DS-information DS/CWA 16745:2014 1. udgave 2014-04-22 Forbedring af gennemsigtigheden i finansiel og forretningsmæssig rapportering Container til metadata Improving transparency in financial and business reporting Metadata container
DS/CWA 16745:2014 København DS projekt: M286282 ICS: 35.240.40; 35.240.60 Første del af denne publikations betegnelse er: DS/CWA, hvilket betyder, at det er en europæisk CEN Workshop Agreement (CWA). Denne publikations overensstemmelse er: IDT med: CWA 16745:2014. DS-publikationen er på engelsk. DS-publikationstyper Dansk Standard udgiver forskellige publikationstyper. Typen på denne publikation fremgår af forsiden. Der kan være tale om: Dansk standard standard, der er udarbejdet på nationalt niveau, eller som er baseret på et andet lands nationale standard, eller standard, der er udarbejdet på internationalt og/eller europæisk niveau, og som har fået status som dansk standard DS-information publikation, der er udarbejdet på nationalt niveau, og som ikke har opnået status som standard, eller publikation, der er udarbejdet på internationalt og/eller europæisk niveau, og som ikke har fået status som standard, fx en teknisk rapport, eller europæisk præstandard DS-håndbog samling af standarder, eventuelt suppleret med informativt materiale DS-hæfte publikation med informativt materiale Til disse publikationstyper kan endvidere udgives tillæg og rettelsesblade DS-publikationsform Publikationstyperne udgives i forskellig form som henholdsvis fuldtekstpublikation (publikationen er trykt i sin helhed) godkendelsesblad (publikationen leveres i kopi med et trykt DS-omslag) elektronisk (publikationen leveres på et elektronisk medie) DS-betegnelse Alle DS-publikationers betegnelse begynder med DS efterfulgt af et eller flere præfikser og et nr., fx DS 383, DS/EN 5414 osv. Hvis der efter nr. er angivet et A eller Cor, betyder det, enten at det er et tillæg eller et rettelsesblad til hovedstandarden, eller at det er indført i hovedstandarden. DS-betegnelse angives på forsiden. Overensstemmelse med anden publikation: Overensstemmelse kan enten være IDT, EQV, NEQ eller MOD IDT: Når publikationen er identisk med en given publikation. EQV: Når publikationen teknisk er i overensstemmelse med en given publikation, men præsentationen er ændret. NEQ: Når publikationen teknisk eller præsentationsmæssigt ikke er i overensstemmelse med en given standard, men udarbejdet på baggrund af denne. MOD: Når publikationen er modificeret i forhold til en given publikation.
CEN WORKSHOP CWA 16745 April 2014 AGREEMENT ICS 35.240.40; 35.240.60 English version Improving transparency in financial and business reporting - Metadata container This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties, the constitution of which is indicated in the foreword of this Workshop Agreement. The formal process followed by the Workshop in the development of this Workshop Agreement has been endorsed by the National Members of CEN but neither the National Members of CEN nor the CEN-CENELEC Management Centre can be held accountable for the technical content of this CEN Workshop Agreement or possible conflicts with standards or legislation. This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its Members. This CEN Workshop Agreement is publicly available as a reference document from the CEN Members National Standard Bodies. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMITÉ EUROPÉEN DE NORMALISATION EUROPÄISCHES KOMITEE FÜR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No.:CWA 16745:2014 E
Contents Foreword...4 Introduction... 6 1 Scope...7 2 Normative references...8 3 Terms and definitions...8 4 Files in containers...9 4.1 Introduction...9 4.2 Data files...9 4.3 Container control files... 10 4.3.1 Introduction... 10 4.3.2 Header file... 10 4.3.3 Container feedback files... 10 4.3.4 Instance feedback files... 10 4.4 ZIP compressed file... 10 4.5 Secured files... 10 4.5.1 Introduction... 10 4.5.2 Encrypted file... 10 4.5.3 Signed file... 10 4.6 File naming conventions... 10 4.6.1 Introduction... 10 4.6.2 Reserved file names... 11 4.6.3 Instance feedback file name... 11 4.6.4 Reserved file name suffixes... 11 4.6.5 Reserved extended suffixes... 11 5 Container... 11 5.1 Introduction... 11 5.2 Submission container... 12 5.3 Response container... 12 6 Primitive functions... 14 6.1 Introduction... 14 6.2 Compression functions... 14 6.2.1 General... 14 6.2.2 Creating a ZIP compressed file... 14 6.2.3 Expanding a ZIP compressed file... 15 6.3 Security functions... 15 6.3.1 General... 15 6.3.2 Encrypting a file... 15 6.3.3 File name changes upon encryption... 16 6.3.4 Decrypting a file... 17 6.3.5 Signing a file... 17 6.3.6 Requirements... 17 6.3.7 Electronic signature to use... 17 6.3.8 File name changes upon signature... 18 6.3.9 Validating and extracting a signed file... 19 6.4 Creating a submission container... 19 6.4.1 General... 19 6.4.2 Header schema structure... 19 6.4.3 Predefined standard use-cases of ExtendedHeader schema... 21 Page 2
6.4.4 Creating a specific ExtendedHeader schema... 22 6.4.5 Creating a header file... 22 6.5 Creating a response container... 23 6.5.1 General... 23 6.5.2 Creating a container feedback file... 23 6.5.3 Creating Instance feedback (Validation, usually only for XBRL)... 23 7 Exchange model... 23 7.1 Introduction... 23 7.2 Phase 1: the sender creates a submission container, applies all security mechanisms required and transmits it to the receiver... 23 7.3 Phase 2: the receiver processes the security layer(s) on the container and all the files within 7.4 Phase 3: receiver generates a positive / negative acknowledgement for the reception of the submission container... 24 7.5 Phase 4: the receiver processes the contents of the container... 25 7.6 Phase 5 (optional): the receiver returns the validation result of the data files in the response container... 25 Annex A (normative) Items that shall be defined in the instructions... 26 A.1 Introduction... 26 A.2 Container structure... 26 A.3 Header... 26 A.4 Lists of codes accepted... 28 Annex B (informative) Supplementary items that may be useful in the instructions... 29 Annex C (informative) Explanations on header schema... 30 Annex D (informative) Documentation of the container feedback schema... 38 Annex E (informative) Documentation of the instance feedback schema... 41 Annex F (informative) Guidelines on how to extend the basic header... 44 Annex G (informative) Use cases for this CWA... 45 G.1 Reporting entity to supervisor (1st level)... 45 G.2 Reporting entity to National Supervision Authority (NSA) to European Supervision Authority (ESA) (1st and 2nd level)... 45 G.2.1 General... 45 G.2.2 2-layer submission process with forwarding of information... 45 G.2.3 2-layer submission process with repackaging or regeneration... 46 Bibliography... 47 3
Foreword This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties on 2013-12-11, the constitution of which was supported by CEN following the public call for participation made on 2012-04-19. The individuals and organizations which supported the technical consensus represented by the CEN Workshop Agreement are: Name Aftab Ahmad Aitor Azcoaga Andreas Weller Anna-Maria Weber Anne Leslie-Bini Bartosz Ochocki Carlos Fernández Pazos Daniel Balsa Daniel Eidelman Derek De Brandt Eduardo Alejandro González Blanco Elina Koskentalo Emile Bartole ERIC JARRY Eugeniusz Tomaszewski Herm Fischer Hugh Wallis Ignacio Boixo Ignacio Santos Istvan Fabian Javi Mora Gonzálbez Jeff Smith John Dill Jürgen Diehl Katrin Schmehl Lourdes Martínez Sánchez-Redondo Maarten Peelen Maciej Piechocki Maria Mora Mark Creemers Martin DeVille Masatomo Goto Michal Piechocki Michał Skopowski Moira Lorenzo Varela Pablo Navarro Paul Snijders Paul van der Ark Pierre HAMON Organization Finanstilsynet (The Financial Supervisory Authority Of Norway) European Insurance and Occupational Pensions Authority (EIOPA) European Banking Authority Deutsche Bundesbank Invoke Business Reporting - Advisory Group Consulting Spain XBRL EUROPE Gonblan Consultores, S.L.P. TIEKE CSSF BANQUE DE FRANCE FQS Poland Sp. z o.o., Fujitsu Group Mark V Systems Limited IBM Canada Banco de España Banco de España Central bank of Hungary XBRL Spain HM Revenue & Customs The Bermuda Monetary Authority Deutsche Bundesbank Deutsche Bundesbank NEN BearingPoint CDP National Bank of Belgium UBPartner Fujitsu Business Reporting Advisory Group Business Reporting Advisory Group Semansys Technologies BV ECB Etxetera, XBRL France 4
Pieter Maillard Piotr MADZIAR Piotr Malczak Roland Homes Slawomir Skrzypek Thierry Declerck Thomas VERDIN Tom Staneke Vasilis Dimopoulos Venkatasubramani Sambandan Victoria Morante de Dios Wouter Braem Aguilonius European Commission GPM SYSTEMY sp. Rhocon Fujitsu DFKI GmbH THEIA Partners De Nederlandsche Bank Central Bank of Cyprus Deloitte Netherlands National Bank of Belgium This CWA is one of a series of related deliverables. The following deliverables have been produced in this series: CWA 16744 consists of the following parts, under the general title Improving transparency in financial and business reporting Harmonisation topics: Part 1: European Data Point Methodology for supervisory reporting. Part 2: Guidelines for Data Point Modelling Part 3: European XBRL Taxonomy Architecture Part 4: European Filing Rules Part 5: Mapping between DPM and MDM CWA 16745, Improving transparency in financial and business reporting Metadata container CWA 16746-1, Improving transparency in financial and business reporting Standard regulatory roll-out package for better adoption Part 1: XBRL Supervisory Roll-out Guide CWA 16746-2, Improving transparency in financial and business reporting Standard regulatory roll-out package for better adoption Part 2: XBRL Handbook for Declarers The formal process followed by the Workshop in the development of the CEN Workshop Agreement has been endorsed by the National Members of CEN but neither the National Members of CEN nor the CEN-CENELEC Management Centre can be held accountable for the technical content of the CEN Workshop Agreement or possible conflict with standards or legislation. This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its members. The final review/endorsement for this CWA was started on 2013-07-05 and was successfully closed on 2013-10-05. The final text of this CWA was submitted to CEN for publication on 2013-03-05. Comments or suggestions from the users of the CEN Workshop Agreement are welcome and should be addressed to the CEN-CENELEC Management Centre. 5
Introduction This CWA specifies a standard security envelope and an approach to integrate metadata usable for the European supervision authorities in order to receive reporting data in a standardised way. This standard has been elaborated over the years 2012 and 2013 and has been reviewed in a public consultation in the third quarter of 2013. 6
1 Scope The purpose of this CWA is to propose a standard for submitting data instances to financial regulators in accordance with the clause describing this CWA in the business plan [26]: ""Metadata container" to wrap a submitted XBRL instance document and compliance test. Provide a standard Metadata Container to enable XBRL sourcing, with in addition necessary compliance tools to enable all stakeholders to test and ensure full adherence to the technical standards. Metadata such as sender of the document, contact details, date and time of submission, version, digital signature, etc.. are not included in the taxonomies, because they really don't belong to the data model. On the other hand, and often for legal reasons, these data are required by national regulators. As a consequence, a variety of national protocols has been engineered, which complicates the life of cross-border institutions, but also prohibit the possibility to create a harmonized European collection system. Metadata are needed as well for financial reporting as for company legal and economical data. For the digital signature, existing solutions from the Business Registers, who have a deep expertise of the topic, may be generalized. In order to ensure compliance with the protocol, this project will deliver online tools for all stakeholders to use and to test compliance with the complete set (metadata container and XBRL instance document. This CWA will provide standard protocols and mechanisms for digital signature, administrative data such as identification of submitter, feedback parameters, versioning of subsequent submissions and encryption, as well as online collaborative tools to ensure compliance." This document specifies: a submission container structure to enable financial institutions to submit their regulatory reporting to the respective regulators in a standardised way; a metadata information structure (called «Header») that is part of the submission container structure; an adequate negative (or positive) acknowledgement to be returned by the regulator to indicate if the submission container was well received by the regulator (or not); a response container structure to allow the regulator to return content-related error messages for the data instances in case errors occurred during any validation phase. The main targeted authorities are the EBA (European Banking Authority) and EIOPA (European Insurance and Occupational Pensions Authority) as well as their related national supervision agencies, but the standard may also be used by other regulators. All container structures defined allow the packaging and securisation of data in a uniform way, which should lead to a greater transparency and interoperability between the declaring entities and the national and the European supervisory authorities. In the course of the specification process, supplementary requirements were added by stakeholders or authorities concerned, among which: The scope of the data instances to be supported has been extended from pure XBRL instances to any type of structured data instances, including XML, CSV, etc.; The possibility of a 2-layer (or even multi-layer) submission process: some data instances are to be processed by the receiving authority itself (e.g. a national authority), others may be forwarded to a subsequent authority (e.g. a European one); The possibility of using the structures of the present CWA in a secure environment i.e. an environment that has its own signature and/or encryption facilities; The possibility of adding non-standard metadata if required (extensibility of the metadata header). 7
An important development approach for this CWA is to be flexible enough to support many different uses in different environments. For this reason some aspects (e.g. types of identifiers for financial institutions) could not be fixed by this standard and they shall be determined for every specific use of this standard via complementary instructions. The present specification only defines the structures for the container itself, it does not define any transport aspects; the submission of a container may thus be freely combined with any type of transport protocol (submission via e-mail, (s)ftp, web portal, web services, ) in accordance with the local requirements. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 reporting entity entity submitted to financial reporting and legally responsible for it Note 1 to entry: (in many cases it uses internal resources to play the role of Content Producer and Technical Sender too). Also known as 'Declarer', 'Sender', '<ReportingEntity>'. Note 2 to entry: An authority may also play the role of a reporting entity, e.g. when a national authority is providing data to a subsequent European authority as level-2 reporting. 3.2 technical sender (potential) sub-contractor in charge of physically sending the data in respect of the present CWA (aware of containers, encryption, etc.) Note 1 to entry: Also known as '<TechnicalSender>'. 3.3 content producer (potential) sub-contractor in charge of the production of the content of the reporting and responsible for the accuracy of the content Note 1 to entry: Also known as '<ContentProducer>'. 3.4 receiver entity receiving reported data; also known as 'Authority' or 'Regulator' or 'Supervisor 3.5 security envelope XML structures surrounding the.zip file(s) after encryption and / or signature phase in accordance with the present CWA 3.6 negative acknowledge information to the sender that the submission container could not be accepted because of error conditions (usually an instance of the «ContainerFeedback» schema with the tag <ContainerValidationFlag> having the value false 8