Self-Regulatory Organizations; The Depository Trust Company; National Securities Clearing Corporation; Fixed Income Clearing Corporation; Order Approving Proposed Rule Changes To Adopt the Clearing Agency Operational Risk Management Framework, 46332-46335 [2017-21273]
Federal Register / Vol. 82, No. 191 / Wednesday, October 4, 2017 / Notices
rising interest rates. Applicant states that this projection also reflects anticipated increases in its holdings of investment securities should the Commission grant the requested Order; however, Applicant does not anticipate that its interest income from investment securities would ever represent other than a small amount as compared to its total revenues. Applicant further states that its projected increase in interest income will not result in any material increase in net income for Applicant because (a) it passes through to its Members substantially all of its earnings on Clearing Fund cash and (b) its earnings on CP Program proceeds are substantially offset by its interest expense on the commercial paper notes and extendible notes that are issued to holders.

5. Applicant asserts that its historical development, its public representations of policy, the activities of its officers and directors and its sources of revenue, as discussed in the application, demonstrate that it is engaged primarily in the business of providing clearing, settlement, risk management, CCP and ancillary services to its Members, and not in an investment business. Applicant thus asserts that it satisfies the criteria for issuing an order under Section 3(b)(2) of the Act.

For the Commission, by the Division of Investment Management, under delegated authority.

Eduardo A. Aleman,
Assistant Secretary.

[FR Doc. 2017–21282 Filed 10–3–17; 8:45 am]

BILLING CODE 8011–01–P
SECURITIES AND EXCHANGE COMMISSION

[Release No. 34–81745; File Nos. SR–DTC–2017–014; SR–NSCC–2017–013; SR–FICC–2017–017]

Self-Regulatory Organizations; The Depository Trust Company; National Securities Clearing Corporation; Fixed Income Clearing Corporation; Order Approving Proposed Rule Changes To Adopt the Clearing Agency Operational Risk Management Framework

September 28, 2017.
I. Introduction

On July 25, 2017, The Depository Trust Company (“DTC”), Fixed Income Clearing Corporation (“FICC”), and National Securities Clearing Corporation (“NSCC,” each a “Clearing Agency,” and collectively with DTC and FICC, the “Clearing Agencies”), filed with the Securities and Exchange Commission (“Commission”) proposed rule changes SR–DTC–2017–014, SR–NSCC–2017–013, and SR–FICC–2017–017, respectively, pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”)\1\ and Rule 19b–4 thereunder.\2\ The proposed rule changes were published for comment in the Federal Register on August 14, 2017.\3\ The Commission did not receive any comment letters on the proposed rule changes. For the reasons discussed below, the Commission approves the proposed rule changes.
II. Description of the Proposed Rule Changes

The proposed rule changes would adopt the Clearing Agency Operational Risk Management Framework (“Framework”) of the Clearing Agencies, as described below.

A. Overview of the Framework

The Framework would describe how each Clearing Agency manages operational risk. Operational risk is defined by the Clearing Agencies in the Framework as the risk of direct or indirect loss or reputational harm resulting from an event, internal or external, that is the result of inadequate or failed processes, people, and systems (“Operational Risk”).\4\ More specifically, the Framework would describe how the Clearing Agencies (i) manage Operational Risk; (ii) manage their information technology risks; and (iii) manage their business continuity risks.\5\ The DTCC Operational Risk Management group (“ORM”) would maintain the Framework, on behalf of the Clearing Agencies.\6\
B. Operational Risk Management

The Framework would describe how ORM is charged with establishing appropriate systems, policies, procedures, and controls to enable the Clearing Agencies to identify plausible sources of Operational Risk.\7\ Specifically, the Framework would describe how the Clearing Agencies identify key risks, including Operational Risk, and set metrics to categorize such risks (e.g., from “no impact” to “severe impact”) through “Risk Tolerance Statements.”\8\ The Framework would describe how the Risk Tolerance Statements identify the overall risk reduction or mitigation objectives of the Clearing Agencies, with respect to identified risks to the Clearing Agencies.\9\ The Framework would also explain how the Risk Tolerance Statements document the risk controls and other measures the Clearing Agencies would use to manage such identified risks (including escalation requirements in the event of risk metric breaches). The Framework would state that ORM would annually review, revise, update, and/or create, as necessary, each Risk Tolerance Statement.\10\

The Framework would also describe how the Clearing Agencies monitor key risks, including Operational Risk, through “Risk Profiles.”\11\ The Framework would state that “Risk Profiles” identify how risk is assessed for each of the Clearing Agencies’ businesses and support areas (each a “Clearing Agency Business” and/or “Clearing Agency Support Area”).\12\ The Framework would explain that the risk assessment documented in these profiles includes (1) assessment of inherent risk (i.e., risk without any mitigating controls); (2) evaluation of existing controls and, as appropriate, any new additional controls, as well as the evaluation of the same risk against the strength of such controls; and (3) identification of any residual risk and a determination to either further mitigate such risk or accept such risk by the applicable Clearing Agency Business or Clearing Agency Support Area.\13\
The Framework would then describe generally the responsibilities of ORM, which is part of the second line of defense within the Clearing Agencies’ “Three Lines of Defense” approach to risk management.\14\ The Framework would identify ORM responsibilities including, but not limited to, management of the Risk Tolerance Statements, and working with the Clearing Agency Businesses and Clearing Agency Support Areas to create and monitor Risk Profiles.\15\

---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b–4.
\3\ Securities Exchange Act Release No. 81338 (August 8, 2017), 82 FR 36049 (August 14, 2017) (SR–DTC–2017–014, SR–NSCC–2017–013, SR–FICC–2017–017) (“Notice”).
\4\ Notice, 82 FR at 37943.
\5\ Id.
\6\ Id. The parent company of the Clearing Agencies is The Depository Trust & Clearing Corporation (“DTCC”). DTCC operates on a shared services model with respect to the Clearing Agencies. Most corporate functions are established and managed on an enterprise-wide basis pursuant to intercompany agreements under which it is generally DTCC that provides a relevant service to a Clearing Agency.
\7\ Notice, 82 FR at 37943.
\8\ Id.
\9\ Id.
\10\ Id.
\11\ Id.
\12\ Id.
\13\ Id.
\14\ Id. The Three Lines of Defense approach to risk management identifies the roles and responsibilities of different Clearing Agency Businesses or Clearing Agency Support Areas in identifying, assessing, measuring, monitoring, mitigating, and reporting certain key risks faced by the Clearing Agencies. The Three Lines of Defense approach is more fully described in a separate framework, the Clearing Agency Risk Management Framework. See Securities Exchange Act Release No. 81635 (September 15, 2017), 82 FR 44224 (September 21, 2017) (SR–DTC–2017–013, SR–NSCC–2017–012, SR–FICC–2017–016).
---------------------------------------------------------------------------
C. Information Technology Risks

The Framework would describe how the Clearing Agencies address information technology risks.\16\ The Framework would state that the DTCC Technology Risk Management group (“TRM”), on behalf of the Clearing Agencies, is responsible for establishing appropriate programs, policies, procedures, and controls with respect to the Clearing Agencies’ information technology risks.\17\ The Framework would indicate that these responsibilities would help the respective Clearing Agency’s management to ensure that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity.\18\ The Framework would describe some of the recognized information technology standards that TRM may use to execute its responsibilities (as applicable).\19\

The Framework would also identify some of TRM’s responsibilities, including (1) performing risk assessments to, among other things, facilitate the determination of the Clearing Agencies’ investment and remediation priorities; (2) facilitating annual mandatory and periodic information security awareness, education, training, and communication to personnel of Clearing Agency Businesses and Clearing Agency Support Areas and relevant external parties; and (3) creating, implementing, and managing certain programs, including programs that (i) address information security throughout a system’s lifecycle, (ii) facilitate compliance with evolving and established regulatory rules and guidelines that govern protection of the information assets of the Clearing Agencies and their participants, (iii) identify, prioritize, and manage the level of cyber threats to the Clearing Agencies, and (iv) assure that access to Clearing Agency information assets is appropriately authorized and authenticated based on current business need.\20\

Additionally, the Framework would note that TRM’s risk strategy is closely aligned to the Clearing Agencies’ business drivers and future strategic direction.\21\ The Framework would state that such risk strategy allows the Clearing Agencies to achieve information security threat mitigation objectives, resiliency of infrastructure supporting Clearing Agency critical business applications, and operational reliability.\22\ The Framework would also describe how TRM’s early and consistent involvement in initiatives to develop new products and systems establishes this priority.\23\ The Framework would state that TRM is involved from the initial planning phase through the design, build, and operative phases of those initiatives, to address certain requirements.\24\ The Framework would then explain that TRM’s involvement specifically addresses effectiveness, reliability, and availability requirements of those initiatives, incorporating those requirements into the initiatives’ design and execution (from both a technology and cyber security perspective).\25\

The Framework would next describe the Clearing Agencies’ security strategy and defense, stating that the Clearing Agencies’ network security framework and preventive controls are designed to support a reliable and robust tiered security strategy and defense.\26\ The Framework would state that these controls include modern and technically advanced security firewalls, intrusion detection, system and data monitoring, and data protection tools.\27\ The Framework would also describe the Clearing Agencies’ enhanced security features and the standards they use to assess vulnerabilities and potential threats.\28\
D. Business Continuity Risks

Finally, the Framework would describe how the Clearing Agencies establish and maintain business continuity plans to address events that may pose significant business continuity risks (i.e., disruption of Clearing Agency operations).\29\ The Framework would identify how the business continuity process for each Clearing Agency Business and Clearing Agency Support Area is ranked by the significance of a possible disruption to its operation.\30\ The Framework would explain that these rankings fall within a range of tiers, from 0 to 5, based on criticality to each applicable Clearing Agency’s operations (each a “Tier”), where Tier 0 equates to critical operations or support of such operations for which virtually no downtime is permitted under applicable regulatory standards, and Tier 5 equates to nonessential operations or support of such operations for which recovery times of greater than five days are permitted.\31\

---------------------------------------------------------------------------
\21\ Id.
\22\ Notice, 82 FR at 37943–44.
\23\ Notice, 82 FR at 37944.
---------------------------------------------------------------------------
The Framework would state that each Clearing Agency Business and Clearing Agency Support Area annually updates its own business continuity plan, as well as reviews and ratifies its business impact analysis.\32\ The Framework would describe that the DTCC Business Continuity Management department (“BCM”) uses that analysis, on behalf of the Clearing Agencies, to validate the Business’ or Support Area’s current Tier ranking, described above.\33\ The Framework would identify the key elements of the business impact analysis, including (1) an assessment of the criticality of the applicable Clearing Agency Business or Clearing Agency Support Area, based on potential impact to the Clearing Agency; (2) an estimation of the maximum allowable downtime for the applicable Clearing Agency Business or Clearing Agency Support Area; and (3) the identification of dependencies, and the ranking of such dependencies to align with the criticality of the applicable Clearing Agency Business’s, or Clearing Agency Support Area’s, recovery.\34\
The Framework would describe the Clearing Agencies’ multiple data centers, and the emergency monitoring and back-up systems available at each site.\35\ The Framework would explain the capacity of the various data centers (including emergency monitoring and back-up systems).\36\ The Framework would also describe how the Clearing Agencies’ operating centers (which may include data centers) assist in recovery efforts, and explain how each Clearing Agency Business and Clearing Agency Support Area creates and deploys its own work-area recovery strategy to mitigate the loss of primary workspace and/or associated desktop technology, as well as for purposes of appropriately locating personnel.\37\ The Framework would further indicate how each work-area recovery strategy is developed and executed (based on the applicable Clearing Agency Business’ and Clearing Agency Support Area’s current Tier ranking, as described above).\38\

---------------------------------------------------------------------------
\15\ Notice, 82 FR at 37943.
\16\ Id.
\17\ Id.
\18\ Id.
\19\ Id.
\20\ Id.
\24\ Id.
\25\ Id.
\26\ Id.
\27\ Id.
\28\ Id.
\29\ Id.
\30\ Id.
\31\ Id.
\32\ Id.
\33\ Id.
\34\ Id.
\35\ Id.
\36\ Id.
\37\ Id.
---------------------------------------------------------------------------
The Framework would describe the responsibilities of BCM in managing a disruptive business event.\39\ The Framework would state that managing a disruptive business event would include coordination with a team of representatives from each Clearing Agency Business and Clearing Agency Support Area.\40\ Finally, the Framework would describe how the Clearing Agencies conduct regular exercises used to simulate loss of Clearing Agency locations, and would describe some of the preventive measures the Clearing Agencies take with respect to business continuity risk management.\41\
III. Discussion and Commission Findings

Section 19(b)(2)(C) of the Act directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and rules and regulations thereunder applicable to such organization.\42\ After carefully considering the proposed rule changes, the Commission finds that the proposed rule changes are consistent with the requirements of the Act and the rules and regulations thereunder applicable to the Clearing Agencies. Specifically, the Commission finds that the proposed rule changes are consistent with Section 17A(b)(3)(F) of the Act\43\ and Rules 17Ad–22(e)(17)(i)–(iii) under the Act.\44\

A. Consistency With Section 17A(b)(3)(F) of the Act

Section 17A(b)(3)(F) of the Act requires, in part, that the rules of a registered clearing agency be designed to assure the safeguarding of securities and funds which are in the custody or control of the Clearing Agencies or for which they are responsible.\45\
As described above, the Framework would describe how the Clearing Agencies manage their Operational Risk. Specifically, the Framework would describe how the Clearing Agencies address their technology risks, information security risks, and their business continuity risks. The Framework would describe the processes, systems, and controls (as well as the supporting policies and procedures) used by the Clearing Agencies to identify, manage, and mitigate risks which threaten the Clearing Agencies’ ability to function.

By describing their Operational Risk practices in a clear and comprehensive manner, the Framework is designed to help the Clearing Agencies prevent and manage the risks that arise in, or are borne by, the Clearing Agencies. The Framework would explain how the Clearing Agencies identify and mitigate risks generally (through the Three Lines of Defense, Risk Tolerance Statements, and Risk Profiles), as well as how they specifically identify and mitigate information technology risk (through the TRM’s efforts) and business continuity risk (through data centers and operational centers). By better managing the risks that arise in or are borne by the Clearing Agencies through such risk mitigation practices, the Framework is designed to help reduce the possibility that a Clearing Agency fails. By better positioning the Clearing Agencies to continue their critical operations and services, and mitigating the risk of financial loss contagion caused by a Clearing Agency failure, the Framework is designed to help assure the safeguarding of securities and funds which are in the custody or control of the Clearing Agencies, or for which they are responsible. Accordingly, the Commission believes that the proposed rule changes are consistent with Section 17A(b)(3)(F) of the Act.\46\

---------------------------------------------------------------------------
\38\ Id.
\39\ Id.
\40\ Id.
\41\ Id.
\42\ 15 U.S.C. 78s(b)(2)(C).
\43\ 15 U.S.C. 78q–1(b)(3)(F).
\44\ 17 CFR 240.17Ad–22(e)(17)(i)–(iii).
\45\ 15 U.S.C. 78q–1(b)(3)(F).
---------------------------------------------------------------------------
B. Consistency With Rule 17Ad–22(e)(17)(i)

Rule 17Ad–22(e)(17)(i) under the Act requires, in part, that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency’s operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls.\47\

As described above, the Framework would describe how the Risk Tolerance Statements and the Risk Profiles assist the Clearing Agencies in identifying and mitigating the plausible sources of Operational Risk, both internal and external. As described above, the Framework explains how the Risk Tolerance Statements (i) identify both internal and external Clearing Agency risks; (ii) categorize the respective Clearing Agencies’ tolerance for those risks; and (iii) then identify the governance process applicable to any breach of those tolerances. In this way, the Risk Tolerance Statements are designed to help the Clearing Agencies to identify and manage the internal and external risks. As also described above, the Framework would describe how the Risk Profiles are designed to serve a similar function, by serving as a tool for identifying and assessing inherent risks, and evaluating the controls around those risks. The Framework also describes the role of ORM, which includes oversight of both the Risk Tolerance Statements and Risk Profiles.

By describing the functions of the Risk Tolerance Statements and Risk Profiles (which, together, are designed to (i) assist the Clearing Agencies in effectively managing their operational risks by identifying the plausible sources of operational risk, both internal and external, and (ii) assist the Clearing Agencies in mitigating the impact of those risks), and by describing the role of ORM in overseeing the Risk Tolerance Statements and Risk Profiles, the Commission believes the Framework is consistent with the requirements of Rule 17Ad–22(e)(17)(i).\48\
C. Consistency With Rule 17Ad–22(e)(17)(ii)

Rule 17Ad–22(e)(17)(ii) under the Act requires, in part, that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency’s operational risks by ensuring that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity.\49\

As noted above, the Framework would describe how the Clearing Agencies manage their Operational Risk. Specifically, the Framework would describe TRM’s role and responsibilities in managing the Clearing Agencies’ information technology risks. In particular, the Framework would identify TRM’s (i) programs, systems, and controls; (ii) information technology risk management standards; and (iii) continuous role in product and project initiatives to address security issues through the lifecycle of Clearing Agency initiatives.
The Framework thereby describes how TRM is designed to safeguard the integrity of the Clearing Agencies’ information technology, as well as the standards against which TRM’s safeguards would be evaluated. In this manner, the Framework is designed to ensure that the Clearing Agencies’ systems have a high degree of security, resiliency, and operational reliability. Furthermore, as the Framework indicates TRM’s early and continuous involvement in the Clearing Agencies’ initiatives, the Framework reveals how TRM would enable the Clearing Agencies to grow and evolve while accounting for technology and cyber security concerns, thereby ensuring the Clearing Agencies’ adequate and scalable capacity.

---------------------------------------------------------------------------
\46\ Id.
\47\ 17 CFR 240.17Ad–22(e)(17)(i).
\48\ Id.
\49\ 17 CFR 240.17Ad–22(e)(17)(ii).
---------------------------------------------------------------------------
Therefore, by describing TRM’s role and responsibilities in helping the Clearing Agencies maintain systems with a high degree of security, resiliency, operational reliability, and adequate, scalable capacity, the Commission believes the Framework is consistent with the requirements of Rule 17Ad–22(e)(17)(ii).\50\

D. Consistency With Rule 17Ad–22(e)(17)(iii)

Rule 17Ad–22(e)(17)(iii) under the Act requires, in part, that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency’s operational risks by establishing and maintaining a business continuity plan that addresses events posing a significant risk of disrupting operations.\51\

As described above, the Framework would describe how the Clearing Agencies establish and maintain business continuity plans. Specifically, the Framework would describe the critical features of the Clearing Agencies’ business continuity plans to demonstrate how they are designed to address events posing a significant risk of disrupting the Clearing Agencies’ operations. The Framework would also indicate how each Clearing Agency Business and Clearing Agency Support Area reviews and ratifies its respective plan and its business impact analysis, relative to its assigned Tier. Therefore, as the Framework describes how the Clearing Agencies establish and maintain their business continuity plans, which are designed to address events posing a significant risk of disrupting operations, the Commission believes that the Framework is consistent with the requirements of Rule 17Ad–22(e)(17)(iii).\52\

IV. Conclusion

On the basis of the foregoing, the Commission finds that the proposed rule changes are consistent with the requirements of the Act and in particular with the requirements of Section 17A of the Act\53\ and the rules and regulations thereunder.

It is therefore ordered, pursuant to Section 19(b)(2) of the Act, that proposed rule changes SR–DTC–2017–014, SR–NSCC–2017–013, and SR–FICC–2017–017 be, and hereby are, approved.\54\

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.\55\

Eduardo A. Aleman,
Assistant Secretary.

---------------------------------------------------------------------------
\50\ Id.
\51\ 17 CFR 240.17Ad–22(e)(17)(iii).
\52\ Id.
\53\ 15 U.S.C. 78q–1.
\54\ In approving the Proposed Rule Changes, the Commission considered the proposals’ impact on efficiency, competition and capital formation. 15 U.S.C. 78c(f).
\55\ 17 CFR 200.30–3(a)(12).
---------------------------------------------------------------------------

[FR Doc. 2017–21273 Filed 10–3–17; 8:45 am]

BILLING CODE 8011–01–P

SECURITIES AND EXCHANGE COMMISSION

[SECURITIES EXCHANGE ACT OF 1934 Release No. 81760/September 28, 2017: INVESTMENT COMPANY ACT OF 1940 Release No. 32842/September 28, 2017]

Exemptive Relief for Individuals and Entities Affected by Hurricanes Harvey, Irma or Maria

Order Under Section 15B, Section 17A and Section 36 of the Securities Exchange Act of 1934 Granting Exemptions From Specified Provisions of the Exchange Act and Certain Rules Thereunder

Order Under Section 6(c) and Section 38(a) of the Investment Company Act of 1940 Granting Exemptions From Specified Provisions of the Investment Company Act and Certain Rules Thereunder

In late August 2017, Hurricane Harvey caused catastrophic damage along the Texas and Louisiana coast; in early September 2017, Hurricane Irma caused catastrophic damage to the U.S. Virgin Islands, Puerto Rico and the Florida coast; and, in mid-September 2017, Hurricane Maria caused additional catastrophic damage to the U.S. Virgin Islands and Puerto Rico. The storms and subsequent flooding have displaced individuals and businesses and disrupted communications and transportation across the affected regions. We are issuing this Order to address the needs of companies and individuals with obligations under the federal securities laws who have been directly or indirectly affected by Hurricane Harvey, Hurricane Irma or Hurricane Maria and their respective aftermaths.
Section 15B(a)(4) of the Securities Exchange Act of 1934 (the “Exchange Act”) provides that the Securities and Exchange Commission (the “Commission”), by rule or order, upon its own motion or upon application, may conditionally or unconditionally exempt any broker, dealer, municipal securities dealer or municipal advisor, or class of brokers, dealers, municipal securities dealers, or municipal advisors from any provision of Section 15B or the rules or regulations thereunder, if the Commission finds that such exemption is consistent with the public interest, the protection of investors and the purposes of Section 15B.

Section 36 of the Exchange Act authorizes the Commission, by rule, regulation or order, to exempt, either conditionally or unconditionally, any person, security or transaction, or any class or classes of persons, securities or transactions, from any provision or provisions of the Exchange Act or any rule or regulation thereunder, to the extent that such exemption is necessary or appropriate in the public interest, and is consistent with the protection of investors.

Section 17A(c)(1) of the Exchange Act provides that the appropriate regulatory agency, by rule or by order, upon its own motion or upon application, may conditionally or unconditionally exempt any person or security or class of persons or securities from any provision of Section 17A or any rule or regulation prescribed under Section 17A, if the appropriate regulatory agency\1\ finds that such exemption is in the public interest and consistent with the protection of investors and the purposes of Section 17A, including the prompt and accurate clearance and settlement of securities transactions and the safeguarding of securities and funds. Section 17A(c)(1) also requires that the Commission not object to the use of exemptive authority in instances where an appropriate regulatory authority other than the Commission is providing exemptive relief.

Section 6(c) of the Investment Company Act of 1940 (the “Company Act”) provides that the Commission may conditionally or unconditionally exempt any person, security or transaction, or any class or classes of persons, securities or transactions, from any provision or provisions of the Company Act, or any rule or regulation thereunder, if and to the extent that such exemption is necessary or appropriate in the public interest and consistent with the protection of

---------------------------------------------------------------------------
\1\ Section 3(a)(34)(B) of the Exchange Act defines “appropriate regulatory authority.”
---------------------------------------------------------------------------
Support Area'').\12\ The Framework would explain that the risk
assessment documented in these profiles includes (1) assessment of
inherent risk (i.e., risk without any mitigating controls); (2)
evaluation of existing controls and, as appropriate, any new additional
controls, as well as the evaluation of the same risk against the
strength of such controls; and (3) identification of any residual risk
and a determination to either further mitigate such risk or accept such
risk by the applicable Clearing Agency Business or Clearing Agency
Support Area.\13\
---------------------------------------------------------------------------
\11\ Id.
\12\ Id.
\13\ Id.
---------------------------------------------------------------------------
The Framework would then describe generally the responsibilities of
ORM, which is part of the second line of defense within the Clearing
Agencies' ``Three Lines of Defense'' approach to risk management.\14\
The Framework would identify ORM responsibilities
[[Page 46333]]
including, but not limited to, management of the Risk Tolerance
Statements, and working with the Clearing Agency Businesses and
Clearing Agency Support Areas to create and monitor Risk Profiles.\15\
---------------------------------------------------------------------------
\14\ Id. The Three Lines of Defense approach to risk management
identifies the roles and responsibilities of different Clearing
Agency Businesses or Clearing Agency Support Areas in identifying,
assessing, measuring, monitoring, mitigating, and reporting certain
key risks faced by the Clearing Agencies. The Three Lines of Defense
approach is more fully described in a separate framework, the
Clearing Agency Risk Management Framework. See Securities Exchange
Act Release No. 81635 (September 15, 2017), 82 FR 44224 (September
21, 2017) (SR-DTC-2017-013, SR-NSCC-2017-012, SR-FICC-2017-016).
\15\ Notice, 82 FR at 37943.
---------------------------------------------------------------------------
C. Information Technology Risks
The Framework would describe how the Clearing Agencies address
information technology risks.\16\ The Framework would state that the
DTCC Technology Risk Management group (``TRM''), on behalf of the
Clearing Agencies, is responsible for establishing appropriate
programs, policies, procedures, and controls with respect to the
Clearing Agencies' information technology risks.\17\ The Framework
would indicate that these responsibilities would help each respective
Clearing Agency's management to ensure that systems have a high degree
of security, resiliency, operational reliability, and adequate,
scalable capacity.\18\ The Framework would describe some of the
recognized information technology standards that TRM may use to execute
its responsibilities (as applicable).\19\
---------------------------------------------------------------------------
\16\ Id.
\17\ Id.
\18\ Id.
\19\ Id.
---------------------------------------------------------------------------
The Framework would also identify some of TRM's responsibilities,
including (1) performing risk assessments to, among other things,
facilitate the determination of the Clearing Agencies' investment and
remediation priorities; (2) facilitating annual mandatory and periodic
information security awareness, education, training, and communication
to personnel of Clearing Agency Businesses and Clearing Agency Support
Areas and relevant external parties; and (3) creating, implementing,
and managing certain programs, including programs that (i) address
information security throughout a system's lifecycle, (ii) facilitate
compliance with evolving and established regulatory rules and
guidelines that govern protection of the information assets of the
Clearing Agencies and their participants, (iii) identify, prioritize,
and manage the level of cyber threats to the Clearing Agencies, and
(iv) assure that access to Clearing Agency information assets is
appropriately authorized and authenticated based on current business
need.\20\
---------------------------------------------------------------------------
\20\ Id.
---------------------------------------------------------------------------
Additionally, the Framework would note that TRM's risk strategy is
closely aligned to the Clearing Agencies' business drivers and future
strategic direction.\21\ The Framework would state that such risk
strategy allows the Clearing Agencies to achieve information security
threat mitigation objectives, resiliency of infrastructure supporting
Clearing Agency critical business applications, and operational
reliability.\22\ The Framework would also describe how TRM's early and
consistent involvement in initiatives to develop new products and
systems establishes this priority.\23\ The Framework would state that
TRM is involved from the initial planning phase through the design,
build, and operative phases of those initiatives, to address certain
requirements.\24\ The Framework would then explain that TRM's
involvement specifically addresses effectiveness, reliability, and
availability requirements of those initiatives, incorporating those
requirements into the initiatives' design and execution (from both a
technology and cyber security perspective).\25\
---------------------------------------------------------------------------
\21\ Id.
\22\ Notice, 82 FR at 37943-44.
\23\ Notice, 82 FR at 37944.
\24\ Id.
\25\ Id.
---------------------------------------------------------------------------
The Framework would next describe the Clearing Agencies' security
strategy and defense, stating that the Clearing Agencies' network
security framework and preventive controls are designed to support a
reliable and robust tiered security strategy and defense.\26\ The
Framework would state that these controls include modern and
technically advanced security firewalls, intrusion detection, system
and data monitoring, and data protection tools.\27\ The Framework would
also describe the Clearing Agencies' enhanced security features and the
standards they use to assess vulnerabilities and potential threats.\28\
---------------------------------------------------------------------------
\26\ Id.
\27\ Id.
\28\ Id.
---------------------------------------------------------------------------
D. Business Continuity Risks
Finally, the Framework would describe how the Clearing Agencies
establish and maintain business continuity plans to address events that
may pose significant business continuity risks (i.e., disruption of
Clearing Agency operations).\29\ The Framework would identify how the
business continuity process for each Clearing Agency Business and
Clearing Agency Support Area is ranked by the significance of a
possible disruption to its operation.\30\ The Framework would explain
that these rankings fall within a range of tiers, from 0 to 5, based on
criticality to each applicable Clearing Agency's operations (each a
``Tier''), where Tier 0 equates to critical operations or support of
such operations for which virtually no downtime is permitted under
applicable regulatory standards, and Tier 5 equates to non-essential
operations or support of such operations for which recovery times of
greater than five days are permitted.\31\
---------------------------------------------------------------------------
\29\ Id.
\30\ Id.
\31\ Id.
---------------------------------------------------------------------------
The Framework would state that each Clearing Agency Business and
Clearing Agency Support Area annually updates its own business
continuity plan, as well as reviews and ratifies its business impact
analysis.\32\ The Framework would describe that the DTCC Business
Continuity Management department (``BCM'') uses that analysis, on
behalf of the Clearing Agencies, to validate the Business' or Support
Area's current Tier ranking, described above.\33\ The Framework would
identify the key elements of the business impact analysis, including
(1) an assessment of the criticality of the applicable Clearing Agency
Business or Clearing Agency Support Area, based on potential impact to
the Clearing Agency; (2) an estimation of the maximum allowable
downtime for the applicable Clearing Agency Business or Clearing Agency
Support Area; and (3) the identification of dependencies, and the
ranking of such dependencies to align with the criticality of the
applicable Clearing Agency Business's, or Clearing Agency Support
Area's, recovery.\34\
---------------------------------------------------------------------------
\32\ Id.
\33\ Id.
\34\ Id.
---------------------------------------------------------------------------
The Framework would describe the Clearing Agencies' multiple data
centers, and the emergency monitoring and back-up systems available at
each site.\35\ The Framework would explain the capacity of the various
data centers (including emergency monitoring and back-up systems).\36\
The Framework would also describe how the Clearing Agencies' operating
centers (which may include data centers) assist in recovery efforts,
and explain how each Clearing Agency Business and Clearing Agency
Support Area creates and deploys its own work-area recovery strategy to
mitigate the loss of primary workspace and/or associated desktop
technology, as well as for purposes of appropriately locating
personnel.\37\ The Framework would further indicate how each work-area
recovery strategy is developed and
[[Page 46334]]
executed (based on the applicable Clearing Agency Business' and
Clearing Agency Support Area's current Tier ranking, as described
above).\38\
---------------------------------------------------------------------------
\35\ Id.
\36\ Id.
\37\ Id.
\38\ Id.
---------------------------------------------------------------------------
The Framework would describe the responsibilities of BCM in
managing a disruptive business event.\39\ The Framework would state
that managing a disruptive business event would include coordination
with a team of representatives from each Clearing Agency Business and
Clearing Agency Support Area.\40\ Finally, the Framework would describe
how the Clearing Agencies conduct regular exercises used to simulate
loss of Clearing Agency locations, and would describe some of the
preventive measures the Clearing Agencies take with respect to business
continuity risk management.\41\
---------------------------------------------------------------------------
\39\ Id.
\40\ Id.
\41\ Id.
---------------------------------------------------------------------------
III. Discussion and Commission Findings
Section 19(b)(2)(C) of the Act directs the Commission to approve a
proposed rule change of a self-regulatory organization if it finds that
such proposed rule change is consistent with the requirements of the
Act and rules and regulations thereunder applicable to such
organization.\42\ After carefully considering the proposed rule
changes, the Commission finds that the proposed rule changes are
consistent with the requirements of the Act and the rules and
regulations thereunder applicable to the Clearing Agencies.
Specifically, the Commission finds that the proposed rule changes are
consistent with Section 17A(b)(3)(F) of the Act \43\ and Rules 17Ad-
22(e)(17)(i)-(iii) under the Act.\44\
---------------------------------------------------------------------------
\42\ 15 U.S.C. 78s(b)(2)(C).
\43\ 15 U.S.C. 78q-1(b)(3)(F).
\44\ 17 CFR 240.17Ad-22(e)(17)(i)-(iii).
---------------------------------------------------------------------------
A. Consistency With Section 17A(b)(3)(F) of the Act
Section 17A(b)(3)(F) of the Act requires, in part, that the rules
of a registered clearing agency be designed to assure the safeguarding
of securities and funds which are in the custody or control of the
Clearing Agencies or for which they are responsible.\45\
---------------------------------------------------------------------------
\45\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
As described above, the Framework would describe how the Clearing
Agencies manage their Operational Risk. Specifically, the Framework
would describe how the Clearing Agencies address their technology
risks, information security risks, and their business continuity risks.
The Framework would describe the processes, systems, and controls (as
well as the supporting policies and procedures) used by the Clearing
Agencies to identify, manage, and mitigate risks which threaten the
Clearing Agencies' ability to function.
By describing their Operational Risk practices in a clear and
comprehensive manner, the Framework is designed to help the Clearing
Agencies prevent and manage the risks that arise in, or are borne by,
the Clearing Agencies. The Framework would explain how the Clearing
Agencies identify and mitigate risks generally (through the Three Lines
of Defense, Risk Tolerance Statements, and Risk Profiles), as well as
how they specifically identify and mitigate information technology risk
(through the TRM's efforts) and business continuity risk (through data
centers and operational centers). By better managing the risks that
arise in or are borne by the Clearing Agencies through such risk
mitigation practices, the Framework is designed to help reduce the
possibility that a Clearing Agency fails. By better positioning the
Clearing Agencies to continue their critical operations and services,
and mitigating the risk of financial loss contagion caused by a
Clearing Agency failure, the Framework is designed to help assure the
safeguarding of securities and funds which are in the custody or
control of the Clearing Agencies, or for which they are responsible.
Accordingly, the Commission believes that the proposed rule changes are
consistent with Section 17A(b)(3)(F) of the Act.\46\
---------------------------------------------------------------------------
\46\ Id.
---------------------------------------------------------------------------
B. Consistency With Rule 17Ad-22(e)(17)(i)
Rule 17Ad-22(e)(17)(i) under the Act requires, in part, that each
covered clearing agency establish, implement, maintain and enforce
written policies and procedures reasonably designed to manage the
covered clearing agency's operational risks by identifying the
plausible sources of operational risk, both internal and external, and
mitigating their impact through the use of appropriate systems,
policies, procedures, and controls.\47\
---------------------------------------------------------------------------
\47\ 17 CFR 240.17Ad-22(e)(17)(i).
---------------------------------------------------------------------------
As described above, the Framework would describe how the Risk
Tolerance Statements and the Risk Profiles assist the Clearing Agencies
in identifying and mitigating the plausible sources of Operational
Risk, both internal and external. As described above, the Framework
explains how the Risk Tolerance Statements (i) identify both internal
and external Clearing Agency risks; (ii) categorize the respective
Clearing Agencies' tolerance for those risks; and (iii) then identify
the governance process applicable to any breach of those tolerances. In this way, the
Risk Tolerance Statements are designed to help the Clearing Agencies to
identify and manage the internal and external risks. As also described
above, the Framework would describe how the Risk Profiles are designed
to serve a similar function, by serving as a tool for identifying and
assessing inherent risks, and evaluating the controls around those
risks. The Framework also describes the role of ORM, which includes
oversight of both the Risk Tolerance Statements and Risk Profiles.
By describing the functions of the Risk Tolerance Statements and
Risk Profiles (which, together, are designed to (i) assist the
Clearing Agencies in effectively managing their operational risks by
identifying the plausible sources of operational risk, both internal
and external, and (ii) assist the Clearing Agencies in mitigating the
impact of those risks), and by describing the role of ORM in overseeing
the Risk Tolerance Statements and Risk Profiles, the Commission
believes the Framework is consistent with the requirements of Rule
17Ad-22(e)(17)(i).\48\
---------------------------------------------------------------------------
\48\ Id.
---------------------------------------------------------------------------
C. Consistency With Rule 17Ad-22(e)(17)(ii)
Rule 17Ad-22(e)(17)(ii) under the Act requires, in part, that each
covered clearing agency establish, implement, maintain and enforce
written policies and procedures reasonably designed to manage the
covered clearing agency's operational risks by ensuring that systems
have a high degree of security, resiliency, operational reliability,
and adequate, scalable capacity.\49\
---------------------------------------------------------------------------
\49\ 17 CFR 240.17Ad-22(e)(17)(ii).
---------------------------------------------------------------------------
As noted above, the Framework would describe how the Clearing
Agencies manage their Operational Risk. Specifically, the Framework
would describe TRM's role and responsibilities in managing the Clearing
Agencies' information technology risks. In particular, the Framework
would identify TRM's (i) programs, systems, and controls; (ii)
information technology risk management standards; and (iii) continuous
role in product and project initiatives to address security issues
through the lifecycle of Clearing Agency initiatives.
The Framework thereby describes how TRM is designed to safeguard
the integrity of the Clearing Agencies' information technology, as well
as the standards against which TRM's safeguards would be evaluated. In
this manner, the Framework is designed to
[[Page 46335]]
ensure that the Clearing Agencies' systems have a high degree of
security, resiliency, and operational reliability. Furthermore, as the
Framework indicates TRM's early and continuous involvement in the
Clearing Agencies' initiatives, the Framework reveals how TRM would
enable the Clearing Agencies to grow and evolve while accounting for
technology and cyber security concerns, thereby ensuring the Clearing
Agencies' adequate and scalable capacity.
Therefore, by describing TRM's role and responsibilities in helping
the Clearing Agencies maintain systems with a high degree of security,
resiliency, operational reliability, and adequate, scalable capacity,
the Commission believes the Framework is consistent with the
requirements of Rule 17Ad-22(e)(17)(ii).\50\
---------------------------------------------------------------------------
\50\ Id.
---------------------------------------------------------------------------
D. Consistency With Rule 17Ad-22(e)(17)(iii)
Rule 17Ad-22(e)(17)(iii) under the Act requires, in part, that each
covered clearing agency establish, implement, maintain and enforce
written policies and procedures reasonably designed to manage the
covered clearing agency's operational risks by establishing and
maintaining a business continuity plan that addresses events posing a
significant risk of disrupting operations.\51\
---------------------------------------------------------------------------
\51\ 17 CFR 240.17Ad-22(e)(17)(iii).
---------------------------------------------------------------------------
As described above, the Framework would describe how the Clearing
Agencies establish and maintain business continuity plans.
Specifically, the Framework would describe the critical features of the
Clearing Agencies' business continuity plans to demonstrate how they
are designed to address events posing a significant risk of disrupting
the Clearing Agencies' operations. The Framework would also indicate
how each Clearing Agency Business and Clearing Agency Support Area
reviews and ratifies its respective plan and its business impact
analysis, relative to its assigned Tier. Therefore, as the Framework
describes how the Clearing Agencies establish and maintain their
business continuity plans, which are designed to address events posing
a significant risk of disrupting operations, the Commission believes
that the Framework is consistent with the requirements of Rule 17Ad-
22(e)(17)(iii).\52\
---------------------------------------------------------------------------
\52\ Id.
---------------------------------------------------------------------------
IV. Conclusion
On the basis of the foregoing, the Commission finds that the
proposed rule changes are consistent with the requirements of the Act
and in particular with the requirements of Section 17A of the Act \53\
and the rules and regulations thereunder.
---------------------------------------------------------------------------
\53\ 15 U.S.C. 78q-1.
---------------------------------------------------------------------------
It is therefore ordered, pursuant to Section 19(b)(2) of the Act,
that proposed rule changes SR-DTC-2017-014, SR-NSCC-2017-013, and SR-
FICC-2017-017 be, and hereby are, approved.\54\
---------------------------------------------------------------------------
\54\ In approving the Proposed Rule Changes, the Commission
considered the proposals' impact on efficiency, competition and
capital formation. 15 U.S.C. 78c(f).
---------------------------------------------------------------------------
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\55\
---------------------------------------------------------------------------
\55\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
Eduardo A. Aleman,
Assistant Secretary.
[FR Doc. 2017-21273 Filed 10-3-17; 8:45 am]
BILLING CODE 8011-01-P