Self-Regulatory Organizations; The Options Clearing Corporation; Order Approving Proposed Rule Change Related to a Comprehensive Risk Management Framework, 58662-58667 [2017-26822]

Agencies

• SECURITIES AND EXCHANGE COMMISSION

[Federal Register Volume 82, Number 238 (Wednesday, December 13, 2017)]
[Notices]
[Pages 58662-58667]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-26822]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-82232; File No. SR-OCC-2017-005]


Self-Regulatory Organizations; The Options Clearing Corporation; 
Order Approving Proposed Rule Change Related to a Comprehensive Risk 
Management Framework

December 7, 2017.
    On October 10, 2017, The Options Clearing Corporation (``OCC'') 
filed with the Securities and Exchange Commission (``Commission'') the 
proposed rule change SR-OCC-2017-005 pursuant to Section 19(b)(1) of 
the Securities Exchange Act of 1934 (``Act''),\1\ and Rule 19b-4 
thereunder.\2\ The proposed rule change was published for comment in 
the Federal Register on October 25, 2017.\3\ The Commission did not 
receive any comment letters on the proposed rule change. For the 
reasons discussed below, this order approves the proposed rule change.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Securities Exchange Act Release No. 34-81909 (Oct. 19, 
2017), 82 FR 49456 (Oct. 25, 2017) (File No. SR-OCC-2017-005) 
(``Notice'').
---------------------------------------------------------------------------

I. Description of the Proposed Rule Change \4\
---------------------------------------------------------------------------

    \4\ The subsequent description of the proposed rule change is 
substantially excerpted from OCC's description in the Notice. See 
Notice, 82 FR at 49456-49461.
---------------------------------------------------------------------------

    OCC proposes to adopt a new Risk Management Framework (``RMF'') 
document. The purpose of the RMF is to describe OCC's framework for 
comprehensive risk management, including OCC's framework to identify, 
measure, monitor, and manage all risks faced by OCC in the provision of 
clearing, settlement, and risk management services. More specifically, 
the RMF would establish the context for OCC's risk management 
framework, outline OCC's risk management philosophy, describe OCC's 
Risk Appetite Framework and use of Risk Tolerances,\5\ describe the 
governance arrangements that implement risk management, outline OCC's 
identification of Key Risks,\6\ and describe OCC's program for 
enterprise-wide risk management, including the ``three lines of 
defense'' structure (discussed below), and describe OCC's approach to 
risk monitoring, assessment, and reporting. As a single risk management 
framework addressing risks across all facets of OCC's business, OCC 
believes that the RMF would foster its compliance with the requirements 
of the CCA rules,\7\ and in particular the requirement of Rule 17Ad-
22(e)(3) \8\ that it maintain a sound framework for comprehensively 
managing risks.
---------------------------------------------------------------------------

    \5\ Under the proposed RMF, ``Risk Tolerances'' would be defined 
as the application of risk appetite to a specific sub-category or 
aspect of a Key Risk, typically in quantitative form, used to set an 
acceptable level of risk.
    \6\ OCC's Key Risks are described below in the discussion 
covering OCC's identification of its material risks.
    \7\ On September 28, 2016, the Commission adopted amendments to 
Exchange Act Rule 17Ad-22 and added new Exchange Act Rule 17Ab2-2 
pursuant to Section 17A of the Act and the Payment, Clearing and 
Settlement Supervision Act of 2010 (``Clearing Supervision Act'') to 
establish enhanced standards for the operation and governance of 
those clearing agencies registered with the Commission that meet the 
definition of a ``covered clearing agency,'' as defined by Exchange 
Act Rule 17Ad-22(a)(5) (collectively, the new and amended rules are 
herein referred to as the ``CCA rules'').
    \8\ 17 CFR 240.17Ad-22(e)(3).
---------------------------------------------------------------------------

A. Context of OCC's Risk Management Framework

    The RMF would begin by establishing the context for OCC's risk 
management framework. More specifically, OCC is a Systemically 
Important Financial Market Utility (``SIFMU'') \9\ that serves a 
critical role in financial markets as the sole central counterparty 
(``CCP'') that provides clearance and settlement services for U.S. 
listed options and guarantees the obligations associated with the 
contracts that it clears. OCC acknowledges its role as a SIFMU in 
promoting financial stability for market participants, investors, and 
the economy and that it must therefore maintain a sound risk management 
framework for comprehensively managing the risks that it presents.
---------------------------------------------------------------------------

    \9\ The Financial Stability Oversight Council designated OCC a 
SIFMU on July 18, 2012 pursuant to the Clearing Supervision Act. See 
12 U.S.C. 5463.
---------------------------------------------------------------------------

B. OCC's Risk Management Philosophy

    OCC states that the proposed RMF would describe its risk management 
philosophy. As a SIFMU, OCC must be mindful of the public interest and 
its obligation to promote financial stability, reduce the potential for 
systemic contagion, and support the smooth functioning of the U.S. 
financial markets. Furthermore, as a CCP, OCC concentrates financial 
risks for the markets it serves by acting as the CCP for all of the 
transactions that it clears. As a result of this concentration, OCC's 
primary objective is to ensure that it properly manages the financial 
risks associated with functioning as a CCP, which primarily relate to 
potential clearing member default scenarios.
    As a CCP, OCC's daily operations, among other things, involve 
managing financial, operational, and business risks. In managing these 
risks, OCC's daily operations--which are guided by policies, 
procedures, and controls--are designed to ensure that financial 
exposures and service disruptions are within acceptable limits set by 
OCC as part of its Risk Appetite Framework (``RAF'') as described 
below.

C. Risk Appetite Framework

    The proposed RMF would describe OCC's RAF and use of Risk 
Tolerances. The purpose of the RAF is to establish OCC's overall 
approach to managing risks at the enterprise level in an effective and 
integrated fashion. The RAF establishes the level and types of Key 
Risks, described in further detail below, that OCC is willing and able 
to assume in accordance with OCC's mission as a SIFMU. Under the RAF, 
Risk Appetite Statements \10\ would be used to express OCC's judgment, 
for each of OCC's Key Risks, regarding the level of risk that OCC is 
willing to accept related to the provision of CCP services. These 
statements would be qualitative indications of appetite that set the 
tone for OCC's approach to risk taking, and are indicative of the level 
of resources or effort OCC puts forth to prevent or mitigate the impact 
of a Key Risk.
---------------------------------------------------------------------------

    \10\ Under the proposed RMF, ``Risk Appetite Statement'' would 
be defined as a statement that expresses OCC's judgment, for each of 
OCC's Key Risks, regarding the level of risk OCC is willing to 
accept related to the provision of CCP services.
---------------------------------------------------------------------------

    Under the RMF, Risk Appetite Statements would be set annually by 
each department associated with a Key Risk in cooperation with OCC's 
Enterprise Risk Management department (``ERM'') according to applicable 
procedures. OCC's risk appetite levels would be classified into four 
categories:
    1. No appetite: OCC is unwilling to deliberately accept any level 
of risk.
    2. Low appetite: OCC devotes significant resources to managing risk 
but may choose to accept certain risks

[[Page 58663]]

that do not materially affect core clearing and settlement because the 
level of resources that OCC would be required to put forth to mitigate 
the risks would be impractical.
    3. Moderate appetite: OCC is willing to engage in certain 
activities that pose risks because those activities may bring longer-
term efficiencies or result in business opportunities even though the 
activities or new businesses may pose new risks to OCC.
    4. High appetite: OCC is willing to implement a new high-risk 
process or business opportunity; however, it is unlikely OCC would 
apply this level of appetite to a Key Risk absent a compelling, urgent 
business need.
    Under the RMF, OCC's Board would have ultimate responsibility for 
reviewing and approving the Risk Appetite Statements in connection with 
each Key Risk on an annual basis upon recommendation of OCC's 
Management Committee.
    The Risk Appetite Statements would allow OCC to carefully calibrate 
the levels of risk it accepts for each of its Key Risks to be 
consistent with OCC's core mission of promoting financial stability in 
the markets it serves. Accordingly, the RAF helps to ensure that OCC 
has an effective and comprehensive framework for managing its Key Risks 
(e.g., legal, credit, liquidity, operational, general business, 
investment, custody, and other risks that arise in or are borne by 
OCC).\11\
---------------------------------------------------------------------------

    \11\ OCC's Key Risks are described below in the discussion 
covering OCC's identification of its material risks.
---------------------------------------------------------------------------

    In addition to Risk Appetite Statements, the RMF would require that 
OCC assign Risk Tolerances to the Key Risks contained within the RMF as 
approved by OCC's Board. While the Risk Appetite Statements would be 
more high-level and principles-based, Risk Tolerances would 
comparatively be more granular and represent the application of OCC's 
risk appetite to specific sub-categories or aspects of Key Risks. The 
purpose of the proposed Risk Tolerances is to help ensure that OCC sets 
acceptable levels of risk within those specified sub-categories of Key 
Risks. Risk Tolerances would be stated in either quantitative or 
qualitative terms, depending on the nature of the risk and OCC's 
ability to measure it.
    Under the RMF, each department would be required to establish Risk 
Tolerances at least annually for sub-categories of Key Risks that are 
within their relevant domains of responsibility and would be 
responsible for managing applicable risks within established tolerance 
levels. ERM staff would monitor Risk Tolerances through quantitative 
metrics, where applicable, and compile such monitoring in a report that 
the Chief Risk Officer shall present to OCC's Management Committee and 
Board (or a committee thereof) at least quarterly. In addition, the RMF 
would require that OCC's Board evaluate its Risk Tolerances at least 
annually, and more frequently if necessary as a result of changes to 
products, processes, market conventions or other changes to OCC's 
material risks.

D. Identification of Key Risks

    The proposed RMF would identify risks that could affect OCC's 
ability to perform services as expected, and the process for 
identifying such risks would take a broad view to include: (i) Direct 
financial and operational risks that may prevent the smooth functioning 
of CCP services; (ii) reputational risks that could undermine the 
perception of OCC as a sound pillar in the financial market; and (iii) 
the risks OCC faces from third parties, such as custodians and 
settlement banks, that are critical to the design and operation of 
OCC's infrastructure and risk management. OCC believes that identifying 
Key Risks in this manner would facilitate its ability to manage 
comprehensively the legal, credit, liquidity, operational, general 
business, investment, custody, and other risks that arise in or are 
borne by it. Based on this identification process, the RMF would define 
OCC's Key Risks as described below.
Financial Risk
    The RMF would indicate that financial risk encompasses many aspects 
of risk at OCC, including the risks that a Clearing Member will be 
unable to meet its obligations when due or that OCC will not maintain 
sufficient financial resources to cover exposures (i.e., credit risk), 
the risk that OCC will not maintain sufficient liquid resources to meet 
its same day and, where appropriate, intraday and multiday settlement 
of payment obligations (i.e., liquidity risk), the risk that OCC will 
incur losses on overnight investments (i.e., investment risk), and the 
risk that financial models are inaccurate (i.e., model risk).
    The proposed RMF would require OCC's credit risk management 
framework to encompass policies and procedures for maintaining 
sufficient prefunded resources in the form of margin and Clearing Fund 
deposits, accepting collateral from participants that is low-risk and 
high-quality, monitoring the creditworthiness and operational 
reliability of all counterparties, including participants, custodians, 
settlement banks, liquidity providers, and linked financial market 
utilities (``FMUs''), and maintaining a waterfall of resources to be 
used in the event of participant default and a process for replenishing 
resources.
    In addition, the RMF would require OCC's liquidity risk framework 
to encompass sizing liquidity resources to cover liquidity needs in the 
event of the default of the largest Clearing Member Group, forecasting 
daily settlement needs under normal market conditions, maintaining 
liquid resources in the form of cash and committed facilities, 
maintaining a contingency funding plan and periodically reviewing the 
size of liquidity resources, maintaining liquidity resources at 
creditworthy custodians and monitoring the financial and operational 
performance of financial institutions and committed liquidity 
facilities, and investing liquidity resources in safe overnight 
investments or at a Federal Reserve Bank.
    Moreover, the RMF would require OCC to address investment risks by 
maintaining an account at a Federal Reserve Bank, which bears no 
investment risk, and investing funds not held at the Federal Reserve 
Bank in high-quality liquid assets. The RMF would also require OCC to 
manage model risk through a model development program, independent 
model validation and strong governance arrangements for the approval of 
new models or models with material changes in accordance with relevant 
policies.
Operational Risk
    The RMF would define operational risk as the risk of disruptions in 
OCC's CCP services due to: (i) Deficiencies in internal controls, 
processes or information systems; (ii) human error or misconduct; or 
(iii) external events or intrusions. The definition of operational risk 
would also cover deficiencies related to information technology 
(``IT''), such as data security and IT systems reliability. To reflect 
the importance OCC assigns to managing IT risks, the RMF would also 
categorize IT risk as a separate Key Risk, discussed below.
    The RMF would also assert that OCC manages operational risks in 
number of ways, including that OCC: (i) Maintains an Enterprise Project 
Management Program that performs initial assessments of proposed 
projects and manages project execution, to help ensure that proper 
oversight exists during the initiation, planning, execution, and 
delivery of OCC corporate projects; (ii) maintains a Business 
Continuity Program to support

[[Page 58664]]

continuance of critical services in the event of a catastrophic loss of 
infrastructure and/or staff (including a Crisis Management Plan, which 
outlines OCC's processes for decision-making in crisis or emergency 
circumstances); (iii) maintains a comprehensive third-party risk 
management program which includes requirements for onboarding and 
ongoing monitoring of third-parties on which OCC relies (such as 
vendors, settlement banks and FMUs with linkages to OCC) performed by 
various areas of the organization, including National Operations, 
Collateral Services, Credit Risk, and ERM; (iv) provides training and 
development through its Human Resources Department to ensure staff 
maintains and develops the necessary knowledge and skills to perform 
their jobs; and (v) conducts training on business ethics and OCC's Code 
of Conduct.
Operational Risk--Information Technology
    The RMF also would address operational risks specifically related 
to IT as a distinct Key Risk. Operational risk related to IT would be 
defined as the risk that inadequate levels of system functionality, 
confidentiality, integrity, availability, capacity, or resiliency for 
systems that support core clearing, settlement, or risk management 
services or critical business functions results in disruptions in OCC 
services. In addition to the ways described above that OCC manages 
operational risks generally, the RMF would also provide that OCC 
manages IT operational risks by maintaining: (i) A Quality Standards 
Program, which includes targets that set performance standards for 
systems operations; (ii) a cybersecurity program; and (iii) a program 
to maintain system functionality and capacity.
Legal Risk
    The RMF would define legal risk as the risk that OCC's by-laws, 
rules, policies, and procedures do not provide for a well-founded, 
clear, transparent, and enforceable legal basis for each aspect of its 
activities in all relevant jurisdictions. The RMF would also provide 
that OCC manages legal risk by: (i) Maintaining rules, policies, and 
contracts that are consistent with applicable laws and regulations; and 
(ii) maintaining legal agreements that establish counterparty 
obligations regarding the material aspects of its clearing, settlement, 
and risk management services, including, but not limited to, settlement 
finality, vendor performance, exchange performance, options exercise, 
and cross-margining obligations.
General Business Risk
    The RMF would define general business risk as the risk of any 
potential impairment of OCC's financial condition due to declines in 
its revenue or growth in its expenses arising from OCC's administration 
and operation as a business enterprise (as opposed to a participant's 
default), resulting in expenses that exceed revenues and losses that 
must be charged against OCC's capital.
    The RMF would provide that OCC manages general business risk by: 
(i) Maintaining a target capital level of liquid net assets funded by 
equity equal to the greater of six-months' operating expenses or the 
amount sufficient to ensure a recovery or orderly wind-down of OCC's 
operations as set forth in OCC's recovery and wind-down plan, and a 
plan that provides for capital replenishment in the event of non-
default losses in excess of target capital; (ii) maintaining a 
corporate planning program to manage new business activity; and (iii) 
actively managing the public perception of OCC.

E. Risk Management Governance

    The RMF would describe the governance arrangements through which 
OCC implements its risk management philosophy. These governance 
arrangements would include the responsibilities of the Board, the 
Board's committees, and management in establishing and executing OCC's 
risk management framework. These responsibilities are described in 
further detail below.
    The RMF would provide that OCC's risk governance framework follows 
a hierarchical structure that begins with the Board, which has ultimate 
oversight responsibility for OCC's risk management activities. The 
Board performs an oversight role to help ensure that OCC is managed and 
operated in a manner consistent with OCC's regulatory responsibilities 
as a SIFMU providing clearance and settlement services. The Board also 
is responsible for helping ensure that OCC has governance arrangements 
that, among other things, prioritize the safety and efficiency of OCC 
through the proposed risk management framework. Moreover, under the 
RMF, the Board is responsible for overseeing OCC's risk management 
policies, procedures, and systems designed to identify, measure, 
monitor, and manage risks consistent within the Risk Appetite 
Statements and Risk Tolerances approved by the Board. The RMF also 
provides that the Board is responsible for overseeing and approving 
OCC's recovery and orderly wind-down plan (consistent with OCC's Board 
of Directors Charter).
    To carry out these responsibilities, the RMF would indicate that 
the Board has established Committees to assist in overseeing OCC's Key 
Risks. These Committees are: (i) The Audit Committee; (ii) the 
Compensation and Performance Committee; (iii) the Governance and 
Nominating Committee; (iv) the Risk Committee; and (v) the Technology 
Committee. The responsibilities of these committees to manage OCC's Key 
Risks are outlined in their respective committee charters.\12\
---------------------------------------------------------------------------

    \12\ OCC's Board and Board committee charters are available on 
OCC's public website: https://www.theocc.com/about/corporate-information/what-is-occ.jsp.
---------------------------------------------------------------------------

    The RMF would also provide that OCC's Management Committee is 
responsible for annually reviewing and approving the RMF--and the Risk 
Appetite Statements and Risk Tolerances established thereunder--and 
recommending further approval thereof to the Board. The Management 
Committee would also review reports related to metrics for assessing 
Risk Tolerances to determine whether OCC's Key Risks are behaving 
within established tolerances and take or recommend action as needed to 
return Key Risks to their appropriate levels and escalate exceptions to 
Risk Tolerances and Risk Appetite Statements to relevant Board 
committees. The Management Committee would also be permitted to 
establish working groups to assist it in the management of Key Risks.

F. Risk Management Practice

    The RMF would describe OCC's program for enterprise-wide risk 
management. The internal structures for risk management described in 
the proposed RMF are intended to follow programs generally accepted in 
the financial services industry, including the ``three lines of 
defense'' model (i.e., front-line employees, enterprise risk/compliance 
functions and internal audit) and a program for internal controls that 
includes risk assessment and reporting.
``Three Lines of Defense''
    To maintain a resilient risk management and internal control 
infrastructure, the RMF would formalize OCC's ``three lines of 
defense'' model, which allows OCC to manage its control infrastructure 
with clarity of ownership and accountability. The first line of defense 
consists of OCC's operational business units, including Financial Risk 
Management, National Operations, technology, legal, regulatory affairs 
and

[[Page 58665]]

corporate functions such as human resources, finance, accounting, and 
project management. The first line is responsible and accountable for 
designing, owning, and managing risks by maintaining policies, 
procedures, processes, and controls to manage relevant risks. The first 
line would also be responsible and accountable for internal controls 
and implementing corrective action to address control deficiencies.
    The first line is supported and monitored by the second line of 
defense, which consists of the ERM, Compliance, Security Services, and 
Model Validation Group functions. The second line is an oversight 
function and is responsible for designing, implementing and maintaining 
an enterprise-wide risk management and compliance program and tools to 
assess and manage risk at the enterprise level. The second line would 
also work with the first line to assess risks and establish policies 
and guidelines, and advise, monitor, and report on the first line's 
effectiveness at managing risk and maintaining and operating a 
resilient control infrastructure. The second line reports to OCC's 
Management Committee and Board (or committee thereof) on the first line 
of defense's effectiveness at managing risk and compliance and an 
assessment of whether OCC's services are being delivered within Risk 
Appetite Statements and Risk Tolerances.
    The third line of defense consists of OCC's internal audit 
function. The third line reports to the Audit Committee of the Board 
and is accountable for designing, implementing, and maintaining a 
comprehensive audit program that allows senior management and the Board 
to receive independent and objective assurance that the quality of 
OCC's risk management and internal control infrastructure is consistent 
with OCC's risk appetite and Risk Tolerances. The RMF also would 
require that OCC's Internal Audit department maintains a diverse and 
skilled team of professionals with a variety of business, technology, 
and audit skills, and perform all of its activities in compliance with 
the Institute of Internal Auditors' standards found in the 
International Professional Practices Framework.
    The ``three lines of defense'' model is designed to provide for a 
robust governance structure that distinguishes among the three lines 
involved in the effective and comprehensive management of risk at OCC: 
(i) The functions that own and manage risks; (ii) the functions that 
oversee and provide guidance on the management of risks; and (iii) and 
the functions that provide independent and objective assurance of the 
robustness and appropriateness of risk management and internal 
controls.
Risk Assessments
    In furtherance of the ``three lines of defense'' model, the RMF 
would provide for risk identification and assessment programs described 
below to identify, measure, and monitor current and emerging risks at 
OCC. Findings or recommendations that result from the assessments would 
be documented, monitored, and escalated through the appropriate 
governance according to applicable OCC policies and procedures.
    One such assessment--the Enterprise Risk Assessment--would be 
conducted by OCC's first line of defense in conjunction with ERM. The 
Enterprise Risk Assessment would analyze risks based on: (i) Inherent 
Risk; \13\ (ii) quality of risk management; and (iii) Residual Risk 
\14\ to provide OCC information on the quantity of risk in a certain 
functional area or business area, and provide a mechanism to prioritize 
risk mitigation activities. ERM would use analysis of Residual Risk in 
conjunction with metrics related to Risk Tolerances to develop a risk 
profile and determine whether a Key Risk is within appetite and provide 
OCC's Management Committee and Board (or committee thereof) information 
on the quantity of risk in a certain functional area or business area, 
which would provide a mechanism to prioritize risk mitigation 
activities.
---------------------------------------------------------------------------

    \13\ Under the RMF, ``Inherent Risk'' would be defined as the 
absolute level of risk exposure posed by a process or activity prior 
to the application of controls or other risk-mitigating factors.
    \14\ Under the RMF, ``Residual Risk'' would be defined as the 
level of risk exposure posed by a process or activity after the 
application of controls or other risk-mitigating factors.
---------------------------------------------------------------------------

    Another such assessment--the Scenario Analysis Program--would be a 
method for identifying risks that may not be otherwise captured in 
OCC's risk statements. ERM, in cooperation with the first line of 
defense, would design simulations of potential disruptions, and 
business unit staff would be able to identify risks that may not have 
been previously uncovered or identify weaknesses in current controls. 
ERM would include potential risks identified through the Scenario 
Analysis Program in its analysis of, and reporting on, the quantity of 
risk within a certain Key Risk and whether the Key Risk is within 
appetite.
    A third assessment--the IT Risk Assessment Program--would be 
conducted by OCC's Security Services department prior to the 
procurement, development, installation, and operation of IT services 
and systems. This assessment would be triggered by certain events that 
may affect the nature or level of IT risks OCC faces, such as 
evaluation or procurement of a new system or technology, changes in OCC 
business processes that affect current services and systems, and the 
emergence of new threats that subvert existing controls and that 
require a new technology mitigation. OCC would also conduct periodic 
assessments.
    A fourth assessment would be conducted by OCC's compliance function 
to identify and measure regulatory compliance risks. The assessment 
would also provide OCC's compliance function with a basis for 
prioritizing testing and training activities.
Risk Reporting
    Under the RMF, ERM would be responsible for completing a review and 
reporting process that provides OCC's Management Committee and Board 
(or committee thereof) with the information necessary to fulfill their 
obligations for risk management and oversight of risk management 
activities, respectively. This reporting would be designed to assist 
OCC's Management Committee and Board (or committee thereof) in 
understanding the most significant risks faced by OCC from a process 
perspective and determining whether Risk Tolerances are being managed 
in accordance with Risk Appetite Statements. On a quarterly basis, ERM 
would provide a risk report with a summary analysis of risk appetite 
and risk profile that includes analysis of Residual Risks from the 
Enterprise Risk Assessment program, reporting on Risk Tolerances and 
recommendations for prioritization of risk mitigation activities. The 
reporting process would indicate procedures for escalation in the event 
of a breach of Risk Tolerance.

G. Control Activities

    Under the RMF, the Compliance Department would be responsible for 
maintaining an inventory of all business processes and associated 
controls. OCC would also provide guides to assist staff in documenting 
their control activities in a consistent way and periodically conduct 
training on the importance of a strong risk and control environment. In 
addition, on at least an annual basis, the Compliance Department would 
be required to conduct training to assist OCC staff in understanding 
their respective responsibilities in implementing OCC's risk and 
control environment.

[[Page 58666]]

II. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act directs the Commission to approve a 
proposed rule change of a self-regulatory organization if it finds that 
such proposed rule change is consistent with the requirements of the 
Act and the rules and regulations thereunder applicable to such 
organization.\15\ After carefully considering the proposed rule change, 
the Commission finds that the proposed rule change is consistent with 
the requirements of the Act and the rules and regulations thereunder 
applicable to OCC. More specifically, the Commission finds that the 
proposal is consistent with Section 17A(b)(3)(F) of the Act \16\ and 
Rule 17Ad-22(e)(3) under the Act.\17\
---------------------------------------------------------------------------

    \15\ 15 U.S.C. 78s(b)(2)(C).
    \16\ 15 U.S.C. 78q-1(b)(3)(F).
    \17\ 17 CFR 240.17Ad-22(e)(3).
---------------------------------------------------------------------------

A. Consistency With Section 17A(b)(3)(F) of the Act

    Section 17A(b)(3)(F) of the Act requires that the rules of a 
registered clearing agency be designed to do, among other things, the 
following: (1) Promote the prompt and accurate clearance and settlement 
of securities transactions; (2) assure the safeguarding of securities 
and funds which are in the custody or control of the clearing agency or 
for which it is responsible; and (3) in general protect investors and 
the public interest.\18\
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    As described above, the RMF would address and clarify different 
ways OCC comprehensively manages Key Risks, which include legal, 
credit, liquidity, operational, general business, investment, custody, 
and other risks that arise in or are borne by OCC. For example, the RMF 
would describe OCCs overall framework for comprehensive risk 
management, including OCC's framework to identify, measure, monitor, 
and manage all risks faced by OCC in the provision of clearing, 
settlement, and risk management services. The RMF would also establish 
the context for OCC's risk management framework, outline OCC's risk 
management philosophy, describe OCC's Risk Appetite Framework and use 
of Risk Tolerances, describe the governance arrangements that implement 
risk management, outline OCC's identification of Key Risks, and 
describe OCC's program for enterprise-wide risk management, including 
the ``three lines of defense'' structure and OCC's approach to risk 
monitoring, assessment, and reporting.
    By providing these clarifications and adding transparency to OCC's 
risk management practices, the RMF is designed to help OCC be in a 
better position to identify, measure, monitor, and manage the various 
risks that may arise in or be borne by OCC. By better identifying, 
measuring, monitoring, and managing the risks that may arise in or be 
borne by OCC, the RMF is designed to help reduce the possibility that 
OCC fails in providing its critical operations and services to the 
financial markets. By better positioning OCC to continue its critical 
operations and services, and mitigating the risk of financial loss 
contagion caused by its failure, the RMF is designed to promote the 
prompt and accurate clearance and settlement of securities transactions 
and help assure the safeguarding of securities and funds which are in 
the custody or control of OCC, or for which OCC is responsible. As a 
result, the Commission finds that the proposed rule change, in general, 
protects investors and the public interest. Accordingly, the Commission 
believes that the proposed rule change is consistent with Section 
17A(b)(3)(F) of the Act.\19\
---------------------------------------------------------------------------

    \19\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

B. Consistency With Rule 17Ad-22(e)(3) of the Act

    Rule 17Ad-22(e)(3) under the Act requires, in part, that a covered 
clearing agency ``establish, implement, maintain and enforce written 
policies and procedures reasonably designed to . . . [m]aintain a sound 
risk management framework for comprehensively managing legal, credit, 
liquidity, operational, general business, investment, custody, and 
other risks that arise in or are borne by the covered clearing agency, 
which . . . [i]ncludes risk management policies, procedures, and 
systems designed to identify, measure, monitor, and manage the range of 
risks that arise in or are borne by the covered clearing agency, that 
are subject to review on a specified periodic basis and approved by the 
board of directors annually . . .'' \20\
---------------------------------------------------------------------------

    \20\ 17 CFR 240.17Ad-22(e)(3).
---------------------------------------------------------------------------

    As described above, the RMF describes OCC's comprehensive framework 
for identifying, measuring, monitoring, and managing the risks that 
arise within OCC or are borne by it, including legal, credit, 
liquidity, operational, general business, investment, and custody risk. 
For example, the RMF describes OCC's framework for identifying its Key 
Risks and the relevant policies that OCC maintains to address those 
risks.
    The RMF also describes OCC's RAF and use of Risk Appetite 
Statements and Risk Tolerances to help ensure that OCC sets appropriate 
levels and types of Key Risks that OCC is willing and able to assume in 
accordance with the performance of its critical role in the financial 
markets. For example, the use of Risk Appetite Statements helps ensure 
that OCC can carefully calibrate the levels of risk it accepts for each 
Key Risk in a manner consistent with OCC's core mission of promoting 
financial stability in the markets it serves. In addition, the use of 
Risk Tolerances helps ensure that OCC sets acceptable levels of risk 
within specified sub-categories of Key Risks, and that also may be used 
to set thresholds for acceptable variability in risk levels and to 
provide clear and transparent escalation triggers when the thresholds 
are breached.
    Moreover, the Commission believes the RMF would clarify the 
foundation of OCC's risk management practices by describing OCC's 
enterprise-wide risk management framework. This framework incorporates 
established principles employed across the financial services industry 
such as the ``three lines of defense'' model for enterprise-wide risk 
management to help ensure that OCC maintains and operates a resilient, 
effective, and reliable risk management and internal control 
infrastructure that assures risk management and processing outcomes 
expected by OCC stakeholders. This framework also describes how OCC's 
second line of defense monitors the risks that arise in or are borne by 
OCC through a variety of risk assessment, risk reporting, and internal 
control management activities. Finally, the RMF also states that the 
RMF and related documents are subject to annual board approval.
    For the above specified reasons, the Commission therefore believes 
that the proposed rule change: (i) Provides a variety of risk 
assessment, risk reporting, and internal control management activities; 
and (ii) provides for a sound, comprehensive framework for identifying, 
measuring, monitoring, and managing the range of risks that arise in or 
are borne by OCC. The Commission therefore finds that these changes are 
consistent with the requirements of Rule 17Ad-22(e)(3).

III. Conclusion

    On the basis of the foregoing, the Commission finds that the 
proposed change is consistent with the requirements of the Act, and in 
particular, with the requirements of

[[Page 58667]]

Section 17A of the Act \21\ and the rules and regulations thereunder.
---------------------------------------------------------------------------

    \21\ In approving this proposed rule change, the Commission has 
considered the proposed rule's impact on efficiency, competition, 
and capital formation. See 15 U.S.C. 78c(f).
---------------------------------------------------------------------------

    It is therefore ordered, pursuant to Section 19(b)(2) of the 
Act,\22\ that the proposed rule change (SR-OCC-2017-005) be, and it 
hereby is, approved.
---------------------------------------------------------------------------

    \22\ 15 U.S.C. 78s(b)(2).
    \23\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\23\

Eduardo A. Aleman,
Assistant Secretary.
[FR Doc. 2017-26822 Filed 12-12-17; 8:45 am]
BILLING CODE 8011-01-P