Skip to main content

Thomas Murray’s Financial Market Infrastructure (FMI) team was approached by a European central securities depository (CSD) for a risk assessment. As CSDs are a key component of the global marketplace, such an assessment requires specialist knowledge and a level of detail even beyond that which goes into scrutinising a bank.

Gary King and Weronika Kruk performed the evaluation and were kind enough to answer our questions about how the whole process works and what’s involved. (And, yes, they do tell us which CSD it was!)

Gary King
Gary King

Associate Director | Asia Pacific specialist

Weronika Kruk
Weronika Kruk

Market Specialist | Financial Market Infrastructure

How often do you get the chance to evaluate a CSD from scratch?

Not very often at all. Thomas Murray currently has around 145 ‘live’ CSDs that we monitor, and most of those were first evaluated by us some years ago. To start an evaluation with a fresh sheet was a bit of a novelty.

Did that make it harder or easier than assessing a CSD that Thomas Murray has been evaluating for years?

The degree of difficulty and the amount of work varies every time you do one of these assessments, regardless of the length of the relationship, so it’s hard to say. On the one hand, the CSD approached us for the assessment – that’s fairly rare, as usually we evaluate CSDs at the request of a client – so they were very forthcoming with any information we asked for.

On the other hand, because they asked for the assessment, we still had to do the usual rigorous check of everything they told us to make sure we weren’t getting only the most favourable versions of the answers.

How do you check that?

We use a combination of things – there’s a lot of detective work involved and it’s a very forensic approach. Publicly available information – the CSD’s own website, for example, or stories in the trade press – can be quite helpful but it all needs corroboration. For that we’ll go to support banks, the local custodians that we have contacts in, and to official bodies like regulators and central banks. They can offer an unvarnished view of how the CSD is performing and what its risk management is like.

What that means in practice, usually, is the smaller market, the harder it is to gather information. This CSD is in a small market, so the store of readily accessible evidence just wasn’t there.

But that’s why, with all CSD evaluations, we do daily monitoring for contradictions between what the CSD has told us and what evidence is appearing elsewhere. Quite often those are entirely innocent discrepancies – the CSD has changed its software service provider at some point after it sent us its initial response, for example, or maybe there’s been a process change – though it all needs to be checked out and verified.

It sounds like these evaluations have long timelines.

It depends. Sometimes the CSD is quite open with you and very responsive, as in this case, and other times you might have to be persistent in getting replies. An evaluation could take a few months or a couple of years.

A couple of years?

Theoretically. It hasn’t yet, touch wood, but hypothetically it could. Remember that these evaluations are far more detailed than bank assessments. It’s pretty common for the evaluation of just the operational risk of a CSD to take two or three months.

On that note, what risks do you look for?

There are eight key risks that we evaluate. Operational risk is one. The others are asset commitment, liquidity, counterparty, asset safety, financial, asset servicing, and ESG/oversight and transparency risk. Each of those risks is assigned key criteria that are evaluated separately to create an overall risk grade.

There are some risks beyond a CSD’s control. We rule out investment, legal, macroeconomic, and political risks, and social trend analysis.

Can you give examples of the key criteria of the eight risk factors and the weights you assign to them?

Are you a Thomas Murray client?

No, I just work here.

Then we’re afraid not.

I appreciate that. Are you allowed to tell me if there’s anything else that you make allowances for?

Market size is a relevant factor, for sure. And there’s no set way for a CSD to operate, so what will be a perfectly acceptable approach to managing a particular risk in one CSD’s market could be totally inappropriate for a CSD in another market.

And how does Thomas Murray’s methodology accommodate those differences?

Our methodology is based on best practices, not standard practices. The benefit of that approach is that we can focus on assessing the risks associated with the CSD right in front of us. It’s a bespoke, tailored process. Our job is to determine the extent to which the depository minimises risk and maximises asset safety for participants and investors. It’s that simple, and that complicated.

So, let’s say a few months – or a couple of years – have gone by and your evaluation is done. Do you give your findings to the client and/or the CSD and move on to the next one?

No, this is the bit where we get to talk about the Risk Committee! Because presenting the evaluation to the Risk Committee is the final step, and it can be quite tough. There’s a lot of accumulated knowledge around that table or on that Teams call, and it is common to have the grades and assessments challenged, or for another Committee member to raise a question you’ve not thought of. When that happens you need to go back to the CSD for more information. Then you can re-present to the Risk Committee for sign-off.

Final question – what is this CSD you’ve evaluated?

Are you a client yet? OK, fine. It was North Macedonia, but don’t tell anyone.

Your secrets are safe with me.


Orbit Intelligence

Orbit Intelligence

Centralise your monitoring and reporting, access Thomas Murray risk assessments and third-party data feeds.

Learn more