[Federal Register Volume 87, Number 176 (Tuesday, September 13, 2022)]
[Notices]
[Pages 56129-56131]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-19679]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-95685; File No. SR-ICEEU-2022-014]


Self-Regulatory Organizations; ICE Clear Europe Limited; Order 
Approving Proposed Rule Change Relating to the ICE Clear Europe 
Outsourcing Policy

September 7, 2022.

I. Introduction

    On July 19, 2022, ICE Clear Europe Limited (``ICE Clear Europe'' or 
``ICEEU'') filed with the Securities and Exchange Commission 
(``Commission''), pursuant to Section 19(b)(1) of the Securities 
Exchange Act of 1934 (the ``Act''),\1\ and Rule 19b-4 thereunder,\2\ a 
proposed rule change to adopt an Outsourcing Policy. The proposed rule 
change was published for comment in the Federal Register on August 4, 
2022.\3\ The Commission did not receive comments regarding the proposed 
rule change. For the reasons discussed below, the Commission is 
approving the proposed rule change.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Self-Regulatory Organizations; ICE Clear Europe Limited; 
Notice of Filing of Proposed Rule Change Relating to the ICE Clear 
Europe Outsourcing Policy, Exchange Act Release No. 95394 (July 29, 
2022); 87 FR 47809 (Aug. 4, 2022) (File No. SR-ICEEU-2022-014) 
(``Notice'').
---------------------------------------------------------------------------

II. Description of the Proposed Rule Change

    The proposed rule change would create an Outsourcing Policy to 
describe, in a consolidated document, ICEEU's procedures for management 
of its outsourcing arrangements with third-party providers and 
affiliates, including how ICEEU's board maintains oversight of these 
outsourcing arrangements.\4\
---------------------------------------------------------------------------

    \4\ The description that follows is substantially excerpted from 
the Notice. Capitalized terms not otherwise defined herein have the 
meanings assigned to them in ICEEU's Outsourcing Policy or Rules, as 
applicable.
---------------------------------------------------------------------------

    The Outsourcing Policy, as a rule of the clearing agency, is 
designed to complement two of ICE Clear Europe's policies: the Vendor 
Management Policy (``VMP'') and the Outsourcing Operating Manual 
(``OOM''). The VMP describes certain group-wide policies of ICEEU's 
parent, Intercontinental Exchange, Inc., with respect to its 
outsourcing arrangements with third parties. The OOM sets out 
additional details concerning the steps it follows in order to 
introduce, amend and maintain outsourcing arrangements. Together with 
the VMP, the proposed Outsourcing Policy would document how the ICEEU 
assesses the risks of outsourcing certain functions. The Outsourcing 
Policy would not represent a change in the ICEEU's current practices, 
but rather more clearly document those practices in an overall policy.
    The Outsourcing Policy would include an introduction section that 
describes the differences between outsourcing and purchasing services, 
the former described as ICEEU's use of a service provider to perform an 
ongoing activity that would usually be performed by ICEEU and which 
often involves transferring or sharing related non-public proprietary 
information, and the latter being ICEEU's purchases of services, goods 
and facilities and which would typically not include any transfer of 
non-public proprietary information.
    The Outsourcing Policy would also differentiate ICEEU's outsourcing 
practices and purchasing arrangements with third-party providers from 
those with its affiliates. The Outsourcing Policy would state that 
outsourcing through its affiliates typically have a lower risk profile 
for ICEEU because affiliates tend to be regulated entities with the 
same or similar systems, risk appetites, standards and processes, among 
other commonalities, as ICE Clear Europe. The Outsourcing Policy would 
also set out ICEEU's overall objectives when considering outsourcing.
    The Outsourcing Policy would include a discussion of outsourcing to 
third parties and to ICEEU's affiliates. As mentioned, outsourcing to 
third parties is covered under the VMP, which covers due diligence, 
risk assessment, suitability, and performance management, among other 
topics. Outsourcing to affiliates of ICEEU would follow the same 
process and standards as under the VMP; however, assessments would be 
performed by ICEEU's senior management rather than the ICEEU's Vendor 
Management Office. ICEEU represented that, in all cases, it would look 
to ensure that all service provider-related incidents (such as service 
interruptions) are recorded, monitored, and escalated to ICEEU's

[[Page 56130]]

senior management in a consistent manner.\5\
---------------------------------------------------------------------------

    \5\ See Notice at 47809.
---------------------------------------------------------------------------

    The Outsourcing Policy would provide that ICEEU would consider, in 
its assessment of service providers, the lower risk associated in 
outsourcing functions to third parties that are also regulated or 
authorized. ICEEU would also consider in its assessment of a service 
provider how the service provider's presence in a different 
jurisdiction impacts the risks associated with outsourcing functions to 
that service providers.
    The Outsourcing Policy would also state that ICEEU would look to 
manage any potential or actual conflicts of interest resulting from its 
outsourcing arrangements, particularly in respect of outsourcing 
arrangements it has with its affiliates.
    Additionally, ICE Clear Europe proposes to include in the 
Outsourcing Policy that it looks to reserve independent audit rights to 
check compliance with legal and regulatory requirements and policies in 
its outsourcing agreements with third-party and affiliate service 
providers, as required.
    ICE Clear Europe also proposes to include in the Outsourcing Policy 
information about its cloud-based outsourcing arrangements. Outsourcing 
to the cloud is generally covered under the existing VMP. Relevant ICE 
Clear Europe and ICE Group policies, such as the Corporate Information 
Security Policy, would also be considered when engaging in cloud 
outsourcing arrangements. Adding a new or significantly changing an 
existing cloud outsource arrangement would be covered under the OOM.
    The Outsourcing Policy would include a section describing ICEEU's 
considerations when deciding whether to outsource a function considered 
``critical or important.'' A function is considered by ICEEU to be 
``critical or important'' where a defect or failure in its performance 
would materially impair the ICEEU's continuing compliance with the 
conditions and obligations or its authorizations or other obligations, 
financial performance, or the soundness or continuity of its services 
and activities.
    The Outsourcing Policy would include an acknowledgment by ICEEU 
that outsourcing ``critical or important'' functions could impact 
ICEEU's risk profile, ability to oversee the service provider and 
manage risks, business continuity measures, and performance of its 
business activities. Under the proposed Outsourcing Policy, ICEEU would 
ensure that such matters would be considered in the decision-making 
processes with respect to outsourcing. Additionally, ``critical or 
important'' functions would impact how an outsourcing arrangement is 
assessed, documented and managed by ICEEU (including by having an exit 
plan, if practical). Also, if a function to be outsourced is or would 
be a dependency to the delivery of one or more of ICEEU's important 
business services under its operational resilience framework, such 
function would be mapped accordingly with appropriate consideration 
given to potential vulnerabilities, resiliency, and impact to the 
relevant impact tolerances.
    The Outsourcing Policy would also include a discussion of 
additional considerations of particular importance to ICEEU, in light 
of its position as a systemically important financial market 
infrastructure and in alignment with its regulatory oversight. The 
proposed Outsourcing Policy would highlight the following additional 
items that ICEEU would consider with respect to its outsourcing 
arrangements: (i) business continuity arrangements, (ii) incident 
management responsiveness and reporting, (iii) independent assurances, 
and (iv) redundancies, notice periods and exit strategies. Regarding 
business continuity arrangements, the proposed rule change would state 
that, during the onboarding process and through periodic reviews and 
testing, ICEEU would assess the service provider's business continuity 
plans to ensure that they are fit for the relevant purposes. The 
proposal would state that incident management and responsiveness and 
timely reporting are important factors in ICEEU's outsourcing 
arrangements, given the services that ICEEU operates. Accordingly, the 
proposal would require that outsourcing providers have appropriate 
mechanisms for timely response and incident management. Regarding 
independent assurances, the proposal would state that where possible 
and practicable, ICEEU would look to collect independent assurances of 
the outsourcing providers' services, which may include but are not 
limited to SOC2 audits, Regulation SCI audits, and enterprise 
technology risk assessments. Finally, the proposed Outsourcing Policy 
would state that where possible and practicable, the ICEEU would look 
to mitigate the risk of disruption to its services from outsourcing 
providers ceasing to provide their services to ICEEU, through 
redundancies (the use of multiple providers), sufficient notice 
periods, or exit strategies.
    The proposed Outsourcing Policy would also include a section 
describing ICEEU's Board oversight of outsourcing arrangements. The 
Board oversees ICEEU's outsourcing arrangements through risk appetite 
metrics that include service and incident reporting, operational risk 
reporting that covers incidents observed in the relevant period, their 
resolution and other performance metrics, and an Annual Outsourcing 
Assessment Report.
    The proposed Outsourcing Policy would state that the COO or its 
delegate would prepare the Annual Outsourcing Assessment Report, which 
would be reviewed by the Board each year directly or via its 
committees. The Annual Outsourcing Assessment Report would cover the 
following topics: (i) the activities and services that are outsourced, 
(ii) the identities of the outsource providers, (iii) the performance 
of the outsourcing providers and their adherence to agreed service 
levels, (iv) where relevant, the security measures of the outsourcing 
providers, (v) risk reviews of the outsourcing providers, particularly 
those providing critical or important cloud outsourcing arrangements, 
(vi) exit strategies and contingency arrangements associated with 
outsourcing critical or important functions, and (vii) results and 
conclusions of additional assurance mechanisms (for example, SOC2 
audits) where applicable.
    Finally, the proposed Outsourcing Policy would describe governance 
and exception handling. The document owner would be responsible for 
ensuring that it remains up to date and reviewed in accordance with 
ICEEU's governance processes. Exceptions to the Outsourcing Policy 
would also be approved in accordance with such governance processes. 
Any deviations from the Outsourcing Policy would have to be 
appropriately escalated and reported in a timely manner by the document 
owner, and the document owner would also be responsible for reporting 
any material breaches or deviations to the President of ICE Clear 
Europe and the Risk Oversight Department in order to determine the 
appropriate governance escalation and notification requirements.

III. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act directs the Commission to approve a 
proposed rule change of a self-regulatory organization if it finds that 
such proposed rule change is consistent with the requirements of the 
Act and the rules and regulations thereunder

[[Page 56131]]

applicable to such organization.\6\ For the reasons discussed below, 
the Commission finds that the proposed rule change is consistent with 
Section 17A(b)(3)(F) of the Act,\7\ and Rules 17Ad-22(e)(2)(v) and 
(e)(3)(i) thereunder.\8\
---------------------------------------------------------------------------

    \6\ 15 U.S.C. 78s(b)(2)(C).
    \7\ 15 U.S.C. 78q-1(b)(3)(F).
    \8\ 17 CFR 240.17Ad-22(e)(2)(v) and (e)(3)(i).
---------------------------------------------------------------------------

A. Consistency With Section 17A(b)(3)(F) of the Act

    Section 17A(b)(3)(F) of the Act requires, among other things, that 
the rules of ICE Clear Europe be designed to promote the prompt and 
accurate clearance and settlement of securities transactions and, to 
the extent applicable, derivative agreements, contracts, and 
transactions.\9\ As noted above, the proposed rule change would create 
a consolidated policy-level document for managing outsourcing of 
services with both third-party providers and affiliates of ICEEU. 
Specifically, the proposed rule change would lay out in detail certain 
key considerations of ICEEU in outsourcing, including assessing service 
providers' operational capabilities, dependencies, resilience, 
financial, reputational, legal, and regulatory standing. The proposed 
rule change would also include an acknowledgment by ICEEU that 
outsourcing critical or important functions could impact its risk 
profile, ability to oversee the service provider and manage risks, 
business continuity measures, and performance of its business 
activities, and would be considered in outsourcing decisions. The 
proposed Outsourcing Policy would also include that ICEEU looks to 
manage any potential or actual conflicts of interest resulting from its 
outsourcing arrangements. The Commission believes that these 
overarching considerations, combined with a description of ICEEU's 
Board oversight of outsourcing arrangements, would enhance ICEEU's 
ability to manage risks associated with outsourcing as they arise as 
well as its ability to regularly assess outsourcing providers. The 
Commission believes that this in turn should strengthen ICEEU's ability 
to carry out its operations, thereby promoting the prompt and accurate 
clearance and settlement of securities transactions.
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    For these reasons, the Commission believes that the proposed rule 
change is consistent with Section 17A(b)(3)(F) of the Act.\10\
---------------------------------------------------------------------------

    \10\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

B. Consistency With Rule 17Ad-22(e)(2)(v) Under the Act

    Rule 17Ad-22(e)(2)(v) requires, in relevant part, that ICEEU 
establish, implement, maintain, and enforce written policies and 
procedures reasonably designed, as applicable, to provide for 
governance arrangements that specify clear and direct lines of 
responsibility.\11\
---------------------------------------------------------------------------

    \11\ 17 CFR 240.17 Ad-22(e)(2)(v).
---------------------------------------------------------------------------

    As noted above, the proposed Outsourcing Policy would explain the 
Board's role in overseeing outsourcing arrangements, including through 
utilization of risk metrics, operational risk reporting, and the review 
of the annual outsourcing assessment report (prepared by the COO). 
Further, the proposed rule change would state that the document owner 
is responsible for updating the proposed Outsourcing Policy, that any 
exceptions to the document would be escalated and reported by the 
document holder, and that the document owner would report any material 
breaches or deviations to the President of ICEEU and will notify the 
Risk Oversight Department in order to determine the appropriate 
governance escalation and notification requirements. The Commission 
believes that documenting the roles and responsibilities for managing 
the proposed Outsourcing Policy in this way provides for governance 
arrangements that specify clear and direct lines of responsibility.
    For these reasons, the Commission believes that the proposed rule 
change is consistent with Rule 17Ad-22(e)(2)(v).\12\
---------------------------------------------------------------------------

    \12\ 17 CFR 240.17 Ad-22(e)(2)(v).
---------------------------------------------------------------------------

C. Consistency With Rule 17Ad-22(e)(3)(i) Under the Act

    Rule 17Ad-22(e)(3)(i) requires that ICEEU establish, implement, 
maintain, and enforce written policies and procedures reasonably 
designed to, as applicable, maintain a sound risk management framework 
for comprehensively managing legal, credit, liquidity, operational, 
general business, investment, custody, and other risks that arise in or 
are borne by ICEEU, which includes risk management policies, 
procedures, and systems designed to identify, measure, monitor, and 
manage the range of risks that arise in or are borne by ICEEU, that are 
subject to review on a specified periodic basis and approved by ICEEU's 
board of directors annually.\13\
---------------------------------------------------------------------------

    \13\ 17 CFR 240.17 Ad-22(e)(3)(i).
---------------------------------------------------------------------------

    Because the proposed Outsourcing Policy described above sets forth 
considerations and approaches to measuring, monitoring, and identifying 
the risks related to outsourcing arrangements and lays out governance 
of this process on an annual basis, the Commission believes that it 
strengthens ICEEU's management of a range of risks borne by it which is 
also subject to periodic and annual Board review. For example, the 
Commission believes that the proposed procedures related to identifying 
critical functions (defining a function as ``critical or important''), 
the regular assessment of service providers (assessment of service 
provider's business continuity plans and timely response to incidents), 
and mitigation of risk (through redundancies, notice periods and exit 
strategies) from service providers, all support and strengthen ICEEU's 
ability to identify, monitor, and measure the risks related to 
outsourcing arrangements.
    For these reasons, the Commission believes that the proposed rule 
change is consistent with Rule 17Ad-22(e)(3)(i).\14\
---------------------------------------------------------------------------

    \14\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

IV. Conclusion

    On the basis of the foregoing, the Commission finds that the 
proposed rule change is consistent with the requirements of the Act, 
and in particular, with the requirements of Section 17A(b)(3)(F) of the 
Act,\15\ and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(3)(i).\16\
---------------------------------------------------------------------------

    \15\ 15 U.S.C. 78q-1(b)(3)(F).
    \16\ 17 CFR 240.17Ad-22(e)(2)(i) and (v) and 17 CFR 240.17Ad-
22(e)(3)(i).
---------------------------------------------------------------------------

    It is therefore ordered pursuant to Section 19(b)(2) of the Act 
\17\ that the proposed rule change (SR-ICEEU-2022-014), be, and hereby 
is, approved.\18\
---------------------------------------------------------------------------

    \17\ 15 U.S.C. 78s(b)(2).
    \18\ In approving the proposed rule change, the Commission 
considered the proposal's impact on efficiency, competition, and 
capital formation. 15 U.S.C. 78c(f).

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\19\
---------------------------------------------------------------------------

    \19\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2022-19679 Filed 9-12-22; 8:45 am]
BILLING CODE 8011-01-P