[Federal Register Volume 87, Number 185 (Monday, September 26, 2022)]
[Notices]
[Pages 58409-58425]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-20728]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-95842; File No. SR-OCC-2022-010]


Self-Regulatory Organizations; the Options Clearing Corporation 
Notice of Filing of Proposed Rule Change by the Options Clearing 
Corporation Concerning a Risk Management Framework and Corporate Risk 
Management Policy

September 20, 2022.
    Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 
(``Exchange Act'' or ``Act''),\1\ and Rule 19b-4 thereunder,\2\ notice 
is hereby given that on September 6, 2022, the Options Clearing 
Corporation (``OCC'') filed with the Securities and Exchange Commission 
(``SEC'' or ``Commission'') the proposed rule change as described in 
Items I, II, and III below, which Items have been prepared by OCC. The 
Commission is publishing this notice to solicit comments on the 
proposed rule change from interested persons.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
---------------------------------------------------------------------------

I. Clearing Agency's Statement of the Terms of Substance of the 
Proposed Rule Change

    OCC files this proposed rule change to adopt a revised Risk 
Management Framework (``RMF'') as well as a new Corporate Risk 
Management Policy (``CRMP''). The RMF and CRMP are provided as in 
Exhibits 5A and 5B of File No. SR-OCC-2022-010. The RMF and CRMP would 
replace the current OCC Risk Management Framework Policy (``RMF 
Policy''). These documents are being submitted without marking to 
improve readability and are being submitted in their entirety as new 
rule text. The RMF Policy, provided as Exhibit 5C of File No. SR-OCC-
2022-010, is submitted entirely in strikethrough text to indicate its 
retirement. In addition, OCC submits corresponding changes to its 
Clearing Fund Methodology Policy, Collateral Risk Management Policy, 
Default Management Policy, Margin Policy, Model Risk Management Policy, 
Recovery and Orderly Wind-Down Plan, and Third-Party Risk Management 
Framework (``TPRMF'') (collectively, the ``OCC Risk Policies'') to 
update any reference to the RMF Policy to refer instead to the proposed 
RMF. The OCC Risk Policies are provided as Exhibits 5D-5J of File SR-
OCC-2022-010. OCC submitted Exhibits 5D through 5I subject to a 
confidential treatment request under SEC Rule 24b-2.\3\
---------------------------------------------------------------------------

    \3\ 17 CFR 240.24b-2.
---------------------------------------------------------------------------

    The proposed rule change does not require any changes to the text 
of OCC's By-Laws or Rules. All terms with initial capitalization that 
are not otherwise defined herein have the same meaning as set forth in 
the OCC By-Laws and Rules.\4\
---------------------------------------------------------------------------

    \4\ OCC's By-Laws and Rules can be found on OCC's website: 
https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules.
---------------------------------------------------------------------------

II. Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

    In its filing with the Commission, OCC included statements 
concerning the purpose of and basis for the proposed rule change and 
discussed any comments it received on the proposed

[[Page 58410]]

rule change. The text of these statements may be examined at the places 
specified in Item IV below. OCC has prepared summaries, set forth in 
sections (A), (B), and (C) below, of the most significant aspects of 
these statements.

(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

(1) Purpose
    OCC maintains various documents designed to define a comprehensive 
framework for managing OCC's various risks, including financial risks, 
legal, and operational risks. OCC's RMF Policy serves as an umbrella 
document describing OCC's framework for managing risk at a high level. 
As required by SEC Rule 17Ad.22(e)(3)(i), OCC routinely reviews its 
policies and procedures for potential improvements, such as providing 
more comprehensive descriptions and definitions as well as making the 
documents more clear, internally consistent, and well organized. Based 
on its routine review of the existing RMF Policy, OCC believes it 
should replace its current RMF Policy with two, more detailed 
documents. By making this change, described in detail below, OCC 
intends to enhance the clarity and transparency of its overall risk 
management framework. The change to OCC's documents will not affect 
OCC's members or other market participants. Rather, it is intended to 
better describe and strengthen OCC's internal risk management 
processes.
Background
    OCC proposes to amend its existing RMF Policy \5\ by establishing 
the RMF and CRMP. OCC believes the revised documents enhance the 
clarity and transparency of its overall risk management framework and 
once approved, OCC plans to make the RMF and CRMP publicly available on 
its website (www.theocc.com). OCC believes the proposed revised RMF 
would continue to provide a foundation to support and describe the risk 
management policies, procedures, and systems that make up OCC's sound 
risk management framework.
---------------------------------------------------------------------------

    \5\ See Exchange Act Release No. 34-82232 (Dec. 7, 2017), 82 FR 
58662 (Dec. 13, 2017) (File No. SR-OCC-2017-005).
---------------------------------------------------------------------------

    In undertaking this revision of the RMF Policy, OCC is seeking to 
present its approach to risk management more clearly. The RMF Policy 
presents detailed information about OCC's second line functions, while 
also summarizing information about other risk management functions at 
OCC. OCC believes that the proposed RMF presents a clear summary of 
OCC's overall approach to risk management across its three lines of 
defense and, if necessary, its planning for recovery and wind-down. 
Consistent with the presentation of OCC's risk management across its 
three lines of defense, the RMF would refer to the CRMP, which would 
contain the detail behind OCC's second line corporate risk management 
program. OCC believes this is consistent with its approach to providing 
detailed information about its various functions in documents that 
stand separate from, but support and provide detail about the risk 
management activities summarized in, its proposed RMF.\6\
---------------------------------------------------------------------------

    \6\ For example, the RMF addresses risks managed by OCC's first 
line of defense through supporting policies and procedures, 
including, among other rule-filed policies, the Margin Policy, 
Collateral Risk Management Policy, Liquidity Risk Management 
Framework, and the Default Management Policy.
---------------------------------------------------------------------------

    The proposed RMF would provide an overview of risk management at 
OCC. The proposed RMF introduces the categories of risk OCC faces and 
then explains how OCC manages these risks. The proposed RMF includes an 
overview of OCC's risk universe, descriptions of risk management 
practices across OCC's three lines of defense model, a discussion of 
how OCC is also prepared, if necessary, with tools to manage both 
recovery and orderly wind-down, and the requirement to escalate 
exceptions to and deviations from OCC's risk management frameworks and 
policies to OCC's Corporate Risk Management and Compliance departments.
    The proposed CRMP would support the proposed RMF by explaining in 
greater detail OCC's risk management activities related to the second 
line of defense corporate risk management program. The proposed CRMP 
would explain that the OCC Corporate Risk Management department 
(``Corporate Risk''), formerly referred to as the Enterprise Risk 
Management department (``ERM''),\7\ evaluates risks that may affect 
OCC's ability to perform the functions detailed in the proposed RMF. As 
discussed below, the proposed CRMP would provide an overview of the 
activities overseen by Corporate Risk to identify, measure, monitor, 
manage, report, and escalate risks. Certain of this information is 
currently included in the RMF Policy, but OCC believes, consistent with 
other areas of risk managed by OCC, the details about its corporate 
risk management program should reside in the proposed CRMP. Other 
information would be new, including sections to describe Corporate 
Risk's risk monitoring, risk treatment, and risk escalation and 
training processes. Exhibit 3 to File No. SR-OCC-2022-010 summarizes 
the proposed reorganization of the RMF Policy into the RMF and CRMP.
---------------------------------------------------------------------------

    \7\ As part of the proposed rule change, OCC would reflect that 
OCC has renamed its ERM department as Corporate Risk and make 
conforming changes throughout the OCC Risk Policies. In addition to 
functions specific to enterprise risk monitoring, Corporate Risk 
includes other functions such as Model Risk Management and Third-
Party Risk Management.
---------------------------------------------------------------------------

Proposed Changes to Risk Management Framework Policy
    The proposed revisions to the RMF Policy are designed to present 
OCC's approach to risk management more clearly. For example, the RMF 
Policy currently presents detailed information about both the financial 
and corporate risk management functions at OCC. OCC proposes to adopt a 
new RMF to more clearly describe its overall risk framework. OCC also 
proposes to adopt a new CRMP to describe its approach to corporate risk 
management in more detail. The proposed changes to the current RMF 
Policy are discussed in detail below.
Purpose Section
    The purpose section of the RMF Policy would be replaced with 
purpose and introduction sections of the new RMF and CRMP, 
respectively. These sections would be revised to reflect the 
reorganization of content in the RMF Policy in the new RMF and CRMP, 
focusing on the purpose and intent of each of the newly proposed 
documents. For example, the purpose of the proposed RMF would be to: 
(i) describe how OCC manages risk while providing efficient and 
effective clearing and settlement services to the markets it serves; 
(ii) explain how OCC's governance model and three lines of defense 
facilitate risk management; and (iii) address OCC's ability to employ 
recovery tools and facilitate an orderly wind-down. The purpose of the 
proposed CRMP would be to describe OCC's corporate risk management 
approach, including activities to identify, measure, monitor, manage, 
report, and escalate risks to inform decision-making.
Context for Risk Management Framework and Risk Management Philosophy
    OCC proposes to delete the Context for Risk Management Framework 
and Risk Management Philosophy sections of the RMF Policy from the 
proposed RMF. OCC believes these sections provide history and 
background

[[Page 58411]]

information about OCC and its purpose in the financial markets, but do 
not contain rules of OCC. Additionally, OCC believes the information 
presented in the Risk Management Philosophy section serves as an 
additional purpose section and that all items highlighted in this 
section are covered in the proposed RMF or CRMP. For example, OCC's 
approach relative to risk appetite is mentioned in the Risk Management 
Philosophy section but is covered in more comprehensive detail in the 
CRMP.
Risk Appetite Framework and Tolerance
    The RMF Policy describes OCC's risk appetite framework, including 
descriptions of OCC's use of a risk universe, risk appetites,\8\ and 
risk tolerances.\9\ The RMF Policy also describes the use of Key Risks 
\10\ and Risk Sub-categories to define the universe of risks faced by 
OCC and the Risk Appetite Statements \11\ assigned to such risks. OCC 
proposes to relocate this information to the Risk Governance section of 
the proposed CRMP. However, an overview of OCC's risk universe would be 
retained in the RMF, including a description of the main risk 
categories and that, pursuant to the CRMP, these categories are broken 
down to risk-subcategories and risk statements, as described below, 
which comprise OCC's risk universe that OCC manages through the three 
lines of defense model to maintain effective clearing and settlement 
operations.
---------------------------------------------------------------------------

    \8\ Risk appetites are qualitative articulations of the amount 
of risk OCC is willing to accept and establish expectations for 
OCC's risk management.
    \9\ Risk tolerances are qualitative or quantitative measures 
that help inform whether risks are within risk appetites.
    \10\ The RMF Policy defines Key Risk to mean risk that is 
related to the foundational aspects of CCP clearing, settlement, and 
risk management services.
    \11\ The RMF Policy defines Risk Appetite Statement to mean a 
statement that expresses OCC's judgment, for each of OCC's Key 
Risks, regarding the level of risk OCC is willing to accept related 
to the provision of CCP services.
---------------------------------------------------------------------------

    The proposed CRMP would state that the establishment and 
maintenance of OCC's risk universe, risk appetites, risk tolerances, 
and risk rating scales is facilitated by Corporate Risk and used across 
OCC to create a transparent means to manage risk. The proposed CRMP 
would also state that Corporate Risk establishes the risk universe, 
which organizes OCC's risks into the following three layers to classify 
and aggregate risks:
     Risk categories, which are the highest-level groups of 
risk aggregation;
     Risk sub-categories, which further classify risks within 
risk categories into detailed groups; and
     Risk statements, which are descriptions of the drivers, 
events, and consequences of risks.

The terms ``risk categories,'' ``risk sub-categories,'' and ``risk 
statements'' essentially represent the Key Risks, Sub-categories, and 
Definitions that are discussed in the current RMF Policy. OCC believes 
the proposed terms better describe the elements that comprise OCC's 
risk universe and the relationship between them.
    Risk categories, sub-categories, appetites, and tolerances would 
continue to be reviewed on at least an annual basis. Under the current 
RMF, Key Risks are approved by OCC's Board and risk appetites for Key 
Risks are set by the business departments responsible for those risk in 
cooperation with ERM. Under the proposed CRMP, the risk universe would 
be owned and approved by the Chief Risk Officer (``CRO'') and provided 
to the Management Committee. OCC believes the Chief Risk Officer, who 
is responsible for OCC's corporate risk management function, is the 
officer best situated to manage the risk universe. Changes to the RMF 
to reflect any changes to risk categories would continue to require 
Board approval. In addition, the Board or the Risk Committee, if the 
Board has delegated the Risk Committee such authority,\12\ would 
ultimately be responsible for approving risk appetites, which establish 
the type and amount of risk OCC is willing to accept. OCC believes that 
the Board or Risk Committee are best positioned to approve risk 
appetites because of their oversight role with respect to OCC's risk 
management. Additionally, the Board or Risk Committee would continue to 
be responsible for approving risk tolerances.
---------------------------------------------------------------------------

    \12\ The Board has approved such delegation of authority to the 
Risk Committee. See Exchange Act Release No. 94988 (May 26, 2022); 
87 FR 33535 (June 2, 2022) (File No. SR-OCC-2022-002).
---------------------------------------------------------------------------

    The proposed CRMP would also provide additional details around the 
internal governance process for reviewing and approving risk 
categories, appetites, and tolerances and for monitoring risk 
tolerances. For example, the proposed CRMP would state that at least 
every twelve months, Corporate Risk determines whether updates to the 
risk universe are necessary to better align risk categories, sub-
categories, and statements with OCC's clearance, settlement and risk 
management services. The proposed CRMP would require that risk category 
and sub-category updates are approved by the CRO while risk statements 
are approved by Corporate Risk management. The proposed CRMP would 
further provide that the Management Committee and Board are then 
notified of updates to risk categories and sub-categories.
    The proposed CRMP would state that at least every twelve months, 
risk appetites are established at a risk sub-category level and 
presented by the CRO to the Management Committee for recommendation to 
the Board or Risk Committee for approval. The proposed CRMP would 
require that Risk Owners manage the level of risk exposure posed by a 
process against risk appetites.\13\ The proposed CRMP would state that 
Corporate Risk monitors risks to identify breaches of risk appetite. 
The proposed CRMP would also provide that risk appetite breaches are 
escalated by the CRO to the Management Committee, Risk Committee, and 
Board. The proposed CRMP would state that Risk Owners, with input from 
relevant business areas, develop and execute risk treatment plans to 
reduce risks that exceed OCC's risk appetites.\14\ The proposed CRMP 
would state that at least every twelve months, Corporate Risk and Risk 
Owners review risk appetites and, where necessary, make adjustments to 
align with OCC's clearance, settlement and risk management services. 
The proposed CRMP would state that the CRO reviews and presents changes 
to risk appetites to the Management Committee for recommendation to the 
Board for approval. OCC proposes to remove the more general risk 
appetite statement definitions (i.e., no appetite, low appetite, 
moderate appetite, and high appetite), which are currently described in 
the RMF Policy, and would instead use more detailed qualitative risk 
appetite statements for each risk sub-category following the governance 
process described above.
---------------------------------------------------------------------------

    \13\ The proposed CRMP defines ``Risk Owner'' to mean an 
employee with the accountability and authority to manage the risk.
    \14\ The proposed CRMP would state that risk treatment is the 
process to manage a risk through avoidance, mitigation, 
transference, or acceptance.
---------------------------------------------------------------------------

    With respect to risk tolerances, the proposed CRMP would state that 
Risk Owners are responsible for managing applicable risks within 
established tolerances and developing risk treatment plans to resolve 
breaches of risk tolerance. The proposed CRMP would require that risk 
tolerance breaches are escalated by the CRO to the Management 
Committee, Risk Committee, and Board. The proposed CRMP would state 
that at least every twelve months, Corporate Risk and Risk Owners 
review risk tolerances and, where necessary, make adjustments to align 
with OCC's services. The proposed

[[Page 58412]]

CRMP would state that the CRO reviews and presents changes to risk 
tolerances to the Management Committee for recommendation to the Board 
for approval. As discussed below in connection with the monitoring of 
key risk indicators, the CRO would also monitor and report risk, 
including risk tolerance breaches, to the Board at each regularly 
scheduled meeting. OCC notes that it also proposes to change the 
reporting cadence to align with the timing of Board meetings to reflect 
that Board meetings typically, but do not always, occur on a quarterly 
schedule.\15\
---------------------------------------------------------------------------

    \15\ See, e.g., Exchange Act Release No. 94988, 87 FR at 33539 
(updating cadence of certain Board reporting to reflect that such 
reporting occurs at regular Board meetings).
---------------------------------------------------------------------------

    The proposed CRMP would also introduce the concept of risk rating 
scales, which provide an assessment of risk from an impact and 
likelihood perspective consistently across OCC. The proposed CRMP would 
state that OCC's risk rating scales rate the magnitude of impact an 
event will have on a process and the likelihood an event will occur. 
The proposed CRMP would state that the impact risk rating scale 
considers operational, internal financial, external financial, legal 
and regulatory, and reputational impacts. The proposed CRMP would state 
that the likelihood risk rating scale considers a 10-year financial 
cycle and yearly corporate planning activities. The proposed CRMP would 
state that these risk rating scales are used to measure inherent and 
residual risk at a risk statement level. The proposed CRMP would state 
that inherent risk is the level of risk exposure posed by a process 
absent any controls to reduce the likelihood or severity of an event. 
The proposed CRMP would state that residual risk is the level of risk 
exposure posed by a process or activity after the application of 
controls or other risk-mitigating factors. The proposed CRMP would 
state that at least every twelve months, Corporate Risk and Risk Owners 
perform a review of the risk rating scales. The proposed CRMP would 
state that the CRO reviews and approves changes to the risk scales. The 
proposed CRMP would state that the Management Committee and Board are 
notified of changes to the risk rating scales.
    OCC believes the proposed CRMP would provide a more comprehensive 
overview of OCC's risk governance framework and would include changes 
intended to improve certain processes therein. The proposed CRMP would 
provide additional details around the internal governance process for 
reviewing and approving risk categories, appetites, and tolerances and 
for monitoring risk tolerances and would describe OCC's risk rating 
scale process. The proposed changes would also improve the governance 
process for the risk universe by allowing the CRO to modify risk 
categories as needed, with oversight of Management Committee, the Risk 
Committee and the Board, and provide the Board or Risk Committee with 
more direct responsibility for setting the appetites for those risks.
Risk Management Governance
    OCC proposes to relocate the Risk Management Governance section of 
the current RMF Policy to a new Governance section of the proposed RMF 
with certain modifications. OCC proposes to update the description of 
the responsibilities of the Board, which are generally already 
addressed in the Board of Directors Charter and Corporate Governance 
Principles (``Board Charter''),\16\ which is filed with the Commission 
as a rule of OCC.\17\ The proposed RMF would state that the Board is 
responsible for advising and overseeing management. The proposed RMF 
would state that pursuant to the OCC Board of Directors Charter and 
Corporate Governance Principles, the CRO presents a review of the RMF 
to the Board for approval at least annually. The proposed RMF would 
state that the Board may delegate the oversight of specific risks to 
Board-level committees (``Committees'').\18\ The proposed RMF would 
state that the Board may form or disband committees, including 
subcommittees to manage specific risks, as it from time to time deems 
appropriate, and may delegate authority to one or more designated 
members of such committees. The proposed RMF would state that the 
responsibilities of Board committees regarding managing risks are 
outlined in committee charters.
---------------------------------------------------------------------------

    \16\ The Board Charter can be found on OCC's public website: 
https://www.theocc.com/about/corporate-information/board-charter.
    \17\ See, e.g., Exchange Act Release No. 84473 (Oct. 23, 2018), 
83 FR 54385 (Oct. 29, 2018) (File No. SR-OCC-2018-012).
    \18\ The Board has delegated oversight of specific risks to 
Committees through the Committee Charters. For example, the Board 
has delegated oversight of OCC's financial, collateral, risk model 
and third-party risk management processes to the Risk Committee. See 
Exchange Act Release No. 94988, 87 FR at 33539 (File No. SR-OCC-
2022-002).
---------------------------------------------------------------------------

    OCC also proposes to update the description of the responsibilities 
of the Management Committee and working groups in the new RMF. The 
proposed RMF would state that OCC's Management Committee supports the 
management and conduct of its business in accordance with policy 
directives from the Board. The proposed RMF would state that the 
Management Committee includes officers \19\ responsible for ensuring 
that its actions and decisions are consistent with OCC's mission, Code 
of Conduct, Rules and By-Laws, policies, procedures, and general 
principles of sound corporate governance. The proposed RMF would state 
that the CRO is a member of the Management Committee and reports to the 
Risk Committee. The proposed RMF would state that the Management 
Committee may form and delegate authority to subcommittees and working 
groups of employees to conduct certain of its activities. The proposed 
RMF would state that subcommittees and working groups are responsible 
for reporting and escalating information as may be appropriate. This 
would replace the current description in the RMF Policy, which 
primarily relates to the committee's role and responsibilities in 
reviewing and recommending changes to OCC's risk universe, including 
risk appetites and tolerances, and escalating breaches of such to the 
Board. These responsibilities would now be addressed in the proposed 
CRMP (as discussed in the Risk Appetite Framework and Tolerance section 
above).
---------------------------------------------------------------------------

    \19\ The proposed RMF would state that The Management Committee 
may include, but is not limited to the following officers: Executive 
Chairman, Chief Executive Officer, Chief Operating Officer, Chief 
Financial Risk Officer, Chief External Relations Officer, Chief Risk 
Officer, Chief Audit Executive, Chief Compliance Officer, Chief 
Financial Officer, Chief Human Resources Officer, Chief Information 
Officer, Chief Security Officer, Chief Legal Officer and General 
Counsel, Chief Clearing and Settlement Services Officer, and Chief 
Regulatory Counsel.
---------------------------------------------------------------------------

    The Governance section of the proposed RMF would also be updated to 
include a description of the responsibilities of OCC employees. The 
proposed RMF would state that OCC considers risk management during 
employee recruitment, development, training, and succession planning. 
The proposed RMF would state that OCC recruits and retains personnel 
with appropriate risk management knowledge, skills, and competencies. 
The proposed RMF would state that OCC also identifies successors for 
designated officers based on knowledge and experience. The proposed RMF 
would state that OCC provides internal and external development 
opportunities including required training related to risk, compliance, 
security, conflicts of interest, escalation of concerns, and the OCC 
Code of Conduct. The proposed RMF would state that OCC provides outlets 
for employees to anonymously report concerns that are reviewed by

[[Page 58413]]

OCC's Compliance, Human Resources, and Legal departments.
Identification of Key Risks
    The RMF Policy currently contains an Identification of Key Risks 
section that defines OCC's Key Risks and provides a brief description 
of OCC's policies and procedures for managing each of those Key Risk 
and their respective Risk Sub-Categories. OCC proposes to replace the 
Identification of Key Risks section with a new OCC Risk Management 
section of the proposed RMF, which would be reorganized to focus on the 
three lines of defense model currently described in the RMF Policy and 
describe the types of risks managed by each line of defense. The new 
OCC Risk Management section of the RMF would: (i) restate existing 
content of the RMF; (ii) introduce new content not currently contained 
in OCC's RMF Policy; and (iii) delete certain aspects of the RMF 
Policy. The changes are discussed in detail below.
    The proposed RMF would state that OCC employs a three lines of 
defense model. The proposed RMF would state that the model clarifies 
ownership and accountability and enhances communication for 
expectations around risk management throughout the organization. The 
proposed RMF would state that the first line of defense maintains 
policies, procedures, processes, and controls established for day-to-
day risk management. The proposed RMF would state that the second line 
of defense evaluates and provides effective challenge to the first line 
by executing critical analysis to identify process limitations and 
recommending changes to relevant policies, procedures, processes, 
systems, and controls. Lastly, the proposed RMF would state that the 
third line of defense is an internal audit function that reviews and 
provides objective assurance to the first and second lines. The 
proposed RMF would state that OCC employees report to members of the 
Management Committee. Consistent with the OCC Employee Code of Conduct, 
employees are expected to escalate risk information through their 
reporting line or to other members of management. The proposed RMF 
would state that risks identified at OCC are reported to the Management 
Committee and Board consistent with relevant charters and policies.
First Line of Defense
    The proposed RMF would state that the risk inherent in OCC's 
clearing and settlement services is managed by the first line of 
defense, which is responsible for owning and managing risks by 
maintaining policies, procedures, processes, systems, and controls that 
manage relevant risks. The proposed RMF would state that the first line 
of defense is comprised of OCC's operational business units, including 
Financial Risk Management (``FRM''), Business Operations, Information 
Technology, and Corporate Finance, and also includes corporate 
functions such as human resources and project management. The proposed 
RMF would state that the first line of defense is also accountable for 
maintaining internal controls, control self-testing, and implementing 
corrective action to address control deficiencies. The proposed RMF 
would state that the first line of defense maintains policies and 
associated procedures that detail the processes and controls 
implemented across business units which are used to execute risk 
management related to the clearing and settlement services detailed 
below.
Membership Standards
    The proposed RMF would state that Membership standards are 
established by the Board and risk managed by OCC's Business Operations, 
FRM and Information Technology in accordance with OCC's TPRMF. The 
proposed RMF would state that OCC has risk-based clearing membership 
standards to manage the risks arising from Clearing Members. The 
proposed RMF would state that these requirements include applicable 
registrations, net capital requirements, creditworthiness, adequate 
operational capabilities, and maintaining qualified personnel. The 
proposed RMF would state that the Risk Committee reviews these 
standards to ensure OCC provides fair and open access to clearing and 
settlement services. The proposed RMF would state that Clearing Members 
that fail to meet the membership standards face the possibility of 
consequences up to and including suspension.
Credit
    The proposed RMF would state that OCC's credit risk is managed by 
Business Operations, FRM, and Corporate Finance. The proposed RMF would 
state that OCC is exposed to credit risk based on its role as guarantor 
of cleared contracts. The proposed RMF would state that OCC has credit 
risk related to Clearing Members and manages this exposure by 
collecting margin and Clearing Fund resources based on a Clearing 
Member's risk profile. The proposed RMF would state that OCC also faces 
credit risk from other financial institutions that facilitate payment, 
clearing, and settlement activities (e.g., clearing banks, custodians, 
and linked financial market utilities). The proposed RMF would state 
that FRM monitors its credit risk related to Clearing Members and 
financial institutions consistent with the TPRMF. The proposed RMF 
would state that FRM analyzes the creditworthiness of each financial 
institution, in addition to other information that could impact the 
financial institution's ability to facilitate payment, clearing, and 
settlement services.
Clearing Fund
    The proposed RMF would state that OCC's Clearing Fund is managed by 
FRM and Business Operations. The proposed RMF would state that OCC 
maintains a Clearing Fund comprised of high-quality liquid assets to 
cover its credit risk exposure from Clearing Members in accordance with 
OCC's confidential Clearing Fund Methodology Policy and Chapter X of 
OCC's Rules. The proposed RMF would state that FRM uses stress tests to 
project the Clearing Fund size necessary to maintain prefunded 
financial resources to cover losses arising from the default of the two 
Clearing Member Groups that would potentially cause the largest 
aggregate credit exposure to OCC in extreme but plausible market 
conditions. The proposed RMF would state that FRM also uses stress test 
results to determine the sufficiency of the Clearing Fund size and 
determine whether to issue calls for additional collateral or perform 
an intra-month Clearing Fund resizing. The proposed RMF would state 
that FRM reviews the adequacy of its Clearing Fund models through 
sensitivity analysis and an analysis of its parameters and assumptions. 
The proposed RMF would state that FRM reports the results of Clearing 
Fund model reviews to the Board.
Margin
    The proposed RMF would state that OCC's margin is managed by FRM 
and Business Operations. The proposed RMF would state that FRM utilizes 
a risk-based margin methodology to calculate Clearing Member margin 
requirements in accordance with OCC's confidential Margin Policy and 
Chapter VI of OCC's Rules. The proposed RMF would state that FRM 
calculates margin daily for Clearing Member accounts. The proposed RMF 
would state that Intra-day margin calls may also be made for accounts 
incurring significant losses. The proposed RMF would state that FRM 
reviews the adequacy of its margin models through sensitivity analysis, 
backtests, and an analysis of its

[[Page 58414]]

parameters and assumptions. The proposed RMF would state that FRM 
reports the results of margin model reviews to the Board.
Collateral
    The proposed RMF would state that OCC's collateral risk is managed 
by Business Operations, Corporate Finance, and FRM in accordance with 
OCC's confidential Collateral Risk Policy and OCC Rules 604 and 1002. 
The proposed RMF would state that OCC requires its Clearing Members to 
deposit collateral as margin and Clearing Fund. The proposed RMF would 
state that OCC limits acceptable assets to those with low credit, 
market, and liquidity risks, and employs other risk mitigation tools, 
including collateral concentration limits. The proposed RMF would state 
that FRM applies risk-based haircuts and Business Operations revalues 
collateral daily to ensure margin and Clearing Fund requirements are 
met.
Default Management
    The proposed RMF would state that OCC's default management risk is 
managed by FRM in accordance with OCC's confidential Default Management 
Policy and Chapter XI of OCC's Rules. The proposed RMF would state that 
in the event of a Clearing Member default, OCC takes timely action to 
contain losses and liquidity pressures and continue to meet its 
obligations. The proposed RMF would state that OCC closes open 
positions in an orderly manner, which may include performing auctions, 
utilizing liquidation agents, or applying hedges. The proposed RMF 
would state that Margin and Clearing Fund deposits of the defaulting 
Clearing Member are used to offset these losses, followed by other 
financial resources. The proposed RMF would state that OCC performs 
default testing with the participation of designated Clearing Members 
and other stakeholders to evaluate its processes and systems, including 
close-out processes.
    The newly proposed Membership Standards, Credit, Clearing Fund, 
Margin, Collateral, and Default Management sections of the RMF would 
effectively replace the Credit Risk Management Framework section of 
OCC's RMF Policy and refer to the same OCC Risk Policies currently 
maintained by OCC (and described in the RMF) to address such risks and 
which are currently filed with the Commission as rules of OCC (e.g., 
the Margin Policy,\20\ Clearing Fund Methodology Policy,\21\ Collateral 
Risk Management Policy,\22\ Default Management Policy,\23\ and TPRMF 
\24\).
---------------------------------------------------------------------------

    \20\ See, e.g., Exchange Act Release No. 82355 (Dec. 19, 2017), 
82 FR 61058 (Dec. 26, 2017) (File No. SR-OCC-2017-007).
    \21\ See, e.g., Exchange Act Release No. 83735 (July 27, 2018), 
83 FR 37855 (Aug. 2, 2018) (File No. SR-OCC-2018-008).
    \22\ See, e.g., Exchange Act Release No. 82311 (Dec. 13, 2017), 
82 FR 60252 (Dec. 19, 2017) (File No. SR-OCC-2017-008).
    \23\ See, e.g., Exchange Act Release No. 82310 (Dec. 13, 2017), 
82 FR 60265 (Dec. 19, 2017) (File No. SR-OCC-2017-010).
    \24\ See, e.g., Exchange Act Release No. 90797 (Dec. 23, 2020), 
85 FR 86592 (Dec. 30, 2020) (File No. SR-OCC-2020-014).
---------------------------------------------------------------------------

Liquidity
    The proposed RMF would state that OCC's liquidity risk is managed 
by FRM and Corporate Finance. The proposed RMF would state that OCC 
manages its liquidity risk in accordance with its confidential 
Liquidity Risk Management Framework by maintaining a reliable and 
diverse set of committed resources and liquidity providers, 
establishing a contingent funding plan to collect additional resources, 
and performing stress testing that covers a wide range of scenarios 
that include the default of the Clearing Member Group that would 
generate the largest aggregate liquidity obligation in extreme but 
plausible market conditions. The proposed RMF would state that FRM also 
tests the sufficiency of its resources by forecasting daily settlement 
under normal and stressed market conditions and compares these results 
to the liquid resources maintained. The proposed RMF would state that 
FRM reports the results of these reviews to the Board. The new 
Liquidity section of the proposed RMF would replace the Liquidity Risk 
Management Framework section of the current RMF Policy and would 
summarize and refer to OCC's Liquidity Risk Management Framework as the 
governing document for managing OCC's liquidity risks while removing 
certain summary information that is more specifically addressed in the 
Liquidity Risk Management Framework.\25\
---------------------------------------------------------------------------

    \25\ See, e.g., Exchange Act Release 89014 (June 4, 2020), 85 FR 
35446 (June 10, 2020) (File No. SR-OCC-2020-003).
---------------------------------------------------------------------------

Settlement
    The proposed RMF would add a new section specifically discussing 
settlement risk (which is currently addressed indirectly in the 
Operational Risk section of the RMF Policy). The proposed RMF would 
state that OCC's settlement risk is managed by Business Operations in 
accordance with Chapters V and IX of OCC's Rules. The proposed RMF 
would state that OCC uses clearing banks to facilitate settlements on 
at least a daily basis. The proposed RMF would state that OCC issues 
instructions to clearing banks to debit or credit the account of a 
Clearing Member, and correspondingly debit or credit OCC's account, 
with a specific dollar amount by a specified time. The proposed RMF 
would state that settlement finality occurs when a clearing bank 
confirms the settlement instruction or is silent past the applicable 
deadline.
Custody and Investment
    The proposed RMF would state that OCC's custody and investment risk 
is managed by its Corporate Finance department, Business Operations, 
and FRM in accordance with OCC Rules 604 and 1002(b). The proposed RMF 
would state that OCC holds its own and its Clearing Members' assets at 
settlement and custodian banks, as well as at other financial market 
utilities. The proposed RMF would state that OCC requires settlement 
and custodian banks to meet minimum financial and operational 
requirements. The proposed RMF would state that OCC complies with 
applicable customer protection and segregation requirements for the 
handling of customer funds. The proposed RMF would state that OCC 
maintains working capital and non-invested Clearing Member cash in 
accounts that minimize delays in access to funds. The proposed RMF 
would state that OCC maintains accounts at the Federal Reserve to 
custody funds. The proposed RMF would state that OCC invests in 
instruments with minimal credit, market, and liquidity risks. The new 
Custody and Investment section of the proposed RMF would effectively 
replace the Investment Risk section of the RMF Policy, which also 
discusses OCC's use of Federal Reserve bank accounts and the investment 
of funds not held at the Federal Reserve.
General Business
    The proposed RMF would state that OCC's general business risk is 
managed by Corporate Finance, Information Technology, Business 
Operations and Financial Risk Management. The proposed RMF would state 
that Corporate Finance performs financial planning and analysis, 
reviews operating budgets and fee structures, and reviews business 
performance. The proposed RMF would state that OCC maintains liquid net 
assets funded by equity sufficient to cover potential general business 
losses and comply with financial resource requirements in accordance 
with its confidential Capital

[[Page 58415]]

Management Policy.\26\ Furthermore, the proposed RMF would state that 
Information Technology reviews OCC's ability to maintain its critical 
services under a range of scenarios, including adverse market 
conditions. The proposed RMF would state that Business Operations and 
Financial Risk Management also perform assessments to determine if 
potential new business opportunities fit within OCC's models and risk 
management systems. The new General Business section of the proposed 
RMF would replace the General Business Risk section (and in part, the 
Reputational Risk section) of the current RMF Policy, continue to refer 
to OCC's Capital Management Policy as the governing document for 
managing OCC's general business risks, and remove certain summary 
information that is more specifically addressed in OCC's Capital 
Management Policy.\27\
---------------------------------------------------------------------------

    \26\ See, e.g., Exchange Act Release 88029 (Jan. 24, 2020), 85 
FR 5500 (Jan. 30, 2020) (File No. SR-OCC-2019-007).
    \27\ See id.
---------------------------------------------------------------------------

Technology
    The proposed RMF would state that OCC's technology risk is managed 
by OCC's Information Technology. The proposed RMF would state that OCC 
uses technology solutions to manage risk and facilitate clearing and 
settlement by utilizing systems that have adequate levels of 
availability, security, resiliency, integrity, and adequate, scalable 
capacity based on their criticality. The proposed RMF would state that 
Information Technology manages technology risk by utilizing a 
structured technology delivery approach that provides for consistency 
and establishes responsibilities and requirements. The proposed RMF 
would state that Information Technology monitors and evaluates 
technology performance in part based on service levels related to data 
integrity, system availability, data timeliness, and data quality to 
manage technology risk. The proposed RMF would state that to achieve 
these service levels, Information Technology manages OCC's efforts 
across technology incidents, changes, configurations, system capacity, 
and evaluates system recoverability through disaster recovery testing. 
The Technology section of the proposed RMF, along with the Security 
section (discussed below), are intended to replace the Operational 
Risk--Information Technology section of the RMF Policy. These general 
details in the RMF would replace more specific information concerning 
OCC's quality standards program, cybersecurity program, and system 
functionality and capacity.\28\
---------------------------------------------------------------------------

    \28\ OCC intends to include a detailed discussion of these 
aspects of its operational risk management in a new Operational Risk 
Management Framework document, which is currently being finalized by 
OCC and will be filed with the Commission when it is complete.
---------------------------------------------------------------------------

Legal
    The proposed RMF would state that OCC's legal risk is managed 
through efforts across OCC that are advised by OCC's Legal department 
(``Legal''). The proposed RMF would state that OCC manages its legal 
risk by establishing, implementing and enforcing written documents that 
are reasonably designed to provide a well-founded, clear, transparent, 
and enforceable legal basis for each aspect of OCC's activities in all 
relevant jurisdictions and comply with applicable legal and regulatory 
requirements. The proposed RMF would state that in order to manage 
legal risk across OCC, employees are required to consult with Legal on 
legal and regulatory matters, including but not limited to 
interpretation of laws and regulations applicable to OCC, including 
OCC's Rules and By-Laws, legal claims against OCC, government or 
regulatory requests or inspections, and matters that may be the subject 
of a proposed rule change filing. The Legal section of the proposed RMF 
would replace, in part, the Legal Risk section of the RMF Policy, 
including by replacing a specific sub-section discussing OCC's 
maintenance of contracts with more general requirements that OCC 
establish, implement, and enforce written documents, including legal 
agreements, and maintain documents that are reasonably designed to 
provide a well-founded, clear, transparent, and enforceable legal basis 
for each aspect of OCC's activities, which would include any contracts 
regarding the material aspects of OCC's clearing, settlement, and risk 
management activities as discussed in the RMF Policy.
Second Line of Defense
    The proposed RMF would state that OCC's second line of defense 
includes compliance, corporate risk, third-party risk, model risk 
management, security, and business continuity. The proposed RMF would 
state that the second line has no operational authority or 
responsibility for the first line to prevent conflicts of interest. The 
proposed RMF would state that the second line provides objective 
analysis to identify potential enhancements and improvements to first 
line processes to help ensure compliance with applicable laws and 
regulations and prudent risk management. The proposed RMF would state 
that second line management reports to Board committees and has the 
authority to escalate information to the first line, Management 
Committee, and the Board. Additionally, the proposed RMF would state 
that second line management provides reports to the Board at least 
quarterly at its scheduled meetings.
Compliance
    The proposed RMF would state that OCC's Compliance department 
(``Compliance'') oversees OCC's management of compliance risk by 
adhering to applicable rules and regulations, policies, procedures, 
processes, controls, and standards of conduct. The proposed RMF would 
state that Compliance manages compliance risk by establishing processes 
to prevent, detect, respond to, and report on compliance risk. The 
proposed RMF would state that Compliance supports and assesses the 
management of compliance risk through advising, monitoring, reporting, 
testing, and training activities and maintains mechanisms for reporting 
unethical or fraudulent behavior or misconduct. The Compliance section 
of the proposed RMF would replace the Regulatory Compliance section of 
the RMF Policy and reframe this section based on the Compliance 
department's role in helping OCC manage compliance risk.
Corporate Risk
    The proposed RMF would state that Corporate Risk evaluates 
enterprise risk by identifying, measuring, monitoring, managing, 
reporting, and escalating risks to inform decision-making in accordance 
with the CRMP. The proposed RMF would state that Corporate Risk 
evaluates enterprise risk to provide an understanding of inherent and 
residual risks as compared against Board-approved levels.
Third-Party Risk
    The proposed RMF would state that OCC's Third-Party Risk Management 
business unit evaluates risks posed to OCC by third parties by 
identifying, measuring, monitoring, managing, reporting, and escalating 
risks as described in the TPRMF. The proposed RMF would state that 
Third-Party Risk Management aggregates information about the risks 
presented by third parties based on their relationships to OCC. The new 
Third-Party Risk section of the proposed RMF would replace the Third-
Party Monitoring Program section of the RMF Policy and remove certain

[[Page 58416]]

details which are more comprehensively addressed in the TPRMF.\29\
---------------------------------------------------------------------------

    \29\ See supra note 24.
---------------------------------------------------------------------------

Model Risk Management
    The proposed RMF would state that Model Risk Management performs 
independent model validation, evaluates model parameters and 
assumptions, assesses mitigating factors, and provides effective and 
independent challenge throughout OCC's model lifecycle in accordance 
with its confidential Model Risk Management Policy. The proposed RMF 
would state that Models are governed and independently assessed and 
certified to determine adequate performance. The proposed RMF would 
state that this includes model testing and performance monitoring 
(e.g., backtesting, sensitivity analysis). The new Model Risk 
Management section of the proposed RMF would replace the Model Risk 
section of the RMF Policy. This new section of the RMF would focus on 
Model Risk Management's role in helping OCC manage model risk and would 
remove certain details that are more comprehensively addressed in the 
Model Risk Management Policy.\30\
---------------------------------------------------------------------------

    \30\ See, e.g., Exchange Act Release No. 82785 (Feb. 27, 2018), 
83 FR 9345 (Mar. 5, 2018) (File No. SR-OCC-2017-011).
---------------------------------------------------------------------------

Security
    The proposed RMF would include new rule text stating that OCC's 
Security department (``Security'') manages information, physical, and 
personnel security risk to safeguard the confidentiality, integrity, 
and availability of corporate information systems and data assets 
implemented and maintained by Information Technology. The proposed RMF 
would state that Security employs a risk-based methodology and controls 
to manage information governance, system resiliency, and cyber 
security. In addition, the proposed RMF would state that Security 
maintains policies and procedures that require appropriate protective 
controls and event detection via security monitoring. The proposed RMF 
would state that Security evaluates its processes and controls through 
internal and external testing, scanning for threats and 
vulnerabilities, and benchmarking against industry standards.
    In addition, the proposed RMF would incorporate an existing portion 
of the RMF Policy concerning IT risk assessments conducted by Security 
prior to the procurement, development, installation and operation of IT 
services and systems, including the triggers that may change IT risks 
at OCC.\31\ Cross-references found in the RMF Policy to procedures that 
outline IT risk assessments at a procedural level would be removed. OCC 
does not believe that identifying the underlying procedure is necessary 
for understanding the process at a policy level.
---------------------------------------------------------------------------

    \31\ This discussion would replace the IT Risk Assessment 
section of the current RMF Policy. OCC intends to include a detailed 
discussion of its IT risk assessment in a new Operational Risk 
Management Framework document, which is currently being finalized by 
OCC and will be filed with the Commission when it is complete.
---------------------------------------------------------------------------

Business Continuity
    The proposed RMF would state that Business Continuity maintains a 
business continuity program that establishes OCC's plan for maintaining 
backup and recovery capabilities that are sufficiently resilient and 
geographically diverse to address both internal and external events 
that could impact OCC's operations.\32\
---------------------------------------------------------------------------

    \32\ The Business Continuity section of the RMF would replace 
the Business Continuity Program section of the current RMF Policy. 
OCC intends to include a detailed discussion of its Business 
Continuity Program in a new Operational Risk Management Framework 
document, which is currently being finalized by OCC and will be 
filed with the Commission when it is complete.
---------------------------------------------------------------------------

Third Line of Defense
    The proposed RMF would state that OCC's third line of defense 
consists of Internal Audit. Internal Audit is independent and reports 
directly to the Audit Committee of the Board (``Audit Committee'') to 
ensure this independence; the Audit Committee oversees the activities 
performed by Internal Audit in accordance with the Audit Committee 
Charter. The proposed RMF would state that Internal Audit has no 
responsibility for first- or second-line functions. The proposed RMF 
would state that Internal Audit designs, implements, and maintains an 
audit program that provides the Management Committee and Audit 
Committee independent and objective assurance related to the quality of 
OCC's risk management, governance, compliance, controls, and business 
processes in accordance with the confidential Internal Audit Policy. 
The proposed RMF would state that Internal Audit issues independent 
reports to the first and second line as well as the Audit Committee and 
Board. This section of the RMF would replace a discussion of the third 
line of defense in OCC's current RMF Policy and would remove certain 
details that are more comprehensively addressed in the Internal Audit 
Policy.\33\
---------------------------------------------------------------------------

    \33\ Such details include requirements related to the diversity 
and skills of Internal Audit personnel and the external standards of 
professionalism pursuant to which Internal Audit performs its 
functions.
---------------------------------------------------------------------------

Risk Management Practice
    The RMF Policy currently contains a Risk Management Practice 
section that describes OCC's three lines of defense model and 
Enterprise Risk Assessment program. As discussed above, OCC would 
relocate the discussion of its three lines of defense model to the new 
RMF. In addition, OCC proposes to relocate the discussion of its 
Enterprise Risk Assessment program to the new CRMP. OCC also proposes 
to relocate the Risk Reporting section of the RMF Policy to the CRMP. 
Additionally, OCC would eliminate the specific Compliance Risk 
Assessment section of the RMF Policy.
Enterprise Risk Assessment and Scenario Analysis Program
    The RMF Policy currently describes the Enterprise Risk Assessment 
process conducted by the first line and Corporate Risk. The RMF Policy 
provides that Enterprise Risk Assessments shall analyze Inherent 
Risk,\34\ the quality of risk management, and Residual Risk \35\ of the 
sub-categories of Key Risks and use analysis of Residual Risk in 
conjunction with metrics related to risk tolerances to develop a risk 
profile and determine whether a Key Risk is within its risk appetite. 
The RMF Policy also requires that Corporate Risk's analysis of Residual 
Risk be provided to the Management Committee and Board (or committee 
thereof) to inform them on the quantity of risk in a certain functional 
area or business area, and provide a mechanism to prioritize risk 
mitigation activities.
---------------------------------------------------------------------------

    \34\ The RMF Policy defines ``Inherent Risk'' to mean the 
absolute level of risk exposure posed by a process or activity prior 
to the application of controls or other risk-mitigating factors.
    \35\ The RMF Policy defines ``Residual Risk'' to mean the level 
of risk exposure posed to a process or activity after the 
application of controls or other risk-mitigating factors.
---------------------------------------------------------------------------

    The proposed CRMP would revise this description to more accurately 
and completely describe the risk assessment, monitoring, and reporting 
processes conducted by Corporate Risk. The proposed CRMP would state 
that enterprise risk assessments are a quarterly activity where the 
control environment is evaluated to determine its effectiveness in 
preventing or mitigating inherent risks identified to arrive at a 
residual risk rating for each risk statement. The proposed CRMP would 
state that Corporate Risk (and not Compliance, as specified in the RMF 
Policy) maintains an inventory of all

[[Page 58417]]

business processes, risks, and associated controls in a database used 
by OCC to manage Enterprise Governance, Risk and Compliance. The CRMP 
would state that Corporate Risk uses data from a variety of sources 
(e.g., risk events, Internal Audit findings, security risk assessments 
and observations, third-party observations, control design assessments, 
management control self-testing results, and business impact analyses) 
to rate the impact and likelihood of a risk and assess the quality of 
the control environment. The proposed CRMP would state that enterprise 
risk assessments are conducted through workshops across the first and 
second lines of defense and are supplemented by including information 
from emerging risk surveys (top-down), process-based risk assessments 
(bottom-up), and enterprise technology assessments. The proposed CRMP 
would state that quarterly, the results of the enterprise risk 
assessment (the levels of residual risk) are aggregated and provided to 
the CRO for approval and presented to the Management Committee and 
Board by the CRO. The CRMP would also elaborate on the use of residual 
risk, risk tolerances, and risk ratings and associated reporting as 
discussed in the Risk Governance section of the proposed CRMP and would 
also provide details on Corporate Risk's risk monitoring and risk 
treatment activities in new sections of the CRMP (as discussed further 
below).
    The RMF Policy also describes OCC's Scenario Analysis Program, 
which is an industry-standard method of identifying operational risks 
that may not be otherwise captured by the Enterprise Risk Assessment 
program. Pursuant to the RMF Policy, Corporate Risk and the first line 
design simulations of potential business disruptions, and business unit 
staff shall use such simulations to identify risks that may not have 
been previously uncovered or identify weaknesses in current controls. 
Corporate Risk includes the potential risks identified through the 
Scenario Analysis Program in its analysis of, and reporting on, the 
quantity of risk within a certain Key Risk and whether the Key Risk is 
within its risk appetite.
    OCC proposes to relocate the discussion of its Scenario Analysis 
Program to the CRMP with revisions designed to more accurately and 
completely describe the scenario analysis process. The proposed CRMP 
would state that operational scenario analysis is the process of 
leveraging OCC subject matter expertise to identify potential 
operational risks and assess the potential outcomes of stressed 
operations. The proposed CRMP would state that operational scenarios 
consider both internal and external scenarios that may impact OCC's 
ability to perform its clearance, settlement and risk management 
services. The proposed CRMP would state that Corporate Risk, through 
workshops with the first and second lines of defense, designs 
operational scenarios utilizing available information (e.g., annual 
top-risk survey conducted by Corporate Risk, Management Committee 
recommendation, enterprise risk assessments). The proposed CRMP would 
state that the workshops are designed to identify risks that may not 
have been previously uncovered or weaknesses in current controls. The 
proposed CRMP would state that operational scenarios are used to assess 
the potential that future extreme but plausible business disruptions 
may impact OCC's clearance, settlement and risk management services and 
are inputs in OCC's target capital requirements and recovery and wind-
down planning. The proposed CRMP would state that Risk Owners use 
scenarios to identify new and existing risks and identify weaknesses in 
current controls. The proposed CRMP would state that Corporate Risk 
includes potential risks identified through operational scenario 
analysis when analyzing and reporting across risk categories and sub-
categories.
Risk Reporting
    The proposed CRMP would contain a revised Risk Reporting section. 
The proposed CRMP would state that risk reporting provides a view of 
OCC's risks to facilitate risk management and inform decision-making. 
The proposed CRMP would state that Corporate Risk reports risks based 
on its risk identification, measurement, and monitoring activities to 
assist in the understanding of the risks OCC faces and whether these 
risks are being managed within OCC's risk tolerances and appetites. The 
proposed CRMP would state that quarterly, the CRO reports risks (e.g., 
risk appetite or risk tolerance breaches, material operational risk 
events, summary of risk acceptances, and risk mitigation) to the 
Management Committee, Board, and relevant Board committees.
Compliance Risk Assessment
    OCC proposes to remove a section of the RMF Policy specifically 
dedicated to the Compliance Risk Assessment program. This section 
currently provides a brief discussion of the Compliance department's 
program used to identify and measure the risks faced by OCC regarding 
regulatory compliance and prioritize the testing and training 
activities associated with such risks. OCC believes this section is 
appropriately addressed in the Compliance section of the proposed RMF 
(discussed in detail above), which provides that Compliance manages 
compliance risk by establishing processes to prevent, detect, respond 
to, and report on compliance risk and assesses the management of 
compliance risk through advising, monitoring, reporting, testing, and 
training activities and maintains mechanisms for reporting unethical or 
fraudulent behavior or misconduct. This would include the activities 
performed by Compliance in the Compliance Risk Assessment program.
Control Activities
    OCC proposes to eliminate the Control Activities section of the RMF 
Policy, which describes certain activities performed by OCC's 
Compliance department relating to the maintenance of business process 
and control inventories and annual training of OCC staff. This would be 
replaced by more general descriptions of Compliance's responsibilities 
under the proposed RMF. As discussed above, the RMF would more 
generally describe the department's responsibilities for the management 
of compliance risk, including by: (i) establishing processes to 
prevent, detect, respond to, and report on compliance risk; (ii) 
assessing the management of compliance risk through advising, 
monitoring, reporting, testing, and training activities; and (iii) 
maintaining mechanisms for reporting unethical or fraudulent behavior 
or misconduct. Additionally, as noted above, the proposed CRMP would 
transfer responsibility for maintaining OCC's inventory of all business 
processes, risks, and associated controls from Compliance to Corporate 
Risk.
Policy Exceptions and Violations
    OCC proposes to replace the Policy Exceptions and Violations 
sections in the current RMF Policy with a new Risk Acceptances and 
Deviations section in the RMF. The RMF would require that risk 
acceptances,\36\ including exceptions to OCC's risk management 
frameworks and policies, shall be escalated to Corporate Risk in 
accordance with the CRMP. In addition, the RMF would

[[Page 58418]]

require that deviations from OCC's risk management frameworks and 
policies shall be escalated to Compliance in accordance with the Policy 
Governance Policy (``PGP'').\37\ By including this generally applicable 
provision in the RMF, OCC would no longer include this information in 
each individual policy and procedure. Policy exceptions would continue 
to be escalated as part of OCC's risk acceptance process and policy 
violations would be escalated as part of OCC's PGP document deviation 
risk event process. The proposed change would allow OCC to remain 
consistent with this practice in its policies and procedures without 
requiring each to have its own individual Policy Exceptions and 
Violations sections that would need to be updated as OCC's process for 
escalating exceptions and deviations develops and matures.
---------------------------------------------------------------------------

    \36\ As discussed in more detail below with respect to the 
proposed Risk Treatment section of the CRMP, acceptance is a risk 
treatment method that may be used to acknowledge when the cost or 
complexity of avoiding, mitigating, or transferring the risk exceeds 
the potential impact (e.g., OCC accepts a risk temporarily and 
implements short-term mitigants, knowing that a long-term solution 
is planned).
    \37\ OCC proposes to use the term ``deviation'' rather than 
``violation'' as found in the current RMF Policy to align with the 
terminology used in the PGP.
---------------------------------------------------------------------------

Other Deleted Sections of the RMF Policy
Project Management, Budgeting, and Training Changes
    OCC proposes to delete from its rules certain sections of the RMF 
Policy related to project management, corporate planning and budgeting, 
and Human Resources and Compliance Training and Policies. OCC believes 
that these sections deal with policies and practices that are 
administrative in nature and do not constitute material aspects of the 
operation of the facilities of OCC.\38\ OCC would not maintain these 
details in the RMF or CRMP; however, OCC would continue to maintain and 
update these details when necessary in other internal policies, 
procedures, or OCC documentation maintained for such purposes.
---------------------------------------------------------------------------

    \38\ Section 19(b)(1) of the Exchange Act requires a self-
regulatory organization (``SRO'') such as OCC to file with the 
Commission any proposed rule or any proposed change in, addition to, 
or deletion from the rules of such SRO. See 15 U.S.C. 78s(b)(1). 
Section 3(a)(27) of the Exchange Act defines ``rules of a clearing 
agency'' to mean its (1) constitution, (2) articles of 
incorporation, (3) bylaws, (4) rules, (5) instruments corresponding 
to the foregoing and (6) such ``stated policies, practices and 
interpretations'' (``SPPI'') as the Commission may determine by 
rule. See 15 U.S.C. 78c(a)(27). Exchange Act Rule 19b-4(a)(6) 
defines the term ``SPPI'' to include (i) any material aspect of the 
operation of the facilities of an SRO and (ii) statements made 
generally available to membership of, to all participants in, or to 
persons having or seeking access to facilities of an SRO that 
establishes or changes certain standards, limits, or guidelines. See 
17 CFR 240.19b-4(a)(6). Rule 19b-4(c) provides, however, that an 
SPPI may not be deemed to be a proposed rule change if it is: (i) 
reasonably and fairly implied by an existing rule of the SRO or (ii) 
concerned solely with the administration of the SRO and is not an 
SPPI with respect to the meaning, administration, or enforcement of 
an existing rule the SRO. See 17 CFR 240.19b-4(c).
---------------------------------------------------------------------------

Risk Universe
    Finally, OCC proposes to remove the RMF Policy's Appendix: OCC's 
Key Risks with CCA, PFMI, and Reg SCI Mapping. The proposed CRMP would 
require that Corporate Risk continue to maintain the risk universe, and 
OCC has included its risk categories in Section II of the proposed RMF 
but proposes that the additional detailed documentation and mapping be 
maintained internally by Corporate Risk. OCC believes it may need to 
update the mapping and risks, as well as how OCC defines them, 
dynamically based on business and market factors. OCC believes by 
following the governance outlined in the proposed CRMP, proper scrutiny 
will be given to any revisions to this information. Moreover, OCC 
believes that the policies and processes maintained by OCC to 
establish, maintain, review and update its risk universe, which 
reflects the universe of risks that OCC must monitor and manage, 
constitute material aspects of the operation of the facilities of OCC, 
but the risk universe itself is the output of those processes and 
simply lists those risks that OCC has identified pursuant to the 
requirements of the RMF Policy (and the proposed CRMP).
New Sections in the RMF and CRMP
    OCC proposes to add new sections to its RMF and CRMP to describe 
certain aspects of its risk management framework and approach to 
enterprise risk management, which are discussed in detail below.
RMF: Recovery and Orderly Wind-Down Plan
    The proposed RMF would include a new section discussing OCC's 
Recovery and Orderly Wind-Down Plan. The proposed RMF would state that 
in the event of extreme financial, operational, or general business 
stress, Corporate Risk maintains a confidential Recovery and Orderly 
Wind-Down Plan which details the departments responsible for executing 
the plan. The proposed RMF would state that OCC employs a set of 
recovery tools in the event of severe financial, operational, or 
general business stress, to continue to provide critical clearing and 
settlement services. The proposed RMF would state that should OCC's 
recovery efforts be unsuccessful or if, based on facts and 
circumstances, it is determined that its recovery tools would be 
insufficient, OCC has a wind-down plan that provides for the orderly 
resolution of the firm.
CRMP: Risk Monitoring
    The CRMP would introduce a new section to describe Corporate Risk's 
Risk Monitoring process, including key risk indicator monitoring and 
operational risk even monitoring. The proposed CRMP would state that 
Corporate Risk and Risk Owners monitor internal and external risks to 
determine whether OCC's risk management practices continue to operate 
effectively. The proposed CRMP would state that the information 
gathered during this monitoring is used to inform enterprise risk 
assessments.
Key Risk Indicator Monitoring
    The proposed CRMP would state that key risk indicators (``KRIs'') 
are qualitative or quantitative metrics designed to identify changes to 
risks. The proposed CRMP would state that Corporate Risk and Risk 
Owners utilize KRIs to measure and monitor levels of risk against risk 
appetite and risk tolerances. The proposed CRMP would state that KRIs 
are established at a risk sub-category level. KRIs include three 
thresholds: green, amber, and red. The proposed CRMP would state that 
green indicates a low risk of breaching tolerance, amber indicates a 
moderate risk of breaching tolerance, and red indicates a breach of 
tolerance. The proposed CRMP would state that amber and red thresholds 
are points of escalation to the CRO, Management Committee, and the 
Board.
    The proposed CRMP would state that Risk Owners, in collaboration 
with Corporate Risk, develop KRIs by considering business (e.g., 
process and controls) and regulatory requirements. The proposed CRMP 
would state that Corporate Risk facilitates identifying, modifying, and 
reviewing KRIs with a designated Management Committee member, including 
defining and reviewing the risk tolerance and risk thresholds for the 
KRI. The proposed CRMP would state that KRIs that breach the red 
threshold result in the development and execution of risk treatment 
plans by Risk Owners. The proposed CRMP would state that Corporate Risk 
reports against red, amber, and green thresholds to the CRO and 
Management Committee on a quarterly basis and to the Board at each 
regularly scheduled meeting.
Operational Risk Event Monitoring
    The proposed CRMP would state that an operational risk event is an 
event which results in a financial loss or an adverse impact to OCC or 
its ability to deliver its services. The proposed CRMP would state that 
such events arise from

[[Page 58419]]

failed or inadequate internal processes, people, systems, or exposure 
to external events. The proposed CRMP would state that Risk Owners are 
responsible for identifying, assessing, and escalating operational risk 
events. The proposed CRMP would provide that Corporate Risk is 
responsible for ensuring that material operational risk events, as well 
as identified trends, are reported to the CRO and Management Committee 
on a quarterly basis and to the Board at each regularly scheduled 
meeting. The proposed CRMP would state that Risk Owners perform root 
cause analysis and enhance or develop processes that would reduce the 
impact or likelihood of similar events occurring in the future. The 
proposed CRMP would state that Risk Owners are responsible for 
escalating operational risk events causing serious and extended 
disruptions in production operations. The proposed CRMP would state 
that risk events that have a major or extreme impact to OCC's ability 
to perform its clearance, settlement and risk management services are 
immediately reported to the Management Committee and Board.
CRMP: Risk Treatment
    The CRMP would introduce a new section to describe OCC's risk 
treatment process, which is the process by which Risk Owners manage 
risk exposures by utilizing risk treatment methods to remain within 
risk appetites and tolerances. The proposed CRMP would state that risk 
treatment methods are implemented by Risk Owners and include the 
decision to mitigate, avoid, transfer, or accept an identified risk. 
The proposed CRMP would state that mitigation is a risk treatment 
method where controls including policies, procedures, processes, and 
systems can be implemented to manage a risk within established risk 
appetites and tolerances (e.g., OCC creates a procedure to document a 
process including implementing controls to mitigate a risk).
    The proposed CRMP would state that avoidance is a risk treatment 
method that may be used when controls are ineffective at preventing or 
mitigating a risk within approved risk appetites or tolerances (e.g., 
OCC does not onboard a clearing member due to poor financial health). 
The proposed CRMP would state that transference is a risk treatment 
method where risks are moved to a third-party usually through the 
purchase of insurance (e.g., fraud, general liability, and employment 
insurance). Insurance covered would be coordinated by the Corporate 
Finance team, with involvement from other first and second line 
stakeholders, and subject to review by the Management Committee and the 
Board.
    The proposed CRMP would state that acceptance is a risk treatment 
method that may be used to acknowledge when the cost or complexity of 
avoiding, mitigating, or transferring the risk exceeds the potential 
impact (e.g., OCC accepts a risk temporarily and implements short-term 
mitigants, knowing that a long-term solution is planned). The proposed 
CRMP would state that Corporate Risk evaluates risk acceptances 
submitted by Risk Owners. The proposed CRMP would state that any risks 
presented for acceptance that are outside of risk appetite or risk 
tolerance must be approved by the Management Committee annually. The 
proposed CRMP would state that Corporate Risk reports on risks accepted 
above approved risk appetite or risk tolerance to the CRO, Management 
Committee, and Board.
CRMP: Risk Escalation, and Training
    The proposed CRMP would also describe Corporate Risk's process for 
escalating risks to the CRO, Management Committee, and Board and 
training employees about risk to support risk management and decision-
making.
Escalation
    The proposed CRMP would state that OCC employees are responsible 
for escalating risks through timely identification and reporting. The 
proposed CRMP would state that in accordance with OCC's Employee 
Handbook and Policy Governance Policy, OCC employees are expected to 
escalate risks through their reporting line, OCC's internal working 
groups, or to the Management Committee. The proposed CRMP would state 
that quarterly, Corporate Risk, through the CRO, escalates breaches of 
risk appetites and risk tolerances to the Management Committee, Board, 
and relevant Board committees. The proposed CRMP would state that 
escalation occurs (i) consistent with obligations established in the 
Management Committee Charter, Board Charter, Board Committee Charters, 
policies, and procedures, or (ii) anytime through the CRO directly to 
the Board.
Training
    The proposed CRMP would state that OCC employees are trained to 
promote a culture of risk and control awareness. The proposed CRMP 
would state that Corporate Risk collaborates with other OCC departments 
to create and disseminate training to enable accountability, empower 
decision-making, promote risk awareness, and detail escalation. The 
proposed CRMP would state that this training promotes awareness of 
OCC's regulatory requirements, policies, procedures, processes, 
controls, and standards of conduct.
Conforming Changes to OCC Risk Policies
    Finally, OCC proposes to update other OCC Risk Policies to be 
consistent with the proposed RMF. Specifically, OCC would update 
references to the RMF Policy, including the summary of the RMF Policy 
in the Recovery and Orderly Wind-Down Plan, to refer to the RMF and 
CRMP. References to the ``Enterprise Risk Management'' department or 
``ERM'' would be changed to ``Corporate Risk Management'' or 
``Corporate Risk'' to reflect that department's name. In the case of 
the Collateral Risk Management Policy, OCC would delete reference to 
the Enterprise Risk Management Policy's annual review of concentration 
limits because that review is conducted by the Model Risk Management, 
which is part of Corporate Risk. The OCC Risk Policies would be further 
conformed to reflect that what was formerly referred to as OCC's Model 
Validation Group is now referred to as Model Risk Management. OCC would 
also remove the Policy Exceptions and Violations sections of the 
applicable OCC Risk Policies as the exception and violation processes 
for all of the OCC Risk Policies would be covered by the new Risk 
Acceptances and Deviations section of the proposed RMF (as discussed 
above).
    OCC also propose to make administrative updates to cross-references 
to other internal OCC policies and procedures and other administrative 
changes arising from OCC's annual review of its risk management 
frameworks and procedures. Specifically, OCC would also revise the 
TPRMF to:
     include General Business Risk as a type of risk that may 
be presented by third-party relationships;
     Revise the introduction of the on-boarding and off-
boarding monitoring of counterparties with multiple relationships with 
OCC to reference the respective procedures and work groups in the 
Third-Party Relationship Management section, which as evident from the 
existing TPRMF is not limited to monitoring by the Credit and Liquidity 
Risk Working Group, as that current introduction suggests;
     Delete reference to specific OCC Rules in favor of 
reference to Chapters of OCC's Rulebook because the specific Rules 
currently identified are not a

[[Page 58420]]

complete list of those in the identified Chapters that give OCC 
authority to act to protect OCC from exposure presented by a Clearing 
Member.
    Make other administrative changes to business unit names
(2) Statutory Basis
    OCC believes the proposed rule change is consistent with Section 
17A of the Exchange Act \39\ and Rule 17Ad-22(e)(3). Section 
17A(b)(3)(F) of the Act \40\ requires, in part, that the rules of a 
clearing agency be designed to promote the prompt and accurate 
clearance and settlement of securities transactions, to assure the 
safeguarding of securities and funds in the custody or control of the 
clearing agency or for which it is responsible, and in general, to 
protect investors and the public interest. Rule 17Ad-22(e)(3)(i) \41\ 
requires, in part, that a covered clearing agency establish, implement, 
maintain and enforce written policies and procedures reasonably 
designed to maintain a sound risk management framework for 
comprehensively managing legal, credit, liquidity, operational, general 
business, investment, custody, and other risks that arise in or are 
borne by the covered clearing agency, which includes risk management 
policies, procedures, and systems designed to identify, measure, 
monitor, and manage the range of risks that arise in or are borne by 
the covered clearing agency, that are subject to review on a specified 
periodic basis and approved by the board of directors annually. For the 
reasons addressed below, OCC believe the proposed changes are 
consistent with these requirements.
---------------------------------------------------------------------------

    \39\ 15 U.S.C. 78q-1.
    \40\ 15 U.S.C. 78q-1(b)(3)(F).
    \41\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

Consistency With Section 17A(b)(3)(F) of the Exchange Act
    The proposed RMF and associated policies, including the CRMP, would 
be the foundation for a risk management framework designed to promote 
the prompt and accurate clearance and settlement of securities 
transactions, assure the safeguarding of securities and funds in the 
OCC's custody or control, and in general, protect investors and the 
public interest. Risk management is the means by which OCC guards 
against disruption to OCC's clearance and settlement services and loss 
of financial resources necessary to maintain OCC as a going concern or 
in OCC's custody or control to address member defaults and liquidity 
shortfalls. As a clearing agency that has been designated a 
systemically important financial market utility by the Federal 
Stability Oversight Counsel, such disruption or losses may present 
systemic risks to the markets OCC serves, OCC's Clearing Members, and 
other market participants, including investors, thereby harming the 
public interest.
    As described above, the proposed RMF would be designed to provide a 
foundation to support the risk management policies, procedures, and 
systems that make up OCC's sound risk management framework. The 
proposed RMF would describe OCC's overall framework for comprehensive 
risk management, including OCC's framework to identify, measure, 
monitor and manage the risks faced by OCC in the provision of clearing, 
settlement and risk management services. The proposed RMF would provide 
the context for OCC's risk management framework, identify OCC's risk 
categories, describe the governance arrangements that implement risk 
management, and describe OCC's program for risk management, including 
the three lines of defense structure. In addition, the proposed CRMP 
would support the proposed RMF by explaining OCC's risk management 
activities related to enterprise risk. These changes are not meant to 
significantly alter OCC's approach to risk management, but rather to 
present OCC's approach to enterprise risk in a standalone policy, 
similar to OCC's approach with OCC's risk management. OCC believes that 
more clearly delineating its overall approach to risk management and 
its approach to enterprise risk through two separate policies helps 
support risk management processes designed to promote the prompt and 
accurate clearance and settlement of securities transactions, assure 
the safeguarding of securities and funds in OCC's custody, and in 
general, protect investors and the public interest. Accordingly, OCC 
believes that establishing the RMF and CRMP is consistent with Section 
17A(b)(3)(F) of the Act.\42\
---------------------------------------------------------------------------

    \42\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    The proposed RMF and CRMP would also make a number of substantive 
changes to OCC's rules beyond the reorganization and restatement of 
existing OCC rules. Consistency of these changes with Section 
17A(b)(3)(F) of the Act \43\ are discussed below.
---------------------------------------------------------------------------

    \43\ Id.
---------------------------------------------------------------------------

RMF Policy: Purpose Section
    The purpose section of the RMF Policy would be revised to reflect 
the reorganization of content in the RMF Policy in the new RMF and 
CRMP, focusing on the purpose and intent of each of the newly proposed 
documents. The proposed change is designed to clearly explain the 
purpose of the proposed RMF and CRMP and their place in OCC's overall 
framework for comprehensively managing legal, credit, liquidity, 
operational, general business, investment, custody, and other risks 
that arise in or are borne. OCC believes that providing this enhanced 
clarity in two of its key risk management policies would strengthen 
risk management processes designed to promote the prompt and accurate 
clearance and settlement of securities transactions, assure the 
safeguarding of securities and funds in OCC's custody or control or for 
which it is responsible, and in general, protect investors and the 
public interest. Accordingly, OCC believes the proposed changes are 
consistent with Section 17A(b)(3)(F) of the Act.\44\
---------------------------------------------------------------------------

    \44\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Context for Risk Management Framework and Risk Management 
Philosophy
    OCC would delete the Context for Risk Management Framework and Risk 
Management Philosophy sections of the RMF Policy from the proposed RMF. 
These sections provide history and background information about OCC and 
its purpose in the financial market, but do not contain rules of OCC. 
Additionally, the information presented in the Risk Management 
Philosophy section serves as an additional purpose section and all 
items highlighted in this section are covered in the proposed RMF and 
CRMP. OCC believes that removing this extraneous information would 
enhance the clarity of these risk policies by focusing on the rules 
governing OCC's overall risk framework and corporate risk management 
program and would strengthen risk management processes designed to 
promote the prompt and accurate clearance and settlement of securities 
transactions, assure the safeguarding of securities and funds in OCC's 
custody or control or for which it is responsible, and in general, 
protect investors and the public interest. Accordingly, OCC believes 
that revising the purposes changes are consistent with Section 
17A(b)(3)(F) of the Act.\45\
---------------------------------------------------------------------------

    \45\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Risk Appetite Framework and Tolerance
    OCC proposes to make certain modifications to the description of 
its risk appetite framework, including descriptions of OCC's use of a 
risk universe, risk appetites and risk tolerances, in the new CRMP. As

[[Page 58421]]

described above, the proposed CRMP would revise certain terminology in 
OCC's risk universe, such as organizing the universe into ``risk 
categories,'' ``risk sub-categories,'' and ``risk statements'' to 
effectively represent the Key Risks, Sub-categories, and Definitions 
that are discussed in the current RMF Policy. OCC would also modify 
certain governance requirements for the risk universe. Under the 
current RMF, Key Risks are approved by OCC's Board and risk appetites 
for Key Risks are set by the business departments responsible for those 
risk in cooperation with Corporate Risk. Under the proposed CRMP, the 
risk universe would be owned and approved by OCC's CRO and provided to 
the Management Committee and Board. The Board or the Risk Committee 
would ultimately be responsible for approving risk appetites and would 
continue to approve risk tolerances. The proposed CRMP would also 
provide additional details around the internal governance process for 
reviewing and approving risk categories, appetites, and tolerances and 
for monitoring risk tolerances. OCC would also remove the more general 
risk appetite statement definitions (i.e., no appetite, low appetite, 
moderate appetite, and high appetite), which are currently described in 
the RMF Policy, enabling OCC to use more detailed, qualitative risk 
appetite statements for each risk sub-category following the governance 
processes described above. In addition, OCC would change the cadence of 
risk reporting, including risk tolerance breaches, to align with the 
timing of OCC's regular Board meetings. The proposed CRMP would also 
introduce the concept of risk rating scales, which provide an 
assessment of risk from an impact and likelihood perspective 
consistently across OCC and would be used to measure inherent and 
residual risk at a risk statement level.
    OCC believes the proposed CRMP would provide a more comprehensive 
overview of the governance of OCC's risk universe and enhance certain 
processes therein. The proposed CRMP would provide additional details 
around the internal governance process for reviewing and approving risk 
categories, appetites, and tolerances and for monitoring risk 
tolerances and improve the governance process for the risk universe by 
allowing the CRO to modify risk categories as needed, with oversight of 
Management Committee and Board, and provide the Board or Risk Committee 
with more direct responsibility for setting the appetites for those 
risk. For these reasons, OCC believes the proposed changes would 
strengthen risk management processes designed to promote the prompt and 
accurate clearance and settlement of securities transactions, assure 
the safeguarding of securities and funds in OCC's custody or control or 
for which it is responsible, and in general, protect investors and the 
public interest. Accordingly, OCC believes that the proposed changes 
are consistent with Section 17A(b)(3)(F) of the Act.\46\
---------------------------------------------------------------------------

    \46\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Risk Management Governance
    OCC proposes to modify certain descriptions of its risk management 
governance arrangements in the new RMF. For example, OCC would update 
and streamline the description of the responsibilities of its Board as 
they are generally already addressed in the Board Charter.\47\ OCC also 
proposes to update the description of the responsibilities of the 
Management Committee, which primarily relates to the committee's role 
and responsibilities in reviewing and recommending changes to OCC's 
risk universe, as this would not be addressed in the proposed CRMP (as 
discussed above). OCC would also update the discussion of working 
groups and their responsibilities and include a description of the 
responsibilities of and development opportunities for OCC employees. 
OCC believes the proposed changes would improve OCC's risk framework by 
presenting a more concise, clear, and transparent description of OCC's 
risk management governance and thereby promote the prompt and accurate 
clearance and settlement of securities transactions, assure the 
safeguarding of securities and funds in OCC's custody or control or for 
which it is responsible, and in general, protect investors and the 
public interest. Accordingly, OCC believes that the proposed changes 
are consistent with Section 17A(b)(3)(F) of the Act.\48\
---------------------------------------------------------------------------

    \47\ See supra notes 16 and 17.
    \48\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Identification of Key Risks
    OCC proposes to replace the Identification of Key Risks section of 
the RMF Policy, which provides a brief description of OCC's policies 
and procedures for managing each of those Key Risk and their respective 
Risk Sub-Categories, with a new OCC Risk Management section of the 
proposed RMF. The proposed RMF would reorganize the focus of this 
description to align with the three lines of defense model currently 
described in the RMF Policy and describe the types of risks managed by 
each line of defense. The new OCC Risk Management section of the RMF 
would: (i) restate existing content of the RMF; (ii) introduce new 
content not currently contained in OCC's RMF Policy; and (iii) delete 
certain aspects of the RMF Policy. The proposed RMF would continue to 
refer to the same rules and OCC Risk Policies currently maintained by 
OCC (and described in the RMF) to address such risks and which are 
currently filed with the Commission as rules of OCC.\49\
---------------------------------------------------------------------------

    \49\ See supra notes 20-26 and associated text.
---------------------------------------------------------------------------

    OCC also proposes to remove certain details concerning its 
management of operational risk (e.g., quality standards program, 
cybersecurity program, system functionality and capacity, and business 
continuity program) as these aspects of its operational risk management 
would be contained in a new Operational Risk Management Framework 
document, which is currently being finalized by OCC, and will contain a 
more detailed and comprehensive overview of OCC's framework for 
managing operational risk.
    OCC believes these proposed changes would present a comprehensive, 
clear, and transparent description of the key risks faced by OCC and 
the assignment of responsibility for managing such risk, thereby 
strengthening risk management processes designed to promote the prompt 
and accurate clearance and settlement of securities transactions, 
assure the safeguarding of securities and funds in OCC's custody or 
control or for which it is responsible, and in general, protect 
investors and the public interest. Accordingly, OCC believes that the 
proposed changes are consistent with Section 17A(b)(3)(F) of the 
Act.\50\
---------------------------------------------------------------------------

    \50\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Risk Management Practice
    OCC proposes to relocate the discussion of its enterprise risk 
assessments, scenario analysis program, and risk reporting process to 
the new CRMP. As discussed above, the proposed CRMP is designed to more 
accurately and completely describe the risk assessment, monitoring, and 
reporting processes conducted by Corporate Risk. Additionally, OCC 
would eliminate the specific IT Risk Assessment section of the RMF 
Policy, as these details would be more appropriately addressed in the 
forthcoming Operational Risk Management Framework document, and would 
also remove the Compliance Risk Assessment section of the RMF Policy 
because this information is appropriately covered in the Compliance 
section of the proposed

[[Page 58422]]

RMF. OCC believes the proposed changes would result in an improved 
description of Corporate Risk's risk assessment, scenario analysis, and 
risk reporting responsibilities and thereby strengthen risk management 
processes designed to promote the prompt and accurate clearance and 
settlement of securities transactions, assure the safeguarding of 
securities and funds in OCC's custody or control or for which it is 
responsible, and in general, protect investors and the public interest. 
Accordingly, OCC believes the proposed changes are consistent with 
Section 17A(b)(3)(F) of the Act.\51\
---------------------------------------------------------------------------

    \51\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Control Activities
    OCC proposes to replace the Control Activities section of the RMF 
Policy with more general and broader descriptions of Compliance's 
responsibilities in the proposed RMF. In addition, under the proposed 
CRMP, responsibility for maintaining OCC's inventory of all business 
processes, risks, and associated controls would move from Compliance to 
Corporate Risk. As such, Corporate Risk would be responsible for 
reviewing the design of controls. Compliance would continue to perform 
design testing. OCC believes that assigning responsibility for 
reviewing control design to Corporate Risk is appropriate given its 
responsibilities in the enterprise risk assessment process, as part of 
which Corporate Risk leads quarterly workshops that assess the 
likelihood and impact of risks by reviewing data from across OCC, 
including risk events, Internal Audit findings, security risk 
assessments and observations, third-party observations, control design 
assessments, management control self-testing results, and business 
impact analyses, supplemented by information from emerging risk surveys 
(top-down), process-based risk assessments (bottom-up), and enterprise 
technology assessments. This enterprise risk assessment process affords 
Corporate Risk a holistic view of risk and controls, which OCC believes 
puts Corporate Risk in a unique position to review and improve control 
design with respect to controls intended to promote the prompt and 
accurate clearance and settlement of securities transactions, assure 
the safeguarding of securities and funds in OCC's custody or control or 
for which it is responsible, and in general, protect investors and the 
public interest. Accordingly, OCC believes the proposed changes are 
consistent with Section 17A(b)(3)(F) of the Act.\52\
---------------------------------------------------------------------------

    \52\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Exceptions and Violations
    OCC proposes to replace the individual Policy Exceptions and 
Violations sections in the current RMF Policy and other OCC Risk 
Policies with a new Risk Acceptances and Deviations section in the RMF. 
The proposed change would provide for a single framework for risk 
acceptances, exceptions, deviations, and the escalation of deviations 
across OCC's filed policies rather than requiring each policy to have 
its own individual Policy Exceptions and Violations sections, which may 
over time become inconsistent as policies are updated at different 
times. Such inconsistency could create confusion about escalation 
obligations and procedures, which could in turn lead to failure to 
escalate issues appropriately. Accordingly, OCC believes that improving 
the documentation for its escalation process would strengthen risk 
management processes designed to promote the prompt and accurate 
clearance and settlement of securities transactions, assure the 
safeguarding of securities and funds in OCC's custody or control or for 
which it is responsible, and in general, protect investors and the 
public interest. Accordingly, OCC believes that the proposed changes 
are consistent with Section 17A(b)(3)(F) of the Act.\53\
---------------------------------------------------------------------------

    \53\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

New Sections in Proposed RMF and CRMP
    OCC proposes to add new sections to the proposed RMF and CRMP to 
provide additional details concerning its overall framework for 
managing risk and its approach to enterprise risk management. For 
example, the proposed RMF would include a new section discussing OCC's 
Recovery and Orderly Wind-Down Plan. In addition, the CRMP would 
introduce a new section to describe Corporate Risk's Risk Monitoring 
process, including key risk indicator monitoring and operational risk 
even monitoring. The CRMP would also introduce a new section to 
describe OCC's risk treatment process, which is the process by which 
Risk Owners manage risk exposures by utilizing risk treatment methods 
to remain within risk appetites and tolerances. Additionally, the 
proposed CRMP would also describe Corporate Risk's process for 
escalating risks to the CRO, Management Committee, and Board and 
training employees about risk to support risk management and decision-
making. The proposed changes would provide a more comprehensive and 
transparent discussion of OCC's overall framework for managing risk and 
its approach to enterprise risk management. OCC believes the proposed 
enhancements to its risk management documentation would serve to 
promote the prompt and accurate clearance and settlement of securities 
transactions, assure the safeguarding of securities and funds in OCC's 
custody or control or for which it is responsible, and in general, 
protect investors and the public interest. Accordingly, OCC believes 
that the proposed changes are consistent with Section 17A(b)(3)(F) of 
the Act.\54\
---------------------------------------------------------------------------

    \54\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    For the reasons set forth above, OCC believes the proposed rule 
change would promote the prompt and accurate clearance and settlement 
of securities transactions, assure the safeguarding of securities and 
funds in the custody or control of the clearing agency or for which it 
is responsible, and in general, to protect investors and the public 
interest in accordance with Section 17A(b)(3)(F) of the Act.\55\
---------------------------------------------------------------------------

    \55\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

Consistency With Rule 17Ad-22 Under the Exchange Act
    OCC believes that the proposed rule change is generally consistent 
with Rule 17Ad-22(e)(3)(i) \56\ because the proposed RMF would describe 
OCC's comprehensive framework for identifying, measuring, monitoring 
and managing the risks that arise within OCC or are borne by it, 
including legal, credit, liquidity, operational, general business, 
investment and custody risk. Moreover, the proposed CRMP would explain 
that Corporate Risk evaluates risks that may affect OCC's ability to 
perform the services detailed in the proposed RMF. The proposed RMF 
would explain how OCC employs established practices, such as the three 
lines of defense model for enterprise-wide risk management, to ensure 
that OCC maintains and operates a resilient, effective and reliable 
risk management and internal control infrastructure that assures risk 
management and processing outcomes expected by OCC stakeholders. The 
proposed CRMP would describe how OCC's second line of defense monitors 
the risks that arise in or are borne by OCC through a variety of risk 
assessment, risk reporting, evaluation and internal control management 
activities, consistent with the requirements of Rule 17Ad-
22(e)(3)(i).\57\
---------------------------------------------------------------------------

    \56\ Id.
    \57\ Id.
---------------------------------------------------------------------------

    The proposed CRMP would describe OCC's use of risk appetites and 
risk tolerances to evaluate OCC's risks across

[[Page 58423]]

its risk universe to ensure that OCC sets appropriate levels and types 
risk that OCC is willing and able to assume in accordance with OCC's 
mission as a systemically important financial market utility. For 
example, the use of risk appetites allows OCC to carefully calibrate 
the levels of risk it accepts in a manner consistent with OCC's core 
mission of promoting financial stability in the markets it serves. In 
addition, the use of risk tolerances helps to inform whether risks are 
within Board-approved risk appetites. As a result, OCC believes the 
proposed RMF, as supported by the CRMP, is reasonably designed to 
provide for a sound, comprehensive framework for identifying, 
measuring, monitoring and managing the range of risks that arise in or 
are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).\58\
---------------------------------------------------------------------------

    \58\ Id.
---------------------------------------------------------------------------

RMF Policy: Risk Appetite Framework and Tolerance
    As described herein, OCC proposes to make certain modifications to 
the description of its risk appetite framework, including descriptions 
of OCC's use of a risk universe, risk appetites and risk tolerances and 
the governance process for maintain the risk universe, in the proposed 
CRMP. The proposed CRMP would also introduce the concept of risk rating 
scales, which provide an assessment of risk from an impact and 
likelihood perspective consistently across OCC and would be used to 
measure inherent and residual risk at a risk statement level. OCC 
believes the proposed CRMP would provide a more comprehensive overview 
of the governance of OCC's risk universe and enhance certain processes 
therein. The proposed CRMP would also provide additional details around 
the internal governance process for reviewing and approving risk 
categories, appetites, and tolerances and for monitoring risk 
tolerances and improve the governance process for the risk universe by 
allowing the CRO to modify risk categories as needed, with oversight of 
Management Committee and Board, and provide the Board or Risk Committee 
with more direct responsibility for setting the appetites for those 
risk. OCC believes the propose changes are reasonably designed to 
provide for a sound, comprehensive framework for identifying, 
measuring, monitoring and managing the range of risks that arise in or 
are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).\59\
---------------------------------------------------------------------------

    \59\ Id.
---------------------------------------------------------------------------

RMF Policy: Risk Management Governance
    Rules 17Ad-22(e)(2)(i) and (ii) \60\ require that a covered 
clearing agency establish, implement, maintain and enforce written 
policies and procedures reasonably designed to provide for governance 
arrangements that (i) are clear and transparent and (ii) clearly 
prioritize the safety and efficiency of the covered clearing agency. As 
discussed above, OCC proposes to modify certain descriptions of its 
risk management governance arrangements in the new RMF, including the 
roles and responsibilities of the Board, Management Committee, and 
OCC's internal working groups. OCC believes the proposed changes would 
improve OCC's risk framework by presenting a more clear, concise, and 
transparent description of OCC's governance arrangements as they relate 
to the management of risk within OCC. As a result, OCC believes the 
proposed changes are reasonably designed to provide for governance 
arrangements that (i) are clear and transparent and (ii) clearly 
prioritize the safety and efficiency of the covered clearing agency in 
accordance with Rules 17Ad-22(e)(2)(i) and (ii).\61\
---------------------------------------------------------------------------

    \60\ 17 CFR 240.17Ad-22(e)(2)(i) and (ii).
    \61\ Id.
---------------------------------------------------------------------------

RMF Policy: Identification of Key Risks
    As described above, OCC proposes to replace the Identification of 
Key Risks section of the RMF Policy with a new OCC Risk Management 
section of the proposed RMF. The proposed RMF would reorganize the 
focus of this description to align with the three lines of defense 
model currently described in the RMF Policy and describe the types of 
risks managed by each line of defense. As described herein, the new OCC 
Risk Management section of the RMF would: (i) restate existing content 
of the RMF; (ii) introduce new content not currently contained in OCC's 
RMF Policy; and (iii) delete certain aspects of the RMF Policy. The 
proposed RMF would continue to refer to the same rules and OCC Risk 
Policies currently maintained by OCC (and described in the RMF) to 
address such risks and which are currently filed with the Commission as 
rules of OCC.\62\ OCC believes the proposed changes would present a 
more comprehensive, clear, and transparent description of the key risks 
faced by OCC and the assignment of responsibility for managing such 
risks. As a result, OCC believes the proposed RMF, as supported by the 
CRMP, is reasonably designed to provide for a sound, comprehensive 
framework for identifying, measuring, monitoring and managing the range 
of risks that arise in or are borne by OCC in a manner consistent with 
Rule 17Ad-22(e)(3)(i).\63\
---------------------------------------------------------------------------

    \62\ See supra notes 20-26 and associated text.
    \63\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

RMF Policy: Risk Management Practice
    OCC proposes to relocate the discussion of its enterprise risk 
assessments, scenario analysis program, and risk reporting process to 
the new CRMP. As discussed above, the proposed CRMP is designed to more 
accurately and completely describe the risk assessment, monitoring, and 
reporting processes conducted by Corporate Risk. OCC believes the 
proposed changes would result in an improved description of Corporate 
Risk's risk assessment, scenario analysis, and risk reporting 
responsibilities and is therefore reasonably designed to support a 
sound, comprehensive framework for identifying, measuring, monitoring 
and managing the range of risks that arise in or are borne by OCC in a 
manner consistent with Rule 17Ad-22(e)(3)(i).\64\
---------------------------------------------------------------------------

    \64\ Id.
---------------------------------------------------------------------------

RMF Policy: Exceptions and Violations
    OCC proposes to replace the individual Policy Exceptions and 
Violations sections in the current RMF Policy and other OCC Risk 
Policies with a new Risk Acceptances and Deviations section in the RMF. 
The proposed change would provide for a single framework for risk 
acceptances and deviations, and the escalation of deviations across 
OCC's filed policies rather than requiring each policy to have its own 
individual Policy Exceptions and Violations sections, which may over 
time become inconsistent as OCC's individual risk policies evolve. This 
single framework would help to avoid ambiguities or confusion about 
escalation obligations or procedures that might otherwise arise if 
changes to such procedures were not applied consistently. The change 
would also reduce the administrative burden of having to update each 
document within OCC's universe of policies and procedures as OCC's 
process for escalating risk acceptance and deviations from those 
policies and procedures matures over time. OCC believes that improving 
the documentation for its escalation processes is reasonably designed 
to support its comprehensive framework for identifying, measuring, 
monitoring and managing the range of risks that arise in or are borne 
by OCC in a

[[Page 58424]]

manner consistent with Rule 17Ad-22(e)(3)(i).\65\
---------------------------------------------------------------------------

    \65\ Id.
---------------------------------------------------------------------------

New Sections in Proposed RMF and CRMP
    OCC proposes to add new sections to the proposed RMF and CRMP to 
provide additional details concerning its overall framework for 
managing risk and its approach to enterprise risk management. For 
example, the proposed RMF would include a new section discussing OCC's 
Recovery and Orderly Wind-Down Plan \66\ and introduce a new section to 
describe Corporate Risk's Risk Monitoring process, including key risk 
indicator monitoring and operational risk even monitoring. The CRMP 
would also introduce a new section to describe OCC's risk treatment 
process and would also describe Corporate Risk's process for escalating 
risks to the CRO, Management Committee, and Board and training 
employees about risk to support risk management and decision-making. 
The proposed changes would provide a more comprehensive and transparent 
discussion of OCC's overall framework for managing risk and its 
approach to enterprise risk management. OCC believes the proposed 
changes are therefore reasonably designed to provide for a sound, 
comprehensive framework for identifying, measuring, monitoring and 
managing the range of risks that arise in or are borne by OCC in a 
manner consistent with Rule 17Ad-22(e)(3)(i).\67\
---------------------------------------------------------------------------

    \66\ OCC believes this proposed change also supports compliance 
with Exchange Act Rule 17Ad-22(e)(3)(ii), which requires a covered 
clearing agency to maintain a sound risk management framework for 
comprehensively managing legal, credit, liquidity, operational, 
general business, investment, custody, and other risks that arise in 
or are borne by the covered clearing agency, which includes plans 
for the recovery and orderly wind-down of the covered clearing 
agency necessitated by credit losses, liquidity shortfalls, losses 
from general business risk, or any other losses. See 17 CFR 
240.17Ad-22(e)(3)(ii).
    \67\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

Consistency With Section 19(b) of the Exchange Act
    Section 19(b)(1) of the Act \68\ and Rule 19b-4 \69\ thereunder set 
forth the requirements for SRO proposed rule changes, including the 
regulatory filing requirements for ``stated policies, practices and 
interpretations.'' \70\ OCC proposes to retire its existing RMF Policy, 
which was, in part, previously filed as an OCC ``rule'' with the 
Commission, as the RMF and CRMP would replace the RMF Policy in its 
entirety. Under the proposal, the material aspects of OCC's overall 
risk management framework and Corporate Risk program would be contained 
in the proposed RMF and CRMP described herein. As described in detail 
herein, various details in the current RMF Policy would no longer be 
OCC rule text following adoption of the RMF and CRMP. Specifically, OCC 
believes the removing the following sections of the current RMF Policy 
from OCC's rule text are consistent with Section 19(b)(1) of the Act 
and Rule 19b-4 because they are administrative in nature and do not 
address material aspects of the of the operation of the facilities of 
OCC:
---------------------------------------------------------------------------

    \68\ 15 U.S.C. 78s(b)(1).
    \69\ 17 CFR 240.19b-4.
    \70\ See supra note 38.
---------------------------------------------------------------------------

     The Context for Risk Management Framework and Risk 
Management Philosophy sections providing history and background 
information about OCC and its purpose in the financial markets; \71\
---------------------------------------------------------------------------

    \71\ Additionally, OCC believes the information presented in the 
Risk Management Philosophy section serves as an additional purpose 
section and that all items highlighted in this section would be 
covered in, or otherwise reasonably and fairly implied by, the 
proposed RMF and CRMP.
---------------------------------------------------------------------------

     Sections of the RMF Policy related to project planning, 
corporate budgeting, and Human Resources and Compliance training; and
     The Risk Universe, which reflects the output of policies 
and processes described in the RMF Policy (and eventually, the proposed 
CRMP).
    Accordingly, OCC believes the proposed changes would be consistent 
with the requirements of Section 19(b)(1) of the Act and Rule 19b-4 
thereunder.\72\
---------------------------------------------------------------------------

    \72\ See 15 U.S.C. 78s(b)(1) and 17 CFR 240.19b-4.
---------------------------------------------------------------------------

(B) Clearing Agency's Statement on Burden on Competition

    Section 17A(b)(3)(I) of the Act \73\ requires that the rules of a 
clearing agency not impose any burden on competition not necessary or 
appropriate in furtherance of the purposes of the Act. OCC does not 
believe that the proposed rule changes would impact or impose any 
burden on competition. The proposed rule change clearly and 
transparently presents the framework OCC uses to identify, monitor and 
manage its risks. While the proposed rule change would enhance OCC's 
framework of risk management documentation, these updates do not affect 
Clearing Members' access to OCC's services or impose any direct burdens 
on Clearing Members. Accordingly, the proposed rule change would not 
unfairly inhibit access to OCC's services or disadvantage or favor any 
particular user in relationship to another user.
---------------------------------------------------------------------------

    \73\ 15 U.S.C. 78q-1(b)(3)(I).
---------------------------------------------------------------------------

    For the foregoing reasons, OCC believes that the proposed rule 
change is in the public interest, would be consistent with the 
requirements of the Act applicable to clearing agencies, and would not 
impact or impose a burden on competition.

(C) Clearing Agency's Statement on Comments on the Proposed Rule Change 
Received From Members, Participants or Others

    Written comments on the proposed rule change were not and are not 
intended to be solicited with respect to the proposed rule change and 
none have been received.

III. Date of Effectiveness of the Proposed Rule Change and Timing for 
Commission Action

    Within 45 days of the date of publication of this notice in the 
Federal Register or within such longer period up to 90 days (i) as the 
Commission may designate if it finds such longer period to be 
appropriate and publishes its reasons for so finding or (ii) as to 
which the self regulatory organization consents, the Commission will: 
(A) by order approve or disapprove such proposed rule change, or (B) 
institute proceedings to determine whether the proposed rule change 
should be disapproved. The proposal shall not take effect until all 
regulatory actions required with respect to the proposal are completed.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed rule 
change is consistent with the Act. Comments may be submitted by any of 
the following methods:

Electronic Comments

     Use the Commission's internet comment form (http://www.sec.gov/rules/sro.shtml); or
     Send an email to [email protected]. Please include 
File Number SR-OCC-2022-010 on the subject line.

Paper Comments

     Send paper comments in triplicate to Vanessa Countryman, 
Secretary, Securities and Exchange Commission, 100 F Street NE, 
Washington, DC 20549-1090.

All submissions should refer to File Number SR-OCC-2022-010. This file 
number should be included on the subject line if email is used. To help 
the Commission process and review your

[[Page 58425]]

comments more efficiently, please use only one method. The Commission 
will post all comments on the Commission's internet website (http://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent 
amendments, all written statements with respect to the proposed rule 
change that are filed with the Commission, and all written 
communications relating to the proposed rule change between the 
Commission and any person, other than those that may be withheld from 
the public in accordance with the provisions of 5 U.S.C. 552, will be 
available for website viewing and printing in the Commission's Public 
Reference Room, 100 F Street NE, Washington, DC 20549, on official 
business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of 
such filing also will be available for inspection and copying at the 
principal office of OCC and on OCC's website at https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules.
    All comments received will be posted without change. Persons 
submitting comments are cautioned that we do not redact or edit 
personal identifying information from comment submissions. You should 
submit only information that you wish to make available publicly.
    All submissions should refer to File Number SR-OCC-2022-010 and 
should be submitted on or before October 17, 2022.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\74\
---------------------------------------------------------------------------

    \74\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2022-20728 Filed 9-23-22; 8:45 am]
BILLING CODE 8011-01-P