


January 2015 Page 1 of 13

CDIC Data and System Requirements By-law

Compliance Approach (2015)

Legal Framework

Requirements under the By-law

Subsection 5(2) of the Canada Deposit Insurance Corporation’s Data and System Requirements By-law (the “DSR By-law”) states that

In every premium year that begins on or after May 1, 2013, every member institution must certify whether or not it is in compliance with this By-law and must submit that certification with the Return of Insured Deposits that it submits under subsection 22(1) of the Act.

Subsection 5(1) of the DSR By-law states that

For the purpose of confirming that a member institution has the capabilities required by this By-law, the Corporation may request the institution to provide or make available to the Corporation the standardized data, or any portion of it, and evidence demonstrating that the member institution has the capability described in subsection 4(4). The member institution must provide or make available that data or evidence within 10 business days after receiving the request from the Corporation.

Consequences of non-compliance with the DSR By-law

Failure to comply with the DSR By-law will have financial consequences for your institution. Generally speaking, for differential premium purposes, a member institution (MI) that has not implemented the data and system requirements as of April 30th, 2015, will be classified for the premium year that begins May 1st, 2015 in one premium category lower than it would otherwise have been classified. For more information please refer to s. 8.1 and s. 8.2 of the Differential Premiums By-law (the “DP By-law”).

Process Overview

The following overview outlines 1) the evidence that CDIC proposes to use to test member institutions’ compliance with the DSR By-law in 2015; and 2) the process CDIC plans to follow for testing compliance. However, if for any reason CDIC does not complete the compliance testing process set out in this document for any member institution(s), CDIC may rely on an untested member institution’s certification; CDIC would nevertheless rely on the test results of those member institution(s) who would have already been tested. CDIC intends to periodically review the evidence it requests and its process, both of which may be modified based on CDIC’s experience in testing for compliance. CDIC also reserves the right to modify this document if, in CDIC's judgment, other evidence or another process would better test for compliance in certain circumstances.


Member Certification for 2015

As of June 30, 2013, member institutions are required to comply with the DSR By-law. Pursuant to Section 5(2) of the DSR By-law member institutions must annually certify compliance with the DSR By-law together with their annual Return of Insured Deposits. It should be noted that by certifying compliance, member institutions are confirming that the following obligations and requirements, among others, have been implemented:

Ability to implement and remove a channel hold;

Ability to satisfy the timelines (e.g. timing of extracts, application of holds) as specified in the Data and System Requirements and CDIC DSR By-Law;

The standardized data reflects the complete population of depositors with eligible and ineligible deposits held at the member institution;

The standardized data reflects the complete population of eligible and ineligible deposits at the member institution;

The interest accrued or payable on each deposit liability reflects the interest accrued or payable as at the determination date;

Ability to resume and restrict access to deposits through:

I. the Hold Instructions;

II. CDIC Partial Hold; and

III. CDIC Full Hold.

Subject to any additional information that may be requested pursuant to Step 3 below, CDIC will not require member institutions to provide documentation supporting the certification at this time. However, CDIC would ask that member institutions ensure that such documentation is available should it be requested at a later date.

Testing Details

The process CDIC plans to follow for testing compliance with the CDIC Data and System Requirements is as follows:

1. CDIC publishes Compliance Approach

a. CDIC will publish on its website the Compliance Approach for 2015 in January 2015.

2. Notice of Testing, Submission of Certification and Data Extract

a. In early April, 2015, CDIC will communicate to the MI whether or not it has been selected for testing. If an MI has been selected for testing, the MI will be required to provide the de-identified full production data extract that does not contain depositor personal information, produced on or before April 30¹ (“full production extract”), for testing. Please refer to Appendix A for further details. MIs not selected for testing are required to retain a full production data extract for future reference as necessary.

¹ MIs can opt for a date between April 1 and April 30, 2015.

b. CDIC is revisiting the process for holds testing and does not intend to test MIs on Holds Validation in 2015.

c. De-identified data extract files are to be provided via Secure File Transfer Protocol (SFTP) (as further detailed in Appendix B).

d. The full production extract can be submitted any time after May 1, 2015 but no later than June 30, 2015.

e. The certification of compliance is to be provided with the MI’s Return of Insured Deposits.

3. Commencement of Testing (“Initial Test”)

a. Testing will commence after July 15, 2015. CDIC will conduct an initial test of the full production extract at its own premises. For a sub-set of MIs, CDIC may conduct the initial test at the MI’s premises (“on-site testing”).

b. For MIs selected for on-site testing, CDIC will require and will test the MI’s identified April 30, full production extract when it arrives for the scheduled on-site testing.

4. Communicating Results of the Initial Test

a. CDIC will inform MIs of the results of the initial test within 5 business days of completion of testing.

b. If no deviations or errors are identified in the initial test, CDIC will conclude that the MI has met the requirements of and is in compliance with the DSR By-law for the purposes of premium classification for the 2015 premium year. No further action by the MI will be required at this time.

c. If deviations or errors are identified in the initial test, the MI will have an opportunity to correct all deviations and errors (see steps 5 and 6 below).

5. Pre-Test

a. Where deviations or errors have been identified in the initial test, the MI will undergo a pre-test.

The objective of the pre-test is to assist the MI in determining whether its efforts to correct all deviations and errors are on track.

b. For purposes of the pre-test, the MI must, within 60 calendar days from the date CDIC informs the MI of the results of the initial test:

I. upload via SFTP to CDIC a de-identified full production data extract; and

II. inform CDIC in writing that the required extract has been provided for purposes of the pre-test.


c. CDIC will conduct a pre-test of the de-identified full production data extract at its own premises. CDIC will, within 5 business days of receipt of the data extract, provide the MI with the results of the pre-test.

d. If the pre-test results indicate that the MI has corrected all deviations and errors, CDIC will conclude that the MI has met the requirements of and is in compliance with the DSR By-law for the purposes of premium classification for the 2015 premium year. The MI will nevertheless be required to provide a confirmation signed by an authorized signing officer of the MI - not later than 5 business days following CDIC’s notification of the pre-test results - that it has (i) conducted its own testing for purposes of the pre-test and that the extract provided as at <DATE of “as at” extract for pre-test> represents the current state of the MI’s system, and (ii) concluded that all deviations and errors have been resolved.

e. If deviations or errors are identified in the pre-test, the MI will have 30 days following CDIC’s notification of the pre-test results to correct all deviations and errors.

6. Final Test

a. Where deviations or errors have been identified in the pre-test, the MI will undergo a final test.

b. For purposes of the final test, the MI will, within 30 days following CDIC’s notification of the pre-test results:

I. Upload via SFTP to CDIC another de-identified full production data extract;

II. inform CDIC in writing that the required extract has been provided for purposes of the final test; and

III. provide a confirmation signed by an authorized signing officer of the member institution confirming that it has (i) conducted its own testing for purposes of the final test and that the extract provided as at <DATE of “as at” extract for the final test> represents the current state of the MI’s system and (ii) concluded that all deviations and errors have been resolved.

c. CDIC will conduct a final test of the MI’s de-identified full production data extract and will communicate the results within 5 business days of receipt of the above extract and confirmation.

d. If no deviations or errors are identified in the final test, CDIC will conclude that the MI has met the requirements of and is in compliance with the DSR By-law for the purposes of premium classification for the 2015 premium year.

e. If deviations or errors are identified in the final test, CDIC will conclude that the MI has not met the requirements of and therefore is not in compliance with the DSR By-law. The MI’s 2015 classification for differential premium purposes will be adjusted as detailed in the DP By-law.

f. Notwithstanding the foregoing, MIs should keep in mind that under the DSR By-law, CDIC may request a compliance test at any time.

Member institutions are reminded that additional guidance can be found in the Questions and Answers relating to the Data and System Requirements found on CDIC’s website www.cdic.ca.


Appendix A

Compliance 2015 - Creating Anonymous Data

Any standardized data extract transmitted to CDIC for compliance testing must be anonymous and must not contain any personally identifiable information.

MIs must ensure that data elements listed in the table below are masked², blanked out, or default values used before transmitting the data to CDIC. MIs must obtain CDIC’s consent if they want to mask any additional fields.

Table | Column Name            | Action Required
------|------------------------|---------------------------------------------------------------------------------------------------
0100  | Depositor_Unique_ID    | Primary Key - must be masked and any uniqueness maintained. Uniqueness must not be case sensitive.
0100  | Name_Prefix            | May Mask, Blank Out, or use Default Value
0100  | Name                   | May Mask, Blank Out, or use Default Value
0100  | First_Name             | May Mask, Blank Out, or use Default Value
0100  | Middle_Name            | May Mask, Blank Out, or use Default Value
0100  | Last_Name              | May Mask, Blank Out, or use Default Value
0100  | Name_Suffix            | May Mask, Blank Out, or use Default Value
0100  | Birth_Date             | Default Date - January 1st, 1950
0100  | Phone_1                | May Mask, Blank Out, or use Default Value
0100  | Phone_2                | May Mask, Blank Out, or use Default Value
0100  | Email                  | May Mask, Blank Out, or use Default Value
0110  | Depositor_Unique_ID    | Foreign Key - must be masked and relationships to table 0100 must be maintained
0110  | Identification_Number  | May Mask, Blank Out, or use Default Value
0120  | Depositor_Unique_ID    | Foreign Key - must be masked and relationships to table 0100 must be maintained
0120  | Address_1              | May Mask, Blank Out, or use Default Value
0120  | Address_2              | May Mask, Blank Out, or use Default Value
0120  | City                   | May Mask, Blank Out, or use Default Value
0120  | Province               | May Mask, Blank Out, or use Default Value
0120  | Postal_Code            | May Mask, Blank Out, or use Default Value
0120  | Country                | May Mask, Blank Out, or use Default Value
0130  | Account_Unique_ID      | Primary Key - must be masked and any uniqueness maintained. Uniqueness must not be case sensitive.
0130  | Account_Number         | Foreign Key - must be masked, and relationship to table 0600 must be maintained.
0130  | Registered_Plan_Number | May Mask, Blank Out, or use Default Value
0400  | Account_Unique_ID      | Foreign Key - must be masked, and relationships to table 0130 must be maintained
0500  | Depositor_Unique_ID    | Foreign Key - must be masked, and relationships to table 0100 must be maintained
0500  | Account_Unique_ID      | Foreign Key - must be masked, and relationships to table 0130 must be maintained
0600  | Account_Unique_ID      | Foreign Key - must be masked, and relationships to table 0130 must be maintained
0600  | Account_Number         | Foreign Key - must be masked, and relationship to table 0130 must be maintained.
0800  | Account_Unique_ID      | Foreign Key - must be masked, and relationships to table 0130 must be maintained
0900  | Account_Unique_ID      | Foreign Key - must be masked, and relationships to table 0130 must be maintained

² For the purpose of this document, masked means replacing the original value with a surrogate that cannot be reverse engineered back to the original value.
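As an added example (not part of the CDIC document), the following Python sketch applies the Appendix A rules to a constructed extract: identifier columns are replaced with keyed-hash surrogates so primary and foreign keys still line up across tables, Birth_Date is set to the default, the remaining personal columns are blanked, and a check confirms case-insensitive uniqueness, intact relationships and no leftover original values. The secret key, the row layout and the ISO date format are assumptions.

```python
import hashlib, hmac, secrets

# Keyed-hash secret generated and held by the MI; it is never sent to CDIC, so the
# recipient cannot recompute or reverse the surrogates (footnote 2 of Appendix A).
MASK_KEY = secrets.token_bytes(32)
DEFAULT_BIRTH_DATE = "1950-01-01"  # Appendix A default date; ISO layout is an assumption
KEY_COLUMNS = {"Depositor_Unique_ID", "Account_Unique_ID", "Account_Number"}  # surrogates
# Columns Appendix A allows to mask, blank out or default; this example blanks them.
BLANK_COLUMNS = {"Name_Prefix", "Name", "First_Name", "Middle_Name", "Last_Name",
                 "Name_Suffix", "Phone_1", "Phone_2", "Email", "Identification_Number",
                 "Address_1", "Address_2", "City", "Province", "Postal_Code", "Country",
                 "Registered_Plan_Number"}
# (child table, column, parent table) relationships that must survive masking.
RELATIONSHIPS = [("0110", "Depositor_Unique_ID", "0100"), ("0600", "Account_Unique_ID", "0130"),
                 ("0130", "Account_Number", "0600")]


def mask(value, key=MASK_KEY):
    """HMAC-SHA256 surrogate: same value and key give the same output in every table."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def deidentify_row(row, key=MASK_KEY):
    out = {}
    for col, val in row.items():
        if col in KEY_COLUMNS:
            out[col] = mask(val, key)
        elif col == "Birth_Date":
            out[col] = DEFAULT_BIRTH_DATE
        elif col in BLANK_COLUMNS:
            out[col] = ""
        else:
            out[col] = val  # balances, product codes etc. pass through unchanged
    return out


def deidentify_extract(extract, key=MASK_KEY):
    return {t: [deidentify_row(r, key) for r in rows] for t, rows in extract.items()}


def check_extract(original, masked):
    """Appendix A checks: keys unique case-insensitively, relationships intact, no PII left."""
    problems = []
    for table, pk in (("0100", "Depositor_Unique_ID"), ("0130", "Account_Unique_ID")):
        keys = [r[pk].lower() for r in masked.get(table, [])]
        if len(keys) != len(set(keys)):
            problems.append(f"{table}.{pk} not unique when compared case-insensitively")
    for child, col, parent in RELATIONSHIPS:
        parents = {r[col] for r in masked.get(parent, [])}
        for r in masked.get(child, []):
            if r[col] not in parents:
                problems.append(f"{child}.{col} no longer matches a row in {parent}")
    # Heuristic leak check: no original identifier or personal value may survive verbatim.
    pii = {v for rows in original.values() for r in rows
           for c, v in r.items() if v and c in KEY_COLUMNS | BLANK_COLUMNS}
    for table, rows in masked.items():
        for r in rows:
            problems += [f"{table}.{c} keeps an original value" for c, v in r.items() if v in pii]
    return problems


# Constructed sample extract (not real data); column names follow Appendix A.
SAMPLE = {
    "0100": [{"Depositor_Unique_ID": "D001", "First_Name": "Ann", "Last_Name": "Lee",
              "Birth_Date": "1978-03-09", "Phone_1": "613-555-0101", "Email": "ann@example.com"}],
    "0110": [{"Depositor_Unique_ID": "D001", "Identification_Number": "ID-123-456"}],
    "0130": [{"Account_Unique_ID": "A900", "Account_Number": "4400123"}],
    "0600": [{"Account_Unique_ID": "A900", "Account_Number": "4400123", "Balance": "15000.00"}],
}
```

Run `check_extract(SAMPLE, deidentify_extract(SAMPLE))` before transmitting; an empty list means the three Appendix A conditions hold for that extract.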


Appendix B

Secure File Transfer Protocol (SFTP)

Scope

CDIC will use SFTP as a means of receiving data extracts for DEP/Compliance testing. This document outlines how to connect to the CDIC SFTP server.

Note that our system does not support certificate authentication.

Process

1. CDIC will courier your username and password in separate courier packages.

a. Your folder on SFTP can only be accessed by entering the username and password provided by CDIC.

2. Upon your first log on, you will be required to change the password provided by CDIC.

a. Make note of your new password. Your new password must meet the following minimum requirements:

i. Contain at least one special character (e.g.: #, $, %, ^, &)

ii. Contain at least one capital letter

iii. Contain at least one lower case letter

iv. Contain at least one number

v. Be at least 8 characters long

vi. Cannot be a password you have used on CDIC’s SFTP system in the past.

vii. Note that the temporary password provided to you will have an expiry date of 90 days.

b. See Appendix I for instructions on how to change your password.
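As an added example (not from the CDIC document), a Python check of rules i to vi above that an MI can run on a candidate password before changing it on the SFTP site; the reuse rule is evaluated against a locally kept list of salted PBKDF2 digests of earlier passwords, so the old passwords themselves are never stored. The history format and the choice of `string.punctuation` as the set of special characters are assumptions.

```python
import hashlib
import hmac
import secrets
import string


def hash_password(password, salt):
    """Salted PBKDF2-SHA256 digest; only digests are kept in the local history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def remember(password):
    """Entry to append to the history after a successful password change."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


def password_problems(password, history=()):
    """Return the rules (i to vi) the candidate violates; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("v: fewer than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("ii: no capital letter")
    if not any(c.islower() for c in password):
        problems.append("iii: no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("iv: no number")
    if not any(c in string.punctuation for c in password):  # #, $, %, ^, & are the examples given
        problems.append("i: no special character")
    for salt, digest in history:  # constant-time compare against each earlier digest
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("vi: previously used on CDIC's SFTP system")
            break
    return problems
```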

SFTP Pre-requisites

In order to ensure you will be able to use SFTP and connect successfully to our SFTP site, you will need to work with your IT department to ensure the following steps have been performed:

1. Install and configure an SFTP Client of your choice.

a. Connecting to our SFTP site has been tested with FileZilla and PuTTY SFTP clients.

2. Open Port 22 (out bound only).

a. This port may be specifically opened to IP address 209.217.114.119.

3. Use your preferred SFTP software to connect to CDIC. Steps to connect may vary depending on the software you have installed, and how that software has been configured. Refer to Appendix II for an example on how to connect to CDIC’s SFTP server using FileZilla.

4. CDIC is not automatically notified when a file or document is posted. You must notify CDIC when the data extract files are uploaded to your secure folder. When you post files on CDIC’s SFTP server, please email [email protected].

Support

To notify CDIC of issues when transferring or receiving files using SFTP, please contact your Technical Support group, who in turn can contact the CDIC Service Desk at [email protected].


APPENDIX I

Password Change

Open Internet Explorer and browse to: https://sftp.cdic.ca

Enter your temporary username and password when prompted.

Enter the temporary password provided and enter a new password and confirmation and click OK.

Note: Please refer to password rules under Process when creating a new password.

Click OK to verify the password changed successfully.

The system will want you to log in again.

Click Logout and exit the browser.


APPENDIX II

SFTP using FileZilla

You or your administrator staff should have already configured the SFTP Client plug-in for your system. Launch FileZilla.

Enter Host (sftp://sftp.cdic.ca), Username, Password and port (22) as shown.

Click Quickconnect.

If this window appears, please ensure the Fingerprint in this document matches the one shown on your screen (If it does not, please contact Technical Support.).

Select “Always trust this host”.

Click OK.

Click and Drag files over as needed.

Once all files have been copied, click the disconnect Icon as shown when done.