[Federal Register Volume 88, Number 209 (Tuesday, October 31, 2023)]
[Notices]
[Pages 74547-74550]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-23941]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-98799; File No. SR-ICEEU-2023-021]
Self-Regulatory Organizations; ICE Clear Europe Limited; Order
Approving Proposed Rule Change, as Modified by Amendment No. 1,
Relating to Amendments to its Operational Risk and Resilience Policy
October 25, 2023.
I. Introduction
On August 15, 2023, ICE Clear Europe Limited (``ICE Clear Europe''
or ``Clearing House'') filed with the Securities and Exchange
Commission (``Commission''), pursuant to Section 19(b)(1) of the
Securities Exchange Act of 1934 (the ``Act'') \1\ and Rule 19b-4
thereunder,\2\ a proposed rule change to amend its Operational Risk and
Resilience Policy (the ``Policy''). On August 24, 2023, ICE Clear
Europe filed Amendment No. 1 to the proposed rule change to make
certain changes to the Exhibits 5.\3\ Notice of the proposed rule
change, as modified by Amendment No. 1, was published for comment in
the Federal Register on September 5, 2023.\4\ On October 3, 2023, the
Commission designated a longer period for Commission action on the
proposed rule change until December 4, 2023.\5\ The Commission has not
received comments regarding the proposed rule change. For the reasons
discussed below, the Commission is approving the proposed rule change,
as modified by Amendment No. 1 (hereinafter ``the Proposed Rule
Change'').
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ Amendment No. 1 corrects the presentation of changes in
Exhibit 5 by reflecting the deletion of the prior ``Oversight of the
Policy'' section as part of the updated governance and oversight
provisions. This amendment was filed with the Commission on August
24, 2023.
\4\ Self-Regulatory Organizations; ICE Clear Europe Limited;
Notice of Filing of Proposed Rule Change, as Modified by Amendment
No. 1, Relating to Amendments to its Operational Risk and Resilience
Policy, Exchange Act Release No. 98237 (Aug. 29, 2023); 88 FR 60727
(Sep. 5, 2023) (SR-ICEEU-2023-021) (``Notice'').
\5\ Self-Regulatory Organizations; ICE Clear Europe Limited;
Notice of Designation of Longer Period for Commission Action on
Proposed Rule Change, as Modified by Amendment No. 1, Relating to
Amendments to its Operational Risk and Resilience Policy; Exchange
Act Release No. 98573 (Sep. 27, 2023), 88 FR 68240 (Oct. 3, 2023)
(File No. SR-ICEEU-2023-021).
---------------------------------------------------------------------------
II. Description of the Proposed Rule Change
A. Background
ICE Clear Europe is registered with the Commission as a clearing
agency for
[[Page 74548]]
the purpose of clearing security-based swaps. In its role as a clearing
agency for security-based swaps, ICE Clear Europe maintains the Policy
to address how ICE Clear Europe identifies, assesses, manages,
monitors, and reports its operational risks. ICE Clear Europe is
proposing to amend the Policy to add new scenario analysis and testing
relating to operational risk and resilience, require that ICE Clear
Europe assess emerging risks, and update the review process for the
Policy. The Policy has five sections: (1) Introduction, (2) Operational
Risk and Resilience Framework, (3) Risk and Control Assessments, (4)
Governance and Oversight, and (5) Appendix. To effect these amendments,
the Proposed Rule Change would amend all sections except the
Introduction, renumber or relabel various provisions throughout the
Policy, and update the version history to reflect these changes.
B. Operational Risk and Resilience Framework
Section 2 of the Policy, ``Operational Risk and Resilience
Framework,'' describes the overall framework that ICE Clear Europe uses
to address operational risk \6\ and maintain operational resilience.
Specifically, ICE Clear Europe uses this framework to reduce the
likelihood of an operational disruption event within acceptable
tolerance, and mitigate and quickly recover from an operational
disruption event. In addition to the Policy itself, the policies and
procedures in the framework are: (i) the Incident Management Policy;
(ii) the Business Continuity & Disaster Recovery Policy; (iii) the
Information Security Policy and Cyber Security Strategy; (iv) the
Outsourcing Policy; and (v) the Vendor Management Policy.\7\
---------------------------------------------------------------------------
\6\ The Policy defines operational risk as the risk of an event
occurring which negatively impacts the achievement of business
objectives resulting from inadequate or failed internal operational
controls, people, systems, or external events.
\7\ See Self-Regulatory Organizations; ICE Clear Europe Limited;
Order Approving Proposed Rule Change Relating to ICE Clear Europe
Operational Risk and Resilience Policy, Exchange Act Release No.
96351 (Nov. 18, 2022); 87 FR 72553 (Nov. 25, 2022) (SR-ICEEU-2022-
015).
---------------------------------------------------------------------------
ICE Clear Europe proposes to update the description of the
operational risk and resilience framework to reflect the new name of
the Outsourcing Policy. ICE Clear Europe recently changed the name of
the Outsourcing Policy to the Outsourcing and Third Party Risk
Management Policy, and the Proposed Rule Change would reflect this
update.\8\ The Proposed Rule Change also would add language to reflect
that the updated policy has been approved by the Board and is pending
regulatory approval.\9\
---------------------------------------------------------------------------
\8\ For more information regarding the changes relating to the
Outsourcing and Third Party Risk Management Policy, See Self-
Regulatory Organizations; ICE Clear Europe Limited; Order Approving
Proposed Rule Change, as Modified by Amendment No. 1 and Partial
Amendment No. 2, Relating to Amendments to the Outsourcing Policy,
Exchange Act Release No. 98387 (Sep. 14, 2023); 88 FR 64953 (Sep.
20, 2023) (SR-ICEEU-2023-018).
\9\ Following publication of the Notice, the Commission approved
ICE Clear Europe's proposed change to the name of the Outsourcing
Policy, as well as other changes to the Outsourcing Policy. See
Self-Regulatory Organizations; ICE Clear Europe Limited; Order
Approving Proposed Rule Change, as Modified by Amendment No. 1 and
Partial Amendment No. 2, Relating to Amendments to the Outsourcing
Policy, Exchange Act Release No. 98387 (Sep. 14, 2023); 88 FR 64953
(Sep. 20, 2023) (SR-ICEEU-2023-019).
---------------------------------------------------------------------------
ICE Clear Europe proposes to update the description of its scenario
analysis and testing found in Section 2.6 of the Policy. As noted in
the Policy, ICE Clear Europe has scenario analysis and testing in place
to identity any operational resilience weakness, and it conducts such
testing on important business services to determine if it can remain
within the impact tolerances under a range of extreme but plausible
disruption scenarios. ICE Clear Europe proposes to make additions to
this section without deleting any language, except for one exception
noted below relating to the Board.
Specifically, the Proposed Rule Change would add a requirement that
the Clearing House must maintain an inventory of scenarios for the
purposes of scenario analysis and testing. Moreover, the Policy
currently specifies that the testing should include scenarios which
disrupt more than one important business service simultaneously and
take into account dependencies.\10\ The Proposed Rule Change would
specify that such dependencies should be both internal and external.
The Proposed Rule Change would also add language stating that a portion
of the scenarios should be identified and selected for reverse stress
testing (through a practical test where possible or a desk top
exercise), and that, over a three-year cycle, all scenarios would have
to be tested at least once by either a practical test or a desk top
exercise. In addition, the inventory of scenarios would need to be
reviewed on at least an annual basis in order to determine if the
scenarios are still fit for purpose and if updates are required. The
annual review of the inventory would be the responsibility of the First
Line with Second Line review, and would be approved by the Executive
Risk Committee (``ERC'').\11\ The ERC would also be responsible for
approving any changes to the list of scenarios outside of the annual
review cycle. The detailed scope of the testing based on the scenarios
in the inventory and the results of testing and assessment against the
risk register would be shared with the Second Line for review. The
Proposed Rule Change would also specify that the scenario analysis and
testing results would be submitted to the ERC or relevant Board sub-
committee by removing a reference to the Board and replacing it with
the relevant Board sub-committee.
---------------------------------------------------------------------------
\10\ The Clearing House requires that for each important
business service, the following dependencies must be identified:
people, processes, technology, facilities, and underlying
information.
\11\ Enteprise Risk Management is the Second Line of defense and
is responsible for challenging the First Line and monitoring
adherence to the requirement of this policy. Key Controls have an
expected high level of mitigation and the associated risks have an
inherent risk score of ``High'' or ``Very High''. First Line refers
to the defense (or Risk Owner) responsible for managing the risks to
within the Board appetite and ensuring adherence to all the
requirements in the Policy.
---------------------------------------------------------------------------
C. Risk and Control Assessments
Section 3 of the Policy, ``Risk and Control Assessments,''
addresses the process that identifies, assesses, manages, monitors, and
reports operational risk. The Proposed Rule Change would add a new
section on control validation and assessment, outlining that upon entry
to the risk register or when a material change is made to a Key
Control, Enterprise Risk Management (``ERM'') will confirm that
validation of Key Controls is carried out. Additionally, the amendments
would state that validation may be verified directly by ERM or through
ERM's oversight of validations performed by the First Line. The
amendments would also replace two references to control testing with
control validation throughout the Policy to be consistent with the new
section. The Proposed Rule Change does not redefine control testing and
is meant to align with the Clearing House's Global Enterprise Risk
Management Policy.
In Section 3.2, ``Risk Assessment,'' the amendments would address
emerging risks by adding a paragraph stating that there should be an
assessment of the Velocity for emerging risks. Velocity would be
defined as an estimate of the time frame within which impact of a risk
may be realized, and would be considered as an additional factor
utilized in prioritizing Emerging Risks. Other non-substantive drafting
clarifications would be made in this section, such as renumbering to
account for the new section on control validation and assessment.
[[Page 74549]]
D. Governance and Oversight
In Section 4, ``Governance and Oversight,'' the amendments would
add three new sections: ``Reviews,'' ``Breach Management,'' and
``Exception Handling.''
The ``Reviews'' section would replace the previous ``Oversight of
the Policy'' section, which stated only that the Policy is subject to
the oversight of the Risk Oversight Department and that failure to
comply with the Policy shall be escalated to the Board. This statement
must be removed to ensure consistency with the Operational Risk and
Resilience Framework section discussed above, which specifies that the
First Line of defense is responsible for ensuring adherence to all the
requirements in the Policy, with the Risk Oversight Department and
Enterprise Risk Management acting as the Second Line of defense, with
responsibility for challenging the First Line and monitoring adherence
to the requirement of the Policy.
Instead, the new ``Reviews'' section of the Policy would include a
number of provisions governing the oversight and review of the Policy.
First, it would specify that the owner of the Policy would be
responsible for ensuring that the Policy remains up to date and is
reviewed in accordance with ICE Clear Europe's governance processes. It
would also provide that, unless otherwise stated, a document review
will be conducted by the document owner and/or relevant staff as
appropriate, with sign off being provided by the head of the department
(or their delegate) and the Chief Risk Officer. Such document reviews
would need to encompass, at a minimum, regulatory compliance;
documentation and purpose; implementation; use; and open items from
previous validations or reviews (where appropriate). The results of the
review, including any findings, would need to be reported to ICE Clear
Europe's Executive Risk Committee, along with the priority of findings,
proposed remediations, and target due date to remediate the findings.
Finally, the ``Reviews'' section would specify that the document owner
will aim to remediate the findings, complete internal governance, and
receive regulatory approvals (where applicable) before the next annual
review is due.
The new ``Breach Management'' section would specify that the
document owner would be responsible for reporting material breaches or
unapproved deviations from the Policy to their Head of Department, the
Chief Risk Officer, and the Head of Regulation and Compliance (or, as
applicable, their respective delegates). Those individuals together
would determine if further escalation should be made to relevant senior
executives, the Board, and/or competent authorities.
Finally, the new ``Exception Handling'' section would specify that
exceptions to the Policy must be approved in accordance with ICE Clear
Europe's governance process for the approval of changes, which would
only take effect after completion of all necessary internal and
regulatory approvals.
E. Appendix
The Proposed Rule Change also would modify and update three of the
appendixes, add one new appendix, and remove a section from one
appendix.
Specifically, the Proposed Rule Change would modify and update the
table included as Appendix D, ``Assessment of Expected Level of Risk
Mitigation,'' by renaming the current ``Mitigation'' column as
``Rating'' and adding a new column labeled ``Examples,'' which would
include specific examples for each level of rating (high, medium, and
low).
The Proposed Rule Change would update and modify the table included
as Appendix E, ``Control Effectiveness Ratings,'' by renaming the
current ``Effectiveness'' and ``Guidelines'' columns as ``Rating'' and
``Control Assessment Guidelines,'' respectively. In addition, an
additional bullet point would be in the guideline column for the
``Unsatisfactory'' rating, specifying that this rating would apply
where the control validation and/or assessment and audit programs
result in major findings.
The columns for the table included as Appendix F, ``Control
Remediation Recommendation & Timelines,'' (Appendix F) would also be
renamed. The current heading labeled Control Effectiveness would be
renamed to Control Effectiveness Rating, and the heading labeled
Mitigation would be renamed to Level of Risk Mitigation. In addition,
for the scenario with a Control Effectiveness Rating of Needs
Improvement and a High Level of Risk Mitigation, the recommendation
would be changed from Medium to High.
A new table would be added as Appendix G, ``Velocity Assessment
Guidance,'' in connection with the amendments to Section 3.2 discussed
above relating to an assessment of the velocity of emerging risks. This
section would include a chart separating the Velocity Rating into
categories of Immediate (less than six months), Short Term (between six
and 18 months), and Medium Term (greater than 18 months), and a
description noting that each rating is assessed based on the time in
which the impact of a risk may be realized if the risk is unmitigated
(e.g., an immediate risk is one for which the impact may be realized
within six months of the risk event occurring if the risk is
unmitigated).
Finally, the amendments would remove the section labeled Control
Testing Scope following the chart on Risk Mitigation in Appendix H, to
conform to the change in the Policy to refer to control validation
rather than control testing.
III. Discussion and Commission Findings
Section 19(b)(2)(C) of the Act directs the Commission to approve a
Proposed Rule Change of a self-regulatory organization if it finds that
such Proposed Rule Change is consistent with the requirements of the
Act and the rules and regulations thereunder applicable to such
organization.\12\ For the reasons discussed below, the Commission finds
that the Proposed Rule Change is consistent with Section 17A(b)(3)(F)
of the Act,\13\ and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(17)
thereunder.\14\
---------------------------------------------------------------------------
\12\ 15 U.S.C. 78s(b)(2)(C).
\13\ 15 U.S.C. 78q-1(b)(3)(F).
\14\ 17 CFR 240.17Ad-22(e)(2)(v) and (e)(17).
---------------------------------------------------------------------------
i. Consistency With Section 17A(b)(3)(F) of the Act
Section 17A(b)(3)(F) of the Act requires, among other things, that
the rules of ICE Clear Europe be designed to promote the prompt and
accurate clearance and settlement of securities transactions and, to
the extent applicable, derivative agreements, contracts, and
transactions.\15\ Based on its review of the record, and for the
reasons discussed below, the Commission finds that the proposed changes
to the Policy are consistent with the promotion of the prompt and
accurate clearance and settlement of securities transactions.
---------------------------------------------------------------------------
\15\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
As a registered clearing agency, ICE Clear Europe faces a number of
operational risks that could impact or threaten its ability to clear
and settle transactions if they are not eliminated or mitigated. As
noted above, ICE Clear Europe maintains the Policy to address how it
identifies, assesses, manages, monitors, and reports such operational
risks. Improving or enhancing the Policy likewise improves or enhances
ICE Clear Europe's ability to manage or mitigate its operational risks
and
[[Page 74550]]
therefore ensure that it can continue to clear and settle securities
transactions.
For example, as discussed above, the Proposed Rule Change would
update the Policy to require ICE Clear Europe to maintain an inventory
of scenarios for the purposes of scenario analysis and testing, which
inventory would need to be reviewed on at least an annual basis in
order to determine if the scenarios are still fit for purpose and if
updates are required. These new requirements should help ensure that
ICE Clear Europe personnel identify and maintain an appropriate
inventory of scenarios, determine in a timely manner if updates to the
inventory or scenarios are needed, and identify any gaps and necessary
resolutions or updates to the inventory and scenarios sooner than what
is currently required.
Taken together, these enhancements to the Policy should enhance ICE
Clear Europe's operational resilience, which in turn should decrease
the likelihood that operational incidents would disrupt its ability to
promptly and accurately clear and settle securities transactions.
Accordingly, the Commission finds that the Proposed Rule Change is
consistent with Section 17A(b)(3)(F) of the Act.\16\
---------------------------------------------------------------------------
\16\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
ii. Consistency With Rule 17Ad-22(e)(2)(v)
Rule 17Ad-22(e)(2)(v) require that ICE Clear Europe establish,
implement, maintain, and enforce written policies and procedures
reasonably designed to provide governance arrangements that, among
other things, are clear and transparent and specify clear and direct
lines of responsibility.\17\
---------------------------------------------------------------------------
\17\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------
As discussed above, the Proposed Rule Change would add new sections
to the Policy addressing reviews, breach management, and exception
handling. Among other things, the section addressing reviews would make
the document owner responsible for ensuring that the Policy remains up-
to-date and is reviewed in accordance with ICE Clear Europe's
governance processes. Additionally, document reviews will be conducted
by the document owner and signed off by the head of the department (or
their delegate) and the Chief Risk Officer. These reviews would
encompass, at a minimum, regulatory compliance; documentation and
purpose; implementation; use; and, where appropriate, open items from
previous validations or reviews.
Under the new section covering breach management, the document
owner also would be responsible for reporting material breaches or
unapproved deviations from the Policy to their Head of Department, the
Chief Risk Officer, and the Head of Regulation and Compliance (or, as
applicable, their respective delegates).
Under the new section addressing exception handling, exceptions to
the Policy would need to be approved in accordance with ICE Clear
Europe's governance process for the approval of changes, and could only
take effect after completion of all necessary internal and regulatory
approvals.
Additionally, the Proposed Rule Change would add a new section to
the Policy on control validation and assessment, outlining that upon
entry to the risk register or when a material change is made to a Key
Control, ERM will confirm that validation of Key Controls is carried
out. The Proposed Rule Change would also amend the Policy to state that
validation may be verified directly by ERM or through ERM's oversight
of validations performed by the First Line.
Taken together, these changes would help establish clear and direct
responsibilities for the document owner of the Policy. Accordingly, the
Commission finds that the Proposed Rule Change is consistent with Rule
17Ad-22(e)(2)(v).\18\
---------------------------------------------------------------------------
\18\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------
iii. Consistency With Rule 17Ad-22(e)(17)
Rule 17Ad-22(e)(17) requires that ICE Clear Europe establish,
implement, maintain, and enforce written policies and procedures
reasonably designed to manage its operational risks by, among other
things, identifying the plausible sources of operational risk, both
internal and external, and mitigating their impact through the use of
appropriate systems, policies, procedures, and controls.\19\
---------------------------------------------------------------------------
\19\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
By adding a requirement to maintain an inventory of scenarios for
the purposes of scenario analysis and test and review those scenarios
annually, the Proposed Rule Change would support ICE Clear Europe's
ability to identify plausible sources of operational risk, both
internal and external, and mitigate their impact through the Policy,
which supports Ice Clear Europe's efforts to manage and mitigate its
operational risks. Accordingly, the Commission finds that the Proposed
Rule Change is consistent with Rule 17Ad-22(e)(17).\20\
---------------------------------------------------------------------------
\20\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
IV. Conclusion
On the basis of the foregoing, the Commission finds that the
Proposed Rule Change, as modified by Amendment no. 1, is consistent
with the requirements of the Act, and in particular, with the
requirements of Section 17A(b)(3)(F) of the Act,\21\ and Rules 17Ad-
22(e)(2)(v) and 17Ad-22(e)(17) thereunder.\22\
---------------------------------------------------------------------------
\21\ 15 U.S.C. 78q-1(b)(3)(F).
\22\ 17 CFR 240.17Ad-22(e)(2)(v) and (e)(17).
---------------------------------------------------------------------------
It is therefore ordered pursuant to Section 19(b)(2) of the Act
\23\ that the Proposed Rule Change (SR-ICEEU-2023-021) be, and hereby
is, approved.\24\
---------------------------------------------------------------------------
\23\ 15 U.S.C. 78s(b)(2).
\24\ In approving the Proposed Rule Change, the Commission
considered the proposal's impact on efficiency, competition, and
capital formation. 15 U.S.C. 78c(f).
---------------------------------------------------------------------------
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\25\
---------------------------------------------------------------------------
\25\ 17 CFR 200.30-3(a)(12).
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2023-23941 Filed 10-30-23; 8:45 am]
BILLING CODE 8011-01-P