[Federal Register Volume 89, Number 52 (Friday, March 15, 2024)]
[Rules and Regulations]
[Pages 18749-18767]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-05322]

FEDERAL RESERVE SYSTEM

12 CFR Part 234

[Regulation HH; Docket No. R-1782]
RIN 7100-AG40


Financial Market Utilities

AGENCY: Board of Governors of the Federal Reserve System.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Board of Governors of the Federal Reserve System (Board) 
is publishing a final rule amending the requirements relating to 
operational risk management in the Board's Regulation HH, which applies 
to certain financial market utilities (FMUs) that have been designated 
as systemically important (designated FMUs) by the Financial Stability 
Oversight Council (FSOC) under Title VIII of the Dodd-Frank Wall Street 
Reform and Consumer Protection Act (the Dodd-Frank Act or Act). The 
amendments update, refine, and add specificity to the operational risk 
management requirements in Regulation HH to reflect changes in the 
operational risk, technology, and regulatory landscape in which 
designated FMUs operate. The final rule also adopts specific incident-
notification requirements.

DATES: 
    Effective date: The final rule is effective April 15, 2024.
    Compliance dates: Designated FMUs must be in compliance with the 
rule by September 11, 2024, except for the incident management and 
notification requirement in Sec.  234.3(a)(17)(vi), under Amendatory 
Instruction 3, with which designated FMUs must be in compliance by June 
13, 2024.

FOR FURTHER INFORMATION CONTACT: Emily Caron, Assistant Director (202-
452-5261) or Katherine Standbridge, Senior Financial Institution and 
Policy Analyst (202-452-3873), Division of Reserve Bank Operations and 
Payment Systems; or Corinne Milliken Van Ness, Senior Counsel (202-452-
2421) or M. Benjamin Snodgrass, Senior Counsel (202-263-4877), Legal 
Division. For users of TTY-TRS, please call 711 from any telephone, 
anywhere in the United States.

SUPPLEMENTARY INFORMATION:

I. Overview

    Title VIII of the Dodd-Frank Act, titled the ``Payment, Clearing, 
and Settlement Supervision Act of 2010,'' was enacted to mitigate 
systemic risk in the financial system and to promote financial 
stability, in part, through an enhanced supervisory framework for 
designated FMUs. Section 803(6) of the Act defines an FMU as a ``person 
that manages or operates a multilateral system for the purpose of 
transferring, clearing, or settling payments, securities, or other 
financial transactions among financial institutions or between 
financial institutions and the person.'' \1\ Pursuant to section 
805(a)(1)(A) of the Act, and as described below, the Board is required 
to prescribe risk-management standards governing the operations related 
to the payment, clearing, and settlement activities of certain 
designated FMUs.
---------------------------------------------------------------------------

    \1\ 12 U.S.C. 5462(6).
---------------------------------------------------------------------------

    The Board adopted Regulation HH, Designated Financial Market 
Utilities, in July 2012 to implement, among other things, the statutory 
provisions under section 805(a)(1)(A) of the Act.\2\ In November 2014, 
the Board published amendments to the risk-management standards in 
Regulation HH, 12 CFR part 234, based on the Principles for Financial 
Market Infrastructures (PFMI).\3\
---------------------------------------------------------------------------

    \2\ 77 FR 45907 (Aug. 2, 2012).
    \3\ 79 FR 65543 (Nov. 5, 2014). The PFMI, published by the 
Committee on Payment and Settlement Systems (now the Committee on 
Payments and Market Infrastructures) and the Technical Committee of 
the International Organization of Securities Commissions in April 
2012, is widely recognized as the most relevant set of international 
risk-management standards for payment, clearing, and settlement 
systems.
---------------------------------------------------------------------------

    In October 2022, the Board published for comment a notice of 
proposed rulemaking (NPRM) to amend the requirements relating to 
operational risk management in Regulation HH. The Board proposed to 
update, refine, and add specificity to the operational risk management 
requirements in Regulation HH. The proposed amendments reflected 
changes in the operational risk, technology, and regulatory landscape 
in which designated FMUs operate since the Board last amended 
Regulation HH in 2014. The Board also proposed to adopt specific 
incident-notification requirements.\4\ The public comment period for 
the proposed amendments closed on December 5, 2022. The Board is now 
adopting final amendments to Regulation HH, with modifications to 
certain sections of the proposal as discussed below.
---------------------------------------------------------------------------

    \4\ 87 FR 60314 (Oct. 5, 2022).
---------------------------------------------------------------------------

II. Background

A. Financial Market Utilities

    FMUs provide essential infrastructure to clear and settle payments 
and other financial transactions. Financial institutions, including 
banking organizations, participate in FMU arrangements pursuant to a 
common set of rules and procedures, technical infrastructure, and risk-
management framework.
    If a systemically important FMU fails to perform as expected or 
fails to effectively measure, monitor, and manage its risks, it could 
pose significant risk to its participants and the financial system more 
broadly. For example, the inability of an FMU to complete settlement on 
time could create credit or liquidity problems for its participants or 
other FMUs. An FMU, therefore, should have a robust risk-management 
framework, including appropriate policies and procedures to measure, 
monitor, and manage the range of risks that arise in or are borne by 
the FMU.

B. Title VIII of the Dodd-Frank Act

    In recognition of the criticality of FMUs to the stability of the 
financial system, Title VIII of the Dodd-Frank Act established a 
framework for enhanced supervision of certain FMUs. Section 804 of the 
Act states that the FSOC shall designate those FMUs that it determines 
are, or are likely to become, systemically important. Such a 
designation by the FSOC makes an FMU subject to the supervisory 
framework set out in Title VIII of the Act.
    Section 805(a)(1)(A) of the Act requires the Board to prescribe 
risk-management standards governing the operations related to payment, 
clearing, and settlement activities of designated
FMUs.\5\ As set out in section 805(b) of the Act, the applicable risk-
management standards must (1) promote robust risk management, (2) 
promote safety and soundness, (3) reduce systemic risks, and (4) 
support the stability of the broader financial system.\6\
---------------------------------------------------------------------------

    \5\ 12 U.S.C. 5464(a)(1). The Act directs the Board to ``tak[e] 
into consideration relevant international standards and existing 
prudential requirements'' when it promulgates these risk-management 
standards. Id. In addition, section 805(a)(2) of the Act grants the 
U.S. Commodity Futures Trading Commission (CFTC) and the U.S. 
Securities and Exchange Commission (SEC) the authority to prescribe 
such risk-management standards for a designated FMU that is, 
respectively, a derivatives clearing organization (DCO) registered 
under section 5b of the Commodity Exchange Act or a clearing agency 
registered under section 17A of the Securities Exchange Act of 1934. 
12 U.S.C. 5464(a)(2).
    \6\ Further, under section 805(c), the risk-management standards 
may address areas such as (1) risk-management policies and 
procedures, (2) margin and collateral requirements, (3) participant 
or counterparty default policies and procedures, (4) the ability to 
complete timely clearing and settlement of financial transactions, 
(5) capital and financial resource requirements for designated FMUs, 
and (6) other areas that are necessary to achieve the objectives and 
principles for risk-management standards. 12 U.S.C. 5464(c).
---------------------------------------------------------------------------

    A designated FMU is subject to examination by the federal agency 
that has primary jurisdiction over the FMU under federal banking, 
securities, or commodity futures laws (the ``Supervisory Agency'').\7\ 
At present, the FSOC has designated eight FMUs as systemically 
important, and the Board is the Supervisory Agency for two of these 
designated FMUs--The Clearing House Payments Company, L.L.C. (on the 
basis of its role as operator of the Clearing House Interbank Payments 
System (CHIPS)) and CLS Bank International.\8\ The risk-management 
standards in the Board's Regulation HH apply to Board-supervised 
designated FMUs.\9\
---------------------------------------------------------------------------

    \7\ The Act's definition of ``Supervisory Agency'' is codified 
at 12 U.S.C. 5462(8). Section 807 of the Act authorizes the 
Supervisory Agencies to examine and take enforcement actions against 
the Supervisory Agencies' respective designated FMUs. The Act also 
describes certain authorities that the Board has with respect to 
designated FMUs for which it is not the Supervisory Agency, such as 
participation in examinations and recommendations on enforcement 
actions. 12 U.S.C. 5466.
    \8\ The SEC is the Supervisory Agency for The Depository Trust 
Company (DTC); Fixed Income Clearing Corporation (FICC); National 
Securities Clearing Corporation (NSCC); and The Options Clearing 
Corporation (OCC). The CFTC is the Supervisory Agency for the 
Chicago Mercantile Exchange, Inc. (CME); and ICE Clear Credit LLC 
(ICC). See U.S. Department of the Treasury, Financial Market Utility 
Designations, https://home.treasury.gov/policy-issues/financial-markets-financial-institutions-and-fiscal-service/fsoc/designations.
    \9\ The risk-management standards in Regulation HH would also 
apply to any designated FMU for which another Federal banking agency 
is the Supervisory Agency. At this time, there are no such 
designated FMUs.
---------------------------------------------------------------------------

C. Regulation HH Risk-Management Standards for Designated FMUs

    Section 234.3 of Regulation HH includes a set of 23 risk-management 
standards addressing governance, transparency, and the various risks 
that can arise in connection with a designated FMU's payment, clearing, 
and settlement activities, including legal, financial, and operational 
risks. These standards are based on and generally consistent with the 
PFMI. The Regulation HH standards generally employ a flexible, 
principles-based approach. In several cases, however, the Board adopted 
specific minimum requirements that a designated FMU must meet in order 
to achieve the overall objective of a particular standard.
1. Operational Risk Management
    Section 234.3(a)(17) of Regulation HH, as amended in 2014, requires 
that a designated FMU manage its operational risks by establishing a 
robust operational risk-management framework that is approved by its 
board of directors.\10\ Specifically, a designated FMU must (1) 
identify and mitigate its plausible sources of operational risk; (2) 
identify, monitor, and manage the operational risks it may pose to 
other FMUs and trade repositories; (3) ensure a high degree of security 
and operational reliability; (4) have adequate, scalable capacity to 
handle increasing stress volumes; (5) address potential and evolving 
vulnerabilities and threats; and (6) provide for rapid recovery and 
timely resumption of critical operations and fulfillment of 
obligations, including in the event of a wide-scale or major 
disruption. Section 234.3(a)(17) also contains several specific minimum 
requirements for business continuity planning, including a requirement 
for the designated FMU to have a business continuity plan that (1) 
incorporates the use of a secondary site at a location with a distinct 
risk profile from the primary site; (2) is designed to enable critical 
systems to recover and resume operations no later than two hours 
following disruptive events; (3) is designed to enable it to complete 
settlement by the end of the day of the disruption, even in case of 
extreme circumstances; and (4) is tested at least annually.\11\
---------------------------------------------------------------------------

    \10\ In this SUPPLEMENTARY INFORMATION, Sec.  234.3(a)(17) will 
be informally referred to as the ``operational risk management 
standard.''
    \11\ 12 CFR 234.3(a)(17)(vii).
---------------------------------------------------------------------------

    Although the term ``operational risk'' is not defined in current 
Regulation HH, when the Board proposed amendments to Sec.  234.3(a)(17) 
in 2014, it described operational risk as the risk that deficiencies in 
information systems, internal processes, and personnel or disruptions 
from external events will result in the deterioration or breakdown of 
services provided by an FMU.\12\ Consistent with an all-hazards view of 
managing operational risk, the Board believes operational risk could 
arise internally and externally. Internal sources of operational risk 
include the designated FMU's people, processes, and technology.\13\ 
External sources of operational risk are those that fall outside the 
direct control of a designated FMU. For example, external sources of 
operational risk can include the designated FMU's participants and 
other entities, such as other FMUs, settlement banks, liquidity 
providers, and service providers, which may transmit threats through 
their various connections to the designated FMU. External sources of 
operational risk also include physical events, such as pandemics, 
natural disasters, and other destruction of property, as well as 
information security threats, such as cyberattacks and technology 
supply chain vulnerabilities. These internal and external sources of 
operational risk can manifest in different scenarios (including wide-
scale or major disruptions) and can result in the reduction, 
deterioration, or breakdown of services that a designated FMU provides. 
A designated FMU must plan for these types of scenarios and test its 
systems, policies, procedures, and controls against them.
---------------------------------------------------------------------------

    \12\ 79 FR 3666, 3683 (Jan. 22, 2014). The Board also 
incorporated this definition of ``operational risk'' into part I of 
the Federal Reserve Policy on Payment System Risk (PSR policy) in 
2014, see 79 FR 2838, 2845 (Jan. 16, 2014), and into its supervisory 
rating system for financial market infrastructure in 2016, see 81 FR 
58932, 58936 (Aug. 26, 2016). The PSR policy is available at https://www.federalreserve.gov/paymentsystems/files/psr_policy.pdf.
    \13\ Deficiencies in assessing and managing these sources of 
operational risk could cause errors or delays in processing, systems 
outages, insufficient capacity, fraud, data loss, and data leakage.
---------------------------------------------------------------------------

    Importantly, the Board believes that effective operational risk 
management, in combination with sound governance arrangements and 
effective management of general business risk (including the risk of 
losses from operational events), promotes operational resilience, which 
refers to the ability of an FMU to: (1) maintain essential operational 
capabilities under adverse conditions or stress, even if in a degraded 
or debilitated state; and (2) recover to effective operational 
capability in a time frame consistent with the provision of critical 
services.\14\
---------------------------------------------------------------------------

    \14\ See Sec.  234.3(a)(2) and (15).

---------------------------------------------------------------------------

2. Evolution in the Operational Risk, Technology, and Regulatory 
Landscape
    When the Board proposed amendments to Regulation HH's risk-
management standards in 2014, the Board recognized that there was 
ongoing work and discussion domestically and internationally on 
developing operational risk-management standards and guidance and 
planning for business continuity with respect to cybersecurity and 
responses to cyberattacks.\15\ For example, in 2016, the Committee on 
Payments and Market Infrastructures (CPMI) and Technical Committee of 
the International Organization of Securities Commissions (IOSCO) 
published Guidance on cyber resilience for financial market 
infrastructures (Cyber Guidance), which supplements the PFMI and 
provides guidance on cyber resilience, including in the context of 
governance, the comprehensive management of risks, and operational risk 
management.\16\ The Cyber Guidance has informed the Federal Reserve's 
supervision of designated FMUs.\17\
---------------------------------------------------------------------------

    \15\ 79 FR 3666, 3683 (Jan. 22, 2014).
    \16\ CPMI-IOSCO, Guidance on Cyber Resilience for Financial 
Market Infrastructures (June 2016), https://www.bis.org/cpmi/publ/d146.htm.
    \17\ For example, when the Board finalized its ORSOM 
(Organization; Risk Management; Settlement; Operational Risk and 
Information Technology (IT); and Market Support, Access, and 
Transparency) rating system for designated FMUs in 2016, it noted 
that the then-forthcoming Cyber Guidance would guide the Board's 
assessment of a designated FMU with respect to operational risk and 
cybersecurity policies and procedures. 81 FR 58932, 58934 (Aug. 26, 
2016).
---------------------------------------------------------------------------

    More recently, new challenges to operational risk management have 
emerged, including a global pandemic and severe weather events. In 
addition, certain types of cyberattacks that were once thought to be 
extreme or ``tail-risk'' events, like attacks on the supply chain and 
ransomware attacks, have become more prevalent. Technology solutions 
for the mitigation and management of various operational risks have 
also advanced since 2014, including the development of new technologies 
that have the potential to improve the resilience of designated FMUs. 
Finally, the legal, regulatory, and supervisory landscape in which 
designated FMUs operate has evolved to reflect these changes in the 
broader operational risk environment. For example, in July 2021, the 
Board, the Office of the Comptroller of the Currency (OCC), and the 
Federal Deposit Insurance Corporation (FDIC) proposed guidance for 
banking organizations on managing risks associated with third-party 
relationships.\18\ In November 2021, the Board, OCC, and FDIC adopted 
requirements on computer-security incident notifications for banking 
organizations and bank service providers (interagency notification 
rule).\19\ The evolution in the operational risk, technology, and 
regulatory landscape motivated the Board to conduct a full review of 
Sec.  234.3(a)(17) to determine whether updates were necessary. 
Following this review, the Board believes that the outcomes required by 
the current operational risk management standard are generally still 
relevant and comprehensive. However, the Board has identified several 
areas where it believes updates to the rule are necessary.
---------------------------------------------------------------------------

    \18\ 86 FR 38182 (July 19, 2021). The Board, OCC, and FDIC 
issued final third-party risk management guidance for banking 
organizations in June 2023. 88 FR 37920 (June 9, 2023).
    \19\ 86 FR 66424 (Nov. 23, 2021). Congress also recently enacted 
the Cyber Incident Reporting for Critical Infrastructure Act of 
2022, which requires covered entities to report significant cyber 
incidents to the Cybersecurity and Infrastructure Security Agency (``CISA''). 
See Public Law 117-103, Div. Y (codified at 6 U.S.C. 681-681g).
---------------------------------------------------------------------------

D. Overview of the Proposal

    The Board proposed to amend the operational risk management 
standard to reflect changes in the operational risk and threat 
landscape, as well as to reflect developments in designated FMUs' 
operations and technology usage since the Board last amended Regulation 
HH in 2014. The proposed amendments focused on four areas: (1) review 
and testing, (2) incident management and notification, (3) business 
continuity management and planning, and (4) third-party risk 
management. The Board also proposed several technical or clarifying 
revisions throughout Sec. Sec.  234.2 and 234.3(a).\20\
---------------------------------------------------------------------------

    \20\ In addition to the technical changes described below in 
section III.G, the Board proposed a technical change to the title of 
Sec.  234.3. Currently, the section is erroneously titled 
``Standards for payment systems,'' which is the legacy title from 
the initial Regulation HH risk-management standards published in 
2012. The Board proposed to replace ``payment systems'' with 
``designated financial market utilities.''
---------------------------------------------------------------------------

III. Summary of Public Comments and Analysis

    The Board received six public comment letters. Two letters were 
from entities that operate designated FMUs, one letter was from a non-
profit organization, and three letters were from individuals. The Board 
considered each of these comments as well as subsequent staff analysis 
in developing the final rule. The Board is adopting the proposed rule 
text with modifications to certain sections, as discussed below.

A. Overall Response and Approach

    Commenters were generally supportive of the proposed amendments. Of 
the three substantive comments received, one commenter expressed 
support for the amendments as proposed. Two commenters, while 
expressing support for the overall proposal, raised concerns that 
aspects of the proposal were broader than necessary. These commenters 
suggested additional clarifications to and refinements in the scope of 
the proposed amendments. Both of these commenters raised concerns that 
amendments to Regulation HH should permit a designated FMU to apply a 
risk-based and proportionate approach to operational risk management. 
This comment was made both generally and with respect to specific 
aspects of the review and testing, business continuity management and 
planning, and third-party risk management sections of the proposed 
amendments. The Board generally understands a ``risk-based and 
proportionate approach'' as an approach whereby entities identify, 
assess, and understand the risks to which they are exposed and take 
measures commensurate with those risks.\21\
---------------------------------------------------------------------------

    \21\ See Cyber Guidance, supra note 16, at 26.
---------------------------------------------------------------------------

    The final rule does not expressly specify that designated FMUs may 
use a risk-based and proportionate approach to comply with the amended 
operational risk management standard. The Board believes that it is 
unnecessary to do so. Designated FMUs currently use risk-based and 
proportionate approaches to manage operational risk, as the Board 
generally has implemented principles-based requirements in Regulation 
HH. The proposed amendments were not intended to affect designated 
FMUs' ability to continue to use risk-based and proportionate 
approaches where appropriate. Furthermore, other parts of Regulation 
HH's risk-management standards, such as the framework for the 
comprehensive management of risks found in Sec.  234.3(a)(3), do not 
expressly specify a risk-based and proportionate approach. Thus, adding 
such language to the operational risk management standard could result 
in a difference in drafting not driven by a difference in intended 
meaning.
    The Board has, however, amended certain aspects of the proposal to 
incorporate several specific concerns raised by the commenters. These 
concerns and the Board's response are described in the sections that 
follow.

B. Compliance Date

    In the NPRM, the Board proposed an effective and compliance date of 
60 days from the date the final rule was published in the Federal 
Register. Two commenters expressed the need for additional time to 
comply with the final rule and requested 180 days after publication to 
comply. Specifically, these commenters requested more time to enable 
designated FMUs to assess their current procedures and practices 
against the amendments and to implement any necessary changes. They 
also noted that the proposed third-party risk management requirements 
might necessitate changes to designated FMUs' contracts with third 
parties, which might take longer than 60 days. One commenter explained 
that it would take longer than 60 days to implement the incident 
notification requirement of the Board's proposed incident management 
framework. A third commenter considered the Board's amendment of the 
operational risk management standard overdue and viewed incident 
management and notification as the most important part of the proposal.
    The Board is adopting the final rule with an effective date of 
April 15, 2024. Designated FMUs are expected to comply with the 
requirements of the final rule no later than September 11, 2024, with 
the exception of the requirement to establish a documented framework 
for incident management, set forth in Sec.  234.3(a)(17)(vi). 
Designated FMUs are expected to comply with Sec.  234.3(a)(17)(vi) no 
later than June 13, 2024. Designated FMUs are encouraged, however, to 
comply with the provisions as soon as possible.
    After consideration of the public comments as well as internal 
analysis, the Board is providing additional time to allow sufficient 
time for designated FMUs to review their existing policies, procedures, 
practices, and contracts against the requirements of the final rule and 
to minimize burden on designated FMUs and the markets they serve. 
However, the Board adopted an earlier compliance date for the 
requirement to establish a documented framework for incident 
management, set forth in Sec.  234.3(a)(17)(vi). The Board believes 
that designated FMUs can leverage existing practices for incident 
management and notification and that an earlier compliance date 
balances the need for prompt conformance with Sec.  234.3(a)(17)(vi), 
which the Board considers of critical importance to both the Board and 
designated FMUs' participants and other stakeholders, with the overall 
burden on designated FMUs.

C. Review and Testing

    Section 234.3(a)(17)(i) of Regulation HH requires designated FMUs 
to identify the plausible sources of operational risk, both internal 
and external, and mitigate their impact through the use of appropriate 
systems, policies, procedures, and controls that are reviewed, audited, 
and tested periodically and after major changes. This general review 
and testing requirement applies broadly to the systems, policies, 
procedures, and controls that the designated FMU develops to mitigate 
sources of operational risk. The Board proposed to amend Sec.  
234.3(a)(17)(i) to provide more specificity regarding its expectations 
around testing, review, and remediation. Just as the current general 
review and testing requirement in Sec.  234.3(a)(17)(i) applies broadly 
to a designated FMU's systems, policies, procedures, and controls, the 
proposed amendments would also apply broadly to the systems, policies, 
procedures, and controls developed to mitigate the impact of the 
designated FMU's sources of operational risk.
    Specifically, proposed Sec.  234.3(a)(17)(i)(A) and (B) set forth 
the Board's expectations regarding review and testing. In Sec.  
234.3(a)(17)(i)(A)(1), the Board proposed to require a designated FMU 
to conduct tests of its systems, policies, procedures, and controls in 
accordance with a documented testing framework.\22\ The Board further 
proposed in Sec.  234.3(a)(17)(i)(A)(2) to require that a designated 
FMU's testing assess whether its systems, policies, procedures, or 
controls function as intended.\23\
---------------------------------------------------------------------------

    \22\ The Board explained in the NPRM that the testing framework 
should account for any interdependencies between and among the 
systems, policies, procedures, and controls that are being tested. 
The Board further explained that a designated FMU should take a 
comprehensive and risk-based approach to its operational risk 
management testing program, rather than focusing only on testing 
individual (or groups of) systems, policies, procedures, or controls 
(or components therein). A designated FMU could describe its testing 
framework in either a single document or in multiple documents, as 
appropriate, and could leverage relevant industry standards as it 
develops its testing framework. For example, a designated FMU could 
leverage standards developed by the National Institute of Standards 
and Technology (NIST), the Federal Financial Institutions 
Examination Council (FFIEC), the Financial Services Sector 
Coordinating Council (FSSCC), and the International Organization for 
Standardization (ISO).
    \23\ Such tests could include capacity stress tests, crisis 
management tabletop exercises, after-action reviews of incidents, 
business continuity tests both internally and with participants, 
vulnerability assessments, cyber scenario-based testing, penetration 
tests, and red team tests.
---------------------------------------------------------------------------

    In Sec.  234.3(a)(17)(i)(B), the Board proposed to require a 
designated FMU to conduct a review of the design, implementation, and 
testing of systems, policies, procedures, and controls after the 
designated FMU experienced any material operational incidents (which 
are discussed in section III.C.1 below). The Board also proposed in 
Sec.  234.3(a)(17)(i)(B) to require a designated FMU to review the 
design, implementation, and testing of systems, policies, procedures, 
and controls after significant changes to the environment in which it 
operates.\24\
---------------------------------------------------------------------------

    \24\ The Board also proposed a technical amendment to the 
requirement for the designated FMU to review its recovery and 
orderly wind-down plan under Sec.  234.3(a)(3)(iii)(G) from 
``following'' to ``after'' changes to the designated FMU's systems 
and environment. This conforms with the review requirement under 
proposed Sec.  234.3(a)(17)(i)(B). The Board also proposed a 
technical amendment to the requirement for the designated FMU to 
update its public disclosure under Sec.  234.3(a)(23)(v) from 
``following'' to ``to reflect'' changes to its systems and 
environment. The Board did not receive any comments on these 
technical amendments and is adopting them as proposed.
---------------------------------------------------------------------------

    Finally, the Board proposed in Sec.  234.3(a)(17)(i)(C) to require 
a designated FMU to remediate, as soon as possible and following 
established governance processes, any deficiencies identified during 
tests and reviews.
1. Review and Testing--Section 234.3(a)(17)(i)(A) and (B)
(a) Summary of Comments
    One commenter welcomed the additional clarity provided by the 
proposed amendments to Sec.  234.3(a)(17)(i) generally, and another 
commenter appreciated the proposal's testing and review expectations. 
Two commenters suggested that all of Sec.  234.3(a)(17)(i), including 
paragraphs (a)(17)(i)(A), (B), and (C), be amended to expressly 
contemplate the designated FMU taking a risk-based approach to testing, 
review, and remediation activities.
    Commenters did not suggest other revisions to proposed Sec.  
234.3(a)(17)(i)(A). With respect to the proposed review requirements 
set out in Sec.  234.3(a)(17)(i)(B), two commenters raised a concern 
that the proposed language could be interpreted to require a designated 
FMU to review all of its systems, policies, procedures, and controls 
after a material operational incident or significant change to the 
environment in which the designated FMU operates. These commenters 
suggested clarifying that Sec.  234.3(a)(17)(i)(B) require review of 
only the relevant systems, policies, procedures, and controls affected 
by material operational incidents or significant changes to the 
environment.
    One commenter further suggested that, in the case of significant 
changes to the environment, Sec.  234.3(a)(17)(i)(B) require a review 
only when the change is reasonably likely to create operational risk. 
The commenter noted such an approach would avoid reviews when there are 
changes to the environment that do not reasonably create operational 
risk.
(b) Final Rule
    The Board is adopting proposed Sec.  234.3(a)(17)(i)(A) and (B) 
with certain revisions based on internal analysis and public comments.
    Consistent with the preamble to the proposed rule, the Board has 
clarified in Sec.  234.3(a)(17)(i)(A)(1) that a designated FMU's 
documented testing framework must address at a minimum scope, 
frequency, participation, interdependencies, and reporting. A 
designated FMU may also choose to add further elements to its 
documented testing framework based on its own internal analysis. 
This could include documented governance processes around review and 
testing. Importantly, as described further below, a designated FMU 
would need to remediate deficiencies identified during testing, 
following established governance processes.
    The Board has adopted two amendments to proposed Sec.  
234.3(a)(17)(i)(B). First, the Board has modified the rule text in 
Sec.  234.3(a)(17)(i)(B) to reflect that a designated FMU's review of 
design, implementation, and testing after material operational 
incidents or after changes to the environment in which the designated 
FMU operates applies only to affected and similar systems, policies, 
procedures, and controls. The Board agrees with commenters that a 
designated FMU need not review irrelevant systems, policies, 
procedures, and controls.\25\ The Board would consider relevant 
systems, policies, procedures, and controls to include those affected 
directly by a material operational incident or significant change to 
the environment. In addition, the Board would consider relevant 
systems, policies, procedures, and controls to include those that have 
not been directly affected but that share important features with 
(i.e., are similar to) affected systems, policies, procedures, and 
controls. For example, a similar system could be one that is 
susceptible to the same type of vulnerability that has caused a 
material operational incident in a different system, but which was not 
actually affected in a particular instance.
---------------------------------------------------------------------------

    \25\ See 87 FR 60314, 60317 (Oct. 5, 2022) (proposing that a 
designated FMU conduct a review of the design, implementation, and 
testing of relevant systems, policies, procedures, and controls 
after the designated FMU experiences any material operational 
incidents).
---------------------------------------------------------------------------

    Second, consistent with statements in the preamble to the NPRM and 
in response to comments, the Board has clarified that Sec.  
234.3(a)(17)(i)(B) requires designated FMUs to conduct reviews when a 
change to the environment in which the designated FMU operates could 
significantly affect the plausible sources or mitigants of operational 
risk.\26\ Designated FMUs should exercise care to ensure that they 
effectively identify changes to the environment that have an 
operational risk component, but the review requirement would not be 
triggered by a change that does not relate to operational risk.
---------------------------------------------------------------------------

    \26\ See id. (explaining that the operational risk environment, 
including sources of risk and the nature or types of threats, can 
change unexpectedly and quickly and that the proposal would ensure 
that designated FMUs review and make timely changes to their 
systems, policies, procedures, and controls following such changes).
---------------------------------------------------------------------------

    For the reasons described in section III.A, supra, the Board has 
not expressly referred to a risk-based and proportionate approach in 
the final rule. With respect to testing, Sec.  234.3(a)(17)(i)(A)(1) 
requires a designated FMU's documented testing framework to address, at 
a minimum, scope, frequency, participation, interdependencies, and 
reporting--all of which could be calibrated based on a designated FMU's 
identification, assessment, and prioritization of risks.\27\ With 
respect to review, the Board believes the requirement to conduct 
reviews after certain events is consistent with a risk-based approach. 
Moreover, the two clarifications the Board has made to Sec.  
234.3(a)(17)(i)(B) focus the requirements of that paragraph on the 
review triggers that the Board considers most important for a 
designated FMU's management of operational risk.
---------------------------------------------------------------------------

    \27\ The Board expects that, in developing its documented 
testing framework, a designated FMU would be guided by the 
documented risk-management framework established by the board of 
directors, which must include, among other things, the designated 
FMU's risk-tolerance policy. 12 CFR 234.3(a)(2)(iv)(F).
---------------------------------------------------------------------------

2. Remediation of Identified Deficiencies--Section 234.3(a)(17)(i)(C)
(a) Summary of Comments
    Similar to the comments on the testing and review requirements, two 
commenters suggested that the rule text clarify that a designated FMU 
may take a risk-based approach to the remediation process. One 
commenter specifically recommended that the rule allow a designated FMU 
to remediate or mitigate an identified deficiency in a manner that is 
consistent with the designated FMU's risk appetite. As part of a risk-
based approach, one commenter suggested that a designated FMU should be 
able to accept the risks associated with certain deficiencies so long 
as the risks are within the designated FMU's risk appetite.
    One commenter noted that, while proposed Sec.  234.3(a)(17)(i)(C) 
stated that a designated FMU's remediation of deficiencies in systems, 
policies, procedures, or controls should follow established governance 
processes, it was unclear if the requirement to follow governance 
processes referred solely to the need to validate remediation steps or 
if it was intended to be broader. The commenter suggested that 
governance processes for managing and overseeing remediation should 
include processes for decision making on prioritization of remediation 
approaches in addition to validation. One commenter noted that the 
proposed rule did not address expectations regarding validation of 
remediation steps. The commenter suggested that validation should be 
risk-based and proportionate to the deficiency that is being 
remediated.
(b) Final Rule
    The Board is adopting Sec.  234.3(a)(17)(i)(C) with one 
modification in response to concerns raised by commenters.\28\ In order 
to address concerns that the proposal would have required a designated 
FMU to approach all deficiencies in the same manner, the Board has 
removed the word ``any'' from proposed Sec.  234.3(a)(17)(i)(C).\29\ In 
addition, the Board expects that a designated FMU, in establishing the 
governance processes contemplated by Sec.  234.3(a)(17)(i)(C), would 
take into account the designated FMU's risk-tolerance policy.\30\ In 
that regard, the Board notes that remediation could include both 
actions to eliminate a deficiency or vulnerability and actions to 
reduce the risk associated with a deficiency or vulnerability to an 
acceptable level.\31\ For example, if a designated FMU were to identify 
a deficiency in a system that was slated for replacement in the near 
future, the designated FMU could consider steps to reduce the risk of 
that deficiency pending the implementation of the new system in lieu of 
working to eliminate the deficiency in the old system. When consistent 
with a designated FMU's risk tolerance and otherwise consistent with a 
robust operational risk framework, a designated FMU could determine and 
document its decision to accept the risk of a deficiency.
---------------------------------------------------------------------------

    \28\ For the reasons described in section III.A, supra, the 
Board has not expressly referred to a risk-based and proportionate 
approach in the final rule.
    \29\ As noted above, proposed Sec.  234.3(a)(17)(i)(C) would 
have required a designated FMU to remediate, as soon as possible and 
following established governance processes, any deficiencies 
identified during tests and reviews.
    \30\ A designated FMU must have governance arrangements that, 
among other things, are designed to ensure that the board of 
directors establishes a clear, documented risk-management framework 
that includes the designated FMU's risk-tolerance policy, assigns 
responsibilities and accountability for risk decisions, and 
addresses decision making in crises and emergencies. 12 CFR 
234.3(a)(2)(iv)(F).
    \31\ The Board understands that the terms ``remediation'' and 
``mitigation'' are sometimes used in different ways in the 
information technology and security field. The Board's use of 
``remediation'' and ``mitigation'' is consistent with NIST's 
definitions of the terms. NIST defines ``remediation'' as ``the act 
of mitigating a vulnerability or a threat,'' and ``mitigation'' as 
``a decision, action, or practice intended to reduce the level of 
risk associated with one or more threat events, threat scenarios, or 
vulnerabilities.'' These definitions can be found at https://csrc.nist.gov/glossary/term/remediation and https://csrc.nist.gov/glossary/term/mitigation, respectively.
---------------------------------------------------------------------------

    The Board expects that a designated FMU will conduct an internal 
risk analysis of all deficiencies identified in review and testing, as 
required in Sec.  234.3(a)(17)(i)(A) and (B), and use established 
governance processes to determine how to address and prioritize 
identified deficiencies in order to reduce the level of risk posed by 
those deficiencies.\32\ The decisions a designated FMU makes may depend 
upon the facts and circumstances.\33\
---------------------------------------------------------------------------

    \32\ As noted above, a designated FMU's documented testing 
framework could address governance processes for remediation.
    \33\ A designated FMU should consult widely used and relevant 
industry standards to inform its understanding of how it should 
remediate deficiencies. These industry standards, such as those 
published by NIST, FFIEC, FSSCC, and ISO, are updated regularly and 
typically offer current and specific information on operational risk 
management practices.
---------------------------------------------------------------------------

    Finally, commenters noted that proposed Sec.  234.3(a)(17)(i)(C) 
did not specifically address validation but that the NPRM stated that 
it would be imperative for a designated FMU to perform subsequent 
validation to assess whether the remediation measures have addressed 
deficiencies without introducing vulnerabilities. The Board continues 
to believe that designated FMUs should assess the effectiveness and 
broader impact of any changes they make to remediate a deficiency.\34\ 
The Board acknowledges that the validation performed may depend on the 
nature of both the deficiency and any changes made to remediate the 
deficiency. As with remediation, the Board believes that a designated 
FMU, in its governance processes, could address validation in a risk-
based manner.
---------------------------------------------------------------------------

    \34\ In the event a designated FMU accepts the risk of a 
deficiency, there may be no change to validate.
---------------------------------------------------------------------------

D. Incident Management and Notification

    The Board proposed in Sec.  234.3(a)(17)(vi) to require a 
designated FMU to establish a documented framework for incident 
management that provides for the prompt detection, analysis, and 
escalation of an incident; appropriate procedures for addressing an 
incident; and incorporation of lessons learned following an 
incident.\35\
---------------------------------------------------------------------------

    \35\ These broad categories in incident management are generally 
consistent with those identified in the NIST computer-security 
incident handling guide. See NIST, Computer Security Incident 
Handling Guide (Special Publication 800-61, rev. 2), https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf.
---------------------------------------------------------------------------

    Specifically, in Sec.  234.3(a)(17)(vi) the Board proposed to 
require that a designated FMU's incident management framework include a 
plan for notification and communication of material operational 
incidents. This plan, among other things, would need to identify the 
entities that would be notified of operational incidents, including 
non-participants that could be affected by material operational 
incidents at the designated FMU. Relevant entities may also include 
appropriate industry information-sharing fora, such as groups that are 
designed to share information about cyber threats or support cyber risk 
management.
    In Sec.  234.3(a)(17)(vi)(A), the Board proposed to require a 
designated FMU to notify the Board immediately when it activated its 
business continuity plan or had a reasonable basis to conclude that (1) 
there was an actual or likely disruption, or material degradation, to 
any of its critical operations or services,\36\ or to its ability to 
fulfill its obligations on time; or (2) there was unauthorized entry, 
or the potential for unauthorized entry, into the designated FMU's 
computer, network, electronic, technical, automated, or similar systems 
that affects or has the potential to affect its critical operations or 
services.
---------------------------------------------------------------------------

    \36\ Critical operations and critical services are discussed 
below in section III.G.2.
---------------------------------------------------------------------------

    In Sec.  234.3(a)(17)(vi)(B), the Board proposed to require a 
designated FMU to establish criteria and processes, including the 
appropriate methods of communication, to provide for timely 
communication and responsible disclosure of material operational 
incidents to its participants or other relevant entities that have been 
identified in its notification and communication plan. As proposed, 
this incident notification requirement would arise in two 
circumstances. First, under proposed Sec.  234.3(a)(17)(vi)(B)(1), a 
designated FMU would need to notify affected participants immediately 
in the event of actual disruptions or material degradation to its 
critical operations or services or to its ability to fulfill its 
obligations on time. Second, under proposed Sec.  
234.3(a)(17)(vi)(B)(2), a designated FMU would need to notify all 
participants and other relevant entities in a timely and responsible 
manner of all other material operational incidents that require 
immediate notification to the Board.\37\
---------------------------------------------------------------------------

    \37\ As noted in the NPRM, a designated FMU would need to 
identify non-participant relevant entities in its plan for 
notification and communication of material operational incidents.
---------------------------------------------------------------------------

1. Documented Incident Management Framework--Section 234.3(a)(17)(vi)
(a) Summary of Comments
    One commenter broadly supported the proposal and viewed incident 
management and notification as the most important part of the Board's 
proposed amendments to Regulation HH. Two commenters did not object in 
concept to the requirement for a documented framework for incident 
management but expressed concerns with specific aspects of the proposed 
requirement to have a plan for notification and communication of 
material operational incidents. These concerns are discussed in 
sections III.D.2 and III.D.3, infra.
(b) Final Rule
    The Board is adopting the introductory portion of Sec.  
234.3(a)(17)(vi) as proposed and, as discussed below, has adopted Sec.  
234.3(a)(17)(vi)(A) and (B) with certain modifications. In line with 
the all-hazards approach to operational risk management in this 
standard, the Board reiterates its belief that it is important for a 
designated FMU to be prepared to detect, address, and learn from any 
type of operational incident, regardless of the scenario or source of 
risk and the level of severity. Different types of incidents may 
require different levels of escalation internally or externally, and 
may require different strategies for containment or eradication. For 
example, given the increasing prevalence of cyberattacks in the 
financial sector, a designated FMU should plan for an incident where a 
participant (or another type of connected entity), rather than the 
designated FMU itself, is experiencing a cyberattack. In this scenario, 
a designated FMU should be operationally prepared to take, and should 
have a legal basis to take, 
appropriate steps to mitigate the risk of contagion to itself or other 
participants, including, but not limited to, restricting or limiting a 
participant's access to the designated FMU or a particular 
functionality or disconnecting the participant from the FMU if 
necessary. Relatedly and as further discussed in section III.E.3, a 
designated FMU should also have processes and procedures to determine 
whether and when it would be appropriate to reestablish availability to 
such a participant.
2. Incident Notification to the Board--Section 234.3(a)(17)(vi)(A)
(a) Summary of Comments
    Two commenters expressed concerns regarding the circumstances that 
would trigger a notice requirement to the Board. One commenter noted 
that proposed Sec.  234.3(a)(17)(vi)(A) would require a designated FMU 
to notify the Board any time the designated FMU activated its business 
continuity plan. This commenter highlighted that activation of the 
business continuity plan may not involve an actual disruption to the 
designated FMU's critical operations or services and that the proposal 
could result in unnecessary notifications. Two commenters indicated 
concern with the words ``likely'' in proposed Sec.  
234.3(a)(17)(vi)(A)(1) and ``potential'' in proposed Sec.  
234.3(a)(17)(vi)(A)(2). The concerns raised include providing 
notifications where it was unnecessary, the potential for false alarms 
or misimpressions regarding a designated FMU's reliability, and 
desensitization of supervisors and participants due to excessive 
notification regarding insignificant events, with one commenter 
suggesting notices be limited to actual incidents. One commenter also 
noted that the ``likely'' and ``potential'' standards were different 
from other incident notification requirements such as under the Cyber 
Incident Reporting for Critical Infrastructure Act (CIRCIA) and 
suggested harmonizing the proposed notification requirements with other 
laws and regulations.
    These commenters suggested a number of specific revisions to the 
proposal. One suggested limiting notification to the Board to actual 
disruptions or material degradations. Another suggested limiting 
notifications of an unauthorized entry, or the potential for 
unauthorized entry, to situations which could result in a serious 
detriment to participants or other relevant entities, and more 
generally suggested granting more discretion for a designated FMU to 
determine appropriate circumstances for notice based on the probability 
and severity of an event.
    One commenter supported the requirement to provide ``immediate'' 
notification to the Board and affected parties. Two commenters 
requested clarification of the term ``immediately'' as used regarding 
notification of material operational incidents in proposed Sec.  
234.3(a)(17)(vi)(A) and (a)(17)(vi)(B)(1). These commenters requested 
that the explanation provided in the NPRM, which distinguished 
``immediately'' from ``instantaneous,'' be directly incorporated into 
the text of Regulation HH. One commenter suggested that such a revision 
would provide greater clarity to participants and other relevant 
entities.
    Finally, two commenters responded to a question in the NPRM 
regarding the process by which a designated FMU should provide notice 
to the Board. These commenters suggested that notices be provided to 
the team responsible for ongoing supervision of the designated FMU. One 
of the commenters noted that a designated FMU's supervisory team would 
likely continue to expect notice regardless of whether a designated FMU 
was required to notify a central point of contact. One of the 
commenters also suggested that the Board specify contacts and provide a 
method for delivering notices outside of business hours.
(b) Final Rule
    The Board is adopting Sec.  234.3(a)(17)(vi)(A) as proposed, with 
two revisions that respond to comments received. First, as proposed, 
Sec.  234.3(a)(17)(vi)(A)(2) would have required notice to the Board of 
an unauthorized entry, or a potential for unauthorized entry, into a 
designated FMU's computer, network, electronic, technical, automated, 
or other systems that affect or have the potential to affect its 
critical operations or services. In light of concerns regarding 
unnecessary notices, the Board believes it is appropriate to clarify 
what constitutes the ``potential'' for unauthorized entry. The Board 
has amended Sec.  234.3(a)(17)(vi)(A)(2) to refer instead to an 
unauthorized entry or a vulnerability that could allow unauthorized 
entry. The Board believes that it is important to receive notice from a 
designated FMU if the designated FMU has a reasonable basis to conclude 
that there exists a vulnerability (such as a zero-day vulnerability) 
that may be, but has not yet been, exploited.\38\
---------------------------------------------------------------------------

    \38\ ``Zero-day'' vulnerabilities are those for which patches 
are not yet available. See, e.g., Board of Governors of the Federal 
Reserve System, Cybersecurity and Financial System Resilience 
Report, at 23 (Aug. 2023), available at https://www.federalreserve.gov/publications/files/cybersecurity-report-202308.pdf.
---------------------------------------------------------------------------

    Second, the Board has clarified that a designated FMU must notify 
the Board of incidents ``in accordance with the process established by 
the Board.'' The Board will provide actual notice of this process to 
affected designated FMUs.
    Other than with respect to these revisions, the Board has adopted 
Sec.  234.3(a)(17)(vi)(A) as proposed. Given the large volume and value 
of payment, clearing, and settlement activity processed by designated 
FMUs and their interconnectedness with financial institutions and 
markets, material operational issues occurring at designated FMUs could 
have financial stability implications. Therefore, the Board continues 
to believe that it is critical for the Board to be notified immediately 
of these types of issues.\39\ The Board notes that ``immediately'' as 
used in Sec.  234.3(a)(17)(vi)(A) is meant to convey the urgency in 
notifying the Board of these material operational incidents. 
``Immediate'' does not mean ``instantaneous,'' and as such the Board 
does not believe clarification expressly stating this is necessary. The 
Board would expect to be notified of an operational incident once the 
designated FMU activates its business continuity plan or has a 
reasonable basis to conclude that an incident meets any of the criteria 
in Sec.  234.3(a)(17)(vi)(A), even if the designated FMU does not yet 
have detailed information on the root cause or measures for containment 
or remediation. In these cases, the Board would expect to receive any 
available information that the designated FMU has at the time of 
notification.
---------------------------------------------------------------------------

    \39\ The Board recognizes that ``immediately'' poses a 
heightened requirement for notification by designated FMUs relative 
to banking organizations subject to the interagency rule. This 
heightened requirement is consistent with the systemic importance of 
designated FMUs and in line with expectations for designated FMUs 
for which the SEC is the Supervisory Agency. SEC Regulation SCI 
provides for immediate notification to the SEC upon any 
``responsible SCI personnel'' having a reasonable basis to conclude 
that an ``SCI event'' has occurred. See 17 CFR 242.1002(b)(1).
---------------------------------------------------------------------------

    Except as described above, the Board continues to believe that 
notification is appropriate when a designated FMU has a reasonable 
basis to conclude that there is (1) an actual or likely disruption or 
material degradation to any critical operations or services, or to its 
ability to fulfill its obligations on time or (2) an unauthorized 
entry, or a vulnerability that could allow unauthorized entry, into the 
designated FMU's computer, network, electronic, technical, automated, 
or similar systems that 
affects or has the potential to affect its critical operations or 
services. The Board appreciates commenters' interest in harmonizing 
notice requirements. However, the Board notes that the interagency 
notification rule applies to banking organizations and bank service 
providers broadly, whereas Regulation HH applies to FMUs that have been 
designated as systemically important by the FSOC. The Board 
acknowledges that CIRCIA provides for after-the-fact reporting of 
incidents. The Board believes receiving notices of actual and likely 
incidents as soon as the designated FMU is aware of them is appropriate 
given the Board's supervisory role and the systemic importance of 
designated FMUs.
    For the same reasons, the Board does not believe it is appropriate 
to limit notice to the Board with respect to unauthorized entries, or 
vulnerabilities that could allow unauthorized entry, to situations that 
could result in a serious detriment to participants or other relevant 
entities or to afford designated FMUs discretion to determine 
appropriate circumstances for notice based on the probability and 
severity of an event.
    Similarly, the Board understands that activation of a business 
continuity plan does not mean an actual incident must have occurred. 
Activation does mean, however, that the probability of an event 
occurring that could adversely impact the designated FMU's continued 
operations was high enough to meet the threshold for the designated FMU 
to trigger its business continuity plan.\40\ Accordingly, the Board 
believes a designated FMU should notify the Board when it activates its 
business continuity plan.
---------------------------------------------------------------------------

    \40\ For example, if a designated FMU activates its business 
continuity plan in anticipation of an extreme weather event, the 
Board would expect to be notified. The Board should be made aware if 
the designated FMU anticipates non-business-as-usual actions or 
operations.
---------------------------------------------------------------------------

3. Incident Notification to Participants and Other Relevant Entities--
Section 234.3(a)(17)(vi)(B)
(a) Summary of Comments
    As noted above with respect to notices required to be made to the 
Board, one commenter noted it was judicious and sensible to require 
designated FMUs to immediately notify affected participants of material 
operational incidents. Two commenters requested clarification of the 
term ``immediately'' as used regarding notification of material 
operational incidents in proposed Sec.  234.3(a)(17)(vi)(B)(1). One 
commenter suggested revising the proposed notification requirement in 
Sec.  234.3(a)(17)(vi)(B)(1), for the same reasons outlined in their 
comments for proposed Sec.  234.3(a)(17)(vi)(A)(1), by limiting it to 
actual disruptions or material degradations to a designated FMU's 
critical operations or services, or to the designated FMU's ability to 
fulfill its settlement obligations on time, that could result in a 
serious detriment to participants or other relevant entities. The 
commenter suggested that the addition of the italicized language would 
permit the designated FMU to comply with the regulatory requirements 
while liaising with supervisors to ensure the notification provided to 
participants and other entities meets supervisory expectations.
    One commenter expressed concern that the requirements under 
proposed Sec.  234.3(a)(17)(vi)(B)(2) could result in false alarms to 
third parties, give an impression of unreliability, or desensitize 
parties to notifications. The commenter proposed that Sec.  
234.3(a)(17)(vi)(B)(2) be amended to only require notification for 
actual incidents or actual unauthorized entries.
(b) Final Rule
    The Board is adopting proposed Sec.  234.3(a)(17)(vi)(B) with 
certain revisions to clarify the circumstances in which the Board 
expects a designated FMU to provide notice of material operational 
incidents to participants (including unaffected participants) and other 
relevant entities, consistent with the concept of ``responsible 
disclosure,'' and to respond to commenters' concerns that disclosure 
under proposed Sec.  234.3(a)(17)(vi)(B) could result in false alarms 
to third parties, give an impression of unreliability, or desensitize 
parties to notifications.
    With respect to Sec.  234.3(a)(17)(vi)(B)(2), the Board believes 
there are scenarios where all participants and identified relevant 
entities should be informed of likely disruptions or vulnerabilities 
that could allow for unauthorized entry into the designated FMU's 
computer, network, electronic, technical, automated, or similar 
systems, even where no incident or unauthorized access happens. The 
Board recognizes, though, that notification of certain likely incidents 
or vulnerabilities may not be required. Under the final rule, a 
designated FMU should establish criteria and processes for timely 
communication and responsible disclosure that guide whether and when it 
is appropriate to notify entities of a particular incident in a 
responsible manner. For example, consistent with the concept of 
responsible disclosure, the Board recognizes that there might be risks 
to providing early disclosures under Sec.  234.3(a)(17)(vi)(B)(2) to a 
broad audience regarding certain types of material operational issues. 
The Board would expect a designated FMU, in practicing responsible 
disclosure, to account for both the benefit of the information to be 
provided in a notification and the potential risk of disclosing that 
information. For example, if a designated FMU identifies a cyber 
vulnerability, the designated FMU might weigh the risk of disclosure as 
sufficiently great to delay notification under Sec.  
234.3(a)(17)(vi)(B)(2) or tailor the information provided under Sec.  
234.3(a)(17)(vi)(B)(1) or (2) to avoid exposing the designated FMU to a 
cyberattack. The Board also recognizes the risks of over-notification 
and of reporting false alarms to a broad audience. Notice under Sec.  
234.3(a)(17)(vi)(B)(2) of incidents that are resolved without 
disruption may provide little benefit to participants or identified 
relevant entities. In addition, a designated FMU that provides 
notification to the Board under the ``reasonable basis'' standard set 
forth in Sec.  234.3(a)(17)(vi)(A) may subsequently determine there to 
have been a false alarm. Under such circumstances, a designated FMU 
could determine that broad disclosure under Sec.  
234.3(a)(17)(vi)(B)(2) is not appropriate. Consistent with concerns 
raised by one commenter, a designated FMU could incorporate 
consultation with its supervisors in the development of criteria and 
processes with respect to novel or complex incidents.
    The Board would expect a designated FMU, when designing its 
communication plan, to consider the timing, content, recipients, and 
method of notification for a range of potential material operational 
incidents. In determining the scope of disclosure for a particular 
incident, the Board would expect a designated FMU to consider factors 
such as the risk-mitigation benefits arising from early warning to the 
financial system, the safety and soundness of the designated FMU, and 
any financial stability implications of disclosure.
4. Examples of Material Operational Incidents
    The following is a non-exhaustive list of operational incidents 
that the Board would consider to be material for purposes of the final 
rule.\41\ The Board
would expect examples 1-3 to trigger immediate notifications to the 
Board and to the designated FMU's affected participants (and 
notification in a timely manner to unaffected participants and other 
relevant entities identified in the designated FMU's plan for 
notification and communication of material operational incidents, as 
applicable).
---------------------------------------------------------------------------

    \41\ The NPRM included a list of examples. The Board did not 
receive any specific comments on the examples. The Board has 
expanded on that list to provide further clarity.
---------------------------------------------------------------------------

    (1) A failed system upgrade or change results in widespread user 
outages for participants and designated FMU employees.
    (2) Large-scale distributed denial of service attacks that prevent 
the designated FMU from receiving its participants' payment 
instructions.
    (3) A severe weather event or other natural disaster that causes 
significant damage to a designated FMU's production site and disrupts 
core payment, clearing, or settlement processes, necessitating failover 
to another site during the business day.
    The Board would expect examples 4-7 to trigger immediate 
notification to the Board, but a designated FMU would determine when 
and whether to notify participants and other relevant entities based on 
the criteria in its notification and communication plan.
    (4) A severe weather event or other natural disaster that causes 
significant damage to a designated FMU's production site and 
necessitates failover to another site during the business day, but the 
designated FMU's core payment, clearing, or settlement processes remain 
available to participants.
    (5) Malware on a designated FMU's network that poses an imminent 
threat to its critical operations or services (such as its core 
payment, clearing, or settlement processes, or collateral management 
processes), or that may require the designated FMU to disengage any 
compromised products or information systems that support the designated 
FMU's critical operations and services from internet-based network 
connections.
    (6) A ransom malware attack that encrypts a critical system or 
backup data.
    (7) A zero-day vulnerability on software that the designated FMU 
uses and has determined, if exploited, could lead to a disruption to or 
material degradation of its critical operations or services.

E. Business Continuity Management and Planning

    Section 234.3(a)(17)(vi) of the current rule (under the proposal, 
renumbered as Sec.  234.3(a)(17)(vii)) requires that a designated FMU 
have business continuity management that provides for rapid recovery 
and timely resumption of its critical operations and fulfillment of its 
obligations, including in the event of a wide-scale or major 
disruption.\42\ Section 234.3(a)(17)(vii) of the current rule (under 
the proposal, renumbered Sec.  234.3(a)(17)(viii)) elaborates on 
certain requirements for a designated FMU's business continuity plan. 
The Board proposed to amend current Sec.  234.3(a)(17)(vii) to provide 
further detail in Regulation HH related to business continuity 
management and planning in order to promote robust risk management, 
reduce systemic risks, increase safety and soundness, and support the 
stability of the broader financial system.
---------------------------------------------------------------------------

    \42\ The Board proposed a technical revision to that section, as 
described in section III.G.2, infra.
---------------------------------------------------------------------------

    Specifically, the Board proposed to amend current Sec.  
234.3(a)(17)(vii)(A) to update terminology related to required backup 
sites. The Board proposed to replace the references to a ``secondary 
site'' and ``primary site'' with a general reference to ``two sites 
providing for sufficient redundancy supporting critical operations and 
services'' that are located at a sufficient geographical distance from 
``each other'' to have a distinct risk profile (collectively, ``two 
sites with distinct risk profiles'').
    The Board did not propose substantive amendments to the 
requirements under current Sec.  234.3(a)(17)(vii)(B) and (C) 
(renumbered as Sec.  234.3(a)(17)(viii)(B) and (C)), which require a 
designated FMU's business continuity plan to be designed to enable 
recovery and resumption no later than two hours following disruptive 
events and completion of settlement by the end of the day of the 
disruption, even in case of extreme circumstances. The Board proposed a 
technical amendment to Sec.  234.3(a)(17)(vii)(B) to clarify that the 
two-hour recovery time objective applies to critical operations and 
services.\43\
---------------------------------------------------------------------------

    \43\ See section III.G.2, infra.
---------------------------------------------------------------------------

    In Sec.  234.3(a)(17)(viii)(D), the Board proposed to require that 
a designated FMU's business continuity plan set out criteria and 
processes that address the reconnection of a designated FMU to its 
participants and other entities following a disruption to the 
designated FMU's critical operations or services.
    The Board proposed to separate current Sec.  234.3(a)(17)(vii)(D) 
of Regulation HH, which requires the business continuity plan to be 
``tested at least annually,'' into two requirements (renumbered as 
Sec.  234.3(a)(17)(viii)(E) and (F)). In Sec.  234.3(a)(17)(viii)(E), 
the Board proposed to maintain the requirement for at least annual 
testing and clarify that this requirement covers the designated FMU's 
business continuity arrangements, including the people, processes, and 
technologies of the two sites with distinct risk profiles.\44\ The 
Board proposed to require a designated FMU's testing to demonstrate 
that the designated FMU is able to run live production at the two sites 
with distinct risk profiles; that its solutions for data recovery and 
data reconciliation enable it to meet its objectives to recover and 
resume operations two hours following a disruption and enable 
settlement by the end of the day of the disruption even in case of 
extreme circumstances, including if there is data loss or corruption; 
and that it has geographically dispersed staff who can effectively run 
the operations and manage the business of the designated FMU.
---------------------------------------------------------------------------

    \44\ These tests would be subject to the general testing 
requirements described in section III.C.1 above.
---------------------------------------------------------------------------

    In Sec.  234.3(a)(17)(viii)(F), the Board proposed to require a 
designated FMU to review its business continuity plans, pursuant to the 
general review requirements described in section III.C.1 above, at 
least annually, to: (1) incorporate lessons learned from actual and 
averted disruptions, and (2) update the scenarios considered and 
assumptions built into the plan in order to ensure responsiveness to 
the evolving risk environment and incorporate new and evolving sources 
of operational risk (e.g., extreme cyber events).
1. Two Sites Providing for Sufficient Redundancy--Section 
234.3(a)(17)(viii)(A)
(a) Summary of Comments
    The Board received no comments on proposed Sec.  
234.3(a)(17)(viii)(A).
(b) Final Rule
    The Board is adopting Sec.  234.3(a)(17)(viii)(A) as proposed. This 
amendment accommodates data center arrangements with multiple 
production sites, rather than reflecting only the traditional 
arrangement where one site is considered ``primary'' and another site 
is treated distinctly as a backup site. A designated FMU will still be 
required, however, to maintain a minimum of two locations that are 
sufficiently geographically distant from each other to have distinct 
risk profiles. Consistent with the Board's explanation when it adopted 
the current text of Regulation HH in 2014, the Board noted in the
NPRM that it would consider sites to have ``distinct risk profiles'' 
if, for example, they are not located in areas that would be 
susceptible to the same severe weather event (e.g., the same hurricane 
zone) or on the same earthquake fault line. These sites would likely 
also have distinct power and telecommunications providers and be 
operated by geographically dispersed staff.
2. Recovery and Resumption--Section 234.3(a)(17)(viii)(B) and (C)
(a) Summary of Comments
    Two commenters suggested that the Board incorporate into the text 
of Regulation HH the Board's statement in the NPRM that the recovery 
time objectives set forth in Sec.  234.3(a)(17)(vii)(B) and (C) 
(renumbered as Sec.  234.3(a)(17)(viii)(B) and (C)) should not be 
interpreted as a requirement for a designated FMU to resume operations 
in a compromised or otherwise untrusted state.\45\ One of these 
commenters expressed the concern that, absent clarification of the text 
of Regulation HH, a designated FMU could be required under Regulation 
HH to resume critical operations in an untrusted state in order to 
comply with the recovery time objectives.
---------------------------------------------------------------------------

    \45\ See 87 FR 60314, 60320 (Oct. 5, 2022).
---------------------------------------------------------------------------

(b) Final Rule
    The Board is adopting this section as proposed, without substantive 
change from the previous version of the rule. Regulation HH requires a 
designated FMU to have a business continuity plan that is designed to 
enable the designated FMU to meet these objectives. The Board 
reiterates that the recovery time objectives should not be interpreted 
as a requirement for a designated FMU to resume operations in a 
compromised or otherwise untrusted state.
    Since the Board established these requirements in Regulation HH, 
the two-hour recovery time objective has been a particular area of 
focus during bilateral discussions with Board-supervised designated 
FMUs, as well as in broader domestic and international fora, 
specifically in the context of extreme cyber events. At the center of 
those discussions is the balance between (i) timely recovery and 
resumption of critical operations and (ii) appropriate assurance that 
critical operations are restored to a trusted state. The Board 
continues to believe it is imperative to financial stability that a 
designated FMU be able to recover and resume its critical operations 
and services quickly after disruptive events, both physical and cyber, 
and to complete settlement by the end of the day of the disruption. In 
related discussions with Board-supervised designated FMUs, and 
supported by provisions in the CPMI-IOSCO Cyber Guidance, Board staff 
has emphasized that recovery time objectives are necessary and critical 
targets around which plans, systems, and processes should be 
designed.\46\ However, these recovery time objectives should not be 
interpreted as a requirement for a designated FMU to resume operations 
in a compromised or otherwise untrusted state.
---------------------------------------------------------------------------

    \46\ For example, paragraph 6.2.2 of the Cyber Guidance notes 
that the objectives for resuming operations set goals for, 
ultimately, the sound functioning of the financial system, which 
should be planned for and tested against. It further notes the 
criticality of the recovery and resumption objectives under 
Principle 17, Key Consideration 6 of the PFMI, while also 
acknowledging that financial market infrastructures should exercise 
judgment in effecting resumption so that risks to themselves or their 
ecosystems do not thereby escalate. For additional details, see CPMI-
IOSCO, Guidance on Cyber Resilience for Financial Market 
Infrastructures (June 2016) at section 6, https://www.bis.org/cpmi/publ/d146.htm (``Response and Recovery'').
---------------------------------------------------------------------------

    Threats to designated FMUs' operations continue to evolve, and the 
Board expects that a designated FMU will update on an ongoing basis the 
scenarios in its plan to reflect evolving threats. The Board also 
expects that a designated FMU will seek and implement solutions that 
are designed to enable it to meet its recovery and resumption 
objectives. For many types of disruptive scenarios, technologies and 
methods already exist to enable a designated FMU to recover and resume 
operations within two hours of the disruption. For example, if an 
earthquake damages a designated FMU's infrastructure and disrupts 
operations at one data center, the designated FMU may continue to 
operate from or fail over to another location that is outside the 
earthquake radius.
    The Board recognizes, however, that certain threats to designated 
FMUs' operations, as well as the technology to mitigate those threats, 
are continually evolving. In areas where threats and technology are 
still evolving, as is the case for extreme cyberattacks (e.g., where 
significant data loss or corruption occurs across a designated FMU's 
data centers), the Board recognizes that a designated FMU will need to take 
a holistic approach that integrates protective, detective, and 
containment measures with response, recovery, and resumption solutions. 
The Board continues to expect that a designated FMU's business 
continuity planning will be a dynamic process in which the designated 
FMU works on an ongoing basis to update its plan to recover and resume 
operations in light of these evolving threats. Federal Reserve 
supervisors will also continue to work with designated FMUs through the 
supervisory process as designated FMUs identify reasonable approaches 
to prepare for and recover from such attacks. As development of 
adequate solutions for extreme cyberattacks continues, designated FMUs 
should also plan for contingency scenarios in which planned recovery 
and resumption objectives cannot be achieved. Planning for such 
scenarios would be in accordance with national policies aimed at 
improving the cybersecurity posture of U.S. critical 
infrastructures.\47\
---------------------------------------------------------------------------

    \47\ See, e.g., Presidential Policy Directive/PPD-21, Critical 
Infrastructure Security and Resilience (Feb. 12, 2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
---------------------------------------------------------------------------

3. Reestablishment of Availability After a Disruption to the Designated 
FMU's Critical Operations or Services--Section 234.3(a)(17)(viii)(D)
(a) Summary of Comments
    One commenter expressed support for the proposal's requirement that 
a designated FMU have plans in place regarding reconnection to its 
participants following a cybersecurity disruption. Another commenter 
indicated that the criteria and processes for reconnection should be 
risk-based to account for the fact that a reconnection process may not 
be necessary for all disruptions or that aspects of such a process may 
not be needed in all cases. Another commenter suggested removing the 
term ``reconnection'' because not all disruptions result in a 
disconnection, thus a reconnection may not be required. This commenter 
suggested revising proposed Sec.  234.3(a)(17)(viii)(D) to use the 
phrase ``resumption of access'' rather than ``reconnection,'' and to 
specify that resumption of access to the designated FMU includes 
resumption of access to relevant functionalities. The commenter noted 
that, in a cyberattack scenario, in addition to disconnection, risk 
mitigants might include limiting or restricting a participant's access 
to the designated FMU or a particular functionality.
(b) Final Rule
    The Board has amended the text of proposed Sec.  
234.3(a)(17)(viii)(D) to require a designated FMU's business continuity 
plan to set out criteria and processes by which the designated 
financial market utility will ``reestablish availability'' for 
``affected'' participants and other entities following a disruption to 
the designated FMU's critical
operations or services.\48\ In the NPRM, the Board noted that it would 
consider a disruption to a designated FMU's critical operations or 
services broadly as a form of ``disconnection'' to external parties. 
However, some disruptions may not, as a technical matter, result in a 
designated FMU severing a participant's or other entity's connection to 
the designated FMU.
---------------------------------------------------------------------------

    \48\ The NIST definitions of ``availability'' and ``disruption'' 
are consistent with the final rule. The NIST glossary, which can be 
found at https://csrc.nist.gov/glossary, defines ``availability'' as 
``timely, reliable access to data and information services for 
authorized users'' and ``disruption'' as ``an unplanned event that 
causes an information system to be inoperable for a length of time 
(e.g., minor or extended power outage, extended unavailable network, 
or equipment or facility damage or destruction).''
---------------------------------------------------------------------------

    The Board believes that the term ``reestablish availability'' 
better captures the Board's expectations for designated FMUs. Proposed 
Sec.  234.3(a)(17)(viii)(D) was intended to emphasize the importance of 
ex ante criteria and processes addressing when and how a designated FMU 
will make itself available to participants and other entities after a 
disruption causes the designated FMU's critical operations or services 
to become unavailable--regardless of whether there is a technical 
disconnection. This would include situations, as noted in the NPRM, in 
which a designated FMU deliberately takes itself offline such that 
participants cannot access its services (e.g., if it experiences a 
major cyberattack that it needs to contain); it would also include 
situations where a designated FMU becomes unavailable due to another 
type of external event (e.g., if its production site loses power due to 
a severe weather event in its region). In such situations, there may be 
a gap in availability, but not a disconnection by the designated FMU of 
participants or other entities from its services. The Board has also 
clarified that a designated FMU's criteria and processes should address 
resumption of availability to ``affected'' participants and other 
entities.
    For the reasons discussed in section III.A, supra, the Board has 
not referred to a risk-based and proportionate approach in the final 
rule. Nevertheless, the Board recognizes that the way in which a 
designated FMU applies its criteria and processes for reestablishing 
availability may differ from one type of disruption to another. Some 
disruptions may be more straightforward and pose little risk to 
participants or other entities, while others may present greater risk 
of contagion. Given the current threat landscape and the ability of 
malware to spread, the Board believes it is crucial for a designated 
FMU to balance the need to quickly recover and resume its critical 
operations against the risk of contagion to its ecosystem should it 
resume operations in a compromised or otherwise untrusted state. For 
cyber incidents, it is particularly important for a designated FMU to 
be prepared to assure its participants, other connected entities, and 
regulator(s) that it has achieved an uncompromised and trusted 
state.\49\ A designated FMU should consider establishing a phased 
approach to reestablishing availability, transaction testing with 
selected participants, and heightened monitoring for an appropriate 
period of time after reestablishing availability.
---------------------------------------------------------------------------

    \49\ A designated FMU might consider leveraging third-party 
experts to verify its remediation efforts.
---------------------------------------------------------------------------

4. Business Continuity Testing and Review--Section 
234.3(a)(17)(viii)(E) and (F)
(a) Summary of Comments
    Two commenters noted that there may be circumstances in which 
recovery within two hours following disruptive events is not currently 
possible. One commenter expressed concern specifically with respect to 
Sec.  234.3(a)(17)(viii)(E)(2), which proposed to require a designated 
FMU to demonstrate that its solutions for data recovery and 
reconciliation would enable it to meet its recovery and resumption 
objectives, even in case of extreme circumstances, including in the 
event of data loss or data corruption. That commenter encouraged the 
Board to amend proposed Sec.  234.3(a)(17)(viii)(E)(2) to recognize the 
ever-evolving nature of cyber threats and solutions to address them. 
Specifically, the commenter recommended that Sec.  
234.3(a)(17)(viii)(E)(2) be amended to require a designated FMU, in 
consultation with its supervisors, to identify reasonable approaches to 
prepare for and recover from extreme cyberattacks.
    The Board did not receive comments on the proposed requirements for 
business continuity testing and review in Sec.  
234.3(a)(17)(viii)(E)(1) or (3) or (a)(17)(viii)(F).
(b) Final Rule
    The Board recognizes the ever-evolving nature of cyber threats and 
acknowledges that there are certain cyber scenarios which may result in 
extreme data loss or data corruption for which the designated FMU may 
not be able to demonstrate that its solutions for data recovery and 
data reconciliation enable it to meet the recovery and resumption 
objectives under Sec.  234.3(a)(17)(viii)(B) and (C). The Board has 
therefore amended the final rule text in Sec.  
234.3(a)(17)(viii)(E)(2), and made conforming edits in Sec.  
234.3(a)(17)(viii)(E)(1) and (3), to clarify that a designated FMU's 
testing should assess the capability of its systems and the 
effectiveness of its procedures for data recovery and data 
reconciliation to meet the recovery and resumption objectives under 
Sec.  234.3(a)(17)(viii)(B) and (C), even in case of extreme 
circumstances, including in the event of data loss or data corruption.
    Designated FMUs should continue to plan for and test extreme 
scenarios from which they may need to recover, including wide-scale and 
major disruptions. Scenario testing should include functional testing 
of the designated FMU's ability to recover and resume settlement in the 
case of extreme cyber-based scenarios that cause data loss or data 
corruption. In some circumstances, a designated FMU may not be able to 
demonstrate that it can recover and resume operations within two hours, 
or complete settlement by end of day. The designated FMU should be able 
to demonstrate to supervisors, however, that (1) it is assessing the 
capability of its systems and effectiveness of its procedures against 
its recovery, resumption, and settlement objectives; and (2) it has an 
understanding of the circumstances in which it may not be able to 
recover and resume critical operations and services within two hours 
following disruptive events or complete settlement by the end of the 
day. The designated FMU should also be able to demonstrate that it is 
working to increase the capability of its systems and effectiveness of 
its procedures to be able to meet those objectives in the future. The 
Board reiterates that Federal Reserve supervisors will continue to work 
with designated FMUs through the supervisory process as designated FMUs 
identify reasonable approaches to prepare for and recover from extreme 
cyberattacks.

[[Page 18760]]

F. Third-Party Risk Management

    The Board expects a designated FMU to conduct its activities--
whether conducted directly by the designated FMU or through a service 
provider--in a safe and sound manner.\50\ Accordingly, the Board 
proposed to establish third-party risk management requirements in Sec.  
234.3(a)(17)(ix). The Board proposed these requirements because of the 
importance of ensuring that a designated FMU's activities do not become 
less safe when they are outsourced to third parties and because of the 
importance of managing operational risk associated with third-party 
relationships, including ``supply chain risk.'' \51\
---------------------------------------------------------------------------

    \50\ The Board believes that this expectation is consistent with 
section 807(b) of the Dodd-Frank Act, which provides each 
Supervisory Agency of a designated FMU with authority to examine the 
provision of any service integral to the operation of the designated 
FMU for compliance with applicable law, rules, orders, and standards 
to the same extent as if the designated FMU were performing the 
service on its own premises. 12 U.S.C. 5466(b).
    \51\ Supply chain risk encompasses the potential for harm or 
compromise to a designated FMU that arises as a result of security 
risks from its third parties' subcontractors or suppliers, as well 
as the subcontractors' or suppliers' supply chains, and their 
products or services (including software that may be used by the 
third party or the designated FMU). This definition is consistent 
with NIST's definition of ``supply chain risk'' in the NIST 
computer-security incident handling guide. See NIST, Computer 
Security Incident Handling Guide (Special Publication 800-61, rev. 
2), https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf. The Board identified supply chain risk as a 
threat on which the Board is focused in its report on cybersecurity 
and financial system resilience. See Board of Governors of the 
Federal Reserve System, Report to Congress: Cybersecurity and 
Financial System Resilience Report (September 2021), https://www.federalreserve.gov/publications/files/cybersecurity-report-202109.pdf.
---------------------------------------------------------------------------

    Specifically, the Board proposed to add a definition of ``third 
party'' in Sec.  234.2(n), and to add Sec.  234.3(a)(17)(ix) regarding 
the management of risks associated with third-party relationships. In 
Sec.  234.2(n), the Board proposed to define ``third party'' as ``any 
entity with which a designated FMU maintains a business arrangement, by 
contract or otherwise.'' \52\ For purposes of proposed Sec.  
234.3(a)(17)(ix), the Board noted that it would consider third-party 
relationships to include vendor relationships for products such as 
software and arrangements for any services that third parties perform 
for a designated FMU.
---------------------------------------------------------------------------

    \52\ This definition was consistent with the definition of 
``third-party relationship'' in then-proposed interagency guidance 
for banking organizations on third-party relationships. See 86 FR 
38182, 38186-87 (July 19, 2021). The Board explained in the NPRM 
that the Board viewed the requirements of proposed Sec.  
234.3(a)(17)(ix) as broadly consistent with the proposed interagency 
guidance. The Board, OCC, and FDIC have since adopted final 
Interagency Guidance on Third-Party Relationships: Risk Management. 
88 FR 37920 (June 9, 2023). The Board continues to believe that the 
final amendments to Regulation HH remain broadly consistent with the 
final interagency guidance. In examining designated FMUs under 
Regulation HH, Board examiners will continue to reference guidance 
on third-party risk management.
---------------------------------------------------------------------------

    In Sec.  234.3(a)(17)(ix), the Board proposed to require a 
designated FMU to have systems, policies, procedures, and controls that 
effectively identify, monitor, and manage risks associated with third-
party relationships. Additionally, for any service that is performed 
for the designated FMU by a third party, a designated FMU's systems, 
policies, procedures, and controls would need to ensure that risks are 
identified, monitored, and managed to the same extent as if the 
designated FMU were performing the service itself.\53\
---------------------------------------------------------------------------

    \53\ As noted in the NPRM, the Board believes that where a 
designated FMU outsources the provision of services to a third 
party, the designated FMU retains the responsibility for meeting the 
risk-management standards in Regulation HH.
---------------------------------------------------------------------------

    In Sec.  234.3(a)(17)(ix)(A) and (B), the Board proposed specific 
requirements for three components of third-party risk management: risk 
assessments, information-sharing arrangements, and business continuity 
management and testing. In Sec.  234.3(a)(17)(ix)(A), the Board 
proposed to require a designated FMU to regularly conduct risk 
assessments of its third-party relationships and establish, as 
appropriate, information-sharing arrangements with third parties. In 
Sec.  234.3(a)(17)(ix)(B), the Board proposed to require a designated 
FMU to include third parties in its business continuity management and 
testing, as appropriate.\54\
---------------------------------------------------------------------------

    \54\ In the final rule, the Board has reorganized risk 
assessment, information sharing, and business continuity management 
and testing into separate paragraphs (a)(17)(ix)(A), (B), and (C) of 
Sec.  234.3, respectively. The headings used in this SUPPLEMENTARY 
INFORMATION refer to these reorganized paragraphs.
---------------------------------------------------------------------------

1. Definition of Third-Party Risk; Identification, Monitoring, and 
Management of Risks Associated With Third-Party Relationships--Section 
234.2(n); Section 234.3(a)(17)(ix)
(a) Summary of Comments
    Two commenters supported the addition of the third-party risk 
management rule to Regulation HH, but one of these commenters suggested 
the rule incorporate concepts of proportionality and criticality. Two 
commenters expressed concern with the scope of the definition of 
``third party.'' These commenters suggested narrowing the definition in 
a number of ways. One commenter suggested distinguishing between 
services the commenter considered ``outsourced'' and other third-party 
services. One commenter noted that the proposed definition may 
unintentionally capture entities with which a designated FMU has a 
business relationship, such as participants in a designated FMU and 
employees, but which it does not treat as traditional service-providing 
vendors. One commenter suggested that the ``third party'' definition 
should include only entities that could have a material impact on the 
designated FMU's designated activities.
    One commenter suggested Sec.  234.3(a)(17)(ix) be amended to permit 
the designated FMU to have risk-based systems, policies, procedures, 
and controls and to be flexible in managing third-party risk. Another 
commenter explained that a designated FMU should be able to apply its 
most stringent risk management controls to third parties that provide 
services essential to performing the services for which the FMU was 
designated as systemically important. Both of these commenters also 
provided comments to the more specific requirements set forth in 
proposed Sec.  234.3(a)(17)(ix)(A) and (B), which are addressed in 
sections III.F.2 and III.F.3, infra.
    Finally, these commenters noted that the definition of third party 
would include central banks and other entities that may be unable or 
unwilling to establish formal information-sharing relationships or 
participate in a designated FMU's business continuity management and 
testing. Both commenters suggested excluding central banks from the 
definition, and one commenter recommended narrowing the definition by 
expressly excluding real-time gross settlement systems and their 
operators from the definition of ``third party.''
(b) Final Rule
    After considering the comments received, the Board has made one 
modification to the definition of ``third party.'' Additionally, the 
Board is adopting as proposed the risk-management standards requirement 
set forth in the introductory portion of Sec.  234.3(a)(17)(ix), but 
the Board has amended the specific requirements set forth in proposed 
Sec.  234.3(a)(17)(ix)(A) and (B) to more expressly recognize that not 
all third parties present the same risk to a designated FMU.
    As discussed in the NPRM, products and services provided by third 
parties can include a wide variety of arrangements, from heating, 
ventilation, and air conditioning (often referred to as HVAC) services 
that support the physical infrastructure of a designated

[[Page 18761]]

FMU to technology platforms or financial risk management modeling that 
are essential to executing a designated FMU's payment, clearing, or 
settlement activities. The Board does not believe it is appropriate to 
narrow the definition of third party to vendor, outsourcing, or other 
types of arrangements for purposes of the Board's third-party risk-
management standards. Doing so could result in third-party risks being 
overlooked. The Board is concerned that limitations to ``outsourced'' 
or ``traditional vendor'' activities could result in inconsistent 
treatment of third parties, depending on how a particular designated 
FMU decides to categorize various third-party relationships. Moreover, 
the Board has observed that operational risk, and in particular cyber 
risk, has the potential to arise from unexpected sources, which may not 
be considered outsourced or even directly related to a designated FMU's 
critical operations or services. Thus, the Board believes that a 
designated FMU's systems, policies, procedures, and controls should 
address third parties more broadly.
    A broad definition of third party does not mean, however, that the 
Board expects a designated FMU to address all third parties in the same 
manner. Although the Board, for the reasons described in section III.A, 
supra, has not expressly referred to a risk-based and proportionate 
approach in the final rule, the Board believes that Sec.  
234.3(a)(17)(ix) is consistent with such an approach. As the Board 
stated in the NPRM, a designated FMU should adopt risk management 
practices that are commensurate with the level of risk posed by its 
third-party relationships, as identified through the risk assessments 
it conducts.
    While the Board generally believes a broad definition of third 
party is appropriate, the Board has, in response to comments, clarified 
in the final rule that relationships between a designated FMU and its 
participants are not ``third-party'' relationships when the participant 
is acting in that capacity only.\55\ If a participant maintains other 
relationships with a designated FMU--such as acting as a provider of 
pricing data, financial risk modeling services, liquidity, or asset 
custody services--the participant would be within the scope of the 
definition of ``third party'' as it relates to its other business 
arrangements with the designated FMU.\56\
---------------------------------------------------------------------------

    \55\ The Board also does not consider the relationship between a 
designated FMU and an employee to be a third-party relationship.
    \56\ The Board acknowledges that recent interagency guidance for 
banking organizations does not categorically exclude customer 
relationships from the scope of ``business arrangements'' within the 
scope of that guidance. 88 FR 37920, 37922 (June 9, 2023). In 
adopting the final interagency guidance, the agencies explained that 
some business relationships may incorporate elements or features of 
a customer relationship. Whereas banking organizations may enter 
into different types of arrangements, designated FMUs' arrangements 
with their participants are standardized and governed by a uniform 
set of terms applicable to each participant or class of 
participants, and risk management of participants is addressed in 
another section of Regulation HH. Specifically, Sec.  234.3(a)(18) 
of Regulation HH requires a designated FMU to have objective, risk-
based, and publicly disclosed criteria for participation; monitor 
compliance with its participation requirements on an ongoing basis; 
and have the authority to impose risk controls on a participant in 
situations where the designated FMU determines the participant poses 
heightened risk to the designated FMU. 12 CFR 234.3(a)(18).
---------------------------------------------------------------------------

2. Assessment of Third Party Risk--Section 234.3(a)(17)(ix)(A)
(a) Summary of Comments
    As discussed in section III.F.1, commenters raised concerns about 
the scope of the definition of third party. As an alternative to 
definitional changes, one commenter suggested that the requirement to 
conduct risk assessments could apply broadly, but that specific 
information-sharing and business continuity testing requirements should 
apply only to third parties that provide critical services. Comments on 
the information-sharing and business continuity management and testing 
requirements are discussed in section III.F.3, infra.
(b) Final Rule
    The Board is adopting the risk assessment requirement in Sec.  
234.3(a)(17)(ix)(A) substantially as proposed but has moved the 
information sharing requirement to Sec.  234.3(a)(17)(ix)(B) (and, 
consequently, the business continuity management and testing 
requirement to Sec.  234.3(a)(17)(ix)(C)). To assess risk levels of 
third parties and monitor any changes in these risk levels that may 
affect a designated FMU and its ecosystem, the Board expects the 
designated FMU to regularly conduct risk assessments for each third 
party with which it maintains a business relationship. The Board 
expects that a designated FMU could incorporate a risk-based approach 
to prioritizing and determining the frequency and scope of risk 
assessments.
    In general, and as discussed in the NPRM, the Board expects a 
designated FMU to take a rigorous and comprehensive approach to 
identifying, monitoring, and managing risks associated with third-party 
relationships. To do this effectively, it would be prudent for the 
designated FMU to understand ex ante any risks associated with the 
third party, including details on the services or products the third 
party will provide and the security controls and business continuity 
planning that the third party has in place. Before entering into a 
third-party relationship, the designated FMU should have a plan in 
place to address how it will effectively identify, monitor, and manage 
the relationship and its associated risks, in order to ensure that the 
designated FMU can continue to meet the risk-management requirements in 
Regulation HH.
3. Information Sharing Arrangements and Business Continuity and 
Testing--Section 234.3(a)(17)(ix)(B) and (C)
(a) Summary of Comments
    Two commenters raised concerns about the requirement to enter into 
information-sharing arrangements with third parties and include third 
parties in business continuity and testing, as appropriate. One of the 
commenters suggested that, in lieu of narrowing the proposed definition 
of ``third party,'' the Board could apply information-sharing and 
business continuity management and testing requirements only to third 
parties that provide critical services. That commenter also requested 
further clarification with respect to any specific expectations or 
relevant objectives in connection with information-sharing arrangements 
and business continuity management and testing.
    The same commenters noted that a designated FMU may not have the 
negotiating power to require certain third parties to enter into 
information-sharing arrangements or participate in the designated FMU's 
business continuity management and testing.\57\ One of the commenters 
also raised concerns that third parties outside the United States could 
have limitations on their ability to share information with a 
designated FMU. To address these types of concerns, one commenter 
suggested that a designated FMU could implement alternative risk 
mitigants. For example, if a telecommunication provider would not enter 
into an information-sharing arrangement, the commenter suggested that a 
designated FMU could have

[[Page 18762]]

redundant or diverse telecommunication channels.
---------------------------------------------------------------------------

    \57\ One commenter proposed that the Board require the Federal 
Reserve Banks to provide designated FMUs with necessary information 
for the designated FMU to perform its third-party risk management.
---------------------------------------------------------------------------

    The Board received a comment outside the scope of the proposal. The 
commenter noted that several third parties provide services to multiple 
designated FMUs and foreign systemically important FMIs. The commenter 
suggested that the Board and its foreign counterparts arrange scenario 
exercises involving designated FMUs and foreign FMIs. The commenter 
also recommended that the Board evaluate whether to have direct or 
collective oversight over certain third parties.
(b) Final Rule
    The Board is adopting Sec.  234.3(a)(17)(ix)(B) and (C) with two 
substantive revisions in response to comments received. In addition, 
the Board has made structural changes to the rule text: the 
information-sharing requirement has been moved from proposed Sec.  
234.3(a)(17)(ix)(A) to Sec.  234.3(a)(17)(ix)(B) and the business 
continuity management and testing requirement in proposed Sec.  
234.3(a)(17)(ix)(B) has been moved to new Sec.  234.3(a)(17)(ix)(C).
    First, the Board has amended the information-sharing and business 
continuity management and testing requirements to apply only with 
respect to third parties that provide services material to any of the 
designated FMU's critical operations or services. The Board believes 
that this limitation strikes an appropriate balance between effective 
risk management and the efficient use of resources by designated FMUs. 
A designated FMU should use the risk assessments conducted pursuant to 
final rule Sec.  234.3(a)(17)(ix)(A) to inform its determinations of 
which third parties are in scope for purposes of Sec.  
234.3(a)(17)(ix)(B) and (C).
    Second, the Board has amended the business continuity management 
and testing requirement so that it more clearly accommodates approaches 
to business continuity management and testing that do not include the 
participation of each third party in a designated FMU's testing. 
Specifically, the final rule provides that a designated FMU must 
``address'' (rather than ``include'') in its business continuity 
management and testing, as appropriate, third parties that provide 
services material to any of the designated FMU's critical operations or 
services. The Board recognizes that there are effective approaches to 
testing that do not involve participation of a third party, such as 
planning for alternatives to be used in the event of a third party's 
unavailability. A designated FMU is expected to determine, through 
internal risk analysis, an appropriate way to address each covered 
third party in business continuity management and testing, keeping in 
mind the overall requirement in Sec.  234.3(a)(17)(ix) that the 
designated FMU effectively identify, monitor, and manage risks 
associated with third-party relationships.
    The final rule, like the proposed rule, continues to apply an ``as 
appropriate'' qualification to the provisions related to information-
sharing arrangements and business continuity management and testing. It 
does not set forth prescriptive requirements that a designated FMU must 
follow in all circumstances. The Board does not believe that 
prescriptive requirements would be appropriate, in light of different 
facts and circumstances a designated FMU may face with respect to each 
of its covered third parties. A designated FMU should consider what is 
appropriate in accordance with the risk-management standards 
articulated in the introductory portion of Sec.  234.3(a)(17)(ix) and 
the risk assessments it conducts pursuant to Sec.  234.3(a)(17)(ix)(A).
    With respect to information-sharing arrangements, a designated FMU 
should conduct appropriate due diligence on third parties and ensure it 
obtains the information necessary to appropriately identify, monitor, 
and manage third-party risk. Information-sharing arrangements should 
include, where necessary, expectations related to when the designated 
FMU will be notified of material operational incidents or outages. They 
should also include, where appropriate, expectations with respect to 
information regarding the third party's information security controls, 
operational resilience objectives and capabilities, the third party's 
arrangements with its own vendors, and changes in security controls at 
the third party. Consistent with a risk-based approach, a designated 
FMU should consider heightened requirements where there is higher risk. 
For example, with certain third parties that are essential to its 
critical operations and services, a designated FMU might require 
mandatory approval from the designated FMU before the service provider 
may outsource any material elements of its service to another party, in 
order to manage supply chain risks.
    A designated FMU would generally be expected to make reasonable 
efforts to enter into contractual information-sharing arrangements, 
given the application of Sec.  234.3(a)(17)(ix)(B) to third parties 
that provide services material to the designated FMU's critical 
operations or services. The Board, however, understands that there may 
be circumstances in which a designated FMU may not be able to negotiate 
a contractual information-sharing arrangement with certain third 
parties or to obtain all of the designated FMU's desired terms. For example, 
utility operators such as electricity providers, as well as central 
banks or other operators of FMIs, may have particular needs for 
uniformity in how they interact with participants and customers.
    In such situations, a designated FMU should consider whether it is 
appropriate to rely on non-contractual arrangements or other risk 
mitigants. In some cases, such as with central banks, the designated 
FMU may appropriately rely on informal information-sharing arrangements 
or, where available, other factors that may mitigate the risk 
associated with the lack of a contractual arrangement. For example, a 
designated FMU could consider the availability of public information 
about a third party or consider whether the designated FMU has 
sufficient contingency arrangements that would allow the designated FMU 
to continue to carry out its critical operations and services in a safe 
and sound manner in the absence of contractual information-sharing 
arrangements. A designated FMU might also consider the existence of 
backups, redundant services, or other means of managing third-party 
risk. If a designated FMU cannot with confidence ascertain and 
demonstrate that informal arrangements or other mitigants are 
sufficient, the designated FMU should consider whether it is 
appropriate to transition to an alternative third party, if available, 
or choose to keep a service in-house.
    The Board expects that a designated FMU would evaluate the 
sufficiency of its business continuity arrangements with a third party 
in light of how the designated FMU addresses the third party in its 
business continuity management and testing. In some circumstances, a 
designated FMU may determine that it is appropriate for a third party 
to participate directly in the designated FMU's scenario exercises to 
ensure that the designated FMU can effectively manage any instances in 
which the third party experiences an incident causing disruption or 
material degradation to the designated FMU's critical operations or 
services. For example, where a cyberattack on a third party could 
impair the third party's ability to enable a designated FMU to fulfill 
its obligations on time, it may be necessary for the designated FMU to 
include the third party in scenario exercises to enable the designated 
FMU

[[Page 18763]]

to be prepared to react, such as by switching to a contingency plan. If 
a designated FMU determines that it is essential for a third party to 
participate in business continuity testing, the Board would, in line 
with the discussion above regarding information-sharing arrangements, 
generally expect the designated FMU to make reasonable efforts to 
require that participation by contract. It may be reasonable in some 
circumstances for a designated FMU to rely on non-contractual 
arrangements with third parties, such as central banks, to participate 
in the designated FMU's business continuity planning.
    In other circumstances, a designated FMU may have contingencies in 
place such that participation by a particular third party in business 
continuity testing is not essential. If participation is not essential, 
a designated FMU should consider whether its information-sharing 
arrangements or other available sources of information afford the 
designated FMU access to sufficient information to effectively 
address the third party in business continuity testing. The sufficiency 
of information may depend on the services provided by the third party 
and a designated FMU's ability to conduct critical operations and 
services safely and soundly in contingency scenarios without the third 
party. A designated FMU should consider the third party's business 
continuity planning in any risk assessment of the third party that the 
designated FMU completes, and, where appropriate, the designated FMU 
should include information about a third party's own business 
continuity planning in information-sharing arrangements it establishes 
with a third party.

G. Technical Revisions

1. Definition of Operational Risk
(a) Proposed Rule
    In Sec.  234.2(h), the Board proposed to add ``operational risk'' 
as a defined term in Regulation HH. The Board proposed to define this 
term as ``the risk that deficiencies in information systems or internal 
processes, human errors, management failures, or disruptions from 
external events will result in the reduction, deterioration, or 
breakdown of services provided by the designated financial market 
utility.''
(b) Summary of Comments
    The Board received one comment that supported the proposed 
definition of operational risk.
(c) Final Rule
    The Board is adopting the definition of ``operational risk'' as 
proposed. This definition is consistent with the definition of 
operational risk in the PFMI and the Board's definition in part I of 
the Federal Reserve Policy on Payment System Risk (PSR policy).\58\ In 
the supplementary information of its 2014 notice of proposed 
rulemaking, the Board had provided this definition of operational risk 
when it proposed amendments to Regulation HH based on the PFMI.\59\
---------------------------------------------------------------------------

    \58\ Part I of the PSR policy sets out the Board's views, and 
related standards, regarding the management of risks in financial 
market infrastructures, including those operated by the Reserve 
Banks. The Board concurrently amended the risk-management standards 
in Regulation HH and revised part I of the PSR policy based on the 
PFMI in 2014. The PSR policy is available at https://www.federalreserve.gov/paymentsystems/files/psr_policy.pdf.
    \59\ 79 FR 3666, 3683 (Jan. 22, 2014).
---------------------------------------------------------------------------

2. Definition of Critical Operations and Critical Services
(a) Proposed Rule
    In Sec.  234.2(d), the Board proposed to add ``critical 
operations'' and ``critical services'' as defined terms in Regulation 
HH, in order to streamline references to these terms. Under the 
proposal, these terms were defined as ``any operations or services that 
the designated financial market utility identifies under 12 CFR 
234.3(a)(3)(iii)(A).''
(b) Summary of Comments
    The Board received one comment on the definition of critical 
operations and critical services, which was supportive of the revision.
(c) Final Rule
    The Board is adopting the definition of critical operations and 
critical services as proposed. Under Sec.  234.3(a)(3)(iii)(A), a 
designated FMU must identify its critical operations and services 
related to payment, clearing, and settlement for purposes of developing 
its integrated plans for recovery and orderly wind-down. The Board's 
amendments to Sec.  234.3(a)(17), related to review and testing, 
incident management and planning, and business continuity management 
planning, refer to a designated FMU's critical operations and/or 
services in multiple places. Amending Regulation HH to include 
definitions of ``critical operations'' and ``critical services'' 
clarifies that the critical operations or services that the designated 
FMU should consider under paragraph (a)(17) are the same set of 
critical operations and services that the designated FMU has identified 
under paragraph (a)(3).
3. Cross-Reference to ``Other Entities'' Identified in Sec.  
234.3(a)(3) on Comprehensive Management of Risk
(a) Proposed Rule
    The Board proposed to streamline and replace the reference to 
``financial market utilities and trade repositories, if any'' in Sec.  
234.3(a)(17)(ii) with the phrase ``relevant entities such as those 
referenced in paragraph (a)(3)(ii).'' In connection with this, the 
Board proposed to include ``trade repositories'' in the list of 
entities listed under Sec.  234.3(a)(3)(ii).\60\
---------------------------------------------------------------------------

    \60\ Because of the differences in the definition for financial 
market infrastructure in the PFMI, which includes trade 
repositories, and the definition of FMU in the Dodd-Frank Act, which 
does not, the Board had previously inadvertently excluded the 
reference to ``trade repositories'' in Sec.  234.3(a)(3)(ii).
---------------------------------------------------------------------------

(b) Summary of Comments
    One commenter had no objection to the addition of the term ``trade 
repositories'' to Sec.  234.3(a)(3)(ii), but suggested changing the 
term ``relevant entities'' as used in Sec.  234.3(a)(17)(ii) to 
``identified entities.'' The commenter noted that change would allow 
the word ``relevant'' to be used elsewhere in the rule when discussing 
the entities referenced in Sec.  234.3(a)(17)(ii).
(c) Final Rule
    The Board has adopted the proposed revisions to Sec.  
234.3(a)(3)(ii) and (a)(17)(ii) but has removed the word ``relevant'' 
from the latter revision. Upon review, the Board believes that the 
reference to entities listed in Sec.  234.3(a)(3)(ii) is sufficiently 
clear without including a modifier like ``relevant'' or ``identified.'' 
The Board believes that, as adopted, Sec.  234.3(a)(17)(ii) is 
consistent with the requirement under paragraph (a)(3)(ii) for the 
designated FMU to identify, measure, monitor, and manage the material 
risks that it poses due to interdependencies with other entities, such 
as other FMUs, settlement banks, liquidity providers, and service 
providers.
4. Operational Capabilities To Ensure High Degree of Security and 
Operational Reliability
(a) Proposed Rule
    Section 234.3(a)(17)(iii) requires a designated FMU to have 
``policies and systems'' that are designed to achieve clearly defined 
objectives to ensure a high degree of security and operational 
reliability.
    A designated FMU is implicitly required to have the operational

[[Page 18764]]

capability to achieve these objectives. In Sec.  234.3(a)(17)(iii), the 
Board proposed to make this requirement explicit by clarifying that a 
designated FMU must have ``operational capabilities''--in addition to 
the existing reference to ``policies and systems''--that are designed 
to achieve clearly defined objectives to ensure a high degree of 
security and operational reliability.
(b) Summary of Comments
    One commenter suggested removing the reference to ``operational 
capabilities'' in proposed Sec.  234.3(a)(17)(iii) and instead adding a 
reference to ``processes and controls,'' in addition to ``policies and 
systems.'' The commenter noted this drafting would better align with 
the terminology used throughout Regulation HH.
(c) Final Rule
    Upon consideration of the comment, the Board has removed the term 
``operational capabilities'' in proposed Sec.  234.3(a)(17)(iii) and 
replaced it with ``procedures and controls.'' This change aligns the 
language in Sec.  234.3(a)(17)(iii) with terminology used elsewhere in 
Regulation HH. Regulation HH frequently uses the term ``procedures and 
controls,'' and the Board believes the phrase achieves the suggested 
drafting consistency and the intended meaning.
    The Board expects a designated FMU to establish clearly defined 
objectives to ensure a high degree of security and operational 
reliability; to have systems, procedures, and controls designed to 
achieve these objectives; and to have policies, such as benchmarks, in 
place for the designated FMU to evaluate its systems' performance 
against these objectives.
5. Identify, Monitor, and Manage Potential and Evolving Vulnerabilities 
and Threats
(a) Proposed Rule
    Section 234.3(a)(17)(v) requires a designated FMU to have 
comprehensive physical, information, and cyber security policies, 
procedures, and controls ``that address'' potential and evolving 
vulnerabilities and threats. The Board proposed a technical change to 
clarify what it means to ``address'' potential and evolving 
vulnerabilities and threats. Specifically, the Board proposed to 
replace the phrase ``that address'' with the phrase ``that enable the 
designated financial market utility to identify, monitor, and manage'' 
potential and evolving vulnerabilities and threats.
(b) Summary of Comments
    One commenter supported the proposed change. No other comments were 
received in response to this proposed revision of Sec.  
234.3(a)(17)(v).
(c) Final Rule
    The Board is adopting the technical revision as proposed.

IV. Administrative Law Matters

A. Regulatory Flexibility Act Analysis

    The Regulatory Flexibility Act (RFA) generally requires that, in 
connection with a final rulemaking, an agency prepare and make 
available a final regulatory flexibility analysis describing the impact 
of the final rule on small entities.\61\ However, a final regulatory 
flexibility analysis is not required if the agency certifies that the 
final rule will not have a significant economic impact on a substantial 
number of small entities.
---------------------------------------------------------------------------

    \61\ 5 U.S.C. 601 et seq.
---------------------------------------------------------------------------

    The Small Business Administration (SBA) has adopted size standards 
for determining whether a particular entity is considered a ``small 
entity'' for purposes of the RFA. The Board believes that the most 
appropriate SBA size standard to apply in determining whether a 
designated FMU is a small entity is the SBA size standard for financial 
transactions processing, reserve, and clearinghouse activities. Under 
this standard, a designated FMU is considered a small entity if its 
annual receipts are less than $47 million.\62\ The Board includes the 
assets of all domestic and foreign affiliates in determining whether to 
classify a designated FMU as a small entity.\63\ For the reasons 
described below and under section 605(b) of the RFA, the Board 
certifies that the final rule will not have a significant economic 
impact on a substantial number of small entities.\64\
---------------------------------------------------------------------------

    \62\ 13 CFR 121.201 (subsector 522320). Alternatively, the SBA 
size standards for (1) securities and commodities exchanges; (2) 
trust, fiduciary, and custody activities; or (3) international, 
secondary market, and all other nondepository credit intermediation 
activities could also apply to certain designated FMUs; these size 
standards are currently the same as the size standard for financial 
transactions processing, reserve, and clearinghouse activities 
(i.e., annual receipts of less than $47 million). Id. (subsectors 
523210, 523991, and 522299).
    \63\ 13 CFR 121.103.
    \64\ 5 U.S.C. 605(b).
---------------------------------------------------------------------------

    In connection with the proposed rule, the Board stated that it did 
not believe that the proposal would have a significant economic impact 
on a substantial number of small entities. Nevertheless, the Board 
published and invited comment on an initial regulatory flexibility 
analysis of the proposal. No comments were received on the initial 
regulatory flexibility analysis.
    The Board is finalizing amendments to Regulation HH that would 
affect the regulatory requirements that apply to designated FMUs other 
than derivatives clearing organizations registered with the CFTC and 
clearing agencies registered with the SEC. At present, the FSOC has 
designated eight FMUs as systemically important; two of these 
designated FMUs are subject to the Board's Regulation HH. The reasons 
and justification for the final rule are described above in more detail 
in this SUPPLEMENTARY INFORMATION.
    The Board has considered whether to conduct a final regulatory 
flexibility analysis in connection with the final rule. However, the 
annual receipts of designated FMUs subject to this final rule exceed 
the $47 million threshold under which a designated FMU is considered a 
``small entity'' under SBA regulations. Because the final rule is not 
likely to apply to any company with annual receipts of $47 million or 
less, it is not expected to apply to any small entity for purposes of 
the RFA. In light of the foregoing, the Board certifies that the final 
rule will not have a significant economic impact on a substantial 
number of small entities.

B. Competitive Impact Analysis

    As a matter of policy, the Board conducts a competitive impact 
analysis in connection with any operational or legal changes that could 
have a substantial effect on payment system participants, even if 
competitive effects are not apparent on the face of the proposal. 
Pursuant to this policy, the Board assesses whether proposed changes 
``would have a direct and material adverse effect on the ability of 
other service providers to compete effectively with the Federal Reserve 
in providing similar services'' and whether any such adverse effect 
``was due to legal differences or due to a dominant market position 
deriving from such legal differences.'' If, as a result of this 
analysis, the Board identifies an adverse effect on competition, the 
Board then assesses whether the associated benefits--such as 
improvements to payment system efficiency or integrity--can be achieved 
while minimizing the adverse effect on competition.\65\
---------------------------------------------------------------------------

    \65\ See Policies: The Federal Reserve in the Payments System 
(issued 1984; revised 1990 and January 2001), https://www.federalreserve.gov/paymentsystems/pfs_frpaysys.htm.
---------------------------------------------------------------------------

    Designated FMUs are subject to the supervisory framework 
established under Title VIII of the Dodd-Frank Act. The final rule 
amends current

[[Page 18765]]

Regulation HH operational risk-management standards for certain 
designated FMUs. At least one designated FMU that is currently subject 
to Regulation HH competes with the Fedwire® \66\ Funds Service 
provided by the Reserve Banks.
---------------------------------------------------------------------------

    \66\ Fedwire is a registered service mark of the Reserve Banks. 
A list of marks related to financial service products that are 
offered to financial institutions by the Reserve Banks is available 
at FRBservices.org.
---------------------------------------------------------------------------

    Under the Federal Reserve Act, the Board has general supervisory 
authority over the Reserve Banks, including the Reserve Banks' 
provision of payment and settlement services. This general supervisory 
authority is more extensive in scope than the Board's authority over 
certain designated FMUs under Title VIII. In practice, Board oversight 
of the Reserve Banks goes beyond the typical supervisory framework for 
private-sector entities, including the framework provided by Title 
VIII. The Fedwire Funds Service and Fedwire Securities Service 
(collectively, Fedwire Services) are subject to the risk-management 
standards in part I of the PSR policy, including applicable principles 
from the PFMI as set forth in an appendix to the PSR policy. The Board 
is guided by its interpretation of the corresponding provisions of 
Regulation HH in its application of the risk management expectations in 
the PSR policy.\67\
---------------------------------------------------------------------------

    \67\ See section I.B.1 of the PSR policy.
---------------------------------------------------------------------------

    One commenter expressed its appreciation for the Board's commitment 
to apply risk-management standards to the Fedwire Funds Service that 
are at least as stringent as those in Regulation HH, but asked the 
Board to amend the appendix to the PSR policy to more closely align 
with Regulation HH. The commenter also requested that the Board revise 
the PSR policy to include the Reserve Banks' National Settlement 
Service (NSS), along with the Fedwire Services, as a service subject to 
the appendix of the PSR policy.
    The Board recognizes the critical role that the Fedwire Services 
play in the financial system and, as noted in the proposal, the Board 
remains committed to applying risk-management standards to the Fedwire 
Funds Service that are at least as stringent as the Regulation HH 
standards that are applied to designated FMUs that provide similar 
services. At the same time, however, the Board continues to believe 
that a different level of detail is required for Regulation HH than for 
part I of the PSR policy. Regulation HH is an enforceable rule 
applicable to designated FMUs other than those supervised by the CFTC 
or SEC, so additional detail provides greater clarity on the Board's 
expectations. The PSR policy, on the other hand, is a policy statement 
that provides guidance about (as relevant here) the Board's exercise of 
its other supervisory or regulatory authority over other financial 
market infrastructures (including those operated by the Reserve Banks) 
or their participants.
    The Board continues to believe that the current approach to the 
appendix to the PSR policy is consistent with the purpose of the 
document and the Board's long-standing supervisory approach under the 
PSR policy. In light of the Federal Reserve's oversight framework for 
the Fedwire Services, the Board does not believe that the amendments to 
Regulation HH will have any direct and material adverse effect on the 
ability of other service providers to compete with the Reserve Banks.
    Finally, the Board does not believe that the exclusion of NSS from 
the list of Federal Reserve services subject to the appendix of the PSR 
policy has a direct and material effect on the ability of other service 
providers to compete with the Reserve Banks. NSS provides services to a 
number of financial market infrastructures, but is not itself a 
competitor with other service providers, and in particular with any 
service providers to which Regulation HH applies.

C. Paperwork Reduction Act Analysis

    In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 
3506; 5 CFR part 1320, appendix A, section 1), the Board reviewed the 
final rule under the authority delegated to the Board by the Office of 
Management and Budget. As noted in the NPRM, for purposes of the 
Paperwork Reduction Act, a ``collection of information'' involves 10 or 
more respondents. Any recordkeeping, disclosure, or reporting 
requirement that is contained in a rule of general applicability or 
that is addressed to all or a substantial majority of an industry is 
presumed to involve 10 or more respondents (5 CFR 1320.3(c), 
1320.3(c)(4)). Regulation HH applies to fewer than 10 persons, and 
these persons do not represent all or a substantial majority of the 
participants in payment, clearing, and settlement systems. 
Additionally, Regulation HH is not a rule of general applicability. 
Therefore, no collections of information under the Paperwork Reduction 
Act are contained in the final rule. The Board did not receive any 
comments on this analysis.

List of Subjects in 12 CFR Part 234

    Banks, Banking, Credit, Electronic funds transfers, Financial 
market utilities, Securities.

Authority and Issuance

    For the reasons set forth in the preamble, the Board is amending 
part 234 of chapter II of title 12 of the Code of Federal Regulations 
as follows:

PART 234--DESIGNATED FINANCIAL MARKET UTILITIES (REGULATION HH)

■ 1. The authority citation for part 234 continues to read as follows:

    Authority:  12 U.S.C. 5461 et seq.


■ 2. Revise Sec.  234.2 to read as follows:


Sec.  234.2  Definitions.

    (a) Backtest means the ex post comparison of realized outcomes with 
margin model forecasts to analyze and monitor model performance and 
overall margin coverage.
    (b) Central counterparty means an entity that interposes itself 
between counterparties to contracts traded in one or more financial 
markets, becoming the buyer to every seller and the seller to every 
buyer.
    (c) Central securities depository means an entity that provides 
securities accounts and central safekeeping services.
    (d) Critical operations and critical services refer to any 
operations or services that the designated financial market utility 
identifies under Sec.  234.3(a)(3)(iii)(A).
    (e) Designated financial market utility means a financial market 
utility that is currently designated by the Financial Stability 
Oversight Council under section 804 of the Dodd-Frank Act (12 U.S.C. 
5463).
    (f) Financial market utility has the same meaning as the term is 
defined in section 803(6) of the Dodd-Frank Act (12 U.S.C. 5462(6)).
    (g) Link means, for purposes of Sec.  234.3(a)(20), a set of 
contractual and operational arrangements between two or more central 
counterparties, central securities depositories, or securities 
settlement systems, or between one or more of these financial market 
utilities and one or more trade repositories, that connect them 
directly or indirectly, such as for the purposes of participating in 
settlement, cross margining, or expanding their services to additional 
instruments and participants.
    (h) Operational risk means the risk that deficiencies in 
information systems or internal processes, human errors, management 
failures, or disruptions from external events will result in the

[[Page 18766]]

reduction, deterioration, or breakdown of services provided by the 
designated financial market utility.
    (i) Orderly wind-down means the actions of a designated financial 
market utility to effect the permanent cessation, sale, or transfer of 
one or more of its critical operations or services in a manner that 
would not increase the risk of significant liquidity or credit problems 
spreading among financial institutions or markets and thereby threaten 
the stability of the U.S. financial system.
    (j) Recovery means, for purposes of Sec.  234.3(a)(3) and (15), the 
actions of a designated financial market utility, consistent with its 
rules, procedures, and other ex ante contractual arrangements, to 
address any uncovered loss, liquidity shortfall, or capital inadequacy, 
whether arising from participant default or other causes (such as 
business, operational, or other structural weaknesses), including 
actions to replenish any depleted prefunded financial resources and 
liquidity arrangements, as necessary to maintain the designated 
financial market utility's viability as a going concern and to continue 
its provision of critical services.
    (k) Securities settlement system means an entity that enables 
securities to be transferred and settled by book entry and allows 
transfers of securities free of or against payment.
    (l) Stress test means the estimation of credit or liquidity 
exposures that would result from the realization of potential stress 
scenarios, such as extreme price changes, multiple defaults, and 
changes in other valuation inputs and assumptions.
    (m) Supervisory Agency has the same meaning as the term is defined 
in section 803(8) of the Dodd-Frank Act (12 U.S.C. 5462(8)).
    (n) Third party means any entity, other than a participant of a 
designated financial market utility acting in that capacity, with which 
a designated financial market utility maintains a business arrangement, 
by contract or otherwise.
    (o) Trade repository means an entity that maintains a centralized 
electronic record of transaction data, such as a swap data repository 
or a security-based swap data repository.

■ 3. In Sec.  234.3:
■ a. Revise the section heading;
■ b. Add the words ``trade repositories,'' after the words ``such as 
other financial market utilities,'' in paragraph (a)(3)(ii);
■ c. Remove the word ``following'' and add in its place ``after'', in 
paragraph (a)(3)(iii)(G);
■ d. Revise paragraph (a)(17); and
■ e. Remove the word ``following'' and add in its place the words ``to 
reflect'', in paragraph (a)(23)(v).
    The revisions read as follows:


Sec.  234.3  Standards for designated financial market utilities.

    (a) * * *
    (17) Operational risk. The designated financial market utility 
manages its operational risks by establishing a robust operational 
risk-management framework that is approved by the board of directors. 
In this regard, the designated financial market utility--
    (i) Identifies the plausible sources of operational risk, both 
internal and external, and mitigates their impact through the use of 
appropriate systems, policies, procedures, and controls--including 
those specific systems, policies, procedures, or controls required 
pursuant to this paragraph (a)(17)--that are reviewed, audited, and 
tested periodically and after major changes such that--
    (A) The designated financial market utility conducts tests--
    (1) In accordance with a documented testing framework that 
addresses, at a minimum, scope, frequency, participation, 
interdependencies, and reporting; and
    (2) That assess whether the designated financial market utility's 
systems, policies, procedures, or controls function as intended;
    (B) The designated financial market utility reviews the design, 
implementation, and testing of affected and similar systems, policies, 
procedures, and controls, after material operational incidents, 
including the material operational incidents described in paragraph 
(a)(17)(vi)(A) of this section, or after changes to the environment in 
which the designated financial market utility operates that could 
significantly affect the plausible sources or mitigants of operational 
risk; and
    (C) The designated financial market utility remediates as soon as 
possible, following established governance processes, deficiencies in 
systems, policies, procedures, or controls identified in the process of 
review or testing;
    (ii) Identifies, monitors, and manages the risks its operations 
might pose to other entities such as those referenced in paragraph 
(a)(3)(ii) of this section;
    (iii) Has systems, policies, procedures, and controls that are 
designed to achieve clearly defined objectives to ensure a high degree 
of security and operational reliability;
    (iv) Has systems that have adequate, scalable capacity to handle 
increasing stress volumes and achieve the designated financial market 
utility's service-level objectives;
    (v) Has comprehensive physical, information, and cyber security 
policies, procedures, and controls that enable the designated financial 
market utility to identify, monitor, and manage potential and evolving 
vulnerabilities and threats;
    (vi) Has a documented framework for incident management that 
provides for the prompt detection, analysis, and escalation of an 
incident, appropriate procedures for addressing an incident, and 
incorporation of lessons learned following an incident. This framework 
includes a plan for notification and communication of material 
operational incidents to identified relevant entities that ensures the 
designated financial market utility--
    (A) Immediately notifies the Board, in accordance with the process 
established by the Board, when the designated financial market utility 
activates its business continuity plan or has a reasonable basis to 
conclude that--
    (1) There is an actual or likely disruption, or material 
degradation, to any critical operations or services, or to its ability 
to fulfill its obligations on time; or
    (2) There is unauthorized entry or a vulnerability that could allow 
unauthorized entry into the designated financial market utility's 
computer, network, electronic, technical, automated, or similar systems 
that affects or has the potential to affect its critical operations or 
services; and
    (B) Establishes criteria and processes providing for timely 
communication and responsible disclosure of material operational 
incidents to the designated financial market utility's participants and 
other relevant entities, such that--
    (1) Affected participants are notified immediately of actual 
disruptions or material degradations to any critical operations or 
services, or to the designated financial market utility's ability to 
fulfill its obligations on time; and
    (2) Participants and other relevant entities, as identified in the 
designated financial market utility's plan for notification and 
communication, are notified in a timely manner of material operational 
incidents described in paragraph (a)(17)(vi)(A) of this section, as 
appropriate, taking into account the risks and benefits of the 
disclosure to the designated financial market utility and such 
participants and other relevant entities;
    (vii) Has business continuity management that provides for rapid 
recovery and timely resumption of critical operations and services and

[[Page 18767]]

fulfillment of its obligations, including in the event of a wide-scale 
disruption or a major disruption;
    (viii) Has a business continuity plan that--
    (A) Incorporates the use of two sites providing for sufficient 
redundancy supporting critical operations that are located at a 
sufficient geographical distance from each other to have a distinct 
risk profile;
    (B) Is designed to enable critical systems, including information 
technology systems, to recover and resume critical operations and 
services no later than two hours following disruptive events;
    (C) Is designed to enable it to complete settlement by the end of 
the day of the disruption, even in case of extreme circumstances;
    (D) Sets out criteria and processes by which the designated 
financial market utility will reestablish availability for affected 
participants and other entities following a disruption to the 
designated financial market utility's critical operations or services;
    (E) Provides for testing, pursuant to the requirements under 
paragraphs (a)(17)(i)(A) and (C) of this section, at least annually, of 
the designated financial market utility's business continuity 
arrangements, including the people, processes, and technologies of the 
sites required under paragraph (a)(17)(viii)(A) of this section, such 
that--
    (1) The designated financial market utility can demonstrate that it 
can run live production at the sites required under paragraph 
(a)(17)(viii)(A) of this section;
    (2) The designated financial market utility assesses the capability 
of its systems and effectiveness of its procedures for data recovery 
and data reconciliation to meet the recovery and resumption objectives 
under paragraphs (a)(17)(viii)(B) and (C) of this section, even in case 
of extreme circumstances, including in the event of data loss or data 
corruption; and
    (3) The designated financial market utility can demonstrate that it 
has geographically dispersed staff who can effectively run the 
operations and manage the business of the designated financial market 
utility; and
    (F) Is reviewed, pursuant to the requirements under paragraphs 
(a)(17)(i)(B) and (C) of this section, at least annually, in order to--
    (1) Incorporate lessons learned from actual and averted 
disruptions; and
    (2) Update scenarios and assumptions in order to ensure 
responsiveness to the evolving risk environment and incorporate new and 
evolving sources of operational risk; and
    (ix) Has systems, policies, procedures, and controls that 
effectively identify, monitor, and manage risks associated with third-
party relationships, and that ensure that, for any service that is 
performed for the designated financial market utility by a third party, 
risks are identified, monitored, and managed to the same extent as if 
the designated financial market utility were performing the service 
itself. In this regard, the designated financial market utility--
    (A) Regularly conducts risk assessments of third parties;
    (B) Establishes information-sharing arrangements, as appropriate, 
with third parties that provide services material to any of the 
designated financial market utility's critical operations or services; 
and
    (C) Addresses in its business continuity management and testing, as 
appropriate, third parties that provide services material to any of the 
designated financial market utility's critical operations or services.
* * * * *
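The notification triggers in paragraph (a)(17)(vi) and the two-hour resumption objective in paragraph (a)(17)(viii)(B), expressed as checkable logic that an incident-response playbook could call. This is an added illustration, not part of the rule or of any Board guidance; the `Incident` fields, the `Disruption` states, and the "immediate"/"timely" labels are assumptions made for this example.

```python
"""Checkable encoding of the Regulation HH (a)(17)(vi) notification triggers
and the (a)(17)(viii)(B) two-hour resumption objective.

Added illustration only: the field names, enum states and return labels are
assumptions made for this example, not terms defined by the rule."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Disruption(Enum):
    """State of a critical operation/service or of an on-time obligation."""
    NONE = "none"
    LIKELY = "likely"      # reasonable basis to expect disruption/degradation
    ACTUAL = "actual"      # disruption or material degradation is occurring


@dataclass(frozen=True)
class Incident:
    bcp_activated: bool = False
    disruption: Disruption = Disruption.NONE
    unauthorized_entry: bool = False     # entry into FMU systems confirmed
    entry_vulnerability: bool = False    # vulnerability could allow entry
    affects_critical_ops: bool = False   # affects or could affect critical ops


def board_notification_required(inc: Incident) -> bool:
    """(vi)(A): immediate Board notification on BCP activation, on actual or
    likely disruption/material degradation, or on unauthorized entry (or a
    vulnerability permitting it) that affects or could affect critical
    operations or services. Entry into a non-critical system alone does not
    meet (vi)(A)(2)."""
    if inc.bcp_activated:
        return True
    if inc.disruption is not Disruption.NONE:
        return True
    cyber_trigger = inc.unauthorized_entry or inc.entry_vulnerability
    return cyber_trigger and inc.affects_critical_ops


def participant_notifications(inc: Incident) -> set:
    """(vi)(B): 'immediate' applies only to ACTUAL disruption/degradation;
    'timely' (subject to the risk/benefit assessment in (vi)(B)(2)) applies to
    any incident that met the (vi)(A) criteria."""
    required = set()
    if inc.disruption is Disruption.ACTUAL:
        required.add("immediate")
    if board_notification_required(inc):
        required.add("timely")
    return required


def meets_resumption_objective(disrupted_at: str, resumed_at: str,
                               objective_hours: float = 2.0) -> bool:
    """(viii)(B): critical operations resume no later than two hours after the
    disruptive event. Timestamps are ISO-8601 strings. A resumption time
    earlier than the event is rejected as a record-keeping or clock error."""
    elapsed = datetime.fromisoformat(resumed_at) - datetime.fromisoformat(disrupted_at)
    return timedelta(0) <= elapsed <= timedelta(hours=objective_hours)


if __name__ == "__main__":
    # Constructed scenario: a vulnerability that could expose a critical
    # system, with no disruption yet. The Board must be told immediately;
    # participants get a timely, not an immediate, notification.
    vuln = Incident(entry_vulnerability=True, affects_critical_ops=True)
    print(board_notification_required(vuln), participant_notifications(vuln))
    # Constructed scenario: recovery at 10:45 after a 09:00 event is inside
    # the two-hour objective; 11:30 is not.
    print(meets_resumption_objective("2024-03-15T09:00:00", "2024-03-15T10:45:00"),
          meets_resumption_objective("2024-03-15T09:00:00", "2024-03-15T11:30:00"))
```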

    By order of the Board of Governors of the Federal Reserve 
System.
Ann E. Misback,
Secretary of the Board.
[FR Doc. 2024-05322 Filed 3-14-24; 8:45 am]
BILLING CODE 6210-01-P