DTCC Robotic Processing Application Guidelines
DTCC’s brand promise is to stand at the forefront of innovation to mitigate risk, create market efficiencies and reduce costs. As part of our continued efforts to fulfill that promise, DTCC has been exploring standard practices that support the safe and effective use of Robotic Processing Applications (RPAs) to interact with our user interfaces (RPA is a software tool that mimic human interaction within a user interface by creating “bots” or programs which perform the everyday tasks performed manually by workers). The below provides guidance to Clients that are currently using or are considering pursuing the use of this technology.
- Digital workers must be registered with DTCC and where technically feasible, have discernable naming conventions that distinguish digital workers from staff workers;
- Each digital worker must be assigned an accountable person who, in the event of an outage or other abnormal operation, can perform the responsibilities of reporting and responding to events or inquiries;
- Contact information for the accountable person shall be updated and kept current with DTCC;
Access and Re-certification
- Robotics and other digital workers should be recertified in the same manner and timeframe as staff workers;
- IDs used by Robotics and other digital users must conform to the same security policies including password complexity and credentials expiration policies and follow/comply with DTCC’s acceptable use standards;
- Robotics or other digital workers should process transactions per second (throughput) not to exceed a) 1.5X (150%) from that of an average staff worker in any 24-hour period, nor b) process 2X (200%) the transactions per second (throughput) from that of an average staff worker in any 5-minute period;
- Robotics or other digital workers processing or transactions should be limited during the times of 1500-1900 (3PM to 7PM ET) not to exceed 1X (100%) of the speed of an average staff worker;
- Robotic processes should be designed and implemented to handle errors or exceptions appropriately to assure the integrity of the processes, including where appropriate manual intervention by responsible staff. In certain cases robotic processes should be terminated upon error or exception, and on such cases disabled or set aside until the exception can be resolved by the appropriate responsible staff;
Risk Management and Controls
- All Robotic processes should be monitored by the firm in accordance with it systems monitoring policies and practices, and all activities performed by RPA bots logged in a secure facility to support incident and problem response and the firm's and regulatory audit requirements in the relevant jurisdictions;
- Robotics and other digital worker processes, where technically feasible, should be quality tested to validate functional correctness and performance tested to verify the controls pertaining to processing speed, transaction load, time of day processing and exception management;
Disaster Recovery, Business Continuity and Access Termination
- Firms should have DR and BCP plans in place and conduct periodic recovery testing specific to RPA operations in accordance with the firms' resiliency policies and regulatory requirements to assure that business operations can be conducted and completed as needed in the event that the RPA systems fail;
- In the event that a digital worker places undue activity or burden on any DTCC system, DTCC may terminate access or connectivity to any user or source address, or any group of users or source addresses, as may be needed to restore or maintain Production operations;
- DTCC may enhance or otherwise modify its user interface applications without consultation with such firms or reference to the use of RPA, and that such changes to the UIs may affect the operation of RPA bots.
- Any exception to the above guidelines should be address to DTCC Relationship Management or the Client Support Center.