Self-Regulatory Organizations; National Securities Clearing Corporation; Notice of Filing and Immediate Effectiveness of Proposed Rule Change To Modify the Clearing Agency Operational Risk Management Framework, 75344-75347 [2023-24179]
Federal Register / Vol. 88, No. 211 / Thursday, November 2, 2023 / Notices
Because the exemption applies only to
fixed-income securities issued in
accordance with the requirements of
Rule 144A, it is limited to resales of
securities to an investor base that ‘‘can
be conclusively assumed to be
sophisticated,’’ 16 is able to obtain
certain basic financial information
concerning the issuers’ business, and
has extensive experience in the private
resale market for restricted securities.17
Under the requirements of Rule 144A,
securities can be sold only to ‘‘qualified
institutional investors’’ (or purchasers
that the seller or a person acting on its
behalf reasonably believes are qualified
institutional investors), which, with the
exception of registered dealers, must in
the aggregate own and invest on a
discretionary basis at least $100 million
in securities of issuers that are not
affiliated with such a qualified
institutional buyer.18 Furthermore, in
the case of issuers that do not file
periodic reports under the Exchange Act
or furnish home country information to
the Commission pursuant to 17 CFR
240.12g3–2(b), Rule 144A requires that any
prospective purchaser of Rule 144A
fixed-income securities has the right to
obtain from the issuer reasonably
current financial information (‘‘Rule
144A information’’): 19
[A] very brief statement of the nature of the
business of the issuer and the products and
services it offers; and the issuer’s most recent
balance sheet and profit and loss and
retained earnings statements, and similar
financial statements for such part of the two
preceding fiscal years as the issuer has been
in operation (the financial information
should be audited to the extent possible).20
securities sold in compliance with the safe harbor
in Rule 144A. See Petition at n.1. Moreover, the
amendments to Rule 15c2–11 have applied to Rule
144A equity securities since the compliance date of
those amendments which was September 2021.
Accordingly, this exemption does not address
equity securities sold in compliance with the safe
harbor in Rule 144A.
16 Accredited Investor Definition, Release No.
33–10824 (Aug. 26, 2020), 85 FR 64234, 64236 (Oct. 9,
2020) (‘‘Accredited Investor Release’’) (citing Resale
of Restricted Securities; Changes to Method of
Determining Holding Period of Restricted Securities
Under Rules 144 and 145, Release No. 33–6806
(Oct. 25, 1988), 53 FR 44016 (Nov. 1, 1988)) (‘‘1988
Rule 144A Proposing Release’’).
17 1988 Rule 144A Proposing Release, 53 FR at
44028.
18 17 CFR 230.144A(a)(1) (definition of ‘‘qualified
institutional buyer’’).
19 17 CFR 230.144A(d)(4).
20 Id. With respect to asset-backed securities, the
Commission has interpreted the information
requirement to mandate provision of ‘‘basic,
material information concerning the structure of the
securities and distributions thereon, the nature,
performance and servicing of the assets supporting
the securities, and any credit enhancement
mechanism associated with the securities.’’ See
Rule 144A Adopting Release, 55 FR at 17939.
The availability of the Rule 144A
information can be used by prospective
qualified institutional buyers to make
better informed investment decisions
and assess potential risks in investing in
the security. While the Rule 144A
information that is required to be
provided to qualified institutional
buyers upon request is not the current
publicly available information defined
in paragraph (b) of Rule 15c2–11, the
Rule 144A information serves the same
purpose of investor protection.
The Commission finds it is
appropriate in the public interest, and
consistent with the protection of
investors, to exempt brokers and dealers
from the requirements of Rule 15c2–11,
with respect to Rule 144A fixed-income
securities.
III. Conclusion
Accordingly, it is hereby ordered,
pursuant to section 36(a) of the
Exchange Act 21 and Rule 15c2–11(g)
under the Exchange Act,22 that a broker
or dealer is exempt from the
requirements of Rule 15c2–11 with
respect to a fixed-income security to be
sold in compliance with the safe harbor
in Rule 144A 23 under the Securities Act
of 1933.24
This exemptive relief is subject to
modification or revocation at any time
by the Commission but will be in effect
unless and until the Commission
determines that modification or
revocation is necessary or appropriate in
furtherance of the purposes of the
Exchange Act, or the relief is otherwise
superseded by future Commission
action such as a rulemaking addressing
the Rule 144A safe harbor or issues
pertaining to the fixed income markets
more generally.
Persons relying on this exemption are
directed to the anti-fraud and anti-manipulation provisions of the
Exchange Act, particularly sections 9(a)
and 10(b), and 17 CFR 240.10b–5
thereunder.25 Responsibility for
compliance with these and any other
applicable provisions of the Federal
securities laws must rest with the
persons relying on this exemption. This
order should not be considered a view
with respect to any other question that
the proposed transactions or quotations
may raise, including, but not limited to
the adequacy of the disclosure
concerning, and the applicability of
other Federal or State laws to, the
proposed transactions or quotations.
21 15 U.S.C. 78mm(a).
22 17 CFR 240.15c2–11(g).
23 17 CFR 230.144A.
24 15 U.S.C. 77a et seq.
25 15 U.S.C. 78i(a), 78j(b); 17 CFR 240.10b–5.
By the Commission.
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2023–24245 Filed 11–1–23; 8:45 am]
BILLING CODE 8011–01–P
SECURITIES AND EXCHANGE
COMMISSION
[Release No. 34–98814; File No. SR–NSCC–2023–010]
Self-Regulatory Organizations;
National Securities Clearing
Corporation; Notice of Filing and
Immediate Effectiveness of Proposed
Rule Change To Modify the Clearing
Agency Operational Risk Management
Framework
October 27, 2023.
Pursuant to Section 19(b)(1) of the
Securities Exchange Act of 1934
(‘‘Act’’) 1 and Rule 19b–4 thereunder,2
notice is hereby given that on October
20, 2023, National Securities Clearing
Corporation (‘‘NSCC’’) filed with the
Securities and Exchange Commission
(‘‘Commission’’) the proposed rule
change as described in Items I, II and III
below, which Items have been prepared
by the clearing agency. NSCC filed the
proposed rule change pursuant to
Section 19(b)(3)(A) of the Act 3 and Rule
19b–4(f)(4) thereunder.4 The
Commission is publishing this notice to
solicit comments on the proposed rule
change from interested persons.
I. Clearing Agency’s Statement of the
Terms of Substance of the Proposed
Rule Change
The proposed rule change consists of
modifications to the Clearing Agency
Operational Risk Management
Framework (‘‘ORM Framework’’ or
‘‘Framework’’) of the National Securities
Clearing Corporation (‘‘NSCC’’) and its
affiliates The Depository Trust Company
(‘‘DTC’’) and Fixed Income Clearing
Corporation (‘‘FICC,’’ and together with
NSCC and DTC, the ‘‘Clearing
Agencies’’) in order to (i) revise
nomenclature and process changes to
Risk Profiles, (ii) update the ORM
Framework to align programs, policies,
procedures, and controls within
Technology Risk Management (‘‘TRM’’)
to the Cyber Risk Institute (‘‘CRI’’)
Profile instead of the National Institute
of Standards and Technology (‘‘NIST’’)
standards, (iii) update recovery times for
1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b–4.
3 15 U.S.C. 78s(b)(3)(A).
4 17 CFR 240.19b–4(f)(4).
Tier 5 non-essential functions, (iv)
update business continuity testing
across industry organizations, and (v)
update the ORM Framework to reflect
recent changes to group names and
make other nonmaterial edits, as
described in greater detail below.
II. Clearing Agency’s Statement of the
Purpose of, and Statutory Basis for, the
Proposed Rule Change
In its filing with the Commission, the
clearing agency included statements
concerning the purpose of and basis for
the proposed rule change and discussed
any comments it received on the
proposed rule change. The text of these
statements may be examined at the
places specified in Item IV below. The
clearing agency has prepared
summaries, set forth in sections A, B,
and C below, of the most significant
aspects of such statements.
(A) Clearing Agency’s Statement of the
Purpose of, and Statutory Basis for, the
Proposed Rule Change
1. Purpose
The Clearing Agencies adopted the
ORM Framework 5 to provide an outline
for how each of the Clearing Agencies
manages its operational risks. In this
way, the Framework supports the
Clearing Agencies’ compliance with
Rules 17Ad–22(e)(17) of the Standards
for Covered Clearing Agencies
(‘‘Standards’’) under the Securities
Exchange Act of 1934 (‘‘Act’’),6 as
described in the Initial Filing. In
addition to setting forth the way each of
the Clearing Agencies addresses these
requirements, the ORM Framework also
contains a section titled ‘‘Framework
Ownership and Change Management’’
that, among other matters, describes the
Framework ownership and the required
governance process for review and
approval of changes to the Framework.
In connection with the annual review
and approval of the Framework by the
Boards of Directors of each of the
Clearing Agencies (each a ‘‘Board’’ and
collectively, the ‘‘Boards’’), the Clearing
Agencies are proposing to make certain
revisions to the Framework.
Such proposed changes would
include (i) revising nomenclature and
process changes to Risk Profiles, (ii)
updating the ORM Framework to align
programs, policies, procedures, and
controls within Technology Risk
Management (‘‘TRM’’) to the Cyber Risk
Institute (‘‘CRI’’) Profile instead of the
5 See Securities Exchange Act Release No. 81745
(September 28, 2017), 82 FR 46332 (October 4,
2017) (SR–DTC–2017–014; SR–NSCC–2017–013;
SR–FICC–2017–017) (‘‘Initial Filing’’).
6 17 CFR 240.17Ad–22(e)(17).
National Institute of Standards and
Technology (‘‘NIST’’) standards, (iii)
updating the recovery times for Tier 5
equating to non-essential functions, (iv)
updating business continuity testing
across industry organizations, and (v)
updating the ORM Framework to reflect
recent changes to group names and
making other nonmaterial edits. The
proposed changes are described in
greater detail below.
i. Proposed Amendments To Revise
Nomenclature and Process Changes to
Risk Profiles
Section 4.2 of the ORM Framework
describes the risk profiles, which are
tools used by the Clearing Agencies to
monitor and document inherent risks
and residual risks to support an overall
assessment of the applicable Clearing
Agency business or Clearing Agency
support area. The proposed changes
would update the Framework to reflect
recent developments to the name of the
tools used by the Clearing Agency. The
proposed changes would also reflect
updates to Clearing Agency processes
and other matters described in the
Framework. These proposed changes do
not substantively impact how the
Clearing Agencies manage operational
risk in compliance with the
requirements of Rule 17Ad–22(e)(17)
under the Act.7
The proposed changes would update
the Framework by removing references
to risk profiles and replacing them with
Risk Assessments and Quarterly
Business Monitoring. These proposed
changes reflect the Clearing Agencies’
bifurcation of the prior Risk Profile
process into an assessment and a
metrics review component, each with
differing cadences for publication.
Specifically, Risk Assessments are
prepared at least annually, and
Quarterly Business Monitoring is
generally prepared quarterly and not
less than semi-annually.
ii. Proposed Amendments To Align to
the Cyber Risk Institute Profile
Section 5 of the Framework describes
the role of TRM in establishing
appropriate programs, policies,
procedures, and controls with respect to
the Clearing Agencies’ information
technology risks to help management
ensure that systems have a high degree
of security, resiliency, operational
reliability, and adequate, scalable
capacity, as required by Rule
17Ad–22(e)(17)(ii) under the Act.8 The
Clearing Agencies previously aligned
their technology risks management
7 Id.
8 17 CFR 240.17Ad–22(e)(17)(ii).
practices to the NIST standards, which
are recognized information technology
standards that have been used by TRM
in support of executing such
responsibilities. TRM shifted from
reliance only on NIST standards to
instead align their risk management
practices with the standards of CRI,
which is a global standard for cyber risk
assessment and is based on the NIST
Cyber Security Framework (‘‘NIST
CSF’’). NIST CSF has five core
functions, while the CRI standards have
those same five core functions plus two
additional core functions. This shift
would allow the Clearing Agencies to
continue maintaining compliance with
Rule 17Ad–22(e)(17) under the Act.9
Therefore, the Clearing Agencies are
proposing to amend Section 5 of the
Framework to remove reference to NIST
standards and replace them with the
CRI Profile to reflect its existing
practice.
iii. Proposed Amendments To Update
Recovery Time of Tier 5 Operations
Section 6 of the Framework describes
how the Clearing Agencies have
established and maintain business
continuity plans to address events that
may pose a significant risk of disrupting
their operations. The Framework
describes how the business continuity
process for each Clearing Agency
Business and Clearing Agency Support
Area 10 is ranked within a range of tiers,
from 0 to 5. The range of tiers is based
on criticality to each applicable Clearing
Agency’s operations (each a ‘‘Tier’’),
where Tier 0 equates to critical
operations or support of such operations
for which virtually no downtime is
permitted, and Tier 5 equates to non-essential operations or support of such
operations for which recovery times of
greater than five days is permitted. The
Clearing Agencies are proposing a
change to the Tier 5 recovery time from
greater than five days to greater than
fifteen days. The greater than fifteen
days better represents the actual
recovery time for the underlying
product and service functions.
To reflect this change in the
Framework, the Clearing Agencies are
proposing to amend Section 6 of the
Framework to replace the number five,
with fifteen, as it relates to recovery
times for Tier 5 and align with Clearing
Agency current practice.
9 17 CFR 240.17Ad–22(e)(17).
10 The Clearing Agencies monitor key risks,
including Operational Risks stemming from the
day-to-day operation of the Clearing Agencies’
businesses and support areas (each a ‘‘Clearing
Agency Business’’ or ‘‘Clearing Agency Support
Area’’).
iv. Proposed Amendments To Update
the Description of Business Continuity
Testing
As mentioned above, Section 6 of the
Framework describes how the Clearing
Agencies manage business continuity
risks. The Clearing Agencies are
proposing changes to the Framework to
describe their management of these risks
more accurately. Specifically, the
Clearing Agencies are proposing
changes to better reflect their
administration of industry testing,
which is one of the preventive measures
the Clearing Agencies may take with
respect to business continuity risk
management. The proposed changes
would reflect the breadth of industry
participants used for such industry
exercises conducted by the Clearing
Agencies instead of only the Securities
Industry and Financial Markets
Association (SIFMA) and the Financial
Services Authority. The proposed rule
change is not intended to reflect a
material change to the industry testing
done by the Clearing Agencies, but
rather, would more accurately reflect
the possible scope of any such testing.
Therefore, the Clearing Agencies are
proposing to amend the last bullet of
Section 6 of the Framework to remove
reference to SIFMA and the Financial
Services Authority and include a more
comprehensive description of industry
testing currently conducted to manage
its business continuity risks.
v. Proposed Amendments To Update
Organizational Name Changes and Make
Other Nonmaterial Edits
Finally, the Framework is owned and
managed by an officer within the
Operational Risk Management Group
within the Group Chief Risk Office of
DTCC. While the role and
responsibilities of the Operational Risk
Management Group have not changed,
the proposed changes would update the
Framework to reflect a change in the
name of the group. The Operational Risk
Management Group is now referred to as
Operational Risk. This proposed change
would reflect a recent organizational
name change.
The proposed rule change would
make additional immaterial edits to the
Framework that do not alter how the
Clearing Agencies comply with the
applicable requirements of Rule
17Ad–22(e)(17) under the Act.11
2. Statutory Basis
The Clearing Agencies believe that the
proposed changes are consistent with
Section 17A(b)(3)(F) of the Act 12 and
Rule 17Ad–22(e)(17)(ii) and (iii)
promulgated under the Act,13 for the
reasons described below.
The Clearing Agencies believe that the
proposed changes are consistent with
Section 17A(b)(3)(F) of the Act, which
requires, in part, that the rules of a
registered clearing agency be designed
to promote the prompt and accurate
clearance and settlement of securities
transactions, and to assure the
safeguarding of securities and funds
which are in the custody or control of
the clearing agency or for which it is
responsible, for the reasons described
below.14 The proposed changes to (i)
revise nomenclature and process
changes to Risk Profiles, (ii) update the
ORM Framework to align programs,
policies, procedures, and controls
within Technology Risk Management
(‘‘TRM’’) to the Cyber Risk Institute
(‘‘CRI’’) Profile instead of the National
Institute of Standards and Technology
(‘‘NIST’’) standards, (iii) update the
recovery times for Tier 5 equating to
non-essential functions, (iv) update
business continuity testing across
industry organizations, and (v) update
the ORM Framework to reflect recent
changes to group names and make
other nonmaterial edits would update
and clarify the Framework and would
make it more comprehensive in how it
describes the methods and tools
currently used by the Clearing Agencies
to manage operational risks and
therefore comply with Section
17A(b)(3)(F) of the Act.15 By creating
clearer, updated and more
comprehensive descriptions, the
Clearing Agencies believe the proposed
changes would make the ORM
Framework more effective in providing
an overview of the important risk
management activities described
therein.
The risk management functions
described in the ORM Framework allow
the Clearing Agencies to continue the
prompt and accurate clearance and
settlement of securities and can
continue to assure the safeguarding of
securities and funds which are in their
custody or control or for which they are
responsible notwithstanding the default
of a member of an affiliated family. The
proposed changes to (1) revise
nomenclature and process changes to
risk profiles, (2) shift to the CRI
standards, and (3) broaden the
description of industry testing to
capture the breadth of industry
participants available to engage in such
testing within the ORM Framework
11 17 CFR 240.17Ad–22(e)(17).
12 15 U.S.C. 78s(b)(3)(F).
13 17 CFR 240.17Ad–22(e)(17)(ii) and (iii).
14 15 U.S.C. 78s(b)(3)(F).
15 Id.
reflect the tools used by Clearing
Agencies to assess inherent and residual
risks; reliance by the Clearing Agencies
on reliable global sources related to its
information technology standards and
diverse sources for industry testing.
Identifying and mitigating plausible
sources of operational risks both
internal and external, information
technology and business continuity,
outlined in the above-referenced
proposed changes, facilitates the
Clearing Agencies’ ability to continue
the prompt and accurate clearance and
settlement of securities transactions and
assure the safeguarding of securities and
funds which are in their custody or
control or for which they are
responsible. Therefore, the Clearing
Agencies believe the proposed changes
are consistent with the requirements of
Section 17A(b)(3)(F) of the Act.16
Rule 17Ad–22(e)(17) under the Act
requires, in part, that each covered
clearing agency establish, implement,
maintain and enforce written policies
and procedures reasonably designed to
manage the covered clearing agency’s
operational risks by (ii) ensuring that
systems have a high degree of security,
resiliency, operational reliability, and
adequate, scalable capacity; and (iii)
establishing and maintaining business
continuity plans in order to address
events that may pose a significant risk
of disrupting their operations.
The Framework would be amended to
update the description of the Clearing
Agencies’ information technology and
business continuity procedures. The
proposed changes to revise
nomenclature and process changes to
Risk Profiles including the bifurcation
of Risk Profiles process and
identification of applicable governance
processes assist the Clearing Agencies in
effectively managing their operational
risks by identifying the plausible
sources of operational risk, both internal
and external, and mitigating the impact
of those risks. The proposed change to
shift to CRI standards, which
encompasses the NIST standards plus
additional metrics, is part of the
programs, policies, procedures, and
controls used by the Clearing Agencies
to continue the building,
implementation, and maintenance of
systems that have a high degree of
security, resiliency, operational
reliability, and adequate, scalable
capacity. Lastly, accurately describing
the Clearing Agencies’ industry testing
procedure in the ORM framework
conforms with the Clearing Agencies’
compliance obligations since business
continuity testing is one of the
16 Id.
preventive measures the Clearing
Agencies may take with respect to
business continuity risk management.
As described above, these procedures
address how the Clearing Agencies
detect, identify, investigate, and resolve
incidents that affect the Clearing
Agencies’ systems. These procedures are
designed to help address the Clearing
Agencies’ compliance with the
requirements of Rule 17Ad–22(e)(17)(ii)
and (iii) under the Act.17 Therefore, the
Clearing Agencies believe that the
proposed rule changes to update the
description of these procedures in the
Risk Management Framework is
consistent with Rule 17Ad–22(e)(17)(ii)
and (iii).18
(B) Clearing Agency’s Statement on
Burden on Competition
The Clearing Agencies do not believe
that the proposed changes to the ORM
Framework described above would have
any impact, or impose any burden, on
competition. The proposed changes
would enhance the Framework by
providing additional clarity and
accuracy concerning the Clearing
Agencies’ operational risk management
processes. The proposed rule changes to
the Framework would not advantage or
disadvantage any participant or user of
the Clearing Agencies’ services or
unfairly inhibit access to the Clearing
Agencies’ services. As such, the
Clearing Agencies do not believe that
the proposed rule changes would have
any impact on competition.
(C) Clearing Agency’s Statement on
Comments on the Proposed Rule
Change Received From Members,
Participants, or Others
NSCC has not received or solicited
any written comments relating to this
proposal. If any written comments are
received, they will be publicly filed as
an Exhibit 2 to this filing, as required by
Form 19b–4 and the General
Instructions thereto.
Persons submitting comments are
cautioned that, according to Section IV
(Solicitation of Comments) of the
Exhibit 1A in the General Instructions to
Form 19b–4, the Securities and
Exchange Commission (‘‘Commission’’)
does not edit personal identifying
information from comment submissions.
Commenters should submit only
information that they wish to make
available publicly, including their
name, email address, and any other
identifying information.
All prospective commenters should
follow the Commission’s instructions on
how to submit comments, available at
https://www.sec.gov/regulatory-actions/how-to-submit-comments.
General
questions regarding the rule filing
process or logistical questions regarding
this filing should be directed to the
Main Office of the Commission’s
Division of Trading and Markets at
tradingandmarkets@sec.gov or
202–551–5777.
NSCC reserves the right not to
respond to any comments received.
III. Date of Effectiveness of the
Proposed Rule Change, and Timing for
Commission Action
The foregoing rule change has become
effective pursuant to Section
19(b)(3)(A) 19 of the Act and paragraph
(f) 20 of Rule 19b–4 thereunder. At any
time within 60 days of the filing of the
proposed rule change, the Commission
summarily may temporarily suspend
such rule change if it appears to the
Commission that such action is
necessary or appropriate in the public
interest, for the protection of investors,
or otherwise in furtherance of the
purposes of the Act.
IV. Solicitation of Comments
Interested persons are invited to
submit written data, views and
arguments concerning the foregoing,
including whether the proposed rule
change is consistent with the Act.
Comments may be submitted by any of
the following methods:
Electronic Comments
• Use the Commission’s internet
comment form (https://www.sec.gov/rules/sro.shtml); or
• Send an email to rule-comments@sec.gov.
Please include file number SR–NSCC–2023–010
on the subject line.
Paper Comments
• Send paper comments in triplicate
to Secretary, Securities and Exchange
Commission, 100 F Street NE,
Washington, DC 20549.
All submissions should refer to file
number SR–NSCC–2023–010. This file
number should be included on the
subject line if email is used. To help the
Commission process and review your
comments more efficiently, please use
only one method. The Commission will
post all comments on the Commission’s
internet website (https://www.sec.gov/rules/sro.shtml).
Copies of the
submission, all subsequent
amendments, all written statements
with respect to the proposed rule
change that are filed with the
Commission, and all written
communications relating to the
proposed rule change between the
Commission and any person, other than
those that may be withheld from the
public in accordance with the
provisions of 5 U.S.C. 552, will be
available for website viewing and
printing in the Commission’s Public
Reference Room, 100 F Street NE,
Washington, DC 20549 on official
business days between the hours of 10
a.m. and 3 p.m. Copies of the filing also
will be available for inspection and
copying at the principal office of NSCC
and on DTCC’s website
(https://dtcc.com/legal/sec-rule-filings.aspx). Do
not include personal identifiable
information in submissions; you should
submit only information that you wish
to make available publicly. We may
redact in part or withhold entirely from
publication submitted material that is
obscene or subject to copyright
protection. All submissions should refer
to file number SR–NSCC–2023–010 and
should be submitted on or before
November 24, 2023.
For the Commission, by the Division of
Trading and Markets, pursuant to delegated
authority.21
J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2023–24179 Filed 11–1–23; 8:45 am]
BILLING CODE 8011–01–P
SECURITIES AND EXCHANGE
COMMISSION
[Release No. 34–98813; File No. SR–FICC–2023–015]
Self-Regulatory Organizations; Fixed
Income Clearing Corporation; Notice of
Filing and Immediate Effectiveness of
Proposed Rule Change To Modify the
Clearing Agency Operational Risk
Management Framework
October 27, 2023.
Pursuant to Section 19(b)(1) of the
Securities Exchange Act of 1934
(‘‘Act’’) 1 and Rule 19b–4 thereunder,2
notice is hereby given that on October
20, 2023, Fixed Income Clearing
Corporation (‘‘FICC’’) filed with the
Securities and Exchange Commission
(‘‘Commission’’) the proposed rule
change as described in Items I, II and III
below, which Items have been prepared
by the clearing agency. FICC filed the
proposed rule change pursuant to
Section 19(b)(3)(A) of the Act 3 and Rule
17 17 CFR 240.17Ad–22(e)(17)(ii) and (iii).
18 Id.
19 15 U.S.C. 78s(b)(3)(A).
20 17 CFR 240.19b–4(f).
21 17 CFR 200.30–3(a)(12).
1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b–4.
3 15 U.S.C. 78s(b)(3)(A).
[Federal Register Volume 88, Number 211 (Thursday, November 2, 2023)]
[Notices]
[Pages 75344-75347]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-24179]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-98814; File No. SR-NSCC-2023-010]
Self-Regulatory Organizations; National Securities Clearing
Corporation; Notice of Filing and Immediate Effectiveness of Proposed
Rule Change To Modify the Clearing Agency Operational Risk Management
Framework
October 27, 2023.
Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934
(``Act'') \1\ and Rule 19b-4 thereunder,\2\ notice is hereby given that
on October 20, 2023, National Securities Clearing Corporation
(``NSCC'') filed with the Securities and Exchange Commission
(``Commission'') the proposed rule change as described in Items I, II
and III below, which Items have been prepared by the clearing agency.
NSCC filed the proposed rule change pursuant to Section 19(b)(3)(A) of
the Act \3\ and Rule 19b-4(f)(4) thereunder.\4\ The Commission is
publishing this notice to solicit comments on the proposed rule change
from interested persons.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ 15 U.S.C. 78s(b)(3)(A).
\4\ 17 CFR 240.19b-4(f)(4).
---------------------------------------------------------------------------
I. Clearing Agency's Statement of the Terms of Substance of the
Proposed Rule Change
The proposed rule change consists of modifications to the Clearing
Agency Operational Risk Management Framework (``ORM Framework'' or
``Framework'') of the National Securities Clearing Corporation
(``NSCC'') and its affiliates The Depository Trust Company (``DTC'')
and Fixed Income Clearing Corporation (``FICC,'' and together with NSCC
and DTC, the ``Clearing Agencies'') in order to (i) revise nomenclature
and process changes to Risk Profiles, (ii) update the ORM Framework to
align programs, policies, procedures, and controls within Technology
Risk Management (``TRM'') to the Cyber Risk Institute (``CRI'') Profile
instead of the National Institute of Standards and Technology
(``NIST'') standards, (iii) update recovery times for
Tier 5 non-essential functions, (iv) update business continuity testing
across industry organizations, and (v) update the ORM Framework to
reflect recent changes to group names and make other nonmaterial edits,
as described in greater detail below.
II. Clearing Agency's Statement of the Purpose of, and Statutory Basis
for, the Proposed Rule Change
In its filing with the Commission, the clearing agency included
statements concerning the purpose of and basis for the proposed rule
change and discussed any comments it received on the proposed rule
change. The text of these statements may be examined at the places
specified in Item IV below. The clearing agency has prepared summaries,
set forth in sections A, B, and C below, of the most significant
aspects of such statements.
(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis
for, the Proposed Rule Change
1. Purpose
The Clearing Agencies adopted the ORM Framework \5\ to provide an
outline for how each of the Clearing Agencies manages its operational
risks. In this way, the Framework supports the Clearing Agencies'
compliance with Rules 17Ad-22(e)(17) of the Standards for Covered
Clearing Agencies (``Standards'') under the Securities Exchange Act of
1934 (``Act''),\6\ as described in the Initial Filing. In addition to
setting forth the way each of the Clearing Agencies addresses these
requirements, the ORM Framework also contains a section titled
``Framework Ownership and Change Management'' that, among other
matters, describes the Framework ownership and the required governance
process for review and approval of changes to the Framework.
---------------------------------------------------------------------------
\5\ See Securities Exchange Act Release No. 81745 (September 28,
2017), 82 FR 46332 (October 4, 2017) (SR-DTC-2017-014; SR-NSCC-2017-
013; SR-FICC-2017-017) (``Initial Filing'').
\6\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
In connection with the annual review and approval of the Framework
by the Boards of Directors of each of the Clearing Agencies (each a
``Board'' and collectively, the ``Boards''), the Clearing Agencies are
proposing to make certain revisions to the Framework.
Such proposed changes would include (i) revising nomenclature and
process changes to Risk Profiles, (ii) updating the ORM Framework to
align programs, policies, procedures, and controls within Technology
Risk Management (``TRM'') to the Cyber Risk Institute (``CRI'') Profile
instead of the National Institute of Standards and Technology
(``NIST'') standards, (iii) updating the recovery times for Tier 5
equating to non-essential functions, (iv) updating business continuity
testing across industry organizations, and (v) updating the ORM
Framework to reflect recent changes to group names and making other
nonmaterial edits. The proposed changes are described in greater detail
below.
i. Proposed Amendments To Revise Nomenclature and Process Changes to
Risk Profiles
Section 4.2 of the ORM Framework describes the risk profiles, which
are tools used by the Clearing Agencies to monitor and document
inherent risks and residual risks to support an overall assessment of
the applicable Clearing Agency business' or Clearing Agency support
area. The proposed changes would update the Framework to reflect recent
developments to the name of the tools used by the Clearing Agency. The
proposed changes would also reflect updates to Clearing Agency
processes and other matters described in the Framework. These proposed
changes do not substantively impact how the Clearing Agencies manage
operational risk in compliance with the requirements of Rule 17Ad-
22(e)(17) under the Act.\7\
---------------------------------------------------------------------------
\7\ Id.
---------------------------------------------------------------------------
The proposed changes would update the Framework by removing
references to risk profiles and replacing them with Risk Assessments
and Quarterly Business Monitoring. These proposed changes reflect the
Clearing Agencies' bifurcation of the prior Risk Profile process into an
assessment and a metrics review component, each with differing cadences
for publication. Specifically, Risk Assessments are prepared at least
annually, and Quarterly Business Monitoring is generally prepared
quarterly and not less than semi-annually.
ii. Proposed Amendments To Align to the Cyber Risk Institute Profile
Section 5 of the Framework describes the role of TRM in
establishing appropriate programs, policies, procedures, and controls
with respect to the Clearing Agencies' information technology risks to
help management ensure that systems have a high degree of security,
resiliency, operational reliability, and adequate, scalable capacity,
as required by Rule 17Ad-22(e)(17)(ii) under the Act.\8\ The Clearing
Agencies previously aligned their technology risk management practices
to the NIST standards, which are recognized information technology
standards that have been used by TRM in support of executing such
responsibilities. TRM shifted from reliance only on NIST standards to
instead align their risk management practices with the standards of
CRI, which are a global standard for cyber risk assessment and are based
on the NIST Cyber Security Framework (``NIST CSF''). NIST CSF has five
core functions, while the CRI standards have those same five core
functions plus two additional core functions. This shift would allow
the Clearing Agencies to continue maintaining compliance with Rule
17Ad-22(e)(17) under the Act.\9\
---------------------------------------------------------------------------
\8\ 17 CFR 240.17Ad-22(e)(17)(ii).
\9\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
Therefore, the Clearing Agencies are proposing to amend Section 5
of the Framework to remove reference to NIST standards and replace them
with the CRI Profile to reflect its existing practice.
iii. Proposed Amendments To Update Recovery Time of Tier 5 Operations
Section 6 of the Framework describes how the Clearing Agencies have
established and maintain business continuity plans to address events
that may pose a significant risk of disrupting their operations. The
Framework describes how the business continuity process for each
Clearing Agency Business and Clearing Agency Support Area \10\ is
ranked within a range of tiers, from 0 to 5. The range of tiers is
based on criticality to each applicable Clearing Agency's operations
(each a ``Tier''), where Tier 0 equates to critical operations or
support of such operations for which virtually no downtime is
permitted, and Tier 5 equates to non-essential operations or support of
such operations for which recovery times of greater than five days is
permitted. The Clearing Agencies are proposing a change to the Tier 5
recovery time from greater than five days to greater than fifteen days.
The greater than fifteen days better represents the actual recovery
time for the underlying product and service functions.
---------------------------------------------------------------------------
\10\ The Clearing Agencies monitor key risks, including
Operational Risks stemming from the day-to-day operation of the
Clearing Agencies' businesses and support areas (each a ``Clearing
Agency Business'' or ``Clearing Agency Support Area'').
---------------------------------------------------------------------------
To reflect this change in the Framework, the Clearing Agencies are
proposing to amend Section 6 of the Framework to replace the number
five with fifteen, as it relates to recovery times for Tier 5, and
align with Clearing Agency current practice.
iv. Proposed Amendments To Update the Description of Business
Continuity Testing
As mentioned above, Section 6 of the Framework describes how the
Clearing Agencies manage business continuity risks. The Clearing
Agencies are proposing changes to the Framework to describe their
management of these risks more accurately. Specifically, the Clearing
Agencies are proposing changes to better reflect their administration
of industry testing, which is one of the preventive measures the
Clearing Agencies may take with respect to business continuity risk
management. The proposed changes would reflect the breadth of industry
participants used for such industry exercises conducted by the Clearing
Agencies instead of only the Securities Industry and Financial Markets
Association (SIFMA) and the Financial Services Authority. The proposed
rule change is not intended to reflect a material change to the
industry testing done by the Clearing Agencies, but rather, would more
accurately reflect the possible scope of any such testing.
Therefore, the Clearing Agencies are proposing to amend the last
bullet of Section 6 of the Framework to remove reference to SIFMA and
the Financial Services Authority and include a more comprehensive
description of industry testing currently conducted to manage its
business continuity risks.
v. Proposed Amendments To Update Organizational Name Changes and Make
Other Nonmaterial Edits
Finally, the Framework is owned and managed by an officer within
the Operational Risk Management Group within the Group Chief Risk
Office of DTCC. While the role and responsibilities of the Operational
Risk Management Group have not changed, the proposed changes would
update the Framework to reflect a change in the name of the group. The
Operational Risk Management Group is now referred to as Operational
Risk. This proposed change would reflect a recent organizational name
change.
The proposed rule change would make additional immaterial edits to
the Framework that do not alter how the Clearing Agencies comply with
the applicable requirements of Rule 17Ad-22(e)(17) under the Act.\11\
---------------------------------------------------------------------------
\11\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
2. Statutory Basis
The Clearing Agencies believe that the proposed changes are
consistent with Section 17A(b)(3)(F) of the Act \12\ and Rule 17Ad-
22(e)(17)(ii) and (iii) promulgated under the Act,\13\ for the reasons
described below.
---------------------------------------------------------------------------
\12\ 15 U.S.C. 78s(b)(3)(F).
\13\ 17 CFR 240.17Ad-22(e)(17)(ii) and (iii).
---------------------------------------------------------------------------
The Clearing Agencies believe that the proposed changes are
consistent with Section 17A(b)(3)(F) of the Act, which requires, in
part, that the rules of a registered clearing agency be designed to
promote the prompt and accurate clearance and settlement of securities
transactions, and to assure the safeguarding of securities and funds
which are in the custody or control of the clearing agency or for which
it is responsible, for the reasons described below.\14\ The proposed
changes to (i) revise nomenclature and process changes to Risk
Profiles, (ii) update the ORM Framework to align programs, policies,
procedures, and controls within Technology Risk Management (``TRM'') to
the Cyber Risk Institute (``CRI'') Profile instead of the National
Institute of Standards and Technology (``NIST'') standards, (iii)
update the recovery times for Tier 5 equating to non-essential
functions, (iv) update business continuity testing across industry
organizations, and (v) update the ORM Framework to reflect recent
changes to group names and make other nonmaterial edits would update
and clarify the Framework and would make it more comprehensive in how
it describes the methods and tools currently used by the Clearing
Agencies to manage operational risks and therefore comply with Section
17A(b)(3)(F) of the Act.\15\ By creating clearer, updated and more
comprehensive descriptions, the Clearing Agencies believe the proposed
changes would make the ORM Framework more effective in providing an
overview of the important risk management activities described therein.
---------------------------------------------------------------------------
\14\ 15 U.S.C. 78s(b)(3)(F).
\15\ Id.
---------------------------------------------------------------------------
The risk management functions described in the ORM Framework allow
the Clearing Agencies to continue the prompt and accurate clearance and
settlement of securities and to continue to assure the safeguarding of
securities and funds which are in their custody or control or for which
they are responsible notwithstanding the default of a member of an
affiliated family. The proposed changes to (1) revise nomenclature
and process changes to risk profiles, (2) shift to the CRI standards,
and (3) broaden the description of industry testing to capture the
breadth of industry participants available to engage in such testing
within the ORM Framework reflect the tools used by Clearing Agencies to
assess inherent and residual risks; reliance by the Clearing Agencies
on reliable global sources related to its information technology
standards and diverse sources for industry testing. Identifying and
mitigating plausible sources of operational risks both internal and
external, information technology and business continuity, outlined in
the above-referenced proposed changes, facilitates the Clearing
Agencies' ability to continue the prompt and accurate clearance and
settlement of securities transactions and assure the safeguarding of
securities and funds which are in their custody or control or for which
they are responsible. Therefore, the Clearing Agencies believe the
proposed changes are consistent with the requirements of Section
17A(b)(3)(F) of the Act.\16\
---------------------------------------------------------------------------
\16\ Id.
---------------------------------------------------------------------------
Rule 17Ad-22(e)(17) under the Act requires, in part, that each
covered clearing agency establish, implement, maintain and enforce
written policies and procedures reasonably designed to manage the
covered clearing agency's operational risks by (ii) ensuring that
systems have a high degree of security, resiliency, operational
reliability, and adequate, scalable capacity; and (iii) establishing
and maintaining business continuity plans in order to address events
that may pose a significant risk of disrupting their operations.
The Framework would be amended to update the description of the
Clearing Agencies' information technology and business continuity
procedures. The proposed changes to revise nomenclature and process
changes to Risk Profiles including the bifurcation of Risk Profiles
process and identification of applicable governance processes assist
the Clearing Agencies in effectively managing their operational risks
by identifying the plausible sources of operational risk, both internal
and external, and mitigating the impact of those risks. The proposed
change to shift to CRI standards, which encompasses the NIST standards
plus additional metrics, is part of the programs, policies, procedures,
and controls used by the Clearing Agencies to continue the building,
implementation, and maintenance of systems that have a high degree of
security, resiliency, operational reliability, and adequate, scalable
capacity. Lastly, accurately describing the Clearing Agencies' industry
testing procedure in the ORM Framework conforms with the Clearing
Agencies' compliance obligations since business continuity testing is
one of the
preventive measures the Clearing Agencies may take with respect to
business continuity risk management. As described above, these
procedures address how the Clearing Agencies detect, identify,
investigate, and resolve incidents that affect the Clearing Agencies'
systems. These procedures are designed to help address the Clearing
Agencies' compliance with the requirements of Rule 17Ad-22(e)(17)(ii)
and (iii) under the Act.\17\ Therefore, the Clearing Agencies believe
that the proposed rule changes to update the description of these
procedures in the Risk Management Framework are consistent with Rule
17Ad-22(e)(17)(ii) and (iii).\18\
---------------------------------------------------------------------------
\17\ 17 CFR 240.17Ad-22(e)(17)(ii) and (iii).
\18\ Id.
---------------------------------------------------------------------------
(B) Clearing Agency's Statement on Burden on Competition
The Clearing Agencies do not believe that the proposed changes to
the ORM Framework described above would have any impact, or impose any
burden, on competition. The proposed changes would enhance the
Framework by providing additional clarity and accuracy concerning the
Clearing Agencies' operational risk management processes. The proposed
rule changes to the Framework would not advantage or disadvantage any
participant or user of the Clearing Agencies' services or unfairly
inhibit access to the Clearing Agencies' services. As such, the
Clearing Agencies do not believe that the proposed rule changes would
have any impact on competition.
(C) Clearing Agency's Statement on Comments on the Proposed Rule Change
Received From Members, Participants, or Others
NSCC has not received or solicited any written comments relating to
this proposal. If any written comments are received, they will be
publicly filed as an Exhibit 2 to this filing, as required by Form 19b-
4 and the General Instructions thereto.
Persons submitting comments are cautioned that, according to
Section IV (Solicitation of Comments) of the Exhibit 1A in the General
Instructions to Form 19b-4, the Securities and Exchange Commission
(``Commission'') does not edit personal identifying information from
comment submissions. Commenters should submit only information that
they wish to make available publicly, including their name, email
address, and any other identifying information.
All prospective commenters should follow the Commission's
instructions on how to submit comments, available at https://www.sec.gov/regulatory-actions/how-to-submit-comments. General
questions regarding the rule filing process or logistical questions
regarding this filing should be directed to the Main Office of the
Commission's Division of Trading and Markets at
[email protected] or 202-551-5777.
NSCC reserves the right not to respond to any comments received.
III. Date of Effectiveness of the Proposed Rule Change, and Timing for
Commission Action
The foregoing rule change has become effective pursuant to Section
19(b)(3)(A) \19\ of the Act and paragraph (f) \20\ of Rule 19b-4
thereunder. At any time within 60 days of the filing of the proposed
rule change, the Commission summarily may temporarily suspend such rule
change if it appears to the Commission that such action is necessary or
appropriate in the public interest, for the protection of investors, or
otherwise in furtherance of the purposes of the Act.
---------------------------------------------------------------------------
\19\ 15 U.S.C. 78s(b)(3)(A).
\20\ 17 CFR 240.19b-4(f).
---------------------------------------------------------------------------
IV. Solicitation of Comments
Interested persons are invited to submit written data, views and
arguments concerning the foregoing, including whether the proposed rule
change is consistent with the Act. Comments may be submitted by any of
the following methods:
Electronic Comments
Use the Commission's internet comment form (https://www.sec.gov/rules/sro.shtml); or
Send an email to [email protected]. Please include
file number SR-NSCC-2023-010 on the subject line.
Paper Comments
Send paper comments in triplicate to Secretary, Securities
and Exchange Commission, 100 F Street NE, Washington, DC 20549.
All submissions should refer to file number SR-NSCC-2023-010. This file
number should be included on the subject line if email is used. To help
the Commission process and review your comments more efficiently,
please use only one method. The Commission will post all comments on
the Commission's internet website (https://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all
written statements with respect to the proposed rule change that are
filed with the Commission, and all written communications relating to
the proposed rule change between the Commission and any person, other
than those that may be withheld from the public in accordance with the
provisions of 5 U.S.C. 552, will be available for website viewing and
printing in the Commission's Public Reference Room, 100 F Street NE,
Washington, DC 20549 on official business days between the hours of 10
a.m. and 3 p.m. Copies of the filing also will be available for
inspection and copying at the principal office of NSCC and on DTCC's
website (https://dtcc.com/legal/sec-rule-filings.aspx). Do not include
personal identifiable information in submissions; you should submit
only information that you wish to make available publicly. We may
redact in part or withhold entirely from publication submitted material
that is obscene or subject to copyright protection. All submissions
should refer to file number SR-NSCC-2023-010 and should be submitted on
or before November 24, 2023.
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\21\
---------------------------------------------------------------------------
\21\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2023-24179 Filed 11-1-23; 8:45 am]
BILLING CODE 8011-01-P