Self-Regulatory Organizations; The Depository Trust Company; Notice of Filing and Immediate Effectiveness of Proposed Rule Change To Modify the Clearing Agency Operational Risk Management Framework, 75359-75362 [2023-24177]



[Federal Register Volume 88, Number 211 (Thursday, November 2, 2023)]
[Notices]
[Pages 75359-75362]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-24177]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-98812; File No. SR-DTC-2023-011]


Self-Regulatory Organizations; The Depository Trust Company; 
Notice of Filing and Immediate Effectiveness of Proposed Rule Change To 
Modify the Clearing Agency Operational Risk Management Framework

October 27, 2023.
    Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 
(``Act'') \1\ and Rule 19b-4 thereunder,\2\ notice is hereby given that 
on October 20, 2023, The Depository Trust Company (``DTC'') filed with 
the Securities and Exchange Commission (``Commission'') the proposed 
rule change as described in Items I, II and III below, which Items have 
been prepared by the clearing agency. DTC filed the proposed rule 
change pursuant to Section 19(b)(3)(A) of the Act \3\ and Rule 19b-
4(f)(4) thereunder.\4\ The Commission is publishing this notice to 
solicit comments on the proposed rule change from interested persons.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ 15 U.S.C. 78s(b)(3)(A).
    \4\ 17 CFR 240.19b-4(f)(4).
---------------------------------------------------------------------------

I. Clearing Agency's Statement of the Terms of Substance of the 
Proposed Rule Change

    The proposed rule change consists of modifications to the Clearing 
Agency Operational Risk Management Framework (``ORM Framework'' or 
``Framework'') of The Depository Trust Company (``DTC'') and its 
affiliates the National Securities Clearing Corporation (``NSCC'') and 
Fixed Income Clearing Corporation (``FICC,'' and together with DTC and 
NSCC, the ``Clearing Agencies'') in order to (i) revise nomenclature 
and process changes to Risk Profiles, (ii) update the ORM Framework to 
align programs, policies, procedures, and controls within Technology 
Risk Management (``TRM'') to the Cyber Risk Institute (``CRI'') Profile 
instead of the National Institute of Standards and Technology 
(``NIST'') standards, (iii) update recovery times for Tier 5 non-
essential functions, (iv) update business continuity testing across 
industry organizations, and (v) update the ORM Framework to reflect 
recent changes to group names and make other nonmaterial edits, as 
described in greater detail below.

II. Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

    In its filing with the Commission, the clearing agency included 
statements concerning the purpose of and basis for the proposed rule 
change and discussed any comments it received on the proposed rule 
change. The text of these statements may be examined at the places 
specified in Item IV below. The clearing agency has prepared summaries, 
set forth in sections A, B, and C below, of the most significant 
aspects of such statements.

(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

1. Purpose
    The Clearing Agencies adopted the ORM Framework \5\ to provide an 
outline for how each of the Clearing Agencies manages its operational 
risks. In this way, the Framework supports the Clearing Agencies' 
compliance with Rules 17Ad-22(e)(17) of the Standards for Covered 
Clearing Agencies (``Standards'') under the Securities Exchange Act of 
1934 (``Act''),\6\ as described in the Initial Filing. In addition to 
setting forth the way each of the Clearing Agencies addresses these 
requirements, the ORM Framework also contains a section titled 
``Framework Ownership and Change Management'' that, among other 
matters, describes the Framework ownership and the required governance 
process for review and approval of changes to the Framework.
---------------------------------------------------------------------------

    \5\ See Securities Exchange Act Release No. 81745 (September 28, 
2017), 82 FR 46332 (October 4, 2017) (SR-DTC-2017-014; SR-NSCC-2017-
013; SR-FICC-2017-017) (``Initial Filing'').
    \6\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

    In connection with the annual review and approval of the Framework 
by the Boards of Directors of each of the Clearing Agencies (each a 
``Board'' and collectively, the ``Boards''), the Clearing Agencies are 
proposing to make certain revisions to the Framework.
    Such proposed changes would include (i) revising nomenclature and 
process changes to Risk Profiles, (ii) updating the ORM Framework to 
align programs, policies, procedures, and controls within Technology 
Risk Management (``TRM'') to the Cyber Risk Institute (``CRI'') Profile 
instead of the National Institute of Standards and Technology 
(``NIST'') standards, (iii) updating the recovery times for Tier 5 
equating to non-essential functions, (iv) updating business continuity 
testing across industry organizations, and (v) updating the ORM 
Framework to reflect recent changes to group names and

[[Page 75360]]

making other nonmaterial edits. The proposed changes are described in 
greater detail below.
i. Proposed Amendments To Revise Nomenclature and Process Changes to 
Risk Profiles
    Section 4.2 of the ORM Framework describes the risk profiles, which 
are tools used by the Clearing Agencies to monitor and document 
inherent risks and residual risks to support an overall assessment of 
the applicable Clearing Agency business or Clearing Agency support 
area. The proposed changes would update the Framework to reflect recent 
developments to the name of the tools used by the Clearing Agency. The 
proposed changes would also reflect updates to Clearing Agency 
processes and other matters described in the Framework. These proposed 
changes do not substantively impact how the Clearing Agencies manage 
operational risk in compliance with the requirements of Rule 17Ad-
22(e)(17) under the Act.\7\
---------------------------------------------------------------------------

    \7\ Id.
---------------------------------------------------------------------------

    The proposed changes would update the Framework by removing 
references to risk profiles and replacing them with Risk Assessments 
and Quarterly Business Monitoring. These proposed changes reflect the 
Clearing Agencies' bifurcation of the prior Risk Profile process into an 
assessment and a metrics review component, each with differing cadences 
for publication. Specifically, Risk Assessments are prepared at least 
annually, and Quarterly Business Monitoring is generally prepared 
quarterly and not less than semi-annually.
ii. Proposed Amendments To Align to the Cyber Risk Institute Profile
    Section 5 of the Framework describes the role of TRM in 
establishing appropriate programs, policies, procedures, and controls 
with respect to the Clearing Agencies' information technology risks to 
help management ensure that systems have a high degree of security, 
resiliency, operational reliability, and adequate, scalable capacity, 
as required by Rule 17Ad-22(e)(17)(ii) under the Act.\8\ The Clearing 
Agencies previously aligned their technology risk management practices 
to the NIST standards, which are recognized information technology 
standards that have been used by TRM in support of executing such 
responsibilities. TRM shifted from reliance only on NIST standards to 
instead align its risk management practices with the standards of 
CRI, which are a global standard for cyber risk assessment and are based 
on the NIST Cyber Security Framework (``NIST CSF''). NIST CSF has five 
core functions, while the CRI standards have those same five core 
functions plus two additional core functions. This shift would allow 
the Clearing Agencies to continue maintaining compliance with Rule 
17Ad-22(e)(17) under the Act.\9\
---------------------------------------------------------------------------

    \8\ 17 CFR 240.17Ad-22(e)(17)(ii).
    \9\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

    Therefore, the Clearing Agencies are proposing to amend Section 5 
of the Framework to remove reference to NIST standards and replace them 
with the CRI Profile to reflect its existing practice.
iii. Proposed Amendments To Update Recovery Time of Tier 5 Operations
    Section 6 of the Framework describes how the Clearing Agencies have 
established and maintain business continuity plans to address events 
that may pose a significant risk of disrupting their operations. The 
Framework describes how the business continuity process for each 
Clearing Agency Business and Clearing Agency Support Area \10\ is 
ranked within a range of tiers, from 0 to 5. The range of tiers is 
based on criticality to each applicable Clearing Agency's operations 
(each a ``Tier''), where Tier 0 equates to critical operations or 
support of such operations for which virtually no downtime is 
permitted, and Tier 5 equates to non-essential operations or support of 
such operations for which recovery times of greater than five days are 
permitted. The Clearing Agencies are proposing a change to the Tier 5 
recovery time from greater than five days to greater than fifteen days. 
A recovery time of greater than fifteen days better represents the actual 
recovery time for the underlying product and service functions.
---------------------------------------------------------------------------

    \10\ The Clearing Agencies monitor key risks, including 
Operational Risks stemming from the day-to-day operation of the 
Clearing Agencies' businesses and support areas (each a ``Clearing 
Agency Business'' or ``Clearing Agency Support Area'').
---------------------------------------------------------------------------

    To reflect this change in the Framework, the Clearing Agencies are 
proposing to amend Section 6 of the Framework to replace the number 
five with fifteen as it relates to recovery times for Tier 5, aligning 
with Clearing Agency current practice.
iv. Proposed Amendments To Update the Description of Business 
Continuity Testing
    As mentioned above, Section 6 of the Framework describes how the 
Clearing Agencies manage business continuity risks. The Clearing 
Agencies are proposing changes to the Framework to describe their 
management of these risks more accurately. Specifically, the Clearing 
Agencies are proposing changes to better reflect their administration 
of industry testing, which is one of the preventive measures the 
Clearing Agencies may take with respect to business continuity risk 
management. The proposed changes would reflect the breadth of industry 
participants used for such industry exercises conducted by the Clearing 
Agencies instead of only the Securities Industry and Financial Markets 
Association (SIFMA) and the Financial Services Authority. The proposed 
rule change is not intended to reflect a material change to the 
industry testing done by the Clearing Agencies, but rather, would more 
accurately reflect the possible scope of any such testing.
    Therefore, the Clearing Agencies are proposing to amend the last 
bullet of Section 6 of the Framework to remove reference to SIFMA and 
the Financial Services Authority and include a more comprehensive 
description of industry testing currently conducted to manage its 
business continuity risks.
v. Proposed Amendments To Update Organizational Name Changes and Make 
Other Nonmaterial Edits
    Finally, the Framework is owned and managed by an officer within 
the Operational Risk Management Group within the Group Chief Risk 
Office of DTCC. While the role and responsibilities of the Operational 
Risk Management Group have not changed, the proposed changes would 
update the Framework to reflect a change in the name of the group. The 
Operational Risk Management Group is now referred to as Operational 
Risk. This proposed change would reflect a recent organizational name 
change.
    The proposed rule change would make additional immaterial edits to 
the Framework that do not alter how the Clearing Agencies comply with 
the applicable requirements of Rule 17Ad-22(e)(17) under the Act.\11\
---------------------------------------------------------------------------

    \11\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

2. Statutory Basis
    The Clearing Agencies believe that the proposed changes are 
consistent with Section 17A(b)(3)(F) of the Act \12\ and Rule 17Ad-
22(e)(17)(ii) and (iii) promulgated under the Act,\13\ for the reasons 
described below.
---------------------------------------------------------------------------

    \12\ 15 U.S.C. 78s(b)(3)(F).
    \13\ 17 CFR 240.17Ad-22(e)(17)(ii) and (iii).
---------------------------------------------------------------------------

    The Clearing Agencies believe that the proposed changes are 
consistent with Section 17A(b)(3)(F) of the Act, which requires, in 
part, that the rules of a

[[Page 75361]]

registered clearing agency be designed to promote the prompt and 
accurate clearance and settlement of securities transactions, and to 
assure the safeguarding of securities and funds which are in the 
custody or control of the clearing agency or for which it is 
responsible, for the reasons described below.\14\ The proposed changes 
to (i) revise nomenclature and process changes to Risk Profiles, (ii) 
update the ORM Framework to align programs, policies, procedures, and 
controls within Technology Risk Management (``TRM'') to the Cyber Risk 
Institute (``CRI'') Profile instead of the National Institute of 
Standards and Technology (``NIST'') standards, (iii) update the 
recovery times for Tier 5 equating to non-essential functions, (iv) 
update business continuity testing across industry organizations, and 
(v) update the ORM Framework to reflect recent changes to group names 
and make other nonmaterial edits would update and clarify the 
Framework and would make it more comprehensive in how it describes the 
methods and tools currently used by the Clearing Agencies to manage 
operational risks and therefore comply with Section 17A(b)(3)(F) of the 
Act.\15\ By creating clearer, updated and more comprehensive 
descriptions, the Clearing Agencies believe the proposed changes would 
make the ORM Framework more effective in providing an overview of the 
important risk management activities described therein.
---------------------------------------------------------------------------

    \14\ 15 U.S.C. 78s(b)(3)(F).
    \15\ Id.
---------------------------------------------------------------------------

    The risk management functions described in the ORM Framework allow 
the Clearing Agencies to continue the prompt and accurate clearance and 
settlement of securities and to continue to assure the safeguarding of 
securities and funds which are in their custody or control or for which 
they are responsible notwithstanding the default of a member of an 
affiliated family. The proposed changes to (1) revise nomenclature 
and process changes to risk profiles, (2) shift to the CRI standards, 
and (3) broaden the description of industry testing to capture the 
breadth of industry participants available to engage in such testing 
within the ORM Framework reflect the tools used by the Clearing Agencies 
to assess inherent and residual risks, and the reliance by the Clearing 
Agencies on reliable global sources related to their information 
technology standards and on diverse sources for industry testing. Identifying and 
mitigating plausible sources of operational risks both internal and 
external, information technology and business continuity, outlined in 
the above-referenced proposed changes, facilitates the Clearing 
Agencies' ability to continue the prompt and accurate clearance and 
settlement of securities transactions and assure the safeguarding of 
securities and funds which are in their custody or control or for which 
they are responsible. Therefore, the Clearing Agencies believe the 
proposed changes are consistent with the requirements of Section 
17A(b)(3)(F) of the Act.\16\
---------------------------------------------------------------------------

    \16\ Id.
---------------------------------------------------------------------------

    Rule 17Ad-22(e)(17) under the Act requires, in part, that each 
covered clearing agency establish, implement, maintain and enforce 
written policies and procedures reasonably designed to manage the 
covered clearing agency's operational risks by (ii) ensuring that 
systems have a high degree of security, resiliency, operational 
reliability, and adequate, scalable capacity; and (iii) establishing 
and maintaining business continuity plans in order to address events 
that may pose a significant risk of disrupting their operations.
    The Framework would be amended to update the description of the 
Clearing Agencies' information technology and business continuity 
procedures. The proposed changes to revise nomenclature and process 
changes to Risk Profiles, including the bifurcation of the Risk Profiles 
process and identification of applicable governance processes, assist 
the Clearing Agencies in effectively managing their operational risks 
by identifying the plausible sources of operational risk, both internal 
and external, and mitigating the impact of those risks. The proposed 
change to shift to CRI standards, which encompass the NIST standards 
plus additional metrics, is part of the programs, policies, procedures, 
and controls used by the Clearing Agencies to continue the building, 
implementation, and maintenance of systems that have a high degree of 
security, resiliency, operational reliability, and adequate, scalable 
capacity. Lastly, accurately describing the Clearing Agencies' industry 
testing procedure in the ORM framework conforms with the Clearing 
Agencies' compliance obligations since business continuity testing is 
one of the preventive measures the Clearing Agencies may take with 
respect to business continuity risk management. As described above, 
these procedures address how the Clearing Agencies detect, identify, 
investigate, and resolve incidents that affect the Clearing Agencies' 
systems. These procedures are designed to help address the Clearing 
Agencies' compliance with the requirements of Rule 17Ad-22(e)(17)(ii) 
and (iii) under the Act.\17\ Therefore, the Clearing Agencies believe 
that the proposed rule changes to update the description of these 
procedures in the Risk Management Framework are consistent with Rule 
17Ad-22(e)(17)(ii) and (iii).\18\
---------------------------------------------------------------------------

    \17\ 17 CFR 240.17Ad-22(e)(17)(ii) and (iii).
    \18\ Id.
---------------------------------------------------------------------------

(B) Clearing Agency's Statement on Burden on Competition

    The Clearing Agencies do not believe that the proposed changes to 
the ORM Framework described above would have any impact, or impose any 
burden, on competition. The proposed changes would enhance the 
Framework by providing additional clarity and accuracy concerning the 
Clearing Agencies' operational risk management processes. The proposed 
rule changes to the Framework would not advantage or disadvantage any 
participant or user of the Clearing Agencies' services or unfairly 
inhibit access to the Clearing Agencies' services. As such, the 
Clearing Agencies do not believe that the proposed rule changes would 
have any impact on competition.

(C) Clearing Agency's Statement on Comments on the Proposed Rule Change 
Received From Members, Participants, or Others

    DTC has not received or solicited any written comments relating to 
this proposal. If any written comments are received, they will be 
publicly filed as an Exhibit 2 to this filing, as required by Form 19b-
4 and the General Instructions thereto.
    Persons submitting comments are cautioned that, according to 
Section IV (Solicitation of Comments) of the Exhibit 1A in the General 
Instructions to Form 19b-4, the Securities and Exchange Commission 
(``Commission'') does not edit personal identifying information from 
comment submissions. Commenters should submit only information that 
they wish to make available publicly, including their name, email 
address, and any other identifying information.
    All prospective commenters should follow the Commission's 
instructions on how to submit comments, available at https://www.sec.gov/regulatory-actions/how-to-submit-comments. General 
questions regarding the rule filing process or logistical questions 
regarding this filing should be directed to the Main Office of the 
Commission's Division of Trading and Markets at

[[Page 75362]]

[email protected] or 202-551-5777.
    DTC reserves the right not to respond to any comments received.

III. Date of Effectiveness of the Proposed Rule Change, and Timing for 
Commission Action

    The foregoing rule change has become effective pursuant to Section 
19(b)(3)(A) \19\ of the Act and paragraph (f) \20\ of Rule 19b-4 
thereunder. At any time within 60 days of the filing of the proposed 
rule change, the Commission summarily may temporarily suspend such rule 
change if it appears to the Commission that such action is necessary or 
appropriate in the public interest, for the protection of investors, or 
otherwise in furtherance of the purposes of the Act.
---------------------------------------------------------------------------

    \19\ 15 U.S.C. 78s(b)(3)(A).
    \20\ 17 CFR 240.19b-4(f).
---------------------------------------------------------------------------

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed rule 
change is consistent with the Act. Comments may be submitted by any of 
the following methods:

Electronic Comments

     Use the Commission's internet comment form (https://www.sec.gov/rules/sro.shtml); or
     Send an email to [email protected]. Please include 
file number SR-DTC-2023-011 on the subject line.

Paper Comments

     Send paper comments in triplicate to Secretary, Securities 
and Exchange Commission, 100 F Street NE, Washington, DC 20549.

All submissions should refer to file number SR-DTC-2023-011. This file 
number should be included on the subject line if email is used. To help 
the Commission process and review your comments more efficiently, 
please use only one method. The Commission will post all comments on 
the Commission's internet website (https://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all 
written statements with respect to the proposed rule change that are 
filed with the Commission, and all written communications relating to 
the proposed rule change between the Commission and any person, other 
than those that may be withheld from the public in accordance with the 
provisions of 5 U.S.C. 552, will be available for website viewing and 
printing in the Commission's Public Reference Room, 100 F Street NE, 
Washington, DC 20549 on official business days between the hours of 10 
a.m. and 3 p.m. Copies of the filing also will be available for 
inspection and copying at the principal office of DTC and on DTCC's 
website (https://dtcc.com/legal/sec-rule-filings.aspx). Do not include 
personal identifiable information in submissions; you should submit 
only information that you wish to make available publicly. We may 
redact in part or withhold entirely from publication submitted material 
that is obscene or subject to copyright protection. All submissions 
should refer to file number SR-DTC-2023-011 and should be submitted on 
or before November 24, 2023.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\21\
---------------------------------------------------------------------------

    \21\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2023-24177 Filed 11-1-23; 8:45 am]
BILLING CODE 8011-01-P

