Self-Regulatory Organizations; ICE Clear Europe Limited; Order Approving Proposed Rule Change Relating to ICE Clear Europe Operational Risk and Resilience Policy, 72553-72556 [2022-25662]

Agencies

• SECURITIES AND EXCHANGE COMMISSION

[Federal Register Volume 87, Number 226 (Friday, November 25, 2022)]
[Notices]
[Pages 72553-72556]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-25662]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-96351; File No. SR-ICEEU-2022-015]


Self-Regulatory Organizations; ICE Clear Europe Limited; Order 
Approving Proposed Rule Change Relating to ICE Clear Europe Operational 
Risk and Resilience Policy

November 18, 2022.

I. Introduction

    On September 22, 2022, ICE Clear Europe Limited (``ICE Clear 
Europe'') filed with the Securities and Exchange Commission 
(``Commission''), pursuant to Section 19(b)(1) of the Securities 
Exchange Act of 1934 (the ``Act'') \1\ and Rule 19b-4 thereunder,\2\ a 
proposed rule change to amend its Operational Risk Management Policy 
and rename it the Operational Risk and Resilience Policy. The proposed 
rule change was published for comment in the Federal Register on 
October 7, 2022.\3\ The Commission did not receive comments regarding 
the proposed rule change. For the reasons discussed below, the 
Commission is approving the proposed rule change.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Self-Regulatory Organizations; ICE Clear Europe Limited; 
Notice of Filing of Proposed Rule Change Relating to the ICE Clear 
Europe Operational Risk and Resiliency Policy, Exchange Act Release 
No. 95964 (Oct. 3, 2022); 87 FR 61109 (Oct. 7, 2022) (SR-ICEEU-2022-
015) (``Notice'').
---------------------------------------------------------------------------

II. Description of the Proposed Rule Change

A. Background

    ICE Clear Europe currently has in place an Operational Risk 
Management Policy. The current Operational Risk Management Policy 
explains how ICE Clear Europe identifies, assesses, manages, monitors, 
and reports its operational risks. The proposed rule

[[Page 72554]]

change would maintain the current substance of the Operational Risk 
Management Policy while expanding it to include a description of how 
ICE Clear Europe maintains operational resilience, in addition to 
managing operational risk. The proposed rule change would define 
operational resilience as the ability to prevent, respond to, recover, 
and learn from operational service disruption events. The proposed rule 
change would add descriptions of the following elements that ICE Clear 
Europe employs to maintain operational resilience: (i) the three lines 
of defense; (ii) certain other ICE Clear Europe policies and procedures 
that form a framework for managing and maintaining operational 
resilience; (iii) important business services; (iv) impact tolerances; 
and (v) scenario analysis and testing. The proposed rule change also 
would rename the Operational Risk Management Policy as the Operational 
Risk and Resilience Policy (referred to below as the ``Policy'').
    ICE Clear Europe maintains that overall these changes would 
memorialize in the Policy its current practices with respect to 
operational resilience. ICE Clear Europe is making these changes to 
demonstrate compliance with certain additional legal requirements 
applicable to ICE Clear Europe in its home jurisdiction, the United 
Kingdom.\4\
---------------------------------------------------------------------------

    \4\ Notice, 87 FR at 61109.
---------------------------------------------------------------------------

    In addition to the changes related to operational resilience, the 
proposed rule change would make other updates to the Policy, including 
fixing typographical errors and adjusting the frequency of review.

B. Operational Resilience Updates

i. Three Lines of Defense
    The proposed rule change would add to the Policy a description of 
the three lines of defense, which is the model that ICE Clear Europe 
currently uses for managing risks. The proposed rule change would not 
make any changes to this model but would memorialize it in the Policy, 
in compliance with certain additional legal requirements applicable to 
ICE Clear Europe in its home jurisdiction.\5\
---------------------------------------------------------------------------

    \5\ Notice, 87 FR at 61109.
---------------------------------------------------------------------------

    Under the three lines of defense model, the ICE Clear Europe 
business line that generates the risk is considered to be the First 
Line of defense (or Risk Owner). The First Line is responsible for 
managing risks and adhering to the Policy. All ICE Clear Europe 
departments, other than the Risk Oversight Department and Internal 
Audit, could be the First Line of defense.
    The Risk Oversight Department/Enterprise Risk Management \6\ is the 
Second Line of defense. The Second Line is responsible for challenging 
the First Line and monitoring adherence to the Policy.
---------------------------------------------------------------------------

    \6\ ICE's Enterprise Risk Management team coordinates with ICE 
Clear Europe's Risk Oversight Department in providing the Second 
Line function.
---------------------------------------------------------------------------

    Internal Audit is the Third Line of defense. It provides 
independent and objective assurance to ICE Clear Europe's Board 
regarding, among other things, evaluation of governance, risk 
management, and key controls mitigating current and evolving risk.
ii. Framework
    The proposed rule change would add to the Policy a description of 
the other policies and procedures that ICE Clear Europe uses to 
maintain operational resilience. ICE Clear Europe considers these 
policies and procedures to form a complimentary operational risk and 
resilience framework. As would be described in the Policy, ICE Clear 
Europe uses this framework to reduce the likelihood of an operational 
disruption event within acceptable tolerance, and mitigate and quickly 
recover from an operational disruption event. In addition to the Policy 
itself, the policies and procedures in the framework are: (i) the 
Incident Management Policy; \7\ (ii) the Business Continuity & Disaster 
Recovery Policy; \8\ (iii) the Information Security Policy and Cyber 
Security Strategy; \9\ (iv) the Outsourcing Policy; \10\ and (v) the 
Vendor Management Policy.\11\
---------------------------------------------------------------------------

    \7\ ICE Clear Europe's Incident Management Policy provides a 
framework for the communication, resolution, and recording of 
incidents and to ensure incidents are resolved in a planned and 
controlled manner so that any interruption is resolved quickly, and 
service is restored.
    \8\ ICE Clear Europe's Business Continuity & Disaster Recovery 
helps to ensure appropriate plans are in place to recover from a 
business continuity or disaster recovery incident which impact the 
availability of primary office, failure in IT infrastructure or 
reduced availability of staff.
    \9\ ICE Clear Europe's Information Security Policy and Cyber 
Security Strategy explains the responsibilities of users as well as 
the steps they must take to help protect information and information 
systems and ways to prevent and respond to a variety of threats to 
information and information systems.
    \10\ ICE Clear Europe's Outsourcing Policy governs outsourcing 
arrangements to ensure minimum operational resilience standards are 
being met by outsourced service providers.
    \11\ ICE Clear Europe's Vendor Management Policy helps to ensure 
the requisite due diligence is performed and helps to ensure that 
vendors have the capacity, resiliency and capability to fully 
support ICE Clear Europe.
---------------------------------------------------------------------------

    Again, ICE Clear Europe currently maintains these policies and 
procedures and the proposed rule change would not alter these policies 
and procedures. The proposed rule change would only memorialize these 
policies and procedures to demonstrate how they form a complimentary 
framework for managing and maintaining ICE Clear Europe's operational 
resilience, in compliance with certain additional legal requirements 
applicable to ICE Clear Europe in its home jurisdiction.\12\
---------------------------------------------------------------------------

    \12\ Notice, 87 FR at 61109, 61110.
---------------------------------------------------------------------------

iii. Important Business Services
    Next, the proposed rule change would add a description of ICE Clear 
Europe's Important Business Services and set certain requirements with 
respect to these services. The proposed rule change would define a 
business service as important if a prolonged disruption of that service 
would significantly disrupt the orderly functioning of a market that 
ICE Clear Europe serves, thereby impacting financial stability. The 
proposed rule change would require that ICE Clear Europe identify and 
document its Important Business Services and the people, processes, 
technology, facilities, and underlying information related to such 
services. Moreover, the relevant First Line must review the important 
business service annually, subject to oversight by Second Line and 
approval by a Board-level committee.
    ICE Clear Europe currently maintains and documents its critical 
business services, as part of managing its operational risk and 
maintaining operational resilience. ICE Clear Europe's critical 
business services are similar to Important Business Services, but 
slightly broader in scope. ICE Clear Europe's Important Business 
Services therefore would be a subset of its critical business services. 
Given that, ICE Clear Europe maintains that overall, identifying its 
Important Business Services would not substantively alter its existing 
risk management framework. While not changing its approach in a 
substantive way, ICE Clear Europe is introducing the concept of 
Important Business Services to demonstrate compliance with certain 
additional legal requirements applicable in its home jurisdiction.\13\
---------------------------------------------------------------------------

    \13\ Notice, 87 FR at 61110.
---------------------------------------------------------------------------

iv. Impact Tolerances
    The proposed rule change would also add a description of the 
maximum levels of disruption to its Important Business Services that 
ICE Clear Europe could tolerate. The proposed rule change would 
describe these as impact tolerances. For each Important Business

[[Page 72555]]

Service, ICE Clear Europe would establish an appropriate impact 
tolerance, as well as controls and recovery procedures to help ensure 
ICE Clear Europe can recover when the tolerance is exceeded.
    ICE Clear Europe would monitor impact tolerances and would escalate 
breaches to the Executive Risk Committee and Board. Moreover, First 
Line personnel would review breaches and establish a remediation plan. 
Second Line would be required to agree to the review and remediation 
plan, and ultimately the review and remediation would be presented to 
the Board.
---------------------------------------------------------------------------

    \14\ Notice, 87 FR at 61110.
    \15\ Notice, 87 FR at 61110.
---------------------------------------------------------------------------

    First Line would review the impact tolerances annually. Second Line 
would oversee this review and an appropriate Board-level Committee 
would approve it.
    ICE Clear Europe currently maintains a risk management framework 
that already covers incident management based on levels of severity 
linked to financial, reputational, operational and regulatory 
impacts.\14\ ICE Clear Europe therefore maintains that overall, 
establishing impact tolerances with respect to its Important Business 
Services would build on its existing risk management framework to 
demonstrate compliance with certain additional legal requirements 
applicable in its home jurisdiction.\15\
v. Scenario Analysis and Testing

    The proposed rule change also would add an overview of ICE Clear 
Europe's scenario analysis and testing. ICE Clear Europe would conduct 
scenario analysis and testing on its Important Business Services to 
determine if ICE Clear Europe can remain within the impact tolerances 
under a range of extreme but plausible disruption scenarios. ICE Clear 
Europe's testing scenarios would include scenarios that affect more 
than one Important Business Service at a time and that take into 
account dependencies.
    For any identified weaknesses related to extreme but plausible 
scenarios, the First Line must develop a remediation plan, with which 
the Second Line must agree. Moreover, scenario analysis and testing 
results would be reported to the Executive Risk Committee and the 
Board.
    ICE Clear Europe currently conducts scenario analysis and testing. 
ICE Clear Europe is adding this section to the Policy to document its 
scenario analysis and testing, particularly with respect to its 
Important Business Services. As discussed above, ICE Clear Europe is 
identifying, and establishing impact tolerances for its Important 
Business Services in compliance with certain additional legal 
requirements applicable to ICE Clear Europe in its home 
jurisdiction.\16\ ICE Clear Europe maintains that memorializing its 
approach to scenario analysis and testing, in particular with respect 
to its Important Business Services, would further demonstrate 
compliance with these legal requirements.\17\
---------------------------------------------------------------------------

    \16\ Notice, 87 FR at 61110.
    \17\ Notice, 87 FR at 61110.
---------------------------------------------------------------------------

C. Other Updates and Typographical Corrections

    In addition to expanding the Policy to include operational 
resilience, the proposed rule change would make other updates to the 
Policy. For example, the proposed rule change would correct 
typographical errors, update references, and remove redundant 
references. The proposed rule change also would rename the section 
formerly titled ``The Policy for Operational Risk Management'' as 
``Risk and Control Assessments,'' to more clearly reflect the 
information contained there.
    The proposed rule change also would correct a reference to the 
Enterprise Risk Register. Section 3.1 currently provides that all 
``risks are documented in the Enterprise Risk Register . . .'' The 
proposed rule change would correct this to provide instead that all 
``risk assessments,'' and not just ``risks,'' are documented in the 
Enterprise Risk Register. The proposed rule change also would correct a 
reference to the Enterprise Risk Register in Section 3.1, changing it 
from the ``Risk Register Dashboard'' to the ``Enterprise Risk 
Register.''
    The proposed rule change would correct a drafting error in Section 
3.2.5. Section 3.2.5 requires, among other things, that ICE Clear 
Europe periodically monitor key Controls, meaning controls that 
mitigate high inherent risks. As currently written, Section 3.2.5 
requires that Enterprise Risk Management coordinate with the First, 
Second, and Third Lines to develop control monitoring plans for Key 
Controls. The proposed rule change would delete the reference to the 
Second Line. Given that the Enterprise Risk Management Group is, as 
noted above, part of ICE Clear Europe's Second Line, the reference is 
redundant.
    Finally, the proposed rule change would amend the review section of 
the Policy to require that it be subject to at least an annual review 
or earlier in the event of a material change. Currently the Policy is 
subject to a biennial review or earlier in the event of a material 
change. ICE Clear Europe is making this change to make the Policy 
consistent with other ICE Clear Europe policies, which are subject to 
annual reviews.

III. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act directs the Commission to approve a 
proposed rule change of a self-regulatory organization if it finds that 
such proposed rule change is consistent with the requirements of the 
Act and the rules and regulations thereunder applicable to such 
organization.\18\ For the reasons discussed below, the Commission finds 
that the proposed rule change is consistent with Section 17A(b)(3)(F) 
of the Act,\19\ and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(17) 
thereunder.\20\
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 78s(b)(2)(C).
    \19\ 15 U.S.C. 78q-1(b)(3)(F).
    \20\ 17 CFR 240.17Ad-22(e)(2)(v) and (e)(17).
---------------------------------------------------------------------------

i. Consistency With Section 17A(b)(3)(F) of the Act

    Section 17A(b)(3)(F) of the Act requires, among other things, that 
the rules of ICE Clear Europe be designed to promote the prompt and 
accurate clearance and settlement of securities transactions and, to 
the extent applicable, derivative agreements, contracts, and 
transactions.\21\ Based on its review of the record, and for the 
reasons discussed below, the Commission believes the proposed changes 
to the Policy are consistent with the promotion of the prompt and 
accurate clearance and settlement of securities transactions.
---------------------------------------------------------------------------

    \21\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    The Commission believes that the proposed rule change would help 
ICE Clear Europe maintain its overall operational resilience while 
demonstrating compliance with certain additional legal requirements 
applicable to ICE Clear Europe in its home jurisdiction. It would do so 
by memorializing in the Policy how ICE Clear Europe manages and 
maintains its operational resilience. As discussed above, ICE Clear 
Europe does so by using, among others, the three lines of defense model 
and maintain complimentary operational risk and resilience framework. 
The Commission believes that memorializing these practices in the 
Policy would help to ensure that ICE Clear Europe personnel follow them 
on a consistent and predictable basis. Because the Commission believes 
that these practices are an effective means of maintaining operational 
resilience, the Commission believes that

[[Page 72556]]

memorializing them in the Policy, and therefore helping to ensure that 
ICE Clear Europe personnel follow these processes on a consistent and 
predictable basis, would help ICE Clear Europe maintain operational 
resilience.
    The Commission similarly believes that identifying ICE Clear 
Europe's Important Business Services, setting impact tolerances with 
respect to those services, and conducting scenario and analysis and 
testing for those services, would help ICE Clear Europe to maintain 
these Important Business Services in the event of a disruption. Because 
a prolonged disruption to an Important Business Service would 
significantly disrupt the orderly functioning of a market that ICE 
Clear Europe serves, thus impacting financial stability, the Commission 
believes that maintaining Important Business Services against the 
threat of a disruption and other operational risks would help ICE Clear 
Europe maintain its overall operational resilience.
    Moreover, the Commission believes that the other changes discussed 
in Part II.C above would improve the Policy and therefore ICE Clear 
Europe's ability to maintain operational resilience using the Policy. 
For example, the Commission believes that fixing typographical errors, 
removing the redundant reference to the Second Line in Section 3.2.5, 
and updating references would help to ensure that the Policy can be 
applied consistently and free from error. The Commission also believes 
that making the Policy subject to at least an annual review or earlier 
in the event of a material change, rather than a biennial review, would 
help to identify any gaps and necessary resolutions or updates sooner 
than what is currently required.
    For these reasons, the Commission believes the proposed rule change 
would help ICE Clear Europe maintain operational resilience using the 
Policy. ICE Clear Europe's operational resilience should decrease the 
likelihood that operational incidents disrupt its ability to promptly 
and accurately clear and settle securities transactions. The Commission 
believes therefore the proposed rule change would maintain ICE Clear 
Europe's ability to promptly and accurately clear and settle securities 
transactions, consistent with Section 17A(b)(3)(F) of the Act.\22\
---------------------------------------------------------------------------

    \22\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

ii. Consistency With Rule 17Ad-22(e)(2)(v)

    Rule 17Ad-22(e)(2)(v) requires that ICE Clear Europe establish, 
implement, maintain and enforce written policies and procedures 
reasonably designed to provide for governance arrangements that, among 
other things, specify clear and direct lines of responsibility.\23\ The 
Commission believes that the proposed changes discussed above would 
maintain clear and direct lines of responsibility for First Line and 
Second Line personnel. For example, the First Line would review each 
Important Business Service annually, subject to oversight by the Risk 
Oversight Department and approval by a Board-level committee. The First 
Line additionally would review the impact tolerances annually, and the 
Second Line would oversee this review. The First Line also would, as 
discussed above, develop plans to remediate certain findings from 
scenario analysis and testing. As discussed above, the proposed rule 
change would memorialize these lines of responsibility to demonstrate 
compliance with certain additional legal requirements applicable to ICE 
Clear Europe in its home jurisdiction. The Commission believes all of 
these changes would specify clear and direct lines of responsibility.
---------------------------------------------------------------------------

    \23\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------

    Therefore, the Commission finds that the proposed rule change is 
consistent with Rule 17Ad-22(e)(2)(v).\24\
---------------------------------------------------------------------------

    \24\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------

iii. Consistency With Rule 17Ad-22(e)(17)

    Rule 17Ad-22(e)(17) requires that ICE Clear Europe establish, 
implement, maintain and enforce written policies and procedures 
reasonably designed to manage its operational risks by, among other 
things, identifying the plausible sources of operational risk, both 
internal and external, and mitigating their impact through the use of 
appropriate systems, policies, procedures, and controls.\25\ The 
Commission believes that by memorializing in the Policy how ICE Clear 
Europe manages and maintains its operational resilience, the proposed 
rule change would mitigate the impact of operational risk at ICE Clear 
Europe by helping to ensure that ICE Clear Europe personnel follow 
these processes on a consistent and predictable basis, and therefore 
are able to maintain operational resilience and mitigate the impact of 
operational risk at ICE Clear Europe. The Commission also believes that 
identifying ICE Clear Europe's Important Business Services, setting 
impact tolerances with respect to those services, and conducting 
scenario and analysis and testing for those services would help ICE 
Clear Europe to identify, manage, and mitigate the impact of 
operational risks to these Important Business Services. Therefore, the 
Commission finds that the proposed rule change is consistent with Rule 
17Ad-22(e)(17).\26\
---------------------------------------------------------------------------

    \25\ 17 CFR 240.17Ad-22(e)(17).
    \26\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

IV. Conclusion

    On the basis of the foregoing, the Commission finds that the 
proposed rule change is consistent with the requirements of the Act, 
and in particular, with the requirements of Section 17A(b)(3)(F) of the 
Act,\27\ and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(17) thereunder.\28\
---------------------------------------------------------------------------

    \27\ 15 U.S.C. 78q-1(b)(3)(F).
    \28\ 17 CFR 240.17Ad-22(e)(2)(v) and (e)(17).
---------------------------------------------------------------------------

    It is therefore ordered pursuant to Section 19(b)(2) of the Act 
\29\ that the proposed rule change (SR-ICEEU-2022-015) be, and hereby 
is, approved.\30\
---------------------------------------------------------------------------

    \29\ 15 U.S.C. 78s(b)(2).
    \30\ In approving the proposed rule change, the Commission 
considered the proposal's impact on efficiency, competition, and 
capital formation. 15 U.S.C. 78c(f).

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\31\
---------------------------------------------------------------------------

    \31\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2022-25662 Filed 11-23-22; 8:45 am]
BILLING CODE 8011-01-P