Self-Regulatory Organizations; National Securities Clearing Corporation; Notice of Filing and Immediate Effectiveness of Proposed Rule Change To Modify the Clearing Agency Operational Risk Management Framework, 75344-75347 [2023-24179]

75344 Federal Register / Vol. 88, No. 211 / Thursday, November 2, 2023 / Notices

Because the exemption applies only to fixed-income securities issued in accordance with the requirements of Rule 144A, it is limited to resales of securities to an investor base that ‘‘can be conclusively assumed to be sophisticated,’’ \16\ is able to obtain certain basic financial information concerning the issuers’ business, and has extensive experience in the private resale market for restricted securities.\17\ Under the requirements of Rule 144A, securities can be sold only to ‘‘qualified institutional investors’’ (or purchasers that the seller or a person acting on its behalf reasonably believes are qualified institutional investors), which, with the exception of registered dealers, must in the aggregate own and invest on a discretionary basis at least $100 million in securities of issuers that are not affiliated with such a qualified institutional buyer.\18\ Furthermore, in the case of issuers that do not file periodic reports under the Exchange Act or furnish home country information to the Commission pursuant to 17 CFR 240.12g3–2(b), Rule 144A requires that any prospective purchaser of Rule 144A fixed-income securities has the right to obtain from the issuer reasonably current financial information (‘‘Rule 144A information’’): \19\

[A] very brief statement of the nature of the business of the issuer and the products and services it offers; and the issuer’s most recent balance sheet and profit and loss and retained earnings statements, and similar financial statements for such part of the two preceding fiscal years as the issuer has been in operation (the financial information should be audited to the extent possible).\20\

---------------------------------------------------------------------------

securities sold in compliance with the safe harbor in Rule 144A. See Petition at n.1. Moreover, the amendments to Rule 15c2–11 have applied to Rule 144A equity securities since the compliance date of those amendments which was September 2021. Accordingly, this exemption does not address equity securities sold in compliance with the safe harbor in Rule 144A.
\16\ Accredited Investor Definition, Release No. 33–10824 (Aug. 26, 2020), 85 FR 64234, 64236 (Oct. 9, 2020) (‘‘Accredited Investor Release’’) (citing Resale of Restricted Securities; Changes to Method of Determining Holding Period of Restricted Securities Under Rules 144 and 145, Release No. 33–6806 (Oct. 25, 1988), 53 FR 44016 (Nov. 1, 1988)) (‘‘1988 Rule 144A Proposing Release’’).
\17\ 1988 Rule 144A Proposing Release, 53 FR at 44028.
\18\ 17 CFR 230.144A(a)(1) (definition of ‘‘qualified institutional buyer’’).
\19\ 17 CFR 230.144A(d)(4).
\20\ Id. With respect to asset-backed securities, the Commission has interpreted the information requirement to mandate provision of ‘‘basic, material information concerning the structure of the securities and distributions thereon, the nature, performance and servicing of the assets supporting the securities, and any credit enhancement mechanism associated with the securities.’’ See Rule 144A Adopting Release, 55 FR at 17939.
---------------------------------------------------------------------------

The availability of the Rule 144A information can be used by prospective qualified institutional buyers to make better informed investment decisions and assess potential risks in investing in the security. While the Rule 144A information that is required to be provided to qualified institutional buyers upon request is not the current publicly available information defined in paragraph (b) of Rule 15c2–11, the Rule 144A information serves the same purpose of investor protection.
The Commission finds it is appropriate in the public interest, and consistent with the protection of investors, to exempt brokers and dealers from the requirements of Rule 15c2–11, with respect to Rule 144A fixed-income securities.

III. Conclusion

Accordingly, it is hereby ordered, pursuant to section 36(a) of the Exchange Act \21\ and Rule 15c2–11(g) under the Exchange Act,\22\ that a broker or dealer is exempt from the requirements of Rule 15c2–11 with respect to a fixed-income security to be sold in compliance with the safe harbor in Rule 144A \23\ under the Securities Act of 1933.\24\ This exemptive relief is subject to modification or revocation at any time by the Commission but will be in effect unless and until the Commission determines that modification or revocation is necessary or appropriate in furtherance of the purposes of the Exchange Act, or the relief is otherwise superseded by future Commission action such as a rulemaking addressing the Rule 144A safe harbor or issues pertaining to the fixed income markets more generally. Persons relying on this exemption are directed to the anti-fraud and anti-manipulation provisions of the Exchange Act, particularly sections 9(a) and 10(b), and 17 CFR 240.10b–5 thereunder.\25\ Responsibility for compliance with these and any other applicable provisions of the Federal securities laws must rest with the persons relying on this exemption. This order should not be considered a view with respect to any other question that the proposed transactions or quotations may raise, including, but not limited to the adequacy of the disclosure concerning, and the applicability of other Federal or State laws to, the proposed transactions or quotations.

---------------------------------------------------------------------------

\21\ 15 U.S.C. 78mm(a).
\22\ 17 CFR 240.15c2–11(g).
\23\ 17 CFR 230.144A.
\24\ 15 U.S.C. 77a et seq.
\25\ 15 U.S.C. 78i(a), 78j(b); 17 CFR 240.10b–5.
---------------------------------------------------------------------------

By the Commission.
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2023–24245 Filed 11–1–23; 8:45 am]
BILLING CODE 8011–01–P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34–98814; File No. SR–NSCC–2023–010]

Self-Regulatory Organizations; National Securities Clearing Corporation; Notice of Filing and Immediate Effectiveness of Proposed Rule Change To Modify the Clearing Agency Operational Risk Management Framework

October 27, 2023.

Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (‘‘Act’’) \1\ and Rule 19b–4 thereunder,\2\ notice is hereby given that on October 20, 2023, National Securities Clearing Corporation (‘‘NSCC’’) filed with the Securities and Exchange Commission (‘‘Commission’’) the proposed rule change as described in Items I, II and III below, which Items have been prepared by the clearing agency. NSCC filed the proposed rule change pursuant to Section 19(b)(3)(A) of the Act \3\ and Rule 19b–4(f)(4) thereunder.\4\ The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.

---------------------------------------------------------------------------

\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b–4.
\3\ 15 U.S.C. 78s(b)(3)(A).
\4\ 17 CFR 240.19b–4(f)(4).
---------------------------------------------------------------------------

I. Clearing Agency’s Statement of the Terms of Substance of the Proposed Rule Change

The proposed rule change consists of modifications to the Clearing Agency Operational Risk Management Framework (‘‘ORM Framework’’ or ‘‘Framework’’) of the National Securities Clearing Corporation (‘‘NSCC’’) and its affiliates The Depository Trust Company (‘‘DTC’’) and Fixed Income Clearing Corporation (‘‘FICC,’’ and together with NSCC and DTC, the ‘‘Clearing Agencies’’) in order to (i) revise nomenclature and process changes to Risk Profiles, (ii) update the ORM Framework to align programs, policies, procedures, and controls within Technology Risk Management (‘‘TRM’’) to the Cyber Risk Institute (‘‘CRI’’) Profile instead of the National Institute of Standards and Technology (‘‘NIST’’) standards, (iii) update recovery times for Tier 5 non-essential functions, (iv) update business continuity testing across industry organizations, and (v) update the ORM Framework to reflect recent changes to group names and make other nonmaterial edits, as described in greater detail below.

II. Clearing Agency’s Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

In its filing with the Commission, the clearing agency included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. The clearing agency has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements.

(A) Clearing Agency’s Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

1. Purpose

The Clearing Agencies adopted the ORM Framework \5\ to provide an outline for how each of the Clearing Agencies manages its operational risks. In this way, the Framework supports the Clearing Agencies’ compliance with Rules 17Ad–22(e)(17) of the Standards for Covered Clearing Agencies (‘‘Standards’’) under the Securities Exchange Act of 1934 (‘‘Act’’),\6\ as described in the Initial Filing. In addition to setting forth the way each of the Clearing Agencies addresses these requirements, the ORM Framework also contains a section titled ‘‘Framework Ownership and Change Management’’ that, among other matters, describes the Framework ownership and the required governance process for review and approval of changes to the Framework.
---------------------------------------------------------------------------

\5\ See Securities Exchange Act Release No. 81745 (September 28, 2017), 82 FR 46332 (October 4, 2017) (SR–DTC–2017–014; SR–NSCC–2017–013; SR–FICC–2017–017) (‘‘Initial Filing’’).
\6\ 17 CFR 240.17Ad–22(e)(17).
---------------------------------------------------------------------------

In connection with the annual review and approval of the Framework by the Boards of Directors of each of the Clearing Agencies (each a ‘‘Board’’ and collectively, the ‘‘Boards’’), the Clearing Agencies are proposing to make certain revisions to the Framework. Such proposed changes would include (i) revising nomenclature and process changes to Risk Profiles, (ii) updating the ORM Framework to align programs, policies, procedures, and controls within Technology Risk Management (‘‘TRM’’) to the Cyber Risk Institute (‘‘CRI’’) Profile instead of the National Institute of Standards and Technology (‘‘NIST’’) standards, (iii) updating the recovery times for Tier 5 equating to non-essential functions, (iv) updating business continuity testing across industry organizations, and (v) updating the ORM Framework to reflect recent changes to group names and making other nonmaterial edits. The proposed changes are described in greater detail below.

i. Proposed Amendments To Revise Nomenclature and Process Changes to Risk Profiles

Section 4.2 of the ORM Framework describes the risk profiles, which are tools used by the Clearing Agencies to monitor and document inherent risks and residual risks to support an overall assessment of the applicable Clearing Agency business’ or Clearing Agency support area. The proposed changes would update the Framework to reflect recent developments to the name of the tools used by the Clearing Agency. The proposed changes would also reflect updates to Clearing Agency processes and other matters described in the Framework.
These proposed changes do not substantively impact how the Clearing Agencies manage operational risk in compliance with the requirements of Rule 17Ad–22(e)(17) under the Act.\7\

The proposed changes would update the Framework by removing references to risk profiles and replacing them with Risk Assessments and Quarterly Business Monitoring. These proposed changes reflect the Clearing Agencies’ bifurcation of the prior Risk Profile process into an assessment and a metrics review component, each with differing cadences for publication. Specifically, Risk Assessments are prepared at least annually, and Quarterly Business Monitoring is generally prepared quarterly and not less than semi-annually.

ii. Proposed Amendments To Align to the Cyber Risk Institute Profile

Section 5 of the Framework describes the role of TRM in establishing appropriate programs, policies, procedures, and controls with respect to the Clearing Agencies’ information technology risks to help management ensure that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity, as required by Rule 17Ad–22(e)(17)(ii) under the Act.\8\

---------------------------------------------------------------------------

\7\ Id.
\8\ 17 CFR 240.17Ad–22(e)(17)(ii).
---------------------------------------------------------------------------

The Clearing Agencies previously aligned their technology risks management practices to the NIST standards, which are recognized information technology standards that have been used by TRM in support of executing such responsibilities. TRM shifted from reliance only on NIST standards to instead align their risk management practices with the standards of CRI, which is a global standard for cyber risk assessment and is based on the NIST Cyber Security Framework (‘‘NIST CSF’’). NIST CSF has five core functions, while the CRI standards have those same five core functions plus two additional core functions.
This shift would allow the Clearing Agencies to continue maintaining compliance with Rule 17Ad–22(e)(17) under the Act.\9\ Therefore, the Clearing Agencies are proposing to amend Section 5 of the Framework to remove reference to NIST standards and replace them with the CRI Profile to reflect its existing practice.

iii. Proposed Amendments To Update Recovery Time of Tier 5 Operations

Section 6 of the Framework describes how the Clearing Agencies have established and maintain business continuity plans to address events that may pose a significant risk of disrupting their operations. The Framework describes how the business continuity process for each Clearing Agency Business and Clearing Agency Support Area \10\ is ranked within a range of tiers, from 0 to 5. The range of tiers is based on criticality to each applicable Clearing Agency’s operations (each a ‘‘Tier’’), where Tier 0 equates to critical operations or support of such operations for which virtually no downtime is permitted, and Tier 5 equates to nonessential operations or support of such operations for which recovery times of greater than five days is permitted. The Clearing Agencies are proposing a change to the Tier 5 recovery time from greater than five days to greater than fifteen days. The greater than fifteen days better represents the actual recovery time for the underlying product and service functions. To reflect this change in the Framework, the Clearing Agencies are proposing to amend Section 6 of the Framework to replace the number five, with fifteen, as it relates to recovery times for Tier 5 and align with Clearing Agency current practice.

---------------------------------------------------------------------------

\9\ 17 CFR 240.17Ad–22(e)(17).
\10\ The Clearing Agencies monitor key risks, including Operational Risks stemming from the day-to-day operation of the Clearing Agencies’ businesses and support areas (each a ‘‘Clearing Agency Business’’ or ‘‘Clearing Agency Support Area’’).
---------------------------------------------------------------------------

iv. Proposed Amendments To Update the Description of Business Continuity Testing

As mentioned above, Section 6 of the Framework describes how the Clearing Agencies manage business continuity risks. The Clearing Agencies are proposing changes to the Framework to describe their management of these risks more accurately. Specifically, the Clearing Agencies are proposing changes to better reflect their administration of industry testing, which is one of the preventive measures the Clearing Agencies may take with respect to business continuity risk management. The proposed changes would reflect the breadth of industry participants used for such industry exercises conducted by the Clearing Agencies instead of only the Securities Industry and Financial Markets Association (SIFMA) and the Financial Services Authority. The proposed rule change is not intended to reflect a material change to the industry testing done by the Clearing Agencies, but rather, would more accurately reflect the possible scope of any such testing. Therefore, the Clearing Agencies are proposing to amend the last bullet of Section 6 of the Framework to remove reference to SIFMA and the Financial Services Authority and include a more comprehensive description of industry testing currently conducted to manage its business continuity risks.

v. Proposed Amendments To Update Organizational Name Changes and Make Other Nonmaterial Edits

Finally, the Framework is owned and managed by an officer within the Operational Risk Management Group within the Group Chief Risk Office of DTCC. While the role and responsibilities of the Operational Risk Management Group have not changed, the proposed changes would update the Framework to reflect a change in the name of the group. The Operational Risk Management Group is now referred to as Operational Risk. This proposed change would reflect a recent organizational name change.
The proposed rule change would make additional immaterial edits to the Framework that do not alter how the Clearing Agencies comply with the applicable requirements of Rule 17Ad–22(e)(17) under the Act.\11\

2. Statutory Basis

The Clearing Agencies believe that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act \12\ and Rule 17Ad–22(e)(17)(ii) and (iii) promulgated under the Act,\13\ for the reasons described below.

The Clearing Agencies believe that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act, which requires, in part, that the rules of a registered clearing agency be designed to promote the prompt and accurate clearance and settlement of securities transactions, and to assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible, for the reasons described below.\14\ The proposed changes to (i) revise nomenclature and process changes to Risk Profiles, (ii) update the ORM Framework to align programs, policies, procedures, and controls within Technology Risk Management (‘‘TRM’’) to the Cyber Risk Institute (‘‘CRI’’) Profile instead of the National Institute of Standards and Technology (‘‘NIST’’) standards, (iii) update the recovery times for Tier 5 equating to non-essential functions, (iv) update business continuity testing across industry organizations, and (v) update the ORM Framework to reflect recent changes to group names and making other nonmaterial edits would update and clarify the Framework and would make it more comprehensive in how it describes the methods and tools currently used by the Clearing Agencies to manage operational risks and therefore comply with Section 17A(b)(3)(F) of the Act.\15\ By creating clearer, updated and more comprehensive descriptions, the Clearing Agencies believe the proposed changes would make the ORM Framework more effective in providing an overview of the important risk management activities described therein.
---------------------------------------------------------------------------

\11\ 17 CFR 240.17Ad–22(e)(17).
\12\ 15 U.S.C. 78s(b)(3)(F).
\13\ 17 CFR 240.17Ad–22(e)(17)(ii) and (iii).
\14\ 15 U.S.C. 78s(b)(3)(F).
\15\ Id.
---------------------------------------------------------------------------

The risk management functions described in the ORM Framework allow the Clearing Agencies to continue the prompt and accurate clearance and settlement of securities and can continue to assure the safeguarding of securities and funds which are in their custody or control or for which they are responsible notwithstanding the default of a member of an affiliated family. The proposed changes to (1) revise nomenclature and process changes to risk profiles, (2) shift to the CRI standards, and (3) broaden the description of industry testing to capture the breadth of industry participants available to engage in such testing within the ORM Framework reflect the tools used by Clearing Agencies to assess inherent and residual risks; reliance by the Clearing Agencies on reliable global sources related to its information technology standards and diverse sources for industry testing. Identifying and mitigating plausible sources of operational risks both internal and external, information technology and business continuity, outlined in the above-referenced proposed changes, facilitates the Clearing Agencies’ ability to continue the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in their custody or control or for which they are responsible.
Therefore, the Clearing Agencies believe the proposed changes are consistent with the requirements of Section 17A(b)(3)(F) of the Act.\16\

---------------------------------------------------------------------------

\16\ Id.
---------------------------------------------------------------------------

Rule 17Ad–22(e)(17) under the Act requires, in part, that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency’s operational risks by (ii) ensuring that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity; and (iii) establishing and maintaining business continuity plans in order to address events that may pose a significant risk of disrupting their operations. The Framework would be amended to update the description of the Clearing Agencies’ information technology and business continuity procedures. The proposed changes to revise nomenclature and process changes to Risk Profiles including the bifurcation of Risk Profiles process and identification of applicable governance processes assist the Clearing Agencies in effectively managing their operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating the impact of those risks. The proposed change to shift to CRI standards, which encompasses the NIST standards plus additional metrics, is part of the programs, policies, procedures, and controls used by the Clearing Agencies to continue the building, implementation, and maintenance of systems that have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity. Lastly, accurately describing the Clearing Agencies’ industry testing procedure in the ORM framework conforms with the Clearing Agencies’ compliance obligations since business continuity testing is one of the preventive measures the Clearing Agencies may take with respect to business continuity risk management. As described above, these procedures address how the Clearing Agencies detect, identify, investigate, and resolve incidents that affect the Clearing Agencies’ systems. These procedures are designed to help address the Clearing Agencies’ compliance with the requirements of Rule 17Ad–22(e)(17)(ii) and (iii) under the Act.\17\ Therefore, the Clearing Agencies believe that the proposed rule changes to update the description of these procedures in the Risk Management Framework is consistent with Rule 17Ad–22(e)(17)(ii) and (iii).\18\

(B) Clearing Agency’s Statement on Burden on Competition

The Clearing Agencies do not believe that the proposed changes to the ORM Framework described above would have any impact, or impose any burden, on competition. The proposed changes would enhance the Framework by providing additional clarity and accuracy concerning the Clearing Agencies’ operational risk management processes. The proposed rule changes to the Framework would not advantage or disadvantage any participant or user of the Clearing Agencies’ services or unfairly inhibit access to the Clearing Agencies’ services. As such, the Clearing Agencies do not believe that the proposed rule changes would have any impact on competition.

(C) Clearing Agency’s Statement on Comments on the Proposed Rule Change Received From Members, Participants, or Others

NSCC has not received or solicited any written comments relating to this proposal. If any written comments are received, they will be publicly filed as an Exhibit 2 to this filing, as required by Form 19b–4 and the General Instructions thereto.
Persons submitting comments are cautioned that, according to Section IV (Solicitation of Comments) of the Exhibit 1A in the General Instructions to Form 19b–4, the Securities and Exchange Commission (‘‘Commission’’) does not edit personal identifying information from comment submissions. Commenters should submit only information that they wish to make available publicly, including their name, email address, and any other identifying information.

All prospective commenters should follow the Commission’s instructions on how to submit comments, available at https://www.sec.gov/regulatory-actions/how-to-submit-comments. General questions regarding the rule filing process or logistical questions regarding this filing should be directed to the Main Office of the Commission’s Division of Trading and Markets at tradingandmarkets@sec.gov or 202–551–5777.

NSCC reserves the right not to respond to any comments received.

III. Date of Effectiveness of the Proposed Rule Change, and Timing for Commission Action

The foregoing rule change has become effective pursuant to Section 19(b)(3)(A) \19\ of the Act and paragraph (f) \20\ of Rule 19b–4 thereunder. At any time within 60 days of the filing of the proposed rule change, the Commission summarily may temporarily suspend such rule change if it appears to the Commission that such action is necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of the Act.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission’s internet comment form (https://www.sec.gov/rules/sro.shtml); or
• Send an email to rule-comments@sec.gov. Please include file number SR–NSCC–2023–010 on the subject line.
Paper Comments

• Send paper comments in triplicate to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

All submissions should refer to file number SR–NSCC–2023–010. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s internet website (https://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission’s Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10 a.m. and 3 p.m. Copies of the filing also will be available for inspection and copying at the principal office of NSCC and on DTCC’s website (https://dtcc.com/legal/sec-rule-filings.aspx). Do not include personal identifiable information in submissions; you should submit only information that you wish to make available publicly. We may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection. All submissions should refer to file number SR–NSCC–2023–010 and should be submitted on or before November 24, 2023.

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.\21\
J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2023–24179 Filed 11–1–23; 8:45 am]
BILLING CODE 8011–01–P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34–98813; File No.
SR–FICC–2023–015]

Self-Regulatory Organizations; Fixed Income Clearing Corporation; Notice of Filing and Immediate Effectiveness of Proposed Rule Change To Modify the Clearing Agency Operational Risk Management Framework

October 27, 2023.

Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (‘‘Act’’) \1\ and Rule 19b–4 thereunder,\2\ notice is hereby given that on October 20, 2023, Fixed Income Clearing Corporation (‘‘FICC’’) filed with the Securities and Exchange Commission (‘‘Commission’’) the proposed rule change as described in Items I, II and III below, which Items have been prepared by the clearing agency. FICC filed the proposed rule change pursuant to Section 19(b)(3)(A) of the Act \3\ and Rule

---------------------------------------------------------------------------

\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b–4.
\3\ 15 U.S.C. 78s(b)(3)(A).
---------------------------------------------------------------------------

---------------------------------------------------------------------------

\17\ 17 CFR 240.17Ad–22(e)(17)(ii) and (iii).
\18\ Id.
\19\ 15 U.S.C. 78s(b)(3)(A).
\20\ 17 CFR 240.19b–4(f).
\21\ 17 CFR 200.30–3(a)(12).
---------------------------------------------------------------------------


[Federal Register Volume 88, Number 211 (Thursday, November 2, 2023)]
[Notices]
[Pages 75344-75347]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-24179]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-98814; File No. SR-NSCC-2023-010]


Self-Regulatory Organizations; National Securities Clearing 
Corporation; Notice of Filing and Immediate Effectiveness of Proposed 
Rule Change To Modify the Clearing Agency Operational Risk Management 
Framework

October 27, 2023.
    Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 
(``Act'') \1\ and Rule 19b-4 thereunder,\2\ notice is hereby given that 
on October 20, 2023, National Securities Clearing Corporation 
(``NSCC'') filed with the Securities and Exchange Commission 
(``Commission'') the proposed rule change as described in Items I, II 
and III below, which Items have been prepared by the clearing agency. 
NSCC filed the proposed rule change pursuant to Section 19(b)(3)(A) of 
the Act \3\ and Rule 19b-4(f)(4) thereunder.\4\ The Commission is 
publishing this notice to solicit comments on the proposed rule change 
from interested persons.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ 15 U.S.C. 78s(b)(3)(A).
    \4\ 17 CFR 240.19b-4(f)(4).
---------------------------------------------------------------------------

I. Clearing Agency's Statement of the Terms of Substance of the 
Proposed Rule Change

    The proposed rule change consists of modifications to the Clearing 
Agency Operational Risk Management Framework (``ORM Framework'' or 
``Framework'') of the National Securities Clearing Corporation 
(``NSCC'') and its affiliates The Depository Trust Company (``DTC'') 
and Fixed Income Clearing Corporation (``FICC,'' and together with NSCC 
and DTC, the ``Clearing Agencies'') in order to (i) revise nomenclature 
and process changes to Risk Profiles, (ii) update the ORM Framework to 
align programs, policies, procedures, and controls within Technology 
Risk Management (``TRM'') to the Cyber Risk Institute (``CRI'') Profile 
instead of the National Institute of Standards and Technology 
(``NIST'') standards, (iii) update recovery times for

[[Page 75345]]

Tier 5 non-essential functions, (iv) update business continuity testing 
across industry organizations, and (v) update the ORM Framework to 
reflect recent changes to group names and make other nonmaterial edits, 
as described in greater detail below.

II. Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

    In its filing with the Commission, the clearing agency included 
statements concerning the purpose of and basis for the proposed rule 
change and discussed any comments it received on the proposed rule 
change. The text of these statements may be examined at the places 
specified in Item IV below. The clearing agency has prepared summaries, 
set forth in sections A, B, and C below, of the most significant 
aspects of such statements.

(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

1. Purpose
    The Clearing Agencies adopted the ORM Framework \5\ to provide an 
outline for how each of the Clearing Agencies manages its operational 
risks. In this way, the Framework supports the Clearing Agencies' 
compliance with Rule 17Ad-22(e)(17) of the Standards for Covered 
Clearing Agencies (``Standards'') under the Securities Exchange Act of 
1934 (``Act''),\6\ as described in the Initial Filing. In addition to 
setting forth the way each of the Clearing Agencies addresses these 
requirements, the ORM Framework also contains a section titled 
``Framework Ownership and Change Management'' that, among other 
matters, describes the Framework ownership and the required governance 
process for review and approval of changes to the Framework.
---------------------------------------------------------------------------

    \5\ See Securities Exchange Act Release No. 81745 (September 28, 
2017), 82 FR 46332 (October 4, 2017) (SR-DTC-2017-014; SR-NSCC-2017-
013; SR-FICC-2017-017) (``Initial Filing'').
    \6\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

    In connection with the annual review and approval of the Framework 
by the Boards of Directors of each of the Clearing Agencies (each a 
``Board'' and collectively, the ``Boards''), the Clearing Agencies are 
proposing to make certain revisions to the Framework.
    Such proposed changes would include (i) revising nomenclature and 
process changes to Risk Profiles, (ii) updating the ORM Framework to 
align programs, policies, procedures, and controls within Technology 
Risk Management (``TRM'') to the Cyber Risk Institute (``CRI'') Profile 
instead of the National Institute of Standards and Technology 
(``NIST'') standards, (iii) updating the recovery times for Tier 5 
equating to non-essential functions, (iv) updating business continuity 
testing across industry organizations, and (v) updating the ORM 
Framework to reflect recent changes to group names and making other 
nonmaterial edits. The proposed changes are described in greater detail 
below.
i. Proposed Amendments To Revise Nomenclature and Process Changes to 
Risk Profiles
    Section 4.2 of the ORM Framework describes the risk profiles, which 
are tools used by the Clearing Agencies to monitor and document 
inherent risks and residual risks to support an overall assessment of 
the applicable Clearing Agency business or Clearing Agency support 
area. The proposed changes would update the Framework to reflect recent 
developments to the name of the tools used by the Clearing Agency. The 
proposed changes would also reflect updates to Clearing Agency 
processes and other matters described in the Framework. These proposed 
changes do not substantively impact how the Clearing Agencies manage 
operational risk in compliance with the requirements of Rule 17Ad-
22(e)(17) under the Act.\7\
---------------------------------------------------------------------------

    \7\ Id.
---------------------------------------------------------------------------

    The proposed changes would update the Framework by removing 
references to risk profiles and replacing them with Risk Assessments 
and Quarterly Business Monitoring. These proposed changes reflect the 
Clearing Agencies' bifurcation of the prior Risk Profile process into an 
assessment and a metrics review component, each with differing cadences 
for publication. Specifically, Risk Assessments are prepared at least 
annually, and Quarterly Business Monitoring is generally prepared 
quarterly and not less than semi-annually.
ii. Proposed Amendments To Align to the Cyber Risk Institute Profile
    Section 5 of the Framework describes the role of TRM in 
establishing appropriate programs, policies, procedures, and controls 
with respect to the Clearing Agencies' information technology risks to 
help management ensure that systems have a high degree of security, 
resiliency, operational reliability, and adequate, scalable capacity, 
as required by Rule 17Ad-22(e)(17)(ii) under the Act.\8\ The Clearing 
Agencies previously aligned their technology risk management practices 
to the NIST standards, which are recognized information technology 
standards that have been used by TRM in support of executing such 
responsibilities. TRM shifted from reliance only on NIST standards to 
instead align its risk management practices with the standards of 
CRI, which are a global standard for cyber risk assessment and are based 
on the NIST Cyber Security Framework (``NIST CSF''). NIST CSF has five 
core functions, while the CRI standards have those same five core 
functions plus two additional core functions. This shift would allow 
the Clearing Agencies to continue maintaining compliance with Rule 
17Ad-22(e)(17) under the Act.\9\
---------------------------------------------------------------------------

    \8\ 17 CFR 240.17Ad-22(e)(17)(ii).
    \9\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

    Therefore, the Clearing Agencies are proposing to amend Section 5 
of the Framework to remove references to NIST standards and replace them 
with the CRI Profile to reflect their existing practice.
iii. Proposed Amendments To Update Recovery Time of Tier 5 Operations
    Section 6 of the Framework describes how the Clearing Agencies have 
established and maintain business continuity plans to address events 
that may pose a significant risk of disrupting their operations. The 
Framework describes how the business continuity process for each 
Clearing Agency Business and Clearing Agency Support Area \10\ is 
ranked within a range of tiers, from 0 to 5. The range of tiers is 
based on criticality to each applicable Clearing Agency's operations 
(each a ``Tier''), where Tier 0 equates to critical operations or 
support of such operations for which virtually no downtime is 
permitted, and Tier 5 equates to non-essential operations or support of 
such operations for which recovery times of greater than five days are 
permitted. The Clearing Agencies are proposing a change to the Tier 5 
recovery time from greater than five days to greater than fifteen days. 
A recovery time of greater than fifteen days better represents the 
actual recovery time for the underlying product and service functions.
---------------------------------------------------------------------------

    \10\ The Clearing Agencies monitor key risks, including 
Operational Risks stemming from the day-to-day operation of the 
Clearing Agencies' businesses and support areas (each a ``Clearing 
Agency Business'' or ``Clearing Agency Support Area'').
---------------------------------------------------------------------------

    To reflect this change in the Framework, the Clearing Agencies are 
proposing to amend Section 6 of the Framework to replace the number 
five with fifteen, as it relates to recovery times for Tier 5, and 
align with the Clearing Agencies' current practice.


iv. Proposed Amendments To Update the Description of Business 
Continuity Testing
    As mentioned above, Section 6 of the Framework describes how the 
Clearing Agencies manage business continuity risks. The Clearing 
Agencies are proposing changes to the Framework to describe their 
management of these risks more accurately. Specifically, the Clearing 
Agencies are proposing changes to better reflect their administration 
of industry testing, which is one of the preventive measures the 
Clearing Agencies may take with respect to business continuity risk 
management. The proposed changes would reflect the breadth of industry 
participants used for such industry exercises conducted by the Clearing 
Agencies instead of only the Securities Industry and Financial Markets 
Association (SIFMA) and the Financial Services Authority. The proposed 
rule change is not intended to reflect a material change to the 
industry testing done by the Clearing Agencies, but rather, would more 
accurately reflect the possible scope of any such testing.
    Therefore, the Clearing Agencies are proposing to amend the last 
bullet of Section 6 of the Framework to remove reference to SIFMA and 
the Financial Services Authority and include a more comprehensive 
description of industry testing currently conducted to manage its 
business continuity risks.
v. Proposed Amendments To Update Organizational Name Changes and Make 
Other Nonmaterial Edits
    Finally, the Framework is owned and managed by an officer within 
the Operational Risk Management Group within the Group Chief Risk 
Office of DTCC. While the role and responsibilities of the Operational 
Risk Management Group have not changed, the proposed changes would 
update the Framework to reflect a change in the name of the group. The 
Operational Risk Management Group is now referred to as Operational 
Risk. This proposed change would reflect a recent organizational name 
change.
    The proposed rule change would make additional immaterial edits to 
the Framework that do not alter how the Clearing Agencies comply with 
the applicable requirements of Rule 17Ad-22(e)(17) under the Act.\11\
---------------------------------------------------------------------------

    \11\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------

2. Statutory Basis
    The Clearing Agencies believe that the proposed changes are 
consistent with Section 17A(b)(3)(F) of the Act \12\ and Rule 17Ad-
22(e)(17)(ii) and (iii) promulgated under the Act,\13\ for the reasons 
described below.
---------------------------------------------------------------------------

    \12\ 15 U.S.C. 78s(b)(3)(F).
    \13\ 17 CFR 240.17Ad-22(e)(17)(ii) and (iii).
---------------------------------------------------------------------------

    The Clearing Agencies believe that the proposed changes are 
consistent with Section 17A(b)(3)(F) of the Act, which requires, in 
part, that the rules of a registered clearing agency be designed to 
promote the prompt and accurate clearance and settlement of securities 
transactions, and to assure the safeguarding of securities and funds 
which are in the custody or control of the clearing agency or for which 
it is responsible, for the reasons described below.\14\ The proposed 
changes to (i) revise nomenclature and process changes to Risk 
Profiles, (ii) update the ORM Framework to align programs, policies, 
procedures, and controls within Technology Risk Management (``TRM'') to 
the Cyber Risk Institute (``CRI'') Profile instead of the National 
Institute of Standards and Technology (``NIST'') standards, (iii) 
update the recovery times for Tier 5 equating to non-essential 
functions, (iv) update business continuity testing across industry 
organizations, and (v) update the ORM Framework to reflect recent 
changes to group names and make other nonmaterial edits would update 
and clarify the Framework and would make it more comprehensive in how 
it describes the methods and tools currently used by the Clearing 
Agencies to manage operational risks and therefore comply with Section 
17A(b)(3)(F) of the Act.\15\ By creating clearer, updated and more 
comprehensive descriptions, the Clearing Agencies believe the proposed 
changes would make the ORM Framework more effective in providing an 
overview of the important risk management activities described therein.
---------------------------------------------------------------------------

    \14\ 15 U.S.C. 78s(b)(3)(F).
    \15\ Id.
---------------------------------------------------------------------------

    The risk management functions described in the ORM Framework allow 
the Clearing Agencies to continue the prompt and accurate clearance and 
settlement of securities and to continue to assure the safeguarding of 
securities and funds which are in their custody or control or for which 
they are responsible notwithstanding the default of a member of an 
affiliated family. The proposed changes to (1) revise nomenclature 
and process changes to risk profiles, (2) shift to the CRI standards, 
and (3) broaden the description of industry testing to capture the 
breadth of industry participants available to engage in such testing 
within the ORM Framework reflect the tools used by the Clearing 
Agencies to assess inherent and residual risks, and the reliance by the 
Clearing Agencies on reliable global sources related to their 
information technology standards and on diverse sources for industry 
testing. Identifying and 
mitigating plausible sources of operational risks both internal and 
external, information technology and business continuity, outlined in 
the above-referenced proposed changes, facilitates the Clearing 
Agencies' ability to continue the prompt and accurate clearance and 
settlement of securities transactions and assure the safeguarding of 
securities and funds which are in their custody or control or for which 
they are responsible. Therefore, the Clearing Agencies believe the 
proposed changes are consistent with the requirements of Section 
17A(b)(3)(F) of the Act.\16\
---------------------------------------------------------------------------

    \16\ Id.
---------------------------------------------------------------------------

    Rule 17Ad-22(e)(17) under the Act requires, in part, that each 
covered clearing agency establish, implement, maintain and enforce 
written policies and procedures reasonably designed to manage the 
covered clearing agency's operational risks by (ii) ensuring that 
systems have a high degree of security, resiliency, operational 
reliability, and adequate, scalable capacity; and (iii) establishing 
and maintaining business continuity plans in order to address events 
that may pose a significant risk of disrupting their operations.
    The Framework would be amended to update the description of the 
Clearing Agencies' information technology and business continuity 
procedures. The proposed changes to revise nomenclature and process 
changes to Risk Profiles, including the bifurcation of the Risk Profiles 
process and identification of applicable governance processes, assist 
the Clearing Agencies in effectively managing their operational risks 
by identifying the plausible sources of operational risk, both internal 
and external, and mitigating the impact of those risks. The proposed 
change to shift to CRI standards, which encompass the NIST standards 
plus additional metrics, is part of the programs, policies, procedures, 
and controls used by the Clearing Agencies to continue the building, 
implementation, and maintenance of systems that have a high degree of 
security, resiliency, operational reliability, and adequate, scalable 
capacity. Lastly, accurately describing the Clearing Agencies' industry 
testing procedure in the ORM Framework conforms with the Clearing 
Agencies' compliance obligations since business continuity testing is 
one of the preventive measures the Clearing Agencies may take with 
respect to 
business continuity risk management. As described above, these 
procedures address how the Clearing Agencies detect, identify, 
investigate, and resolve incidents that affect the Clearing Agencies' 
systems. These procedures are designed to help address the Clearing 
Agencies' compliance with the requirements of Rule 17Ad-22(e)(17)(ii) 
and (iii) under the Act.\17\ Therefore, the Clearing Agencies believe 
that the proposed rule changes to update the description of these 
procedures in the Risk Management Framework are consistent with Rule 
17Ad-22(e)(17)(ii) and (iii).\18\
---------------------------------------------------------------------------

    \17\ 17 CFR 240.17Ad-22(e)(17)(ii) and (iii).
    \18\ Id.
---------------------------------------------------------------------------

(B) Clearing Agency's Statement on Burden on Competition

    The Clearing Agencies do not believe that the proposed changes to 
the ORM Framework described above would have any impact, or impose any 
burden, on competition. The proposed changes would enhance the 
Framework by providing additional clarity and accuracy concerning the 
Clearing Agencies' operational risk management processes. The proposed 
rule changes to the Framework would not advantage or disadvantage any 
participant or user of the Clearing Agencies' services or unfairly 
inhibit access to the Clearing Agencies' services. As such, the 
Clearing Agencies do not believe that the proposed rule changes would 
have any impact on competition.

(C) Clearing Agency's Statement on Comments on the Proposed Rule Change 
Received From Members, Participants, or Others

    NSCC has not received or solicited any written comments relating to 
this proposal. If any written comments are received, they will be 
publicly filed as an Exhibit 2 to this filing, as required by Form 19b-
4 and the General Instructions thereto.
    Persons submitting comments are cautioned that, according to 
Section IV (Solicitation of Comments) of the Exhibit 1A in the General 
Instructions to Form 19b-4, the Securities and Exchange Commission 
(``Commission'') does not edit personal identifying information from 
comment submissions. Commenters should submit only information that 
they wish to make available publicly, including their name, email 
address, and any other identifying information.
    All prospective commenters should follow the Commission's 
instructions on how to submit comments, available at 
https://www.sec.gov/regulatory-actions/how-to-submit-comments. General 
questions regarding the rule filing process or logistical questions 
regarding this filing should be directed to the Main Office of the 
Commission's Division of Trading and Markets at 
[email protected] or 202-551-5777.
    NSCC reserves the right not to respond to any comments received.

III. Date of Effectiveness of the Proposed Rule Change, and Timing for 
Commission Action

    The foregoing rule change has become effective pursuant to Section 
19(b)(3)(A) \19\ of the Act and paragraph (f) \20\ of Rule 19b-4 
thereunder. At any time within 60 days of the filing of the proposed 
rule change, the Commission summarily may temporarily suspend such rule 
change if it appears to the Commission that such action is necessary or 
appropriate in the public interest, for the protection of investors, or 
otherwise in furtherance of the purposes of the Act.
---------------------------------------------------------------------------

    \19\ 15 U.S.C. 78s(b)(3)(A).
    \20\ 17 CFR 240.19b-4(f).
---------------------------------------------------------------------------

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed rule 
change is consistent with the Act. Comments may be submitted by any of 
the following methods:

Electronic Comments

     Use the Commission's internet comment form (https://www.sec.gov/rules/sro.shtml); or
     Send an email to [email protected]. Please include 
file number SR-NSCC-2023-010 on the subject line.

Paper Comments

     Send paper comments in triplicate to Secretary, Securities 
and Exchange Commission, 100 F Street NE, Washington, DC 20549.

All submissions should refer to file number SR-NSCC-2023-010. This file 
number should be included on the subject line if email is used. To help 
the Commission process and review your comments more efficiently, 
please use only one method. The Commission will post all comments on 
the Commission's internet website (https://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all 
written statements with respect to the proposed rule change that are 
filed with the Commission, and all written communications relating to 
the proposed rule change between the Commission and any person, other 
than those that may be withheld from the public in accordance with the 
provisions of 5 U.S.C. 552, will be available for website viewing and 
printing in the Commission's Public Reference Room, 100 F Street NE, 
Washington, DC 20549 on official business days between the hours of 10 
a.m. and 3 p.m. Copies of the filing also will be available for 
inspection and copying at the principal office of NSCC and on DTCC's 
website (https://dtcc.com/legal/sec-rule-filings.aspx). Do not include 
personal identifiable information in submissions; you should submit 
only information that you wish to make available publicly. We may 
redact in part or withhold entirely from publication submitted material 
that is obscene or subject to copyright protection. All submissions 
should refer to file number SR-NSCC-2023-010 and should be submitted on 
or before November 24, 2023.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\21\
---------------------------------------------------------------------------

    \21\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2023-24179 Filed 11-1-23; 8:45 am]
BILLING CODE 8011-01-P

