[Federal Register Volume 88, Number 209 (Tuesday, October 31, 2023)]
[Notices]
[Pages 74547-74550]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-23941]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-98799; File No. SR-ICEEU-2023-021]


Self-Regulatory Organizations; ICE Clear Europe Limited; Order 
Approving Proposed Rule Change, as Modified by Amendment No. 1, 
Relating to Amendments to its Operational Risk and Resilience Policy

October 25, 2023.

I. Introduction

    On August 15, 2023, ICE Clear Europe Limited (``ICE Clear Europe'' 
or ``Clearing House'') filed with the Securities and Exchange 
Commission (``Commission''), pursuant to Section 19(b)(1) of the 
Securities Exchange Act of 1934 (the ``Act'') \1\ and Rule 19b-4 
thereunder,\2\ a proposed rule change to amend its Operational Risk and 
Resilience Policy (the ``Policy''). On August 24, 2023, ICE Clear 
Europe filed Amendment No. 1 to the proposed rule change to make 
certain changes to the Exhibits 5.\3\ Notice of the proposed rule 
change, as modified by Amendment No. 1, was published for comment in 
the Federal Register on September 5, 2023.\4\ On October 3, 2023, the 
Commission designated a longer period for Commission action on the 
proposed rule change until December 4, 2023.\5\ The Commission has not 
received comments regarding the proposed rule change. For the reasons 
discussed below, the Commission is approving the proposed rule change, 
as modified by Amendment No. 1 (hereinafter ``the Proposed Rule 
Change'').
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Amendment No. 1 corrects the presentation of changes in 
Exhibit 5 by reflecting the deletion of the prior ``Oversight of the 
Policy'' section as part of the updated governance and oversight 
provisions. This amendment was filed with the Commission on August 
24, 2023.
    \4\ Self-Regulatory Organizations; ICE Clear Europe Limited; 
Notice of Filing of Proposed Rule Change, as Modified by Amendment 
No. 1, Relating to Amendments to its Operational Risk and Resilience 
Policy, Exchange Act Release No. 98237 (Aug. 29, 2023); 88 FR 60727 
(Sep. 5, 2023) (SR-ICEEU-2023-021) (``Notice'').
    \5\ Self-Regulatory Organizations; ICE Clear Europe Limited; 
Notice of Designation of Longer Period for Commission Action on 
Proposed Rule Change, as Modified by Amendment No. 1, Relating to 
Amendments to its Operational Risk and Resilience Policy; Exchange 
Act Release No. 98573 (Sep. 27, 2023), 88 FR 68240 (Oct. 3, 2023) 
(File No. SR-ICEEU-2023-021).
---------------------------------------------------------------------------

II. Description of the Proposed Rule Change

A. Background

    ICE Clear Europe is registered with the Commission as a clearing 
agency for

[[Page 74548]]

the purpose of clearing security-based swaps. In its role as a clearing 
agency for security-based swaps, ICE Clear Europe maintains the Policy 
to address how ICE Clear Europe identifies, assesses, manages, 
monitors, and reports its operational risks. ICE Clear Europe is 
proposing to amend the Policy to add new scenario analysis and testing 
relating to operational risk and resilience, require that ICE Clear 
Europe assess emerging risks, and update the review process for the 
Policy. The Policy has five sections: (1) Introduction, (2) Operational 
Risk and Resilience Framework, (3) Risk and Control Assessments, (4) 
Governance and Oversight, and (5) Appendix. To effect these amendments, 
the Proposed Rule Change would amend all sections except the 
Introduction, renumber or relabel various provisions throughout the 
Policy, and update the version history to reflect these changes.

B. Operational Risk and Resilience Framework

    Section 2 of the Policy, ``Operational Risk and Resilience 
Framework,'' describes the overall framework that ICE Clear Europe uses 
to address operational risk \6\ and maintain operational resilience. 
Specifically, ICE Clear Europe uses this framework to reduce the 
likelihood of an operational disruption event within acceptable 
tolerance, and mitigate and quickly recover from an operational 
disruption event. In addition to the Policy itself, the policies and 
procedures in the framework are: (i) the Incident Management Policy; 
(ii) the Business Continuity & Disaster Recovery Policy; (iii) the 
Information Security Policy and Cyber Security Strategy; (iv) the 
Outsourcing Policy; and (v) the Vendor Management Policy.\7\
---------------------------------------------------------------------------

    \6\ The Policy defines operational risk as the risk of an event 
occurring which negatively impacts the achievement of business 
objectives resulting from inadequate or failed internal operational 
controls, people, systems, or external events.
    \7\ See Self-Regulatory Organizations; ICE Clear Europe Limited; 
Order Approving Proposed Rule Change Relating to ICE Clear Europe 
Operational Risk and Resilience Policy, Exchange Act Release No. 
96351 (Nov. 18, 2022); 87 FR 72553 (Nov. 25, 2022) (SR-ICEEU-2022-
015).
---------------------------------------------------------------------------

    ICE Clear Europe proposes to update the description of the 
operational risk and resilience framework to reflect the new name of 
the Outsourcing Policy. ICE Clear Europe recently changed the name of 
the Outsourcing Policy to the Outsourcing and Third Party Risk 
Management Policy, and the Proposed Rule Change would reflect this 
update.\8\ The Proposed Rule Change also would add language to reflect 
that the updated policy has been approved by the Board and is pending 
regulatory approval.\9\
---------------------------------------------------------------------------

    \8\ For more information regarding the changes relating to the 
Outsourcing and Third Party Risk Management Policy, See Self-
Regulatory Organizations; ICE Clear Europe Limited; Order Approving 
Proposed Rule Change, as Modified by Amendment No. 1 and Partial 
Amendment No. 2, Relating to Amendments to the Outsourcing Policy, 
Exchange Act Release No. 98387 (Sep. 14, 2023); 88 FR 64953 (Sep. 
20, 2023) (SR-ICEEU-2023-018).
    \9\ Following publication of the Notice, the Commission approved 
ICE Clear Europe's proposed change to the name of the Outsourcing 
Policy, as well as other changes to the Outsourcing Policy. See 
Self-Regulatory Organizations; ICE Clear Europe Limited; Order 
Approving Proposed Rule Change, as Modified by Amendment No. 1 and 
Partial Amendment No. 2, Relating to Amendments to the Outsourcing 
Policy, Exchange Act Release No. 98387 (Sep. 14, 2023); 88 FR 64953 
(Sep. 20, 2023) (SR-ICEEU-2023-019).
---------------------------------------------------------------------------

    ICE Clear Europe proposes to update the description of its scenario 
analysis and testing found in Section 2.6 of the Policy. As noted in 
the Policy, ICE Clear Europe has scenario analysis and testing in place 
to identity any operational resilience weakness, and it conducts such 
testing on important business services to determine if it can remain 
within the impact tolerances under a range of extreme but plausible 
disruption scenarios. ICE Clear Europe proposes to make additions to 
this section without deleting any language, except for one exception 
noted below relating to the Board.
    Specifically, the Proposed Rule Change would add a requirement that 
the Clearing House must maintain an inventory of scenarios for the 
purposes of scenario analysis and testing. Moreover, the Policy 
currently specifies that the testing should include scenarios which 
disrupt more than one important business service simultaneously and 
take into account dependencies.\10\ The Proposed Rule Change would 
specify that such dependencies should be both internal and external. 
The Proposed Rule Change would also add language stating that a portion 
of the scenarios should be identified and selected for reverse stress 
testing (through a practical test where possible or a desk top 
exercise), and that, over a three-year cycle, all scenarios would have 
to be tested at least once by either a practical test or a desk top 
exercise. In addition, the inventory of scenarios would need to be 
reviewed on at least an annual basis in order to determine if the 
scenarios are still fit for purpose and if updates are required. The 
annual review of the inventory would be the responsibility of the First 
Line with Second Line review, and would be approved by the Executive 
Risk Committee (``ERC'').\11\ The ERC would also be responsible for 
approving any changes to the list of scenarios outside of the annual 
review cycle. The detailed scope of the testing based on the scenarios 
in the inventory and the results of testing and assessment against the 
risk register would be shared with the Second Line for review. The 
Proposed Rule Change would also specify that the scenario analysis and 
testing results would be submitted to the ERC or relevant Board sub-
committee by removing a reference to the Board and replacing it with 
the relevant Board sub-committee.
---------------------------------------------------------------------------

    \10\ The Clearing House requires that for each important 
business service, the following dependencies must be identified: 
people, processes, technology, facilities, and underlying 
information.
    \11\ Enteprise Risk Management is the Second Line of defense and 
is responsible for challenging the First Line and monitoring 
adherence to the requirement of this policy. Key Controls have an 
expected high level of mitigation and the associated risks have an 
inherent risk score of ``High'' or ``Very High''. First Line refers 
to the defense (or Risk Owner) responsible for managing the risks to 
within the Board appetite and ensuring adherence to all the 
requirements in the Policy.
---------------------------------------------------------------------------

C. Risk and Control Assessments

    Section 3 of the Policy, ``Risk and Control Assessments,'' 
addresses the process that identifies, assesses, manages, monitors, and 
reports operational risk. The Proposed Rule Change would add a new 
section on control validation and assessment, outlining that upon entry 
to the risk register or when a material change is made to a Key 
Control, Enterprise Risk Management (``ERM'') will confirm that 
validation of Key Controls is carried out. Additionally, the amendments 
would state that validation may be verified directly by ERM or through 
ERM's oversight of validations performed by the First Line. The 
amendments would also replace two references to control testing with 
control validation throughout the Policy to be consistent with the new 
section. The Proposed Rule Change does not redefine control testing and 
is meant to align with the Clearing House's Global Enterprise Risk 
Management Policy.
    In Section 3.2, ``Risk Assessment,'' the amendments would address 
emerging risks by adding a paragraph stating that there should be an 
assessment of the Velocity for emerging risks. Velocity would be 
defined as an estimate of the time frame within which impact of a risk 
may be realized, and would be considered as an additional factor 
utilized in prioritizing Emerging Risks. Other non-substantive drafting 
clarifications would be made in this section, such as renumbering to 
account for the new section on control validation and assessment.

[[Page 74549]]

D. Governance and Oversight

    In Section 4, ``Governance and Oversight,'' the amendments would 
add three new sections: ``Reviews,'' ``Breach Management,'' and 
``Exception Handling.''
    The ``Reviews'' section would replace the previous ``Oversight of 
the Policy'' section, which stated only that the Policy is subject to 
the oversight of the Risk Oversight Department and that failure to 
comply with the Policy shall be escalated to the Board. This statement 
must be removed to ensure consistency with the Operational Risk and 
Resilience Framework section discussed above, which specifies that the 
First Line of defense is responsible for ensuring adherence to all the 
requirements in the Policy, with the Risk Oversight Department and 
Enterprise Risk Management acting as the Second Line of defense, with 
responsibility for challenging the First Line and monitoring adherence 
to the requirement of the Policy.
    Instead, the new ``Reviews'' section of the Policy would include a 
number of provisions governing the oversight and review of the Policy. 
First, it would specify that the owner of the Policy would be 
responsible for ensuring that the Policy remains up to date and is 
reviewed in accordance with ICE Clear Europe's governance processes. It 
would also provide that, unless otherwise stated, a document review 
will be conducted by the document owner and/or relevant staff as 
appropriate, with sign off being provided by the head of the department 
(or their delegate) and the Chief Risk Officer. Such document reviews 
would need to encompass, at a minimum, regulatory compliance; 
documentation and purpose; implementation; use; and open items from 
previous validations or reviews (where appropriate). The results of the 
review, including any findings, would need to be reported to ICE Clear 
Europe's Executive Risk Committee, along with the priority of findings, 
proposed remediations, and target due date to remediate the findings. 
Finally, the ``Reviews'' section would specify that the document owner 
will aim to remediate the findings, complete internal governance, and 
receive regulatory approvals (where applicable) before the next annual 
review is due.
    The new ``Breach Management'' section would specify that the 
document owner would be responsible for reporting material breaches or 
unapproved deviations from the Policy to their Head of Department, the 
Chief Risk Officer, and the Head of Regulation and Compliance (or, as 
applicable, their respective delegates). Those individuals together 
would determine if further escalation should be made to relevant senior 
executives, the Board, and/or competent authorities.
    Finally, the new ``Exception Handling'' section would specify that 
exceptions to the Policy must be approved in accordance with ICE Clear 
Europe's governance process for the approval of changes, which would 
only take effect after completion of all necessary internal and 
regulatory approvals.

E. Appendix

    The Proposed Rule Change also would modify and update three of the 
appendixes, add one new appendix, and remove a section from one 
appendix.
    Specifically, the Proposed Rule Change would modify and update the 
table included as Appendix D, ``Assessment of Expected Level of Risk 
Mitigation,'' by renaming the current ``Mitigation'' column as 
``Rating'' and adding a new column labeled ``Examples,'' which would 
include specific examples for each level of rating (high, medium, and 
low).
    The Proposed Rule Change would update and modify the table included 
as Appendix E, ``Control Effectiveness Ratings,'' by renaming the 
current ``Effectiveness'' and ``Guidelines'' columns as ``Rating'' and 
``Control Assessment Guidelines,'' respectively. In addition, an 
additional bullet point would be in the guideline column for the 
``Unsatisfactory'' rating, specifying that this rating would apply 
where the control validation and/or assessment and audit programs 
result in major findings.
    The columns for the table included as Appendix F, ``Control 
Remediation Recommendation & Timelines,'' (Appendix F) would also be 
renamed. The current heading labeled Control Effectiveness would be 
renamed to Control Effectiveness Rating, and the heading labeled 
Mitigation would be renamed to Level of Risk Mitigation. In addition, 
for the scenario with a Control Effectiveness Rating of Needs 
Improvement and a High Level of Risk Mitigation, the recommendation 
would be changed from Medium to High.
    A new table would be added as Appendix G, ``Velocity Assessment 
Guidance,'' in connection with the amendments to Section 3.2 discussed 
above relating to an assessment of the velocity of emerging risks. This 
section would include a chart separating the Velocity Rating into 
categories of Immediate (less than six months), Short Term (between six 
and 18 months), and Medium Term (greater than 18 months), and a 
description noting that each rating is assessed based on the time in 
which the impact of a risk may be realized if the risk is unmitigated 
(e.g., an immediate risk is one for which the impact may be realized 
within six months of the risk event occurring if the risk is 
unmitigated).
    Finally, the amendments would remove the section labeled Control 
Testing Scope following the chart on Risk Mitigation in Appendix H, to 
conform to the change in the Policy to refer to control validation 
rather than control testing.

III. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act directs the Commission to approve a 
Proposed Rule Change of a self-regulatory organization if it finds that 
such Proposed Rule Change is consistent with the requirements of the 
Act and the rules and regulations thereunder applicable to such 
organization.\12\ For the reasons discussed below, the Commission finds 
that the Proposed Rule Change is consistent with Section 17A(b)(3)(F) 
of the Act,\13\ and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(17) 
thereunder.\14\
---------------------------------------------------------------------------

    \12\ 15 U.S.C. 78s(b)(2)(C).
    \13\ 15 U.S.C. 78q-1(b)(3)(F).
    \14\ 17 CFR 240.17Ad-22(e)(2)(v) and (e)(17).
---------------------------------------------------------------------------

i. Consistency With Section 17A(b)(3)(F) of the Act
    Section 17A(b)(3)(F) of the Act requires, among other things, that 
the rules of ICE Clear Europe be designed to promote the prompt and 
accurate clearance and settlement of securities transactions and, to 
the extent applicable, derivative agreements, contracts, and 
transactions.\15\ Based on its review of the record, and for the 
reasons discussed below, the Commission finds that the proposed changes 
to the Policy are consistent with the promotion of the prompt and 
accurate clearance and settlement of securities transactions.
---------------------------------------------------------------------------

    \15\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    As a registered clearing agency, ICE Clear Europe faces a number of 
operational risks that could impact or threaten its ability to clear 
and settle transactions if they are not eliminated or mitigated. As 
noted above, ICE Clear Europe maintains the Policy to address how it 
identifies, assesses, manages, monitors, and reports such operational 
risks. Improving or enhancing the Policy likewise improves or enhances 
ICE Clear Europe's ability to manage or mitigate its operational risks 
and

[[Page 74550]]

therefore ensure that it can continue to clear and settle securities 
transactions.
    For example, as discussed above, the Proposed Rule Change would 
update the Policy to require ICE Clear Europe to maintain an inventory 
of scenarios for the purposes of scenario analysis and testing, which 
inventory would need to be reviewed on at least an annual basis in 
order to determine if the scenarios are still fit for purpose and if 
updates are required. These new requirements should help ensure that 
ICE Clear Europe personnel identify and maintain an appropriate 
inventory of scenarios, determine in a timely manner if updates to the 
inventory or scenarios are needed, and identify any gaps and necessary 
resolutions or updates to the inventory and scenarios sooner than what 
is currently required.
    Taken together, these enhancements to the Policy should enhance ICE 
Clear Europe's operational resilience, which in turn should decrease 
the likelihood that operational incidents would disrupt its ability to 
promptly and accurately clear and settle securities transactions. 
Accordingly, the Commission finds that the Proposed Rule Change is 
consistent with Section 17A(b)(3)(F) of the Act.\16\
---------------------------------------------------------------------------

    \16\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

ii. Consistency With Rule 17Ad-22(e)(2)(v)
    Rule 17Ad-22(e)(2)(v) require that ICE Clear Europe establish, 
implement, maintain, and enforce written policies and procedures 
reasonably designed to provide governance arrangements that, among 
other things, are clear and transparent and specify clear and direct 
lines of responsibility.\17\
---------------------------------------------------------------------------

    \17\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------

    As discussed above, the Proposed Rule Change would add new sections 
to the Policy addressing reviews, breach management, and exception 
handling. Among other things, the section addressing reviews would make 
the document owner responsible for ensuring that the Policy remains up-
to-date and is reviewed in accordance with ICE Clear Europe's 
governance processes. Additionally, document reviews will be conducted 
by the document owner and signed off by the head of the department (or 
their delegate) and the Chief Risk Officer. These reviews would 
encompass, at a minimum, regulatory compliance; documentation and 
purpose; implementation; use; and, where appropriate, open items from 
previous validations or reviews.
    Under the new section covering breach management, the document 
owner also would be responsible for reporting material breaches or 
unapproved deviations from the Policy to their Head of Department, the 
Chief Risk Officer, and the Head of Regulation and Compliance (or, as 
applicable, their respective delegates).
    Under the new section addressing exception handling, exceptions to 
the Policy would need to be approved in accordance with ICE Clear 
Europe's governance process for the approval of changes, and could only 
take effect after completion of all necessary internal and regulatory 
approvals.
    Additionally, the Proposed Rule Change would add a new section to 
the Policy on control validation and assessment, outlining that upon 
entry to the risk register or when a material change is made to a Key 
Control, ERM will confirm that validation of Key Controls is carried 
out. The Proposed Rule Change would also amend the Policy to state that 
validation may be verified directly by ERM or through ERM's oversight 
of validations performed by the First Line.
    Taken together, these changes would help establish clear and direct 
responsibilities for the document owner of the Policy. Accordingly, the 
Commission finds that the Proposed Rule Change is consistent with Rule 
17Ad-22(e)(2)(v).\18\
---------------------------------------------------------------------------

    \18\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------

iii. Consistency With Rule 17Ad-22(e)(17)

    Rule 17Ad-22(e)(17) requires that ICE Clear Europe establish, 
implement, maintain, and enforce written policies and procedures 
reasonably designed to manage its operational risks by, among other 
things, identifying the plausible sources of operational risk, both 
internal and external, and mitigating their impact through the use of 
appropriate systems, policies, procedures, and controls.\19\
---------------------------------------------------------------------------

    \19\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

    By adding a requirement to maintain an inventory of scenarios for 
the purposes of scenario analysis and test and review those scenarios 
annually, the Proposed Rule Change would support ICE Clear Europe's 
ability to identify plausible sources of operational risk, both 
internal and external, and mitigate their impact through the Policy, 
which supports Ice Clear Europe's efforts to manage and mitigate its 
operational risks. Accordingly, the Commission finds that the Proposed 
Rule Change is consistent with Rule 17Ad-22(e)(17).\20\
---------------------------------------------------------------------------

    \20\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

IV. Conclusion

    On the basis of the foregoing, the Commission finds that the 
Proposed Rule Change, as modified by Amendment no. 1, is consistent 
with the requirements of the Act, and in particular, with the 
requirements of Section 17A(b)(3)(F) of the Act,\21\ and Rules 17Ad-
22(e)(2)(v) and 17Ad-22(e)(17) thereunder.\22\
---------------------------------------------------------------------------

    \21\ 15 U.S.C. 78q-1(b)(3)(F).
    \22\ 17 CFR 240.17Ad-22(e)(2)(v) and (e)(17).
---------------------------------------------------------------------------

    It is therefore ordered pursuant to Section 19(b)(2) of the Act 
\23\ that the Proposed Rule Change (SR-ICEEU-2023-021) be, and hereby 
is, approved.\24\
---------------------------------------------------------------------------

    \23\ 15 U.S.C. 78s(b)(2).
    \24\ In approving the Proposed Rule Change, the Commission 
considered the proposal's impact on efficiency, competition, and 
capital formation. 15 U.S.C. 78c(f).
---------------------------------------------------------------------------

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\25\
---------------------------------------------------------------------------

    \25\ 17 CFR 200.30-3(a)(12).

Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2023-23941 Filed 10-30-23; 8:45 am]
BILLING CODE 8011-01-P