Self-Regulatory Organizations; The Depository Trust Company; Notice of Filing and Immediate Effectiveness of Proposed Rule Change To Modify the Clearing Agency Operational Risk Management Framework, 75359-75362 [2023-24177]
Federal Register / Vol. 88, No. 211 / Thursday, November 2, 2023 / Notices
and practice the steps needed to
effectuate a wind-down. The added
timeline flexibility would enhance
ICEEU’s ability to use the Plan
effectively to carry out an orderly wind-down.
Additionally, the Proposed Rule
Change would edit a section of the Plan
discussing how ICEEU will meet its
liquidity requirements during wind-down. For example, the Proposed Rule
Change would make clear that collateral
held as cash from Clearing Members
should be immediately accessible or
available at short notice and that the
vast majority, instead of approximately
99 percent, of funds should be invested
in high-quality, short-term instruments.
The Proposed Rule Change would make
these edits to make this portion of the
Plan consistent with the Liquidity and
Investment Management Policy.38 By
making the Plan consistent with the
Liquidity and Investment Management
Policy, the Proposed Rule Change
decreases the potential for confusion,
which allows ICEEU personnel to
correctly interpret the liquidity
provisions in the Plan and effectuate a
wind-down in a consistent and
coordinated fashion. This increases the
likelihood of an orderly wind-down.
Therefore, the Proposed Rule Change is
consistent with the requirements of Rule
17Ad–22(e)(3)(ii).39
IV. Conclusion
On the basis of the foregoing, the
Commission finds that the proposed
rule change, as modified by Amendment
No. 1, is consistent with the
requirements of the Act, and in
particular, Section 17A(b)(3)(F) of the
Act 40 and Rules 17Ad–22(e)(2)(i),
(e)(2)(v),41 and (e)(3)(ii) thereunder.42
It is therefore ordered pursuant to
Section 19(b)(2) of the Act that the
proposed rule change, as modified by
Amendment No. 1 (SR–ICEEU–2023–
011) be, and hereby is, approved.43
For the Commission by the Division of
Trading and Markets, pursuant to delegated
authority.44
J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2023–24180 Filed 11–1–23; 8:45 am]
BILLING CODE 8011–01–P
38 Notice, 88 FR at 60002.
39 17 CFR 240.17Ad–22(e)(3)(ii).
40 15 U.S.C. 78q–1(b)(3)(F).
41 17 CFR 240.17Ad–22(e)(2)(i) and (v).
42 17 CFR 240.17Ad–22(e)(3)(ii).
43 In approving the Proposed Rule Change, the
Commission considered the proposal’s impacts on
efficiency, competition, and capital formation. 15
U.S.C. 78c(f).
44 17 CFR 200.30–3(a)(12).
SECURITIES AND EXCHANGE
COMMISSION
[Release No. 34–98812; File No. SR–DTC–
2023–011]
Self-Regulatory Organizations; The
Depository Trust Company; Notice of
Filing and Immediate Effectiveness of
Proposed Rule Change To Modify the
Clearing Agency Operational Risk
Management Framework
October 27, 2023.
Pursuant to Section 19(b)(1) of the
Securities Exchange Act of 1934
(‘‘Act’’) 1 and Rule 19b–4 thereunder,2
notice is hereby given that on October
20, 2023, The Depository Trust
Company (‘‘DTC’’) filed with the
Securities and Exchange Commission
(‘‘Commission’’) the proposed rule
change as described in Items I, II and III
below, which Items have been prepared
by the clearing agency. DTC filed the
proposed rule change pursuant to
Section 19(b)(3)(A) of the Act 3 and Rule
19b–4(f)(4) thereunder.4 The
Commission is publishing this notice to
solicit comments on the proposed rule
change from interested persons.
I. Clearing Agency’s Statement of the
Terms of Substance of the Proposed
Rule Change
The proposed rule change consists of
modifications to the Clearing Agency
Operational Risk Management
Framework (‘‘ORM Framework’’ or
‘‘Framework’’) of The Depository Trust
Company (‘‘DTC’’) and its affiliates the
National Securities Clearing Corporation
(‘‘NSCC’’) and Fixed Income Clearing
Corporation (‘‘FICC,’’ and together with
DTC and NSCC, the ‘‘Clearing
Agencies’’) in order to (i) revise
nomenclature and process changes to
Risk Profiles, (ii) update the ORM
Framework to align programs, policies,
procedures, and controls within
Technology Risk Management (‘‘TRM’’)
to the Cyber Risk Institute (‘‘CRI’’)
Profile instead of the National Institute
of Standards and Technology (‘‘NIST’’)
standards, (iii) update recovery times for
Tier 5 non-essential functions, (iv)
update business continuity testing
across industry organizations, and (v)
update the ORM Framework to reflect
recent changes to group names and
make other nonmaterial edits, as
described in greater detail below.
1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b–4.
3 15 U.S.C. 78s(b)(3)(A).
4 17 CFR 240.19b–4(f)(4).
II. Clearing Agency’s Statement of the
Purpose of, and Statutory Basis for, the
Proposed Rule Change
In its filing with the Commission, the
clearing agency included statements
concerning the purpose of and basis for
the proposed rule change and discussed
any comments it received on the
proposed rule change. The text of these
statements may be examined at the
places specified in Item IV below. The
clearing agency has prepared
summaries, set forth in sections A, B,
and C below, of the most significant
aspects of such statements.
(A) Clearing Agency’s Statement of the
Purpose of, and Statutory Basis for, the
Proposed Rule Change
1. Purpose
The Clearing Agencies adopted the
ORM Framework 5 to provide an outline
for how each of the Clearing Agencies
manages its operational risks. In this
way, the Framework supports the
Clearing Agencies’ compliance with
Rules 17Ad–22(e)(17) of the Standards
for Covered Clearing Agencies
(‘‘Standards’’) under the Securities
Exchange Act of 1934 (‘‘Act’’),6 as
described in the Initial Filing. In
addition to setting forth the way each of
the Clearing Agencies addresses these
requirements, the ORM Framework also
contains a section titled ‘‘Framework
Ownership and Change Management’’
that, among other matters, describes the
Framework ownership and the required
governance process for review and
approval of changes to the Framework.
In connection with the annual review
and approval of the Framework by the
Boards of Directors of each of the
Clearing Agencies (each a ‘‘Board’’ and
collectively, the ‘‘Boards’’), the Clearing
Agencies are proposing to make certain
revisions to the Framework.
Such proposed changes would
include (i) revising nomenclature and
process changes to Risk Profiles, (ii)
updating the ORM Framework to align
programs, policies, procedures, and
controls within Technology Risk
Management (‘‘TRM’’) to the Cyber Risk
Institute (‘‘CRI’’) Profile instead of the
National Institute of Standards and
Technology (‘‘NIST’’) standards, (iii)
updating the recovery times for Tier 5
equating to non-essential functions, (iv)
updating business continuity testing
across industry organizations, and (v)
updating the ORM Framework to reflect
recent changes to group names and
making other nonmaterial edits. The
proposed changes are described in
greater detail below.
5 See Securities Exchange Act Release No. 81745
(September 28, 2017), 82 FR 46332 (October 4,
2017) (SR–DTC–2017–014; SR–NSCC–2017–013;
SR–FICC–2017–017) (‘‘Initial Filing’’).
6 17 CFR 240.17Ad–22(e)(17).
i. Proposed Amendments To Revise
Nomenclature and Process Changes to
Risk Profiles
Section 4.2 of the ORM Framework
describes the risk profiles, which are
tools used by the Clearing Agencies to
monitor and document inherent risks
and residual risks to support an overall
assessment of the applicable Clearing
Agency business’ or Clearing Agency
support area. The proposed changes
would update the Framework to reflect
recent developments to the name of the
tools used by the Clearing Agency. The
proposed changes would also reflect
updates to Clearing Agency processes
and other matters described in the
Framework. These proposed changes do
not substantively impact how the
Clearing Agencies manage operational
risk in compliance with the
requirements of Rule 17Ad–22(e)(17)
under the Act.7
The proposed changes would update
the Framework by removing references
to risk profiles and replacing them with
Risk Assessments and Quarterly
Business Monitoring. These proposed
changes reflect the Clearing Agencies’
bifurcation of the prior Risk Profile
process into an assessment and a
metrics review component, each with
differing cadences for publication.
Specifically, Risk Assessments are
prepared at least annually, and
Quarterly Business Monitoring is
generally prepared quarterly and not
less than semi-annually.
ii. Proposed Amendments To Align to
the Cyber Risk Institute Profile
Section 5 of the Framework describes
the role of TRM in establishing
appropriate programs, policies,
procedures, and controls with respect to
the Clearing Agencies’ information
technology risks to help management
ensure that systems have a high degree
of security, resiliency, operational
reliability, and adequate, scalable
capacity, as required by Rule 17Ad–
22(e)(17)(ii) under the Act.8 The
Clearing Agencies previously aligned
their technology risk management
practices to the NIST standards, which
are recognized information technology
standards that have been used by TRM
in support of executing such
responsibilities. TRM shifted from
reliance only on NIST standards to
instead align their risk management
practices with the standards of CRI,
which is a global standard for cyber risk
assessment and is based on the NIST
Cyber Security Framework (‘‘NIST
CSF’’). NIST CSF has five core
functions, while the CRI standards have
those same five core functions plus two
additional core functions. This shift
would allow the Clearing Agencies to
continue maintaining compliance with
Rule 17Ad–22(e)(17) under the Act.9
Therefore, the Clearing Agencies are
proposing to amend Section 5 of the
Framework to remove reference to NIST
standards and replace them with the
CRI Profile to reflect its existing
practice.
7 Id.
8 17 CFR 240.17Ad–22(e)(17)(ii).
iii. Proposed Amendments To Update
Recovery Time of Tier 5 Operations
Section 6 of the Framework describes
how the Clearing Agencies have
established and maintain business
continuity plans to address events that
may pose a significant risk of disrupting
their operations. The Framework
describes how the business continuity
process for each Clearing Agency
Business and Clearing Agency Support
Area 10 is ranked within a range of tiers,
from 0 to 5. The range of tiers is based
on criticality to each applicable Clearing
Agency’s operations (each a ‘‘Tier’’),
where Tier 0 equates to critical
operations or support of such operations
for which virtually no downtime is
permitted, and Tier 5 equates to
non-essential operations or support of such
operations for which recovery times of
greater than five days are permitted. The
Clearing Agencies are proposing a
change to the Tier 5 recovery time from
greater than five days to greater than
fifteen days. The greater than fifteen
days better represents the actual
recovery time for the underlying
product and service functions.
To reflect this change in the
Framework, the Clearing Agencies are
proposing to amend Section 6 of the
Framework to replace the number five
with fifteen, as it relates to recovery
times for Tier 5 and align with Clearing
Agency current practice.
9 17 CFR 240.17Ad–22(e)(17).
10 The Clearing Agencies monitor key risks,
including Operational Risks stemming from the
day-to-day operation of the Clearing Agencies’
businesses and support areas (each a ‘‘Clearing
Agency Business’’ or ‘‘Clearing Agency Support
Area’’).
iv. Proposed Amendments To Update
the Description of Business Continuity
Testing
As mentioned above, Section 6 of the
Framework describes how the Clearing
Agencies manage business continuity
risks. The Clearing Agencies are
proposing changes to the Framework to
describe their management of these risks
more accurately. Specifically, the
Clearing Agencies are proposing
changes to better reflect their
administration of industry testing,
which is one of the preventive measures
the Clearing Agencies may take with
respect to business continuity risk
management. The proposed changes
would reflect the breadth of industry
participants used for such industry
exercises conducted by the Clearing
Agencies instead of only the Securities
Industry and Financial Markets
Association (SIFMA) and the Financial
Services Authority. The proposed rule
change is not intended to reflect a
material change to the industry testing
done by the Clearing Agencies, but
rather, would more accurately reflect
the possible scope of any such testing.
Therefore, the Clearing Agencies are
proposing to amend the last bullet of
Section 6 of the Framework to remove
reference to SIFMA and the Financial
Services Authority and include a more
comprehensive description of industry
testing currently conducted to manage
its business continuity risks.
v. Proposed Amendments To Update
Organizational Name Changes and Make
Other Nonmaterial Edits
Finally, the Framework is owned and
managed by an officer within the
Operational Risk Management Group
within the Group Chief Risk Office of
DTCC. While the role and
responsibilities of the Operational Risk
Management Group have not changed,
the proposed changes would update the
Framework to reflect a change in the
name of the group. The Operational Risk
Management Group is now referred to as
Operational Risk. This proposed change
would reflect a recent organizational
name change.
The proposed rule change would
make additional immaterial edits to the
Framework that do not alter how the
Clearing Agencies comply with the
applicable requirements of Rule 17Ad–
22(e)(17) under the Act.11
2. Statutory Basis
The Clearing Agencies believe that the
proposed changes are consistent with
Section 17A(b)(3)(F) of the Act 12 and
Rule 17Ad–22(e)(17)(ii) and (iii)
promulgated under the Act,13 for the
reasons described below.
11 17 CFR 240.17Ad–22(e)(17).
12 15 U.S.C. 78s(b)(3)(F).
13 17 CFR 240.17Ad–22(e)(17)(ii) and (iii).
The Clearing Agencies believe that the
proposed changes are consistent with
Section 17A(b)(3)(F) of the Act, which
requires, in part, that the rules of a
registered clearing agency be designed
to promote the prompt and accurate
clearance and settlement of securities
transactions, and to assure the
safeguarding of securities and funds
which are in the custody or control of
the clearing agency or for which it is
responsible, for the reasons described
below.14 The proposed changes to (i)
revise nomenclature and process
changes to Risk Profiles, (ii) update the
ORM Framework to align programs,
policies, procedures, and controls
within Technology Risk Management
(‘‘TRM’’) to the Cyber Risk Institute
(‘‘CRI’’) Profile instead of the National
Institute of Standards and Technology
(‘‘NIST’’) standards, (iii) update the
recovery times for Tier 5 equating to
non-essential functions, (iv) update
business continuity testing across
industry organizations, and (v) update
the ORM Framework to reflect recent
changes to group names and make
other nonmaterial edits would update
and clarify the Framework and would
make it more comprehensive in how it
describes the methods and tools
currently used by the Clearing Agencies
to manage operational risks and
therefore comply with Section
17A(b)(3)(F) of the Act.15 By creating
clearer, updated and more
comprehensive descriptions, the
Clearing Agencies believe the proposed
changes would make the ORM
Framework more effective in providing
an overview of the important risk
management activities described
therein.
The risk management functions
described in the ORM Framework allow
the Clearing Agencies to continue the
prompt and accurate clearance and
settlement of securities and can
continue to assure the safeguarding of
securities and funds which are in their
custody or control or for which they are
responsible notwithstanding the default
of a member of an affiliated family. The
proposed changes to (1) revise
nomenclature and process changes to
risk profiles, (2) shift to the CRI
standards, and (3) broaden the
description of industry testing to
capture the breadth of industry
participants available to engage in such
testing within the ORM Framework
reflect the tools used by Clearing
Agencies to assess inherent and residual
risks; reliance by the Clearing Agencies
on reliable global sources related to its
information technology standards and
diverse sources for industry testing.
Identifying and mitigating plausible
sources of operational risks both
internal and external, information
technology and business continuity,
outlined in the above-referenced
proposed changes, facilitates the
Clearing Agencies’ ability to continue
the prompt and accurate clearance and
settlement of securities transactions and
assure the safeguarding of securities and
funds which are in their custody or
control or for which they are
responsible. Therefore, the Clearing
Agencies believe the proposed changes
are consistent with the requirements of
Section 17A(b)(3)(F) of the Act.16
Rule 17Ad–22(e)(17) under the Act
requires, in part, that each covered
clearing agency establish, implement,
maintain and enforce written policies
and procedures reasonably designed to
manage the covered clearing agency’s
operational risks by (ii) ensuring that
systems have a high degree of security,
resiliency, operational reliability, and
adequate, scalable capacity; and (iii)
establishing and maintaining business
continuity plans in order to address
events that may pose a significant risk
of disrupting their operations.
The Framework would be amended to
update the description of the Clearing
Agencies’ information technology and
business continuity procedures. The
proposed changes to revise
nomenclature and process changes to
Risk Profiles including the bifurcation
of Risk Profiles process and
identification of applicable governance
processes assist the Clearing Agencies in
effectively managing their operational
risks by identifying the plausible
sources of operational risk, both internal
and external, and mitigating the impact
of those risks. The proposed change to
shift to CRI standards, which
encompasses the NIST standards plus
additional metrics, is part of the
programs, policies, procedures, and
controls used by the Clearing Agencies
to continue the building,
implementation, and maintenance of
systems that have a high degree of
security, resiliency, operational
reliability, and adequate, scalable
capacity. Lastly, accurately describing
the Clearing Agencies’ industry testing
procedure in the ORM framework
conforms with the Clearing Agencies’
compliance obligations since business
continuity testing is one of the
preventive measures the Clearing
Agencies may take with respect to
business continuity risk management.
As described above, these procedures
address how the Clearing Agencies
detect, identify, investigate, and resolve
incidents that affect the Clearing
Agencies’ systems. These procedures are
designed to help address the Clearing
Agencies’ compliance with the
requirements of Rule 17Ad–22(e)(17)(ii)
and (iii) under the Act.17 Therefore, the
Clearing Agencies believe that the
proposed rule changes to update the
description of these procedures in the
Risk Management Framework is
consistent with Rule 17Ad–22(e)(17)(ii)
and (iii).18
14 15 U.S.C. 78s(b)(3)(F).
15 Id.
16 Id.
17 17 CFR 240.17Ad–22(e)(17)(ii) and (iii).
18 Id.
(B) Clearing Agency’s Statement on
Burden on Competition
The Clearing Agencies do not believe
that the proposed changes to the ORM
Framework described above would have
any impact, or impose any burden, on
competition. The proposed changes
would enhance the Framework by
providing additional clarity and
accuracy concerning the Clearing
Agencies’ operational risk management
processes. The proposed rule changes to
the Framework would not advantage or
disadvantage any participant or user of
the Clearing Agencies’ services or
unfairly inhibit access to the Clearing
Agencies’ services. As such, the
Clearing Agencies do not believe that
the proposed rule changes would have
any impact on competition.
(C) Clearing Agency’s Statement on
Comments on the Proposed Rule
Change Received From Members,
Participants, or Others
DTC has not received or solicited any
written comments relating to this
proposal. If any written comments are
received, they will be publicly filed as
an Exhibit 2 to this filing, as required by
Form 19b–4 and the General
Instructions thereto.
Persons submitting comments are
cautioned that, according to Section IV
(Solicitation of Comments) of the
Exhibit 1A in the General Instructions to
Form 19b–4, the Securities and
Exchange Commission (‘‘Commission’’)
does not edit personal identifying
information from comment submissions.
Commenters should submit only
information that they wish to make
available publicly, including their
name, email address, and any other
identifying information.
All prospective commenters should
follow the Commission’s instructions on
how to submit comments, available at
https://www.sec.gov/regulatory-actions/how-to-submit-comments. General
questions regarding the rule filing
process or logistical questions regarding
this filing should be directed to the
Main Office of the Commission’s
Division of Trading and Markets at
tradingandmarkets@sec.gov or 202–551–5777.
DTC reserves the right not to respond
to any comments received.
III. Date of Effectiveness of the
Proposed Rule Change, and Timing for
Commission Action
The foregoing rule change has become
effective pursuant to Section
19(b)(3)(A) 19 of the Act and paragraph
(f) 20 of Rule 19b–4 thereunder. At any
time within 60 days of the filing of the
proposed rule change, the Commission
summarily may temporarily suspend
such rule change if it appears to the
Commission that such action is
necessary or appropriate in the public
interest, for the protection of investors,
or otherwise in furtherance of the
purposes of the Act.
IV. Solicitation of Comments
Interested persons are invited to
submit written data, views and
arguments concerning the foregoing,
including whether the proposed rule
change is consistent with the Act.
Comments may be submitted by any of
the following methods:
Electronic Comments
• Use the Commission’s internet
comment form (https://www.sec.gov/rules/sro.shtml); or
• Send an email to rule-comments@sec.gov. Please include file number
SR–DTC–2023–011 on the subject line.
Paper Comments
• Send paper comments in triplicate
to Secretary, Securities and Exchange
Commission, 100 F Street NE,
Washington, DC 20549.
All submissions should refer to file
number SR–DTC–2023–011. This file
number should be included on the
subject line if email is used. To help the
Commission process and review your
comments more efficiently, please use
only one method. The Commission will
post all comments on the Commission’s
internet website (https://www.sec.gov/rules/sro.shtml). Copies of the
submission, all subsequent
amendments, all written statements
with respect to the proposed rule
change that are filed with the
Commission, and all written
communications relating to the
proposed rule change between the
Commission and any person, other than
those that may be withheld from the
public in accordance with the
provisions of 5 U.S.C. 552, will be
available for website viewing and
printing in the Commission’s Public
Reference Room, 100 F Street NE,
Washington, DC 20549 on official
business days between the hours of 10
a.m. and 3 p.m. Copies of the filing also
will be available for inspection and
copying at the principal office of DTC
and on DTCC’s website (https://dtcc.com/legal/sec-rule-filings.aspx). Do
not include personal identifiable
information in submissions; you should
submit only information that you wish
to make available publicly. We may
redact in part or withhold entirely from
publication submitted material that is
obscene or subject to copyright
protection. All submissions should refer
to file number SR–DTC–2023–011 and
should be submitted on or before
November 24, 2023.
For the Commission, by the Division of
Trading and Markets, pursuant to delegated
authority.21
J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2023–24177 Filed 11–1–23; 8:45 am]
BILLING CODE 8011–01–P
19 15 U.S.C. 78s(b)(3)(A).
20 17 CFR 240.19b–4(f).
21 17 CFR 200.30–3(a)(12).
SMALL BUSINESS ADMINISTRATION
[Disaster Declaration #20032 and #20033;
MISSOURI Disaster Number MO–20000]
Administrative Disaster Declaration of
a Rural Area for the State of Missouri
AGENCY: U.S. Small Business
Administration.
ACTION: Notice.
SUMMARY: This is a notice of an
Administrative disaster declaration of a
rural area for the State of Missouri dated
10/27/2023.
Incident: Severe Storms, Straight-line
Winds, Tornadoes and Flooding.
Incident Period: 07/29/2023 through
08/14/2023.
DATES: Issued on 10/27/2023.
Physical Loan Application Deadline
Date: 12/26/2023.
Economic Injury (EIDL) Loan
Application Deadline Date: 07/29/2024.
ADDRESSES: Visit the MySBA Loan
Portal at https://lending.sba.gov to
apply for a disaster assistance loan.
FOR FURTHER INFORMATION CONTACT:
Alan Escobar, Office of Disaster
Recovery & Resilience, U.S. Small
Business Administration, 409 3rd Street
SW, Suite 6050, Washington, DC 20416,
(202) 205–6734.
SUPPLEMENTARY INFORMATION: Notice is
hereby given that as a result of the
Administrator’s disaster declaration of a
rural area, applications for disaster
loans may be submitted online using the
MySBA Loan Portal https://lending.sba.gov or other locally
announced locations. Please contact the
SBA disaster assistance customer
service center by email at
disastercustomerservice@sba.gov or by
phone at 1–800–659–2955 for further
assistance.
The following areas have been
determined to be adversely affected by
the disaster:
Primary Counties: Bollinger, Knox.
The Interest Rates are:
                                                                  Percent
For Physical Damage:
  Homeowners with Credit Available Elsewhere .................... 5.000
  Homeowners without Credit Available Elsewhere ................. 2.500
  Businesses with Credit Available Elsewhere .................... 8.000
  Businesses without Credit Available Elsewhere ................. 4.000
  Non-Profit Organizations with Credit Available Elsewhere ...... 2.375
  Non-Profit Organizations without Credit Available Elsewhere ... 2.375
For Economic Injury:
  Business and Small Agricultural Cooperatives without Credit
    Available Elsewhere ......................................... 4.000
  Non-Profit Organizations without Credit Available Elsewhere ... 2.375
The number assigned to this disaster
for physical damage is 200326 and for
economic injury is 200330.
The State which received an EIDL
Declaration is Missouri.
(Catalog of Federal Domestic Assistance
Number 59008)
Isabella Guzman,
Administrator.
[FR Doc. 2023–24201 Filed 11–1–23; 8:45 am]
BILLING CODE 8026–09–P
SMALL BUSINESS ADMINISTRATION
Procurement Scorecard Program;
Exclusion for Certain Department of
Veterans Affairs Contracts
AGENCY: U.S. Small Business
Administration.
ACTION: Notice.
SUMMARY: The U.S. Small Business
Administration (SBA) publishes an
annual procurement scorecard
(Scorecard) that scores agencies on their
performance in contracting with small
businesses. This notice modifies the
method that SBA uses to calculate
contracting dollars for the Department
[Federal Register Volume 88, Number 211 (Thursday, November 2, 2023)]
[Notices]
[Pages 75359-75362]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-24177]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-98812; File No. SR-DTC-2023-011]
Self-Regulatory Organizations; The Depository Trust Company;
Notice of Filing and Immediate Effectiveness of Proposed Rule Change To
Modify the Clearing Agency Operational Risk Management Framework
October 27, 2023.
Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934
(``Act'') \1\ and Rule 19b-4 thereunder,\2\ notice is hereby given that
on October 20, 2023, The Depository Trust Company (``DTC'') filed with
the Securities and Exchange Commission (``Commission'') the proposed
rule change as described in Items I, II and III below, which Items have
been prepared by the clearing agency. DTC filed the proposed rule
change pursuant to Section 19(b)(3)(A) of the Act \3\ and Rule 19b-
4(f)(4) thereunder.\4\ The Commission is publishing this notice to
solicit comments on the proposed rule change from interested persons.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ 15 U.S.C. 78s(b)(3)(A).
\4\ 17 CFR 240.19b-4(f)(4).
---------------------------------------------------------------------------
I. Clearing Agency's Statement of the Terms of Substance of the
Proposed Rule Change
The proposed rule change consists of modifications to the Clearing
Agency Operational Risk Management Framework (``ORM Framework'' or
``Framework'') of The Depository Trust Company (``DTC'') and its
affiliates the National Securities Clearing Corporation (``NSCC'') and
Fixed Income Clearing Corporation (``FICC,'' and together with DTC and
NSCC, the ``Clearing Agencies'') in order to (i) revise nomenclature
and process changes to Risk Profiles, (ii) update the ORM Framework to
align programs, policies, procedures, and controls within Technology
Risk Management (``TRM'') to the Cyber Risk Institute (``CRI'') Profile
instead of the National Institute of Standards and Technology
(``NIST'') standards, (iii) update recovery times for Tier 5 non-
essential functions, (iv) update business continuity testing across
industry organizations, and (v) update the ORM Framework to reflect
recent changes to group names and make other nonmaterial edits, as
described in greater detail below.
II. Clearing Agency's Statement of the Purpose of, and Statutory Basis
for, the Proposed Rule Change
In its filing with the Commission, the clearing agency included
statements concerning the purpose of and basis for the proposed rule
change and discussed any comments it received on the proposed rule
change. The text of these statements may be examined at the places
specified in Item IV below. The clearing agency has prepared summaries,
set forth in sections A, B, and C below, of the most significant
aspects of such statements.
(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis
for, the Proposed Rule Change
1. Purpose
The Clearing Agencies adopted the ORM Framework \5\ to provide an
outline for how each of the Clearing Agencies manages its operational
risks. In this way, the Framework supports the Clearing Agencies'
compliance with Rules 17Ad-22(e)(17) of the Standards for Covered
Clearing Agencies (``Standards'') under the Securities Exchange Act of
1934 (``Act''),\6\ as described in the Initial Filing. In addition to
setting forth the way each of the Clearing Agencies addresses these
requirements, the ORM Framework also contains a section titled
``Framework Ownership and Change Management'' that, among other
matters, describes the Framework ownership and the required governance
process for review and approval of changes to the Framework.
---------------------------------------------------------------------------
\5\ See Securities Exchange Act Release No. 81745 (September 28,
2017), 82 FR 46332 (October 4, 2017) (SR-DTC-2017-014; SR-NSCC-2017-013;
SR-FICC-2017-017) (``Initial Filing'').
\6\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
In connection with the annual review and approval of the Framework
by the Boards of Directors of each of the Clearing Agencies (each a
``Board'' and collectively, the ``Boards''), the Clearing Agencies are
proposing to make certain revisions to the Framework.
Such proposed changes would include (i) revising nomenclature and
process changes to Risk Profiles, (ii) updating the ORM Framework to
align programs, policies, procedures, and controls within Technology
Risk Management (``TRM'') to the Cyber Risk Institute (``CRI'') Profile
instead of the National Institute of Standards and Technology
(``NIST'') standards, (iii) updating the recovery times for Tier 5
equating to non-essential functions, (iv) updating business continuity
testing across industry organizations, and (v) updating the ORM
Framework to reflect recent changes to group names and
making other nonmaterial edits. The proposed changes are described in
greater detail below.
i. Proposed Amendments To Revise Nomenclature and Process Changes to
Risk Profiles
Section 4.2 of the ORM Framework describes the risk profiles, which
are tools used by the Clearing Agencies to monitor and document
inherent risks and residual risks to support an overall assessment of
the applicable Clearing Agency business' or Clearing Agency support
area. The proposed changes would update the Framework to reflect recent
developments to the name of the tools used by the Clearing Agency. The
proposed changes would also reflect updates to Clearing Agency
processes and other matters described in the Framework. These proposed
changes do not substantively impact how the Clearing Agencies manage
operational risk in compliance with the requirements of Rule
17Ad-22(e)(17) under the Act.\7\
---------------------------------------------------------------------------
\7\ Id.
---------------------------------------------------------------------------
The proposed changes would update the Framework by removing
references to risk profiles and replacing them with Risk Assessments
and Quarterly Business Monitoring. These proposed changes reflect the
Clearing Agencies' bifurcation of the prior Risk Profile process into an
assessment and a metrics review component, each with differing cadences
for publication. Specifically, Risk Assessments are prepared at least
annually, and Quarterly Business Monitoring is generally prepared
quarterly and not less than semi-annually.
ii. Proposed Amendments To Align to the Cyber Risk Institute Profile
Section 5 of the Framework describes the role of TRM in
establishing appropriate programs, policies, procedures, and controls
with respect to the Clearing Agencies' information technology risks to
help management ensure that systems have a high degree of security,
resiliency, operational reliability, and adequate, scalable capacity,
as required by Rule 17Ad-22(e)(17)(ii) under the Act.\8\ The Clearing
Agencies previously aligned their technology risk management practices
to the NIST standards, which are recognized information technology
standards that have been used by TRM in support of executing such
responsibilities. TRM shifted from relying only on NIST standards to
aligning its risk management practices with the standards of
CRI, which are a global standard for cyber risk assessment and are based
on the NIST Cyber Security Framework (``NIST CSF''). NIST CSF has five
core functions, while the CRI standards have those same five core
functions plus two additional core functions. This shift would allow
the Clearing Agencies to continue maintaining compliance with Rule
17Ad-22(e)(17) under the Act.\9\
---------------------------------------------------------------------------
\8\ 17 CFR 240.17Ad-22(e)(17)(ii).
\9\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
Therefore, the Clearing Agencies are proposing to amend Section 5
of the Framework to remove reference to NIST standards and replace them
with the CRI Profile to reflect its existing practice.
iii. Proposed Amendments To Update Recovery Time of Tier 5 Operations
Section 6 of the Framework describes how the Clearing Agencies have
established and maintain business continuity plans to address events
that may pose a significant risk of disrupting their operations. The
Framework describes how the business continuity process for each
Clearing Agency Business and Clearing Agency Support Area \10\ is
ranked within a range of tiers, from 0 to 5. The range of tiers is
based on criticality to each applicable Clearing Agency's operations
(each a ``Tier''), where Tier 0 equates to critical operations or
support of such operations for which virtually no downtime is
permitted, and Tier 5 equates to non-essential operations or support of
such operations for which recovery times of greater than five days are
permitted. The Clearing Agencies are proposing a change to the Tier 5
recovery time from greater than five days to greater than fifteen days.
The greater than fifteen days better represents the actual recovery
time for the underlying product and service functions.
---------------------------------------------------------------------------
\10\ The Clearing Agencies monitor key risks, including
Operational Risks stemming from the day-to-day operation of the
Clearing Agencies' businesses and support areas (each a ``Clearing
Agency Business'' or ``Clearing Agency Support Area'').
---------------------------------------------------------------------------
To reflect this change in the Framework, the Clearing Agencies are
proposing to amend Section 6 of the Framework to replace the number
five with fifteen, as it relates to recovery times for Tier 5, and
align with Clearing Agency current practice.
iv. Proposed Amendments To Update the Description of Business
Continuity Testing
As mentioned above, Section 6 of the Framework describes how the
Clearing Agencies manage business continuity risks. The Clearing
Agencies are proposing changes to the Framework to describe their
management of these risks more accurately. Specifically, the Clearing
Agencies are proposing changes to better reflect their administration
of industry testing, which is one of the preventive measures the
Clearing Agencies may take with respect to business continuity risk
management. The proposed changes would reflect the breadth of industry
participants used for such industry exercises conducted by the Clearing
Agencies instead of only the Securities Industry and Financial Markets
Association (SIFMA) and the Financial Services Authority. The proposed
rule change is not intended to reflect a material change to the
industry testing done by the Clearing Agencies, but rather, would more
accurately reflect the possible scope of any such testing.
Therefore, the Clearing Agencies are proposing to amend the last
bullet of Section 6 of the Framework to remove reference to SIFMA and
the Financial Services Authority and include a more comprehensive
description of industry testing currently conducted to manage its
business continuity risks.
v. Proposed Amendments To Update Organizational Name Changes and Make
Other Nonmaterial Edits
Finally, the Framework is owned and managed by an officer within
the Operational Risk Management Group within the Group Chief Risk
Office of DTCC. While the role and responsibilities of the Operational
Risk Management Group have not changed, the proposed changes would
update the Framework to reflect a change in the name of the group. The
Operational Risk Management Group is now referred to as Operational
Risk. This proposed change would reflect a recent organizational name
change.
The proposed rule change would make additional immaterial edits to
the Framework that do not alter how the Clearing Agencies comply with
the applicable requirements of Rule 17Ad-22(e)(17) under the Act.\11\
---------------------------------------------------------------------------
\11\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
2. Statutory Basis
The Clearing Agencies believe that the proposed changes are
consistent with Section 17A(b)(3)(F) of the Act \12\ and Rule
17Ad-22(e)(17)(ii) and (iii) promulgated under the Act,\13\ for the reasons
described below.
---------------------------------------------------------------------------
\12\ 15 U.S.C. 78s(b)(3)(F).
\13\ 17 CFR 240.17Ad-22(e)(17)(ii) and (iii).
---------------------------------------------------------------------------
The Clearing Agencies believe that the proposed changes are
consistent with Section 17A(b)(3)(F) of the Act, which requires, in
part, that the rules of a
registered clearing agency be designed to promote the prompt and
accurate clearance and settlement of securities transactions, and to
assure the safeguarding of securities and funds which are in the
custody or control of the clearing agency or for which it is
responsible, for the reasons described below.\14\ The proposed changes
to (i) revise nomenclature and process changes to Risk Profiles, (ii)
update the ORM Framework to align programs, policies, procedures, and
controls within Technology Risk Management (``TRM'') to the Cyber Risk
Institute (``CRI'') Profile instead of the National Institute of
Standards and Technology (``NIST'') standards, (iii) update the
recovery times for Tier 5 equating to non-essential functions, (iv)
update business continuity testing across industry organizations, and
(v) update the ORM Framework to reflect recent changes to group names
and make other nonmaterial edits would update and clarify the
Framework and would make it more comprehensive in how it describes the
methods and tools currently used by the Clearing Agencies to manage
operational risks and therefore comply with Section 17A(b)(3)(F) of the
Act.\15\ By creating clearer, updated and more comprehensive
descriptions, the Clearing Agencies believe the proposed changes would
make the ORM Framework more effective in providing an overview of the
important risk management activities described therein.
---------------------------------------------------------------------------
\14\ 15 U.S.C. 78s(b)(3)(F).
\15\ Id.
---------------------------------------------------------------------------
The risk management functions described in the ORM Framework allow
the Clearing Agencies to continue the prompt and accurate clearance and
settlement of securities and can continue to assure the safeguarding of
securities and funds which are in their custody or control or for which
they are responsible notwithstanding the default of a member of an
affiliated family. The proposed changes to (1) revise nomenclature
and process changes to risk profiles, (2) shift to the CRI standards,
and (3) broaden the description of industry testing to capture the
breadth of industry participants available to engage in such testing
within the ORM Framework reflect the tools used by Clearing Agencies to
assess inherent and residual risks and the reliance by the Clearing
Agencies on reliable global sources related to their information technology
standards and on diverse sources for industry testing. Identifying and
mitigating plausible sources of operational risks both internal and
external, information technology and business continuity, outlined in
the above-referenced proposed changes, facilitates the Clearing
Agencies' ability to continue the prompt and accurate clearance and
settlement of securities transactions and assure the safeguarding of
securities and funds which are in their custody or control or for which
they are responsible. Therefore, the Clearing Agencies believe the
proposed changes are consistent with the requirements of Section
17A(b)(3)(F) of the Act.\16\
---------------------------------------------------------------------------
\16\ Id.
---------------------------------------------------------------------------
Rule 17Ad-22(e)(17) under the Act requires, in part, that each
covered clearing agency establish, implement, maintain and enforce
written policies and procedures reasonably designed to manage the
covered clearing agency's operational risks by (ii) ensuring that
systems have a high degree of security, resiliency, operational
reliability, and adequate, scalable capacity; and (iii) establishing
and maintaining business continuity plans in order to address events
that may pose a significant risk of disrupting their operations.
The Framework would be amended to update the description of the
Clearing Agencies' information technology and business continuity
procedures. The proposed changes to revise nomenclature and process
changes to Risk Profiles including the bifurcation of Risk Profiles
process and identification of applicable governance processes assist
the Clearing Agencies in effectively managing their operational risks
by identifying the plausible sources of operational risk, both internal
and external, and mitigating the impact of those risks. The proposed
change to shift to CRI standards, which encompass the NIST standards
plus additional metrics, is part of the programs, policies, procedures,
and controls used by the Clearing Agencies to continue the building,
implementation, and maintenance of systems that have a high degree of
security, resiliency, operational reliability, and adequate, scalable
capacity. Lastly, accurately describing the Clearing Agencies' industry
testing procedure in the ORM framework conforms with the Clearing
Agencies' compliance obligations since business continuity testing is
one of the preventive measures the Clearing Agencies may take with
respect to business continuity risk management. As described above,
these procedures address how the Clearing Agencies detect, identify,
investigate, and resolve incidents that affect the Clearing Agencies'
systems. These procedures are designed to help address the Clearing
Agencies' compliance with the requirements of Rule 17Ad-22(e)(17)(ii)
and (iii) under the Act.\17\ Therefore, the Clearing Agencies believe
that the proposed rule changes to update the description of these
procedures in the Risk Management Framework are consistent with Rule
17Ad-22(e)(17)(ii) and (iii).\18\
---------------------------------------------------------------------------
\17\ 17 CFR 240.17Ad-22(e)(17)(ii) and (iii).
\18\ Id.
---------------------------------------------------------------------------
(B) Clearing Agency's Statement on Burden on Competition
The Clearing Agencies do not believe that the proposed changes to
the ORM Framework described above would have any impact, or impose any
burden, on competition. The proposed changes would enhance the
Framework by providing additional clarity and accuracy concerning the
Clearing Agencies' operational risk management processes. The proposed
rule changes to the Framework would not advantage or disadvantage any
participant or user of the Clearing Agencies' services or unfairly
inhibit access to the Clearing Agencies' services. As such, the
Clearing Agencies do not believe that the proposed rule changes would
have any impact on competition.
(C) Clearing Agency's Statement on Comments on the Proposed Rule Change
Received From Members, Participants, or Others
DTC has not received or solicited any written comments relating to
this proposal. If any written comments are received, they will be
publicly filed as an Exhibit 2 to this filing, as required by Form
19b-4 and the General Instructions thereto.
Persons submitting comments are cautioned that, according to
Section IV (Solicitation of Comments) of the Exhibit 1A in the General
Instructions to Form 19b-4, the Securities and Exchange Commission
(``Commission'') does not edit personal identifying information from
comment submissions. Commenters should submit only information that
they wish to make available publicly, including their name, email
address, and any other identifying information.
All prospective commenters should follow the Commission's
instructions on how to submit comments, available at https://www.sec.gov/regulatory-actions/how-to-submit-comments. General
questions regarding the rule filing process or logistical questions
regarding this filing should be directed to the Main Office of the
Commission's Division of Trading and Markets at
[email protected] or 202-551-5777.
DTC reserves the right not to respond to any comments received.
III. Date of Effectiveness of the Proposed Rule Change, and Timing for
Commission Action
The foregoing rule change has become effective pursuant to Section
19(b)(3)(A) \19\ of the Act and paragraph (f) \20\ of Rule 19b-4
thereunder. At any time within 60 days of the filing of the proposed
rule change, the Commission summarily may temporarily suspend such rule
change if it appears to the Commission that such action is necessary or
appropriate in the public interest, for the protection of investors, or
otherwise in furtherance of the purposes of the Act.
---------------------------------------------------------------------------
\19\ 15 U.S.C. 78s(b)(3)(A).
\20\ 17 CFR 240.19b-4(f).
---------------------------------------------------------------------------
IV. Solicitation of Comments
Interested persons are invited to submit written data, views and
arguments concerning the foregoing, including whether the proposed rule
change is consistent with the Act. Comments may be submitted by any of
the following methods:
Electronic Comments
Use the Commission's internet comment form (https://www.sec.gov/rules/sro.shtml); or
Send an email to [email protected]. Please include
file number SR-DTC-2023-011 on the subject line.
Paper Comments
Send paper comments in triplicate to Secretary, Securities
and Exchange Commission, 100 F Street NE, Washington, DC 20549.
All submissions should refer to file number SR-DTC-2023-011. This file
number should be included on the subject line if email is used. To help
the Commission process and review your comments more efficiently,
please use only one method. The Commission will post all comments on
the Commission's internet website (https://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all
written statements with respect to the proposed rule change that are
filed with the Commission, and all written communications relating to
the proposed rule change between the Commission and any person, other
than those that may be withheld from the public in accordance with the
provisions of 5 U.S.C. 552, will be available for website viewing and
printing in the Commission's Public Reference Room, 100 F Street NE,
Washington, DC 20549 on official business days between the hours of 10
a.m. and 3 p.m. Copies of the filing also will be available for
inspection and copying at the principal office of DTC and on DTCC's
website (https://dtcc.com/legal/sec-rule-filings.aspx). Do not include
personal identifiable information in submissions; you should submit
only information that you wish to make available publicly. We may
redact in part or withhold entirely from publication submitted material
that is obscene or subject to copyright protection. All submissions
should refer to file number SR-DTC-2023-011 and should be submitted on
or before November 24, 2023.
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\21\
---------------------------------------------------------------------------
\21\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2023-24177 Filed 11-1-23; 8:45 am]