MiFID IT Maturity Assessment

Instructions: Provide descriptive responses for questions 1.01, 3.03, 6.02 and 6.04. For the rest of the questions, select the appropriate response from the drop-down menu. If you need to provide any additional information regarding your responses, please use the comments section at the bottom of this form.

Section 1 Questions / Responses

1.01  Please describe the key changes to your IT environment that will support the change in
      permissions that you are seeking (if no changes have been required, please note this and
      provide an explanation as to why).
      Response: Descriptive

Section 2 Questions / Responses

1.01  Governance: Is the governance of the IT function well defined (e.g. terms of reference,
      operating model, organisation charts, job responsibilities, and the terms of reference of
      any committees)?
      Response: Select

1.02  Is there a mechanism for identifying and assessing IT risk, and determining appropriate
      mitigating actions?
      Response: Select

2.01  Can you confirm that the development and testing of the systems relevant to the application
      in question have been completed and accepted as satisfactory for launch?
      Response: Select

2.02  Have the systems relating to this application been reviewed in the last 12 months, or will
      they have been reviewed in the 12 months before launch, by internal audit, external audit,
      or an independent and qualified third party?
      Response: Select

3.03  Please provide a schedule of reviews / audits / self-assessments / validations for the
      systems related to this application, as well as a list of any issues identified, with
      current high-level remediation status included. If no internal audit reviews have been
      performed, please provide detail on any independent assurance that your organisation has
      obtained over the relevant systems.
      Response: Descriptive

4.01  Please describe the change management procedures in place that support the effectiveness
      and robustness of the systems related to this application.
      Response: Select

4.02  Can you confirm that testing of the systems related to this application has been completed,
      including full functional and non-functional testing of technical infrastructure and
      software; stress and performance testing of the live environment to levels well beyond
      forecast levels of activity; testing of operational systems and interfaces; and testing of
      business continuity failovers (including between data centres, of individual redundant
      components and of communication links)? Can you also confirm that all significant issues
      arising from the above testing have been corrected?
      Response: Select

5.01  Are key components duplicated to eliminate single points of failure that could cause
      interruptions resulting in unacceptable harm to customers? (Consider power suppliers,
      communications lines, processors, disk drives, routers, switches, air conditioning, etc.)
      Response: Select

5.02  Are procedures and processes in place to log and monitor actual or potential availability,
      system performance and capacity problems, or market abuse, and to manage them?
      Response: Select

5.03  Please describe the extent to which your organisation has processes and procedures in place
      to ensure continuity and regularity in service provision.
      Response: Select

5.04  Please describe the disaster recovery processes in place within your organisation.
      Response: Select

5.05  Please describe the maturity of security controls in place to prevent unauthorised access to
      or disclosure of sensitive information.
      Response: Select

5.06  Do you have a formal, documented process to perform stress testing at least annually to test
      critical systems' ability to accommodate at least twice the historical peak (or twice the
      projected peak, for a new system) of activity, and to resolve any issues in a timely manner?
      Response: Select

6.01  Has an independent external and internal penetration test of the network been carried out in
      the past 12 months (and will they be carried out annually)? Have all significant weaknesses
      been corrected?
      Response: Select

6.02  Please attach a copy of the independent penetration test report and any supporting materials
      that demonstrate the work to fix significant weaknesses.
      Response: Descriptive (with attachment)

6.03  Is logical access to applications granted on the principle of least privilege, and is it
      given in a way that enforces segregation of duties? (i.e. does it ensure that separate
      persons can access functions that need to be separate for control purposes, e.g. inputting
      and releasing payments?)
      Response: Select

6.04  Describe appropriate procedures to handle security breaches.
      Response: Descriptive

7.01  Please describe the extent of your oversight and/or control over critical activities
      performed by outsource providers.
      Response: Select

7.02  Can you confirm that your firm has implemented systems and controls to ensure that it can
      meet its regulatory requirements for authorisation, including recruiting and training staff,
      implementing the necessary tools, managing third-party providers and fully documenting
      procedures?
      Response: Select

8.01  Do you have mechanisms to perform an appropriate onboarding / due-diligence process for
      clients / members that connect to or use your systems, or any other interfaces that your
      systems may integrate with?
      Response: Select

9.01  Comments: Enter additional information (if required).

Applicant firms are reminded that, irrespective of the outcome of this questionnaire, the onus remains with applicant firms to demonstrate to the FCA that they have appropriate systems in place which are fit for purpose to conduct regulated activities and which have been formally approved by the directors/board of the applicant firm. The FCA reserves the right to request applicant firms to provide evidence to support their application.