© NYSE Blue. All Rights Reserved.

NYSE Blue Security Concerns for Offset Registries

July 26, 2011

Security Framework for an Offset Program

Registry Technology

Know Your Client Procedures

Program Legal & Operational Rules

Training on User Best Practices

Registry Technology

Encrypted connection (HTTPS)

Disable user ID upon 3 incorrect logins

Ongoing vulnerability testing for registry

Later this year, introduction of two-factor authentication

Know Your Client Procedures

Identify clients and ascertain relevant information about their businesses

• Request copies of documents confirming identity of legal entity organization documents, memorandum of incorporation, bank accounts, utility bills

• Become familiar with the principals and ask for identification documents such as drivers license, passports, and birth certificates

• Review marketing materials and business plan

Perform OFAC / AML checks to ensure entities not found on Terrorist Watch lists.

Monitor activity to ensure it matches the company profile

Program Legal & Operational Rules

• Omnibus accounts– Only a regulated entity can maintain an omnibus account (and these regulated

entities must show proof of proper KYC procedures)– Certain unregulated entities can be given the ability to maintain omnibus

accounts

• Retirement of credits in omnibus accounts– Retirement of greater than 99 credits on behalf of a client must be done in an

specific client sub-account– Retirement of greater than 99k credits on behalf of a client must be made public

Registry User Best Practices

Use latest anti-virus protection programs

Update contact information for users/logins to their account

Users should not access The Reserve from public locations where others could capture their confidential information.

Diligent monitoring of account activity

Perform weekly/monthly account reviews to ensure data is correct

Users should pay close attention to the registry notifications for transfer confirmations.