mobile search


CCASS/3 is the Central Clearing And Settlement System implemented by Hong Kong Exchanges and Clearing Limited (HKEX). It is built on an open, robust, secure and flexible modularised architecture with full fledged services that meets the business needs of market participants. It is designed to provide efficient and dynamic clearing and settlement by adhering to international standards for securities messages and providing interactive communication with market participants through a standard message-based application programming interface.

CCASS Overview1

CCASS/3 Host is the database server for keeping the CCASS operation data to support batch processing.

The middle-tier between participant terminals and CCASS/3 Host supports access methods, such as web interface and Application Program Interface (API). Security servers and Lightweight Directory Access Protocol (LDAP) servers are employed to provide a centralised authentication and authorisation service for controlling participant access.

The Securities and Derivatives Network (SDNet) is a robust and high efficiency closed user group network based on Optical Ethernet technology. It adopts the TCP/IP protocols with high security protection by means of firewall and intrusion detection system.

Participants can access the CCASS/3 system through two channels:

- CCASS/3 Terminal
- Participant Gateway

CCASS/3 Terminal

Participants can access CCASS/3 through a browser-based terminal, the CCASS/3 Terminal (C3T), which uses market standard Internet technology. Any PC running HKEX supported versions of Microsoft Windows, Internet Explorer and Java Runtime Environment is able to access all CCASS functions. All participant functions will be provided with an HTML (windows) based presentation. This standard graphical user interface will provide a user-friendly interface and will reduce training needs for participants.

Participant Gateway

Participant Gateway (PG) is a technical device to provide an access point through which a Participant Supplied System (PSS) can access CCASS/3.

In order to reduce the development efforts of participants, Java-based application programming interfaces are provided to participants’ PSS to communicate with CCASS/3 through the PG. The application program is a custom-built Java library that will assist the connection and handle all the subsequent message interactions between participants’ back office system and CCASS/3 Host.

Hypertext Transfer Protocol Secure (HTTPS) is used for communication between PG and CCASS/3 middle tier. Socket is the communication method between PG and PSS. The message format follows the industrial standards ISO 15022.

Network Communication Layer

The SDNet will ensure the reliable transmission of input between the user device and the host. The network will control the transmission of all information within the CCASS/3 system and will help to achieve the shortest possible response time even at the highest data through-put rates, ensuring fast and efficient clearing and settlement services at all times.

Security Measures

Security is a primary concern in the system design of CCASS/3. The following security measures are employed in CCASS/3 to ensure confidentiality and security:

Pre-defined User Group Authority
All participant functions are grouped into a member of user groups. The availability of user groups for participants is pre-defined by the system. CCASS/3 allows the delegation of administrative privileges to organisational administrators, allowing them to manage user privileges and benefits within their organisations.

CCASS/3 Terminal Level
Access to the CCASS/3 Terminal is authenticated by a smartcard as the security token using digital certificate X.509 format.

Message Level
Encryption is implemented through standard browser functions, using 128-bit Secure Sockets Layer (SSL) key to prevent transactions from being exposed to eavesdropping, tampering or message forgery risks.

Participant Gateway Level
As with the CCASS/3 Terminal and message level of security, access to PG is also authenticated by smartcard and all data exchange between the PG and CCASS/3 Host are encrypted using 128-bits SSL keys.

Network Level
Firewalls, routers and intrusion detection devices are used to protect the CCASS/3 network from unauthorised access through the public internet.

Updated 20 Apr 2020