EL COMITÉ EJECUTIVO DEL BANCO CENTRAL EUROPEO,
Visto el Tratado de Funcionamiento de la Unión Europea, y en particular su artículo 127, apartado 2, guiones primero y cuarto,
Vistos los Estatutos del Sistema Europeo de Bancos Centrales y del Banco Central Europeo, y en particular sus artículos 11.6, 17, 22 y 23,
Considerando lo siguiente:
(1) |
El 20 de julio de 2021, el Consejo de Gobierno modificó (1) la Orientación BCE/2012/27 del Banco Central Europeo (2), con el fin de: a) aclarar que los titulares de cuentas dedicadas de efectivo de TIPS y los titulares de cuentas dedicadas de efectivo de T2S estarán conectados a TARGET2 a través del Portal Único de Infraestructuras de Mercado del Eurosistema a partir de noviembre de 2021 y junio de 2022, respectivamente; b) aclarar y ampliar las normas sobre el cumplimiento de los requisitos de seguridad de punto final de TARGET2, con el fin de garantizar que TARGET2 siga evolucionando para hacer frente a las amenazas a la ciberseguridad; c) imponer a los titulares de cuentas del módulo de pagos, sus participantes indirectos y los titulares de BIC accesibles que se hayan adherido al Esquema de transferencia SEPA inmediata mediante la firma del acuerdo de adhesión correspondiente deben ser y permanecer constantemente accesibles en la plataforma de TIPS a través de una cuenta dedicada de efectivo de TIPS, para garantizar que los pagos inmediatos estén disponibles en toda la Unión; d) establecer transparencia en las modalidades de transferencia de saldos de las cuentas de los participantes en TARGET2 a las correspondientes cuentas sucesoras del futuro sistema TARGET, a fin de garantizar la seguridad jurídica, y e) aclarar y actualizar otros aspectos concretos de la Orientación BCE/2012/27. |
(2) |
Una vez operativo el proyecto de consolidación de T2-T2S, también será necesario garantizar la transparencia de las modalidades de transferencia de saldos de las cuentas de los participantes en TARGET2-ECB a las correspondientes cuentas sucesoras, a fin de garantizar la seguridad jurídica. |
(3) |
Las modificaciones realizadas a la Orientación BCE/2012/27 que afecten a las condiciones de TARGET2-ECB deben reflejarse en la Decisión BCE/2007/7 del Banco Central Europeo (3). |
(4) |
Debe modificarse en consecuencia la Decisión BCE/2007/7. |
HA ADOPTADO LA PRESENTE DECISIÓN:
Modificaciones
Los anexos I, II y III de la Decisión BCE/2007/7 se modifican con arreglo a los anexos de la presente Decisión.
La presente Decisión entrará en vigor el quinto día siguiente al de su publicación en el Diario Oficial de la Unión Europea.
Será aplicable a partir del 21 de noviembre de 2021, a excepción del apartado 1, letra c), y de los puntos 7 y 9 del anexo II de la presente Decisión, que se aplicarán a partir del 13 de junio de 2022.
Hecho en Fráncfort del Meno, el 21 de septiembre de 2021.
La Presidenta del BCE
Christine LAGARDE
(1) Orientación (UE) 2021/1759 del Banco Central Europeo, de 20 de julio de 2021, por la que se modifica la Orientación BCE/2012/27 sobre el sistema automatizado transeuropeo de transferencia urgente para la liquidación bruta en tiempo real (TARGET2) (BCE/2021/30) (véase la página 45 del presente Diario Oficial).
(2) Orientación BCE/2012/27 del Banco Central Europeo, de 5 de diciembre de 2012, sobre el sistema automatizado transeuropeo de transferencia urgente para la liquidación bruta en tiempo real (TARGET2) (DO L 30 de 30.1.2013, p. 1).
(3) Decisión BCE/2007/7 del Banco Central Europeo, de 24 de julio de 2007, relativa a las condiciones de TARGET2-ECB (DO L 237 de 8.9.2007, p. 71).
El anexo I de la Decisión BCE/2007/7 se modifica como sigue:
1) |
El artículo 1 se modifica como sigue:
|
2) |
En el artículo 2, se añade el texto siguiente en el apartado primero:
|
3) |
El artículo 3 se modifica como sigue:
|
4) |
El artículo 5 se sustituye por el texto siguiente: «Article 5 Direct participants PM account holders in TARGET2-ECB are direct participants and shall comply with the requirements set out in Article 8(1) and (2). They shall have at least one PM account with the ECB. PM account holders that have adhered to the SCT Inst scheme by signing the SEPA Instant Credit Transfer Adherence Agreement shall be and shall remain reachable in the TIPS Platform at all times, either as a TIPS DCA holder or as a reachable party via a TIPS DCA holder.». |
5) |
El artículo 22 se sustituye por el texto siguiente: «Article 22 Security Requirements and Control Procedures 1. Participants shall implement adequate security controls to protect their systems from unauthorised access and use. Participants shall be exclusively responsible for the adequate protection of the confidentiality, integrity and availability of their systems. 2. Participants shall inform the ECB of any security-related incidents in their technical infrastructure and, where appropriate, security-related incidents that occur in the technical infrastructure of the third party providers. The ECB may request further information about the incident and, if necessary, request that the participant take appropriate measures to prevent a recurrence of such an event. 3. The ECB may impose additional security requirements, in particular with regard to cybersecurity or the prevention of fraud, on all participants and/or on participants that are considered critical by the ECB. 4. Participants shall provide the ECB with: (i) permanent access to their attestation of adherence to their chosen network service provider’s endpoint security requirements, and (ii) on an annual basis the TARGET2 self-certification statement as published on the ECB’s website in English. 4a. The ECB shall assess the participant’s self-certification statement(s) on the participants level of compliance with each of the requirements set out in the TARGET2 self-certification requirements. These requirements are listed in Appendix VII, which in addition to the other Appendices listed in Article 2(1), shall form an integral part of these Conditions. 4b. The participant’s level of compliance with the requirements of the TARGET2 self-certification shall be categorised as follows, in increasing order of severity: ‘full compliance’; ‘minor non-compliance’; or ‘major non-compliance’. The following criteria apply: full compliance is reached where participants satisfy 100% of the requirements; minor non-compliance is where a participant satisfies less than 100% but at least 66% of the requirements and major non-compliance where a participant satisfies less than 66% of the requirements. If a participant demonstrates that a specific requirement is not applicable to it, it shall be considered as compliant with the respective requirement for the purposes of the categorisation. A participant which fails to reach ‘full compliance’ shall submit an action plan demonstrating how it intends to reach full compliance. The ECB shall inform the relevant supervisory authorities of the status of such participant’s compliance. 4c. If the participant refuses to grant permanent access to its attestation of adherence to their chosen NSPs endpoint security requirements or does not provide the TARGET2 self-certification the participant’s level of compliance shall be categorised as ‘major non-compliance’. 4d. The ECB shall reassess compliance of participants on an annual basis. 4e. The ECB may impose the following measures of redress on participants whose level of compliance was assessed as minor or major non-compliance, in increasing order of severity:
|
6) |
En el artículo 33, el apartado 1 se sustituye por el texto siguiente: «1. Participants shall be deemed to be aware of, shall comply with, and shall be able to demonstrate that compliance to the relevant competent authorities with all obligations on them relating to legislation on data protection. They shall be deemed to be aware of, and shall comply with all obligations on them relating to legislation on prevention of money laundering and the financing of terrorism, proliferation-sensitive nuclear activities and the development of nuclear weapons delivery systems, in particular in terms of implementing appropriate measures concerning any payments debited or credited on their PM accounts. Participants shall ensure that they are informed about the TARGET2 network service provider’s data retrieval policy prior to entering into the contractual relationship with the TARGET2 network service provider.». |
7) |
Se inserta el siguiente artículo 39 bis: «Article 39a Transitional provisions 1. Once the TARGET system is operational and TARGET2 has ceased operation, PM account balances shall be transferred to the account holder’s corresponding successor accounts in the TARGET system. 2. The requirement that PM account holders, indirect Participants and addressable BIC holders adhering to the SCT Inst scheme be reachable in the TIPS Platform pursuant to Article 5 shall apply as of 25 February 2022.». |
8) |
En el apéndice I, apartado 8, punto 4, la letra b) se sustituye por el texto siguiente:
|
9) |
En el apéndice IV, apartado 6, la letra g) se sustituye por el texto siguiente:
|
10) |
Se añade el siguiente apéndice VII: «Appendix VII Requirements regarding information security management and business continuity management Information security management These requirements are applicable to each participant, unless the participant demonstrates that a specific requirement is not applicable to it. In establishing the scope of application of the requirements within its infrastructure, the participant should identify the elements that are part of the Payment Transaction Chain (PTC). Specifically, the PTC starts at a Point of Entry (PoE), i.e. a system involved in the creation of transactions (e.g. workstations, front-office and back-office applications, middleware), and ends at the system responsible to send the message to SWIFT (e.g. SWIFT VPN Box) or Internet (with the latter applicable to Internet-based Access). Requirement 1.1: Information security policy The management shall set a clear policy direction in line with business objectives and demonstrate support for and commitment to information security through the issuance, approval and maintenance of an information security policy aiming at managing information security and cyber resilience across the organisation in terms of identification, assessment and treatment of information security and cyber resilience risks. The policy should contain at least the following sections: objectives, scope (including domains such as organisation, human resources, asset management etc.), principles and allocation of responsibilities. Requirement 1.2: Internal organisation An information security framework shall be established to implement the information security policy within the organisation. The management shall coordinate and review the establishment of the information security framework to ensure the implementation of the information security policy (as per Requirement 1.1) across the organisation, including the allocation of sufficient resources and assignment of security responsibilities for this purpose. Requirement 1.3: External parties The security of the organisation’s information and information processing facilities should not be reduced by the introduction of, and/or the dependence on, an external party/parties or products/services provided by them. Any access to the organisation’s information processing facilities by external parties shall be controlled. When external parties or products/services of external parties are required to access the organisation’s information processing facilities, a risk assessment shall be carried out to determine the security implications and control requirements. Controls shall be agreed and defined in an agreement with each relevant external party. Requirement 1.4: Asset management All information assets, the business processes and the underlying information systems, such as operating systems, infrastructures, business applications, off-the-shelf products, services and user-developed applications, in the scope of the Payment Transaction Chain shall be accounted for and have a nominated owner. The responsibility for the maintenance and the operation of appropriate controls in the business processes and the related IT components to safeguard the information assets shall be assigned. Note: the owner can delegate the implementation of specific controls as appropriate, but remains accountable for the proper protection of the assets. Requirement 1.5: Information assets classification Information assets shall be classified in terms of their criticality to the smooth delivery of the service by the participant. The classification shall indicate the need, priorities and degree of protection required when handling the information asset in the relevant business processes and shall also take into consideration the underlying IT components. An information asset classification scheme approved by the management shall be used to define an appropriate set of protection controls throughout the information asset lifecycle (including removal and destruction of information assets) and to communicate the need for specific handling measures. Requirement 1.6: Human resources security Security responsibilities shall be addressed prior to employment in adequate job descriptions and in terms and conditions of employment. All candidates for employment, contractors and third party users shall be adequately screened, especially for sensitive jobs. Employees, contractors and third party users of information processing facilities shall sign an agreement on their security roles and responsibilities. An adequate level of awareness shall be ensured among all employees, contractors and third party users, and education and training in security procedures and the correct use of information processing facilities shall be provided to them to minimise possible security risks. A formal disciplinary process for handling security breaches shall be established for employees. Responsibilities shall be in place to ensure that an employee’s, contractor’s or third party user’s exit from or transfer within the organisation is managed, and that the return of all equipment and the removal of all access rights are completed. Requirement 1.7: Physical and environmental security Critical or sensitive information processing facilities shall be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They shall be physically protected from unauthorised access, damage and interference. Access shall be granted only to individuals who fall within the scope of Requirement 1.6. Procedures and standards shall be established to protect physical media containing information assets when in transit. Equipment shall be protected from physical and environmental threats. Protection of equipment (including equipment used off-site) and against the removal of property is necessary to reduce the risk of unauthorised access to information and to guard against loss or damage of equipment or information. Special measures may be required to protect against physical threats and to safeguard supporting facilities such as the electrical supply and cabling infrastructure. Requirement 1.8: Operations management Responsibilities and procedures shall be established for the management and operation of information processing facilities covering all the underlying systems in the Payment Transaction Chain end-to-end. As regards operating procedures, including technical administration of IT systems, segregation of duties shall be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse. Where segregation of duties cannot be implemented due to documented objective reasons, compensatory controls shall be implemented following a formal risk analysis. Controls shall be established to prevent and detect the introduction of malicious code for systems in the Payment Transaction Chain. Controls shall be also established (including user awareness) to prevent, detect and remove malicious code. Mobile code shall be used only from trusted sources (e.g. signed Microsoft COM components and Java Applets). The configuration of the browser (e.g. the use of extensions and plugins) shall be strictly controlled. Data backup and recovery policies shall be implemented by the management; those recovery policies shall include a plan of the restoration process which is tested at regular intervals at least annually. Systems that are critical for the security of payments shall be monitored and events relevant to information security shall be recorded. Operator logs shall be used to ensure that information system problems are identified. Operator logs shall be regularly reviewed on a sample basis, based on the criticality of the operations. System monitoring shall be used to check the effectiveness of controls which are identified as critical for the security of payments and to verify conformity to an access policy model. Exchanges of information between organisations shall be based on a formal exchange policy, carried out in line with exchange agreements among the involved parties and shall be compliant with any relevant legislation. Third party software components employed in the exchange of information with TARGET2 (like software received from a Service Bureau in scenario 2 of the scope section of the TARGET2 self-certification arrangement document) must be used under a formal agreement with the third party. Requirement 1.9: Access control Access to information assets shall be justified on the basis of business requirements (need-to-know (1)) and according to the established framework of corporate policies (including the information security policy). Clear access control rules shall be defined based on the principle of least privilege (2) to reflect closely the needs of the corresponding business and IT processes. Where relevant (e.g. for backup management) logical access control should be consistent with physical access control unless there are adequate compensatory controls in place (e.g. encryption, personal data anonymisation). Formal and documented procedures shall be in place to control the allocation of access rights to information systems and services that fall within the scope of the Payment Transaction Chain. The procedures shall cover all stages in the lifecycle of user access, from the initial registration of new users to the final deregistration of users that no longer require access. Special attention shall be given, where appropriate, to the allocation of access rights of such criticality that the abuse of those access rights could lead to a severe adverse impact on the operations of the participant (e.g. access rights allowing system administration, override of system controls, direct access to business data). Appropriate controls shall be put in place to identify, authenticate and authorise users at specific points in the organisation’s network, e.g. for local and remote access to systems in the Payment Transaction Chain. Personal accounts shall not be shared in order to ensure accountability. For passwords, rules shall be established and enforced by specific controls to ensure that passwords cannot be easily guessed, e.g. complexity rules and limited-time validity. A safe password recovery and/or reset protocol shall be established. A policy shall be developed and implemented on the use of cryptographic controls to protect the confidentiality, authenticity and integrity of information. A key management policy shall be established to support the use of cryptographic controls. There shall be policy for viewing confidential information on screen or in print (e.g. a clear screen, a clear desk policy) to reduce the risk of unauthorised access. When working remotely, the risks of working in an unprotected environment shall be considered and appropriate technical and organisational controls shall be applied. Requirement 1.10: Information systems acquisition, development and maintenance Security requirements shall be identified and agreed prior to the development and/or implementation of information systems. Appropriate controls shall be built into applications, including user-developed applications, to ensure correct processing. These controls shall include the validation of input data, internal processing and output data. Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical information. Such controls shall be determined on the basis of security requirements and risk assessment according to the established policies (e.g. information security policy, cryptographic control policy). The operational requirements of new systems shall be established, documented and tested prior to their acceptance and use. As regards network security, appropriate controls, including segmentation and secure management, should be implemented based on the criticality of data flows and the level of risk of the network zones in the organisation. There shall be specific controls to protect sensitive information passing over public networks. Access to system files and program source code shall be controlled and IT projects and support activities conducted in a secure manner. Care shall be taken to avoid exposure of sensitive data in test environments. Project and support environments shall be strictly controlled. Deployment of changes in production shall be strictly controlled. A risk assessment of the major changes to be deployed in production shall be conducted. Regular security testing activities of systems in production shall also be conducted according to a predefined plan based on the outcome of a risk assessment, and security testing shall include, at least, vulnerability assessments. All of the shortcomings highlighted during the security testing activities shall be assessed and action plans to close any identified gap shall be prepared and followed up in a timely fashion. Requirement 1.11: Information security in supplier (3) relationships To ensure protection of the participant’s internal information systems that are accessible by suppliers, information security requirements for mitigating the risks associated with supplier’s access shall be documented and formally agreed upon with the supplier. Requirement 1.12: Management of information security incidents and improvements To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses, roles, responsibilities and procedures, at business and technical level, shall be established and tested to ensure a quick, effective and orderly and safely recover from information security incidents including scenarios related to a cyber-related cause (e.g. a fraud pursued by an external attacker or by an insider). Personnel involved in these procedures shall be adequately trained. Requirement 1.13: Technical compliance review A participant’s internal information systems (e.g. back office systems, internal networks and external network connectivity) shall be regularly assessed for compliance with the organisation’s established framework of policies (e.g. information security policy, cryptographic control policy). Requirement 1.14: Virtualisation Guest virtual machines shall comply with all the security controls that are set for physical hardware and systems (e.g. hardening, logging). Controls relating to hypervisors must include: hardening of the hypervisor and the hosting operating system, regular patching, strict separation of different environments (e.g. production and development). Centralised management, logging and monitoring as well as managing of access rights, in particular for high privileged accounts, shall be implemented based on a risk assessment. Guest virtual machines managed by the same hypervisor shall have a similar risk profile. Requirement 1.15: Cloud computing The usage of public and/or hybrid cloud solutions in the Payment Transaction Chain must be based on a formal risk assessment, taking into account the technical controls and the contractual clauses related to the cloud solution. If hybrid cloud solutions are used, it is understood that the criticality level of the overall system is the highest one of the connected systems. All on-premises components of the hybrid solutions must be segregated from the other on-premises systems. Business continuity management (applicable only to critical participants) The following requirements (2.1 to 2.6) relate to business continuity management. Each TARGET2 participant classified by the Eurosystem as being critical for the smooth functioning of the TARGET2 system shall have a business continuity strategy in place comprising the following elements.
|
(1) The need-to-know principle refers to the identification of the set of information that an individual needs access to in order to carry out her/his duties.
(2) The principle of least privilege refers to tailoring a subject’s access profile to an IT system in order to match the corresponding business role.
(3) A supplier in the context of this exercise should be understood as any third party (and its personnel) which is under contract (agreement), with the institution, to provide a service and under the service agreement the third party (and its personnel) is granted access, either remotely or on-site, to information and/or information systems and/or information processing facilities of the institution in scope or associated to the scope covered under the exercise of the TARGET2 self-certification.
El anexo II de la Decisión BCE/2007/7 se modifica como sigue:
1) |
El artículo 1 se modifica como sigue:
|
2) |
En el artículo 4, apartado 2, la letra f quater) se sustituye por el texto siguiente:
|
3) |
En el artículo 4, apartado 2, se inserta la letra f quinquies) siguiente:
|
4) |
En el artículo 4, el apartado 3 se sustituye por el texto siguiente: «3. TARGET2 provides real-time gross settlement for payments in euro, with settlement in central bank money across PM accounts, T2S DCAs and TIPS DCAs. TARGET2 is established and functions on the basis of the SSP through which payment orders are submitted and processed and through which payments are ultimately received in the same technical manner. As far as the technical operation of the T2S DCAs is concerned, TARGET2 is technically established and functions on the basis of the T2S Platform. As far as the technical operation of the TIPS DCAs and TIPS AS technical accounts is concerned, TARGET2 is technically established and functions on the basis of the TIPS Platform. The ECB is the provider of services under these Conditions. Acts and omissions of the SSP-providing NCBs and the 4CBs shall be considered acts and omissions of the ECB, for which it shall assume liability in accordance with Article 21 of this Annex. Participation pursuant to these Conditions shall not create a contractual relationship between T2S DCA holders and the SSP-providing NCBs or the 4CBs when any of the latter acts in that capacity. Instructions, messages or information which a T2S DCA holder receives from, or sends to, the SSP or T2S Platform in relation to the services provided under these Conditions are deemed to be received from, or sent to, the ECB.». |
5) |
En el artículo 8, el apartado 3 se sustituye por el texto siguiente: «3. Where the ECB has granted a request by a T2S DCA holder pursuant to paragraph 1, that T2S DCA holder is deemed to have given the participating CSD(s) a mandate to debit the T2S DCA with the amounts relating to securities transactions executed on those securities accounts.». |
6) |
En el artículo 28, el apartado 1 se sustituye por el texto siguiente: «1. T2S DCA holders shall be deemed to be aware of, shall comply with, and shall be able to demonstrate that compliance to the relevant competent authorities with all obligations on them relating to legislation on data protection. They shall be deemed to be aware of, and shall comply with all obligations on them relating to legislation on prevention of money laundering and the financing of terrorism, proliferation-sensitive nuclear activities and the development of nuclear weapons delivery systems, in particular in terms of implementing appropriate measures concerning any payments debited or credited on their T2S DCAs. Prior to entering into the contractual relationship with its T2S network service provider, T2S DCA holders shall ensure that they are informed about its data retrieval policy.». |
7) |
El artículo 30 se sustituye por el texto siguiente: «Article 30 Contractual relationship with an NSP 1. T2S DCA holders shall either:
2. The legal relationship between a T2S DCA holder and the NSP shall be exclusively governed by the terms and conditions of the separate contract concluded with an NSP as referred to in paragraph 1(a). 3. The services to be provided by the NSP shall not form part of the services to be performed by the ECB in respect of TARGET2. 4. The ECB shall not be liable for any acts, errors or omissions of the NSP (including its directors, staff and subcontractors), or for any acts, errors or omissions of third parties selected by participants to gain access to the NSP’s network.». |
8) |
Se inserta el siguiente artículo 34 bis: «Article 34a Transitional provisions Once the TARGET system is operational and TARGET2 has ceased operation, T2S DCA holders shall become T2S DCA holders in the TARGET system.». |
9) |
Las referencias a «proveedor del servicio de red de T2S» (en singular o plural) en el artículo 6, apartado 1, letra a), inciso i), el artículo 9, apartado 5, el artículo 10, apartado 6, el artículo 14, apartado 1, letra a), el artículo 22, apartados 1, 2 y 3, el artículo 27, apartado 5, el artículo 28, apartado 1, y el artículo 29, apartado 1, del anexo II, y el apartado 1 del apéndice I se sustituyen por referencias al «PSR». |
10) |
En el apéndice I, apartado 8, punto 4, la letra b) se sustituye por el texto siguiente:
|
El anexo III de la Decisión BCE/2007/7 se modifica como sigue:
1) |
Las referencias al «proveedor del servicio de red de TIPS» (en singular o plural) en este anexo se sustituyen por referencias al «PSR». |
2) |
El artículo 1 se modifica como sigue:
|
3) |
En el artículo 3, apartado 1, la referencia al «Apéndice V: Requisitos técnicos de conectividad a TIPS» se suprime. |
4) |
El artículo 4 se modifica como sigue:
|
5) |
En el artículo 6, apartado 1, letra a), el inciso i) se sustituye por el texto siguiente:
|
6) |
El artículo 9 se sustituye por el texto siguiente: «Article 9 Contractual relationship with an NSP 1. Participants shall either:
2. The legal relationship between a participant and the NSP shall be exclusively governed by the terms and conditions of their separate contract as referred to in paragraph 1(a). 3. The services to be provided by the NSP shall not form part of the services to be performed by the ECB in respect of TARGET2. 4. The ECB shall not be liable for any acts, errors or omissions by the NSP (including its directors, staff and subcontractors), or for any acts, errors or omissions by third parties selected by participants to gain access to the NSP’s network.». |
7) |
Se suprime el artículo 10. |
8) |
Se inserta el artículo 11 bis siguiente: «Article 11a MPL repository 1. The central MPL repository contains the proxy – IBAN mapping table for the purposes of the MPL service. 2. Each proxy may be linked to only one IBAN. An IBAN may be linked to one or multiple proxies. 3. Article 29 shall apply to the data contained in the MPL repository.». |
9) |
En el artículo 12 se suprime el apartado 9. |
10) |
El artículo 16 se sustituye por el texto siguiente: «Article 16 Types of payment orders in TIPS DCA The following are classified as payment orders for the purposes of the TIPS service:
|
11) |
En el artículo 18, el apartado 6 se sustituye por el texto siguiente: «6. After a TIPS DCA to PM liquidity transfer order, a TIPS DCA to TIPS AS technical account liquidity transfer order or a TIPS AS technical account to TIPS DCA liquidity transfer order has been accepted as referred to in Article 17, the TARGET2-ECB shall check whether sufficient funds are available on the payer's account. If sufficient funds are not available the liquidity transfer order shall be rejected. If sufficient funds are available the liquidity transfer order shall be settled immediately.». |
12) |
En el artículo 20, apartado 1, la letra b) se sustituye por el texto siguiente:
|
13) |
En el artículo 30, el apartado 1 se sustituye por el texto siguiente: «1. TIPS DCA holders shall be deemed to be aware of, shall comply with and shall be able to demonstrate that compliance to the relevant competent authorities with all obligations on them relating to legislation on data protection. They shall be deemed to be aware of, and shall comply with all obligations on them relating to legislation on prevention of money laundering and the financing of terrorism, proliferation-sensitive nuclear activities and the development of nuclear weapons delivery systems, in particular in terms of implementing appropriate measures concerning any payments debited or credited on their TIPS DCAs. TIPS DCA holders ensure that they are informed about their chosen NSP's data retrieval policy prior to entering into a contractual relationship with that NSP.». |
14) |
Se inserta el siguiente artículo 35 bis: «Article 35a Transitional provision Once the TARGET system is operational and the TARGET2 has ceased operation, TIPS DCA holders shall become TIPS DCA holders in the TARGET system.». |
15) |
En el apéndice I, el cuadro del apartado 2 se sustituye por el texto siguiente:
|
16) |
En el apéndice I, apartado 6, punto 1, la letra b) se sustituye por el texto siguiente:
|
17) |
En el apéndice IV, se suprime el apartado 2. |
18) |
Se suprime el apéndice V. |
Agencia Estatal Boletín Oficial del Estado
Avda. de Manoteras, 54 - 28050 Madrid