuracy and integrity of their data within the KOR system. KOR facilitates this by providing instant API feedback on all API messages submitted, promptly indicating whether an acknowledgment (ack) or non-acknowledgment (nack) has been received.
- See the "Ingestion Controls" page.
Clients should establish processes to monitor their feeds into the KOR system and promptly address any nacks received. Nacks indicate that there was an issue with the submitted message, such as invalid data or missing required fields. It is essential for clients' operations and technical teams to promptly investigate and resolve these issues to maintain data accuracy and compliance with regulatory requirements.
By actively monitoring submission feedback and promptly addressing nacks, clients can ensure the reliability and integrity of their data within the KOR system, minimize reporting errors, and mitigate regulatory compliance risks.
- Reconciliation: KOR offers reconciliation services to Clients. Implementing reconciliation practices between their internal systems and the trade repository they report to is crucial for market participants for several reasons.
- Data Accuracy Assurance: Reconciliation helps ensure that the data reported to the trade repository matches the data stored in the participant's internal systems. Any discrepancies identified during reconciliation can be investigated and corrected promptly, enhancing the accuracy and integrity of reported trade data.
- Compliance Verification: Regulatory authorities often require market participants to submit accurate and complete trade data to trade repositories within specified deadlines. Reconciliation allows participants to verify compliance with regulatory reporting requirements by confirming that all required trades have been reported accurately and on time.
- Risk Management: Reconciliation helps market participants identify and mitigate operational risks associated with trade reporting, such as data entry errors, missing or duplicate submissions, and inconsistencies between internal systems and the trade repository. By reconciling trade data regularly, participants can proactively manage these risks and maintain data integrity.
- Dispute Resolution: In cases where discrepancies arise between the data reported to the trade repository and the participant's internal records, reconciliation practices provide a basis for resolving disputes and discrepancies efficiently. This can help prevent regulatory penalties, fines, or reputational damage resulting from inaccurate or incomplete trade reporting.
- Operational Efficiency: Implementing automated reconciliation processes streamlines the trade reporting workflow, reducing manual effort and improving operational efficiency. By automating data comparison and validation tasks, participants can identify and resolve discrepancies more quickly, enabling them to focus on value-added activities.
Clients should establish reconciliation frequencies based on their individual compliance needs and the nature of their trading activities. Reconciliation ensures that the data compiled into KOR for reporting accurately reflects the transactions captured by their trade capture systems. It is essential that data flowing into KOR undergoes minimal manipulation before submission to maintain data integrity and accuracy.
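The reconciliation described above (matching the trade-capture view against what was reported, and surfacing missing, duplicate and inconsistent submissions) reduces to a three-way comparison keyed on the trade identifier. The code below is an added example, not a KOR reconciliation service or API: the `uti` key, the compared fields and the sample trades are constructed for the illustration. It also shows why the page's advice to keep manipulation minimal matters: values are canonicalized only as far as needed so that pure formatting differences (`"1000000.00"` vs `"1000000"`, `"usd"` vs `"USD"`) are not reported as breaks.

```python
"""Reconcile a client's trade-capture records against the Trade Repository
view. Finds under-reporting, over-reporting, duplicate submissions and field
mismatches. Added example, not KOR code; field names and data are constructed."""
from collections import Counter
from decimal import Decimal, InvalidOperation

COMPARE_FIELDS = ("notional", "currency", "maturity")


def normalize(value, fld):
    """Canonicalize before comparing so formatting alone is not flagged."""
    if value is None:
        return None
    if fld == "notional":
        try:
            return Decimal(str(value)).normalize()
        except InvalidOperation:
            return str(value)
    return str(value).strip().upper()


def reconcile(internal, reported, fields=COMPARE_FIELDS):
    """Compare two lists of dicts keyed by 'uti'. Empty lists mean both sides agree."""
    internal_by_id = {t["uti"]: t for t in internal}
    counts = Counter(t["uti"] for t in reported)
    reported_by_id = {t["uti"]: t for t in reported}
    missing = sorted(set(internal_by_id) - set(reported_by_id))        # under-reported
    over_reported = sorted(set(reported_by_id) - set(internal_by_id))  # no internal record
    duplicates = sorted(u for u, n in counts.items() if n > 1)         # sent more than once
    mismatched = []
    for uti in sorted(set(internal_by_id) & set(reported_by_id)):
        a, b = internal_by_id[uti], reported_by_id[uti]
        diffs = {f: (a.get(f), b.get(f)) for f in fields
                 if normalize(a.get(f), f) != normalize(b.get(f), f)}
        if diffs:
            mismatched.append((uti, diffs))
    return {"missing": missing, "over_reported": over_reported,
            "duplicates": duplicates, "mismatched": mismatched}


# Constructed sample data: the client's trade-capture view and the TR view.
INTERNAL = [
    {"uti": "UTI-001", "notional": "1000000.00", "currency": "USD", "maturity": "2027-03-31"},
    {"uti": "UTI-002", "notional": "250000", "currency": "EUR", "maturity": "2026-12-15"},
    {"uti": "UTI-003", "notional": "75000", "currency": "GBP", "maturity": "2028-06-30"},
]
REPORTED = [
    {"uti": "UTI-001", "notional": "1000000", "currency": "usd", "maturity": "2027-03-31"},
    {"uti": "UTI-002", "notional": "250000", "currency": "EUR", "maturity": "2026-12-16"},
    {"uti": "UTI-002", "notional": "250000", "currency": "EUR", "maturity": "2026-12-16"},
    {"uti": "UTI-004", "notional": "10000", "currency": "JPY", "maturity": "2026-01-01"},
]

if __name__ == "__main__":
    for kind, items in reconcile(INTERNAL, REPORTED).items():
        print(kind, items)
```

Run against the sample data, UTI-003 is flagged as missing (under-reporting), UTI-004 as over-reported, UTI-002 as both duplicated and mismatched on maturity, while UTI-001 reconciles cleanly despite the differently formatted notional and currency.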
- Documentation and Recordkeeping: Maintain comprehensive documentation of all reported trades, including relevant trade details, timestamps, and any modifications or corrections made after initial submission. This documentation should be readily accessible for audit purposes.
- KOR maintains a comprehensive audit log history of all submissions into the KOR system in accordance with the KOR Data Retention table.
The audit log captures detailed information about each submission, including the date and time of submission, the identity of the user or system submitting the data, the specific data elements submitted, and any relevant metadata associated with the submission.
This audit trail provides a complete record of all activities within the KOR system, enabling users to track the lifecycle of submitted data, identify any changes or modifications made to the data over time, and facilitate compliance with regulatory requirements.
By maintaining a full audit log history of submissions, KOR ensures transparency, accountability, and data integrity within the system, thereby enhancing trust and confidence among users and stakeholders.
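An audit record of the kind described here (timestamp, actor, action, data touched, metadata) is only as trustworthy as its resistance to after-the-fact editing. The block below is an added example, not KOR's audit log implementation: it shows one common way to make such a log append-only and tamper-evident, by hash-chaining each entry to its predecessor so that any altered or removed record breaks verification. The chaining, the role names and the permission sets are assumptions made for the illustration and are not stated on this page. Every permission check, permitted or denied, is written to the same log, which is what lets the denied attempts surface later in the access reports discussed under Access Monitoring.

```python
"""Append-only, hash-chained audit log with role checks recorded on every
attempt. Added example, not KOR code; roles, permissions and the chaining
scheme are assumptions for the illustration."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

# Assumed role model: external roles may be granted submit/update rights by
# their administrator; the internal support role is read-only (no data changes).
ROLE_PERMISSIONS = {
    "client_admin": {"grant_role", "submit", "update"},
    "client_submitter": {"submit", "update"},
    "client_viewer": set(),
    "kor_support": set(),
}


def _digest(record: dict) -> str:
    """Canonical JSON of the record (minus its own hash) -> SHA-256 hex."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    def __init__(self):
        self.records = []

    def append(self, actor, role, action, target, outcome, detail=None) -> dict:
        """Add one record; 'prev' links it to the hash of the record before it."""
        rec = {
            "seq": len(self.records),
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "action": action,
            "target": target,
            "outcome": outcome,
            "detail": detail or {},
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        rec["hash"] = _digest(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> int:
        """Walk the chain; return -1 if intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _digest(rec):
                return i
            prev = rec["hash"]
        return -1


def authorize(log: AuditLog, actor, role, action, target) -> bool:
    """Role check; the attempt is logged whether it is permitted or denied."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append(actor, role, action, target, "permitted" if allowed else "denied")
    return allowed


def denied_attempts(log: AuditLog) -> list:
    """The view an access review wants: who tried what they were not allowed to do."""
    return [(r["actor"], r["role"], r["action"], r["target"])
            for r in log.records if r["outcome"] == "denied"]
```

`verify()` returns the index of the first record whose content, sequence number or back-link no longer matches, so a reviewer can tell not just that the log was altered but where; storing the latest hash somewhere the log writer cannot reach (a separate system or a periodic external attestation) is what turns tamper-evidence into tamper-resistance.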
- Staff Involvement: It is crucial that the right personnel from the client's organization are actively involved in reviewing and monitoring both the setup of KOR configurations and the ongoing day-to-day operations.
- Configuration Setup Review: The initial setup of KOR configurations is foundational to the accuracy and effectiveness of regulatory reporting. Having the right personnel involved ensures that configurations align with the client's specific reporting requirements, regulatory obligations, and internal processes. This review process helps identify any discrepancies or gaps early on and allows for adjustments to be made before reporting begins.
- Ongoing Operations Monitoring: Regulatory reporting is a dynamic process that requires continuous monitoring to ensure data accuracy, timeliness, and compliance. The right personnel should be responsible for overseeing day-to-day operations, including data submissions, error resolution, reconciliation, and compliance with regulatory deadlines. This ongoing monitoring helps identify and address issues promptly, minimizing the risk of reporting errors and regulatory non-compliance.
- Subject Matter Expertise: The personnel responsible for reviewing configurations and monitoring operations should possess adequate subject matter expertise in regulatory reporting requirements, financial instruments, trading activities, and relevant technology platforms. This expertise enables them to make informed decisions, troubleshoot issues effectively, and ensure compliance with regulatory standards.
- Cross-Functional Collaboration: Regulatory reporting often involves multiple stakeholders across different departments within the client's organization, including compliance, operations, IT, and legal. Having the right personnel involved ensures effective communication and collaboration among these stakeholders, facilitating the implementation of best practices and the resolution of complex issues.
- Staff Training and Awareness: Provide training and guidance to staff responsible for trade reporting to ensure they understand their obligations and can accurately report trades to the TR. Foster awareness of regulatory requirements and updates among relevant personnel.
- KOR provides a Knowledge Base that serves as a centralized repository of information, continually updated with client inquiries and industry best practices.
This Knowledge Base is a valuable resource for clients, offering access to a comprehensive collection of frequently asked questions, troubleshooting guides, instructional articles, and industry insights. It covers a wide range of topics related to KOR's services, functionalities, and regulatory requirements, empowering clients with the information they need to effectively navigate and utilize the KOR platform.
The Knowledge Base is regularly updated to reflect the latest developments, client inquiries, and industry trends. It is curated by a dedicated team of experts who ensure that the content remains accurate, relevant, and up-to-date.
By providing a robust Knowledge Base, KOR enables clients to find answers to their questions quickly, troubleshoot issues independently, and stay informed about industry best practices. This proactive approach enhances client satisfaction, reduces support requests, and fosters a collaborative partnership between KOR and its clients.
- Quality Assurance Processes: Implement quality assurance processes to periodically review reported data for accuracy, completeness, and compliance with regulatory requirements. Address any issues identified through these reviews promptly.
- UAT Environment for Production Code Testing: KOR facilitates a User Acceptance Testing (UAT) environment where clients can thoroughly test the current production code. This environment is invaluable for clients making changes to their internal systems, allowing them to validate any modifications before deployment into the production environment. By providing a dedicated UAT environment, KOR ensures that clients have the necessary infrastructure to conduct comprehensive testing, reducing the risk of errors or disruptions when implementing changes.
- UAT Environment for New Releases and Regulatory Changes: Additionally, KOR offers a UAT environment specifically tailored for testing new releases and validations related to regulatory changes. This environment enables clients to evaluate the impact of upcoming regulatory requirements and ensure compliance before deploying changes into production. It is imperative that clients establish procedures to complete testing in advance of regulatory changes, leveraging the UAT environment provided by KOR to validate system readiness and address any issues proactively.
By providing dedicated UAT environments for both production code testing and regulatory change validation, KOR empowers clients to mitigate risks, maintain compliance, and ensure the seamless integration of system changes into their operational environment.
- Controls and Oversight: Clients should implement robust internal controls and oversight mechanisms to monitor trade reporting activities effectively. This includes conducting periodic reviews by compliance or internal audit functions to identify any potential compliance issues or risks. These reviews help ensure that reporting processes are conducted in accordance with regulatory requirements and internal policies, mitigating the risk of non-compliance and regulatory sanctions.
- Reports: KOR offers a comprehensive set of reports that can be configured to meet the specific needs of each client. These reports are accessible to all users after a report template has been created, and clients can access prior report history for reference. Clients have the flexibility to download these reports from the user interface or set up automated API runs, facilitating efficient data retrieval and analysis.
- Dashboard: KOR provides dashboard overviews that offer insights into overall submission performance, accuracy, and timeliness of trade reporting. These dashboards are valuable tools for managers and compliance teams to monitor day-to-day compliance with reporting obligations. However, clients should establish procedures to define the frequency of dashboard review to ensure timely identification of any issues or trends requiring attention.
- Access Monitoring: Access monitoring is a critical component of ensuring the security and integrity of the regulatory reporting process. Here's how KOR facilitates access monitoring for clients and the importance of implementing procedures around it:
- User Access Management: KOR provides clients with the capability to manage user access to the platform, allowing them to assign different levels of access based on roles and responsibilities within the organization. This ensures that only authorized personnel have access to sensitive regulatory reporting data.
- Access Control Procedures: Clients should establish procedures for adding, removing, and adjusting user access levels as needed. These procedures should include protocols for requesting access, approving access requests, and periodically reviewing and updating access levels to align with changes in personnel roles or organizational requirements.
- Audit Trails and Reports: KOR offers audit trails and reports that allow clients to track user access activities and review access levels. These reports provide transparency and accountability, enabling clients to monitor user activity, identify unauthorized access attempts, and ensure compliance with internal policies and regulatory requirements.
- Regular Access Reviews: Clients should conduct regular reviews of user access levels as part of their audit procedures. This helps ensure that access privileges are appropriate and aligned with job responsibilities, minimizing the risk of unauthorized access and data breaches.