[Federal Register Volume 87, Number 72 (Thursday, April 14, 2022)]
[Notices]
[Pages 22273-22276]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-07950]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-94649; File No. SR-ICEEU-2022-008]


Self-Regulatory Organizations; ICE Clear Europe Limited; Notice 
of Filing of Proposed Rule Change Relating to Amendments to the ICE 
Clear Europe Operational Risk Management Policy and Risk Identification 
Framework

April 8, 2022.
    Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 
(``Act''),\1\ and Rule 19b-4 thereunder,\2\ notice is hereby given that 
on March 31, 2022, ICE Clear Europe Limited (``ICE Clear Europe'' or 
the ``Clearing House'') filed with the Securities and Exchange 
Commission (``Commission'') the proposed rule changes described in 
Items I, II and III below, which Items have been prepared primarily by 
ICE Clear Europe. The Commission is publishing this notice to solicit 
comments on the proposed rule change from interested persons.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
---------------------------------------------------------------------------

I. Clearing Agency's Statement of the Terms of Substance of the 
Proposed Rule Change

    The principal purpose of the proposed amendments is for ICE Clear 
Europe to (i) modify its Operational Risk Management Policy (the 
``Operational Risk Management Policy'') to update the Clearing House's 
operational risk management practices, and (ii) add to the Clearing 
House's rule framework the Risk Identification Framework (``Risk 
Identification Framework''), which is a document that provides ICE Clear 
Europe with a structure to explore, identify and monitor risks. The 
updates would also make certain other amendments to remove outdated 
provisions and to make certain other non-substantive amendments.

II. Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

    In its filing with the Commission, ICE Clear Europe included 
statements concerning the purpose of and basis for the proposed rule 
change and discussed any comments it received on the proposed rule 
change. The text of these statements may be examined at the places 
specified in Item IV below. ICE Clear Europe has prepared summaries, 
set forth in sections (A), (B), and (C) below, of the most significant 
aspects of such statements.

(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

(a) Purpose
    ICE Clear Europe is proposing to amend its Operational Risk 
Management Policy to make certain clarifications and enhancements to 
(i) ICE Clear Europe's approach to remediating identified control 
vulnerabilities and monitoring, (ii) transition to dynamic risk 
assessment where each risk would be assessed at least annually via a 
rolling review process, and (iii) the operational risk review process 
by linking it with the Enterprise Risk Register (described further 
below), as well as descriptive updates to the Enterprise Risk Register. 
The appendices to the Operational Risk Management Policy would also be 
updated to provide certain additional descriptive detail relating to 
current practices, including titles and impact guidelines and guidance 
charts in Appendix C. Various other typographical, clarificatory and 
stylistic improvements would also be made.
    ICE Clear Europe is also proposing to add to the Clearing House's 
set of rules the Risk Identification Framework which would provide the 
Board with a structure to assist it in exploring, identifying and 
monitoring risks, as described below.
I. Operational Risk Management Policy
    The overall description of operational risk management contained in 
Section 3 would be clarified to include management as well as 
identification, management [sic], monitoring and reporting of risk. The 
same section would also provide that risks would be documented within 
the Enterprise Risk Register.
    Section 3.1 (previously titled ``Risk Identification'') would be 
deleted in its entirety and replaced with a new section titled 
``Enterprise Risk Register''. The section would describe the Enterprise 
Risk Register (attached to the policy as Appendix A, and also referred 
to as the Risk Register Dashboard) which would serve as an inventory of 
the material risks faced by the Clearing House, incorporating the Risk 
Taxonomy (as discussed below). The section would also describe the 
purpose of the Enterprise Risk Register, which would be to strengthen 
the businesses' understanding of their risks and allow them to 
demonstrate to the relevant risk committees and the Board that the 
risks are managed. The section would also describe the responsibilities 
with respect to the Enterprise Register, including that the Risk Owners 
would be responsible for updating and 
maintaining their assigned risks in the Enterprise Risk Register, as 
well as discuss the responsibilities of the Risk Oversight Department 
(``ROD''), the Executive Risk Committee (``ERC'') and the Board Risk 
Committee (``BRC''). The section would also describe the register (as 
attached as Appendix A to the policy) which would be a dynamically 
updated living statement of the Clearing House's risks that form part 
of the ERC and BRC standing agenda. Each risk would be assessed at 
least annually through a rolling review process.
    Section 3.2 (Risk Assessment) would be updated to describe the 
following five components for facilitating the effective management of 
enterprise risk: (1) Risk Identification, (2) Level 3 Risk 
Assessment,\3\ (3) Risk Management, (4) Risk Monitoring and (5) Risk 
Reporting, as described further below. Stylistic and formatting updates 
would be made to this section to clarify that the five aforementioned 
components fall under the umbrella of risk assessment.
---------------------------------------------------------------------------

    \3\ The risk level (Level 1, 2 or 3) represents a hierarchy of 
risks with Level 3 being the level at which risks are assessed by 
the relevant Risk Owners. Level 1 and 2 risks are aggregated from 
Level 3 risk ratings and are listed in the Enterprise Risk Register.
---------------------------------------------------------------------------

    Firstly, a new subsection 3.2.1 (Risk Identification) would be 
added and would describe risk identification as the process by which 
each department identifies risks which should be documented within the 
Risk Taxonomy and the Enterprise Risk Register. The Risk Taxonomy is 
the list of risks that the Clearing House is exposed to which is 
reviewed annually for completeness; those risks (and the related 
control assessment of those risks) are reflected in the Enterprise Risk 
Register. The amendments would also add that the risk identification 
could be performed more frequently than annually as part of a dynamic 
update.
    The substance of previous Section 3.3 (Risk Response) would be 
replaced by new subsections 3.2.2, 3.2.3 and 3.2.3, as described 
herein. However, the ownership and nature of the Clearing House's risk 
responses would be substantively unchanged. New subsection 3.2.2 
(Control Assessment) would provide descriptions of the Clearing House's 
risk assessment policies and processes, including the roles of Risk 
Owners. Risk Owners would be required to assess the expected level of 
mitigation that each control is expected to provide (High/Medium/Low--
more information would be provided in Appendix D), as well as the 
effectiveness of each control (Satisfactory/Needs Improvement/
Unsatisfactory). Key controls would be considered for control 
monitoring to further review effectiveness of controls. The amendments 
provide that the control assessment process should be performed at 
least once a year or more frequently as part of a dynamic control 
assessment. Dynamic control assessments would be performed to reflect 
material risk changes. Enterprise Risk Management (``ERM'') would be 
responsible for providing review and challenge of the Risk Owners' 
control assessment. The `Worst-of Principle' would be applied to Level 
1 and 2 ratings, where the parent overall control rating would adopt 
the `worst-of' overall control rating of the level below.
    The subsection describing the Clearing House's risk assessment 
processes (now Section 3.2.3) would be updated to provide the role of 
inherent and residual risk assessments (attached as Appendix C to the 
policy). Identified risks are assessed by Risk Owners at Level 3 on an 
Inherent Risk basis (in the absence of mitigating controls) and on a 
Residual Risk basis (taking into consideration mitigating controls). To 
determine the Residual Risk, Risk Owners would take account of key risk 
data points.
    The risk assessment process would be performed at least once a year 
through a rolling review process or more frequently as part of 
dynamic risk assessments, which are performed to reflect material risk 
changes. ERM would be responsible for providing review and challenge of 
the Risk Owners' risk assessment. The `Worst-of Principle' would be 
applied to Level 1 and 2 ratings, where the Parent Overall Control 
Rating would adopt the `worst-of' rating of the level below across both 
inherent and residual risk.
    New subsection 3.2.4 (Risk Management) would describe the Clearing 
House's risk management policies. Residual risks above agreed 
thresholds would require remediation actions to address the control 
vulnerability and reduce the level of residual risk to an acceptable 
level. Such thresholds refer to the Board-approved risk appetite 
metrics which are currently set as Medium (see Appendix B for Risk 
Assessment Ratings Grid). Any Risks assessed by the Risk Owners as High 
or Very High would require remediation actions, which will depend on 
the particular circumstances and risks involved. Proposed remediations 
would be escalated to senior management and applicable risk committees 
or Board. In certain circumstances, risk acceptance may be deemed 
appropriate dependent upon the Clearing House's risk appetite and Board 
approval. Recommendations would be assigned a priority rating and 
remediation timeline as a function of the expected level of risk 
mitigation and the control effective rating (attached as Appendix E). 
Remediation recommendations would be entered in the Issue Problems and 
Threat workflow unless already formally tracked.
    The section describing risk monitoring (now subsection 3.2.5) would 
be updated to provide that in order to ensure that controls identified 
during the assessment are operating effectively and performing in line 
with the assessed control ratings, the Clearing House would perform 
periodic control monitoring on controls considered as ``Key'' which 
would be ``High'' mitigating controls mapped against ``Very High'' or 
``High'' Inherent Risks. ERM would coordinate with the First, Second 
and Third Lines to develop control monitoring plans for key controls 
(described further in Appendix D).
    Additionally, a new paragraph would be added providing that to 
ensure that key controls identified during the assessment are operating 
effectively, the Clearing House would perform control monitoring, and 
include a description of such processes. Control monitoring would be 
performed by either the First Line (Clearing Risk Team), the Second 
Line (Risk Oversight Department), the Clearing House's internal audit 
team or independent third parties. The results would be reviewed by the 
Chief Risk Officer and presented to the senior management team and 
other governance committees as appropriate.
    The amendments would provide that Risk Owners would monitor 
operational risks on an on-going rather than a daily basis. They would 
also clarify that the Risk Oversight Department (``ROD'') would monitor 
risks daily or monthly (rather than only daily) and would monitor 
operational incidents raised by the Risk Owners.
    The section describing risk reporting (now subsection 3.2.6) would 
be revised to include a new paragraph that describes the approval 
process for the Enterprise Risk Register as being approved monthly at 
each ERC and reported to each BRC and Board meeting. Stylistic changes 
would also be made to this section to replace certain terms with their 
acronym in order to aid with readability. Additionally, information 
regarding the roles of the Board, ERC and other groups that has been 
moved to other sections of the document would be deleted from this section 
in order to avoid superfluousness.
    Section 4.3 (Oversight of the Policy) would be updated to provide 
that the 
document would be subject to the oversight of the ROD (and not also the 
Audit Committee).
    Descriptive titles would be added to the appendices in order to aid 
with readability. Additionally, a table would be added to Appendix C 
that would describe the meaning of certain impact guidelines (severe/
major/moderate/minor/incidental), the numerical score assigned to such 
guidelines, and the guidance applied with respect to the risk posed to 
such impact. A description would be added to Appendix G--Risk 
Mitigation to provide that the methodology to determine ICE Clear 
Europe's residual risk involves assessing the impact of ICE Clear 
Europe's control landscape on its inherent risks as shown by the matrix 
set out in the appendix.
II. Risk Identification Framework
    The amendments would include the formal adoption of the Risk 
Identification Framework, which is intended to formalize certain 
practices relating to the identification of risks. Section 1 
(Introduction) of the Risk Identification Framework would provide an 
overarching description of the document and its purpose. The purpose of 
the Risk Identification Framework is to provide the Board with a 
structure to explore, identify and monitor risks as well as ensure that 
risk tolerance is articulated and documented, with responsibilities and 
accountabilities clearly assigned, as described further below. This 
framework would also support the Board in risk avoidance, mitigation or 
acceptance.
    Section 2 (Components of the Risk Identification Framework) would 
describe the four components of the Risk Identification Framework: Risk 
Taxonomy, which provides a single universal risk structure, terminology 
and hierarchy; Enterprise Risk Register, which serves as an inventory 
of the material risks faced by the Clearing House; Risk Assessment, 
which requires risk owners to rate inherent risk, overall control 
rating and residual risk for each level 3 risk; and Emerging Risk 
Assessment, which facilitates ongoing identification, discussion and 
mitigation of emerging risks at Board and executive level. The 
subsections that follow would provide further descriptions of each 
component and the responsibilities and frequency relating to review of 
each.
    Section 3 (Review and Governance) would describe the documentation 
ownership and governance processes in respect of the Risk 
Identification Framework. The document would be owned by the Chief Risk 
Officer; any material changes to the document would require Executive 
Risk Committee and Board approval. The Executive Risk Committee and 
Board would review the Risk Identification Framework annually.
    The appendices referenced throughout the document would follow and 
would include appendices providing for a risk register dashboard, 
rating guidance impact and likelihood and emerging business risks.
(b) Statutory Basis
    ICE Clear Europe believes that the proposed amendments to the 
Operational Risk Management Policy and the adoption of the Risk 
Identification Framework are consistent with the requirements of 
Section 17A of the Act \4\ and the regulations thereunder applicable to 
it. In particular, Section 17A(b)(3)(F) of the Act \5\ requires, among 
other things, that the rules of a clearing agency be designed to 
promote the prompt and accurate clearance and settlement of securities 
transactions and, to the extent applicable, derivative agreements, 
contracts, and transactions, the safeguarding of securities and funds 
in the custody or control of the clearing agency or for which it is 
responsible, and the protection of investors and the public interest.
---------------------------------------------------------------------------

    \4\ 15 U.S.C. 78q-1.
    \5\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    The proposed changes to the Operational Risk Management Policy and 
the adoption of the Risk Identification Framework are designed to 
strengthen ICE Clear Europe's tools to manage the risk of losses 
resulting from operational errors or failures. The amendments and 
adoption would update and clarify the processes, controls and 
escalations with respect to the testing and reviewing of the Clearing 
House's operations as well as outline the responsibilities of the 
Clearing House's committees, management and the Board in relation to 
each document. Through better managing risks in operational failure 
scenarios and providing the policies and framework to identify, manage and 
monitor such risks, the proposed amendments to the Operational Risk 
Management Policy and the adoption of the Risk Identification Framework 
would promote the stability of the Clearing House and the prompt and 
accurate clearance and settlement of cleared contracts. The enhanced 
risk management is therefore also generally consistent with the 
protection of investors and the public interest in the safe operation 
of the Clearing House. (ICE Clear Europe would not expect the 
amendments to affect the safeguarding of securities and funds in ICE 
Clear Europe's custody or control or for which it is responsible.) 
Accordingly, the amendments satisfy the requirements of Section 
17A(b)(3)(F).\6\
---------------------------------------------------------------------------

    \6\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    The amendments to the Operational Risk Management Policy and the 
adoption of the Risk Identification Framework are also consistent with 
relevant provisions of Rule 17Ad-22.\7\ Rule 17Ad-22(e)(3)(i) provides 
that ``[e]ach covered clearing agency shall establish, implement, 
maintain and enforce written policies and procedures reasonably 
designed to, as applicable [. . .] identify, measure, monitor and 
manage the range of risks that arise in or are borne by the covered 
clearing agency''.\8\ As set forth above, the amendments to the 
Operational Risk Management Policy are intended to clarify and enhance 
the Clearing House's policies and practices that address operational 
and other risks, including with respect to the ongoing review, 
categorization and assessment of risks faced by the Clearing House. The 
adoption of the Risk Identification Framework would assist the Board in 
evaluation of risks and consequently facilitate risk avoidance, 
mitigation or acceptance by the Clearing House. The amendments would 
thus strengthen the management of operational risks and risk management 
more generally. In ICE Clear Europe's view, the amendments are 
therefore consistent with the requirements of Rule 17Ad-22(e)(3)(i).\9\
---------------------------------------------------------------------------

    \7\ 17 CFR 240.17Ad-22.
    \8\ 17 CFR 240.17Ad-22(e)(3)(i).
    \9\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

    Rule 17Ad-22(e)(2) provides that ``[e]ach covered clearing agency 
shall establish, implement, maintain and enforce written policies and 
procedures reasonably designed to, as applicable [. . .] provide for 
governance arrangements that are clear and transparent'' \10\ and 
``[s]pecify clear and direct lines of responsibility''.\11\ The 
amendments to the Operational Risk Management Policy and the adoption 
of the Risk Identification Framework each would clarify or provide the 
responsibilities of the Clearing House's committees, management and the 
Board in relation to each such document. In ICE Clear Europe's view, 
the amendments are therefore consistent with the requirements of Rule 
17Ad-22(e)(2).\12\
---------------------------------------------------------------------------

    \10\ 17 CFR 240.17Ad-22(e)(2)(i).
    \11\ 17 CFR 240.17Ad-22(e)(2)(v).
    \12\ 17 CFR 240.17Ad-22(e)(2).
---------------------------------------------------------------------------

    The proposed amendments are also consistent with Rule 
17Ad-22(e)(17)(i), which provides that ``[e]ach covered clearing agency 
shall establish, implement, maintain and enforce written policies and 
procedures reasonably designed to, as applicable [. . .] manage the 
clearing 
agency's operational risks by identifying the plausible sources of 
operational risk, both internal and external, and mitigating their 
impact through the use of appropriate systems, policies, procedures, 
and controls''.\13\ The amendments to the Operational Risk Management 
Policy facilitate ongoing identification of operational risks and 
better mitigate their impact through improved procedures and controls 
resulting from more detailed governance and review processes with 
respect to risk identification, assessment, management, monitoring and 
reporting. In ICE Clear Europe's view, the amendments are therefore 
consistent with the requirements of Rule 17Ad-22(e)(17)(i).\14\
---------------------------------------------------------------------------

    \13\ 17 CFR 240.17Ad-22(e)(17)(i).
    \14\ 17 CFR 240.17Ad-22(e)(17)(i).
---------------------------------------------------------------------------

(B) Clearing Agency's Statement on Burden on Competition

    ICE Clear Europe does not believe the proposed amendments would 
have any impact, or impose any burden, on competition not necessary or 
appropriate in furtherance of the purposes of the Act. The amendments 
are being adopted to update and clarify the Clearing House's 
Operational Risk Management Policy and to adopt the Risk Identification 
Framework, all of which relate to the Clearing House's internal 
processes for operational risk management. ICE Clear Europe does not 
believe the amendments and adoption would affect the costs of clearing, 
the ability of market participants to access clearing, or the market 
for clearing services generally. Therefore, ICE Clear Europe does not 
believe the proposed rule change imposes any burden on competition that 
is inappropriate in furtherance of the purposes of the Act.

(C) Clearing Agency's Statement on Comments on the Proposed Rule Change 
Received From Members, Participants or Others

    Written comments relating to the proposed amendments have not been 
solicited or received by ICE Clear Europe. ICE Clear Europe will notify 
the Commission of any written comments received with respect to the 
proposed rule change and adoption.

III. Date of Effectiveness of the Proposed Rule Change and Timing for 
Commission Action

    Within 45 days of the date of publication of this notice in the 
Federal Register or within such longer period up to 90 days (i) as the 
Commission may designate if it finds such longer period to be 
appropriate and publishes its reasons for so finding or (ii) as to 
which the self-regulatory organization consents, the Commission will:
    (A) By order approve or disapprove such proposed rule change, or
    (B) institute proceedings to determine whether the proposed rule 
change should be disapproved.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views, and 
arguments concerning the foregoing, including whether the proposed rule 
change is consistent with the Act. Comments may be submitted by any of 
the following methods:

Electronic Comments

     Use the Commission's internet comment form (http://www.sec.gov/rules/sro.shtml) or
     Send an email to [email protected]. Please include 
File Number SR-ICEEU-2022-008 on the subject line.

Paper Comments

     Send paper comments in triplicate to Secretary, Securities 
and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to File Number SR-ICEEU-2022-008. This 
file number should be included on the subject line if email is used. To 
help the Commission process and review your comments more efficiently, 
please use only one method. The Commission will post all comments on 
the Commission's internet website (http://www.sec.gov/rules/sro.shtml). 
Copies of the submission, all subsequent amendments, all written 
statements with respect to the proposed rule change that are filed with 
the Commission, and all written communications relating to the proposed 
rule change between the Commission and any person, other than those 
that may be withheld from the public in accordance with the provisions 
of 5 U.S.C. 552, will be available for website viewing and printing in 
the Commission's Public Reference Room, 100 F Street NE, Washington, DC 
20549, on official business days between the hours of 10:00 a.m. and 
3:00 p.m. Copies of such filings will also be available for inspection 
and copying at the principal office of ICE Clear Europe and on ICE 
Clear Europe's website at https://www.theice.com/clear-europe/regulation. All comments received will be posted without change. 
Persons submitting comments are cautioned that we do not redact or edit 
personal identifying information from comment submissions. You should 
submit only information that you wish to make available publicly. All 
submissions should refer to File Number SR-ICEEU-2022-008 and should be 
submitted on or before May 5, 2022.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\15\
---------------------------------------------------------------------------

    \15\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Jill M. Peterson,
Assistant Secretary.
[FR Doc. 2022-07950 Filed 4-13-22; 8:45 am]