Our approach to Gate 2 assessment
The Bank’s Gate 2 assessment is designed to be proportionate and risk-based. In our review of entrants’ Gate 2 applications, we will focus our assurance work on the following key risks:
- Breaches to firm-specific DSS limits – limits are the main mitigant against financial stability risks in the DSS. Breaches could arise from a lack of effective governance and/or controls (including technology controls).
- Cyber contagion – the Bank will require assurance that cyber risks will not be introduced to the rest of the financial system due to weaknesses in sandbox entrants’ cyber security capabilities. This includes spreading contagion to participants of DSDs and other FMIs, eg through business emails (ie so-called phishing attacks).
- Significant asset losses – loss of assets may impact market integrity and/or confidence in the DSS. This risk could crystallise through data corruption, theft of assets or weak controls around the segregation of assets.
Sandbox entrants will have to demonstrate that these risks can be managed during normal business operations, under stress and in the event of wind-down. The Bank will carefully review entrants’ wind-down plans to ensure that this is the case.
What documents must sandbox entrants submit to the Bank when making a Gate 2 application as a standalone DSD?
The three documents that the Bank asks firms to provide at the outset of Gate 2 application process are the Gate 2 Questionnaire, DSS Cyber Resilience Questionnaire (CQUEST) Self-Assessment, and Self-Attestation template. The Bank will not start reviewing an entrant’s application until all of these have been submitted.
Please note, these documents are designed for firms applying as standalone DSDs.
Gate 2 questionnaire
Entrants are required to complete the Gate 2 questionnaire to provide the Bank with an overview of their business and operating models, including the risks that they involve. This questionnaire is designed to help the Bank understand entrants’ approach to managing risks, including those relating to developing technologies.
DSS Cyber resilience questionnaire (CQUEST) self-assessment
Alongside the Gate 2 questionnaire, firms are required to complete and submit the DSS CQUEST self-assessment. The general CQUEST is used by the Bank, PRA and FCA to help assess cyber risk and resilience across the financial sector.
We have produced this modified version of the CQUEST for the DSS to ensure that it can be used by sandbox entrants. We have provided supporting notes to help firms complete the CQUEST which includes guidance on how to reflect DLT-based operating models in CQUEST responses. Firms are required to provide a rationale for each of their responses in the DSS CQUEST.
Self-attestation
Entrants are required to complete a line-by-line self-attestation against the DSS Gate 2 Rules, providing a brief explanation on how they meet each rule. This will help the Bank assess the entrant’s compliance with the DSS Gate 2 rules. Please note that this focuses on certain rules relevant at Gate 2 and is not an exhaustive list of all the rules and requirements that sandbox entrants will be subject to after passing Gate 2.
A self-attestation template is provided for firms. If entrants are not fully compliant with the Bank’s DSS Gate 2 Rules at the time of initial submission, they may indicate any areas where compliance is pending and outline the actions they plan to take to achieve full compliance. A final self-attestation confirming full compliance will be required before an entrant can pass through Gate 2.
Once the final attestation is complete, entrants must submit a cover letter signed by their CEO and, where applicable1, the Chair of the Board. This cover letter must confirm their approval of the compliance analysis and that the firm adheres to all applicable rules and requirements under the DSS.
We are not requiring entrants to submit supporting documentation as evidence of rule compliance at Gate 2. However, the Bank may request such documentation after reviewing responses, including during the Gate 2 assessment, and after an entrant has passed Gate 2, where necessary using the Bank’s information gathering powers under the DSS Regulations.
What will the Gate 2 assessment process involve?
Targeted follow-up engagement
After reviewing the Gate 2 questionnaire, DSS CQUEST self-assessment, and self-attestation, the Bank will hold targeted follow-up discussions with entrants and may ask for further information to be submitted based on the entrant’s responses. This should involve key personnel and subject matter experts to help the Bank gain assurance that the entrant has appropriately considered and mitigated key risks within the DSS, as outlined in the DSS Guidance.
Timeline for Gate 2 assessment
The Bank aims to make a decision on DSD applications within four months of their receipt. This is dependent on entrants submitting a high-quality, well-considered application and maintaining timely and open communication with the Bank throughout the assessment process.
Please note that incomplete or low-quality applications, or delays in providing requested information, are likely to result in longer assessment timeframes. We will update this webpage with further details in due course.
Other considerations for firms
We encourage firms to closely review the relevant requirements and guidance for the activities, including ancillary services, they plan to undertake in the DSS before applying to Gate 2. Firms should carefully consider whether the scope of their proposed activities may require additional regulatory permissions, such as those under Part 4A of the Financial Services and Markets Act 2000. Failure to do so may extend the timeframe for processing the Gate 2 application.
Similarly, where firms intend to apply for settlement finality designation under the Settlement Finality Regulation (SFR), this should be sought alongside the Gate 2 application process. Sufficient time should be allotted by entrants to complete both application processes, particularly where firms seek to be designated under the SFR ahead of going live in the DSS.
Required documents
Once firms have passed Gate 1, the Bank will provide instructions on how to submit these required documents as part of the Gate 2 application process.
Upcoming guidance for hybrid entities
We will update this page in the coming months with materials for entrants applying as hybrid entities, ie those that combine trading activity with settlement, notary, or maintenance activity. These will be aimed at reducing the regulatory burden for hybrid entrants which are applying in parallel for trading venue permissions from the FCA. The Bank will look to leverage some of the material provided through that application.
In the meantime, hybrid entities should refer to the FCA’s website to apply for authorisation to operate a trading venue and should still find the below required documents for DSD applicants at Gate 2 informative regarding the Bank’s priorities during the Gate 2 assessment process. These priorities will remain the same for hybrid entities.
1 - We recognise that some entrants may not have a Chair in place at Gate 2.
Webinar
On Friday 31 January 2025 at 11am to 12pm regulators will host a webinar to provide an overview of the application process for Gate 2 of the DSS. The webinar is aimed at firms considering applying to enter Gate 2 of the DSS.
The content will primarily cover the application forms for DSD only applications. However, we consider this event may also be useful for firms considering a hybrid application, potential applicants to the DSS, their advisors, and relevant industry bodies, who would like more clarity on the overall application process to gain authorisation to conduct live activity within the DSS (Gate 2 entry approval).
See further details and how to register for the event.
This page was last updated 07 January 2025