[Federal Register Volume 87, Number 72 (Thursday, April 14, 2022)]
[Notices]
[Pages 22273-22276]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-07950]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-94649; File No. SR-ICEEU-2022-008]
Self-Regulatory Organizations; ICE Clear Europe Limited; Notice
of Filing of Proposed Rule Change Relating to Amendments to the ICE
Clear Europe Operational Risk Management Policy and Risk Identification
Framework
April 8, 2022.
Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934
(``Act''),\1\ and Rule 19b-4 thereunder,\2\ notice is hereby given that
on March 31, 2022, ICE Clear Europe Limited (``ICE Clear Europe'' or
the ``Clearing House'') filed with the Securities and Exchange
Commission (``Commission'') the proposed rule changes described in
Items I, II and III below, which Items have been prepared primarily by
ICE Clear Europe. The Commission is publishing this notice to solicit
comments on the proposed rule change from interested persons.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
---------------------------------------------------------------------------
I. Clearing Agency's Statement of the Terms of Substance of the
Proposed Rule Change
The principal purpose of the proposed amendments is for ICE Clear
Europe to (i) modify its Operational Risk Management Policy (the
``Operational Risk Management Policy'') to update the Clearing House's
operational risk management practices, and (ii) add to the Clearing
House's rule framework the Risk Identification Framework (``Risk
Identification Framework''), which is a document that provides ICE Clear
Europe with a structure to explore, identify and monitor risks. The
updates would also make certain other amendments to remove outdated
provisions and to make certain other non-substantive amendments.
II. Clearing Agency's Statement of the Purpose of, and Statutory Basis
for, the Proposed Rule Change
In its filing with the Commission, ICE Clear Europe included
statements concerning the purpose of and basis for the proposed rule
change and discussed any comments it received on the proposed rule
change. The text of these statements may be examined at the places
specified in Item IV below. ICE Clear Europe has prepared summaries,
set forth in sections (A), (B), and (C) below, of the most significant
aspects of such statements.
(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis
for, the Proposed Rule Change
(a) Purpose
ICE Clear Europe is proposing to amend its Operational Risk
Management Policy to make certain clarifications and enhancements to
(i) ICE Clear Europe's approach to remediating identified control
vulnerabilities and monitoring, (ii) transition to dynamic risk
assessment where each risk would be assessed at least annually via a
rolling review process, and (iii) the operational risk review process
by linking it with the Enterprise Risk Register (described further
below), as well as descriptive updates to the Enterprise Risk Register.
The appendices to the Operational Risk Management Policy would also be
updated to provide certain additional descriptive detail relating to
current practices, including titles and impact guidelines and guidance
charts in Appendix C. Various other typographical, clarificatory and
stylistic improvements would also be made.
ICE Clear Europe is also proposing to add to the Clearing House's
set of rules the Risk Identification Framework which would provide the
Board with a structure to assist it in exploring, identifying and
monitoring risks, as described below.
I. Operational Risk Management Policy
The overall description of operational risk management contained in
Section 3 would be clarified to include management as well as
identification, management [sic], monitoring and reporting of risk. The
same section would also provide that risks would be documented within
the Enterprise Risk Register.
Section 3.1 (previously titled ``Risk Identification'') would be
deleted in its entirety and replaced with a new section titled
``Enterprise Risk Register''. The section would describe the Enterprise
Risk Register (attached to the policy as Appendix A, and also referred
to as the Risk Register Dashboard) which would serve as an inventory of
the material risks faced by the Clearing House, incorporating the Risk
Taxonomy (as discussed below). The section would also describe the
purpose of the Enterprise Risk Register, which would be to strengthen
the businesses' understanding of their risks and allow them to
demonstrate to the relevant risk committees and the Board that the
risks are managed. The section would also describe the responsibilities
with respect to the Enterprise Register, including that the Risk Owners
would be responsible for updating and
maintaining their assigned risks in the Enterprise Risk Register, as
well as discuss the responsibilities of the Risk Oversight Department
(``ROD''), the Executive Risk Committee (``ERC'') and the Board Risk
Committee (``BRC''). The section would also describe the register (as
attached as Appendix A to the policy) which would be a dynamically
updated living statement of the Clearing House's risks that form part
of the ERC and BRC standing agenda. Each risk would be assessed at
least annually through a rolling review process.
Section 3.2 (Risk Assessment) would be updated to describe the
following five components for facilitating the effective management of
enterprise risk: (1) Risk Identification, (2) Level 3 Risk
Assessment,\3\ (3) Risk Management, (4) Risk Monitoring and (5) Risk
Reporting, as described further below. Stylistic and formatting updates
would be made to this section to clarify that the five aforementioned
components fall under the umbrella of risk assessment.
---------------------------------------------------------------------------
\3\ The risk level (Level 1, 2 or 3) represents a hierarchy of
risks with Level 3 being the level at which risks are assessed by
the relevant Risk Owners. Level 1 and 2 risks are aggregated from
Level 3 risk ratings and are listed in the Enterprise Risk Register.
---------------------------------------------------------------------------
Firstly, a new subsection 3.2.1 (Risk Identification) would be
added and would describe risk identification as the process by which
each department identifies risks which should be documented within the
Risk Taxonomy and the Enterprise Risk Register. The Risk Taxonomy is
the list of risks that the Clearing House is exposed to which is
reviewed annually for completeness; those risks (and the related
control assessment of those risks) are reflected in the Enterprise Risk
Register. The amendments would also add that the risk identification
could be performed more frequently than annually as part of a dynamic
update.
The substance of previous Section 3.3 (Risk Response) would be
replaced by new subsections 3.2.2, 3.2.3 and 3.2.3, as described
herein. However, the ownership and nature of the Clearing House's risk
responses would be substantively unchanged. New subsection 3.2.2.
(Control Assessment) would provide descriptions of the Clearing House's
risk assessment policies and processes, including the roles of Risk
Owners. Risk Owners would be required to assess the expected level of
mitigation that each control is expected to provide (High/Medium/Low--
more information would be provided in Appendix D), as well as the
effectiveness of each control (Satisfactory/Needs Improvement/
Unsatisfactory). Key controls would be considered for control
monitoring to further review effectiveness of controls. The amendments
provide that the control assessment process should be performed at
least once a year or more frequently as part of a dynamic control
assessment. Dynamic control assessments would be performed to reflect
material risk changes. Enterprise Risk Management (``ERM'') would be
responsible for providing review and challenge of the Risk Owners'
control assessment. The `Worst-of Principle' would be applied to Level
1 and 2 ratings, where the parent overall control rating would adopt
the `worst-of' overall control rating of the level below.
The subsection describing the Clearing House's risk assessment
processes (now Section 3.2.3) would be updated to provide the role of
inherent and residual risk assessments (attached as Appendix C to the
policy). Risks identified are assessed by Risk Owners at Level 3 on an
Inherent Risk basis (in the absence of mitigating controls) and on a
Residual Risk basis (taking into consideration mitigating controls). To
determine the Residual Risk, Risk Owners would take account of key risk
data points.
The risk assessment process would be performed at least once a year
through a rolling review process or more frequently as part of
dynamic risk assessments, which are performed to reflect material risk
changes. ERM would be responsible for providing review and challenge of
the Risk Owners' risk assessment. The `Worst-of Principle' would be
applied to Level 1 and 2 ratings, where the Parent Overall Control
Rating would adopt the `worst-of' rating of the level below across both
inherent and residual risk.
New subsection 3.2.4 (Risk Management) would describe the Clearing
House's risk management policies. Residual risks above agreed
thresholds would require remediation actions to address the control
vulnerability and reduce the level of residual risk to an acceptable
level. Such thresholds refer to the Board-approved risk appetite
metrics which are currently set as Medium (see Appendix B for Risk
Assessment Ratings Grid). Any Risks assessed by the Risk Owners as High
or Very High would require remediation actions, which will depend on
the particular circumstances and risks involved. Proposed remediations
would be escalated to senior management and applicable risk committees
or Board. In certain circumstances, risk acceptance may be deemed
appropriate dependent upon the Clearing House's risk appetite and Board
approval. Recommendations would be assigned a priority rating and
remediation timeline as a function of the expected level of risk
mitigation and the control effective rating (attached as Appendix E).
Remediation recommendations would be entered in the Issue Problems and
Threat workflow unless already formally tracked.
The section describing risk monitoring (now subsection 3.2.5) would
be updated to provide that, in order to ensure that controls identified
during the assessment are operating effectively and performing in line
with the assessed control ratings, the Clearing House would perform
periodic control monitoring on controls considered as ``Key'' which
would be ``High'' mitigating controls mapped against ``Very High'' or
``High'' Inherent Risks. ERM would coordinate with the First, Second
and Third Lines to develop control monitoring plans for key controls
(described further in Appendix D).
Additionally, a new paragraph would be added providing that to
ensure that key controls identified during the assessment are operating
effectively, the Clearing House would perform control monitoring, and
include a description of such processes. Control monitoring would be
performed by either the First Line (Clearing Risk Team), the Second
Line (Risk Oversight Department), the Clearing House's internal audit
team or independent third parties. The results would be reviewed by the
Chief Risk Officer and presented to the senior management team and
other governance committees as appropriate.
The amendments would provide that Risk Owners would monitor
operational risks on an on-going rather than a daily basis. They would
also clarify that the Risk Oversight Department (``ROD'') would monitor
risks daily or monthly (rather than only daily) and would monitor
operational incidents raised by the Risk Owners.
The section describing risk reporting (now subsection 3.2.6) would
be revised to include a new paragraph that describes the approval
process for the Enterprise Risk Register as being approved monthly at
each ERC and reported to each BRC and Board meeting. Stylistic changes
would also be made to this section to replace certain terms with their
acronym in order to aid with readability. Additionally, information
regarding the roles of the Board, ERC and other groups that has been
moved to other sections of the document would be deleted from this section
in order to avoid superfluousness.
Section 4.3 (Oversight of the Policy) would be updated to provide
that the
document would be subject to the oversight of the ROD (and not also the
Audit Committee).
Descriptive titles would be added to the appendices in order to aid
with readability. Additionally, a table would be added to Appendix C
that would describe the meaning of certain impact guidelines (severe/
major/moderate/minor/incidental), the numerical score assigned to such
guidelines, and the guidance applied with respect to the risk posed to
such impact. A description would be added to Appendix G--Risk
Mitigation to provide that the methodology to determine ICE Clear
Europe's residual risk involves assessing the impact of ICE Clear
Europe's control landscape on its inherent risks as shown by the matrix
set out in the appendix.
II. Risk Identification Framework
The amendments would include the formal adoption of the Risk
Identification Framework, which is intended to formalize certain
practices relating to the identification of risks. Section 1
(Introduction) of the Risk Identification Framework would provide an
overarching description of the document and its purpose. The purpose of
the Risk Identification Framework is to provide the Board with a
structure to explore, identify and monitor risks as well as ensure that
risk tolerance is articulated and documented, with responsibilities and
accountabilities clearly assigned, as described further below. This
framework would also support the Board in risk avoidance, mitigation or
acceptance.
Section 2 (Components of the Risk Identification Framework) would
describe the four components of the Risk Identification Framework: Risk
Taxonomy, which provides a single universal risk structure, terminology
and hierarchy; Enterprise Risk Register, which serves as an inventory
of the material risks faced by the Clearing House; Risk Assessment,
which requires risk owners to rate inherent risk, overall control
rating and residual risk for each level 3 risk; and Emerging Risk
Assessment, which facilitates ongoing identification, discussion and
mitigation of emerging risks at Board and executive level. The
subsections that follow would provide further descriptions of each
component and the responsibilities and frequency relating to review of
each.
Section 3 (Review and Governance) would describe the documentation
ownership and governance processes in respect of the Risk
Identification Framework. The document would be owned by the Chief Risk
Officer, and any material changes to the document would require Executive
Risk Committee and Board Approval. The Executive Risk Committee and
Board would review the Risk Identification Framework annually.
The appendices referenced throughout the document would follow and
would include appendices providing for a risk register dashboard,
rating guidance impact and likelihood and emerging business risks.
(b) Statutory Basis
ICE Clear Europe believes that the proposed amendments to the
Operational Risk Management Policy and the adoption of the Risk
Identification Framework are consistent with the requirements of
Section 17A of the Act \4\ and the regulations thereunder applicable to
it. In particular, Section 17A(b)(3)(F) of the Act \5\ requires, among
other things, that the rules of a clearing agency be designed to
promote the prompt and accurate clearance and settlement of securities
transactions and, to the extent applicable, derivative agreements,
contracts, and transactions, the safeguarding of securities and funds
in the custody or control of the clearing agency or for which it is
responsible, and the protection of investors and the public interest.
---------------------------------------------------------------------------
\4\ 15 U.S.C. 78q-1.
\5\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
The proposed changes to the Operational Risk Management Policy and
the adoption of the Risk Identification Framework are designed to
strengthen ICE Clear Europe's tools to manage the risk of losses
resulting from operational errors or failures. The amendments and
adoption would update and clarify the processes, controls and
escalations with respect to the testing and reviewing of the Clearing
House's operations as well as outline the responsibilities of the
Clearing House's committees, management and the Board in relation to
each document. Through better managing risks in operational failure
scenarios by providing the policies and framework to identify, manage and
monitor such risks, the proposed amendments to the Operational Risk
Management Policy and the adoption of the Risk Identification Framework
would promote the stability of the Clearing House and the prompt and
accurate clearance and settlement of cleared contracts. The enhanced
risk management is therefore also generally consistent with the
protection of investors and the public interest in the safe operation
of the Clearing House. (ICE Clear Europe would not expect the
amendments to affect the safeguarding of securities and funds in ICE
Clear Europe's custody or control or for which it is responsible.)
Accordingly, the amendments satisfy the requirements of Section
17A(b)(3)(F).\6\
---------------------------------------------------------------------------
\6\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
The amendments to the Operational Risk Management Policy and the
adoption of the Risk Identification Framework are also consistent with
relevant provisions of Rule 17Ad-22.\7\ Rule 17Ad-22(e)(3)(i) provides
that ``[e]ach covered clearing agency shall establish, implement,
maintain and enforce written policies and procedures reasonably
designed to, as applicable [. . .] identify, measure, monitor and
manage the range of risks that arise in or are borne by the covered
clearing agency''.\8\ As set forth above, the amendments to the
Operational Risk Management Policy are intended to clarify and enhance
the Clearing House's policies and practices that address operational
and other risks, including with respect to the ongoing review,
categorization and assessment of risks faced by the Clearing House. The
adoption of the Risk Identification Framework would assist the Board in
evaluation of risks and consequently facilitate risk avoidance,
mitigation or acceptance by the Clearing House. The amendments would
thus strengthen the management of operational risks and risk management
more generally. In ICE Clear Europe's view, the amendments are
therefore consistent with the requirements of Rule 17Ad-22(e)(3)(i).\9\
---------------------------------------------------------------------------
\7\ 17 CFR 240.17Ad-22.
\8\ 17 CFR 240.17Ad-22(e)(3)(i).
\9\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------
Rule 17Ad-22(e)(2) provides that ``[e]ach covered clearing agency
shall establish, implement, maintain and enforce written policies and
procedures reasonably designed to, as applicable [. . .] provide for
governance arrangements that are clear and transparent'' \10\ and
``[s]pecify clear and direct lines of responsibility''.\11\ The
amendments to the Operational Risk Management Policy and the adoption
of the Risk Identification Framework each would clarify or provide the
responsibilities of the Clearing House's committees, management and the
Board in relation to each such document. In ICE Clear Europe's view,
the amendments are therefore consistent with the requirements of Rule
17Ad-22(e)(2).\12\
---------------------------------------------------------------------------
\10\ 17 CFR 240.17Ad-22(e)(2)(i).
\11\ 17 CFR 240.17Ad-22(e)(2)(v).
\12\ 17 CFR 240.17Ad-22(e)(2).
---------------------------------------------------------------------------
The proposed amendments are also consistent with Rule
17Ad-22(e)(17)(i),
which provides that ``[e]ach covered clearing agency shall establish,
implement, maintain and enforce written policies and procedures
reasonably designed to, as applicable [. . .] manage the clearing
agency's operational risks by identifying the plausible sources of
operational risk, both internal and external, and mitigating their
impact through the use of appropriate systems, policies, procedures,
and controls''.\13\ The amendments to the Operational Risk Management
Policy facilitate ongoing identification of operational risks and
better mitigate their impact through improved procedures and controls
resulting from more detailed governance and review processes with
respect to risk identification, assessment, management, monitoring and
reporting. In ICE Clear Europe's view, the amendments are therefore
consistent with the requirements of Rule 17Ad-22(e)(17)(i).\14\
---------------------------------------------------------------------------
\13\ 17 CFR 240.17Ad-22(e)(17)(i).
\14\ 17 CFR 240.17Ad-22(e)(17)(i).
---------------------------------------------------------------------------
(B) Clearing Agency's Statement on Burden on Competition
ICE Clear Europe does not believe the proposed amendments would
have any impact, or impose any burden, on competition not necessary or
appropriate in furtherance of the purposes of the Act. The amendments
are being adopted to update and clarify the Clearing House's
Operational Risk Management Policy and to adopt the Risk Identification
Framework, all of which relate to the Clearing House's internal
processes for operational risk management. ICE Clear Europe does not
believe the amendments and adoption would affect the costs of clearing,
the ability of market participants to access clearing, or the market
for clearing services generally. Therefore, ICE Clear Europe does not
believe the proposed rule change imposes any burden on competition that
is inappropriate in furtherance of the purposes of the Act.
(C) Clearing Agency's Statement on Comments on the Proposed Rule Change
Received From Members, Participants or Others
Written comments relating to the proposed amendments have not been
solicited or received by ICE Clear Europe. ICE Clear Europe will notify
the Commission of any written comments received with respect to the
proposed rule change and adoption.
III. Date of Effectiveness of the Proposed Rule Change and Timing for
Commission Action
Within 45 days of the date of publication of this notice in the
Federal Register or within such longer period up to 90 days (i) as the
Commission may designate if it finds such longer period to be
appropriate and publishes its reasons for so finding or (ii) as to
which the self-regulatory organization consents, the Commission will:
(A) By order approve or disapprove such proposed rule change, or
(B) institute proceedings to determine whether the proposed rule
change should be disapproved.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views, and
arguments concerning the foregoing, including whether the proposed rule
change is consistent with the Act. Comments may be submitted by any of
the following methods:
Electronic Comments
Use the Commission's internet comment form (http://www.sec.gov/rules/sro.shtml) or
Send an email to [email protected]. Please include
File Number SR-ICEEU-2022-008 on the subject line.
Paper Comments
Send paper comments in triplicate to Secretary, Securities
and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to File Number SR-ICEEU-2022-008. This
file number should be included on the subject line if email is used. To
help the Commission process and review your comments more efficiently,
please use only one method. The Commission will post all comments on
the Commission's internet website (http://www.sec.gov/rules/sro.shtml).
Copies of the submission, all subsequent amendments, all written
statements with respect to the proposed rule change that are filed with
the Commission, and all written communications relating to the proposed
rule change between the Commission and any person, other than those
that may be withheld from the public in accordance with the provisions
of 5 U.S.C. 552, will be available for website viewing and printing in
the Commission's Public Reference Room, 100 F Street NE, Washington, DC
20549, on official business days between the hours of 10:00 a.m. and
3:00 p.m. Copies of such filings will also be available for inspection
and copying at the principal office of ICE Clear Europe and on ICE
Clear Europe's website at https://www.theice.com/clear-europe/regulation. All comments received will be posted without change.
Persons submitting comments are cautioned that we do not redact or edit
personal identifying information from comment submissions. You should
submit only information that you wish to make available publicly. All
submissions should refer to File Number SR-ICEEU-2022-008 and should be
submitted on or before May 5, 2022.
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\15\
---------------------------------------------------------------------------
\15\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
Jill M. Peterson,
Assistant Secretary.
[FR Doc. 2022-07950 Filed 4-13-22; 8:45 am]