
C. What are the key features of the internal controls covering operations and security at the SSS (e.g. change controls or those covering remote access)?

The CSDL pays special attention to the integrity and security of operations. The Services to Participants & Inspection Division of the CSDL is authorised to inspect the securities accounting systems of the SSS participants. The BoL monitors and inspects the SSS, as it is obliged to do pursuant to the Law on Settlement Finality in Payment and Securities Settlement Systems. The LSC, as mentioned earlier, has the right to inspect the CSDL with regard to legal compliance and the SSS's reliability and financial efficiency.

The CSDL has adopted the Instruction on Requirements for Safety of Accounting of Securities and Their Circulation, which establishes the principal technical and organisational requirements for the safety of accounting of book-entry securities, as well as the Procedure for the Liability and the Use of Confidential Information by the CSDL Employees. The Internal Auditor of the CSDL regularly provides audit reports on the activities of the CSDL, assessing the safety of operations. Operational risk management facilities are described in the Rules of the SSS.

1. Please describe controls or security procedures in place to ensure that the SSS acts only on authentic settlement instructions from valid participants.

The internal safeguards ensuring that the SSS acts only on authentic settlement instructions from valid participants are the following: a reliable system for the placement and verification of electronic messages, provision and identification of passwords, the procedure for data checking by means of a programme, as well as training of participants and their inspection.

The participants send securities settlement instructions through the interbank Payment system “LITAS”; the basic safeguards are ensured in compliance with ISO/IEC 17799 requirements. The settlement instruction structure is based on the ISO15022XML standard, and the instructions are transferred through the messaging subsystem (MSS).

A digital signature system is applied, which ensures the integrity of the document within the participants’ network, its incontrovertible nature and unambiguous identification of the signatory. In order to avoid illegal access and manipulation of information, the SSS is located in a separate segment of the local CSDL network (demilitarised zone), which is separated from the SSS participants and the Depository’s local network. Access to the zone is subject to authorization, surveillance and monitoring.

The standardized means of access of the participants to the Payment system “LITAS” is the participant access station (PAS), which ensures a secure interface with the participant’s information system.

The password (identification code), smart card and digital certificate are used for authentication of the SSS participants.

In order to avoid interception and disclosure of information, it is encrypted in the network of the Payment system “LITAS”. The network is not connected to the public Internet.

Other information, i.e. confirmation of transactions, is provided by the participants to the Depository through the Participants’ Secure Information Site (PSIS) managed by the Depository. Monitoring is available in the PSIS.

The CSDL provides the SSS participants with facilities ensuring data safety and authenticity for PSIS and for data transfer and receipt. These facilities are provided to the employees of the SSS participant, who have been authorised in writing to carry out operations with the electronic settlement instructions on behalf of the SSS participant concerned, who have been included in the list submitted to the CSDL, and who have appropriate qualification certificates issued or recognised as valid by the CSDL.

Only the correct combination of all the facilities ensuring safety and authenticity provides a possibility to place a settlement instruction with the CSDL and receive a CSDL information message.

The following facilities for ensuring data safety and authenticity are provided:

1) A unique identification code, assigned to identify the authorised employees of the account manager;

2) A password, which comprises a stable component and a dynamically changing unique sequence of numbers, available in an electronic SecurID card given to the account manager by the Central Depository;

3) A personal digital certificate;

4) Coding all the information transferred between the user and the server.

These facilities are sufficient for the identification of the supplier of data and protection of data from unauthorised use.

Upon the receipt of the settlement instruction, the CSDL immediately provides information concerning the settlement instruction received, including the date and time of its receipt, in the PSIS. An account manager may get information only on the settlement instructions that have been placed in his own name.

The presence of the above-mentioned information in the PSIS is a direct proof that the CSDL has received the settlement instruction concerned.

Having checked the participant’s instruction, the SSS sends back the result of the checking in real time.

The participants are informed about the concluded securities transfers also in real time.

2. Are internal operational and security controls included in the internal and/or external audits of the SSS?

The internal operational and security controls of the CSDL are included in both the external and internal audits.

3. Are internal operational and security controls covered by regulatory requirements applicable to the SSS?

The internal operational and security controls of the CSDL are covered by regulatory requirements set by the LSC and CSDL applicable to the SSS and its participants.

D. Does the SSS impose minimum operational or performance standards on third parties (e.g. communications providers)?

The CSDL does not impose any operational or performance standards on third parties (e.g. communication providers).

The organizational structure of the Central Securities Depository of Lithuania is attached.

APPROVED BY: The Board meeting of the Central Securities Depository of Lithuania, plc., October 29, 2004, Minutes No. 6

Organizational structure of the Central Securities Depository of Lithuania, plc.

General Meeting of Shareholders

Board

President

Vice-President

Securities & Cash Accounting & Settlement Division

Services to Participants & Inspection Division

Information Technologies Division

Attorney’s at Law Office

External Auditor

Advisor for Operations & Internal Audit

Bookkeeping & Personnel Division

Annex 2

APPROVED BY:

President of Central Securities Depository of Lithuania on December 23, 2008

ORDER NO 48

THE OPERATION TIME SCHEDULE OF THE CENTRAL SECURITIES DEPOSITORY OF
