INFORMATION DISCLOSURE

NSD’s Information Disclosure Rules approved by the Bank of Russia (Order No. 14−6-22/9132 dated 20 September 2017) set out the procedure for information disclosure, i.e., provision of the following information to an indefinite or unlimited number of concerned parties:

• information to be disclosed by NSD in accordance with the Russian statutory requirements; and
• information disclosed by NSD on its own accord or upon request by a party concerned.

In particular, the Rules require that NSD act in accordance with the principle of transparency towards its shareholders, clients, business partners, counterparties, governmental authorities, employees, and other stakeholders. In accordance with the principle of transparency, the proper level of information disclosure is ensured by compliance with the following rules:

• Information disclosure practices must be consistent with NSD’s and Moscow Exchange Group’s development strategy (goals and objectives);
• Information disclosed must be accurate and accessible;
• Information must be disclosed in a timely fashion, regularly, and on a nondiscriminatory basis;
• A reasonable balance must be stricken between NSD’s transparency and NSD’s and Moscow Exchange Group’s commercial interests;
• The requirements of the Russian laws and other regulations concerning trade secrets, bank secrecy, or insider information, as well as the requirements of NSD’s internal regulations applicable to dealing with confidential information must be complied with;
• Standards of professional ethics must be complied with; and
• Information distribution channels must ensure free, easy, and inexpensive access by interested parties to any information disclosed.

To ensure compliance with the Rules, the Chairman of the Executive Board approved the Procedure for Preparation, Verification and Approval of Information to Be Disclosed by NSD as the Central Securities Depository. The Procedure sets out a list of information (data, facts, documents, and other informational materials) to be disclosed by NSD and designates employees responsible for the preparation, verification, and approval of the information to be disclosed.

In addition to conventional communication channels, NSD discloses information and communicates with counterparties via popular social media: Twitter and Facebook.

AUDIT

Internal Audit Commission

The Internal Audit Commission is the controlling body responsible for internal control over NSD’s financial and business activities. Members of the Internal Audit Commission are elected at annual General Meetings of Shareholders.

The members of the Internal Audit Commission are:

1. Olga Melentieva;
2. Maxim Nikonov;
3. Vladimir Sukhachev

The proceedings of NSD’s Internal Audit Commission are governed by the Regulations on the Internal Audit Commission approved by the General Meeting.

Material Aspects of Interaction with External Auditors

On 30 May 2019, NSD’s annual General Meeting of Shareholders resolved to approve the appointment of Deloitte & Touche CIS as NSD’s auditor to conduct audits under the Russian Accounting Standards (RAS) and the International Financial Reporting Standards (IFRS) for the period until NSD’s annual General Meeting of Shareholders to take place in 2020.

Deloitte & Touche CIS is authorized under Russian laws to conduct independent audits of NSD’s accounting system, financial statements (accounts), tax reports, financial results, and NSD’s internal control system, as well as to prepare and present an auditor’s report on NSD’s financial statements prepared under the RAS and IFRS, and, if any material shortcomings in the accounting or internal control system are identified, issue an information letter, describing the shortcomings, to NSD’s executives.

Deloitte & Touche CIS does not have any significant common interests with NSD or the Moscow Exchange Group.

Interaction with the external auditor is maintained under the Audit and Review Services Agreement. An audit is only intended to express an opinion on the validity of NSD’s financial statements and on whether the accounting records are maintained by NSD in compliance with applicable Russian law. Validity means the degree of accuracy of the data contained in the financial statements and whether it enables a user of such financial statements to draw conclusions, on the basis of such data, regarding NSD’s performance results, financial position, and assets, and to make informed decisions. During the audit period, the auditors also examine the tax accounting books and tax reports filed by NSD in the forms required (i.e., tax returns, tax calculations, etc.) and determine whether all tax reliefs were obtained lawfully. The purpose of a review is to express a conclusion whether, on the basis of the review, anything has come to the auditor’s attention that causes the auditor to believe that NSD’s interim financial statements for the first six months of the year are not prepared, in all material respects, in accordance with IAS 34 «Interim Financial Reporting».

Interaction with the auditor includes several phases:

• Phase 1: analysis of NSD’s information systems;
• Phase 2: review of the company’s IFRS interim financial statements for the first six months of the year;
• Phase 3: intermediate procedures: audit of the state of accounting and controls, account balances, and tax filings for the nine months of the financial year;
• Phase 4: final procedures: audit of the state of accounting and controls, account balances, RAS and IFRS financial statements and tax filings for 12 months of the financial year.

For the purposes of conducting an audit, NSD designates an employee to be in charge of liaising with NSD’s business units and ensuring that the information needed for the audit is delivered in a timely fashion.

Under the Audit and Review Services Agreement, the auditor undertakes to strictly comply with the laws of the Russian Federation and other regulations, including Federal Law No. 307-FZ dated 30 December 2008 «On Audit Activities», international standards on auditing, and federal standards on auditing adopted in the Russian Federation. Furthermore, the auditor is required to:

• ensure that any documents received by the auditor in the course of an audit are kept safe and returned in due course, and that their contents or any other information are not disclosed without NSD’s consent, except as provided by Russian law;
• if so requested by NSD, supply NSD with the necessary information on the requirements of the Russian laws with respect to the conduct of audits (including tax audits), and references to the regulations on which the auditor’s comments and conclusions are based; and
• inspect the documents related to NSD’s financial and business activities and the availability of any assets recorded in those documents.

Where the auditor discovers any breach of the tax laws or any material misstatements in NSD’s financial statements or tax reports, the auditor will notify NSD’s executives that they may be held liable for such breaches and that it is necessary to make amendments to the financial statements or make adjustments to the tax returns and calculations.

The auditor determines, at its own discretion, the forms and methods of the audit based on the requirements imposed by the applicable Russian laws and regulations, subject to the specific terms and conditions of the Audit and Review Services Agreement.

In the course of an audit, NSD undertakes to make the relevant arrangements and provide assistance to the auditor to ensure that the financial and tax audits are completed in a timely fashion and in full. NSD provides the auditor with all the information and documents requested and needed for the audit, provides full clarifications and confirmations as may be requested by the auditor, and requests any information necessary for the audit from third parties.

INTERNAL CONTROL

In compliance with the requirements set forth by Russian laws and Bank of Russia’s regulations, NSD implements internal controls that are appropriate to the nature and scope of NSD’s business (as the central securities depository and as a non-banking credit institution, professional securities market participant, clearing house, and trade repository), and to NSD’s risk profile.

Internal controls are implemented to ensure that NSD pursues the following objectives:

• ensure that NSD’s financial and commercial performance in the course of banking and any other operations and transactions is efficient and effective, and ensure the efficient management of assets and liabilities (including protection of assets) as well as efficient risk management;
• ensure that NSD’s financial statements, accounting, statistical, and other reports (both internal and external) are accurate, complete and objective and are prepared and submitted in a timely fashion, and maintain information security (safeguard the company’s interests and objectives in the information field defined as a totality of information, information infrastructure, parties involved in information collection, generation, distribution, and use, and the framework of regulation of resulting relations);
• ensure compliance with the applicable Russian laws, Bank of Russia’s regulations, self-regulatory organizations' standards, and NSD’s constitutional documents and internal regulations; and
• prevent NSD’s or its employees' involvement in illegal activities (including money laundering and terrorist financing), and ensure that relevant information is reported to competent authorities and the Bank of Russia in a timely fashion in accordance with the Russian laws.

NSD’s Supervisory Board, Executive Board, and Executive Board Chairman are actively involved in managing the internal control system. NSD has the Audit Committee, a standing advisory body of the Supervisory Board established to ensure the effectiveness of internal controls and internal audits, to assess the effectiveness of the risk management system, and to make recommendations to NSD’s Supervisory Board and executive bodies to enable them to take decisions on those matters in accordance with their authority.

NSD’s internal control system is based on the principle of three lines of defence, as required by the global best practices. The maturity level of the internal control system is confirmed by an independent auditor.

At NSD, there are two departments responsible for internal control on a continuous basis: the Internal Audit Department and the Internal Control Department.

The Internal Audit Department is responsible for assessing the reliability and effectiveness of internal controls, risk management, corporate governance, and business processes at NSD, provides NSD’s management bodies with information upon completion of internal audits, and gives advice on matters relating to internal controls.

The Internal Control Department is responsible for ongoing control over NSD’s operations, including NSD’s operations as CSD, clearing house, and trade repository, as well as over the work of the AML/CFT Officer and the Insider Trading Compliance Officer.

In 2019, in the field of AML/CFT, the main focus was on automation of processes amid changing requirements of Russian laws, and on preventing questionable transactions attempted to be made using new instruments or services.

Compliance efforts were focused on ensuring compliance with increasing regulatory requirements to NSD’s operations and foreign jurisdictions' requirements concerning tax risks (FATCA, The Common Reporting Standard), as well as on managing geopolitical risks.

• The Internal Control Department improves its control and monitoring tools on a continuous basis, including:
• monitoring of whether regulatory reports are submitted to the Bank of Russia in a timely fashion;
• access to insider information;
• quality of handling client enquiries that could be classified as complaints; and
• compliance with the AML/CFT requirements of the laws and Bank of Russia’s regulations.

In 2019, NSD’s key areas of business were audited by the Bank of Russia, without any material findings on non-compliance.

The multi-level internal control system enables NSD to effectively identify and manage risks in all areas of its business.

INFORMATION SECURITY

To deliver on its strategic objectives, it is crucial for NSD to implement information management and protection practices, as information protection is the overarching factor of effective and sustainable performance.

NSD has the status of central securities depository, its Payment System is nationally important, and NSD also provides banking, trade repository, clearing, and other services in the financial market. All these factors make information and cyber security one of NSD’s priorities.

The work to ensure information security (IS) at NSD is organized in accordance with the Russian laws, Bank of Russia’s requirements and recommendations, the package of standardization documents issued by the Bank of Russia (entitled «Ensuring Information Security at Organizations of the Banking Industry of the Russian Federation») (the «BR ISBS Package»), NSD’s Information Security Policy, and the best practices and international standards.

The focus of IS activities is to ensure the security of clients' assets, as well as the security of the company‘s banking, depository, settlement and information systems, to ensure NSD’s sustainable and effective performance, and to safeguard interests of NSD and its shareholders, investors, and clients against information security threats. The Information Security Division is responsible for putting in place an effective system to manage IS risks and conducting works designed to identify and counter any possible threats.

In accordance with the requirements of the Russian laws and the requirements set out in the BR ISBS Package, the Information Security Division is actively involved in analyzing business processes, drafting terms of reference, rolling out hardware and software, and performing an expert review of contracts and agreements. In addition, the Information Security Division regulates processes designed to separate users' access, sets up and maintains information protection tools, allocates access rights, and maintains key information.

Thanks to regular IS audits, NSD can objectively assess the current level of information security. On a quarterly basis, the Information Security Division issues a cyber security report describing the current security status of IT systems; reports are provided to the Executive Board, Executive Board Chairman, Risk Management Department, and Audit Committee of the Supervisory Board.

An independent audit of NSD for compliance with the requirements set out in Bank of Russia’s Regulations No. 382-P dated 9 June 2012 «On the Requirements to Information Security in the Course of Money Transfers and the Procedure for Monitoring by the Bank of Russia of Compliance with Such Requirements», which was conducted in 2019, confirmed that NSD complies with the Bank of Russia’s requirements and observes the international Principles for Financial Market Infrastructures, and showed an improvement in the IS level.

To maintain and raise its IS level, NSD took steps to improve its information protection tools and IS-related internal regulations and to enhance security of source codes of business IT systems under development.

In 2019, NSD’s Information Security Division paid specific attention to:

• ensure security of the company’s internal systems, focusing on those accessible online, by addressing vulnerabilities identified by penetration and other tests;
• update IS-related internal regulations;
• address vulnerabilities identified in NSD’s information infrastructure; and
• automate IS processes and procedures.

NSD took steps to improve the process of vulnerability management, which allowed the company to identify and address vulnerabilities in NSD’s information infrastructure before they have caused negative effects as a result of such vulnerabilities being exploited by intruders.

In the reporting year, the following measures were implemented:

• A list of IT systems covered by static code analysis to identify potential vulnerabilities was expanded; the process of mandatory audit of all IT systems to be deployed to the production environment was automated; and tools designed for security screening of third-party libraries and IT systems being tested were implemented. These steps will improve effectiveness and help further decrease the number of vulnerabilities against previous periods, which may be identified by subsequent penetration tests.
• IS-related internal regulations were updated as part of the personal data protection efforts.
• Thanks to the implementation of additional information protection tools, improvements were made to the access management and user account management processes.
• The account lifecycle management process was automated.

The Information Security Division continuously improves the methodological and technological support of its activities. In particular, the Information Security Division analyzes, on a regular basis, legislative and regulatory changes, including changes in Government Standard GOST 57580.1−2017 «Security of Financial (Banking) Operations. Information Protection at Financial Institutions. Basic Organizational and Technical Measures», providing the basis on which NSD can make necessary amendments to its internal regulations in a timely fashion, and implements and modernizes security and protection solutions.

NSD’S INTERESTS IN OTHER ENTITIES