Self-Regulatory Organizations; ICE Clear Europe Limited; Order Approving Proposed Rule Change, as Modified by Amendment No. 1, Relating to Amendments to its Operational Risk and Resilience Policy, 74547-74550 [2023-23941]
Download as PDF
<![CDATA[
Federal Register / Vol. 88, No. 209 / Tuesday, October 31, 2023 / Notices
C. Self-Regulatory Organization’s
Statement on Comments on the
Proposed Rule Change Received From
Members, Participants, or Others
No written comments were solicited
or received with respect to the proposed
rule change.
III. Date of Effectiveness of the
Proposed Rule Change and Timing for
Commission Action
The Exchange has filed the proposed
rule change pursuant to Section
19(b)(3)(A)(iii) of the Act 18 and Rule
19b–4(f)(6) thereunder.19 Because the
proposed rule change does not: (i)
significantly affect the protection of
investors or the public interest; (ii)
impose any significant burden on
competition; and (iii) become operative
prior to 30 days from the date on which
it was filed, or such shorter time as the
Commission may designate, if
consistent with the protection of
investors and the public interest, the
proposed rule change has become
effective pursuant to Section 19(b)(3)(A)
of the Act and Rule 19b–4(f)(6)(iii)
thereunder.20
At any time within 60 days of the
filing of such proposed rule change, the
Commission summarily may
temporarily suspend such rule change if
it appears to the Commission that such
action is necessary or appropriate in the
public interest, for the protection of
investors, or otherwise in furtherance of
the purposes of the Act. If the
Commission takes such action, the
Commission shall institute proceedings
under Section 19(b)(2)(B) 21 of the Act to
determine whether the proposed rule
change should be approved or
disapproved.
IV. Solicitation of Comments
Interested persons are invited to
submit written data, views, and
arguments concerning the foregoing,
including whether the proposed rule
change is consistent with the Act.
Comments may be submitted by any of
the following methods:
Electronic Comments
• Use the Commission’s internet
comment form (https://www.sec.gov/
rules/sro.shtml); or
18 15
U.S.C. 78s(b)(3)(A)(iii).
CFR 240.19b–4(f)(6).
20 17 CFR 240.19b–4(f)(6). In addition, Rule 19b–
4(f)(6)(iii) requires a self-regulatory organization to
give the Commission written notice of its intent to
file the proposed rule change, along with a brief
description and text of the proposed rule change,
at least five business days prior to the date of filing
of the proposed rule change, or such shorter time
as designated by the Commission. The Exchange
has satisfied this requirement.
21 15 U.S.C. 78s(b)(2)(B).
lotter on DSK11XQN23PROD with NOTICES1
19 17
VerDate Sep<11>2014
17:18 Oct 30, 2023
Jkt 262001
• Send an email to rule-comments@
sec.gov. Please include file number SR–
NYSEAMER–2023–49 on the subject
line.
Paper Comments
• Send paper comments in triplicate
to Secretary, Securities and Exchange
Commission, 100 F Street NE,
Washington, DC 20549–1090.
All submissions should refer to file
number SR–NYSEAMER–2023–49. This
file number should be included on the
subject line if email is used. To help the
Commission process and review your
comments more efficiently, please use
only one method. The Commission will
post all comments on the Commission’s
internet website (https://www.sec.gov/
rules/sro.shtml). Copies of the
submission, all subsequent
amendments, all written statements
with respect to the proposed rule
change that are filed with the
Commission, and all written
communications relating to the
proposed rule change between the
Commission and any person, other than
those that may be withheld from the
public in accordance with the
provisions of 5 U.S.C. 552, will be
available for website viewing and
printing in the Commission’s Public
Reference Room, 100 F Street NE,
Washington, DC 20549 on official
business days between the hours of 10
a.m. and 3 p.m. Copies of the filing also
will be available for inspection and
copying at the principal office of the
Exchange. Do not include personal
identifiable information in submissions;
you should submit only information
that you wish to make available
publicly. We may redact in part or
withhold entirely from publication
submitted material that is obscene or
subject to copyright protection. All
submissions should refer to file number
SR–NYSEAMER–2023–49 and should
be submitted on or before November 21,
2023.
For the Commission, by the Division of
Trading and Markets, pursuant to delegated
authority.22
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2023–23940 Filed 10–30–23; 8:45 am]
BILLING CODE 8011–01–P
22 17
PO 00000
CFR 200.30–3(a)(12).
Frm 00147
Fmt 4703
Sfmt 4703
74547
SECURITIES AND EXCHANGE
COMMISSION
[Release No. 34–98799; File No. SR–ICEEU–
2023–021]
Self-Regulatory Organizations; ICE
Clear Europe Limited; Order Approving
Proposed Rule Change, as Modified by
Amendment No. 1, Relating to
Amendments to its Operational Risk
and Resilience Policy
October 25, 2023.
I. Introduction
On August 15, 2023, ICE Clear Europe
Limited (‘‘ICE Clear Europe’’ or
‘‘Clearing House’’) filed with the
Securities and Exchange Commission
(‘‘Commission’’), pursuant to Section
19(b)(1) of the Securities Exchange Act
of 1934 (the ‘‘Act’’) 1 and Rule 19b–4
thereunder,2 a proposed rule change to
amend its Operational Risk and
Resilience Policy (the ‘‘Policy’’). On
August 24, 2023, ICE Clear Europe filed
Amendment No. 1 to the proposed rule
change to make certain changes to the
Exhibits 5.3 Notice of the proposed rule
change, as modified by Amendment No.
1, was published for comment in the
Federal Register on September 5, 2023.4
On October 3, 2023, the Commission
designated a longer period for
Commission action on the proposed rule
change until December 4, 2023.5 The
Commission has not received comments
regarding the proposed rule change. For
the reasons discussed below, the
Commission is approving the proposed
rule change, as modified by Amendment
No. 1 (hereinafter ‘‘the Proposed Rule
Change’’).
II. Description of the Proposed Rule
Change
A. Background
ICE Clear Europe is registered with
the Commission as a clearing agency for
1 15
U.S.C. 78s(b)(1).
CFR 240.19b–4.
3 Amendment No. 1 corrects the presentation of
changes in Exhibit 5 by reflecting the deletion of the
prior ‘‘Oversight of the Policy’’ section as part of the
updated governance and oversight provisions. This
amendment was filed with the Commission on
August 24, 2023.
4 Self-Regulatory Organizations; ICE Clear Europe
Limited; Notice of Filing of Proposed Rule Change,
as Modified by Amendment No. 1, Relating to
Amendments to its Operational Risk and Resilience
Policy, Exchange Act Release No. 98237 (Aug. 29,
2023); 88 FR 60727 (Sep. 5, 2023) (SR–ICEEU–
2023–021) (‘‘Notice’’).
5 Self-Regulatory Organizations; ICE Clear Europe
Limited; Notice of Designation of Longer Period for
Commission Action on Proposed Rule Change, as
Modified by Amendment No. 1, Relating to
Amendments to its Operational Risk and Resilience
Policy; Exchange Act Release No. 98573 (Sep. 27,
2023), 88 FR 68240 (Oct. 3, 2023) (File No. SR–
ICEEU–2023–021).
2 17
E:\FR\FM\31OCN1.SGM
31OCN1
74548
Federal Register / Vol. 88, No. 209 / Tuesday, October 31, 2023 / Notices
the purpose of clearing security-based
swaps. In its role as a clearing agency
for security-based swaps, ICE Clear
Europe maintains the Policy to address
how ICE Clear Europe identifies,
assesses, manages, monitors, and reports
its operational risks. ICE Clear Europe is
proposing to amend the Policy to add
new scenario analysis and testing
relating to operational risk and
resilience, require that ICE Clear Europe
assess emerging risks, and update the
review process for the Policy. The
Policy has five sections: (1)
Introduction, (2) Operational Risk and
Resilience Framework, (3) Risk and
Control Assessments, (4) Governance
and Oversight, and (5) Appendix. To
effect these amendments, the Proposed
Rule Change would amend all sections
except the Introduction, renumber or
relabel various provisions throughout
the Policy, and update the version
history to reflect these changes.
lotter on DSK11XQN23PROD with NOTICES1
B. Operational Risk and Resilience
Framework
Section 2 of the Policy, ‘‘Operational
Risk and Resilience Framework,’’
describes the overall framework that ICE
Clear Europe uses to address operational
risk 6 and maintain operational
resilience. Specifically, ICE Clear
Europe uses this framework to reduce
the likelihood of an operational
disruption event within acceptable
tolerance, and mitigate and quickly
recover from an operational disruption
event. In addition to the Policy itself,
the policies and procedures in the
framework are: (i) the Incident
Management Policy; (ii) the Business
Continuity & Disaster Recovery Policy;
(iii) the Information Security Policy and
Cyber Security Strategy; (iv) the
Outsourcing Policy; and (v) the Vendor
Management Policy.7
ICE Clear Europe proposes to update
the description of the operational risk
and resilience framework to reflect the
new name of the Outsourcing Policy.
ICE Clear Europe recently changed the
name of the Outsourcing Policy to the
Outsourcing and Third Party Risk
Management Policy, and the Proposed
Rule Change would reflect this update.8
6 The Policy defines operational risk as the risk
of an event occurring which negatively impacts the
achievement of business objectives resulting from
inadequate or failed internal operational controls,
people, systems, or external events.
7 See Self-Regulatory Organizations; ICE Clear
Europe Limited; Order Approving Proposed Rule
Change Relating to ICE Clear Europe Operational
Risk and Resilience Policy, Exchange Act Release
No. 96351 (Nov. 18, 2022); 87 FR 72553 (Nov. 25,
2022) (SR–ICEEU–2022–015).
8 For more information regarding the changes
relating to the Outsourcing and Third Party Risk
Management Policy, See Self-Regulatory
VerDate Sep<11>2014
17:18 Oct 30, 2023
Jkt 262001
The Proposed Rule Change also would
add language to reflect that the updated
policy has been approved by the Board
and is pending regulatory approval.9
ICE Clear Europe proposes to update
the description of its scenario analysis
and testing found in Section 2.6 of the
Policy. As noted in the Policy, ICE Clear
Europe has scenario analysis and testing
in place to identity any operational
resilience weakness, and it conducts
such testing on important business
services to determine if it can remain
within the impact tolerances under a
range of extreme but plausible
disruption scenarios. ICE Clear Europe
proposes to make additions to this
section without deleting any language,
except for one exception noted below
relating to the Board.
Specifically, the Proposed Rule
Change would add a requirement that
the Clearing House must maintain an
inventory of scenarios for the purposes
of scenario analysis and testing.
Moreover, the Policy currently specifies
that the testing should include scenarios
which disrupt more than one important
business service simultaneously and
take into account dependencies.10 The
Proposed Rule Change would specify
that such dependencies should be both
internal and external. The Proposed
Rule Change would also add language
stating that a portion of the scenarios
should be identified and selected for
reverse stress testing (through a
practical test where possible or a desk
top exercise), and that, over a three-year
cycle, all scenarios would have to be
tested at least once by either a practical
test or a desk top exercise. In addition,
the inventory of scenarios would need
to be reviewed on at least an annual
basis in order to determine if the
scenarios are still fit for purpose and if
updates are required. The annual review
of the inventory would be the
responsibility of the First Line with
Second Line review, and would be
approved by the Executive Risk
Organizations; ICE Clear Europe Limited; Order
Approving Proposed Rule Change, as Modified by
Amendment No. 1 and Partial Amendment No. 2,
Relating to Amendments to the Outsourcing Policy,
Exchange Act Release No. 98387 (Sep. 14, 2023); 88
FR 64953 (Sep. 20, 2023) (SR–ICEEU–2023–018).
9 Following publication of the Notice, the
Commission approved ICE Clear Europe’s proposed
change to the name of the Outsourcing Policy, as
well as other changes to the Outsourcing Policy. See
Self-Regulatory Organizations; ICE Clear Europe
Limited; Order Approving Proposed Rule Change,
as Modified by Amendment No. 1 and Partial
Amendment No. 2, Relating to Amendments to the
Outsourcing Policy, Exchange Act Release No.
98387 (Sep. 14, 2023); 88 FR 64953 (Sep. 20, 2023)
(SR–ICEEU–2023–019).
10 The Clearing House requires that for each
important business service, the following
dependencies must be identified: people, processes,
technology, facilities, and underlying information.
PO 00000
Frm 00148
Fmt 4703
Sfmt 4703
Committee (‘‘ERC’’).11 The ERC would
also be responsible for approving any
changes to the list of scenarios outside
of the annual review cycle. The detailed
scope of the testing based on the
scenarios in the inventory and the
results of testing and assessment against
the risk register would be shared with
the Second Line for review. The
Proposed Rule Change would also
specify that the scenario analysis and
testing results would be submitted to
the ERC or relevant Board subcommittee by removing a reference to
the Board and replacing it with the
relevant Board sub-committee.
C. Risk and Control Assessments
Section 3 of the Policy, ‘‘Risk and
Control Assessments,’’ addresses the
process that identifies, assesses,
manages, monitors, and reports
operational risk. The Proposed Rule
Change would add a new section on
control validation and assessment,
outlining that upon entry to the risk
register or when a material change is
made to a Key Control, Enterprise Risk
Management (‘‘ERM’’) will confirm that
validation of Key Controls is carried out.
Additionally, the amendments would
state that validation may be verified
directly by ERM or through ERM’s
oversight of validations performed by
the First Line. The amendments would
also replace two references to control
testing with control validation
throughout the Policy to be consistent
with the new section. The Proposed
Rule Change does not redefine control
testing and is meant to align with the
Clearing House’s Global Enterprise Risk
Management Policy.
In Section 3.2, ‘‘Risk Assessment,’’ the
amendments would address emerging
risks by adding a paragraph stating that
there should be an assessment of the
Velocity for emerging risks. Velocity
would be defined as an estimate of the
time frame within which impact of a
risk may be realized, and would be
considered as an additional factor
utilized in prioritizing Emerging Risks.
Other non-substantive drafting
clarifications would be made in this
section, such as renumbering to account
for the new section on control
validation and assessment.
11 Enteprise Risk Management is the Second Line
of defense and is responsible for challenging the
First Line and monitoring adherence to the
requirement of this policy. Key Controls have an
expected high level of mitigation and the associated
risks have an inherent risk score of ‘‘High’’ or ‘‘Very
High’’. First Line refers to the defense (or Risk
Owner) responsible for managing the risks to within
the Board appetite and ensuring adherence to all
the requirements in the Policy.
E:\FR\FM\31OCN1.SGM
31OCN1
lotter on DSK11XQN23PROD with NOTICES1
Federal Register / Vol. 88, No. 209 / Tuesday, October 31, 2023 / Notices
D. Governance and Oversight
In Section 4, ‘‘Governance and
Oversight,’’ the amendments would add
three new sections: ‘‘Reviews,’’ ‘‘Breach
Management,’’ and ‘‘Exception
Handling.’’
The ‘‘Reviews’’ section would replace
the previous ‘‘Oversight of the Policy’’
section, which stated only that the
Policy is subject to the oversight of the
Risk Oversight Department and that
failure to comply with the Policy shall
be escalated to the Board. This
statement must be removed to ensure
consistency with the Operational Risk
and Resilience Framework section
discussed above, which specifies that
the First Line of defense is responsible
for ensuring adherence to all the
requirements in the Policy, with the
Risk Oversight Department and
Enterprise Risk Management acting as
the Second Line of defense, with
responsibility for challenging the First
Line and monitoring adherence to the
requirement of the Policy.
Instead, the new ‘‘Reviews’’ section of
the Policy would include a number of
provisions governing the oversight and
review of the Policy. First, it would
specify that the owner of the Policy
would be responsible for ensuring that
the Policy remains up to date and is
reviewed in accordance with ICE Clear
Europe’s governance processes. It would
also provide that, unless otherwise
stated, a document review will be
conducted by the document owner and/
or relevant staff as appropriate, with
sign off being provided by the head of
the department (or their delegate) and
the Chief Risk Officer. Such document
reviews would need to encompass, at a
minimum, regulatory compliance;
documentation and purpose;
implementation; use; and open items
from previous validations or reviews
(where appropriate). The results of the
review, including any findings, would
need to be reported to ICE Clear
Europe’s Executive Risk Committee,
along with the priority of findings,
proposed remediations, and target due
date to remediate the findings. Finally,
the ‘‘Reviews’’ section would specify
that the document owner will aim to
remediate the findings, complete
internal governance, and receive
regulatory approvals (where applicable)
before the next annual review is due.
The new ‘‘Breach Management’’
section would specify that the
document owner would be responsible
for reporting material breaches or
unapproved deviations from the Policy
to their Head of Department, the Chief
Risk Officer, and the Head of Regulation
and Compliance (or, as applicable, their
VerDate Sep<11>2014
17:18 Oct 30, 2023
Jkt 262001
respective delegates). Those individuals
together would determine if further
escalation should be made to relevant
senior executives, the Board, and/or
competent authorities.
Finally, the new ‘‘Exception
Handling’’ section would specify that
exceptions to the Policy must be
approved in accordance with ICE Clear
Europe’s governance process for the
approval of changes, which would only
take effect after completion of all
necessary internal and regulatory
approvals.
E. Appendix
The Proposed Rule Change also
would modify and update three of the
appendixes, add one new appendix, and
remove a section from one appendix.
Specifically, the Proposed Rule
Change would modify and update the
table included as Appendix D,
‘‘Assessment of Expected Level of Risk
Mitigation,’’ by renaming the current
‘‘Mitigation’’ column as ‘‘Rating’’ and
adding a new column labeled
‘‘Examples,’’ which would include
specific examples for each level of
rating (high, medium, and low).
The Proposed Rule Change would
update and modify the table included as
Appendix E, ‘‘Control Effectiveness
Ratings,’’ by renaming the current
‘‘Effectiveness’’ and ‘‘Guidelines’’
columns as ‘‘Rating’’ and ‘‘Control
Assessment Guidelines,’’ respectively.
In addition, an additional bullet point
would be in the guideline column for
the ‘‘Unsatisfactory’’ rating, specifying
that this rating would apply where the
control validation and/or assessment
and audit programs result in major
findings.
The columns for the table included as
Appendix F, ‘‘Control Remediation
Recommendation & Timelines,’’
(Appendix F) would also be renamed.
The current heading labeled Control
Effectiveness would be renamed to
Control Effectiveness Rating, and the
heading labeled Mitigation would be
renamed to Level of Risk Mitigation. In
addition, for the scenario with a Control
Effectiveness Rating of Needs
Improvement and a High Level of Risk
Mitigation, the recommendation would
be changed from Medium to High.
A new table would be added as
Appendix G, ‘‘Velocity Assessment
Guidance,’’ in connection with the
amendments to Section 3.2 discussed
above relating to an assessment of the
velocity of emerging risks. This section
would include a chart separating the
Velocity Rating into categories of
Immediate (less than six months), Short
Term (between six and 18 months), and
Medium Term (greater than 18 months),
PO 00000
Frm 00149
Fmt 4703
Sfmt 4703
74549
and a description noting that each rating
is assessed based on the time in which
the impact of a risk may be realized if
the risk is unmitigated (e.g., an
immediate risk is one for which the
impact may be realized within six
months of the risk event occurring if the
risk is unmitigated).
Finally, the amendments would
remove the section labeled Control
Testing Scope following the chart on
Risk Mitigation in Appendix H, to
conform to the change in the Policy to
refer to control validation rather than
control testing.
III. Discussion and Commission
Findings
Section 19(b)(2)(C) of the Act directs
the Commission to approve a Proposed
Rule Change of a self-regulatory
organization if it finds that such
Proposed Rule Change is consistent
with the requirements of the Act and the
rules and regulations thereunder
applicable to such organization.12 For
the reasons discussed below, the
Commission finds that the Proposed
Rule Change is consistent with Section
17A(b)(3)(F) of the Act,13 and Rules
17Ad–22(e)(2)(v) and 17Ad–22(e)(17)
thereunder.14
i. Consistency With Section 17A(b)(3)(F)
of the Act
Section 17A(b)(3)(F) of the Act
requires, among other things, that the
rules of ICE Clear Europe be designed to
promote the prompt and accurate
clearance and settlement of securities
transactions and, to the extent
applicable, derivative agreements,
contracts, and transactions.15 Based on
its review of the record, and for the
reasons discussed below, the
Commission finds that the proposed
changes to the Policy are consistent
with the promotion of the prompt and
accurate clearance and settlement of
securities transactions.
As a registered clearing agency, ICE
Clear Europe faces a number of
operational risks that could impact or
threaten its ability to clear and settle
transactions if they are not eliminated or
mitigated. As noted above, ICE Clear
Europe maintains the Policy to address
how it identifies, assesses, manages,
monitors, and reports such operational
risks. Improving or enhancing the Policy
likewise improves or enhances ICE
Clear Europe’s ability to manage or
mitigate its operational risks and
12 15
U.S.C. 78s(b)(2)(C).
U.S.C. 78q–1(b)(3)(F).
14 17 CFR 240.17Ad–22(e)(2)(v) and (e)(17).
15 15 U.S.C. 78q–1(b)(3)(F).
13 15
E:\FR\FM\31OCN1.SGM
31OCN1
74550
Federal Register / Vol. 88, No. 209 / Tuesday, October 31, 2023 / Notices
lotter on DSK11XQN23PROD with NOTICES1
therefore ensure that it can continue to
clear and settle securities transactions.
For example, as discussed above, the
Proposed Rule Change would update
the Policy to require ICE Clear Europe
to maintain an inventory of scenarios for
the purposes of scenario analysis and
testing, which inventory would need to
be reviewed on at least an annual basis
in order to determine if the scenarios are
still fit for purpose and if updates are
required. These new requirements
should help ensure that ICE Clear
Europe personnel identify and maintain
an appropriate inventory of scenarios,
determine in a timely manner if updates
to the inventory or scenarios are needed,
and identify any gaps and necessary
resolutions or updates to the inventory
and scenarios sooner than what is
currently required.
Taken together, these enhancements
to the Policy should enhance ICE Clear
Europe’s operational resilience, which
in turn should decrease the likelihood
that operational incidents would disrupt
its ability to promptly and accurately
clear and settle securities transactions.
Accordingly, the Commission finds that
the Proposed Rule Change is consistent
with Section 17A(b)(3)(F) of the Act.16
ii. Consistency With Rule 17Ad–
22(e)(2)(v)
Rule 17Ad–22(e)(2)(v) require that ICE
Clear Europe establish, implement,
maintain, and enforce written policies
and procedures reasonably designed to
provide governance arrangements that,
among other things, are clear and
transparent and specify clear and direct
lines of responsibility.17
As discussed above, the Proposed
Rule Change would add new sections to
the Policy addressing reviews, breach
management, and exception handling.
Among other things, the section
addressing reviews would make the
document owner responsible for
ensuring that the Policy remains up-todate and is reviewed in accordance with
ICE Clear Europe’s governance
processes. Additionally, document
reviews will be conducted by the
document owner and signed off by the
head of the department (or their
delegate) and the Chief Risk Officer.
These reviews would encompass, at a
minimum, regulatory compliance;
documentation and purpose;
implementation; use; and, where
appropriate, open items from previous
validations or reviews.
Under the new section covering
breach management, the document
owner also would be responsible for
reporting material breaches or
unapproved deviations from the Policy
to their Head of Department, the Chief
Risk Officer, and the Head of Regulation
and Compliance (or, as applicable, their
respective delegates).
Under the new section addressing
exception handling, exceptions to the
Policy would need to be approved in
accordance with ICE Clear Europe’s
governance process for the approval of
changes, and could only take effect after
completion of all necessary internal and
regulatory approvals.
Additionally, the Proposed Rule
Change would add a new section to the
Policy on control validation and
assessment, outlining that upon entry to
the risk register or when a material
change is made to a Key Control, ERM
will confirm that validation of Key
Controls is carried out. The Proposed
Rule Change would also amend the
Policy to state that validation may be
verified directly by ERM or through
ERM’s oversight of validations
performed by the First Line.
Taken together, these changes would
help establish clear and direct
responsibilities for the document owner
of the Policy. Accordingly, the
Commission finds that the Proposed
Rule Change is consistent with Rule
17Ad–22(e)(2)(v).18
iii. Consistency With Rule 17Ad–
22(e)(17)
Rule 17Ad–22(e)(17) requires that ICE
Clear Europe establish, implement,
maintain, and enforce written policies
and procedures reasonably designed to
manage its operational risks by, among
other things, identifying the plausible
sources of operational risk, both internal
and external, and mitigating their
impact through the use of appropriate
systems, policies, procedures, and
controls.19
By adding a requirement to maintain
an inventory of scenarios for the
purposes of scenario analysis and test
and review those scenarios annually,
the Proposed Rule Change would
support ICE Clear Europe’s ability to
identify plausible sources of operational
risk, both internal and external, and
mitigate their impact through the Policy,
which supports Ice Clear Europe’s
efforts to manage and mitigate its
operational risks. Accordingly, the
Commission finds that the Proposed
Rule Change is consistent with Rule
17Ad–22(e)(17).20
18 17
CFR 240.17Ad–22(e)(2)(v).
CFR 240.17Ad–22(e)(17).
20 17 CFR 240.17Ad–22(e)(17).
16 15
U.S.C. 78q–1(b)(3)(F).
17 17 CFR 240.17Ad–22(e)(2)(v).
VerDate Sep<11>2014
17:18 Oct 30, 2023
19 17
Jkt 262001
PO 00000
Frm 00150
Fmt 4703
Sfmt 4703
IV. Conclusion
On the basis of the foregoing, the
Commission finds that the Proposed
Rule Change, as modified by
Amendment no. 1, is consistent with the
requirements of the Act, and in
particular, with the requirements of
Section 17A(b)(3)(F) of the Act,21 and
Rules 17Ad–22(e)(2)(v) and 17Ad–
22(e)(17) thereunder.22
It is therefore ordered pursuant to
Section 19(b)(2) of the Act 23 that the
Proposed Rule Change (SR–ICEEU–
2023–021) be, and hereby is,
approved.24
For the Commission, by the Division
of Trading and Markets, pursuant to
delegated authority.25
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2023–23941 Filed 10–30–23; 8:45 am]
BILLING CODE 8011–01–P
SECURITIES AND EXCHANGE
COMMISSION
[Release No. PA–61; File No. S7–19–23]
Privacy Act of 1974; System of
Records
Securities and Exchange
Commission.
ACTION: Notice of a new system of
records.
AGENCY:
The Securities and Exchange
Commission (SEC) proposes to establish
SEC–36, Harassment Prevention and
Response Program Records under the
Privacy Act of 1974. The information in
the system concerns internal inquiries
and/or investigations into allegations of
harassment reported to SEC by
applicants for employment, current and
former SEC employees, fellows, interns,
and individuals who conduct business
with the SEC; and resolutions of
allegations of workplace harassment.
The Harassment Prevention and
Response Program addresses harassment
concerns that are raised separate and
apart from harassment claims that may
also be raised under the procedures for
administrative equal employment
opportunity complaints.
DATES: The system of records will
become effective October 31, 2023, with
the exception of the routine uses, which
will become effective November 30,
SUMMARY:
21 15
U.S.C. 78q–1(b)(3)(F).
CFR 240.17Ad–22(e)(2)(v) and (e)(17).
23 15 U.S.C. 78s(b)(2).
24 In approving the Proposed Rule Change, the
Commission considered the proposal’s impact on
efficiency, competition, and capital formation. 15
U.S.C. 78c(f).
25 17 CFR 200.30–3(a)(12).
22 17
E:\FR\FM\31OCN1.SGM
31OCN1
]]>Agencies
[Federal Register Volume 88, Number 209 (Tuesday, October 31, 2023)]
[Notices]
[Pages 74547-74550]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-23941]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-98799; File No. SR-ICEEU-2023-021]
Self-Regulatory Organizations; ICE Clear Europe Limited; Order
Approving Proposed Rule Change, as Modified by Amendment No. 1,
Relating to Amendments to its Operational Risk and Resilience Policy
October 25, 2023.
I. Introduction
On August 15, 2023, ICE Clear Europe Limited (``ICE Clear Europe''
or ``Clearing House'') filed with the Securities and Exchange
Commission (``Commission''), pursuant to Section 19(b)(1) of the
Securities Exchange Act of 1934 (the ``Act'') \1\ and Rule 19b-4
thereunder,\2\ a proposed rule change to amend its Operational Risk and
Resilience Policy (the ``Policy''). On August 24, 2023, ICE Clear
Europe filed Amendment No. 1 to the proposed rule change to make
certain changes to the Exhibits 5.\3\ Notice of the proposed rule
change, as modified by Amendment No. 1, was published for comment in
the Federal Register on September 5, 2023.\4\ On October 3, 2023, the
Commission designated a longer period for Commission action on the
proposed rule change until December 4, 2023.\5\ The Commission has not
received comments regarding the proposed rule change. For the reasons
discussed below, the Commission is approving the proposed rule change,
as modified by Amendment No. 1 (hereinafter ``the Proposed Rule
Change'').
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ Amendment No. 1 corrects the presentation of changes in
Exhibit 5 by reflecting the deletion of the prior ``Oversight of the
Policy'' section as part of the updated governance and oversight
provisions. This amendment was filed with the Commission on August
24, 2023.
\4\ Self-Regulatory Organizations; ICE Clear Europe Limited;
Notice of Filing of Proposed Rule Change, as Modified by Amendment
No. 1, Relating to Amendments to its Operational Risk and Resilience
Policy, Exchange Act Release No. 98237 (Aug. 29, 2023); 88 FR 60727
(Sep. 5, 2023) (SR-ICEEU-2023-021) (``Notice'').
\5\ Self-Regulatory Organizations; ICE Clear Europe Limited;
Notice of Designation of Longer Period for Commission Action on
Proposed Rule Change, as Modified by Amendment No. 1, Relating to
Amendments to its Operational Risk and Resilience Policy; Exchange
Act Release No. 98573 (Sep. 27, 2023), 88 FR 68240 (Oct. 3, 2023)
(File No. SR-ICEEU-2023-021).
---------------------------------------------------------------------------
II. Description of the Proposed Rule Change
A. Background
ICE Clear Europe is registered with the Commission as a clearing
agency for
[[Page 74548]]
the purpose of clearing security-based swaps. In its role as a clearing
agency for security-based swaps, ICE Clear Europe maintains the Policy
to address how ICE Clear Europe identifies, assesses, manages,
monitors, and reports its operational risks. ICE Clear Europe is
proposing to amend the Policy to add new scenario analysis and testing
relating to operational risk and resilience, require that ICE Clear
Europe assess emerging risks, and update the review process for the
Policy. The Policy has five sections: (1) Introduction, (2) Operational
Risk and Resilience Framework, (3) Risk and Control Assessments, (4)
Governance and Oversight, and (5) Appendix. To effect these amendments,
the Proposed Rule Change would amend all sections except the
Introduction, renumber or relabel various provisions throughout the
Policy, and update the version history to reflect these changes.
B. Operational Risk and Resilience Framework
Section 2 of the Policy, ``Operational Risk and Resilience
Framework,'' describes the overall framework that ICE Clear Europe uses
to address operational risk \6\ and maintain operational resilience.
Specifically, ICE Clear Europe uses this framework to reduce the
likelihood of an operational disruption event within acceptable
tolerance, and mitigate and quickly recover from an operational
disruption event. In addition to the Policy itself, the policies and
procedures in the framework are: (i) the Incident Management Policy;
(ii) the Business Continuity & Disaster Recovery Policy; (iii) the
Information Security Policy and Cyber Security Strategy; (iv) the
Outsourcing Policy; and (v) the Vendor Management Policy.\7\
---------------------------------------------------------------------------
\6\ The Policy defines operational risk as the risk of an event
occurring which negatively impacts the achievement of business
objectives resulting from inadequate or failed internal operational
controls, people, systems, or external events.
\7\ See Self-Regulatory Organizations; ICE Clear Europe Limited;
Order Approving Proposed Rule Change Relating to ICE Clear Europe
Operational Risk and Resilience Policy, Exchange Act Release No.
96351 (Nov. 18, 2022); 87 FR 72553 (Nov. 25, 2022) (SR-ICEEU-2022-
015).
---------------------------------------------------------------------------
ICE Clear Europe proposes to update the description of the
operational risk and resilience framework to reflect the new name of
the Outsourcing Policy. ICE Clear Europe recently changed the name of
the Outsourcing Policy to the Outsourcing and Third Party Risk
Management Policy, and the Proposed Rule Change would reflect this
update.\8\ The Proposed Rule Change also would add language to reflect
that the updated policy has been approved by the Board and is pending
regulatory approval.\9\
---------------------------------------------------------------------------
\8\ For more information regarding the changes relating to the
Outsourcing and Third Party Risk Management Policy, See Self-
Regulatory Organizations; ICE Clear Europe Limited; Order Approving
Proposed Rule Change, as Modified by Amendment No. 1 and Partial
Amendment No. 2, Relating to Amendments to the Outsourcing Policy,
Exchange Act Release No. 98387 (Sep. 14, 2023); 88 FR 64953 (Sep.
20, 2023) (SR-ICEEU-2023-018).
\9\ Following publication of the Notice, the Commission approved
ICE Clear Europe's proposed change to the name of the Outsourcing
Policy, as well as other changes to the Outsourcing Policy. See
Self-Regulatory Organizations; ICE Clear Europe Limited; Order
Approving Proposed Rule Change, as Modified by Amendment No. 1 and
Partial Amendment No. 2, Relating to Amendments to the Outsourcing
Policy, Exchange Act Release No. 98387 (Sep. 14, 2023); 88 FR 64953
(Sep. 20, 2023) (SR-ICEEU-2023-019).
---------------------------------------------------------------------------
ICE Clear Europe proposes to update the description of its scenario
analysis and testing found in Section 2.6 of the Policy. As noted in
the Policy, ICE Clear Europe has scenario analysis and testing in place
to identity any operational resilience weakness, and it conducts such
testing on important business services to determine if it can remain
within the impact tolerances under a range of extreme but plausible
disruption scenarios. ICE Clear Europe proposes to make additions to
this section without deleting any language, except for one exception
noted below relating to the Board.
Specifically, the Proposed Rule Change would add a requirement that
the Clearing House must maintain an inventory of scenarios for the
purposes of scenario analysis and testing. Moreover, the Policy
currently specifies that the testing should include scenarios which
disrupt more than one important business service simultaneously and
take into account dependencies.\10\ The Proposed Rule Change would
specify that such dependencies should be both internal and external.
The Proposed Rule Change would also add language stating that a portion
of the scenarios should be identified and selected for reverse stress
testing (through a practical test where possible or a desk top
exercise), and that, over a three-year cycle, all scenarios would have
to be tested at least once by either a practical test or a desk top
exercise. In addition, the inventory of scenarios would need to be
reviewed on at least an annual basis in order to determine if the
scenarios are still fit for purpose and if updates are required. The
annual review of the inventory would be the responsibility of the First
Line with Second Line review, and would be approved by the Executive
Risk Committee (``ERC'').\11\ The ERC would also be responsible for
approving any changes to the list of scenarios outside of the annual
review cycle. The detailed scope of the testing based on the scenarios
in the inventory and the results of testing and assessment against the
risk register would be shared with the Second Line for review. The
Proposed Rule Change would also specify that the scenario analysis and
testing results would be submitted to the ERC or relevant Board sub-
committee by removing a reference to the Board and replacing it with
the relevant Board sub-committee.
---------------------------------------------------------------------------
\10\ The Clearing House requires that for each important
business service, the following dependencies must be identified:
people, processes, technology, facilities, and underlying
information.
\11\ Enteprise Risk Management is the Second Line of defense and
is responsible for challenging the First Line and monitoring
adherence to the requirement of this policy. Key Controls have an
expected high level of mitigation and the associated risks have an
inherent risk score of ``High'' or ``Very High''. First Line refers
to the defense (or Risk Owner) responsible for managing the risks to
within the Board appetite and ensuring adherence to all the
requirements in the Policy.
---------------------------------------------------------------------------
C. Risk and Control Assessments
Section 3 of the Policy, ``Risk and Control Assessments,''
addresses the process that identifies, assesses, manages, monitors, and
reports operational risk. The Proposed Rule Change would add a new
section on control validation and assessment, outlining that upon entry
to the risk register or when a material change is made to a Key
Control, Enterprise Risk Management (``ERM'') will confirm that
validation of Key Controls is carried out. Additionally, the amendments
would state that validation may be verified directly by ERM or through
ERM's oversight of validations performed by the First Line. The
amendments would also replace two references to control testing with
control validation throughout the Policy to be consistent with the new
section. The Proposed Rule Change does not redefine control testing and
is meant to align with the Clearing House's Global Enterprise Risk
Management Policy.
In Section 3.2, ``Risk Assessment,'' the amendments would address
emerging risks by adding a paragraph stating that there should be an
assessment of the Velocity for emerging risks. Velocity would be
defined as an estimate of the time frame within which impact of a risk
may be realized, and would be considered as an additional factor
utilized in prioritizing Emerging Risks. Other non-substantive drafting
clarifications would be made in this section, such as renumbering to
account for the new section on control validation and assessment.
[[Page 74549]]
D. Governance and Oversight
In Section 4, ``Governance and Oversight,'' the amendments would
add three new sections: ``Reviews,'' ``Breach Management,'' and
``Exception Handling.''
The ``Reviews'' section would replace the previous ``Oversight of
the Policy'' section, which stated only that the Policy is subject to
the oversight of the Risk Oversight Department and that failure to
comply with the Policy shall be escalated to the Board. This statement
must be removed to ensure consistency with the Operational Risk and
Resilience Framework section discussed above, which specifies that the
First Line of defense is responsible for ensuring adherence to all the
requirements in the Policy, with the Risk Oversight Department and
Enterprise Risk Management acting as the Second Line of defense, with
responsibility for challenging the First Line and monitoring adherence
to the requirement of the Policy.
Instead, the new ``Reviews'' section of the Policy would include a
number of provisions governing the oversight and review of the Policy.
First, it would specify that the owner of the Policy would be
responsible for ensuring that the Policy remains up to date and is
reviewed in accordance with ICE Clear Europe's governance processes. It
would also provide that, unless otherwise stated, a document review
will be conducted by the document owner and/or relevant staff as
appropriate, with sign off being provided by the head of the department
(or their delegate) and the Chief Risk Officer. Such document reviews
would need to encompass, at a minimum, regulatory compliance;
documentation and purpose; implementation; use; and open items from
previous validations or reviews (where appropriate). The results of the
review, including any findings, would need to be reported to ICE Clear
Europe's Executive Risk Committee, along with the priority of findings,
proposed remediations, and target due date to remediate the findings.
Finally, the ``Reviews'' section would specify that the document owner
will aim to remediate the findings, complete internal governance, and
receive regulatory approvals (where applicable) before the next annual
review is due.
The new ``Breach Management'' section would specify that the
document owner would be responsible for reporting material breaches or
unapproved deviations from the Policy to their Head of Department, the
Chief Risk Officer, and the Head of Regulation and Compliance (or, as
applicable, their respective delegates). Those individuals together
would determine if further escalation should be made to relevant senior
executives, the Board, and/or competent authorities.
Finally, the new ``Exception Handling'' section would specify that
exceptions to the Policy must be approved in accordance with ICE Clear
Europe's governance process for the approval of changes, which would
only take effect after completion of all necessary internal and
regulatory approvals.
E. Appendix
The Proposed Rule Change also would modify and update three of the
appendixes, add one new appendix, and remove a section from one
appendix.
Specifically, the Proposed Rule Change would modify and update the
table included as Appendix D, ``Assessment of Expected Level of Risk
Mitigation,'' by renaming the current ``Mitigation'' column as
``Rating'' and adding a new column labeled ``Examples,'' which would
include specific examples for each level of rating (high, medium, and
low).
The Proposed Rule Change would update and modify the table included
as Appendix E, ``Control Effectiveness Ratings,'' by renaming the
current ``Effectiveness'' and ``Guidelines'' columns as ``Rating'' and
``Control Assessment Guidelines,'' respectively. In addition, an
additional bullet point would be in the guideline column for the
``Unsatisfactory'' rating, specifying that this rating would apply
where the control validation and/or assessment and audit programs
result in major findings.
The columns for the table included as Appendix F, ``Control
Remediation Recommendation & Timelines,'' (Appendix F) would also be
renamed. The current heading labeled Control Effectiveness would be
renamed to Control Effectiveness Rating, and the heading labeled
Mitigation would be renamed to Level of Risk Mitigation. In addition,
for the scenario with a Control Effectiveness Rating of Needs
Improvement and a High Level of Risk Mitigation, the recommendation
would be changed from Medium to High.
A new table would be added as Appendix G, ``Velocity Assessment
Guidance,'' in connection with the amendments to Section 3.2 discussed
above relating to an assessment of the velocity of emerging risks. This
section would include a chart separating the Velocity Rating into
categories of Immediate (less than six months), Short Term (between six
and 18 months), and Medium Term (greater than 18 months), and a
description noting that each rating is assessed based on the time in
which the impact of a risk may be realized if the risk is unmitigated
(e.g., an immediate risk is one for which the impact may be realized
within six months of the risk event occurring if the risk is
unmitigated).
Finally, the amendments would remove the section labeled Control
Testing Scope following the chart on Risk Mitigation in Appendix H, to
conform to the change in the Policy to refer to control validation
rather than control testing.
III. Discussion and Commission Findings
Section 19(b)(2)(C) of the Act directs the Commission to approve a
Proposed Rule Change of a self-regulatory organization if it finds that
such Proposed Rule Change is consistent with the requirements of the
Act and the rules and regulations thereunder applicable to such
organization.\12\ For the reasons discussed below, the Commission finds
that the Proposed Rule Change is consistent with Section 17A(b)(3)(F)
of the Act,\13\ and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(17)
thereunder.\14\
---------------------------------------------------------------------------
\12\ 15 U.S.C. 78s(b)(2)(C).
\13\ 15 U.S.C. 78q-1(b)(3)(F).
\14\ 17 CFR 240.17Ad-22(e)(2)(v) and (e)(17).
---------------------------------------------------------------------------
i. Consistency With Section 17A(b)(3)(F) of the Act
Section 17A(b)(3)(F) of the Act requires, among other things, that
the rules of ICE Clear Europe be designed to promote the prompt and
accurate clearance and settlement of securities transactions and, to
the extent applicable, derivative agreements, contracts, and
transactions.\15\ Based on its review of the record, and for the
reasons discussed below, the Commission finds that the proposed changes
to the Policy are consistent with the promotion of the prompt and
accurate clearance and settlement of securities transactions.
---------------------------------------------------------------------------
\15\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
As a registered clearing agency, ICE Clear Europe faces a number of
operational risks that could impact or threaten its ability to clear
and settle transactions if they are not eliminated or mitigated. As
noted above, ICE Clear Europe maintains the Policy to address how it
identifies, assesses, manages, monitors, and reports such operational
risks. Improving or enhancing the Policy likewise improves or enhances
ICE Clear Europe's ability to manage or mitigate its operational risks
and
[[Page 74550]]
therefore ensure that it can continue to clear and settle securities
transactions.
For example, as discussed above, the Proposed Rule Change would
update the Policy to require ICE Clear Europe to maintain an inventory
of scenarios for the purposes of scenario analysis and testing, which
inventory would need to be reviewed on at least an annual basis in
order to determine if the scenarios are still fit for purpose and if
updates are required. These new requirements should help ensure that
ICE Clear Europe personnel identify and maintain an appropriate
inventory of scenarios, determine in a timely manner if updates to the
inventory or scenarios are needed, and identify any gaps and necessary
resolutions or updates to the inventory and scenarios sooner than what
is currently required.
Taken together, these enhancements to the Policy should enhance ICE
Clear Europe's operational resilience, which in turn should decrease
the likelihood that operational incidents would disrupt its ability to
promptly and accurately clear and settle securities transactions.
Accordingly, the Commission finds that the Proposed Rule Change is
consistent with Section 17A(b)(3)(F) of the Act.\16\
---------------------------------------------------------------------------
\16\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
ii. Consistency With Rule 17Ad-22(e)(2)(v)
Rule 17Ad-22(e)(2)(v) require that ICE Clear Europe establish,
implement, maintain, and enforce written policies and procedures
reasonably designed to provide governance arrangements that, among
other things, are clear and transparent and specify clear and direct
lines of responsibility.\17\
---------------------------------------------------------------------------
\17\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------
As discussed above, the Proposed Rule Change would add new sections
to the Policy addressing reviews, breach management, and exception
handling. Among other things, the section addressing reviews would make
the document owner responsible for ensuring that the Policy remains up-
to-date and is reviewed in accordance with ICE Clear Europe's
governance processes. Additionally, document reviews will be conducted
by the document owner and signed off by the head of the department (or
their delegate) and the Chief Risk Officer. These reviews would
encompass, at a minimum, regulatory compliance; documentation and
purpose; implementation; use; and, where appropriate, open items from
previous validations or reviews.
Under the new section covering breach management, the document
owner also would be responsible for reporting material breaches or
unapproved deviations from the Policy to their Head of Department, the
Chief Risk Officer, and the Head of Regulation and Compliance (or, as
applicable, their respective delegates).
Under the new section addressing exception handling, exceptions to
the Policy would need to be approved in accordance with ICE Clear
Europe's governance process for the approval of changes, and could only
take effect after completion of all necessary internal and regulatory
approvals.
Additionally, the Proposed Rule Change would add a new section to
the Policy on control validation and assessment, outlining that upon
entry to the risk register or when a material change is made to a Key
Control, ERM will confirm that validation of Key Controls is carried
out. The Proposed Rule Change would also amend the Policy to state that
validation may be verified directly by ERM or through ERM's oversight
of validations performed by the First Line.
Taken together, these changes would help establish clear and direct
responsibilities for the document owner of the Policy. Accordingly, the
Commission finds that the Proposed Rule Change is consistent with Rule
17Ad-22(e)(2)(v).\18\
---------------------------------------------------------------------------
\18\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------
iii. Consistency With Rule 17Ad-22(e)(17)
Rule 17Ad-22(e)(17) requires that ICE Clear Europe establish,
implement, maintain, and enforce written policies and procedures
reasonably designed to manage its operational risks by, among other
things, identifying the plausible sources of operational risk, both
internal and external, and mitigating their impact through the use of
appropriate systems, policies, procedures, and controls.\19\
---------------------------------------------------------------------------
\19\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
By adding a requirement to maintain an inventory of scenarios for
the purposes of scenario analysis and test and review those scenarios
annually, the Proposed Rule Change would support ICE Clear Europe's
ability to identify plausible sources of operational risk, both
internal and external, and mitigate their impact through the Policy,
which supports Ice Clear Europe's efforts to manage and mitigate its
operational risks. Accordingly, the Commission finds that the Proposed
Rule Change is consistent with Rule 17Ad-22(e)(17).\20\
---------------------------------------------------------------------------
\20\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
IV. Conclusion
On the basis of the foregoing, the Commission finds that the
Proposed Rule Change, as modified by Amendment no. 1, is consistent
with the requirements of the Act, and in particular, with the
requirements of Section 17A(b)(3)(F) of the Act,\21\ and Rules 17Ad-
22(e)(2)(v) and 17Ad-22(e)(17) thereunder.\22\
---------------------------------------------------------------------------
\21\ 15 U.S.C. 78q-1(b)(3)(F).
\22\ 17 CFR 240.17Ad-22(e)(2)(v) and (e)(17).
---------------------------------------------------------------------------
It is therefore ordered pursuant to Section 19(b)(2) of the Act
\23\ that the Proposed Rule Change (SR-ICEEU-2023-021) be, and hereby
is, approved.\24\
---------------------------------------------------------------------------
\23\ 15 U.S.C. 78s(b)(2).
\24\ In approving the Proposed Rule Change, the Commission
considered the proposal's impact on efficiency, competition, and
capital formation. 15 U.S.C. 78c(f).
---------------------------------------------------------------------------
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\25\
---------------------------------------------------------------------------
\25\ 17 CFR 200.30-3(a)(12).
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2023-23941 Filed 10-30-23; 8:45 am]
BILLING CODE 8011-01-P
