Self-Regulatory Organizations; the Options Clearing Corporation Notice of Filing of Proposed Rule Change by the Options Clearing Corporation Concerning a Risk Management Framework and Corporate Risk Management Policy, 58409-58425 [2022-20728]

Federal Register / Vol. 87, No. 185 / Monday, September 26, 2022 / Notices
SECURITIES AND EXCHANGE COMMISSION

[Release No. 34–95842; File No. SR–OCC–2022–010]
Self-Regulatory Organizations; the Options Clearing Corporation Notice of Filing of Proposed Rule Change by the Options Clearing Corporation Concerning a Risk Management Framework and Corporate Risk Management Policy

September 20, 2022.

Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Exchange Act” or “Act”),1 and Rule 19b–4 thereunder,2 notice is hereby given that on September 6, 2022, the Options Clearing Corporation (“OCC”) filed with the Securities and Exchange Commission (“SEC” or “Commission”) the proposed rule change as described in Items I, II, and III below, which Items have been prepared by OCC. The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.

1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b–4.

I. Clearing Agency’s Statement of the Terms of Substance of the Proposed Rule Change

OCC files this proposed rule change to adopt a revised Risk Management Framework (“RMF”) as well as a new Corporate Risk Management Policy (“CRMP”). The RMF and CRMP are provided in Exhibits 5A and 5B of File No. SR–OCC–2022–010. The RMF and CRMP would replace the current OCC Risk Management Framework Policy (“RMF Policy”). These documents are being submitted without marking to improve readability and are being submitted in their entirety as new rule text. The RMF Policy, provided as Exhibit 5C of File No. SR–OCC–2022–010, is submitted entirely in strikethrough text to indicate its retirement.
In addition, OCC submits corresponding changes to its Clearing Fund Methodology Policy, Collateral Risk Management Policy, Default Management Policy, Margin Policy, Model Risk Management Policy, Recovery and Orderly Wind-Down Plan, and Third-Party Risk Management Framework (“TPRMF”) (collectively, the “OCC Risk Policies”) to update any reference to the RMF Policy to refer instead to the proposed RMF. The OCC Risk Policies are provided as Exhibits 5D–5J of File SR–OCC–2022–010. OCC submitted Exhibits 5D through 5I subject to a confidential treatment request under SEC Rule 24b–2.3 The proposed rule change does not require any changes to the text of OCC’s By-Laws or Rules. All terms with initial capitalization that are not otherwise defined herein have the same meaning as set forth in the OCC By-Laws and Rules.4

3 17 CFR 240.24b–2.
4 OCC’s By-Laws and Rules can be found on OCC’s website: https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules.

II. Clearing Agency’s Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, OCC included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. OCC has prepared summaries, set forth in sections (A), (B), and (C) below, of the most significant aspects of these statements.

(A) Clearing Agency’s Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

(1) Purpose

OCC maintains various documents designed to define a comprehensive framework for managing OCC’s various risks, including financial, legal, and operational risks. OCC’s RMF Policy serves as an umbrella document describing OCC’s framework for managing risk at a high level.
As required by SEC Rule 17Ad–22(e)(3)(i), OCC routinely reviews its policies and procedures for potential improvements, such as providing more comprehensive descriptions and definitions as well as making the documents more clear, internally consistent, and well organized. Based on its routine review of the existing RMF Policy, OCC believes it should replace its current RMF Policy with two, more detailed documents. By making this change, described in detail below, OCC intends to enhance the clarity and transparency of its overall risk management framework. The change to OCC’s documents will not affect OCC’s members or other market participants. Rather, it is intended to better describe and strengthen OCC’s internal risk management processes.

Background

OCC proposes to amend its existing RMF Policy 5 by establishing the RMF and CRMP. OCC believes the revised documents enhance the clarity and transparency of its overall risk management framework and, once approved, OCC plans to make the RMF and CRMP publicly available on its website (www.theocc.com). OCC believes the proposed revised RMF would continue to provide a foundation to support and describe the risk management policies, procedures, and systems that make up OCC’s sound risk management framework. In undertaking this revision of the RMF Policy, OCC is seeking to present its approach to risk management more clearly. The RMF Policy presents detailed information about OCC’s second line functions, while also summarizing information about other risk management functions at OCC. OCC believes that the proposed RMF presents a clear summary of OCC’s overall approach to risk management across its three lines of defense and, if necessary, its planning for recovery and wind-down.

5 See Exchange Act Release No. 34–82232 (Dec. 7, 2017), 82 FR 58662 (Dec. 13, 2017) (File No. SR–OCC–2017–005).
Consistent with the presentation of OCC’s risk management across its three lines of defense, the RMF would refer to the CRMP, which would contain the detail behind OCC’s second line corporate risk management program. OCC believes this is consistent with its approach to providing detailed information about its various functions in documents that stand separate from, but support and provide detail about the risk management activities summarized in, its proposed RMF.6

The proposed RMF would provide an overview of risk management at OCC. The proposed RMF introduces the categories of risk OCC faces and then explains how OCC manages these risks. The proposed RMF includes an overview of OCC’s risk universe, descriptions of risk management practices across OCC’s three lines of defense model, a discussion of how OCC is also prepared, if necessary, with tools to manage both recovery and orderly wind-down, and the requirement to escalate exceptions to and deviations from OCC’s risk management frameworks and policies to OCC’s Corporate Risk Management and Compliance departments.

The proposed CRMP would support the proposed RMF by explaining in greater detail OCC’s risk management activities related to the second line of defense corporate risk management program. The proposed CRMP would explain that the OCC Corporate Risk Management department (“Corporate Risk”), formerly referred to as the Enterprise Risk Management department (“ERM”),7 evaluates risks that may affect OCC’s ability to perform the functions detailed in the proposed RMF. As discussed below, the proposed CRMP would provide an overview of the activities overseen by Corporate Risk to identify, measure, monitor, manage, report, and escalate risks.
Certain of this information is currently included in the RMF Policy, but OCC believes, consistent with other areas of risk managed by OCC, the details about its corporate risk management program should reside in the proposed CRMP. Other information would be new, including sections to describe Corporate Risk’s risk monitoring, risk treatment, and risk escalation and training processes. Exhibit 3 to File No. SR–OCC–2022–010 summarizes the proposed reorganization of the RMF Policy into the RMF and CRMP.

6 For example, the RMF addresses risks managed by OCC’s first line of defense through supporting policies and procedures, including, among other rule-filed policies, the Margin Policy, Collateral Risk Management Policy, Liquidity Risk Management Framework, and the Default Management Policy.
7 As part of the proposed rule change, OCC would reflect that OCC has renamed its ERM department as Corporate Risk and make conforming changes throughout the OCC Risk Policies. In addition to functions specific to enterprise risk monitoring, Corporate Risk includes other functions such as Model Risk Management and Third-Party Risk Management.

Proposed Changes to Risk Management Framework Policy

The proposed revisions to the RMF Policy are designed to present OCC’s approach to risk management more clearly. For example, the RMF Policy currently presents detailed information about both the financial and corporate risk management functions at OCC. OCC proposes to adopt a new RMF to more clearly describe its overall risk framework. OCC also proposes to adopt a new CRMP to describe its approach to corporate risk management in more detail. The proposed changes to the current RMF Policy are discussed in detail below.

Purpose Section

The purpose section of the RMF Policy would be replaced with purpose and introduction sections of the new RMF and CRMP, respectively.
These sections would be revised to reflect the reorganization of content in the RMF Policy in the new RMF and CRMP, focusing on the purpose and intent of each of the newly proposed documents. For example, the purpose of the proposed RMF would be to: (i) describe how OCC manages risk while providing efficient and effective clearing and settlement services to the markets it serves; (ii) explain how OCC’s governance model and three lines of defense facilitate risk management; and (iii) address OCC’s ability to employ recovery tools and facilitate an orderly wind-down. The purpose of the proposed CRMP would be to describe OCC’s corporate risk management approach, including activities to identify, measure, monitor, manage, report, and escalate risks to inform decision-making.

Context for Risk Management Framework and Risk Management Philosophy

OCC proposes to delete the Context for Risk Management Framework and Risk Management Philosophy sections of the RMF Policy from the proposed RMF. OCC believes these sections provide history and background information about OCC and its purpose in the financial markets, but do not contain rules of OCC. Additionally, OCC believes the information presented in the Risk Management Philosophy section serves as an additional purpose section and that all items highlighted in this section are covered in the proposed RMF or CRMP. For example, OCC’s approach relative to risk appetite is mentioned in the Risk Management Philosophy section but is covered in more comprehensive detail in the CRMP.
Risk Appetite Framework and Tolerance

The RMF Policy describes OCC’s risk appetite framework, including descriptions of OCC’s use of a risk universe, risk appetites,8 and risk tolerances.9 The RMF Policy also describes the use of Key Risks 10 and Risk Sub-categories to define the universe of risks faced by OCC and the Risk Appetite Statements 11 assigned to such risks. OCC proposes to relocate this information to the Risk Governance section of the proposed CRMP. However, an overview of OCC’s risk universe would be retained in the RMF, including a description of the main risk categories and that, pursuant to the CRMP, these categories are broken down to risk-subcategories and risk statements, as described below, which comprise OCC’s risk universe that OCC manages through the three lines of defense model to maintain effective clearing and settlement operations.

8 Risk appetites are qualitative articulations of the amount of risk OCC is willing to accept and establish expectations for OCC’s risk management.
9 Risk tolerances are qualitative or quantitative measures that help inform whether risks are within risk appetites.
10 The RMF Policy defines Key Risk to mean risk that is related to the foundational aspects of CCP clearing, settlement, and risk management services.
11 The RMF Policy defines Risk Appetite Statement to mean a statement that expresses OCC’s judgment, for each of OCC’s Key Risks, regarding the level of risk OCC is willing to accept related to the provision of CCP services.

The proposed CRMP would state that the establishment and maintenance of OCC’s risk universe, risk appetites, risk tolerances, and risk rating scales is facilitated by Corporate Risk and used across OCC to create a transparent means to manage risk. The proposed CRMP would also state that Corporate Risk establishes the risk universe, which organizes OCC’s risks into the following three layers to classify and aggregate risks:

• Risk categories, which are the highest-level groups of risk aggregation;
• Risk sub-categories, which further classify risks within risk categories into detailed groups; and
• Risk statements, which are descriptions of the drivers, events, and consequences of risks.

The terms “risk categories,” “risk subcategories,” and “risk statements” essentially represent the Key Risks, Subcategories, and Definitions that are discussed in the current RMF Policy. OCC believes the proposed terms better describe the elements that comprise OCC’s risk universe and the relationship between them. Risk categories, sub-categories, appetites, and tolerances would continue to be reviewed on at least an annual basis.

Under the current RMF, Key Risks are approved by OCC’s Board and risk appetites for Key Risks are set by the business departments responsible for those risks in cooperation with ERM. Under the proposed CRMP, the risk universe would be owned and approved by the Chief Risk Officer (“CRO”) and provided to the Management Committee. OCC believes the Chief Risk Officer, who is responsible for OCC’s corporate risk management function, is the officer best situated to manage the risk universe. Changes to the RMF to reflect any changes to risk categories would continue to require Board approval. In addition, the Board or the Risk Committee, if the Board has delegated the Risk Committee such authority,12 would ultimately be responsible for approving risk appetites, which establish the type and amount of risk OCC is willing to accept. OCC believes that the Board or Risk Committee are best positioned to approve risk appetites because of their oversight role with respect to OCC’s risk management. Additionally, the Board or Risk Committee would continue to be responsible for approving risk tolerances.
The proposed CRMP would also provide additional details around the internal governance process for reviewing and approving risk categories, appetites, and tolerances and for monitoring risk tolerances. For example, the proposed CRMP would state that at least every twelve months, Corporate Risk determines whether updates to the risk universe are necessary to better align risk categories, sub-categories, and statements with OCC’s clearance, settlement and risk management services. The proposed CRMP would require that risk category and subcategory updates are approved by the CRO while risk statements are approved by Corporate Risk management. The proposed CRMP would further provide that the Management Committee and Board are then notified of updates to risk categories and sub-categories.

12 The Board has approved such delegation of authority to the Risk Committee. See Exchange Act Release No. 94988 (May 26, 2022); 87 FR 33535 (June 2, 2022) (File No. SR–OCC–2022–002).

The proposed CRMP would state that at least every twelve months, risk appetites are established at a risk subcategory level and presented by the CRO to the Management Committee for recommendation to the Board or Risk Committee for approval. The proposed CRMP would require that Risk Owners manage the level of risk exposure posed by a process against risk appetites.13 The proposed CRMP would state that Corporate Risk monitors risks to identify breaches of risk appetite. The proposed CRMP would also provide that risk appetite breaches are escalated by the CRO to the Management Committee, Risk Committee, and Board.
The proposed CRMP would state that Risk Owners, with input from relevant business areas, develop and execute risk treatment plans to reduce risks that exceed OCC’s risk appetites.14 The proposed CRMP would state that at least every twelve months, Corporate Risk and Risk Owners review risk appetites and, where necessary, make adjustments to align with OCC’s clearance, settlement and risk management services. The proposed CRMP would state that the CRO reviews and presents changes to risk appetites to the Management Committee for recommendation to the Board for approval. OCC proposes to remove the more general risk appetite statement definitions (i.e., no appetite, low appetite, moderate appetite, and high appetite), which are currently described in the RMF Policy, and would instead use more detailed qualitative risk appetite statements for each risk subcategory following the governance process described above.

13 The proposed CRMP defines “Risk Owner” to mean an employee with the accountability and authority to manage the risk.
14 The proposed CRMP would state that risk treatment is the process to manage a risk through avoidance, mitigation, transference, or acceptance.

With respect to risk tolerances, the proposed CRMP would state that Risk Owners are responsible for managing applicable risks within established tolerances and developing risk treatment plans to resolve breaches of risk tolerance. The proposed CRMP would require that risk tolerance breaches are escalated by the CRO to the Management Committee, Risk Committee, and Board. The proposed CRMP would state that at least every twelve months, Corporate Risk and Risk Owners review risk tolerances and, where necessary, make adjustments to align with OCC’s services. The proposed CRMP would state that the CRO reviews and presents changes to risk tolerances to the Management Committee for recommendation to the Board for approval. As discussed below in connection with the monitoring of key risk indicators, the CRO would also monitor and report risk, including risk tolerance breaches, to the Board at each regularly scheduled meeting. OCC notes that it also proposes to change the reporting cadence to align with the timing of Board meetings to reflect that Board meetings typically, but do not always, occur on a quarterly schedule.15

The proposed CRMP would also introduce the concept of risk rating scales, which provide an assessment of risk from an impact and likelihood perspective consistently across OCC. The proposed CRMP would state that OCC’s risk rating scales rate the magnitude of impact an event will have on a process and the likelihood an event will occur. The proposed CRMP would state that the impact risk rating scale considers operational, internal financial, external financial, legal and regulatory, and reputational impacts. The proposed CRMP would state that the likelihood risk rating scale considers a 10-year financial cycle and yearly corporate planning activities. The proposed CRMP would state that these risk rating scales are used to measure inherent and residual risk at a risk statement level. The proposed CRMP would state that inherent risk is the level of risk exposure posed by a process absent any controls to reduce the likelihood or severity of an event. The proposed CRMP would state that residual risk is the level of risk exposure posed by a process or activity after the application of controls or other risk-mitigating factors. The proposed CRMP would state that at least every twelve months, Corporate Risk and Risk Owners perform a review of the risk rating scales. The proposed CRMP would state that the CRO reviews and approves changes to the risk scales.
The proposed CRMP would state that the Management Committee and Board are notified of changes to the risk rating scales.

OCC believes the proposed CRMP would provide a more comprehensive overview of OCC’s risk governance framework and would include changes intended to improve certain processes therein. The proposed CRMP would provide additional details around the internal governance process for reviewing and approving risk categories, appetites, and tolerances and for monitoring risk tolerances and would describe OCC’s risk rating scale process. The proposed changes would also improve the governance process for the risk universe by allowing the CRO to modify risk categories as needed, with oversight of Management Committee, the Risk Committee and the Board, and provide the Board or Risk Committee with more direct responsibility for setting the appetites for those risks.

15 See, e.g., Exchange Act Release No. 94988, 87 FR at 33539 (updating cadence of certain Board reporting to reflect that such reporting occurs at regular Board meetings).

Risk Management Governance

OCC proposes to relocate the Risk Management Governance section of the current RMF Policy to a new Governance section of the proposed RMF with certain modifications. OCC proposes to update the description of the responsibilities of the Board, which are generally already addressed in the Board of Directors Charter and Corporate Governance Principles (“Board Charter”),16 which is filed with the Commission as a rule of OCC.17 The proposed RMF would state that the Board is responsible for advising and overseeing management. The proposed RMF would state that pursuant to the OCC Board of Directors Charter and Corporate Governance Principles, the CRO presents a review of the RMF to the Board for approval at least annually.
The proposed RMF would state that the Board may delegate the oversight of specific risks to Board-level committees (“Committees”).18 The proposed RMF would state that the Board may form or disband committees, including subcommittees to manage specific risks, as it from time to time deems appropriate, and may delegate authority to one or more designated members of such committees. The proposed RMF would state that the responsibilities of Board committees regarding managing risks are outlined in committee charters.

16 The Board Charter can be found on OCC’s public website: https://www.theocc.com/about/corporate-information/board-charter.
17 See, e.g., Exchange Act Release No. 84473 (Oct. 23, 2018), 83 FR 54385 (Oct. 29, 2018) (File No. SR–OCC–2018–012).
18 The Board has delegated oversight of specific risks to Committees through the Committee Charters. For example, the Board has delegated oversight of OCC’s financial, collateral, risk model and third-party risk management processes to the Risk Committee. See Exchange Act Release No. 94988, 87 FR at 33539 (File No. SR–OCC–2022–002).

OCC also proposes to update the description of the responsibilities of the Management Committee and working groups in the new RMF. The proposed RMF would state that OCC’s Management Committee supports the management and conduct of its business in accordance with policy directives from the Board. The proposed RMF would state that the Management Committee includes officers 19 responsible for ensuring that its actions and decisions are consistent with OCC’s mission, Code of Conduct, Rules and By-Laws, policies, procedures, and general principles of sound corporate governance. The proposed RMF would state that the CRO is a member of the Management Committee and reports to the Risk Committee.
The proposed RMF would state that the Management Committee may form and delegate authority to subcommittees and working groups of employees to conduct certain of its activities. The proposed RMF would state that subcommittees and working groups are responsible for reporting and escalating information as may be appropriate. This would replace the current description in the RMF Policy, which primarily relates to the committee’s role and responsibilities in reviewing and recommending changes to OCC’s risk universe, including risk appetites and tolerances, and escalating breaches of such to the Board. These responsibilities would now be addressed in the proposed CRMP (as discussed in the Risk Appetite Framework and Tolerance section above).

The Governance section of the proposed RMF would also be updated to include a description of the responsibilities of OCC employees. The proposed RMF would state that OCC considers risk management during employee recruitment, development, training, and succession planning. The proposed RMF would state that OCC recruits and retains personnel with appropriate risk management knowledge, skills, and competencies. The proposed RMF would state that OCC also identifies successors for designated officers based on knowledge and experience. The proposed RMF would state that OCC provides internal and external development opportunities including required training related to risk, compliance, security, conflicts of interest, escalation of concerns, and the OCC Code of Conduct.
The proposed RMF would state that OCC provides outlets for employees to anonymously report concerns that are reviewed by OCC’s Compliance, Human Resources, and Legal departments.

19 The proposed RMF would state that the Management Committee may include, but is not limited to, the following officers: Executive Chairman, Chief Executive Officer, Chief Operating Officer, Chief Financial Risk Officer, Chief External Relations Officer, Chief Risk Officer, Chief Audit Executive, Chief Compliance Officer, Chief Financial Officer, Chief Human Resources Officer, Chief Information Officer, Chief Security Officer, Chief Legal Officer and General Counsel, Chief Clearing and Settlement Services Officer, and Chief Regulatory Counsel.

Identification of Key Risks

The RMF Policy currently contains an Identification of Key Risks section that defines OCC’s Key Risks and provides a brief description of OCC’s policies and procedures for managing each of those Key Risks and their respective Risk Sub-Categories. OCC proposes to replace the Identification of Key Risks section with a new OCC Risk Management section of the proposed RMF, which would be reorganized to focus on the three lines of defense model currently described in the RMF Policy and describe the types of risks managed by each line of defense. The new OCC Risk Management section of the RMF would: (i) restate existing content of the RMF; (ii) introduce new content not currently contained in OCC’s RMF Policy; and (iii) delete certain aspects of the RMF Policy. The changes are discussed in detail below.

The proposed RMF would state that OCC employs a three lines of defense model. The proposed RMF would state that the model clarifies ownership and accountability and enhances communication for expectations around risk management throughout the organization.
The proposed RMF would state that the first line of defense maintains policies, procedures, processes, and controls established for day-to-day risk management. The proposed RMF would state that the second line of defense evaluates and provides effective challenge to the first line by executing critical analysis to identify process limitations and recommending changes to relevant policies, procedures, processes, systems, and controls. Lastly, the proposed RMF would state that the third line of defense is an internal audit function that reviews and provides objective assurance to the first and second lines.

The proposed RMF would state that OCC employees report to members of the Management Committee. Consistent with the OCC Employee Code of Conduct, employees are expected to escalate risk information through their reporting line or to other members of management. The proposed RMF would state that risks identified at OCC are reported to the Management Committee and Board consistent with relevant charters and policies.

First Line of Defense

The proposed RMF would state that the risk inherent in OCC’s clearing and settlement services is managed by the first line of defense, which is responsible for owning and managing risks by maintaining policies, procedures, processes, systems, and controls that manage relevant risks. The proposed RMF would state that the first line of defense is comprised of OCC’s operational business units, including Financial Risk Management (“FRM”), Business Operations, Information Technology, and Corporate Finance, and also includes corporate functions such as human resources and project management. The proposed RMF would state that the first line of defense is also accountable for maintaining internal controls, control self-testing, and implementing corrective action to address control deficiencies.
The proposed RMF would state that the first line of defense maintains policies and associated procedures that detail the processes and controls implemented across business units which are used to execute risk management related to the clearing and settlement services detailed below.

Membership Standards

The proposed RMF would state that Membership standards are established by the Board and risk managed by OCC’s Business Operations, FRM and Information Technology in accordance with OCC’s TPRMF. The proposed RMF would state that OCC has risk-based clearing membership standards to manage the risks arising from Clearing Members. The proposed RMF would state that these requirements include applicable registrations, net capital requirements, creditworthiness, adequate operational capabilities, and maintaining qualified personnel. The proposed RMF would state that the Risk Committee reviews these standards to ensure OCC provides fair and open access to clearing and settlement services. The proposed RMF would state that Clearing Members that fail to meet the membership standards face the possibility of consequences up to and including suspension.

Credit

The proposed RMF would state that OCC’s credit risk is managed by Business Operations, FRM, and Corporate Finance. The proposed RMF would state that OCC is exposed to credit risk based on its role as guarantor of cleared contracts. The proposed RMF would state that OCC has credit risk related to Clearing Members and manages this exposure by collecting margin and Clearing Fund resources based on a Clearing Member’s risk profile. The proposed RMF would state that OCC also faces credit risk from other financial institutions that facilitate payment, clearing, and settlement activities (e.g., clearing banks, custodians, and linked financial market utilities).
The proposed RMF would state that FRM monitors its credit risk related to Clearing Members and financial institutions consistent with the TPRMF. The proposed RMF would state that FRM analyzes the creditworthiness of each financial institution, in addition to other information that could impact the financial institution’s ability to facilitate payment, clearing, and settlement services.

Clearing Fund

The proposed RMF would state that OCC’s Clearing Fund is managed by FRM and Business Operations. The proposed RMF would state that OCC maintains a Clearing Fund comprised of high-quality liquid assets to cover its credit risk exposure from Clearing Members in accordance with OCC’s confidential Clearing Fund Methodology Policy and Chapter X of OCC’s Rules. The proposed RMF would state that FRM uses stress tests to project the Clearing Fund size necessary to maintain prefunded financial resources to cover losses arising from the default of the two Clearing Member Groups that would potentially cause the largest aggregate credit exposure to OCC in extreme but plausible market conditions. The proposed RMF would state that FRM also uses stress test results to determine the sufficiency of the Clearing Fund size and determine whether to issue calls for additional collateral or perform an intra-month Clearing Fund resizing. The proposed RMF would state that FRM reviews the adequacy of its Clearing Fund models through sensitivity analysis and an analysis of its parameters and assumptions. The proposed RMF would state that FRM reports the results of Clearing Fund model reviews to the Board.

Margin

The proposed RMF would state that OCC’s margin is managed by FRM and Business Operations. The proposed RMF would state that FRM utilizes a risk-based margin methodology to calculate Clearing Member margin requirements in accordance with OCC’s confidential Margin Policy and Chapter VI of OCC’s Rules.
The proposed RMF would state that FRM calculates margin daily for Clearing Member accounts. The proposed RMF would state that Intra-day margin calls may also be made for accounts incurring significant losses. The proposed RMF would state that FRM reviews the adequacy of its margin models through sensitivity analysis, backtests, and an analysis of its parameters and assumptions. The proposed RMF would state that FRM reports the results of margin model reviews to the Board.

Collateral

The proposed RMF would state that OCC’s collateral risk is managed by Business Operations, Corporate Finance, and FRM in accordance with OCC’s confidential Collateral Risk Policy and OCC Rules 604 and 1002. The proposed RMF would state that OCC requires its Clearing Members to deposit collateral as margin and Clearing Fund. The proposed RMF would state that OCC limits acceptable assets to those with low credit, market, and liquidity risks, and employs other risk mitigation tools, including collateral concentration limits. The proposed RMF would state that FRM applies risk-based haircuts and Business Operations revalues collateral daily to ensure margin and Clearing Fund requirements are met.

Default Management

The proposed RMF would state that OCC’s default management risk is managed by FRM in accordance with OCC’s confidential Default Management Policy and Chapter XI of OCC’s Rules. The proposed RMF would state that in the event of a Clearing Member default, OCC takes timely action to contain losses and liquidity pressures and continue to meet its obligations. The proposed RMF would state that OCC closes open positions in an orderly manner, which may include performing auctions, utilizing liquidation agents, or applying hedges. The proposed RMF would state that Margin and Clearing Fund deposits of the defaulting Clearing Member are used to offset these losses, followed by other financial resources. The proposed RMF would state that OCC performs default testing with the participation of designated Clearing Members and other stakeholders to evaluate its processes and systems, including close-out processes.

The newly proposed Membership Standards, Credit, Clearing Fund, Margin, Collateral, and Default Management sections of the RMF would effectively replace the Credit Risk Management Framework section of OCC’s RMF Policy and refer to the same OCC Risk Policies currently maintained by OCC (and described in the RMF) to address such risks and which are currently filed with the Commission as rules of OCC (e.g., the Margin Policy,20 Clearing Fund Methodology Policy,21 Collateral Risk Management Policy,22 Default Management Policy,23 and TPRMF 24).

20 See, e.g., Exchange Act Release No. 82355 (Dec. 19, 2017), 82 FR 61058 (Dec. 26, 2017) (File No. SR–OCC–2017–007).
21 See, e.g., Exchange Act Release No. 83735 (July 27, 2018), 83 FR 37855 (Aug. 2, 2018) (File No. SR–OCC–2018–008).
22 See, e.g., Exchange Act Release No. 82311 (Dec. 13, 2017), 82 FR 60252 (Dec. 19, 2017) (File No. SR–OCC–2017–008).
23 See, e.g., Exchange Act Release No. 82310 (Dec. 13, 2017), 82 FR 60265 (Dec. 19, 2017) (File No. SR–OCC–2017–010).
24 See, e.g., Exchange Act Release No. 90797 (Dec. 23, 2020), 85 FR 86592 (Dec. 30, 2020) (File No. SR–OCC–2020–014).

Liquidity

The proposed RMF would state that OCC’s liquidity risk is managed by FRM and Corporate Finance. The proposed RMF would state that OCC manages its liquidity risk in accordance with its confidential Liquidity Risk Management Framework by maintaining a reliable and diverse set of committed resources and liquidity providers, establishing a contingent funding plan to collect additional resources, and performing stress testing that covers a wide range of scenarios that include the default of the Clearing Member Group that would generate the largest aggregate liquidity obligation in extreme but plausible market conditions. The proposed RMF would state that FRM also tests the sufficiency of its resources by forecasting daily settlement under normal and stressed market conditions and compares these results to the liquid resources maintained. The proposed RMF would state that FRM reports the results of these reviews to the Board.

The new Liquidity section of the proposed RMF would replace the Liquidity Risk Management Framework section of the current RMF Policy and would summarize and refer to OCC’s Liquidity Risk Management Framework as the governing document for managing OCC’s liquidity risks while removing certain summary information that is more specifically addressed in the Liquidity Risk Management Framework.25

25 See, e.g., Exchange Act Release 89014 (June 4, 2020), 85 FR 35446 (June 10, 2020) (File No. SR–OCC–2020–003).

Settlement

The proposed RMF would add a new section specifically discussing settlement risk (which is currently addressed indirectly in the Operational Risk section of the RMF Policy). The proposed RMF would state that OCC’s settlement risk is managed by Business Operations in accordance with Chapters V and IX of OCC’s Rules. The proposed RMF would state that OCC uses clearing banks to facilitate settlements on at least a daily basis.
The proposed RMF would state that OCC issues instructions to clearing banks to debit or credit the account of a Clearing Member, and correspondingly debit or credit OCC’s account, with a specific dollar amount by a specified time. The proposed RMF would state that settlement finality occurs when a clearing bank confirms the settlement instruction or is silent past the applicable deadline.

Custody and Investment

The proposed RMF would state that OCC’s custody and investment risk is managed by its Corporate Finance department, Business Operations, and FRM in accordance with OCC Rules 604 and 1002(b). The proposed RMF would state that OCC holds its own and its Clearing Members’ assets at settlement and custodian banks, as well as at other financial market utilities. The proposed RMF would state that OCC requires settlement and custodian banks to meet minimum financial and operational requirements. The proposed RMF would state that OCC complies with applicable customer protection and segregation requirements for the handling of customer funds. The proposed RMF would state that OCC maintains working capital and non-invested Clearing Member cash in accounts that minimize delays in access to funds. The proposed RMF would state that OCC maintains accounts at the Federal Reserve to custody funds. The proposed RMF would state that OCC invests in instruments with minimal credit, market, and liquidity risks. The new Custody and Investment section of the proposed RMF would effectively replace the Investment Risk section of the RMF Policy, which also discusses OCC’s use of Federal Reserve bank accounts and the investment of funds not held at the Federal Reserve.

General Business

The proposed RMF would state that OCC’s general business risk is managed by Corporate Finance, Information Technology, Business Operations and Financial Risk Management.
The proposed RMF would state that Corporate Finance performs financial planning and analysis, reviews operating budgets and fee structures, and reviews business performance. The proposed RMF would state that OCC maintains liquid net assets funded by equity sufficient to cover potential general business losses and comply with financial resource requirements in accordance with its confidential Capital Management Policy.26 Furthermore, the proposed RMF would state that Information Technology reviews OCC’s ability to maintain its critical services under a range of scenarios, including adverse market conditions. The proposed RMF would state that Business Operations and Financial Risk Management also perform assessments to determine if potential new business opportunities fit within OCC’s models and risk management systems. The new General Business section of the proposed RMF would replace the General Business Risk section (and in part, the Reputational Risk section) of the current RMF Policy, continue to refer to OCC’s Capital Management Policy as the governing document for managing OCC’s general business risks, and remove certain summary information that is more specifically addressed in OCC’s Capital Management Policy.27

Technology

The proposed RMF would state that OCC’s technology risk is managed by OCC’s Information Technology. The proposed RMF would state that OCC uses technology solutions to manage risk and facilitate clearing and settlement by utilizing systems that have adequate levels of availability, security, resiliency, integrity, and adequate, scalable capacity based on their criticality. The proposed RMF would state that Information Technology manages technology risk by utilizing a structured technology delivery approach that provides for consistency and establishes responsibilities and requirements.
The proposed RMF would state that Information Technology monitors and evaluates technology performance in part based on service levels related to data integrity, system availability, data timeliness, and data quality to manage technology risk. The proposed RMF would state that to achieve these service levels, Information Technology manages OCC’s efforts across technology incidents, changes, configurations, system capacity, and evaluates system recoverability through disaster recovery testing. The Technology section of the proposed RMF, along with the Security section (discussed below), are intended to replace the Operational Risk—Information Technology section of the RMF Policy. These general details in the RMF would replace more specific information concerning OCC’s quality standards program, cybersecurity program, and system functionality and capacity.28

26 See, e.g., Exchange Act Release 88029 (Jan. 24, 2020), 85 FR 5500 (Jan. 30, 2020) (File No. SR–OCC–2019–007).
27 See id.

Legal

The proposed RMF would state that OCC’s legal risk is managed through efforts across OCC that are advised by OCC’s Legal department (‘‘Legal’’). The proposed RMF would state that OCC manages its legal risk by establishing, implementing and enforcing written documents that are reasonably designed to provide a well-founded, clear, transparent, and enforceable legal basis for each aspect of OCC’s activities in all relevant jurisdictions and comply with applicable legal and regulatory requirements. The proposed RMF would state that in order to manage legal risk across OCC, employees are required to consult with Legal on legal and regulatory matters, including but not limited to interpretation of laws and regulations applicable to OCC, including OCC’s Rules and By-Laws, legal claims against OCC, government or regulatory requests or inspections, and matters that may be the subject of a proposed rule change filing.
The Legal section of the proposed RMF would replace, in part, the Legal Risk section of the RMF Policy, including by replacing a specific sub-section discussing OCC’s maintenance of contracts with more general requirements that OCC establish, implement, and enforce written documents, including legal agreements, and maintain documents that are reasonably designed to provide a well-founded, clear, transparent, and enforceable legal basis for each aspect of OCC’s activities, which would include any contracts regarding the material aspects of OCC’s clearing, settlement, and risk management activities as discussed in the RMF Policy.

28 OCC intends to include a detailed discussion of these aspects of its operational risk management in a new Operational Risk Management Framework document, which is currently being finalized by OCC and will be filed with the Commission when it is complete.

Second Line of Defense

The proposed RMF would state that OCC’s second line of defense includes compliance, corporate risk, third-party risk, model risk management, security, and business continuity. The proposed RMF would state that the second line has no operational authority or responsibility for the first line to prevent conflicts of interest. The proposed RMF would state that the second line provides objective analysis to identify potential enhancements and improvements to first line processes to help ensure compliance with applicable laws and regulations and prudent risk management. The proposed RMF would state that second line management reports to Board committees and has the authority to escalate information to the first line, Management Committee, and the Board. Additionally, the proposed RMF would state that second line management provides reports to the Board at least quarterly at its scheduled meetings.
Compliance

The proposed RMF would state that OCC’s Compliance department (‘‘Compliance’’) oversees OCC’s management of compliance risk by adhering to applicable rules and regulations, policies, procedures, processes, controls, and standards of conduct. The proposed RMF would state that Compliance manages compliance risk by establishing processes to prevent, detect, respond to, and report on compliance risk. The proposed RMF would state that Compliance supports and assesses the management of compliance risk through advising, monitoring, reporting, testing, and training activities and maintains mechanisms for reporting unethical or fraudulent behavior or misconduct. The Compliance section of the proposed RMF would replace the Regulatory Compliance section of the RMF Policy and reframe this section based on the Compliance department’s role in helping OCC manage compliance risk.

Corporate Risk

The proposed RMF would state that Corporate Risk evaluates enterprise risk by identifying, measuring, monitoring, managing, reporting, and escalating risks to inform decision-making in accordance with the CRMP. The proposed RMF would state that Corporate Risk evaluates enterprise risk to provide an understanding of inherent and residual risks as compared against Board-approved levels.

Third-Party Risk

The proposed RMF would state that OCC’s Third-Party Risk Management business unit evaluates risks posed to OCC by third parties by identifying, measuring, monitoring, managing, reporting, and escalating risks as described in the TPRMF. The proposed RMF would state that Third-Party Risk Management aggregates information about the risks presented by third parties based on their relationships to OCC. The new Third-Party Risk section of the proposed RMF would replace the Third-Party Monitoring Program section of the RMF Policy and remove certain details which are more comprehensively addressed in the TPRMF.29

Model Risk Management

The proposed RMF would state that Model Risk Management performs independent model validation, evaluates model parameters and assumptions, assesses mitigating factors, and provides effective and independent challenge throughout OCC’s model lifecycle in accordance with its confidential Model Risk Management Policy. The proposed RMF would state that Models are governed and independently assessed and certified to determine adequate performance. The proposed RMF would state that this includes model testing and performance monitoring (e.g., backtesting, sensitivity analysis). The new Model Risk Management section of the proposed RMF would replace the Model Risk section of the RMF Policy. This new section of the RMF would focus on Model Risk Management’s role in helping OCC manage model risk and would remove certain details that are more comprehensively addressed in the Model Risk Management Policy.30

Security

The proposed RMF would include new rule text stating that OCC’s Security department (‘‘Security’’) manages information, physical, and personnel security risk to safeguard the confidentiality, integrity, and availability of corporate information systems and data assets implemented and maintained by Information Technology. The proposed RMF would state that Security employs a risk-based methodology and controls to manage information governance, system resiliency, and cyber security. In addition, the proposed RMF would state that Security maintains policies and procedures that require appropriate protective controls and event detection via security monitoring. The proposed RMF would state that Security evaluates its processes and controls through internal and external testing, scanning for threats and vulnerabilities, and benchmarking against industry standards.
In addition, the proposed RMF would incorporate an existing portion of the RMF Policy concerning IT risk assessments conducted by Security prior to the procurement, development, installation and operation of IT services and systems, including the triggers that may change IT risks at OCC.31 Cross-references found in the RMF Policy to procedures that outline IT risk assessments at a procedural level would be removed. OCC does not believe that identifying the underlying procedure is necessary for understanding the process at a policy level.

29 See supra note 24.
30 See, e.g., Exchange Act Release No. 82785 (Feb. 27, 2018), 83 FR 9345 (Mar. 5, 2018) (File No. SR–OCC–2017–011).

Business Continuity

The proposed RMF would state that Business Continuity maintains a business continuity program that establishes OCC’s plan for maintaining backup and recovery capabilities that are sufficiently resilient and geographically diverse to address both internal and external events that could impact OCC’s operations.32

Third Line of Defense

The proposed RMF would state that OCC’s third line of defense consists of Internal Audit. Internal Audit is independent and reports directly to the Audit Committee of the Board (‘‘Audit Committee’’) to ensure this independence; the Audit Committee oversees the activities performed by Internal Audit in accordance with the Audit Committee Charter. The proposed RMF would state that Internal Audit has no responsibility for first- or second-line functions. The proposed RMF would state that Internal Audit designs, implements, and maintains an audit program that provides the Management Committee and Audit Committee independent and objective assurance related to the quality of OCC’s risk management, governance, compliance, controls, and business processes in accordance with the confidential Internal Audit Policy.
The proposed RMF would state that Internal Audit issues independent reports to the first and second line as well as the Audit Committee and Board. This section of the RMF would replace a discussion of the third line of defense in OCC’s current RMF Policy and would remove certain details that are more comprehensively addressed in the Internal Audit Policy.33

31 This discussion would replace the IT Risk Assessment section of the current RMF Policy. OCC intends to include a detailed discussion of its IT risk assessment in a new Operational Risk Management Framework document, which is currently being finalized by OCC and will be filed with the Commission when it is complete.
32 The Business Continuity section of the RMF would replace the Business Continuity Program section of the current RMF Policy. OCC intends to include a detailed discussion of its Business Continuity Program in a new Operational Risk Management Framework document, which is currently being finalized by OCC and will be filed with the Commission when it is complete.
33 Such details include requirements related to the diversity and skills of Internal Audit personnel and the external standards of professionalism pursuant to which Internal Audit performs its functions.

Risk Management Practice

The RMF Policy currently contains a Risk Management Practice section that describes OCC’s three lines of defense model and Enterprise Risk Assessment program. As discussed above, OCC would relocate the discussion of its three lines of defense model to the new RMF. In addition, OCC proposes to relocate the discussion of its Enterprise Risk Assessment program to the new CRMP. OCC also proposes to relocate the Risk Reporting section of the RMF Policy to the CRMP. Additionally, OCC would eliminate the specific Compliance Risk Assessment section of the RMF Policy.

Enterprise Risk Assessment and Scenario Analysis Program

The RMF Policy currently describes the Enterprise Risk Assessment process conducted by the first line and Corporate Risk. The RMF Policy provides that Enterprise Risk Assessments shall analyze Inherent Risk,34 the quality of risk management, and Residual Risk 35 of the subcategories of Key Risks and use analysis of Residual Risk in conjunction with metrics related to risk tolerances to develop a risk profile and determine whether a Key Risk is within its risk appetite. The RMF Policy also requires that Corporate Risk’s analysis of Residual Risk be provided to the Management Committee and Board (or committee thereof) to inform them on the quantity of risk in a certain functional area or business area, and provide a mechanism to prioritize risk mitigation activities. The proposed CRMP would revise this description to more accurately and completely describe the risk assessment, monitoring, and reporting processes conducted by Corporate Risk. The proposed CRMP would state that enterprise risk assessments are a quarterly activity where the control environment is evaluated to determine its effectiveness in preventing or mitigating inherent risks identified to arrive at a residual risk rating for each risk statement. The proposed CRMP would state that Corporate Risk (and not Compliance, as specified in the RMF Policy) maintains an inventory of all business processes, risks, and associated controls in a database used by OCC to manage Enterprise Governance, Risk and Compliance.

34 The RMF Policy defines ‘‘Inherent Risk’’ to mean the absolute level of risk exposure posed by a process or activity prior to the application of controls or other risk-mitigating factors.
35 The RMF Policy defines ‘‘Residual Risk’’ to mean the level of risk exposure posed to a process or activity after the application of controls or other risk-mitigating factors.
The CRMP would state that Corporate Risk uses data from a variety of sources (e.g., risk events, Internal Audit findings, security risk assessments and observations, third-party observations, control design assessments, management control self-testing results, and business impact analyses) to rate the impact and likelihood of a risk and assess the quality of the control environment. The proposed CRMP would state that enterprise risk assessments are conducted through workshops across the first and second lines of defense and are supplemented by including information from emerging risk surveys (top-down), process-based risk assessments (bottom-up), and enterprise technology assessments. The proposed CRMP would state that quarterly, the results of the enterprise risk assessment (the levels of residual risk) are aggregated and provided to the CRO for approval and presented to the Management Committee and Board by the CRO. The CRMP would also elaborate on the use of residual risk, risk tolerances, and risk ratings and associated reporting as discussed in the Risk Governance section of the proposed CRMP and would also provide details on Corporate Risk’s risk monitoring and risk treatment activities in new sections of the CRMP (as discussed further below).

The RMF Policy also describes OCC’s Scenario Analysis Program, which is an industry-standard method of identifying operational risks that may not be otherwise captured by the Enterprise Risk Assessment program. Pursuant to the RMF Policy, Corporate Risk and the first line design simulations of potential business disruptions, and business unit staff shall use such simulations to identify risks that may not have been previously uncovered or identify weaknesses in current controls. Corporate Risk includes the potential risks identified through the Scenario Analysis Program in its analysis of, and reporting on, the quantity of risk within a certain Key Risk and whether the Key Risk is within its risk appetite.
OCC proposes to relocate the discussion of its Scenario Analysis Program to the CRMP with revisions designed to more accurately and completely describe the scenario analysis process. The proposed CRMP would state that operational scenario analysis is the process of leveraging OCC subject matter expertise to identify potential operational risks and assess the potential outcomes of stressed operations. The proposed CRMP would state that operational scenarios consider both internal and external scenarios that may impact OCC’s ability to perform its clearance, settlement and risk management services. The proposed CRMP would state that Corporate Risk, through workshops with the first and second lines of defense, designs operational scenarios utilizing available information (e.g., annual top-risk survey conducted by Corporate Risk, Management Committee recommendation, enterprise risk assessments). The proposed CRMP would state that the workshops are designed to identify risks that may not have been previously uncovered or weaknesses in current controls. The proposed CRMP would state that operational scenarios are used to assess the potential that future extreme but plausible business disruptions may impact OCC’s clearance, settlement and risk management services and are inputs in OCC’s target capital requirements and recovery and wind-down planning. The proposed CRMP would state that Risk Owners use scenarios to identify new and existing risks and identify weaknesses in current controls. The proposed CRMP would state that Corporate Risk includes potential risks identified through operational scenario analysis when analyzing and reporting across risk categories and subcategories.

Risk Reporting

The proposed CRMP would contain a revised Risk Reporting section. The proposed CRMP would state that risk reporting provides a view of OCC’s risks to facilitate risk management and inform decision-making.
The proposed CRMP would state that Corporate Risk reports risks based on its risk identification, measurement, and monitoring activities to assist in the understanding of the risks OCC faces and whether these risks are being managed within OCC’s risk tolerances and appetites. The proposed CRMP would state that quarterly, the CRO reports risks (e.g., risk appetite or risk tolerance breaches, material operational risk events, summary of risk acceptances, and risk mitigation) to the Management Committee, Board, and relevant Board committees.

Compliance Risk Assessment

OCC proposes to remove a section of the RMF Policy specifically dedicated to the Compliance Risk Assessment program. This section currently provides a brief discussion of the Compliance department’s program used to identify and measure the risks faced by OCC regarding regulatory compliance and prioritize the testing and training activities associated with such risks. OCC believes this section is appropriately addressed in the Compliance section of the proposed RMF (discussed in detail above), which provides that Compliance manages compliance risk by establishing processes to prevent, detect, respond to, and report on compliance risk and assesses the management of compliance risk through advising, monitoring, reporting, testing, and training activities and maintains mechanisms for reporting unethical or fraudulent behavior or misconduct. This would include the activities performed by Compliance in the Compliance Risk Assessment program.

Control Activities

OCC proposes to eliminate the Control Activities section of the RMF Policy, which describes certain activities performed by OCC’s Compliance department relating to the maintenance of business process and control inventories and annual training of OCC staff. This would be replaced by more general descriptions of Compliance’s responsibilities under the proposed RMF.
As discussed above, the RMF would more generally describe the department’s responsibilities for the management of compliance risk, including by: (i) establishing processes to prevent, detect, respond to, and report on compliance risk; (ii) assessing the management of compliance risk through advising, monitoring, reporting, testing, and training activities; and (iii) maintaining mechanisms for reporting unethical or fraudulent behavior or misconduct. Additionally, as noted above, the proposed CRMP would transfer responsibility for maintaining OCC’s inventory of all business processes, risks, and associated controls from Compliance to Corporate Risk.

Policy Exceptions and Violations

OCC proposes to replace the Policy Exceptions and Violations sections in the current RMF Policy with a new Risk Acceptances and Deviations section in the RMF. The RMF would require that risk acceptances,36 including exceptions to OCC’s risk management frameworks and policies, shall be escalated to Corporate Risk in accordance with the CRMP. In addition, the RMF would require that deviations from OCC’s risk management frameworks and policies shall be escalated to Compliance in accordance with the Policy Governance Policy (“PGP”).37 By including this generally applicable provision in the RMF, OCC would no longer include this information in each individual policy and procedure.

36 As discussed in more detail below with respect to the proposed Risk Treatment section of the CRMP, acceptance is a risk treatment method that may be used to acknowledge when the cost or complexity of avoiding, mitigating, or transferring the risk exceeds the potential impact (e.g., OCC accepts a risk temporarily and implements short-term mitigants, knowing that a long-term solution is planned).
Policy exceptions would continue to be escalated as part of OCC’s risk acceptance process and policy violations would be escalated as part of OCC’s PGP document deviation risk event process. The proposed change would allow OCC to remain consistent with this practice in its policies and procedures without requiring each to have its own individual Policy Exceptions and Violations sections that would need to be updated as OCC’s process for escalating exceptions and deviations develops and matures.

Other Deleted Sections of the RMF Policy

Project Management, Budgeting, and Training Changes

OCC proposes to delete from its rules certain sections of the RMF Policy related to project management, corporate planning and budgeting, and Human Resources and Compliance Training and Policies. OCC believes that these sections deal with policies and practices that are administrative in nature and do not constitute material aspects of the operation of the facilities of OCC.38 OCC would not maintain these details in the RMF or CRMP; however, OCC would continue to maintain and update these details when necessary in other internal policies, procedures, or OCC documentation maintained for such purposes.

37 OCC proposes to use the term “deviation” rather than “violation” as found in the current RMF Policy to align with the terminology used in the PGP.

38 Section 19(b)(1) of the Exchange Act requires a self-regulatory organization (“SRO”) such as OCC to file with the Commission any proposed rule or any proposed change in, addition to, or deletion from the rules of such SRO. See 15 U.S.C. 78s(b)(1). Section 3(a)(27) of the Exchange Act defines “rules of a clearing agency” to mean its (1) constitution, (2) articles of incorporation, (3) bylaws, (4) rules, (5) instruments corresponding to the foregoing and (6) such “stated policies, practices and interpretations” (“SPPI”) as the Commission may determine by rule. See 15 U.S.C. 78c(a)(27). Exchange Act Rule 19b–4(a)(6) defines the term “SPPI” to include (i) any material aspect of the operation of the facilities of an SRO and (ii) statements made generally available to membership of, to all participants in, or to persons having or seeking access to facilities of an SRO that establishes or changes certain standards, limits, or guidelines. See 17 CFR 240.19b–4(a)(6). Rule 19b–4(c) provides, however, that an SPPI may not be deemed to be a proposed rule change if it is: (i) reasonably and fairly implied by an existing rule of the SRO or (ii) concerned solely with the administration of the SRO and is not an SPPI with respect to the meaning, administration, or enforcement of an existing rule of the SRO. See 17 CFR 240.19b–4(c).

Risk Universe

Finally, OCC proposes to remove the RMF Policy’s Appendix: OCC’s Key Risks with CCA, PFMI, and Reg SCI Mapping. The proposed CRMP would require that Corporate Risk continue to maintain the risk universe, and OCC has included its risk categories in Section II of the proposed RMF but proposes that the additional detailed documentation and mapping be maintained internally by Corporate Risk. OCC believes it may need to update the mapping and risks, as well as how OCC defines them, dynamically based on business and market factors. OCC believes by following the governance outlined in the proposed CRMP, proper scrutiny will be given to any revisions to this information.
Moreover, OCC believes that the policies and processes maintained by OCC to establish, maintain, review and update its risk universe, which reflects the universe of risks that OCC must monitor and manage, constitute material aspects of the operation of the facilities of OCC, but the risk universe itself is the output of those processes and simply lists those risks that OCC has identified pursuant to the requirements of the RMF Policy (and the proposed CRMP).

New Sections in the RMF and CRMP

OCC proposes to add new sections to its RMF and CRMP to describe certain aspects of its risk management framework and approach to enterprise risk management, which are discussed in detail below.

RMF: Recovery and Orderly Wind-Down Plan

The proposed RMF would include a new section discussing OCC’s Recovery and Orderly Wind-Down Plan. The proposed RMF would state that in the event of extreme financial, operational, or general business stress, Corporate Risk maintains a confidential Recovery and Orderly Wind-Down Plan which details the departments responsible for executing the plan. The proposed RMF would state that OCC employs a set of recovery tools in the event of severe financial, operational, or general business stress, to continue to provide critical clearing and settlement services. The proposed RMF would state that should OCC’s recovery efforts be unsuccessful or if, based on facts and circumstances, it is determined that its recovery tools would be insufficient, OCC has a wind-down plan that provides for the orderly resolution of the firm.

CRMP: Risk Monitoring

The CRMP would introduce a new section to describe Corporate Risk’s Risk Monitoring process, including key risk indicator monitoring and operational risk event monitoring. The proposed CRMP would state that Corporate Risk and Risk Owners monitor internal and external risks to determine whether OCC’s risk management practices continue to operate effectively.
The proposed CRMP would state that the information gathered during this monitoring is used to inform enterprise risk assessments.

Key Risk Indicator Monitoring

The proposed CRMP would state that key risk indicators (“KRIs”) are qualitative or quantitative metrics designed to identify changes to risks. The proposed CRMP would state that Corporate Risk and Risk Owners utilize KRIs to measure and monitor levels of risk against risk appetite and risk tolerances. The proposed CRMP would state that KRIs are established at a risk sub-category level. KRIs include three thresholds: green, amber, and red. The proposed CRMP would state that green indicates a low risk of breaching tolerance, amber indicates a moderate risk of breaching tolerance, and red indicates a breach of tolerance. The proposed CRMP would state that amber and red thresholds are points of escalation to the CRO, Management Committee, and the Board. The proposed CRMP would state that Risk Owners, in collaboration with Corporate Risk, develop KRIs by considering business (e.g., process and controls) and regulatory requirements. The proposed CRMP would state that Corporate Risk facilitates identifying, modifying, and reviewing KRIs with a designated Management Committee member, including defining and reviewing the risk tolerance and risk thresholds for the KRI. The proposed CRMP would state that KRIs that breach the red threshold result in the development and execution of risk treatment plans by Risk Owners. The proposed CRMP would state that Corporate Risk reports against red, amber, and green thresholds to the CRO and Management Committee on a quarterly basis and to the Board at each regularly scheduled meeting.

Operational Risk Event Monitoring

The proposed CRMP would state that an operational risk event is an event which results in a financial loss or an adverse impact to OCC or its ability to deliver its services.
The proposed CRMP would state that such events arise from failed or inadequate internal processes, people, systems, or exposure to external events. The proposed CRMP would state that Risk Owners are responsible for identifying, assessing, and escalating operational risk events. The proposed CRMP would provide that Corporate Risk is responsible for ensuring that material operational risk events, as well as identified trends, are reported to the CRO and Management Committee on a quarterly basis and to the Board at each regularly scheduled meeting. The proposed CRMP would state that Risk Owners perform root cause analysis and enhance or develop processes that would reduce the impact or likelihood of similar events occurring in the future. The proposed CRMP would state that Risk Owners are responsible for escalating operational risk events causing serious and extended disruptions in production operations. The proposed CRMP would state that risk events that have a major or extreme impact to OCC’s ability to perform its clearance, settlement and risk management services are immediately reported to the Management Committee and Board.

CRMP: Risk Treatment

The CRMP would introduce a new section to describe OCC’s risk treatment process, which is the process by which Risk Owners manage risk exposures by utilizing risk treatment methods to remain within risk appetites and tolerances. The proposed CRMP would state that risk treatment methods are implemented by Risk Owners and include the decision to mitigate, avoid, transfer, or accept an identified risk.
The proposed CRMP would state that mitigation is a risk treatment method where controls including policies, procedures, processes, and systems can be implemented to manage a risk within established risk appetites and tolerances (e.g., OCC creates a procedure to document a process including implementing controls to mitigate a risk). The proposed CRMP would state that avoidance is a risk treatment method that may be used when controls are ineffective at preventing or mitigating a risk within approved risk appetites or tolerances (e.g., OCC does not onboard a clearing member due to poor financial health). The proposed CRMP would state that transference is a risk treatment method where risks are moved to a third party, usually through the purchase of insurance (e.g., fraud, general liability, and employment insurance). Insurance coverage would be coordinated by the Corporate Finance team, with involvement from other first and second line stakeholders, and subject to review by the Management Committee and the Board. The proposed CRMP would state that acceptance is a risk treatment method that may be used to acknowledge when the cost or complexity of avoiding, mitigating, or transferring the risk exceeds the potential impact (e.g., OCC accepts a risk temporarily and implements short-term mitigants, knowing that a long-term solution is planned). The proposed CRMP would state that Corporate Risk evaluates risk acceptances submitted by Risk Owners. The proposed CRMP would state that any risks presented for acceptance that are outside of risk appetite or risk tolerance must be approved by the Management Committee annually. The proposed CRMP would state that Corporate Risk reports on risks accepted above approved risk appetite or risk tolerance to the CRO, Management Committee, and Board.
CRMP: Risk Escalation, and Training

The proposed CRMP would also describe Corporate Risk’s process for escalating risks to the CRO, Management Committee, and Board and training employees about risk to support risk management and decision-making.

Escalation

The proposed CRMP would state that OCC employees are responsible for escalating risks through timely identification and reporting. The proposed CRMP would state that in accordance with OCC’s Employee Handbook and Policy Governance Policy, OCC employees are expected to escalate risks through their reporting line, OCC’s internal working groups, or to the Management Committee. The proposed CRMP would state that quarterly, Corporate Risk, through the CRO, escalates breaches of risk appetites and risk tolerances to the Management Committee, Board, and relevant Board committees. The proposed CRMP would state that escalation occurs (i) consistent with obligations established in the Management Committee Charter, Board Charter, Board Committee Charters, policies, and procedures, or (ii) anytime through the CRO directly to the Board.

Training

The proposed CRMP would state that OCC employees are trained to promote a culture of risk and control awareness. The proposed CRMP would state that Corporate Risk collaborates with other OCC departments to create and disseminate training to enable accountability, empower decision-making, promote risk awareness, and detail escalation. The proposed CRMP would state that this training promotes awareness of OCC’s regulatory requirements, policies, procedures, processes, controls, and standards of conduct.

Conforming Changes to OCC Risk Policies

Finally, OCC proposes to update other OCC Risk Policies to be consistent with the proposed RMF. Specifically, OCC would update references to the RMF Policy, including the summary of the RMF Policy in the Recovery and Orderly Wind-Down Plan, to refer to the RMF and CRMP.
References to the “Enterprise Risk Management” department or “ERM” would be changed to “Corporate Risk Management” or “Corporate Risk” to reflect that department’s name. In the case of the Collateral Risk Management Policy, OCC would delete reference to the Enterprise Risk Management Policy’s annual review of concentration limits because that review is conducted by Model Risk Management, which is part of Corporate Risk. The OCC Risk Policies would be further conformed to reflect that what was formerly referred to as OCC’s Model Validation Group is now referred to as Model Risk Management. OCC would also remove the Policy Exceptions and Violations sections of the applicable OCC Risk Policies as the exception and violation processes for all of the OCC Risk Policies would be covered by the new Risk Acceptances and Deviations section of the proposed RMF (as discussed above). OCC also proposes to make administrative updates to cross-references to other internal OCC policies and procedures and other administrative changes arising from OCC’s annual review of its risk management frameworks and procedures. Specifically, OCC would also revise the TPRMF to:

• Include General Business Risk as a type of risk that may be presented by third-party relationships;
• Revise the introduction of the onboarding and off-boarding monitoring of counterparties with multiple relationships with OCC to reference the respective procedures and work groups in the Third-Party Relationship Management section, which as evident from the existing TPRMF is not limited to monitoring by the Credit and Liquidity Risk Working Group, as that current introduction suggests;
• Delete reference to specific OCC Rules in favor of reference to Chapters of OCC’s Rulebook because the specific Rules currently identified are not a complete list of those in the identified Chapters that give OCC authority to act to protect OCC from exposure presented by a Clearing Member.
• Make other administrative changes to business unit names.

(2) Statutory Basis

OCC believes the proposed rule change is consistent with Section 17A of the Exchange Act 39 and Rule 17Ad–22(e)(3). Section 17A(b)(3)(F) of the Act 40 requires, in part, that the rules of a clearing agency be designed to promote the prompt and accurate clearance and settlement of securities transactions, to assure the safeguarding of securities and funds in the custody or control of the clearing agency or for which it is responsible, and in general, to protect investors and the public interest. Rule 17Ad–22(e)(3)(i) 41 requires, in part, that a covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to maintain a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne by the covered clearing agency, which includes risk management policies, procedures, and systems designed to identify, measure, monitor, and manage the range of risks that arise in or are borne by the covered clearing agency, that are subject to review on a specified periodic basis and approved by the board of directors annually. For the reasons addressed below, OCC believes the proposed changes are consistent with these requirements.

Consistency With Section 17A(b)(3)(F) of the Exchange Act

The proposed RMF and associated policies, including the CRMP, would be the foundation for a risk management framework designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in the OCC’s custody or control, and in general, protect investors and the public interest.
Risk management is the means by which OCC guards against disruption to OCC’s clearance and settlement services and loss of financial resources necessary to maintain OCC as a going concern or in OCC’s custody or control to address member defaults and liquidity shortfalls. As a clearing agency that has been designated a systemically important financial market utility by the Federal Stability Oversight Council, such disruption or losses may present systemic risks to the markets OCC serves, OCC’s Clearing Members, and other market participants, including investors, thereby harming the public interest. As described above, the proposed RMF would be designed to provide a foundation to support the risk management policies, procedures, and systems that make up OCC’s sound risk management framework. The proposed RMF would describe OCC’s overall framework for comprehensive risk management, including OCC’s framework to identify, measure, monitor and manage the risks faced by OCC in the provision of clearing, settlement and risk management services. The proposed RMF would provide the context for OCC’s risk management framework, identify OCC’s risk categories, describe the governance arrangements that implement risk management, and describe OCC’s program for risk management, including the three lines of defense structure. In addition, the proposed CRMP would support the proposed RMF by explaining OCC’s risk management activities related to enterprise risk. These changes are not meant to significantly alter OCC’s approach to risk management, but rather to present OCC’s approach to enterprise risk in a standalone policy, similar to OCC’s approach with OCC’s risk management.

39 15 U.S.C. 78q–1.

40 15 U.S.C. 78q–1(b)(3)(F).

41 17 CFR 240.17Ad–22(e)(3)(i).
OCC believes that more clearly delineating its overall approach to risk management and its approach to enterprise risk through two separate policies helps support risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC’s custody, and in general, protect investors and the public interest. Accordingly, OCC believes that establishing the RMF and CRMP is consistent with Section 17A(b)(3)(F) of the Act.42 The proposed RMF and CRMP would also make a number of substantive changes to OCC’s rules beyond the reorganization and restatement of existing OCC rules. Consistency of these changes with Section 17A(b)(3)(F) of the Act 43 is discussed below.

RMF Policy: Purpose Section

The purpose section of the RMF Policy would be revised to reflect the reorganization of content in the RMF Policy in the new RMF and CRMP, focusing on the purpose and intent of each of the newly proposed documents. The proposed change is designed to clearly explain the purpose of the proposed RMF and CRMP and their place in OCC’s overall framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne. OCC believes that providing this enhanced clarity in two of its key risk management policies would strengthen risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC’s custody or control or for which it is responsible, and in general, protect investors and the public interest.
Accordingly, OCC believes the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.44

RMF Policy: Context for Risk Management Framework and Risk Management Philosophy

OCC would delete the Context for Risk Management Framework and Risk Management Philosophy sections of the RMF Policy from the proposed RMF. These sections provide history and background information about OCC and its purpose in the financial market, but do not contain rules of OCC. Additionally, the information presented in the Risk Management Philosophy section serves as an additional purpose section and all items highlighted in this section are covered in the proposed RMF and CRMP. OCC believes that removing this extraneous information would enhance the clarity of these risk policies by focusing on the rules governing OCC’s overall risk framework and corporate risk management program and would strengthen risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC’s custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.45

42 15 U.S.C. 78q–1(b)(3)(F).

43 Id.

44 15 U.S.C. 78q–1(b)(3)(F).

45 15 U.S.C. 78q–1(b)(3)(F).

RMF Policy: Risk Appetite Framework and Tolerance

OCC proposes to make certain modifications to the description of its risk appetite framework, including descriptions of OCC’s use of a risk universe, risk appetites and risk tolerances, in the new CRMP. As described above, the proposed CRMP would revise certain terminology in OCC’s risk universe, such as organizing the universe into “risk categories,” “risk sub-categories,” and “risk statements” to effectively represent the Key Risks, Sub-categories, and Definitions that are discussed in the current RMF Policy. OCC would also modify certain governance requirements for the risk universe. Under the current RMF, Key Risks are approved by OCC’s Board and risk appetites for Key Risks are set by the business departments responsible for those risks in cooperation with Corporate Risk. Under the proposed CRMP, the risk universe would be owned and approved by OCC’s CRO and provided to the Management Committee and Board. The Board or the Risk Committee would ultimately be responsible for approving risk appetites and would continue to approve risk tolerances. The proposed CRMP would also provide additional details around the internal governance process for reviewing and approving risk categories, appetites, and tolerances and for monitoring risk tolerances. OCC would also remove the more general risk appetite statement definitions (i.e., no appetite, low appetite, moderate appetite, and high appetite), which are currently described in the RMF Policy, enabling OCC to use more detailed, qualitative risk appetite statements for each risk sub-category following the governance processes described above. In addition, OCC would change the cadence of risk reporting, including risk tolerance breaches, to align with the timing of OCC’s regular Board meetings. The proposed CRMP would also introduce the concept of risk rating scales, which provide an assessment of risk from an impact and likelihood perspective consistently across OCC and would be used to measure inherent and residual risk at a risk statement level.
OCC believes the proposed CRMP would provide a more comprehensive overview of the governance of OCC’s risk universe and enhance certain processes therein. The proposed CRMP would provide additional details around the internal governance process for reviewing and approving risk categories, appetites, and tolerances and for monitoring risk tolerances and improve the governance process for the risk universe by allowing the CRO to modify risk categories as needed, with oversight of Management Committee and Board, and provide the Board or Risk Committee with more direct responsibility for setting the appetites for those risks. For these reasons, OCC believes the proposed changes would strengthen risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC’s custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.46

RMF Policy: Risk Management Governance

OCC proposes to modify certain descriptions of its risk management governance arrangements in the new RMF. For example, OCC would update and streamline the description of the responsibilities of its Board as they are generally already addressed in the Board Charter.47 OCC also proposes to update the description of the responsibilities of the Management Committee, which primarily relates to the committee’s role and responsibilities in reviewing and recommending changes to OCC’s risk universe, as this would not be addressed in the proposed CRMP (as discussed above). OCC would also update the discussion of working groups and their responsibilities and include a description of the responsibilities of and development opportunities for OCC employees.
OCC believes the proposed changes would improve OCC’s risk framework by presenting a more concise, clear, and transparent description of OCC’s risk management governance and thereby promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC’s custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.48

RMF Policy: Identification of Key Risks

OCC proposes to replace the Identification of Key Risks section of the RMF Policy, which provides a brief description of OCC’s policies and procedures for managing each of those Key Risks and their respective Risk Sub-Categories, with a new OCC Risk Management section of the proposed RMF. The proposed RMF would reorganize the focus of this description to align with the three lines of defense model currently described in the RMF Policy and describe the types of risks managed by each line of defense. The new OCC Risk Management section of the RMF would: (i) restate existing content of the RMF; (ii) introduce new content not currently contained in OCC’s RMF Policy; and (iii) delete certain aspects of the RMF Policy.

46 15 U.S.C. 78q–1(b)(3)(F).

47 See supra notes 16 and 17.

48 15 U.S.C. 78q–1(b)(3)(F).
The proposed RMF would continue to refer to the same rules and OCC Risk Policies currently maintained by OCC (and described in the RMF) to address such risks and which are currently filed with the Commission as rules of OCC.49 OCC also proposes to remove certain details concerning its management of operational risk (e.g., quality standards program, cybersecurity program, system functionality and capacity, and business continuity program) as these aspects of its operational risk management would be contained in a new Operational Risk Management Framework document, which is currently being finalized by OCC, and will contain a more detailed and comprehensive overview of OCC’s framework for managing operational risk. OCC believes these proposed changes would present a comprehensive, clear, and transparent description of the key risks faced by OCC and the assignment of responsibility for managing such risk, thereby strengthening risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC’s custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.50

RMF Policy: Risk Management Practice

OCC proposes to relocate the discussion of its enterprise risk assessments, scenario analysis program, and risk reporting process to the new CRMP. As discussed above, the proposed CRMP is designed to more accurately and completely describe the risk assessment, monitoring, and reporting processes conducted by Corporate Risk.
Additionally, OCC would eliminate the specific IT Risk Assessment section of the RMF Policy, as these details would be more appropriately addressed in the forthcoming Operational Risk Management Framework document, and would also remove the Compliance Risk Assessment section of the RMF Policy because this information is appropriately covered in the Compliance section of the proposed RMF. OCC believes the proposed changes would result in an improved description of Corporate Risk’s risk assessment, scenario analysis, and risk reporting responsibilities and thereby strengthen risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC’s custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.51

49 See supra notes 20–26 and associated text.

50 15 U.S.C. 78q–1(b)(3)(F).

RMF Policy: Control Activities

OCC proposes to replace the Control Activities section of the RMF Policy with more general and broader descriptions of Compliance’s responsibilities in the proposed RMF. In addition, under the proposed CRMP, responsibility for maintaining OCC’s inventory of all business processes, risks, and associated controls would move from Compliance to Corporate Risk. As such, Corporate Risk would be responsible for reviewing the design of controls. Compliance would continue to perform design testing.
OCC believes that assigning responsibility for reviewing control design to Corporate Risk is appropriate given its responsibilities in the enterprise risk assessment process, as part of which Corporate Risk leads quarterly workshops that assess the likelihood and impact of risks by reviewing data from across OCC, including risk events, Internal Audit findings, security risk assessments and observations, third-party observations, control design assessments, management control self-testing results, and business impact analyses, supplemented by information from emerging risk surveys (top-down), process-based risk assessments (bottom-up), and enterprise technology assessments. This enterprise risk assessment process affords Corporate Risk a holistic view of risk and controls, which OCC believes puts Corporate Risk in a unique position to review and improve control design with respect to controls intended to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC’s custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.\52\

    \51\ 15 U.S.C. 78q–1(b)(3)(F).
    \52\ 15 U.S.C. 78q–1(b)(3)(F).

RMF Policy: Exceptions and Violations

OCC proposes to replace the individual Policy Exceptions and Violations sections in the current RMF Policy and other OCC Risk Policies with a new Risk Acceptances and Deviations section in the RMF. The proposed change would provide for a single framework for risk acceptances, exceptions, deviations, and the escalation of deviations across OCC’s filed policies rather than requiring each policy to have its own individual Policy Exceptions and Violations sections, which may over time become inconsistent as policies are updated at different times. 
Such inconsistency could create confusion about escalation obligations and procedures, which could in turn lead to failure to escalate issues appropriately. Accordingly, OCC believes that improving the documentation for its escalation process would strengthen risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC’s custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.\53\

New Sections in Proposed RMF and CRMP

OCC proposes to add new sections to the proposed RMF and CRMP to provide additional details concerning its overall framework for managing risk and its approach to enterprise risk management. For example, the proposed RMF would include a new section discussing OCC’s Recovery and Orderly Wind-Down Plan. In addition, the CRMP would introduce a new section to describe Corporate Risk’s Risk Monitoring process, including key risk indicator monitoring and operational risk event monitoring. The CRMP would also introduce a new section to describe OCC’s risk treatment process, which is the process by which Risk Owners manage risk exposures by utilizing risk treatment methods to remain within risk appetites and tolerances. Additionally, the proposed CRMP would also describe Corporate Risk’s process for escalating risks to the CRO, Management Committee, and Board and training employees about risk to support risk management and decision-making. The proposed changes would provide a more comprehensive and transparent discussion of OCC’s overall framework for managing risk and its approach to enterprise risk management. 
OCC believes the proposed enhancements to its risk management documentation would serve to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC’s custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.\54\

For the reasons set forth above, OCC believes the proposed rule change would promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in the custody or control of the clearing agency or for which it is responsible, and in general, to protect investors and the public interest in accordance with Section 17A(b)(3)(F) of the Act.\55\

Consistency With Rule 17Ad–22 Under the Exchange Act

OCC believes that the proposed rule change is generally consistent with Rule 17Ad–22(e)(3)(i) \56\ because the proposed RMF would describe OCC’s comprehensive framework for identifying, measuring, monitoring and managing the risks that arise within OCC or are borne by it, including legal, credit, liquidity, operational, general business, investment and custody risk. Moreover, the proposed CRMP would explain that Corporate Risk evaluates risks that may affect OCC’s ability to perform the services detailed in the proposed RMF. The proposed RMF would explain how OCC employs established practices, such as the three lines of defense model for enterprise-wide risk management, to ensure that OCC maintains and operates a resilient, effective and reliable risk management and internal control infrastructure that assures risk management and processing outcomes expected by OCC stakeholders. 
The proposed CRMP would describe how OCC’s second line of defense monitors the risks that arise in or are borne by OCC through a variety of risk assessment, risk reporting, evaluation and internal control management activities, consistent with the requirements of Rule 17Ad–22(e)(3)(i).\57\ The proposed CRMP would describe OCC’s use of risk appetites and risk tolerances to evaluate OCC’s risks across its risk universe to ensure that OCC sets appropriate levels and types of risk that OCC is willing and able to assume in accordance with OCC’s mission as a systemically important financial market utility. For example, the use of risk appetites allows OCC to carefully calibrate the levels of risk it accepts in a manner consistent with OCC’s core mission of promoting financial stability in the markets it serves. In addition, the use of risk tolerances helps to inform whether risks are within Board-approved risk appetites. As a result, OCC believes the proposed RMF, as supported by the CRMP, is reasonably designed to provide for a sound, comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad–22(e)(3)(i).\58\

    \53\ 15 U.S.C. 78q–1(b)(3)(F).
    \54\ 15 U.S.C. 78q–1(b)(3)(F).
    \55\ 15 U.S.C. 78q–1(b)(3)(F).
    \56\ Id.
    \57\ Id.

RMF Policy: Risk Appetite Framework and Tolerance

As described herein, OCC proposes to make certain modifications to the description of its risk appetite framework, including descriptions of OCC’s use of a risk universe, risk appetites and risk tolerances and the governance process for maintaining the risk universe, in the proposed CRMP. 
The proposed CRMP would also introduce the concept of risk rating scales, which provide an assessment of risk from an impact and likelihood perspective consistently across OCC and would be used to measure inherent and residual risk at a risk statement level. OCC believes the proposed CRMP would provide a more comprehensive overview of the governance of OCC’s risk universe and enhance certain processes therein. The proposed CRMP would also provide additional details around the internal governance process for reviewing and approving risk categories, appetites, and tolerances and for monitoring risk tolerances and improve the governance process for the risk universe by allowing the CRO to modify risk categories as needed, with oversight of Management Committee and Board, and provide the Board or Risk Committee with more direct responsibility for setting the appetites for those risks. OCC believes the proposed changes are reasonably designed to provide for a sound, comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad–22(e)(3)(i).\59\

RMF Policy: Risk Management Governance

Rules 17Ad–22(e)(2)(i) and (ii) \60\ require that a covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to provide for governance arrangements that (i) are clear and transparent and (ii) clearly prioritize the safety and efficiency of the covered clearing agency. As discussed above, OCC proposes to modify certain descriptions of its risk management governance arrangements in the new RMF, including the roles and responsibilities of the Board, Management Committee, and OCC’s internal working groups. OCC believes the proposed changes would improve OCC’s risk framework by presenting a more clear, concise, and transparent description of OCC’s governance arrangements as they relate to the management of risk within OCC. 
As a result, OCC believes the proposed changes are reasonably designed to provide for governance arrangements that (i) are clear and transparent and (ii) clearly prioritize the safety and efficiency of the covered clearing agency in accordance with Rules 17Ad–22(e)(2)(i) and (ii).\61\

RMF Policy: Identification of Key Risks

As described above, OCC proposes to replace the Identification of Key Risks section of the RMF Policy with a new OCC Risk Management section of the proposed RMF. The proposed RMF would reorganize the focus of this description to align with the three lines of defense model currently described in the RMF Policy and describe the types of risks managed by each line of defense. As described herein, the new OCC Risk Management section of the RMF would: (i) restate existing content of the RMF; (ii) introduce new content not currently contained in OCC’s RMF Policy; and (iii) delete certain aspects of the RMF Policy. The proposed RMF would continue to refer to the same rules and OCC Risk Policies currently maintained by OCC (and described in the RMF) to address such risks and which are currently filed with the Commission as rules of OCC.\62\ OCC believes the proposed changes would present a more comprehensive, clear, and transparent description of the key risks faced by OCC and the assignment of responsibility for managing such risks. As a result, OCC believes the proposed RMF, as supported by the CRMP, is reasonably designed to provide for a sound, comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad–22(e)(3)(i).\63\

RMF Policy: Risk Management Practice

OCC proposes to relocate the discussion of its enterprise risk assessments, scenario analysis program, and risk reporting process to the new CRMP. As discussed above, the proposed CRMP is designed to more accurately and completely describe the risk assessment, monitoring, and reporting processes conducted by Corporate Risk. OCC believes the proposed changes would result in an improved description of Corporate Risk’s risk assessment, scenario analysis, and risk reporting responsibilities and is therefore reasonably designed to support a sound, comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad–22(e)(3)(i).\64\

RMF Policy: Exceptions and Violations

OCC proposes to replace the individual Policy Exceptions and Violations sections in the current RMF Policy and other OCC Risk Policies with a new Risk Acceptances and Deviations section in the RMF. The proposed change would provide for a single framework for risk acceptances and deviations, and the escalation of deviations across OCC’s filed policies rather than requiring each policy to have its own individual Policy Exceptions and Violations sections, which may over time become inconsistent as OCC’s individual risk policies evolve. This single framework would help to avoid ambiguities or confusion about escalation obligations or procedures that might otherwise arise if changes to such procedures were not applied consistently. The change would also reduce the administrative burden of having to update each document within OCC’s universe of policies and procedures as OCC’s process for escalating risk acceptance and deviations from those policies and procedures matures over time. OCC believes that improving the documentation for its escalation processes is reasonably designed to support its comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad–22(e)(3)(i).\65\

    \58\ Id.
    \59\ Id.
    \60\ 17 CFR 240.17Ad–22(e)(2)(i) and (ii).
    \61\ Id.
    \62\ See supra notes 20–26 and associated text.
    \63\ 17 CFR 240.17Ad–22(e)(3)(i).
    \64\ Id.

New Sections in Proposed RMF and CRMP

OCC proposes to add new sections to the proposed RMF and CRMP to provide additional details concerning its overall framework for managing risk and its approach to enterprise risk management. For example, the proposed RMF would include a new section discussing OCC’s Recovery and Orderly Wind-Down Plan \66\ and introduce a new section to describe Corporate Risk’s Risk Monitoring process, including key risk indicator monitoring and operational risk event monitoring. The CRMP would also introduce a new section to describe OCC’s risk treatment process and would also describe Corporate Risk’s process for escalating risks to the CRO, Management Committee, and Board and training employees about risk to support risk management and decision-making. The proposed changes would provide a more comprehensive and transparent discussion of OCC’s overall framework for managing risk and its approach to enterprise risk management. OCC believes the proposed changes are therefore reasonably designed to provide for a sound, comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad–22(e)(3)(i).\67\

Consistency With Section 19(b) of the Exchange Act

Section 19(b)(1) of the Act \68\ and Rule 19b–4 \69\ thereunder set forth the requirements for SRO proposed rule changes, including the regulatory filing requirements for “stated policies, practices and interpretations.” \70\ OCC proposes to retire its existing RMF Policy, which was, in part, previously filed as an OCC “rule” with the Commission, as the RMF and CRMP would replace the RMF Policy in its entirety. Under the proposal, the material aspects of OCC’s overall risk management framework and Corporate Risk program would be contained in the proposed RMF and CRMP described herein. As described in detail herein, various details in the current RMF Policy would no longer be OCC rule text following adoption of the RMF and CRMP. Specifically, OCC believes that removing the following sections of the current RMF Policy from OCC’s rule text is consistent with Section 19(b)(1) of the Act and Rule 19b–4 because they are administrative in nature and do not address material aspects of the operation of the facilities of OCC:

• The Context for Risk Management Framework and Risk Management Philosophy sections providing history and background information about OCC and its purpose in the financial markets; \71\
• Sections of the RMF Policy related to project planning, corporate budgeting, and Human Resources and Compliance training; and
• The Risk Universe, which reflects the output of policies and processes described in the RMF Policy (and eventually, the proposed CRMP).

Accordingly, OCC believes the proposed changes would be consistent with the requirements of Section 19(b)(1) of the Act and Rule 19b–4 thereunder.\72\

(B) Clearing Agency’s Statement on Burden on Competition

Section 17A(b)(3)(I) of the Act \73\ requires that the rules of a clearing agency not impose any burden on competition not necessary or appropriate in furtherance of the purposes of the Act. OCC does not believe that the proposed rule changes would impact or impose any burden on competition. The proposed rule change clearly and transparently presents the framework OCC uses to identify, monitor and manage its risks. While the proposed rule change would enhance OCC’s framework of risk management documentation, these updates do not affect Clearing Members’ access to OCC’s services or impose any direct burdens on Clearing Members. Accordingly, the proposed rule change would not unfairly inhibit access to OCC’s services or disadvantage or favor any particular user in relationship to another user.

For the foregoing reasons, OCC believes that the proposed rule change is in the public interest, would be consistent with the requirements of the Act applicable to clearing agencies, and would not impact or impose a burden on competition.

    \65\ Id.
    \66\ OCC believes this proposed change also supports compliance with Exchange Act Rule 17Ad–22(e)(3)(ii), which requires a covered clearing agency to maintain a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne by the covered clearing agency, which includes plans for the recovery and orderly wind-down of the covered clearing agency necessitated by credit losses, liquidity shortfalls, losses from general business risk, or any other losses. See 17 CFR 240.17Ad–22(e)(3)(ii).
    \67\ 17 CFR 240.17Ad–22(e)(3)(i).
    \68\ 15 U.S.C. 78s(b)(1).
    \69\ 17 CFR 240.19b–4.
    \70\ See supra note 38.
    \71\ Additionally, OCC believes the information presented in the Risk Management Philosophy section serves as an additional purpose section and that all items highlighted in this section would be covered in, or otherwise reasonably and fairly implied by, the proposed RMF and CRMP.
    \72\ See 15 U.S.C. 78s(b)(1) and 17 CFR 240.19b–4.
    \73\ 15 U.S.C. 78q–1(b)(3)(I).

(C) Clearing Agency’s Statement on Comments on the Proposed Rule Change Received From Members, Participants or Others

Written comments on the proposed rule change were not and are not intended to be solicited with respect to the proposed rule change and none have been received.

III.
Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action

Within 45 days of the date of publication of this notice in the Federal Register or within such longer period up to 90 days (i) as the Commission may designate if it finds such longer period to be appropriate and publishes its reasons for so finding or (ii) as to which the self-regulatory organization consents, the Commission will: (A) by order approve or disapprove such proposed rule change, or (B) institute proceedings to determine whether the proposed rule change should be disapproved. The proposal shall not take effect until all regulatory actions required with respect to the proposal are completed.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission’s internet comment form (https://www.sec.gov/rules/sro.shtml); or
• Send an email to rule-comments@sec.gov. Please include File Number SR–OCC–2022–010 on the subject line.

Paper Comments

• Send paper comments in triplicate to Vanessa Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090.

All submissions should refer to File Number SR–OCC–2022–010. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s internet website (https://www.sec.gov/rules/sro.shtml). 
Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission’s Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of such filing also will be available for inspection and copying at the principal office of OCC and on OCC’s website at https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules.

All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly.

All submissions should refer to File Number SR–OCC–2022–010 and should be submitted on or before October 17, 2022.

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.\74\

J. Matthew DeLesDernier,
Deputy Secretary.

    \74\ 17 CFR 200.30–3(a)(12).

[FR Doc. 2022–20728 Filed 9–23–22; 8:45 am]
BILLING CODE 8011–01–P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34–95837; File No. SR–DTC–2022–009]

Self-Regulatory Organizations; The Depository Trust Company; Notice of Filing and Immediate Effectiveness of a Proposed Rule Change To Make Clarifications to the DTC Rules Concerning the Admission of Participants to DTC’s Premises and DTC’s Authority To Impose Fines

September 20, 2022.

Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) \1\ and Rule 19b–4 thereunder,\2\ notice is hereby given that on September 14, 2022, The Depository Trust Company (“DTC”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule change as described in Items I, II and III below, which Items have been prepared by the clearing agency. DTC filed the proposed rule change pursuant to Section 19(b)(3)(A) of the Act \3\ and Rule 19b–4(f)(4) thereunder.\4\ The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.

I. Clearing Agency’s Statement of the Terms of Substance of the Proposed Rule Change

The proposed rule change consists of amendments to DTC Rules, By-Laws and Organization Certificate (“Rules”) concerning the admission of Participants to DTC’s premises and DTC’s authority to impose fines. DTC filed the proposed rule change pursuant to Section 19(b)(3)(A) of the Act \5\ and Rule 19b–4(f)(4) \6\ thereunder so that the proposal was effective upon filing with the Commission, as described in greater detail below.\7\

II. Clearing Agency’s Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, the clearing agency included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. The clearing agency has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements.

(A) Clearing Agency’s Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

1. Purpose

DTC proposes to revise its Rules to clarify requirements related to the admission of Participants to DTC’s premises and DTC’s authority to impose fines. The proposed changes are described in detail below. 
DTC Rule 17 provides, among other things, that necessary credentials for entering DTC’s premises shall be provided as specified in the Procedures.\8\ The rule further provides that, unless revoked by DTC, all credentials, authorizations and powers of attorney issued pursuant to Rule 17 or in connection with the work of DTC shall remain in full force and effect until DTC shall have received notice of the revocation thereof or of the termination of the holder’s employment.\9\

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b–4.
    \3\ 15 U.S.C. 78s(b)(3)(A).
    \4\ 17 CFR 240.19b–4(f)(4).
    \5\ 15 U.S.C. 78s(b)(3)(A).
    \6\ 17 CFR 240.19b–4(f)(4).
    \7\ Terms not defined herein are defined in the Rules, available at https://dtcc.com/~/media/Files/Downloads/legal/rules/dtc_rules.pdf.

DTC proposes to revise Rule 17 to delete the requirement that necessary credentials for entering DTC’s premises be provided as specified in the Procedures. DTC does not currently maintain in its Procedures any specifications for providing such credentials. The proposed rule change would therefore remove outdated rule language that may cause confusion for DTC’s Participants and readers of its Rules.

DTC also proposes to revise Rule 17 to clarify that Participants must provide “written” notice of the revocation of any credentials, authorizations and powers of attorney or the termination of the holder’s employment in order for such revocation or termination to become effective pursuant to Rule 17. 
The proposed rule change would clarify the appropriate method for notifying DTC of a revocation or termination of credentials and conform the notification requirement in Rule 17 to the requirements of DTC’s affiliate clearing agencies, providing clear and consistent requirements across the clearing agencies’ rules.\10\

DTC Rule 21 discusses DTC’s authority to discipline Participants or Pledgees for, among other things, violations of DTC’s Rules or Procedures.\11\ DTC’s disciplinary authority includes imposing any of the following sanctions: expulsion; suspension; limitation of activities, functions and operations; fine; censure; and any other fitting sanction.

    \8\ The contents of all DTC Service Guides constitute “Procedures” of DTC. The Procedures may be found on DTCC’s public website, available at https://www.dtcc.com/legal/rules-and-procedures.
    \9\ See Rule 17, supra note 7.
    \10\ See National Securities Clearing Corporation (“NSCC”) Rule 27, Fixed Income Clearing Corporation (“FICC”) Government Securities Division (“GSD”) Rule 27, and FICC Mortgage Back Securities Division (“MBSD”) Rule 20. The NSCC Rules & Procedures, FICC GSD Rulebook, and FICC MBSD Clearing Rules are available on DTCC’s public website, available at https://www.dtcc.com/legal/rules-and-procedures.
    \11\ See Rule 21, supra note 7.

DTC proposes to revise Rule 21 to state that fines shall be payable in the manner and at such time as determined by DTC from time to time. The proposed


[Federal Register Volume 87, Number 185 (Monday, September 26, 2022)]
[Notices]
[Pages 58409-58425]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-20728]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-95842; File No. SR-OCC-2022-010]


Self-Regulatory Organizations; the Options Clearing Corporation 
Notice of Filing of Proposed Rule Change by the Options Clearing 
Corporation Concerning a Risk Management Framework and Corporate Risk 
Management Policy

September 20, 2022.
    Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 
(``Exchange Act'' or ``Act''),\1\ and Rule 19b-4 thereunder,\2\ notice 
is hereby given that on September 6, 2022, the Options Clearing 
Corporation (``OCC'') filed with the Securities and Exchange Commission 
(``SEC'' or ``Commission'') the proposed rule change as described in 
Items I, II, and III below, which Items have been prepared by OCC. The 
Commission is publishing this notice to solicit comments on the 
proposed rule change from interested persons.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
---------------------------------------------------------------------------

I. Clearing Agency's Statement of the Terms of Substance of the 
Proposed Rule Change

    OCC files this proposed rule change to adopt a revised Risk 
Management Framework (``RMF'') as well as a new Corporate Risk 
Management Policy (``CRMP''). The RMF and CRMP are provided in 
Exhibits 5A and 5B of File No. SR-OCC-2022-010. The RMF and CRMP would 
replace the current OCC Risk Management Framework Policy (``RMF 
Policy''). These documents are being submitted without marking to 
improve readability and are being submitted in their entirety as new 
rule text. The RMF Policy, provided as Exhibit 5C of File No. SR-OCC-
2022-010, is submitted entirely in strikethrough text to indicate its 
retirement. In addition, OCC submits corresponding changes to its 
Clearing Fund Methodology Policy, Collateral Risk Management Policy, 
Default Management Policy, Margin Policy, Model Risk Management Policy, 
Recovery and Orderly Wind-Down Plan, and Third-Party Risk Management 
Framework (``TPRMF'') (collectively, the ``OCC Risk Policies'') to 
update any reference to the RMF Policy to refer instead to the proposed 
RMF. The OCC Risk Policies are provided as Exhibits 5D-5J of File SR-
OCC-2022-010. OCC submitted Exhibits 5D through 5I subject to a 
confidential treatment request under SEC Rule 24b-2.\3\
---------------------------------------------------------------------------

    \3\ 17 CFR 240.24b-2.
---------------------------------------------------------------------------

    The proposed rule change does not require any changes to the text 
of OCC's By-Laws or Rules. All terms with initial capitalization that 
are not otherwise defined herein have the same meaning as set forth in 
the OCC By-Laws and Rules.\4\
---------------------------------------------------------------------------

    \4\ OCC's By-Laws and Rules can be found on OCC's website: 
https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules.
---------------------------------------------------------------------------

II. Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

    In its filing with the Commission, OCC included statements 
concerning the purpose of and basis for the proposed rule change and 
discussed any comments it received on the proposed rule change. The text 
of these statements may be examined at the places 
specified in Item IV below. OCC has prepared summaries, set forth in 
sections (A), (B), and (C) below, of the most significant aspects of 
these statements.

(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

(1) Purpose
    OCC maintains various documents designed to define a comprehensive 
framework for managing OCC's various risks, including financial, legal, 
and operational risks. OCC's RMF Policy serves as an umbrella 
document describing OCC's framework for managing risk at a high level. 
As required by SEC Rule 17Ad-22(e)(3)(i), OCC routinely reviews its 
policies and procedures for potential improvements, such as providing 
more comprehensive descriptions and definitions as well as making the 
documents more clear, internally consistent, and well organized. Based 
on its routine review of the existing RMF Policy, OCC believes it 
should replace its current RMF Policy with two, more detailed 
documents. By making this change, described in detail below, OCC 
intends to enhance the clarity and transparency of its overall risk 
management framework. The change to OCC's documents will not affect 
OCC's members or other market participants. Rather, it is intended to 
better describe and strengthen OCC's internal risk management 
processes.
Background
    OCC proposes to amend its existing RMF Policy \5\ by establishing 
the RMF and CRMP. OCC believes the revised documents enhance the 
clarity and transparency of its overall risk management framework. 
Once approved, OCC plans to make the RMF and CRMP publicly available on 
its website (www.theocc.com). OCC believes the proposed revised RMF 
would continue to provide a foundation to support and describe the risk 
management policies, procedures, and systems that make up OCC's sound 
risk management framework.
---------------------------------------------------------------------------

    \5\ See Exchange Act Release No. 34-82232 (Dec. 7, 2017), 82 FR 
58662 (Dec. 13, 2017) (File No. SR-OCC-2017-005).
---------------------------------------------------------------------------

    In undertaking this revision of the RMF Policy, OCC is seeking to 
present its approach to risk management more clearly. The RMF Policy 
presents detailed information about OCC's second line functions, while 
also summarizing information about other risk management functions at 
OCC. OCC believes that the proposed RMF presents a clear summary of 
OCC's overall approach to risk management across its three lines of 
defense and, if necessary, its planning for recovery and wind-down. 
Consistent with the presentation of OCC's risk management across its 
three lines of defense, the RMF would refer to the CRMP, which would 
contain the detail behind OCC's second line corporate risk management 
program. OCC believes this is consistent with its approach to providing 
detailed information about its various functions in documents that 
stand separate from, but support and provide detail about the risk 
management activities summarized in, its proposed RMF.\6\
---------------------------------------------------------------------------

    \6\ For example, the RMF addresses risks managed by OCC's first 
line of defense through supporting policies and procedures, 
including, among other rule-filed policies, the Margin Policy, 
Collateral Risk Management Policy, Liquidity Risk Management 
Framework, and the Default Management Policy.
---------------------------------------------------------------------------

    The proposed RMF would provide an overview of risk management at 
OCC. The proposed RMF introduces the categories of risk OCC faces and 
then explains how OCC manages these risks. The proposed RMF includes an 
overview of OCC's risk universe, descriptions of risk management 
practices across OCC's three lines of defense model, a discussion of 
how OCC is also prepared, if necessary, with tools to manage both 
recovery and orderly wind-down, and the requirement to escalate 
exceptions to and deviations from OCC's risk management frameworks and 
policies to OCC's Corporate Risk Management and Compliance departments.
    The proposed CRMP would support the proposed RMF by explaining in 
greater detail OCC's risk management activities related to the second 
line of defense corporate risk management program. The proposed CRMP 
would explain that the OCC Corporate Risk Management department 
(``Corporate Risk''), formerly referred to as the Enterprise Risk 
Management department (``ERM''),\7\ evaluates risks that may affect 
OCC's ability to perform the functions detailed in the proposed RMF. As 
discussed below, the proposed CRMP would provide an overview of the 
activities overseen by Corporate Risk to identify, measure, monitor, 
manage, report, and escalate risks. Certain of this information is 
currently included in the RMF Policy, but OCC believes, consistent with 
other areas of risk managed by OCC, the details about its corporate 
risk management program should reside in the proposed CRMP. Other 
information would be new, including sections to describe Corporate 
Risk's risk monitoring, risk treatment, and risk escalation and 
training processes. Exhibit 3 to File No. SR-OCC-2022-010 summarizes 
the proposed reorganization of the RMF Policy into the RMF and CRMP.
---------------------------------------------------------------------------

    \7\ As part of the proposed rule change, OCC would reflect that 
OCC has renamed its ERM department as Corporate Risk and make 
conforming changes throughout the OCC Risk Policies. In addition to 
functions specific to enterprise risk monitoring, Corporate Risk 
includes other functions such as Model Risk Management and Third-
Party Risk Management.
---------------------------------------------------------------------------

Proposed Changes to Risk Management Framework Policy
    The proposed revisions to the RMF Policy are designed to present 
OCC's approach to risk management more clearly. For example, the RMF 
Policy currently presents detailed information about both the financial 
and corporate risk management functions at OCC. OCC proposes to adopt a 
new RMF to more clearly describe its overall risk framework. OCC also 
proposes to adopt a new CRMP to describe its approach to corporate risk 
management in more detail. The proposed changes to the current RMF 
Policy are discussed in detail below.
Purpose Section
    The purpose section of the RMF Policy would be replaced with 
purpose and introduction sections of the new RMF and CRMP, 
respectively. These sections would be revised to reflect the 
reorganization of content in the RMF Policy in the new RMF and CRMP, 
focusing on the purpose and intent of each of the newly proposed 
documents. For example, the purpose of the proposed RMF would be to: 
(i) describe how OCC manages risk while providing efficient and 
effective clearing and settlement services to the markets it serves; 
(ii) explain how OCC's governance model and three lines of defense 
facilitate risk management; and (iii) address OCC's ability to employ 
recovery tools and facilitate an orderly wind-down. The purpose of the 
proposed CRMP would be to describe OCC's corporate risk management 
approach, including activities to identify, measure, monitor, manage, 
report, and escalate risks to inform decision-making.
Context for Risk Management Framework and Risk Management Philosophy
    OCC proposes to delete the Context for Risk Management Framework 
and Risk Management Philosophy sections of the RMF Policy from the 
proposed RMF. OCC believes these sections provide history and 
background
information about OCC and its purpose in the financial markets, but do 
not contain rules of OCC. Additionally, OCC believes the information 
presented in the Risk Management Philosophy section serves as an 
additional purpose section and that all items highlighted in this 
section are covered in the proposed RMF or CRMP. For example, OCC's 
approach relative to risk appetite is mentioned in the Risk Management 
Philosophy section but is covered in more comprehensive detail in the 
CRMP.
Risk Appetite Framework and Tolerance
    The RMF Policy describes OCC's risk appetite framework, including 
descriptions of OCC's use of a risk universe, risk appetites,\8\ and 
risk tolerances.\9\ The RMF Policy also describes the use of Key Risks 
\10\ and Risk Sub-categories to define the universe of risks faced by 
OCC and the Risk Appetite Statements \11\ assigned to such risks. OCC 
proposes to relocate this information to the Risk Governance section of 
the proposed CRMP. However, an overview of OCC's risk universe would be 
retained in the RMF, including a description of the main risk 
categories and that, pursuant to the CRMP, these categories are broken 
down to risk-subcategories and risk statements, as described below, 
which comprise OCC's risk universe that OCC manages through the three 
lines of defense model to maintain effective clearing and settlement 
operations.
---------------------------------------------------------------------------

    \8\ Risk appetites are qualitative articulations of the amount 
of risk OCC is willing to accept and establish expectations for 
OCC's risk management.
    \9\ Risk tolerances are qualitative or quantitative measures 
that help inform whether risks are within risk appetites.
    \10\ The RMF Policy defines Key Risk to mean risk that is 
related to the foundational aspects of CCP clearing, settlement, and 
risk management services.
    \11\ The RMF Policy defines Risk Appetite Statement to mean a 
statement that expresses OCC's judgment, for each of OCC's Key 
Risks, regarding the level of risk OCC is willing to accept related 
to the provision of CCP services.
---------------------------------------------------------------------------

    The proposed CRMP would state that the establishment and 
maintenance of OCC's risk universe, risk appetites, risk tolerances, 
and risk rating scales is facilitated by Corporate Risk and used across 
OCC to create a transparent means to manage risk. The proposed CRMP 
would also state that Corporate Risk establishes the risk universe, 
which organizes OCC's risks into the following three layers to classify 
and aggregate risks:
    • Risk categories, which are the highest-level groups of 
risk aggregation;
    • Risk sub-categories, which further classify risks within 
risk categories into detailed groups; and
    • Risk statements, which are descriptions of the drivers, 
events, and consequences of risks.

The terms ``risk categories,'' ``risk sub-categories,'' and ``risk 
statements'' essentially represent the Key Risks, Sub-categories, and 
Definitions that are discussed in the current RMF Policy. OCC believes 
the proposed terms better describe the elements that comprise OCC's 
risk universe and the relationship between them.
    Risk categories, sub-categories, appetites, and tolerances would 
continue to be reviewed on at least an annual basis. Under the current 
RMF, Key Risks are approved by OCC's Board and risk appetites for Key 
Risks are set by the business departments responsible for those risks in 
cooperation with ERM. Under the proposed CRMP, the risk universe would 
be owned and approved by the Chief Risk Officer (``CRO'') and provided 
to the Management Committee. OCC believes the Chief Risk Officer, who 
is responsible for OCC's corporate risk management function, is the 
officer best situated to manage the risk universe. Changes to the RMF 
to reflect any changes to risk categories would continue to require 
Board approval. In addition, the Board or the Risk Committee, if the 
Board has delegated the Risk Committee such authority,\12\ would 
ultimately be responsible for approving risk appetites, which establish 
the type and amount of risk OCC is willing to accept. OCC believes that 
the Board or Risk Committee are best positioned to approve risk 
appetites because of their oversight role with respect to OCC's risk 
management. Additionally, the Board or Risk Committee would continue to 
be responsible for approving risk tolerances.
---------------------------------------------------------------------------

    \12\ The Board has approved such delegation of authority to the 
Risk Committee. See Exchange Act Release No. 94988 (May 26, 2022); 
87 FR 33535 (June 2, 2022) (File No. SR-OCC-2022-002).
---------------------------------------------------------------------------

    The proposed CRMP would also provide additional details around the 
internal governance process for reviewing and approving risk 
categories, appetites, and tolerances and for monitoring risk 
tolerances. For example, the proposed CRMP would state that at least 
every twelve months, Corporate Risk determines whether updates to the 
risk universe are necessary to better align risk categories, sub-
categories, and statements with OCC's clearance, settlement and risk 
management services. The proposed CRMP would require that risk category 
and sub-category updates are approved by the CRO while risk statements 
are approved by Corporate Risk management. The proposed CRMP would 
further provide that the Management Committee and Board are then 
notified of updates to risk categories and sub-categories.
    The proposed CRMP would state that at least every twelve months, 
risk appetites are established at a risk sub-category level and 
presented by the CRO to the Management Committee for recommendation to 
the Board or Risk Committee for approval. The proposed CRMP would 
require that Risk Owners manage the level of risk exposure posed by a 
process against risk appetites.\13\ The proposed CRMP would state that 
Corporate Risk monitors risks to identify breaches of risk appetite. 
The proposed CRMP would also provide that risk appetite breaches are 
escalated by the CRO to the Management Committee, Risk Committee, and 
Board. The proposed CRMP would state that Risk Owners, with input from 
relevant business areas, develop and execute risk treatment plans to 
reduce risks that exceed OCC's risk appetites.\14\ The proposed CRMP 
would state that at least every twelve months, Corporate Risk and Risk 
Owners review risk appetites and, where necessary, make adjustments to 
align with OCC's clearance, settlement and risk management services. 
The proposed CRMP would state that the CRO reviews and presents changes 
to risk appetites to the Management Committee for recommendation to the 
Board for approval. OCC proposes to remove the more general risk 
appetite statement definitions (i.e., no appetite, low appetite, 
moderate appetite, and high appetite), which are currently described in 
the RMF Policy, and would instead use more detailed qualitative risk 
appetite statements for each risk sub-category following the governance 
process described above.
---------------------------------------------------------------------------

    \13\ The proposed CRMP defines ``Risk Owner'' to mean an 
employee with the accountability and authority to manage the risk.
    \14\ The proposed CRMP would state that risk treatment is the 
process to manage a risk through avoidance, mitigation, 
transference, or acceptance.
---------------------------------------------------------------------------

    With respect to risk tolerances, the proposed CRMP would state that 
Risk Owners are responsible for managing applicable risks within 
established tolerances and developing risk treatment plans to resolve 
breaches of risk tolerance. The proposed CRMP would require that risk 
tolerance breaches are escalated by the CRO to the Management 
Committee, Risk Committee, and Board. The proposed CRMP would state 
that at least every twelve months, Corporate Risk and Risk Owners 
review risk tolerances and, where necessary, make adjustments to align 
with OCC's services. The proposed
CRMP would state that the CRO reviews and presents changes to risk 
tolerances to the Management Committee for recommendation to the Board 
for approval. As discussed below in connection with the monitoring of 
key risk indicators, the CRO would also monitor and report risk, 
including risk tolerance breaches, to the Board at each regularly 
scheduled meeting. OCC notes that it also proposes to change the 
reporting cadence to align with the timing of Board meetings to reflect 
that Board meetings typically, but do not always, occur on a quarterly 
schedule.\15\
---------------------------------------------------------------------------

    \15\ See, e.g., Exchange Act Release No. 94988, 87 FR at 33539 
(updating cadence of certain Board reporting to reflect that such 
reporting occurs at regular Board meetings).
---------------------------------------------------------------------------

    The proposed CRMP would also introduce the concept of risk rating 
scales, which provide an assessment of risk from an impact and 
likelihood perspective consistently across OCC. The proposed CRMP would 
state that OCC's risk rating scales rate the magnitude of impact an 
event will have on a process and the likelihood an event will occur. 
The proposed CRMP would state that the impact risk rating scale 
considers operational, internal financial, external financial, legal 
and regulatory, and reputational impacts. The proposed CRMP would state 
that the likelihood risk rating scale considers a 10-year financial 
cycle and yearly corporate planning activities. The proposed CRMP would 
state that these risk rating scales are used to measure inherent and 
residual risk at a risk statement level. The proposed CRMP would state 
that inherent risk is the level of risk exposure posed by a process 
absent any controls to reduce the likelihood or severity of an event. 
The proposed CRMP would state that residual risk is the level of risk 
exposure posed by a process or activity after the application of 
controls or other risk-mitigating factors. The proposed CRMP would 
state that at least every twelve months, Corporate Risk and Risk Owners 
perform a review of the risk rating scales. The proposed CRMP would 
state that the CRO reviews and approves changes to the risk scales. The 
proposed CRMP would state that the Management Committee and Board are 
notified of changes to the risk rating scales.
    OCC believes the proposed CRMP would provide a more comprehensive 
overview of OCC's risk governance framework and would include changes 
intended to improve certain processes therein. The proposed CRMP would 
provide additional details around the internal governance process for 
reviewing and approving risk categories, appetites, and tolerances and 
for monitoring risk tolerances and would describe OCC's risk rating 
scale process. The proposed changes would also improve the governance 
process for the risk universe by allowing the CRO to modify risk 
categories as needed, with oversight of the Management Committee, the Risk 
Committee and the Board, and provide the Board or Risk Committee with 
more direct responsibility for setting the appetites for those risks.
Risk Management Governance
    OCC proposes to relocate the Risk Management Governance section of 
the current RMF Policy to a new Governance section of the proposed RMF 
with certain modifications. OCC proposes to update the description of 
the responsibilities of the Board, which are generally already 
addressed in the Board of Directors Charter and Corporate Governance 
Principles (``Board Charter''),\16\ which is filed with the Commission 
as a rule of OCC.\17\ The proposed RMF would state that the Board is 
responsible for advising and overseeing management. The proposed RMF 
would state that pursuant to the OCC Board of Directors Charter and 
Corporate Governance Principles, the CRO presents a review of the RMF 
to the Board for approval at least annually. The proposed RMF would 
state that the Board may delegate the oversight of specific risks to 
Board-level committees (``Committees'').\18\ The proposed RMF would 
state that the Board may form or disband committees, including 
subcommittees to manage specific risks, as it from time to time deems 
appropriate, and may delegate authority to one or more designated 
members of such committees. The proposed RMF would state that the 
responsibilities of Board committees regarding managing risks are 
outlined in committee charters.
---------------------------------------------------------------------------

    \16\ The Board Charter can be found on OCC's public website: 
https://www.theocc.com/about/corporate-information/board-charter.
    \17\ See, e.g., Exchange Act Release No. 84473 (Oct. 23, 2018), 
83 FR 54385 (Oct. 29, 2018) (File No. SR-OCC-2018-012).
    \18\ The Board has delegated oversight of specific risks to 
Committees through the Committee Charters. For example, the Board 
has delegated oversight of OCC's financial, collateral, risk model 
and third-party risk management processes to the Risk Committee. See 
Exchange Act Release No. 94988, 87 FR at 33539 (File No. SR-OCC-
2022-002).
---------------------------------------------------------------------------

    OCC also proposes to update the description of the responsibilities 
of the Management Committee and working groups in the new RMF. The 
proposed RMF would state that OCC's Management Committee supports the 
management and conduct of its business in accordance with policy 
directives from the Board. The proposed RMF would state that the 
Management Committee includes officers \19\ responsible for ensuring 
that its actions and decisions are consistent with OCC's mission, Code 
of Conduct, Rules and By-Laws, policies, procedures, and general 
principles of sound corporate governance. The proposed RMF would state 
that the CRO is a member of the Management Committee and reports to the 
Risk Committee. The proposed RMF would state that the Management 
Committee may form and delegate authority to subcommittees and working 
groups of employees to conduct certain of its activities. The proposed 
RMF would state that subcommittees and working groups are responsible 
for reporting and escalating information as may be appropriate. This 
would replace the current description in the RMF Policy, which 
primarily relates to the committee's role and responsibilities in 
reviewing and recommending changes to OCC's risk universe, including 
risk appetites and tolerances, and escalating breaches of such to the 
Board. These responsibilities would now be addressed in the proposed 
CRMP (as discussed in the Risk Appetite Framework and Tolerance section 
above).
---------------------------------------------------------------------------

    \19\ The proposed RMF would state that the Management Committee 
may include, but is not limited to, the following officers: Executive 
Chairman, Chief Executive Officer, Chief Operating Officer, Chief 
Financial Risk Officer, Chief External Relations Officer, Chief Risk 
Officer, Chief Audit Executive, Chief Compliance Officer, Chief 
Financial Officer, Chief Human Resources Officer, Chief Information 
Officer, Chief Security Officer, Chief Legal Officer and General 
Counsel, Chief Clearing and Settlement Services Officer, and Chief 
Regulatory Counsel.
---------------------------------------------------------------------------

    The Governance section of the proposed RMF would also be updated to 
include a description of the responsibilities of OCC employees. The 
proposed RMF would state that OCC considers risk management during 
employee recruitment, development, training, and succession planning. 
The proposed RMF would state that OCC recruits and retains personnel 
with appropriate risk management knowledge, skills, and competencies. 
The proposed RMF would state that OCC also identifies successors for 
designated officers based on knowledge and experience. The proposed RMF 
would state that OCC provides internal and external development 
opportunities including required training related to risk, compliance, 
security, conflicts of interest, escalation of concerns, and the OCC 
Code of Conduct. The proposed RMF would state that OCC provides outlets 
for employees to anonymously report concerns that are reviewed by
OCC's Compliance, Human Resources, and Legal departments.
Identification of Key Risks
    The RMF Policy currently contains an Identification of Key Risks 
section that defines OCC's Key Risks and provides a brief description 
of OCC's policies and procedures for managing each of those Key Risks 
and their respective Risk Sub-Categories. OCC proposes to replace the 
Identification of Key Risks section with a new OCC Risk Management 
section of the proposed RMF, which would be reorganized to focus on the 
three lines of defense model currently described in the RMF Policy and 
describe the types of risks managed by each line of defense. The new 
OCC Risk Management section of the RMF would: (i) restate existing 
content of the RMF; (ii) introduce new content not currently contained 
in OCC's RMF Policy; and (iii) delete certain aspects of the RMF 
Policy. The changes are discussed in detail below.
    The proposed RMF would state that OCC employs a three lines of 
defense model. The proposed RMF would state that the model clarifies 
ownership and accountability and enhances communication for 
expectations around risk management throughout the organization. The 
proposed RMF would state that the first line of defense maintains 
policies, procedures, processes, and controls established for day-to-
day risk management. The proposed RMF would state that the second line 
of defense evaluates and provides effective challenge to the first line 
by executing critical analysis to identify process limitations and 
recommending changes to relevant policies, procedures, processes, 
systems, and controls. Lastly, the proposed RMF would state that the 
third line of defense is an internal audit function that reviews and 
provides objective assurance to the first and second lines. The 
proposed RMF would state that OCC employees report to members of the 
Management Committee. Consistent with the OCC Employee Code of Conduct, 
employees are expected to escalate risk information through their 
reporting line or to other members of management. The proposed RMF 
would state that risks identified at OCC are reported to the Management 
Committee and Board consistent with relevant charters and policies.
First Line of Defense
    The proposed RMF would state that the risk inherent in OCC's 
clearing and settlement services is managed by the first line of 
defense, which is responsible for owning and managing risks by 
maintaining policies, procedures, processes, systems, and controls that 
manage relevant risks. The proposed RMF would state that the first line 
of defense is comprised of OCC's operational business units, including 
Financial Risk Management (``FRM''), Business Operations, Information 
Technology, and Corporate Finance, and also includes corporate 
functions such as human resources and project management. The proposed 
RMF would state that the first line of defense is also accountable for 
maintaining internal controls, control self-testing, and implementing 
corrective action to address control deficiencies. The proposed RMF 
would state that the first line of defense maintains policies and 
associated procedures that detail the processes and controls 
implemented across business units which are used to execute risk 
management related to the clearing and settlement services detailed 
below.
Membership Standards
    The proposed RMF would state that membership standards are 
established by the Board and risk managed by OCC's Business Operations, 
FRM and Information Technology in accordance with OCC's TPRMF. The 
proposed RMF would state that OCC has risk-based clearing membership 
standards to manage the risks arising from Clearing Members. The 
proposed RMF would state that these requirements include applicable 
registrations, net capital requirements, creditworthiness, adequate 
operational capabilities, and maintaining qualified personnel. The 
proposed RMF would state that the Risk Committee reviews these 
standards to ensure OCC provides fair and open access to clearing and 
settlement services. The proposed RMF would state that Clearing Members 
that fail to meet the membership standards face the possibility of 
consequences up to and including suspension.
Credit
    The proposed RMF would state that OCC's credit risk is managed by 
Business Operations, FRM, and Corporate Finance. The proposed RMF would 
state that OCC is exposed to credit risk based on its role as guarantor 
of cleared contracts. The proposed RMF would state that OCC has credit 
risk related to Clearing Members and manages this exposure by 
collecting margin and Clearing Fund resources based on a Clearing 
Member's risk profile. The proposed RMF would state that OCC also faces 
credit risk from other financial institutions that facilitate payment, 
clearing, and settlement activities (e.g., clearing banks, custodians, 
and linked financial market utilities). The proposed RMF would state 
that FRM monitors its credit risk related to Clearing Members and 
financial institutions consistent with the TPRMF. The proposed RMF 
would state that FRM analyzes the creditworthiness of each financial 
institution, in addition to other information that could impact the 
financial institution's ability to facilitate payment, clearing, and 
settlement services.
Clearing Fund
    The proposed RMF would state that OCC's Clearing Fund is managed by 
FRM and Business Operations. The proposed RMF would state that OCC 
maintains a Clearing Fund comprised of high-quality liquid assets to 
cover its credit risk exposure from Clearing Members in accordance with 
OCC's confidential Clearing Fund Methodology Policy and Chapter X of 
OCC's Rules. The proposed RMF would state that FRM uses stress tests to 
project the Clearing Fund size necessary to maintain prefunded 
financial resources to cover losses arising from the default of the two 
Clearing Member Groups that would potentially cause the largest 
aggregate credit exposure to OCC in extreme but plausible market 
conditions. The proposed RMF would state that FRM also uses stress test 
results to determine the sufficiency of the Clearing Fund size and 
determine whether to issue calls for additional collateral or perform 
an intra-month Clearing Fund resizing. The proposed RMF would state 
that FRM reviews the adequacy of its Clearing Fund models through 
sensitivity analysis and an analysis of its parameters and assumptions. 
The proposed RMF would state that FRM reports the results of Clearing 
Fund model reviews to the Board.
Margin
    The proposed RMF would state that OCC's margin is managed by FRM 
and Business Operations. The proposed RMF would state that FRM utilizes 
a risk-based margin methodology to calculate Clearing Member margin 
requirements in accordance with OCC's confidential Margin Policy and 
Chapter VI of OCC's Rules. The proposed RMF would state that FRM 
calculates margin daily for Clearing Member accounts. The proposed RMF 
would state that intra-day margin calls may also be made for accounts 
incurring significant losses. The proposed RMF would state that FRM 
reviews the adequacy of its margin models through sensitivity analysis, 
backtests, and an analysis of its
parameters and assumptions. The proposed RMF would state that FRM 
reports the results of margin model reviews to the Board.
Collateral
    The proposed RMF would state that OCC's collateral risk is managed 
by Business Operations, Corporate Finance, and FRM in accordance with 
OCC's confidential Collateral Risk Policy and OCC Rules 604 and 1002. 
The proposed RMF would state that OCC requires its Clearing Members to 
deposit collateral as margin and Clearing Fund. The proposed RMF would 
state that OCC limits acceptable assets to those with low credit, 
market, and liquidity risks, and employs other risk mitigation tools, 
including collateral concentration limits. The proposed RMF would state 
that FRM applies risk-based haircuts and Business Operations revalues 
collateral daily to ensure margin and Clearing Fund requirements are 
met.
Default Management
    The proposed RMF would state that OCC's default management risk is 
managed by FRM in accordance with OCC's confidential Default Management 
Policy and Chapter XI of OCC's Rules. The proposed RMF would state that 
in the event of a Clearing Member default, OCC takes timely action to 
contain losses and liquidity pressures and continue to meet its 
obligations. The proposed RMF would state that OCC closes open 
positions in an orderly manner, which may include performing auctions, 
utilizing liquidation agents, or applying hedges. The proposed RMF 
would state that Margin and Clearing Fund deposits of the defaulting 
Clearing Member are used to offset these losses, followed by other 
financial resources. The proposed RMF would state that OCC performs 
default testing with the participation of designated Clearing Members 
and other stakeholders to evaluate its processes and systems, including 
close-out processes.
    The newly proposed Membership Standards, Credit, Clearing Fund, 
Margin, Collateral, and Default Management sections of the RMF would 
effectively replace the Credit Risk Management Framework section of 
OCC's RMF Policy and refer to the same OCC Risk Policies currently 
maintained by OCC (and described in the RMF) to address such risks and 
which are currently filed with the Commission as rules of OCC (e.g., 
the Margin Policy,\20\ Clearing Fund Methodology Policy,\21\ Collateral 
Risk Management Policy,\22\ Default Management Policy,\23\ and TPRMF 
\24\).
---------------------------------------------------------------------------

    \20\ See, e.g., Exchange Act Release No. 82355 (Dec. 19, 2017), 
82 FR 61058 (Dec. 26, 2017) (File No. SR-OCC-2017-007).
    \21\ See, e.g., Exchange Act Release No. 83735 (July 27, 2018), 
83 FR 37855 (Aug. 2, 2018) (File No. SR-OCC-2018-008).
    \22\ See, e.g., Exchange Act Release No. 82311 (Dec. 13, 2017), 
82 FR 60252 (Dec. 19, 2017) (File No. SR-OCC-2017-008).
    \23\ See, e.g., Exchange Act Release No. 82310 (Dec. 13, 2017), 
82 FR 60265 (Dec. 19, 2017) (File No. SR-OCC-2017-010).
    \24\ See, e.g., Exchange Act Release No. 90797 (Dec. 23, 2020), 
85 FR 86592 (Dec. 30, 2020) (File No. SR-OCC-2020-014).
---------------------------------------------------------------------------

Liquidity
    The proposed RMF would state that OCC's liquidity risk is managed 
by FRM and Corporate Finance. The proposed RMF would state that OCC 
manages its liquidity risk in accordance with its confidential 
Liquidity Risk Management Framework by maintaining a reliable and 
diverse set of committed resources and liquidity providers, 
establishing a contingent funding plan to collect additional resources, 
and performing stress testing that covers a wide range of scenarios 
that include the default of the Clearing Member Group that would 
generate the largest aggregate liquidity obligation in extreme but 
plausible market conditions. The proposed RMF would state that FRM also 
tests the sufficiency of its resources by forecasting daily settlement 
under normal and stressed market conditions and compares these results 
to the liquid resources maintained. The proposed RMF would state that 
FRM reports the results of these reviews to the Board. The new 
Liquidity section of the proposed RMF would replace the Liquidity Risk 
Management Framework section of the current RMF Policy and would 
summarize and refer to OCC's Liquidity Risk Management Framework as the 
governing document for managing OCC's liquidity risks while removing 
certain summary information that is more specifically addressed in the 
Liquidity Risk Management Framework.\25\
---------------------------------------------------------------------------

    \25\ See, e.g., Exchange Act Release 89014 (June 4, 2020), 85 FR 
35446 (June 10, 2020) (File No. SR-OCC-2020-003).
---------------------------------------------------------------------------

Settlement
    The proposed RMF would add a new section specifically discussing 
settlement risk (which is currently addressed indirectly in the 
Operational Risk section of the RMF Policy). The proposed RMF would 
state that OCC's settlement risk is managed by Business Operations in 
accordance with Chapters V and IX of OCC's Rules. The proposed RMF 
would state that OCC uses clearing banks to facilitate settlements on 
at least a daily basis. The proposed RMF would state that OCC issues 
instructions to clearing banks to debit or credit the account of a 
Clearing Member, and correspondingly debit or credit OCC's account, 
with a specific dollar amount by a specified time. The proposed RMF 
would state that settlement finality occurs when a clearing bank 
confirms the settlement instruction or is silent past the applicable 
deadline.
Custody and Investment
    The proposed RMF would state that OCC's custody and investment risk 
is managed by its Corporate Finance department, Business Operations, 
and FRM in accordance with OCC Rules 604 and 1002(b). The proposed RMF 
would state that OCC holds its own and its Clearing Members' assets at 
settlement and custodian banks, as well as at other financial market 
utilities. The proposed RMF would state that OCC requires settlement 
and custodian banks to meet minimum financial and operational 
requirements. The proposed RMF would state that OCC complies with 
applicable customer protection and segregation requirements for the 
handling of customer funds. The proposed RMF would state that OCC 
maintains working capital and non-invested Clearing Member cash in 
accounts that minimize delays in access to funds. The proposed RMF 
would state that OCC maintains accounts at the Federal Reserve to 
custody funds. The proposed RMF would state that OCC invests in 
instruments with minimal credit, market, and liquidity risks. The new 
Custody and Investment section of the proposed RMF would effectively 
replace the Investment Risk section of the RMF Policy, which also 
discusses OCC's use of Federal Reserve bank accounts and the investment 
of funds not held at the Federal Reserve.
General Business
    The proposed RMF would state that OCC's general business risk is 
managed by Corporate Finance, Information Technology, Business 
Operations and Financial Risk Management. The proposed RMF would state 
that Corporate Finance performs financial planning and analysis, 
reviews operating budgets and fee structures, and reviews business 
performance. The proposed RMF would state that OCC maintains liquid net 
assets funded by equity sufficient to cover potential general business 
losses and comply with financial resource requirements in accordance 
with its confidential Capital
Management Policy.\26\ Furthermore, the proposed RMF would state that 
Information Technology reviews OCC's ability to maintain its critical 
services under a range of scenarios, including adverse market 
conditions. The proposed RMF would state that Business Operations and 
Financial Risk Management also perform assessments to determine if 
potential new business opportunities fit within OCC's models and risk 
management systems. The new General Business section of the proposed 
RMF would replace the General Business Risk section (and in part, the 
Reputational Risk section) of the current RMF Policy, continue to refer 
to OCC's Capital Management Policy as the governing document for 
managing OCC's general business risks, and remove certain summary 
information that is more specifically addressed in OCC's Capital 
Management Policy.\27\
---------------------------------------------------------------------------

    \26\ See, e.g., Exchange Act Release 88029 (Jan. 24, 2020), 85 
FR 5500 (Jan. 30, 2020) (File No. SR-OCC-2019-007).
    \27\ See id.
---------------------------------------------------------------------------

Technology
    The proposed RMF would state that OCC's technology risk is managed 
by OCC's Information Technology. The proposed RMF would state that OCC 
uses technology solutions to manage risk and facilitate clearing and 
settlement by utilizing systems that have adequate levels of 
availability, security, resiliency, integrity, and adequate, scalable 
capacity based on their criticality. The proposed RMF would state that 
Information Technology manages technology risk by utilizing a 
structured technology delivery approach that provides for consistency 
and establishes responsibilities and requirements. The proposed RMF 
would state that Information Technology monitors and evaluates 
technology performance in part based on service levels related to data 
integrity, system availability, data timeliness, and data quality to 
manage technology risk. The proposed RMF would state that to achieve 
these service levels, Information Technology manages OCC's efforts 
across technology incidents, changes, configurations, system capacity, 
and evaluates system recoverability through disaster recovery testing. 
The Technology section of the proposed RMF, along with the Security 
section (discussed below), is intended to replace the Operational 
Risk--Information Technology section of the RMF Policy. These general 
details in the RMF would replace more specific information concerning 
OCC's quality standards program, cybersecurity program, and system 
functionality and capacity.\28\
---------------------------------------------------------------------------

    \28\ OCC intends to include a detailed discussion of these 
aspects of its operational risk management in a new Operational Risk 
Management Framework document, which is currently being finalized by 
OCC and will be filed with the Commission when it is complete.
---------------------------------------------------------------------------

Legal
    The proposed RMF would state that OCC's legal risk is managed 
through efforts across OCC that are advised by OCC's Legal department 
(``Legal''). The proposed RMF would state that OCC manages its legal 
risk by establishing, implementing and enforcing written documents that 
are reasonably designed to provide a well-founded, clear, transparent, 
and enforceable legal basis for each aspect of OCC's activities in all 
relevant jurisdictions and comply with applicable legal and regulatory 
requirements. The proposed RMF would state that in order to manage 
legal risk across OCC, employees are required to consult with Legal on 
legal and regulatory matters, including but not limited to 
interpretation of laws and regulations applicable to OCC, including 
OCC's Rules and By-Laws, legal claims against OCC, government or 
regulatory requests or inspections, and matters that may be the subject 
of a proposed rule change filing. The Legal section of the proposed RMF 
would replace, in part, the Legal Risk section of the RMF Policy, 
including by replacing a specific sub-section discussing OCC's 
maintenance of contracts with more general requirements that OCC 
establish, implement, and enforce written documents, including legal 
agreements, and maintain documents that are reasonably designed to 
provide a well-founded, clear, transparent, and enforceable legal basis 
for each aspect of OCC's activities, which would include any contracts 
regarding the material aspects of OCC's clearing, settlement, and risk 
management activities as discussed in the RMF Policy.
Second Line of Defense
    The proposed RMF would state that OCC's second line of defense 
includes compliance, corporate risk, third-party risk, model risk 
management, security, and business continuity. The proposed RMF would 
state that the second line has no operational authority or 
responsibility for the first line to prevent conflicts of interest. The 
proposed RMF would state that the second line provides objective 
analysis to identify potential enhancements and improvements to first 
line processes to help ensure compliance with applicable laws and 
regulations and prudent risk management. The proposed RMF would state 
that second line management reports to Board committees and has the 
authority to escalate information to the first line, Management 
Committee, and the Board. Additionally, the proposed RMF would state 
that second line management provides reports to the Board at least 
quarterly at its scheduled meetings.
Compliance
    The proposed RMF would state that OCC's Compliance department 
(``Compliance'') oversees OCC's management of compliance risk by 
adhering to applicable rules and regulations, policies, procedures, 
processes, controls, and standards of conduct. The proposed RMF would 
state that Compliance manages compliance risk by establishing processes 
to prevent, detect, respond to, and report on compliance risk. The 
proposed RMF would state that Compliance supports and assesses the 
management of compliance risk through advising, monitoring, reporting, 
testing, and training activities and maintains mechanisms for reporting 
unethical or fraudulent behavior or misconduct. The Compliance section 
of the proposed RMF would replace the Regulatory Compliance section of 
the RMF Policy and reframe this section based on the Compliance 
department's role in helping OCC manage compliance risk.
Corporate Risk
    The proposed RMF would state that Corporate Risk evaluates 
enterprise risk by identifying, measuring, monitoring, managing, 
reporting, and escalating risks to inform decision-making in accordance 
with the CRMP. The proposed RMF would state that Corporate Risk 
evaluates enterprise risk to provide an understanding of inherent and 
residual risks as compared against Board-approved levels.
Third-Party Risk
    The proposed RMF would state that OCC's Third-Party Risk Management 
business unit evaluates risks posed to OCC by third parties by 
identifying, measuring, monitoring, managing, reporting, and escalating 
risks as described in the TPRMF. The proposed RMF would state that 
Third-Party Risk Management aggregates information about the risks 
presented by third parties based on their relationships to OCC. The new 
Third-Party Risk section of the proposed RMF would replace the 
Third-Party Monitoring Program section of the RMF Policy and remove certain
details which are more comprehensively addressed in the TPRMF.\29\
---------------------------------------------------------------------------

    \29\ See supra note 24.
---------------------------------------------------------------------------

Model Risk Management
    The proposed RMF would state that Model Risk Management performs 
independent model validation, evaluates model parameters and 
assumptions, assesses mitigating factors, and provides effective and 
independent challenge throughout OCC's model lifecycle in accordance 
with its confidential Model Risk Management Policy. The proposed RMF 
would state that models are governed and independently assessed and 
certified to determine adequate performance. The proposed RMF would 
state that this includes model testing and performance monitoring 
(e.g., backtesting, sensitivity analysis). The new Model Risk 
Management section of the proposed RMF would replace the Model Risk 
section of the RMF Policy. This new section of the RMF would focus on 
Model Risk Management's role in helping OCC manage model risk and would 
remove certain details that are more comprehensively addressed in the 
Model Risk Management Policy.\30\
---------------------------------------------------------------------------

    \30\ See, e.g., Exchange Act Release No. 82785 (Feb. 27, 2018), 
83 FR 9345 (Mar. 5, 2018) (File No. SR-OCC-2017-011).
---------------------------------------------------------------------------

Security
    The proposed RMF would include new rule text stating that OCC's 
Security department (``Security'') manages information, physical, and 
personnel security risk to safeguard the confidentiality, integrity, 
and availability of corporate information systems and data assets 
implemented and maintained by Information Technology. The proposed RMF 
would state that Security employs a risk-based methodology and controls 
to manage information governance, system resiliency, and cyber 
security. In addition, the proposed RMF would state that Security 
maintains policies and procedures that require appropriate protective 
controls and event detection via security monitoring. The proposed RMF 
would state that Security evaluates its processes and controls through 
internal and external testing, scanning for threats and 
vulnerabilities, and benchmarking against industry standards.
    In addition, the proposed RMF would incorporate an existing portion 
of the RMF Policy concerning IT risk assessments conducted by Security 
prior to the procurement, development, installation and operation of IT 
services and systems, including the triggers that may change IT risks 
at OCC.\31\ Cross-references found in the RMF Policy to procedures that 
outline IT risk assessments at a procedural level would be removed. OCC 
does not believe that identifying the underlying procedure is necessary 
for understanding the process at a policy level.
---------------------------------------------------------------------------

    \31\ This discussion would replace the IT Risk Assessment 
section of the current RMF Policy. OCC intends to include a detailed 
discussion of its IT risk assessment in a new Operational Risk 
Management Framework document, which is currently being finalized by 
OCC and will be filed with the Commission when it is complete.
---------------------------------------------------------------------------

Business Continuity
    The proposed RMF would state that Business Continuity maintains a 
business continuity program that establishes OCC's plan for maintaining 
backup and recovery capabilities that are sufficiently resilient and 
geographically diverse to address both internal and external events 
that could impact OCC's operations.\32\
---------------------------------------------------------------------------

    \32\ The Business Continuity section of the RMF would replace 
the Business Continuity Program section of the current RMF Policy. 
OCC intends to include a detailed discussion of its Business 
Continuity Program in a new Operational Risk Management Framework 
document, which is currently being finalized by OCC and will be 
filed with the Commission when it is complete.
---------------------------------------------------------------------------

Third Line of Defense
    The proposed RMF would state that OCC's third line of defense 
consists of Internal Audit. Internal Audit is independent and reports 
directly to the Audit Committee of the Board (``Audit Committee'') to 
ensure this independence; the Audit Committee oversees the activities 
performed by Internal Audit in accordance with the Audit Committee 
Charter. The proposed RMF would state that Internal Audit has no 
responsibility for first- or second-line functions. The proposed RMF 
would state that Internal Audit designs, implements, and maintains an 
audit program that provides the Management Committee and Audit 
Committee independent and objective assurance related to the quality of 
OCC's risk management, governance, compliance, controls, and business 
processes in accordance with the confidential Internal Audit Policy. 
The proposed RMF would state that Internal Audit issues independent 
reports to the first and second line as well as the Audit Committee and 
Board. This section of the RMF would replace a discussion of the third 
line of defense in OCC's current RMF Policy and would remove certain 
details that are more comprehensively addressed in the Internal Audit 
Policy.\33\
---------------------------------------------------------------------------

    \33\ Such details include requirements related to the diversity 
and skills of Internal Audit personnel and the external standards of 
professionalism pursuant to which Internal Audit performs its 
functions.
---------------------------------------------------------------------------

Risk Management Practice
    The RMF Policy currently contains a Risk Management Practice 
section that describes OCC's three lines of defense model and 
Enterprise Risk Assessment program. As discussed above, OCC would 
relocate the discussion of its three lines of defense model to the new 
RMF. In addition, OCC proposes to relocate the discussion of its 
Enterprise Risk Assessment program to the new CRMP. OCC also proposes 
to relocate the Risk Reporting section of the RMF Policy to the CRMP. 
Additionally, OCC would eliminate the specific Compliance Risk 
Assessment section of the RMF Policy.
Enterprise Risk Assessment and Scenario Analysis Program
    The RMF Policy currently describes the Enterprise Risk Assessment 
process conducted by the first line and Corporate Risk. The RMF Policy 
provides that Enterprise Risk Assessments shall analyze Inherent 
Risk,\34\ the quality of risk management, and Residual Risk \35\ of the 
sub-categories of Key Risks and use analysis of Residual Risk in 
conjunction with metrics related to risk tolerances to develop a risk 
profile and determine whether a Key Risk is within its risk appetite. 
The RMF Policy also requires that Corporate Risk's analysis of Residual 
Risk be provided to the Management Committee and Board (or committee 
thereof) to inform them on the quantity of risk in a certain functional 
area or business area, and provide a mechanism to prioritize risk 
mitigation activities.
---------------------------------------------------------------------------

    \34\ The RMF Policy defines ``Inherent Risk'' to mean the 
absolute level of risk exposure posed by a process or activity prior 
to the application of controls or other risk-mitigating factors.
    \35\ The RMF Policy defines ``Residual Risk'' to mean the level 
of risk exposure posed to a process or activity after the 
application of controls or other risk-mitigating factors.
---------------------------------------------------------------------------

    The proposed CRMP would revise this description to more accurately 
and completely describe the risk assessment, monitoring, and reporting 
processes conducted by Corporate Risk. The proposed CRMP would state 
that enterprise risk assessments are a quarterly activity where the 
control environment is evaluated to determine its effectiveness in 
preventing or mitigating inherent risks identified to arrive at a 
residual risk rating for each risk statement. The proposed CRMP would 
state that Corporate Risk (and not Compliance, as specified in the RMF 
Policy) maintains an inventory of all
business processes, risks, and associated controls in a database used 
by OCC to manage Enterprise Governance, Risk and Compliance. The CRMP 
would state that Corporate Risk uses data from a variety of sources 
(e.g., risk events, Internal Audit findings, security risk assessments 
and observations, third-party observations, control design assessments, 
management control self-testing results, and business impact analyses) 
to rate the impact and likelihood of a risk and assess the quality of 
the control environment. The proposed CRMP would state that enterprise 
risk assessments are conducted through workshops across the first and 
second lines of defense and are supplemented by including information 
from emerging risk surveys (top-down), process-based risk assessments 
(bottom-up), and enterprise technology assessments. The proposed CRMP 
would state that quarterly, the results of the enterprise risk 
assessment (the levels of residual risk) are aggregated and provided to 
the CRO for approval and presented to the Management Committee and 
Board by the CRO. The CRMP would also elaborate on the use of residual 
risk, risk tolerances, and risk ratings and associated reporting as 
discussed in the Risk Governance section of the proposed CRMP and would 
also provide details on Corporate Risk's risk monitoring and risk 
treatment activities in new sections of the CRMP (as discussed further 
below).
    The RMF Policy also describes OCC's Scenario Analysis Program, 
which is an industry-standard method of identifying operational risks 
that may not be otherwise captured by the Enterprise Risk Assessment 
program. Pursuant to the RMF Policy, Corporate Risk and the first line 
design simulations of potential business disruptions, and business unit 
staff shall use such simulations to identify risks that may not have 
been previously uncovered or identify weaknesses in current controls. 
Corporate Risk includes the potential risks identified through the 
Scenario Analysis Program in its analysis of, and reporting on, the 
quantity of risk within a certain Key Risk and whether the Key Risk is 
within its risk appetite.
    OCC proposes to relocate the discussion of its Scenario Analysis 
Program to the CRMP with revisions designed to more accurately and 
completely describe the scenario analysis process. The proposed CRMP 
would state that operational scenario analysis is the process of 
leveraging OCC subject matter expertise to identify potential 
operational risks and assess the potential outcomes of stressed 
operations. The proposed CRMP would state that operational scenarios 
consider both internal and external scenarios that may impact OCC's 
ability to perform its clearance, settlement and risk management 
services. The proposed CRMP would state that Corporate Risk, through 
workshops with the first and second lines of defense, designs 
operational scenarios utilizing available information (e.g., annual 
top-risk survey conducted by Corporate Risk, Management Committee 
recommendation, enterprise risk assessments). The proposed CRMP would 
state that the workshops are designed to identify risks that may not 
have been previously uncovered or weaknesses in current controls. The 
proposed CRMP would state that operational scenarios are used to assess 
the potential that future extreme but plausible business disruptions 
may impact OCC's clearance, settlement and risk management services and 
are inputs in OCC's target capital requirements and recovery and wind-
down planning. The proposed CRMP would state that Risk Owners use 
scenarios to identify new and existing risks and identify weaknesses in 
current controls. The proposed CRMP would state that Corporate Risk 
includes potential risks identified through operational scenario 
analysis when analyzing and reporting across risk categories and sub-
categories.
Risk Reporting
    The proposed CRMP would contain a revised Risk Reporting section. 
The proposed CRMP would state that risk reporting provides a view of 
OCC's risks to facilitate risk management and inform decision-making. 
The proposed CRMP would state that Corporate Risk reports risks based 
on its risk identification, measurement, and monitoring activities to 
assist in the understanding of the risks OCC faces and whether these 
risks are being managed within OCC's risk tolerances and appetites. The 
proposed CRMP would state that quarterly, the CRO reports risks (e.g., 
risk appetite or risk tolerance breaches, material operational risk 
events, summary of risk acceptances, and risk mitigation) to the 
Management Committee, Board, and relevant Board committees.
Compliance Risk Assessment
    OCC proposes to remove a section of the RMF Policy specifically 
dedicated to the Compliance Risk Assessment program. This section 
currently provides a brief discussion of the Compliance department's 
program used to identify and measure the risks faced by OCC regarding 
regulatory compliance and prioritize the testing and training 
activities associated with such risks. OCC believes this section is 
appropriately addressed in the Compliance section of the proposed RMF 
(discussed in detail above), which provides that Compliance manages 
compliance risk by establishing processes to prevent, detect, respond 
to, and report on compliance risk and assesses the management of 
compliance risk through advising, monitoring, reporting, testing, and 
training activities and maintains mechanisms for reporting unethical or 
fraudulent behavior or misconduct. This would include the activities 
performed by Compliance in the Compliance Risk Assessment program.
Control Activities
    OCC proposes to eliminate the Control Activities section of the RMF 
Policy, which describes certain activities performed by OCC's 
Compliance department relating to the maintenance of business process 
and control inventories and annual training of OCC staff. This would be 
replaced by more general descriptions of Compliance's responsibilities 
under the proposed RMF. As discussed above, the RMF would more 
generally describe the department's responsibilities for the management 
of compliance risk, including by: (i) establishing processes to 
prevent, detect, respond to, and report on compliance risk; (ii) 
assessing the management of compliance risk through advising, 
monitoring, reporting, testing, and training activities; and (iii) 
maintaining mechanisms for reporting unethical or fraudulent behavior 
or misconduct. Additionally, as noted above, the proposed CRMP would 
transfer responsibility for maintaining OCC's inventory of all business 
processes, risks, and associated controls from Compliance to Corporate 
Risk.
Policy Exceptions and Violations
    OCC proposes to replace the Policy Exceptions and Violations 
sections in the current RMF Policy with a new Risk Acceptances and 
Deviations section in the RMF. The RMF would require that risk 
acceptances,\36\ including exceptions to OCC's risk management 
frameworks and policies, shall be escalated to Corporate Risk in 
accordance with the CRMP. In addition, the RMF would
require that deviations from OCC's risk management frameworks and 
policies shall be escalated to Compliance in accordance with the Policy 
Governance Policy (``PGP'').\37\ By including this generally applicable 
provision in the RMF, OCC would no longer include this information in 
each individual policy and procedure. Policy exceptions would continue 
to be escalated as part of OCC's risk acceptance process and policy 
violations would be escalated as part of OCC's PGP document deviation 
risk event process. The proposed change would allow OCC to remain 
consistent with this practice in its policies and procedures without 
requiring each to have its own individual Policy Exceptions and 
Violations sections that would need to be updated as OCC's process for 
escalating exceptions and deviations develops and matures.
---------------------------------------------------------------------------

    \36\ As discussed in more detail below with respect to the 
proposed Risk Treatment section of the CRMP, acceptance is a risk 
treatment method that may be used to acknowledge when the cost or 
complexity of avoiding, mitigating, or transferring the risk exceeds 
the potential impact (e.g., OCC accepts a risk temporarily and 
implements short-term mitigants, knowing that a long-term solution 
is planned).
    \37\ OCC proposes to use the term ``deviation'' rather than 
``violation'' as found in the current RMF Policy to align with the 
terminology used in the PGP.
---------------------------------------------------------------------------

Other Deleted Sections of the RMF Policy
Project Management, Budgeting, and Training Changes
    OCC proposes to delete from its rules certain sections of the RMF 
Policy related to project management, corporate planning and budgeting, 
and Human Resources and Compliance Training and Policies. OCC believes 
that these sections deal with policies and practices that are 
administrative in nature and do not constitute material aspects of the 
operation of the facilities of OCC.\38\ OCC would not maintain these 
details in the RMF or CRMP; however, OCC would continue to maintain and 
update these details when necessary in other internal policies, 
procedures, or OCC documentation maintained for such purposes.
---------------------------------------------------------------------------

    \38\ Section 19(b)(1) of the Exchange Act requires a self-
regulatory organization (``SRO'') such as OCC to file with the 
Commission any proposed rule or any proposed change in, addition to, 
or deletion from the rules of such SRO. See 15 U.S.C. 78s(b)(1). 
Section 3(a)(27) of the Exchange Act defines ``rules of a clearing 
agency'' to mean its (1) constitution, (2) articles of 
incorporation, (3) bylaws, (4) rules, (5) instruments corresponding 
to the foregoing and (6) such ``stated policies, practices and 
interpretations'' (``SPPI'') as the Commission may determine by 
rule. See 15 U.S.C. 78c(a)(27). Exchange Act Rule 19b-4(a)(6) 
defines the term ``SPPI'' to include (i) any material aspect of the 
operation of the facilities of an SRO and (ii) statements made 
generally available to membership of, to all participants in, or to 
persons having or seeking access to facilities of an SRO that 
establishes or changes certain standards, limits, or guidelines. See 
17 CFR 240.19b-4(a)(6). Rule 19b-4(c) provides, however, that an 
SPPI may not be deemed to be a proposed rule change if it is: (i) 
reasonably and fairly implied by an existing rule of the SRO or (ii) 
concerned solely with the administration of the SRO and is not an 
SPPI with respect to the meaning, administration, or enforcement of 
an existing rule of the SRO. See 17 CFR 240.19b-4(c).
---------------------------------------------------------------------------

Risk Universe
    Finally, OCC proposes to remove the RMF Policy's Appendix: OCC's 
Key Risks with CCA, PFMI, and Reg SCI Mapping. The proposed CRMP would 
require that Corporate Risk continue to maintain the risk universe, and 
OCC has included its risk categories in Section II of the proposed RMF 
but proposes that the additional detailed documentation and mapping be 
maintained internally by Corporate Risk. OCC believes it may need to 
update the mapping and risks, as well as how OCC defines them, 
dynamically based on business and market factors. OCC believes by 
following the governance outlined in the proposed CRMP, proper scrutiny 
will be given to any revisions to this information. Moreover, OCC 
believes that the policies and processes maintained by OCC to 
establish, maintain, review and update its risk universe, which 
reflects the universe of risks that OCC must monitor and manage, 
constitute material aspects of the operation of the facilities of OCC, 
but the risk universe itself is the output of those processes and 
simply lists those risks that OCC has identified pursuant to the 
requirements of the RMF Policy (and the proposed CRMP).
New Sections in the RMF and CRMP
    OCC proposes to add new sections to its RMF and CRMP to describe 
certain aspects of its risk management framework and approach to 
enterprise risk management, which are discussed in detail below.
RMF: Recovery and Orderly Wind-Down Plan
    The proposed RMF would include a new section discussing OCC's 
Recovery and Orderly Wind-Down Plan. The proposed RMF would state that 
in the event of extreme financial, operational, or general business 
stress, Corporate Risk maintains a confidential Recovery and Orderly 
Wind-Down Plan which details the departments responsible for executing 
the plan. The proposed RMF would state that OCC employs a set of 
recovery tools in the event of severe financial, operational, or 
general business stress, to continue to provide critical clearing and 
settlement services. The proposed RMF would state that should OCC's 
recovery efforts be unsuccessful or if, based on facts and 
circumstances, it is determined that its recovery tools would be 
insufficient, OCC has a wind-down plan that provides for the orderly 
resolution of the firm.
CRMP: Risk Monitoring
    The CRMP would introduce a new section to describe Corporate Risk's 
Risk Monitoring process, including key risk indicator monitoring and 
operational risk event monitoring. The proposed CRMP would state that 
Corporate Risk and Risk Owners monitor internal and external risks to 
determine whether OCC's risk management practices continue to operate 
effectively. The proposed CRMP would state that the information 
gathered during this monitoring is used to inform enterprise risk 
assessments.
Key Risk Indicator Monitoring
    The proposed CRMP would state that key risk indicators (``KRIs'') 
are qualitative or quantitative metrics designed to identify changes to 
risks. The proposed CRMP would state that Corporate Risk and Risk 
Owners utilize KRIs to measure and monitor levels of risk against risk 
appetite and risk tolerances. The proposed CRMP would state that KRIs 
are established at a risk sub-category level. KRIs include three 
thresholds: green, amber, and red. The proposed CRMP would state that 
green indicates a low risk of breaching tolerance, amber indicates a 
moderate risk of breaching tolerance, and red indicates a breach of 
tolerance. The proposed CRMP would state that amber and red thresholds 
are points of escalation to the CRO, Management Committee, and the 
Board.
    The proposed CRMP would state that Risk Owners, in collaboration 
with Corporate Risk, develop KRIs by considering business (e.g., 
process and controls) and regulatory requirements. The proposed CRMP 
would state that Corporate Risk facilitates identifying, modifying, and 
reviewing KRIs with a designated Management Committee member, including 
defining and reviewing the risk tolerance and risk thresholds for the 
KRI. The proposed CRMP would state that KRIs that breach the red 
threshold result in the development and execution of risk treatment 
plans by Risk Owners. The proposed CRMP would state that Corporate Risk 
reports against red, amber, and green thresholds to the CRO and 
Management Committee on a quarterly basis and to the Board at each 
regularly scheduled meeting.
Operational Risk Event Monitoring
    The proposed CRMP would state that an operational risk event is an 
event which results in a financial loss or an adverse impact to OCC or 
its ability to deliver its services. The proposed CRMP would state that 
such events arise from 
failed or inadequate internal processes, people, systems, or exposure 
to external events. The proposed CRMP would state that Risk Owners are 
responsible for identifying, assessing, and escalating operational risk 
events. The proposed CRMP would provide that Corporate Risk is 
responsible for ensuring that material operational risk events, as well 
as identified trends, are reported to the CRO and Management Committee 
on a quarterly basis and to the Board at each regularly scheduled 
meeting. The proposed CRMP would state that Risk Owners perform root 
cause analysis and enhance or develop processes that would reduce the 
impact or likelihood of similar events occurring in the future. The 
proposed CRMP would state that Risk Owners are responsible for 
escalating operational risk events causing serious and extended 
disruptions in production operations. The proposed CRMP would state 
that risk events that have a major or extreme impact to OCC's ability 
to perform its clearance, settlement and risk management services are 
immediately reported to the Management Committee and Board.
CRMP: Risk Treatment
    The CRMP would introduce a new section to describe OCC's risk 
treatment process, which is the process by which Risk Owners manage 
risk exposures by utilizing risk treatment methods to remain within 
risk appetites and tolerances. The proposed CRMP would state that risk 
treatment methods are implemented by Risk Owners and include the 
decision to mitigate, avoid, transfer, or accept an identified risk. 
The proposed CRMP would state that mitigation is a risk treatment 
method where controls including policies, procedures, processes, and 
systems can be implemented to manage a risk within established risk 
appetites and tolerances (e.g., OCC creates a procedure to document a 
process including implementing controls to mitigate a risk).
    The proposed CRMP would state that avoidance is a risk treatment 
method that may be used when controls are ineffective at preventing or 
mitigating a risk within approved risk appetites or tolerances (e.g., 
OCC does not onboard a clearing member due to poor financial health). 
The proposed CRMP would state that transference is a risk treatment 
method where risks are moved to a third party, usually through the 
purchase of insurance (e.g., fraud, general liability, and employment 
insurance). Insurance coverage would be coordinated by the Corporate 
Finance team, with involvement from other first and second line 
stakeholders, and subject to review by the Management Committee and the 
Board.
    The proposed CRMP would state that acceptance is a risk treatment 
method that may be used to acknowledge when the cost or complexity of 
avoiding, mitigating, or transferring the risk exceeds the potential 
impact (e.g., OCC accepts a risk temporarily and implements short-term 
mitigants, knowing that a long-term solution is planned). The proposed 
CRMP would state that Corporate Risk evaluates risk acceptances 
submitted by Risk Owners. The proposed CRMP would state that any risks 
presented for acceptance that are outside of risk appetite or risk 
tolerance must be approved by the Management Committee annually. The 
proposed CRMP would state that Corporate Risk reports on risks accepted 
above approved risk appetite or risk tolerance to the CRO, Management 
Committee, and Board.
CRMP: Risk Escalation and Training
    The proposed CRMP would also describe Corporate Risk's process for 
escalating risks to the CRO, Management Committee, and Board and 
training employees about risk to support risk management and decision-
making.
Escalation
    The proposed CRMP would state that OCC employees are responsible 
for escalating risks through timely identification and reporting. The 
proposed CRMP would state that in accordance with OCC's Employee 
Handbook and Policy Governance Policy, OCC employees are expected to 
escalate risks through their reporting line, OCC's internal working 
groups, or to the Management Committee. The proposed CRMP would state 
that quarterly, Corporate Risk, through the CRO, escalates breaches of 
risk appetites and risk tolerances to the Management Committee, Board, 
and relevant Board committees. The proposed CRMP would state that 
escalation occurs (i) consistent with obligations established in the 
Management Committee Charter, Board Charter, Board Committee Charters, 
policies, and procedures, or (ii) anytime through the CRO directly to 
the Board.
Training
    The proposed CRMP would state that OCC employees are trained to 
promote a culture of risk and control awareness. The proposed CRMP 
would state that Corporate Risk collaborates with other OCC departments 
to create and disseminate training to enable accountability, empower 
decision-making, promote risk awareness, and detail escalation. The 
proposed CRMP would state that this training promotes awareness of 
OCC's regulatory requirements, policies, procedures, processes, 
controls, and standards of conduct.
Conforming Changes to OCC Risk Policies
    Finally, OCC proposes to update other OCC Risk Policies to be 
consistent with the proposed RMF. Specifically, OCC would update 
references to the RMF Policy, including the summary of the RMF Policy 
in the Recovery and Orderly Wind-Down Plan, to refer to the RMF and 
CRMP. References to the ``Enterprise Risk Management'' department or 
``ERM'' would be changed to ``Corporate Risk Management'' or 
``Corporate Risk'' to reflect that department's name. In the case of 
the Collateral Risk Management Policy, OCC would delete reference to 
the Enterprise Risk Management Policy's annual review of concentration 
limits because that review is conducted by Model Risk Management, 
which is part of Corporate Risk. The OCC Risk Policies would be further 
conformed to reflect that what was formerly referred to as OCC's Model 
Validation Group is now referred to as Model Risk Management. OCC would 
also remove the Policy Exceptions and Violations sections of the 
applicable OCC Risk Policies as the exception and violation processes 
for all of the OCC Risk Policies would be covered by the new Risk 
Acceptances and Deviations section of the proposed RMF (as discussed 
above).
    OCC also proposes to make administrative updates to cross-references 
to other internal OCC policies and procedures and other administrative 
changes arising from OCC's annual review of its risk management 
frameworks and procedures. Specifically, OCC would also revise the 
TPRMF to:
     Include General Business Risk as a type of risk that may 
be presented by third-party relationships;
     Revise the introduction of the on-boarding and off-
boarding monitoring of counterparties with multiple relationships with 
OCC to reference the respective procedures and work groups in the 
Third-Party Relationship Management section, which as evident from the 
existing TPRMF is not limited to monitoring by the Credit and Liquidity 
Risk Working Group, as that current introduction suggests;
     Delete reference to specific OCC Rules in favor of 
reference to Chapters of OCC's Rulebook because the specific Rules 
currently identified are not a 
complete list of those in the identified Chapters that give OCC 
authority to act to protect OCC from exposure presented by a Clearing 
Member.
     Make other administrative changes to business unit names.
(2) Statutory Basis
    OCC believes the proposed rule change is consistent with Section 
17A of the Exchange Act \39\ and Rule 17Ad-22(e)(3). Section 
17A(b)(3)(F) of the Act \40\ requires, in part, that the rules of a 
clearing agency be designed to promote the prompt and accurate 
clearance and settlement of securities transactions, to assure the 
safeguarding of securities and funds in the custody or control of the 
clearing agency or for which it is responsible, and in general, to 
protect investors and the public interest. Rule 17Ad-22(e)(3)(i) \41\ 
requires, in part, that a covered clearing agency establish, implement, 
maintain and enforce written policies and procedures reasonably 
designed to maintain a sound risk management framework for 
comprehensively managing legal, credit, liquidity, operational, general 
business, investment, custody, and other risks that arise in or are 
borne by the covered clearing agency, which includes risk management 
policies, procedures, and systems designed to identify, measure, 
monitor, and manage the range of risks that arise in or are borne by 
the covered clearing agency, that are subject to review on a specified 
periodic basis and approved by the board of directors annually. For the 
reasons addressed below, OCC believes the proposed changes are 
consistent with these requirements.
---------------------------------------------------------------------------

    \39\ 15 U.S.C. 78q-1.
    \40\ 15 U.S.C. 78q-1(b)(3)(F).
    \41\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

Consistency With Section 17A(b)(3)(F) of the Exchange Act
    The proposed RMF and associated policies, including the CRMP, would 
be the foundation for a risk management framework designed to promote 
the prompt and accurate clearance and settlement of securities 
transactions, assure the safeguarding of securities and funds in the 
OCC's custody or control, and in general, protect investors and the 
public interest. Risk management is the means by which OCC guards 
against disruption to OCC's clearance and settlement services and loss 
of financial resources necessary to maintain OCC as a going concern or 
in OCC's custody or control to address member defaults and liquidity 
shortfalls. As a clearing agency that has been designated a 
systemically important financial market utility by the Federal 
Stability Oversight Council, such disruption or losses may present 
systemic risks to the markets OCC serves, OCC's Clearing Members, and 
other market participants, including investors, thereby harming the 
public interest.
    As described above, the proposed RMF would be designed to provide a 
foundation to support the risk management policies, procedures, and 
systems that make up OCC's sound risk management framework. The 
proposed RMF would describe OCC's overall framework for comprehensive 
risk management, including OCC's framework to identify, measure, 
monitor and manage the risks faced by OCC in the provision of clearing, 
settlement and risk management services. The proposed RMF would provide 
the context for OCC's risk management framework, identify OCC's risk 
categories, describe the governance arrangements that implement risk 
management, and describe OCC's program for risk management, including 
the three lines of defense structure. In addition, the proposed CRMP 
would support the proposed RMF by explaining OCC's risk management 
activities related to enterprise risk. These changes are not meant to 
significantly alter OCC's approach to risk management, but rather to 
present OCC's approach to enterprise risk in a standalone policy, 
similar to OCC's approach with OCC's risk management. OCC believes that 
more clearly delineating its overall approach to risk management and 
its approach to enterprise risk through two separate policies helps 
support risk management processes designed to promote the prompt and 
accurate clearance and settlement of securities transactions, assure 
the safeguarding of securities and funds in OCC's custody, and in 
general, protect investors and the public interest. Accordingly, OCC 
believes that establishing the RMF and CRMP is consistent with Section 
17A(b)(3)(F) of the Act.\42\
---------------------------------------------------------------------------

    \42\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    The proposed RMF and CRMP would also make a number of substantive 
changes to OCC's rules beyond the reorganization and restatement of 
existing OCC rules. Consistency of these changes with Section 
17A(b)(3)(F) of the Act \43\ is discussed below.
---------------------------------------------------------------------------

    \43\ Id.
---------------------------------------------------------------------------

RMF Policy: Purpose Section
    The purpose section of the RMF Policy would be revised to reflect 
the reorganization of content in the RMF Policy in the new RMF and 
CRMP, focusing on the purpose and intent of each of the newly proposed 
documents. The proposed change is designed to clearly explain the 
purpose of the proposed RMF and CRMP and their place in OCC's overall 
framework for comprehensively managing legal, credit, liquidity, 
operational, general business, investment, custody, and other risks 
that arise in or are borne by OCC. OCC believes that providing this enhanced 
clarity in two of its key risk management policies would strengthen 
risk management processes designed to promote the prompt and accurate 
clearance and settlement of securities transactions, assure the 
safeguarding of securities and funds in OCC's custody or control or for 
which it is responsible, and in general, protect investors and the 
public interest. Accordingly, OCC believes the proposed changes are 
consistent with Section 17A(b)(3)(F) of the Act.\44\
---------------------------------------------------------------------------

    \44\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Context for Risk Management Framework and Risk Management 
Philosophy
    OCC would delete the Context for Risk Management Framework and Risk 
Management Philosophy sections of the RMF Policy from the proposed RMF. 
These sections provide history and background information about OCC and 
its purpose in the financial market, but do not contain rules of OCC. 
Additionally, the information presented in the Risk Management 
Philosophy section serves as an additional purpose section and all 
items highlighted in this section are covered in the proposed RMF and 
CRMP. OCC believes that removing this extraneous information would 
enhance the clarity of these risk policies by focusing on the rules 
governing OCC's overall risk framework and corporate risk management 
program and would strengthen risk management processes designed to 
promote the prompt and accurate clearance and settlement of securities 
transactions, assure the safeguarding of securities and funds in OCC's 
custody or control or for which it is responsible, and in general, 
protect investors and the public interest. Accordingly, OCC believes 
that the proposed changes are consistent with Section 
17A(b)(3)(F) of the Act.\45\
---------------------------------------------------------------------------

    \45\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Risk Appetite Framework and Tolerance
    OCC proposes to make certain modifications to the description of 
its risk appetite framework, including descriptions of OCC's use of a 
risk universe, risk appetites and risk tolerances, in the new CRMP. As 
described above, the proposed CRMP would revise certain terminology in 
OCC's risk universe, such as organizing the universe into ``risk 
categories,'' ``risk sub-categories,'' and ``risk statements'' to 
effectively represent the Key Risks, Sub-categories, and Definitions 
that are discussed in the current RMF Policy. OCC would also modify 
certain governance requirements for the risk universe. Under the 
current RMF, Key Risks are approved by OCC's Board and risk appetites 
for Key Risks are set by the business departments responsible for those 
risks in cooperation with Corporate Risk. Under the proposed CRMP, the 
risk universe would be owned and approved by OCC's CRO and provided to 
the Management Committee and Board. The Board or the Risk Committee 
would ultimately be responsible for approving risk appetites and would 
continue to approve risk tolerances. The proposed CRMP would also 
provide additional details around the internal governance process for 
reviewing and approving risk categories, appetites, and tolerances and 
for monitoring risk tolerances. OCC would also remove the more general 
risk appetite statement definitions (i.e., no appetite, low appetite, 
moderate appetite, and high appetite), which are currently described in 
the RMF Policy, enabling OCC to use more detailed, qualitative risk 
appetite statements for each risk sub-category following the governance 
processes described above. In addition, OCC would change the cadence of 
risk reporting, including risk tolerance breaches, to align with the 
timing of OCC's regular Board meetings. The proposed CRMP would also 
introduce the concept of risk rating scales, which provide an 
assessment of risk from an impact and likelihood perspective 
consistently across OCC and would be used to measure inherent and 
residual risk at a risk statement level.
    OCC believes the proposed CRMP would provide a more comprehensive 
overview of the governance of OCC's risk universe and enhance certain 
processes therein. The proposed CRMP would provide additional details 
around the internal governance process for reviewing and approving risk 
categories, appetites, and tolerances and for monitoring risk 
tolerances and improve the governance process for the risk universe by 
allowing the CRO to modify risk categories as needed, with oversight of 
Management Committee and Board, and provide the Board or Risk Committee 
with more direct responsibility for setting the appetites for those 
risks. For these reasons, OCC believes the proposed changes would 
strengthen risk management processes designed to promote the prompt and 
accurate clearance and settlement of securities transactions, assure 
the safeguarding of securities and funds in OCC's custody or control or 
for which it is responsible, and in general, protect investors and the 
public interest. Accordingly, OCC believes that the proposed changes 
are consistent with Section 17A(b)(3)(F) of the Act.\46\
---------------------------------------------------------------------------

    \46\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Risk Management Governance
    OCC proposes to modify certain descriptions of its risk management 
governance arrangements in the new RMF. For example, OCC would update 
and streamline the description of the responsibilities of its Board as 
they are generally already addressed in the Board Charter.\47\ OCC also 
proposes to update the description of the responsibilities of the 
Management Committee, which primarily relates to the committee's role 
and responsibilities in reviewing and recommending changes to OCC's 
risk universe, as this would not be addressed in the proposed CRMP (as 
discussed above). OCC would also update the discussion of working 
groups and their responsibilities and include a description of the 
responsibilities of and development opportunities for OCC employees. 
OCC believes the proposed changes would improve OCC's risk framework by 
presenting a more concise, clear, and transparent description of OCC's 
risk management governance and thereby promote the prompt and accurate 
clearance and settlement of securities transactions, assure the 
safeguarding of securities and funds in OCC's custody or control or for 
which it is responsible, and in general, protect investors and the 
public interest. Accordingly, OCC believes that the proposed changes 
are consistent with Section 17A(b)(3)(F) of the Act.\48\
---------------------------------------------------------------------------

    \47\ See supra notes 16 and 17.
    \48\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Identification of Key Risks
    OCC proposes to replace the Identification of Key Risks section of 
the RMF Policy, which provides a brief description of OCC's policies 
and procedures for managing each of those Key Risks and their respective 
Risk Sub-Categories, with a new OCC Risk Management section of the 
proposed RMF. The proposed RMF would reorganize the focus of this 
description to align with the three lines of defense model currently 
described in the RMF Policy and describe the types of risks managed by 
each line of defense. The new OCC Risk Management section of the RMF 
would: (i) restate existing content of the RMF; (ii) introduce new 
content not currently contained in OCC's RMF Policy; and (iii) delete 
certain aspects of the RMF Policy. The proposed RMF would continue to 
refer to the same rules and OCC Risk Policies currently maintained by 
OCC (and described in the RMF) to address such risks and which are 
currently filed with the Commission as rules of OCC.\49\
---------------------------------------------------------------------------

    \49\ See supra notes 20-26 and associated text.
---------------------------------------------------------------------------

    OCC also proposes to remove certain details concerning its 
management of operational risk (e.g., quality standards program, 
cybersecurity program, system functionality and capacity, and business 
continuity program) as these aspects of its operational risk management 
would be contained in a new Operational Risk Management Framework 
document, which is currently being finalized by OCC, and will contain a 
more detailed and comprehensive overview of OCC's framework for 
managing operational risk.
    OCC believes these proposed changes would present a comprehensive, 
clear, and transparent description of the key risks faced by OCC and 
the assignment of responsibility for managing such risk, thereby 
strengthening risk management processes designed to promote the prompt 
and accurate clearance and settlement of securities transactions, 
assure the safeguarding of securities and funds in OCC's custody or 
control or for which it is responsible, and in general, protect 
investors and the public interest. Accordingly, OCC believes that the 
proposed changes are consistent with Section 17A(b)(3)(F) of the 
Act.\50\
---------------------------------------------------------------------------

    \50\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Risk Management Practice
    OCC proposes to relocate the discussion of its enterprise risk 
assessments, scenario analysis program, and risk reporting process to 
the new CRMP. As discussed above, the proposed CRMP is designed to more 
accurately and completely describe the risk assessment, monitoring, and 
reporting processes conducted by Corporate Risk. Additionally, OCC 
would eliminate the specific IT Risk Assessment section of the RMF 
Policy, as these details would be more appropriately addressed in the 
forthcoming Operational Risk Management Framework document, and would 
also remove the Compliance Risk Assessment section of the RMF Policy 
because this information is appropriately covered in the Compliance 
section of the proposed 
RMF. OCC believes the proposed changes would result in an improved 
description of Corporate Risk's risk assessment, scenario analysis, and 
risk reporting responsibilities and thereby strengthen risk management 
processes designed to promote the prompt and accurate clearance and 
settlement of securities transactions, assure the safeguarding of 
securities and funds in OCC's custody or control or for which it is 
responsible, and in general, protect investors and the public interest. 
Accordingly, OCC believes the proposed changes are consistent with 
Section 17A(b)(3)(F) of the Act.\51\
---------------------------------------------------------------------------

    \51\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Control Activities
    OCC proposes to replace the Control Activities section of the RMF 
Policy with more general and broader descriptions of Compliance's 
responsibilities in the proposed RMF. In addition, under the proposed 
CRMP, responsibility for maintaining OCC's inventory of all business 
processes, risks, and associated controls would move from Compliance to 
Corporate Risk. As such, Corporate Risk would be responsible for 
reviewing the design of controls. Compliance would continue to perform 
design testing. OCC believes that assigning responsibility for 
reviewing control design to Corporate Risk is appropriate given its 
responsibilities in the enterprise risk assessment process, as part of 
which Corporate Risk leads quarterly workshops that assess the 
likelihood and impact of risks by reviewing data from across OCC, 
including risk events, Internal Audit findings, security risk 
assessments and observations, third-party observations, control design 
assessments, management control self-testing results, and business 
impact analyses, supplemented by information from emerging risk surveys 
(top-down), process-based risk assessments (bottom-up), and enterprise 
technology assessments. This enterprise risk assessment process affords 
Corporate Risk a holistic view of risk and controls, which OCC believes 
puts Corporate Risk in a unique position to review and improve control 
design with respect to controls intended to promote the prompt and 
accurate clearance and settlement of securities transactions, assure 
the safeguarding of securities and funds in OCC's custody or control or 
for which it is responsible, and in general, protect investors and the 
public interest. Accordingly, OCC believes the proposed changes are 
consistent with Section 17A(b)(3)(F) of the Act.\52\
---------------------------------------------------------------------------

    \52\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

RMF Policy: Exceptions and Violations
    OCC proposes to replace the individual Policy Exceptions and 
Violations sections in the current RMF Policy and other OCC Risk 
Policies with a new Risk Acceptances and Deviations section in the RMF. 
The proposed change would provide for a single framework for risk 
acceptances, exceptions, deviations, and the escalation of deviations 
across OCC's filed policies rather than requiring each policy to have 
its own individual Policy Exceptions and Violations sections, which may 
over time become inconsistent as policies are updated at different 
times. Such inconsistency could create confusion about escalation 
obligations and procedures, which could in turn lead to failure to 
escalate issues appropriately. Accordingly, OCC believes that improving 
the documentation for its escalation process would strengthen risk 
management processes designed to promote the prompt and accurate 
clearance and settlement of securities transactions, assure the 
safeguarding of securities and funds in OCC's custody or control or for 
which it is responsible, and in general, protect investors and the 
public interest. Accordingly, OCC believes that the proposed changes 
are consistent with Section 17A(b)(3)(F) of the Act.\53\
---------------------------------------------------------------------------

    \53\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

New Sections in Proposed RMF and CRMP
    OCC proposes to add new sections to the proposed RMF and CRMP to 
provide additional details concerning its overall framework for 
managing risk and its approach to enterprise risk management. For 
example, the proposed RMF would include a new section discussing OCC's 
Recovery and Orderly Wind-Down Plan. In addition, the CRMP would 
introduce a new section to describe Corporate Risk's Risk Monitoring 
process, including key risk indicator monitoring and operational risk 
event monitoring. The CRMP would also introduce a new section to 
describe OCC's risk treatment process, which is the process by which 
Risk Owners manage risk exposures by utilizing risk treatment methods 
to remain within risk appetites and tolerances. Additionally, the 
proposed CRMP would also describe Corporate Risk's process for 
escalating risks to the CRO, Management Committee, and Board and 
training employees about risk to support risk management and decision-
making. The proposed changes would provide a more comprehensive and 
transparent discussion of OCC's overall framework for managing risk and 
its approach to enterprise risk management. OCC believes the proposed 
enhancements to its risk management documentation would serve to 
promote the prompt and accurate clearance and settlement of securities 
transactions, assure the safeguarding of securities and funds in OCC's 
custody or control or for which it is responsible, and in general, 
protect investors and the public interest. Accordingly, OCC believes 
that the proposed changes are consistent with Section 17A(b)(3)(F) of 
the Act.\54\
---------------------------------------------------------------------------

    \54\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    For the reasons set forth above, OCC believes the proposed rule 
change would promote the prompt and accurate clearance and settlement 
of securities transactions, assure the safeguarding of securities and 
funds in the custody or control of the clearing agency or for which it 
is responsible, and in general, to protect investors and the public 
interest in accordance with Section 17A(b)(3)(F) of the Act.\55\
---------------------------------------------------------------------------

    \55\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

Consistency With Rule 17Ad-22 Under the Exchange Act
    OCC believes that the proposed rule change is generally consistent 
with Rule 17Ad-22(e)(3)(i) \56\ because the proposed RMF would describe 
OCC's comprehensive framework for identifying, measuring, monitoring 
and managing the risks that arise within OCC or are borne by it, 
including legal, credit, liquidity, operational, general business, 
investment and custody risk. Moreover, the proposed CRMP would explain 
that Corporate Risk evaluates risks that may affect OCC's ability to 
perform the services detailed in the proposed RMF. The proposed RMF 
would explain how OCC employs established practices, such as the three 
lines of defense model for enterprise-wide risk management, to ensure 
that OCC maintains and operates a resilient, effective and reliable 
risk management and internal control infrastructure that assures risk 
management and processing outcomes expected by OCC stakeholders. The 
proposed CRMP would describe how OCC's second line of defense monitors 
the risks that arise in or are borne by OCC through a variety of risk 
assessment, risk reporting, evaluation and internal control management 
activities, consistent with the requirements of Rule 17Ad-
22(e)(3)(i).\57\
---------------------------------------------------------------------------

    \56\ Id.
    \57\ Id.
---------------------------------------------------------------------------

    The proposed CRMP would describe OCC's use of risk appetites and 
risk tolerances to evaluate OCC's risks across its risk universe to 
ensure that OCC sets appropriate levels and types of risk that OCC is 
willing and able to assume in accordance with OCC's mission as a 
systemically important financial market utility. For 
example, the use of risk appetites allows OCC to carefully calibrate 
the levels of risk it accepts in a manner consistent with OCC's core 
mission of promoting financial stability in the markets it serves. In 
addition, the use of risk tolerances helps to inform whether risks are 
within Board-approved risk appetites. As a result, OCC believes the 
proposed RMF, as supported by the CRMP, is reasonably designed to 
provide for a sound, comprehensive framework for identifying, 
measuring, monitoring and managing the range of risks that arise in or 
are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).\58\
---------------------------------------------------------------------------

    \58\ Id.
---------------------------------------------------------------------------

RMF Policy: Risk Appetite Framework and Tolerance
    As described herein, OCC proposes to make certain modifications to 
the description of its risk appetite framework, including descriptions 
of OCC's use of a risk universe, risk appetites and risk tolerances and 
the governance process for maintaining the risk universe, in the proposed 
CRMP. The proposed CRMP would also introduce the concept of risk rating 
scales, which provide an assessment of risk from an impact and 
likelihood perspective consistently across OCC and would be used to 
measure inherent and residual risk at a risk statement level. OCC 
believes the proposed CRMP would provide a more comprehensive overview 
of the governance of OCC's risk universe and enhance certain processes 
therein. The proposed CRMP would also provide additional details around 
the internal governance process for reviewing and approving risk 
categories, appetites, and tolerances and for monitoring risk 
tolerances and improve the governance process for the risk universe by 
allowing the CRO to modify risk categories as needed, with oversight of 
Management Committee and Board, and provide the Board or Risk Committee 
with more direct responsibility for setting the appetites for those 
risks. OCC believes the proposed changes are reasonably designed to 
provide for a sound, comprehensive framework for identifying, 
measuring, monitoring and managing the range of risks that arise in or 
are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).\59\
---------------------------------------------------------------------------

    \59\ Id.
---------------------------------------------------------------------------

RMF Policy: Risk Management Governance
    Rules 17Ad-22(e)(2)(i) and (ii) \60\ require that a covered 
clearing agency establish, implement, maintain and enforce written 
policies and procedures reasonably designed to provide for governance 
arrangements that (i) are clear and transparent and (ii) clearly 
prioritize the safety and efficiency of the covered clearing agency. As 
discussed above, OCC proposes to modify certain descriptions of its 
risk management governance arrangements in the new RMF, including the 
roles and responsibilities of the Board, Management Committee, and 
OCC's internal working groups. OCC believes the proposed changes would 
improve OCC's risk framework by presenting a more clear, concise, and 
transparent description of OCC's governance arrangements as they relate 
to the management of risk within OCC. As a result, OCC believes the 
proposed changes are reasonably designed to provide for governance 
arrangements that (i) are clear and transparent and (ii) clearly 
prioritize the safety and efficiency of the covered clearing agency in 
accordance with Rules 17Ad-22(e)(2)(i) and (ii).\61\
---------------------------------------------------------------------------

    \60\ 17 CFR 240.17Ad-22(e)(2)(i) and (ii).
    \61\ Id.
---------------------------------------------------------------------------

RMF Policy: Identification of Key Risks
    As described above, OCC proposes to replace the Identification of 
Key Risks section of the RMF Policy with a new OCC Risk Management 
section of the proposed RMF. The proposed RMF would reorganize the 
focus of this description to align with the three lines of defense 
model currently described in the RMF Policy and describe the types of 
risks managed by each line of defense. As described herein, the new OCC 
Risk Management section of the RMF would: (i) restate existing content 
of the RMF; (ii) introduce new content not currently contained in OCC's 
RMF Policy; and (iii) delete certain aspects of the RMF Policy. The 
proposed RMF would continue to refer to the same rules and OCC Risk 
Policies currently maintained by OCC (and described in the RMF) to 
address such risks and which are currently filed with the Commission as 
rules of OCC.\62\ OCC believes the proposed changes would present a 
more comprehensive, clear, and transparent description of the key risks 
faced by OCC and the assignment of responsibility for managing such 
risks. As a result, OCC believes the proposed RMF, as supported by the 
CRMP, is reasonably designed to provide for a sound, comprehensive 
framework for identifying, measuring, monitoring and managing the range 
of risks that arise in or are borne by OCC in a manner consistent with 
Rule 17Ad-22(e)(3)(i).\63\
---------------------------------------------------------------------------

    \62\ See supra notes 20-26 and associated text.
    \63\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

RMF Policy: Risk Management Practice
    OCC proposes to relocate the discussion of its enterprise risk 
assessments, scenario analysis program, and risk reporting process to 
the new CRMP. As discussed above, the proposed CRMP is designed to more 
accurately and completely describe the risk assessment, monitoring, and 
reporting processes conducted by Corporate Risk. OCC believes the 
proposed changes would result in an improved description of Corporate 
Risk's risk assessment, scenario analysis, and risk reporting 
responsibilities and is therefore reasonably designed to support a 
sound, comprehensive framework for identifying, measuring, monitoring 
and managing the range of risks that arise in or are borne by OCC in a 
manner consistent with Rule 17Ad-22(e)(3)(i).\64\
---------------------------------------------------------------------------

    \64\ Id.
---------------------------------------------------------------------------

RMF Policy: Exceptions and Violations
    OCC proposes to replace the individual Policy Exceptions and 
Violations sections in the current RMF Policy and other OCC Risk 
Policies with a new Risk Acceptances and Deviations section in the RMF. 
The proposed change would provide for a single framework for risk 
acceptances and deviations, and the escalation of deviations across 
OCC's filed policies rather than requiring each policy to have its own 
individual Policy Exceptions and Violations sections, which may over 
time become inconsistent as OCC's individual risk policies evolve. This 
single framework would help to avoid ambiguities or confusion about 
escalation obligations or procedures that might otherwise arise if 
changes to such procedures were not applied consistently. The change 
would also reduce the administrative burden of having to update each 
document within OCC's universe of policies and procedures as OCC's 
process for escalating risk acceptance and deviations from those 
policies and procedures matures over time. OCC believes that improving 
the documentation for its escalation processes is reasonably designed 
to support its comprehensive framework for identifying, measuring, 
monitoring and managing the range of risks that arise in or are borne 
by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).\65\
---------------------------------------------------------------------------

    \65\ Id.
---------------------------------------------------------------------------

New Sections in Proposed RMF and CRMP
    OCC proposes to add new sections to the proposed RMF and CRMP to 
provide additional details concerning its overall framework for 
managing risk and its approach to enterprise risk management. For 
example, the proposed RMF would include a new section discussing OCC's 
Recovery and Orderly Wind-Down Plan \66\ and introduce a new section to 
describe Corporate Risk's Risk Monitoring process, including key risk 
indicator monitoring and operational risk event monitoring. The CRMP 
would also introduce a new section to describe OCC's risk treatment 
process and would also describe Corporate Risk's process for escalating 
risks to the CRO, Management Committee, and Board and training 
employees about risk to support risk management and decision-making. 
The proposed changes would provide a more comprehensive and transparent 
discussion of OCC's overall framework for managing risk and its 
approach to enterprise risk management. OCC believes the proposed 
changes are therefore reasonably designed to provide for a sound, 
comprehensive framework for identifying, measuring, monitoring and 
managing the range of risks that arise in or are borne by OCC in a 
manner consistent with Rule 17Ad-22(e)(3)(i).\67\
---------------------------------------------------------------------------

    \66\ OCC believes this proposed change also supports compliance 
with Exchange Act Rule 17Ad-22(e)(3)(ii), which requires a covered 
clearing agency to maintain a sound risk management framework for 
comprehensively managing legal, credit, liquidity, operational, 
general business, investment, custody, and other risks that arise in 
or are borne by the covered clearing agency, which includes plans 
for the recovery and orderly wind-down of the covered clearing 
agency necessitated by credit losses, liquidity shortfalls, losses 
from general business risk, or any other losses. See 17 CFR 
240.17Ad-22(e)(3)(ii).
    \67\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

Consistency With Section 19(b) of the Exchange Act
    Section 19(b)(1) of the Act \68\ and Rule 19b-4 \69\ thereunder set 
forth the requirements for SRO proposed rule changes, including the 
regulatory filing requirements for ``stated policies, practices and 
interpretations.'' \70\ OCC proposes to retire its existing RMF Policy, 
which was, in part, previously filed as an OCC ``rule'' with the 
Commission, as the RMF and CRMP would replace the RMF Policy in its 
entirety. Under the proposal, the material aspects of OCC's overall 
risk management framework and Corporate Risk program would be contained 
in the proposed RMF and CRMP described herein. As described in detail 
herein, various details in the current RMF Policy would no longer be 
OCC rule text following adoption of the RMF and CRMP. Specifically, OCC 
believes that removing the following sections of the current RMF Policy 
from OCC's rule text is consistent with Section 19(b)(1) of the Act 
and Rule 19b-4 because they are administrative in nature and do not 
address material aspects of the operation of the facilities of 
OCC:
---------------------------------------------------------------------------

    \68\ 15 U.S.C. 78s(b)(1).
    \69\ 17 CFR 240.19b-4.
    \70\ See supra note 38.
---------------------------------------------------------------------------

     The Context for Risk Management Framework and Risk 
Management Philosophy sections providing history and background 
information about OCC and its purpose in the financial markets; \71\
---------------------------------------------------------------------------

    \71\ Additionally, OCC believes the information presented in the 
Risk Management Philosophy section serves as an additional purpose 
section and that all items highlighted in this section would be 
covered in, or otherwise reasonably and fairly implied by, the 
proposed RMF and CRMP.
---------------------------------------------------------------------------

     Sections of the RMF Policy related to project planning, 
corporate budgeting, and Human Resources and Compliance training; and
     The Risk Universe, which reflects the output of policies 
and processes described in the RMF Policy (and eventually, the proposed 
CRMP).
    Accordingly, OCC believes the proposed changes would be consistent 
with the requirements of Section 19(b)(1) of the Act and Rule 19b-4 
thereunder.\72\
---------------------------------------------------------------------------

    \72\ See 15 U.S.C. 78s(b)(1) and 17 CFR 240.19b-4.
---------------------------------------------------------------------------

(B) Clearing Agency's Statement on Burden on Competition

    Section 17A(b)(3)(I) of the Act \73\ requires that the rules of a 
clearing agency not impose any burden on competition not necessary or 
appropriate in furtherance of the purposes of the Act. OCC does not 
believe that the proposed rule changes would impact or impose any 
burden on competition. The proposed rule change clearly and 
transparently presents the framework OCC uses to identify, monitor and 
manage its risks. While the proposed rule change would enhance OCC's 
framework of risk management documentation, these updates do not affect 
Clearing Members' access to OCC's services or impose any direct burdens 
on Clearing Members. Accordingly, the proposed rule change would not 
unfairly inhibit access to OCC's services or disadvantage or favor any 
particular user in relationship to another user.
---------------------------------------------------------------------------

    \73\ 15 U.S.C. 78q-1(b)(3)(I).
---------------------------------------------------------------------------

    For the foregoing reasons, OCC believes that the proposed rule 
change is in the public interest, would be consistent with the 
requirements of the Act applicable to clearing agencies, and would not 
impact or impose a burden on competition.

(C) Clearing Agency's Statement on Comments on the Proposed Rule Change 
Received From Members, Participants or Others

    Written comments on the proposed rule change were not and are not 
intended to be solicited with respect to the proposed rule change and 
none have been received.

III. Date of Effectiveness of the Proposed Rule Change and Timing for 
Commission Action

    Within 45 days of the date of publication of this notice in the 
Federal Register or within such longer period up to 90 days (i) as the 
Commission may designate if it finds such longer period to be 
appropriate and publishes its reasons for so finding or (ii) as to 
which the self-regulatory organization consents, the Commission will: 
(A) by order approve or disapprove such proposed rule change, or (B) 
institute proceedings to determine whether the proposed rule change 
should be disapproved. The proposal shall not take effect until all 
regulatory actions required with respect to the proposal are completed.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed rule 
change is consistent with the Act. Comments may be submitted by any of 
the following methods:

Electronic Comments

     Use the Commission's internet comment form (https://www.sec.gov/rules/sro.shtml); or
     Send an email to [email protected]. Please include 
File Number SR-OCC-2022-010 on the subject line.

Paper Comments

     Send paper comments in triplicate to Vanessa Countryman, 
Secretary, Securities and Exchange Commission, 100 F Street NE, 
Washington, DC 20549-1090.

All submissions should refer to File Number SR-OCC-2022-010. This file 
number should be included on the subject line if email is used. To help 
the Commission process and review your comments more efficiently, 
please use only one method. The Commission 
will post all comments on the Commission's internet website (https://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent 
amendments, all written statements with respect to the proposed rule 
change that are filed with the Commission, and all written 
communications relating to the proposed rule change between the 
Commission and any person, other than those that may be withheld from 
the public in accordance with the provisions of 5 U.S.C. 552, will be 
available for website viewing and printing in the Commission's Public 
Reference Room, 100 F Street NE, Washington, DC 20549, on official 
business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of 
such filing also will be available for inspection and copying at the 
principal office of OCC and on OCC's website at https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules.
    All comments received will be posted without change. Persons 
submitting comments are cautioned that we do not redact or edit 
personal identifying information from comment submissions. You should 
submit only information that you wish to make available publicly.
    All submissions should refer to File Number SR-OCC-2022-010 and 
should be submitted on or before October 17, 2022.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\74\
---------------------------------------------------------------------------

    \74\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2022-20728 Filed 9-23-22; 8:45 am]
BILLING CODE 8011-01-P

