Self-Regulatory Organizations; The Depository Trust Company; Fixed Income Clearing Corporation; National Securities Clearing Corporation; Notice of Filings and Immediate Effectiveness of Proposed Rule Changes To Amend the Clearing Agency Operational Risk Management Framework, 81531-81534 [2020-27596]

Agencies

• SECURITIES AND EXCHANGE COMMISSION

[Federal Register Volume 85, Number 242 (Wednesday, December 16, 2020)]
[Notices]
[Pages 81531-81534]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-27596]



[[Page 81531]]

=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-90626; File Nos. SR-DTC-2020-015; SR-FICC-2020-016; SR-
NSCC-2020-019]


Self-Regulatory Organizations; The Depository Trust Company; 
Fixed Income Clearing Corporation; National Securities Clearing 
Corporation; Notice of Filings and Immediate Effectiveness of Proposed 
Rule Changes To Amend the Clearing Agency Operational Risk Management 
Framework

December 10, 2020.
    Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 
(``Act'') \1\ and Rule 19b-4 thereunder,\2\ notice is hereby given that 
on December 1, 2020, The Depository Trust Company (``DTC''), Fixed 
Income Clearing Corporation (``FICC''), and National Securities 
Clearing Corporation (``NSCC,'' and collectively, the ``Clearing 
Agencies'') filed with the Securities and Exchange Commission 
(``Commission'') the proposed rule changes as described in Items I, II 
and III below, which Items have been primarily prepared by the Clearing 
Agencies. The Clearing Agencies filed the proposed rule changes 
pursuant to Section 19(b)(3)(A) of the Act \3\ and Rule 19b-4(f)(3) 
thereunder.\4\ The Commission is publishing this notice to solicit 
comments on the proposed rule changes from interested persons.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ 15 U.S.C. 78s(b)(3)(A).
    \4\ 17 CFR 240.19b-4(f)(3).
---------------------------------------------------------------------------

I. Clearing Agencies' Statement of the Terms of Substance of the 
Proposed Rule Changes

    The proposed rule changes consist of amendments to the Clearing 
Agency Operational Risk Management Framework (``ORM Framework'' or 
``Framework'') of Clearing Agencies. Specifically, the proposed rule 
changes would (1) include a description of the Clearing Agencies' 
incident management procedures; (2) update the ORM Framework to reflect 
recent changes to group names and responsibilities, and other processes 
and matters described in the Framework; and (3) enhance the 
descriptions of certain matters within the ORM Framework to improve its 
clarity and comprehensiveness, as further described below.

II. Clearing Agencies' Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Changes

    In their filings with the Commission, the Clearing Agencies 
included statements concerning the purpose of and basis for the 
proposed rule changes and discussed any comments they received on the 
proposed rule changes. The text of these statements may be examined at 
the places specified in Item IV below. The Clearing Agencies have 
prepared summaries, set forth in sections A, B, and C below, of the 
most significant aspects of such statements.

(A) Clearing Agencies' Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Changes

1. Purpose
    The Clearing Agencies adopted the ORM Framework \5\ to provide an 
outline for how each of the Clearing Agencies manages its operational 
risks. In this way, the Framework supports the Clearing Agencies' 
compliance with Rules 17Ad-22(e)(17) of the Standards for Covered 
Clearing Agencies (``Standards'') under the Act,\6\ as described in the 
Initial Filing. In addition to setting forth the manner in which each 
of the Clearing Agencies addresses these requirements, the ORM 
Framework also contains a section titled ``Framework Ownership and 
Change Management'' that, among other matters, describes the Framework 
ownership and the required governance process for review and approval 
of changes to the Framework.
---------------------------------------------------------------------------

    \5\ See Securities Exchange Act Release No. 81745 (September 28, 
2017), 82 FR 46332 (October 4, 2017) (SR-DTC-2017-014; SR-NSCC-2017-
013; SR-FICC-2017-017) (``Initial Filing'').
    \6\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

    In connection with the annual review and approval of the Framework 
by the Boards of Directors of each of the Clearing Agencies (each a 
``Board'' and collectively, the ``Boards''), the Clearing Agencies are 
proposing to make certain revisions to the Framework.
    Such proposed changes would include a description of the Clearing 
Agencies' incident management procedures in connection with its 
information technology risk management. The proposed changes would also 
update the ORM Framework to reflect recent changes to group names and 
responsibilities, certain processes and other matters described in the 
Framework. Finally, the proposed changes would enhance the descriptions 
of certain matters within the ORM Framework to improve its clarity and 
comprehensiveness. Each of these proposed changes are further described 
below.
i. Proposed Amendments To Describe Incident Management Procedures
    First, the proposed changes would add a description of the Clearing 
Agencies' incident management procedures in Section 5 of the Framework, 
which currently describes information technology management. The 
Clearing Agencies currently follow these incident management 
procedures, which support the Clearing Agencies' compliance with the 
requirements of Rule 17Ad-22(e)(17)(i) and (ii) and define the actions 
that are taken following detection of systems incidents.\7\ The purpose 
of these procedures, as proposed to be described in Section 5 of the 
Framework, is to define the actions that are taken following the 
detection of systems incidents. Generally, these actions include 
identification and classification, investigation and diagnosis, and 
resolution and recovery of the incidents that affect the Clearing 
Agencies' systems.
---------------------------------------------------------------------------

    \7\ 17 CFR 240.17Ad-22(e)(17)(i) and (ii).
---------------------------------------------------------------------------

    The proposed change would be to include a description of these 
existing procedures in the Framework in connection with its description 
of information technology management. This proposed change would 
improve the Framework by including this important aspect of operational 
risk management and providing a more complete description of the 
Clearing Agencies' processes that support their compliance with the 
requirements of Rule 17Ad-22(e)(17)(i) and (ii).
ii. Proposed Amendments To Update the Framework
    Second, the proposed changes would update the ORM Framework to 
reflect recent developments with respect to the names and 
responsibilities of groups that take certain actions described in the 
Framework. The proposed changes would also reflect updates to processes 
and other matters described in the Framework, as described below. These 
proposed changes do not substantively impact how the Clearing Agencies 
manage operational risk in compliance with the requirements of Rule 
17Ad-22(e)(17).\8\
---------------------------------------------------------------------------

    \8\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

1. Proposed Change to the Name of Business Continuity Management
    Section 6 of the ORM Framework describes the Clearing Agencies' 
management of business continuity risk and the business continuity 
plans that

[[Page 81532]]

have been established and maintained by the Clearing Agencies in 
compliance with the requirements of Rule 17Ad-22(e)(17)(iii).\9\ The 
group responsible for these activities was previously called Business 
Continuity Management. While the role and responsibilities of this risk 
management function have not changed, its name has been changed to 
``Business Continuity & Resiliency'' to reflect an increased focus on 
strengthening the resiliency of the Clearing Agencies and the ability 
of their systems to sustain and recover from numerous incidents. The 
Framework would be updated to reflect the change to the name of this 
group.
---------------------------------------------------------------------------

    \9\ 17 CFR 240.17Ad-22(e)(17)(iii).
---------------------------------------------------------------------------

2. Proposed Change To Revise Description of Document Repository
    Section 4.1 of the ORM Framework describes Risk Tolerance 
Statements, which document the overall risk reduction or mitigation 
objectives for the Clearing Agencies with respect to identified risks 
to the Clearing Agencies. Risk Tolerance Statements also document the 
risk controls and other measures used to manage identified risks, 
including escalation requirements in the event of risk metric breaches. 
Currently, Section 4.1 states that Risk Tolerance Statements are 
located in the DTCC Enterprise Policy Repository.
    The name of the repository where all policies, procedures and 
related documents are maintained has changed. Therefore, the Clearing 
Agencies are proposing to update this Section of the Framework to refer 
generally to the central repository for all policies, procedures and 
related documents, rather than refer to the specific name of that 
central repository. This proposed change would allow the Framework to 
accurately describe where Risk Tolerance Statements are maintained, 
notwithstanding this recent, and any potential future, change to the 
name of that document management tool.
3. Proposed Change To Reflect Expansion of Operating Centers
    Section 6 of the ORM Framework, which describes business continuity 
risk management, currently includes a statement that the operating 
centers that support the Clearing Agencies are run from no fewer than 
three geographic regions in the United States. Since the ORM Framework 
was adopted the Clearing Agencies have expanded the geographic spread 
and diversity of their operating centers. In order to reflect this 
change, the ORM Framework would be updated to state that these 
operating centers are run from geographic regions globally (i.e., 
without the limitation that they are located in the United States).
iii. Proposed Amendments To Clarify and Enhance Descriptions in the 
Framework
    Finally, the proposed changes would enhance the descriptions of 
certain matters within the ORM Framework to improve its clarity and 
comprehensiveness, as described below.
1. Proposed Change To Describe Annual Approval of Framework by Boards
    Section 2 of the ORM Framework addresses the Framework's ownership 
and change management. This section currently states that the Framework 
should be reviewed by the document owner no less frequently than 
annually but does not specify the regulatory requirement that the 
Framework also be approved by the Boards on an annual basis. The 
Clearing Agencies are proposing to amend Section 2 of the Framework to 
include the requirement that the Framework be approved by the Boards, 
or a duly authorized committee of the Boards, annually.
    Rule 17Ad-22(e)(3) under the Act requires that the Clearing 
Agencies maintain a sound risk management framework for comprehensively 
managing the risks that arise in or are borne by the Clearing Agencies, 
including operational risks.\10\ Rule 17Ad-22(e)(3)(i) under the Act 
requires that the risk management policies, procedures, and systems 
that are maintained in compliance with Rule 17Ad-22(e)(3) be subject to 
review on a specified periodic basis and be approved by the Boards 
annually.\11\ As stated above, the Framework provides an outline for 
how each of the Clearing Agencies manage operational risks, as required 
by both Rules 17Ad-22(e)(3) and (17) under the Act.\12\ Therefore, the 
ORM Framework is reviewed and approved by the Boards annually, as 
required by Rule 17Ad-22(e)(3)(i) under the Act.\13\
---------------------------------------------------------------------------

    \10\ 17 CFR 240.17Ad-22(e)(3).
    \11\ 17 CFR 240.17Ad-22(e)(3)(i).
    \12\ 17 CFR 240.17Ad-22(e)(3), (17).
    \13\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

    The Clearing Agencies are proposing to amend Section 2 of the 
Framework to state that the Framework shall be approved by the Boards, 
or a duly authorized committee of the Boards, annually. The proposed 
change would enhance the comprehensiveness of the Framework to specify 
this requirement, which is aligned with the applicable requirements of 
Rule 17Ad-22(e)(3)(i) under the Act.\14\
---------------------------------------------------------------------------

    \14\ Id.
---------------------------------------------------------------------------

2. Proposed Change To Clarify Description of Risk Profiles
    Section 4.2 of the ORM Framework describes the Risk Profiles, which 
are tools used by the Operational Risk Management group within the 
Group Chief Risk Office of The Depository Trust & Clearing Corporation 
(``ORM'') \15\ to document risk assessments and consolidate pertinent 
operational risk and control data, including, without limitation, 
incidents, audit findings, compliance testing results, and risk 
metrics, to support an overall assessment of the applicable Clearing 
Agency Business' or Clearing Agency Support Area's inherent risk and 
residual risk. The Clearing Agencies are proposing changes to this 
Section to clarify and simplify the description of Risk Profiles.
---------------------------------------------------------------------------

    \15\ The parent company of the Clearing Agencies is The 
Depository Trust & Clearing Corporation (``DTCC''). DTCC operates on 
a shared services model with respect to the Clearing Agencies. Most 
corporate functions are established and managed on an enterprise-
wide basis pursuant to intercompany agreements under which it is 
generally DTCC that provides a relevant service to a Clearing 
Agency.
---------------------------------------------------------------------------

    First, the proposed changes would clarify that the assessments 
documented in Risk Profiles both (1) assess inherent risks, and (2) 
identify residual risks. The proposed changes would do this by revising 
the relevant sentence and by removing the current description of risk 
acceptance of residual risks, which is a process that is separate from 
the description of Risk Profiles. The proposed changes would focus the 
description on the two types of risks that are relevant to the Risk 
Profiles.
    Second, the proposed change would simplify the description of how 
the Risk Profiles are created by removing reference to ORM as the 
responsible group. Currently, both ORM and the Clearing Agency business 
and support areas are jointly responsible for the tasks related to 
creating and documenting Risk Profiles. Over time, the responsibility 
for these tasks has shifted away from ORM, and to the Clearing Agency 
business and support areas. The proposed changes would continue to 
identify the crucial tasks related to the creation and maintenance of 
Risk Profiles but would simplify this section of the Framework by 
removing reference to the division of responsibilities among these 
groups.
    Third, the proposed changes would clarify that Clearing Agency 
businesses and support areas are responsible for the day-to-day 
management of all risk applicable to their area. Currently, Section 4.2 
states that these groups are only responsible for the management of 
residual risks. The proposed change

[[Page 81533]]

would correct this statement and clarify these groups' 
responsibilities.
    Finally, the proposed changes would clarify that the Clearing 
Agency businesses and support areas are responsible for updating their 
policies and procedures to support risk management at the Clearing 
Agencies. Currently, the relevant sentence in Section 4.2 states that 
such policies and procedures support operational risk management at the 
Clearing Agencies. The proposed change would clarify the 
responsibilities of these groups and the role of policies and 
procedures in risk management.
3. Proposed Change To Clarify the Responsibilities of the ORM Group
    Section 4.3 of the ORM Framework describes the responsibilities of 
ORM. Currently, this Section states that this group is responsible for 
reviewing, revising and creating Risk Tolerance Statements. However, 
ORM is responsible for working with the businesses that own the 
relevant risks in reviewing, revising and creating Risk Tolerance 
Statements. Therefore, the proposed changes would clarify ORM's 
responsibilities with respect to Risk Tolerance Statements.
4. Proposed Changes To Clarify Description of Business Continuity Risk 
Management
    Section 6 of the ORM Framework describes how the Clearing Agencies 
manage business continuity risks. The Clearing Agencies are proposing 
changes to this section to clarify the description of business 
continuity risk management and to make this section more comprehensive.
    First, the proposed changes would include a reference to events 
that have the potential to disrupt the Clearing Agencies' businesses in 
a statement that refers generally to the types of events that could 
impact the Clearing Agencies. This update would make the statement more 
comprehensive by including events that are considered ``near-miss'' 
events, or events that did not have had an impact on the Clearing 
Agencies but had the potential of causing an impact on their 
businesses. This proposed change would align the description to current 
practice, by which the Clearing Agencies take into account ``near-
miss'' events in its risk management processes.
    Second, the proposed changes would update the description of the 
``tiers'' that are used to rank the criticality of the Clearing 
Agencies' businesses and support areas. The proposed changes would not 
impact the way these tiered rankings are applied and would align the 
description in the Framework to the current description in the Clearing 
Agencies' internal procedures. Among the updates to the description of 
the tiers, the proposed changes would include a clarifying statement 
that the Clearing Agencies' support areas are automatically assigned 
the same tier as the Clearing Agency business that they support, and 
would remove references to the Clearing Agency support areas in the 
description of the process that results in a group's tier.
    Finally, the proposed changes to Section 6 would clarify statements 
in connection with the creation of business impact analyses (``BIA''), 
which are used to assign each Clearing Agency business with a tier. The 
proposed changes would clarify, for example, that appropriate risk 
controls may be applied with respect to an applicable Clearing Agency 
business at any time, and not only during a business continuity event. 
The proposed changes would also clarify that the BIA identify product 
dependencies within an applicable Clearing Agency business. While the 
process for creating BIA has not changed, the proposed changes to 
Section 6 of the Framework would enhance the description of the process 
by making it clearer and more comprehensive.
2. Statutory Basis
    The Clearing Agencies believe that the proposed changes are 
consistent with Section 17A(b)(3)(F) of the Act \16\ and Rule 17Ad-
22(e)(3)(i), and (17)(i) and (ii) promulgated under the Act,\17\ for 
the reasons described below.
---------------------------------------------------------------------------

    \16\ 15 U.S.C. 78q-1(b)(3)(F).
    \17\ 17 CFR 240.17Ad-22(e)(17)(i) and (ii).
---------------------------------------------------------------------------

    The Clearing Agencies believe that the proposed changes are 
consistent with Section 17A(b)(3)(F) of the Act, which requires, in 
part, that the rules of a registered clearing agency be designed to 
promote the prompt and accurate clearance and settlement of securities 
transactions, and to assure the safeguarding of securities and funds 
which are in the custody or control of the clearing agency or for which 
it is responsible, for the reasons described below.\18\ The proposed 
changes would update and clarify the Framework and would make it more 
comprehensive in how it describes operational risk management of the 
Clearing Agencies, as described above. By creating clearer, updated and 
more comprehensive descriptions, the Clearing Agencies believe the 
proposed changes would make the ORM Framework more effective in 
providing an overview of the important risk management activities 
described therein.
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    As described in the Initial Filing, the risk management functions 
described in the ORM Framework allow the Clearing Agencies to continue 
the prompt and accurate clearance and settlement of securities and can 
continue to assure the safeguarding of securities and funds which are 
in their custody or control or for which they are responsible 
notwithstanding the default of a member of an affiliated family. The 
proposed changes to improve the clarity and accuracy of the 
descriptions of these functions within the ORM Framework would assist 
the Clearing Agencies in carrying out these risk management functions. 
Therefore, the Clearing Agencies believe the proposed changes are 
consistent with the requirements of Section 17A(b)(3)(F) of the 
Act.\19\
---------------------------------------------------------------------------

    \19\ Id.
---------------------------------------------------------------------------

    Rule 17Ad-22(e)(3)(i) under the Act requires, in part, that each 
covered clearing agency establish, implement, maintain and enforce 
written policies and procedures reasonably designed to maintain a sound 
risk management framework for comprehensively managing operational 
risks that arise in or are borne by the covered clearing agency, which 
includes risk management policies, procedures, and systems that are 
subject to review on a specified periodic basis and approved by the 
board of directors annually.\20\ As described above, the Framework is 
currently approved by the Board annually, in compliance with the 
requirements of Rule 17Ad-22(e)(3)(i). The proposed changes would 
describe this annual approval in Section 2 of the Framework, where the 
Framework's ownership and change management is addressed. By including 
a description of the required annual Board approval of the Framework, 
the proposed changes are consistent with the requirements of Rule 17Ad-
22(e)(3)(i) under the Act.\21\
---------------------------------------------------------------------------

    \20\ 17 CFR 240.17Ad-22(e)(3)(i).
    \21\ Id.
---------------------------------------------------------------------------

    Rule 17Ad-22(e)(17) under the Act requires, in part, that each 
covered clearing agency establish, implement, maintain and enforce 
written policies and procedures reasonably designed to manage the 
covered clearing agency's operational risks by (i) identifying the 
plausible sources of operational risk, both internal and external, and 
mitigating their impact through the use of appropriate systems, 
policies, procedures, and controls; and (ii) ensuring that systems have 
a high degree of security, resiliency,

[[Page 81534]]

operational reliability, and adequate, scalable capacity.\22\
---------------------------------------------------------------------------

    \22\ 17 CFR 240.17Ad-22(e)(17)(i) and (ii).
---------------------------------------------------------------------------

    The Framework would be amended to include a description of the 
Clearing Agencies' incident management procedures. As described above, 
these procedures address how the Clearing Agencies detect, identify, 
investigate and resolve incidents that affect the Clearing Agencies' 
systems. These procedures are designed to help address the Clearing 
Agencies' compliance with the requirements of Rule 17Ad-22(e)(17)(i) 
and (ii).\23\ Therefore, the Clearing Agencies believe that the 
proposed rule changes to include a description of these procedures in 
the Risk Management Framework is consistent with Rule 17Ad-22(e)(17)(i) 
and (ii).\24\
---------------------------------------------------------------------------

    \23\ Id.
    \24\ Id.
---------------------------------------------------------------------------

(B) Clearing Agencies' Statement on Burden on Competition

    The Clearing Agencies do not believe that the proposed changes to 
the ORM Framework described above would have any impact, or impose any 
burden, on competition. As described above, the proposed rule changes 
would update the Framework and would improve the clarity and 
comprehensiveness of the descriptions of certain matters within the 
Framework. Therefore, the proposed changes are technical and non-
material in nature, relating mostly to the operation of the ORM 
Framework rather than the risk management functions described therein. 
As such, the Clearing Agencies do not believe that the proposed rule 
changes would have any impact on competition.

(C) Clearing Agencies' Statement on Comments on the Proposed Rule 
Changes Received From Members, Participants, or Others

    The Clearing Agencies have not solicited or received any written 
comments relating to this proposal. The Clearing Agencies will notify 
the Commission of any written comments received by the Clearing 
Agencies.

III. Date of Effectiveness of the Proposed Rule Changes, and Timing for 
Commission Action

    The foregoing rule changes have become effective pursuant to 
Section 19(b)(3)(A) \25\ of the Act and paragraph (f) \26\ of Rule 19b-
4 thereunder. At any time within 60 days of the filing of the proposed 
rule changes, the Commission summarily may temporarily suspend such 
rule changes if it appears to the Commission that such action is 
necessary or appropriate in the public interest, for the protection of 
investors, or otherwise in furtherance of the purposes of the Act.
---------------------------------------------------------------------------

    \25\ 15 U.S.C 78s(b)(3)(A).
    \26\ 17 CFR 240.19b-4(f).
---------------------------------------------------------------------------

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed rule 
changes are consistent with the Act. Comments may be submitted by any 
of the following methods:

Electronic Comments

     Use the Commission's internet comment form
    (https://www.sec.gov/rules/sro.shtml); or
     Send an email to [email protected]. Please include 
File Number SR-DTC-2020-015, SR-FICC-2020-016, or SR-NSCC-2020-019 on 
the subject line.

Paper Comments

     Send paper comments in triplicate to Secretary, Securities 
and Exchange Commission, 100 F Street NE, Washington, DC 20549.

All submissions should refer to File Number SR-DTC-2020-015, SR-FICC-
2020-016, or SR-NSCC-2020-019. This file number should be included on 
the subject line if email is used. To help the Commission process and 
review your comments more efficiently, please use only one method. The 
Commission will post all comments on the Commission's internet website 
(https://www.sec.gov/rules/sro.shtml). Copies of the submission, all 
subsequent amendments, all written statements with respect to the 
proposed rule changes that are filed with the Commission, and all 
written communications relating to the proposed rule changes between 
the Commission and any person, other than those that may be withheld 
from the public in accordance with the provisions of 5 U.S.C. 552, will 
be available for website viewing and printing in the Commission's 
Public Reference Room, 100 F Street NE, Washington, DC 20549 on 
official business days between the hours of 10:00 a.m. and 3:00 p.m. 
Copies of the filing also will be available for inspection and copying 
at the principal office of the Clearing Agencies and on DTCC's website 
(https://dtcc.com/legal/sec-rule-filings.aspx). All comments received 
will be posted without change. Persons submitting comments are 
cautioned that we do not redact or edit personal identifying 
information from comment submissions. You should submit only 
information that you wish to make available publicly. All submissions 
should refer to File Number SR-DTC-2020-015, SR-FICC-2020-016, or SR-
NSCC-2020-019 and should be submitted on or before January 6, 2021.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\27\
---------------------------------------------------------------------------

    \27\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

J. Matthew DeLesDernier,
Assistant Secretary.
[FR Doc. 2020-27596 Filed 12-15-20; 8:45 am]
BILLING CODE 8011-01-P