[Federal Register Volume 82, Number 155 (Monday, August 14, 2017)]
[Notices]
[Pages 37942-37946]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-17043]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-81338; File Nos. SR-DTC-2017-014; SR-FICC-2017-017; SR-
NSCC-2017-013]


Self-Regulatory Organizations; The Depository Trust Company; 
Fixed Income Clearing Corporation; National Securities Clearing 
Corporation; Notice of Filings of Proposed Rule Changes To Adopt the 
Clearing Agency Operational Risk Management Framework

DATE: August 8, 2017.
    Pursuant to Section 19(b)(1) of the Securities Exchange Act of 
1934, as amended (``Act'') \1\ and Rule 19b-4 thereunder,\2\ notice is 
hereby given that on July 25, 2017, The Depository Trust Company 
(``DTC''), Fixed Income Clearing Corporation (``FICC''), and National 
Securities Clearing Corporation (``NSCC,'' and together with DTC and 
FICC, the ``Clearing Agencies'') filed with the Securities and Exchange 
Commission (``Commission'') the proposed rule changes as described in 
Items I and II below, which Items have been prepared primarily by the 
Clearing Agencies. The Commission is publishing this notice to solicit 
comments on the proposed rule changes from interested persons.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
---------------------------------------------------------------------------

I. Clearing Agencies' Statement of the Terms of Substance of the 
Proposed Rule Changes

    The proposed rule changes would adopt the Clearing Agency 
Operational Risk Management Framework (``Framework'') of the Clearing 
Agencies, described below. The Framework would apply to both of FICC's 
divisions, the Government Securities Division (``GSD'') and the 
Mortgage-Backed Securities Division (``MBSD''). The Framework would be 
maintained by the Clearing Agencies to support their compliance with 
Rule 17Ad-22(e)(17) under the Act, as described below.\3\
---------------------------------------------------------------------------

    \3\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

    Although the Clearing Agencies would consider the Framework to be a 
rule, the proposed rule changes do not require any changes to the 
Rules, By-laws and Organization Certificate of DTC (``DTC Rules''), the 
Rulebook of GSD (``GSD Rules''), the Clearing Rules of MBSD (``MBSD 
Rules''), or the Rules & Procedures of NSCC (``NSCC Rules''), as the 
Framework would be a standalone document.\4\
---------------------------------------------------------------------------

    \4\ Capitalized terms not defined herein are defined in the DTC 
Rules, GSD Rules, MBSD Rules, or NSCC Rules, as applicable, 
available at http://dtcc.com/legal/rules-and-procedures.

---------------------------------------------------------------------------

[[Page 37943]]

II. Clearing Agencies' Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Changes

    In their filings with the Commission, the Clearing Agencies 
included statements concerning the purpose of and basis for the 
proposed rule changes and discussed any comments they received on the 
proposed rule changes. The text of these statements may be examined at 
the places specified in Item IV below. The Clearing Agencies have 
prepared summaries, set forth in sections A, B, and C below, of the 
most significant aspects of such statements.

(A) Clearing Agencies' Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Changes

1. Purpose
    The Clearing Agencies are proposing to adopt the Framework, which 
would describe the manner in which each of the Clearing Agencies 
manages operational risk, which is defined by the Clearing Agencies in 
the Framework as the risk of direct or indirect loss or reputational 
harm resulting from an event, internal or external, that is the result 
of inadequate or failed processes, people, and systems (``Operational 
Risk''). As described in more detail below, the Framework would set 
forth the manner in which the Clearing Agencies (1) generally manage 
Operational Risk; (2) more specifically manage their information 
technology risks; and (3) more specifically manage their business 
continuity risks. The processes and systems described in the Framework, 
and any policies, procedures or other documents created to support 
those processes, support the Clearing Agencies' compliance with the 
requirements of Rule 17Ad-22(e)(17).\5\ The Framework would be 
maintained by the DTCC Operational Risk Management group (``ORM''), on 
behalf of the Clearing Agencies.\6\
---------------------------------------------------------------------------

    \5\ 17 CFR 240.17Ad-22(e)(17).
    \6\ The parent company of the Clearing Agencies is The 
Depository Trust & Clearing Corporation (``DTCC''). DTCC operates on 
a shared services model with respect to the Clearing Agencies. Most 
corporate functions are established and managed on an enterprise-
wide basis pursuant to intercompany agreements under which it is 
generally DTCC that provides a relevant service to a Clearing 
Agency.
---------------------------------------------------------------------------

Operational Risk Management
    The Framework would describe how the Clearing Agencies generally 
manage their Operational Risks. The Framework would describe how ORM is 
specifically charged with establishing appropriate systems, policies, 
procedures, and controls to enable management to identify plausible 
sources of Operational Risk in order to mitigate their impact to the 
Clearing Agencies, including through the Risk Tolerance Statements and 
Risk Profiles, as described below.
    The Framework would describe how the Clearing Agencies identify key 
risks and set metrics to categorize such risks (from ``no impact'' to 
``severe impact'') through ``Risk Tolerance Statements.'' The Framework 
would describe how the Risk Tolerance Statements document the overall 
risk reduction or mitigation objectives for the Clearing Agencies with 
respect to identified risks to the Clearing Agencies. The Framework 
would also describe how the Risk Tolerance Statements document the risk 
controls and other measures used to manage such identified risks, 
including escalation requirements in the event of risk metric breaches. 
The Framework would state that each Risk Tolerance Statement is 
reviewed, revised, updated, and/or created, as necessary, by ORM on an 
annual basis.
    The Framework would also describe how the Clearing Agencies monitor 
key risks, including Operational Risk, through ``Risk Profiles,'' which 
document the assessment of risk for each of the Clearing Agencies' 
businesses and support areas (each a ``Clearing Agency Business'' and/
or ``Clearing Agency Support Area''). The risk assessment documented in 
these profiles includes (1) identification and assessment of inherent 
risk, which is risk without any mitigating controls; (2) identification 
of existing controls, and, as appropriate, any new additional controls, 
and evaluation of the same risk against the strength of such controls; 
and (3) identification of any residual risk and a determination to 
either further mitigate such risk or accept such risk by the applicable 
Clearing Agency Business or Clearing Agency Support Area.
    The Framework would also provide a description of the 
responsibilities of ORM, which is a part of the second line of defense 
within the Clearing Agencies' Three Lines of Defense approach to risk 
management.\7\ The Framework would identify some of those 
responsibilities as including, for example, management of the Risk 
Tolerance Statements and working with the Clearing Agency Businesses 
and Clearing Agency Support Areas to create and monitor Risk Profiles.
---------------------------------------------------------------------------

    \7\ The Three Lines of Defense approach to risk management 
identifies the roles and responsibilities of different Clearing 
Agency Businesses or Clearing Agency Support Areas in identifying, 
assessing, measuring, monitoring, mitigating, and reporting certain 
key risks faced by the Clearing Agencies. The Three Lines of Defense 
approach is more fully described in a separate framework, the 
Clearing Agency Risk Management Framework, maintained by the DTCC 
General Counsel's Office. See SR-DTC-2017-013, SR-FICC-2017-016, SR-
NSCC-2017-012, which was filed with the Commission but has not yet 
been published in the Federal Register. A copy of these proposed 
rule change filings is available at http://www.dtcc.com/legal/sec-rule-filings.
---------------------------------------------------------------------------

Information Technology Risk
    The Framework would describe how the Clearing Agencies address 
information technology risks. The Framework would state that the DTCC 
Technology Risk Management group (``TRM''), on behalf of the Clearing 
Agencies, is responsible for establishing appropriate programs, 
policies, procedures, and controls with respect to the Clearing 
Agencies' information technology risks to help management ensure that 
systems have a high degree of security, resiliency, operational 
reliability, and adequate, scalable capacity. The Framework would 
identify some of the recognized information technology standards that 
may be used by TRM, as applicable, in support of executing its 
responsibilities.
    The Framework would also identify some of TRM's responsibilities, 
which include, for example, (1) performing risk assessments to, among 
other things, facilitate the determination of the Clearing Agencies' 
investment and remediation priorities; (2) facilitating annual 
mandatory and periodic information security awareness, education, 
training, and communication to personnel of Clearing Agency Businesses 
and Clearing Agency Support Areas and relevant external parties; and 
(3) creating, implementing, and managing certain programs, including 
programs that (i) address information security throughout a system's 
lifecycle, (ii) facilitate compliance with evolving and established 
regulatory rules and guidelines that govern protection of the 
information assets of the Clearing Agencies and their participants, 
(iii) identify, prioritize, and manage the level of cyber threats to 
the Clearing Agencies, and (iv) assure that access to Clearing Agency 
information assets is appropriately authorized and authenticated based 
on current business need.
    The Framework would state that TRM's risk strategy is closely 
aligned to the Clearing Agencies' business drivers and future strategic 
direction, such that efforts to achieve information security threat 
mitigation objectives, resiliency of infrastructure supporting Clearing 
Agency critical business applications, and operational reliability are 
prioritized. The Framework would state 
this is also accomplished through TRM's early and consistent 
involvement in initiatives to develop new products and systems. The 
Framework would state that, by involving TRM from the initial planning 
phase, through the design, build and operative phases of those 
initiatives, resiliency, operational effectiveness, reliability, and 
availability requirements are addressed and incorporated into design 
and execution from both a technology and cyber security perspective.
    The Framework would also describe the Clearing Agencies' security 
strategy and defense, and would state that the Clearing Agencies' 
network security framework and preventive controls are designed to 
support a reliable and robust tiered security strategy and defense. 
These controls include modern and technically advanced security 
firewalls, intrusion detection, system and data monitoring, and data 
protection tools. The Framework would describe the Clearing Agencies' 
enhanced security features and the standards they use to assess 
vulnerabilities and potential threats.

Business Continuity Risk
    Finally, the Framework would describe how the Clearing Agencies 
have established and maintain business continuity plans to address 
events that may pose a significant risk of disrupting their operations. 
The Framework would describe how the business continuity process for 
each Clearing Agency Business and Clearing Agency Support Area is 
ranked within a range of tiers, from 0 to 5, based on criticality to 
each applicable Clearing Agency's operations (each a ``Tier''), where 
Tier 0 equates to critical operations or support of such operations for 
which virtually no downtime is permitted under applicable regulatory 
standards, and Tier 5 equates to non-essential operations or support of 
such operations for which recovery times of greater than five days are 
permitted.
    The Framework would state that, on an annual basis, each Clearing 
Agency Business and Clearing Agency Support Area updates its own 
business continuity plan and reviews and ratifies its business impact 
analysis. These analyses are used by the DTCC Business Continuity 
Management department (``BCM''), on behalf of the Clearing Agencies, to 
validate that business' or area's current Tier ranking. The Framework 
would identify the key elements of these business impact analyses, 
which include (1) an assessment of the criticality of the applicable 
Clearing Agency Business or Clearing Agency Support Area, based on 
potential impact to the Clearing Agency; (2) an estimation of the 
maximum allowable downtime for the applicable Clearing Agency Business 
or Clearing Agency Support Area; and (3) the identification of 
dependencies, and ranking such dependencies to align with the process 
criticality for recovery, of the applicable Clearing Agency Business or 
Clearing Agency Support Area.
    The Framework would describe the Clearing Agencies' multiple data 
centers, and the emergency monitoring and back up systems available at 
each site. The Framework would describe the capacity of the various 
data centers. The Framework would also describe the Clearing Agencies' 
operating centers, and would describe how each Clearing Agency Business 
and Clearing Agency Support Area creates and deploys its own work area 
recovery strategy to mitigate the loss of primary workspace and/or 
associated desktop technology, as well as for purposes of social 
distancing among personnel. The Framework would describe how each of 
these work area recovery strategies is developed and executed, based on 
the applicable Clearing Agency Business' and Clearing Agency Support 
Area's current Tier ranking, as described above.
    The Framework would describe the responsibilities of BCM in 
managing a disruptive business event, which includes coordination with 
a team of representatives from each Clearing Agency Business and 
Clearing Agency Support Area. Finally, the Framework would describe how 
the Clearing Agencies conduct regular exercises used to simulate loss 
of Clearing Agency locations, and would describe some of the preventive 
measures the Clearing Agencies take with respect to business continuity 
risk management.

2. Statutory Basis
    The Clearing Agencies believe that the proposed rule changes are 
consistent with the requirements of the Act and the rules and 
regulations thereunder applicable to a registered clearing agency. In 
particular, the Clearing Agencies believe that the Framework is 
consistent with Section 17A(b)(3)(F) of the Act \8\ and the subsections 
cited below of Rule 17Ad-22(e)(17),\9\ promulgated under the Act, for 
the reasons described below.
---------------------------------------------------------------------------

    \8\ 15 U.S.C. 78q-1(b)(3)(F).
    \9\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

    Section 17A(b)(3)(F) of the Act requires, in part, that the rules 
of a registered clearing agency be designed to promote the prompt and 
accurate clearance and settlement of securities transactions, and to 
assure the safeguarding of securities and funds which are in the 
custody or control of the clearing agency or for which it is 
responsible.\10\ As described above, the Framework would describe how 
the Clearing Agencies manage their Operational Risk, technology and 
information security risks, and their business continuity risks. The 
processes, systems, and controls used by the Clearing Agencies to 
identify, manage, and mitigate these risks, as described in the 
Framework, and the policies and procedures that support these 
activities, assist the Clearing Agencies to continue the prompt and 
accurate clearance and settlement of securities transactions and 
continue to assure the safeguarding of securities and funds which are 
in their custody or control or for which they are responsible 
notwithstanding the realization of these risks. Therefore, the Clearing 
Agencies believe the Framework is consistent with the requirements of 
Section 17A(b)(3)(F) of the Act.\11\
---------------------------------------------------------------------------

    \10\ 15 U.S.C. 78q-1(b)(3)(F).
    \11\ Id.
---------------------------------------------------------------------------

    The Clearing Agencies believe that the Framework is consistent with 
the requirements of each of the subsections of Rule 17Ad-22(e)(17),\12\ 
cited below, for the reasons described below.
---------------------------------------------------------------------------

    \12\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

    Rule 17Ad-22(e)(17)(i) under the Act requires, in part, that each 
covered clearing agency establish, implement, maintain and enforce 
written policies and procedures reasonably designed to manage the 
covered clearing agency's operational risks by identifying the 
plausible sources of operational risk, both internal and external, and 
mitigating their impact through the use of appropriate systems, 
policies, procedures, and controls.\13\ The Framework would describe 
how the Risk Tolerance Statements and the Risk Profiles both assist the 
Clearing Agencies to identify the plausible sources of Operational 
Risk, both internal and external. As described above, the Risk 
Tolerance Statements identify both internal and external Clearing 
Agency risks, categorize the respective Clearing Agencies' tolerance 
for those risks, and then identify the governance process applicable to any 
breach of those tolerances. In this way, the Risk Tolerance Statements 
allow the Clearing Agencies to identify and manage the risks they face. 
As described above, the Risk Profiles serve a similar function, by 
serving as a tool for identifying and assessing inherent 
risks, and evaluating the controls around those risks. The Framework 
also describes the role of ORM, which includes oversight of the Risk 
Tolerance Statements and Risk Profiles. By describing the functions of 
the Risk Tolerance Statements and Risk Profiles, which, together, 
assist the Clearing Agencies in effectively managing their operational 
risks by identifying the plausible sources of operational risk, both 
internal and external, and by assisting the Clearing Agencies in 
mitigating the impact of those risks, and by describing the role of ORM 
in facilitating these tools, the Clearing Agencies believe the 
Framework is consistent with the requirements of Rule 17Ad-
22(e)(17)(i).\14\
---------------------------------------------------------------------------

    \13\ 17 CFR 240.17Ad-22(e)(17)(i).
    \14\ Id.
---------------------------------------------------------------------------

    Rule 17Ad-22(e)(17)(ii) under the Act requires, in part, that each 
covered clearing agency establish, implement, maintain and enforce 
written policies and procedures reasonably designed to manage the 
covered clearing agency's operational risks by ensuring that systems 
have a high degree of security, resiliency, operational reliability, 
and adequate, scalable capacity.\15\ The Framework would describe the 
role, and some of the responsibilities, of TRM, in managing the 
Clearing Agencies' information technology risks and in helping the 
Clearing Agencies maintain systems with a high degree of security, 
resiliency, operational reliability, and adequate, scalable capacity. 
The Framework would also describe the programs, systems, and controls 
used by TRM in performing this function, and would identify some of the 
standards on information technology risk management that may be used by 
TRM in support of its responsibilities. The Framework would also 
describe TRM's role in product and project initiatives to address 
security issues through the lifecycle of an initiative. Therefore, by 
describing the role and responsibilities of TRM in managing the 
Clearing Agencies' information technology risks and in helping the 
Clearing Agencies maintain systems with a high degree of security, 
resiliency, operational reliability, and adequate, scalable capacity, 
the Clearing Agencies believe the Framework is consistent with the 
requirements of Rule 17Ad-22(e)(17)(ii).\16\
---------------------------------------------------------------------------

    \15\ 17 CFR 240.17Ad-22(e)(17)(ii).
    \16\ Id.
---------------------------------------------------------------------------

    Rule 17Ad-22(e)(17)(iii) under the Act requires, in part, that each 
covered clearing agency establish, implement, maintain and enforce 
written policies and procedures reasonably designed to manage the 
covered clearing agency's operational risks by establishing and 
maintaining a business continuity plan that addresses events posing a 
significant risk of disrupting operations.\17\ The Framework would 
describe how the Clearing Agencies have established and maintain 
business continuity plans, and would describe the critical features of 
those plans to demonstrate how such plans address events posing a 
significant risk of disrupting the Clearing Agencies' operations. The 
Framework would also describe how each Clearing Agency Business and 
Clearing Agency Support Area reviews and ratifies its respective plan 
and its business impact analysis, relative to its assigned Tier. 
Therefore, through this description of the establishment, management 
and maintenance of the business continuity plans of the Clearing 
Agencies, the Clearing Agencies believe the Framework is consistent 
with the requirements of Rule 17Ad-22(e)(17)(iii).\18\
---------------------------------------------------------------------------

    \17\ 17 CFR 240.17Ad-22(e)(17)(iii).
    \18\ Id.
---------------------------------------------------------------------------

(B) Clearing Agencies' Statement on Burden on Competition

    None of the Clearing Agencies believe that the Framework would have 
any impact, or impose any burden, on competition because the proposed 
rule changes reflect some of the existing methods by which the Clearing 
Agencies manage Operational Risk, including their management of 
information technology and business continuity risks, and would not 
effectuate any changes to the Clearing Agencies' processes described 
therein as they currently apply to their respective participants.

(C) Clearing Agencies' Statement on Comments on the Proposed Rule 
Changes Received From Members, Participants, or Others

    The Clearing Agencies have not solicited or received any written 
comments relating to this proposal. The Clearing Agencies will notify 
the Commission of any written comments received by the Clearing 
Agencies.

III. Date of Effectiveness of the Proposed Rule Changes, and Timing for 
Commission Action

    Within 45 days of the date of publication of this notice in the 
Federal Register or within such longer period up to 90 days (i) as the 
Commission may designate if it finds such longer period to be 
appropriate and publishes its reasons for so finding or (ii) as to 
which the clearing agency consents, the Commission will:
    (A) By order approve or disapprove such proposed rule changes, or
    (B) institute proceedings to determine whether the proposed rule 
changes should be disapproved.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed rule 
changes are consistent with the Act. Comments may be submitted by any 
of the following methods:

Electronic Comments

     Use the Commission's Internet comment form (http://www.sec.gov/rules/sro.shtml); or
     Send an email to rule-comments@sec.gov. Please include 
File Number SR-DTC-2017-014, SR-FICC-2017-017, or SR-NSCC-2017-013 on 
the subject line.

Paper Comments

     Send paper comments in triplicate to Secretary, Securities 
and Exchange Commission, 100 F Street NE., Washington, DC 20549.

All submissions should refer to File Number SR-DTC-2017-014, SR-FICC-
2017-017, or SR-NSCC-2017-013. One of these file numbers should be 
included on the subject line if email is used. To help the Commission 
process and review your comments more efficiently, please use only one 
method. The Commission will post all comments on the Commission's 
Internet Web site (http://www.sec.gov/rules/sro.shtml). Copies of the 
submission, all subsequent amendments, all written statements with 
respect to the proposed rule changes that are filed with the 
Commission, and all written communications relating to the proposed 
rule changes between the Commission and any person, other than those 
that may be withheld from the public in accordance with the provisions 
of 5 U.S.C. 552, will be available for Web site viewing and printing in 
the Commission's Public Reference Room, 100 F Street NE., Washington, 
DC 20549 on official business days between the hours of 10:00 a.m. and 
3:00 p.m. Copies of the filing also will be available for inspection 
and copying at the principal office of the Clearing Agencies and on 
DTCC's Web site (http://dtcc.com/legal/sec-rule-filings.aspx). All 
comments received will be posted without change; the Commission does 
not edit personal identifying information from submissions. You should 
submit only information that you wish to make available publicly. All 
submissions 
should refer to File Number SR-DTC-2017-014, SR-FICC-2017-017, or SR-
NSCC-2017-013 and should be submitted on or before September 5, 2017.
    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\19\
---------------------------------------------------------------------------

    \19\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Eduardo A. Aleman,
Assistant Secretary.
[FR Doc. 2017-17043 Filed 8-11-17; 8:45 am]
 BILLING CODE 8011-01-P