Financial Market Utilities, 18749-18767 [2024-05322]
Download as PDFAgencies
[Federal Register Volume 89, Number 52 (Friday, March 15, 2024)] [Rules and Regulations] [Pages 18749-18767] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2024-05322] �======================================================================== �Rules and Regulations � Federal Register �________________________________________________________________________ � �This section of the FEDERAL REGISTER contains regulatory documents �having general applicability and legal effect, most of which are keyed �to and codified in the Code of Federal Regulations, which is published �under 50 titles pursuant to 44 U.S.C. 1510. � �The Code of Federal Regulations is sold by the Superintendent of Documents. � �======================================================================== � ��Federal Register / Vol. 89, No. 52 / Friday, March 15, 2024 / Rules and Regulations�� [[Page 18749]] FEDERAL RESERVE SYSTEM 12 CFR Part 234 [Regulation HH; Docket No. R-1782] RIN 7100-AG40 Financial Market Utilities AGENCY: Board of Governors of the Federal Reserve System. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: The Board of Governors of the Federal Reserve System (Board) is publishing a final rule amending the requirements relating to operational risk management in the Board's Regulation HH, which applies to certain financial market utilities (FMUs) that have been designated as systemically important (designated FMUs) by the Financial Stability Oversight Council (FSOC) under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act or Act). The amendments update, refine, and add specificity to the operational risk management requirements in Regulation HH to reflect changes in the operational risk, technology, and regulatory landscape in which designated FMUs operate. The final rule also adopts specific incident- notification requirements. DATES: Effective date: The final rule is effective April 15, 2024. Compliance dates: Designated FMUs must be in compliance with the rule by September 11, 2024, except for the incident management and notification requirement in Sec. 234.3(a)(17)(vi), under Amendatory Instruction 3, with which designated FMUs must be in compliance by June 13, 2024. FOR FURTHER INFORMATION CONTACT: Emily Caron, Assistant Director (202- 452-5261) or Katherine Standbridge, Senior Financial Institution and Policy Analyst (202-452-3873), Division of Reserve Bank Operations and Payment Systems; or Corinne Milliken Van Ness, Senior Counsel (202-452- 2421) or M. Benjamin Snodgrass, Senior Counsel (202-263-4877), Legal Division. For users of TTY-TRS, please call 711 from any telephone, anywhere in the United States. SUPPLEMENTARY INFORMATION: I. Overview Title VIII of the Dodd-Frank Act, titled the ``Payment, Clearing, and Settlement Supervision Act of 2010,'' was enacted to mitigate systemic risk in the financial system and to promote financial stability, in part, through an enhanced supervisory framework for designated FMUs. Section 803(6) of the Act defines an FMU as a ``person that manages or operates a multilateral system for the purpose of transferring, clearing, or settling payments, securities, or other financial transactions among financial institutions or between financial institutions and the person.'' \1\ Pursuant to section 805(a)(1)(A) of the Act, and as described below, the Board is required to prescribe risk-management standards governing the operations related to the payment, clearing, and settlement activities of certain designated FMUs. --------------------------------------------------------------------------- \1\ 12 U.S.C. 5462(6). --------------------------------------------------------------------------- The Board adopted Regulation HH, Designated Financial Market Utilities, in July 2012 to implement, among other things, the statutory provisions under section 805(a)(1)(A) of the Act.\2\ In November 2014, the Board published amendments to the risk-management standards in Regulation HH, 12 CFR part 234, based on the Principles for Financial Market Infrastructures (PFMI).\3\ --------------------------------------------------------------------------- \2\ 77 FR 45907 (Aug. 2, 2012). \3\ 79 FR 65543 (Nov. 5, 2014). The PFMI, published by the Committee on Payment and Settlement Systems (now the Committee on Payments and Market Infrastructures) and the Technical Committee of the International Organization of Securities Commissions in April 2012, is widely recognized as the most relevant set of international risk-management standards for payment, clearing, and settlement systems. --------------------------------------------------------------------------- In October 2022, the Board published for comment a notice of proposed rulemaking (NPRM) to amend the requirements relating to operational risk management in Regulation HH. The Board proposed to update, refine, and add specificity to the operational risk management requirements in Regulation HH. The proposed amendments reflected changes in the operational risk, technology, and regulatory landscape in which designated FMUs operate since the Board last amended Regulation HH in 2014. The Board also proposed to adopt specific incident-notification requirements.\4\ The public comment period for the proposed amendments closed on December 5, 2022. The Board is now adopting final amendments to Regulation HH, with modifications to certain sections of the proposal as discussed below. --------------------------------------------------------------------------- \4\ 87 FR 60314 (Oct. 5, 2022). --------------------------------------------------------------------------- II. Background A. Financial Market Utilities FMUs provide essential infrastructure to clear and settle payments and other financial transactions. Financial institutions, including banking organizations, participate in FMU arrangements pursuant to a common set of rules and procedures, technical infrastructure, and risk- management framework. If a systemically important FMU fails to perform as expected or fails to effectively measure, monitor, and manage its risks, it could pose significant risk to its participants and the financial system more broadly. For example, the inability of an FMU to complete settlement on time could create credit or liquidity problems for its participants or other FMUs. An FMU, therefore, should have a robust risk-management framework, including appropriate policies and procedures to measure, monitor, and manage the range of risks that arise in or are borne by the FMU. B. Title VIII of the Dodd-Frank Act In recognition of the criticality of FMUs to the stability of the financial system, Title VIII of the Dodd-Frank Act established a framework for enhanced supervision of certain FMUs. Section 804 of the Act states that the FSOC shall designate those FMUs that it determines are, or are likely to become, systemically important. Such a designation by the FSOC makes an FMU subject to the supervisory framework set out in Title VIII of the Act. Section 805(a)(1)(A) of the Act requires the Board to prescribe risk-management standards governing the operations related to payment, clearing, and settlement activities of designated [[Page 18750]] FMUs.\5\ As set out in section 805(b) of the Act, the applicable risk- management standards must (1) promote robust risk management, (2) promote safety and soundness, (3) reduce systemic risks, and (4) support the stability of the broader financial system.\6\ --------------------------------------------------------------------------- \5\ 12 U.S.C. 5464(a)(1). The Act directs the Board to ``tak[e] into consideration relevant international standards and existing prudential requirements'' when it promulgates these risk-management standards. Id. In addition, section 805(a)(2) of the Act grants the U.S. Commodity Futures Trading Commission (CFTC) and the U.S. Securities and Exchange Commission (SEC) the authority to prescribe such risk-management standards for a designated FMU that is, respectively, a derivatives clearing organization (DCO) registered under section 5b of the Commodity Exchange Act or a clearing agency registered under section 17A of the Securities Exchange Act of 1934. 12 U.S.C. 5464(a)(2). \6\ Further, under section 805(c), the risk-management standards may address areas such as (1) risk-management policies and procedures, (2) margin and collateral requirements, (3) participant or counterparty default policies and procedures, (4) the ability to complete timely clearing and settlement of financial transactions, (5) capital and financial resource requirements for designated FMUs, and (6) other areas that are necessary to achieve the objectives and principles for risk-management standards. 12 U.S.C. 5464(c). --------------------------------------------------------------------------- A designated FMU is subject to examination by the federal agency that has primary jurisdiction over the FMU under federal banking, securities, or commodity futures laws (the ``Supervisory Agency'').\7\ At present, the FSOC has designated eight FMUs as systemically important, and the Board is the Supervisory Agency for two of these designated FMUs--The Clearing House Payments Company, L.L.C. (on the basis of its role as operator of the Clearing House Interbank Payments System (CHIPS)) and CLS Bank International.\8\ The risk-management standards in the Board's Regulation HH apply to Board-supervised designated FMUs.\9\ --------------------------------------------------------------------------- \7\ The Act's definition of ``Supervisory Agency'' is codified at 12 U.S.C. 5462(8). Section 807 of the Act authorizes the Supervisory Agencies to examine and take enforcement actions against the Supervisory Agencies' respective designated FMUs. The Act also describes certain authorities that the Board has with respect to designated FMUs for which it is not the Supervisory Agency, such as participation in examinations and recommendations on enforcement actions. 12 U.S.C. 5466. \8\ The SEC is the Supervisory Agency for The Depository Trust Company (DTC); Fixed Income Clearing Corporation (FICC); National Securities Clearing Corporation (NSCC); and The Options Clearing Corporation (OCC). The CFTC is the Supervisory Agency for the Chicago Mercantile Exchange, Inc. (CME); and ICE Clear Credit LLC (ICC). See U.S. Department of the Treasury, Financial Market Utility Designations, https://home.treasury.gov/policy-issues/financial-markets-financial-institutions-and-fiscal-service/fsoc/designations. \9\ The risk-management standards in Regulation HH would also apply to any designated FMU for which another Federal banking agency is the Supervisory Agency. At this time, there are no such designated FMUs. --------------------------------------------------------------------------- C. Regulation HH Risk-Management Standards for Designated FMUs Section 234.3 of Regulation HH includes a set of 23 risk-management standards addressing governance, transparency, and the various risks that can arise in connection with a designated FMU's payment, clearing, and settlement activities, including legal, financial, and operational risks. These standards are based on and generally consistent with the PFMI. The Regulation HH standards generally employ a flexible, principles-based approach. In several cases, however, the Board adopted specific minimum requirements that a designated FMU must meet in order to achieve the overall objective of a particular standard. 1. Operational Risk Management Section 234.3(a)(17) of Regulation HH, as amended in 2014, requires that a designated FMU manage its operational risks by establishing a robust operational risk-management framework that is approved by its board of directors.\10\ Specifically, a designated FMU must (1) identify and mitigate its plausible sources of operational risk; (2) identify, monitor, and manage the operational risks it may pose to other FMUs and trade repositories; (3) ensure a high degree of security and operational reliability; (4) have adequate, scalable capacity to handle increasing stress volumes; (5) address potential and evolving vulnerabilities and threats; and (6) provide for rapid recovery and timely resumption of critical operations and fulfillment of obligations, including in the event of a wide-scale or major disruption. Section 234.3(a)(17) also contains several specific minimum requirements for business continuity planning, including a requirement for the designated FMU to have a business continuity plan that (1) incorporates the use of a secondary site at a location with a distinct risk profile from the primary site; (2) is designed to enable critical systems to recover and resume operations no later than two hours following disruptive events; (3) is designed to enable it to complete settlement by the end of the day of the disruption, even in case of extreme circumstances; and (4) is tested at least annually.\11\ --------------------------------------------------------------------------- \10\ In this SUPPLEMENTARY INFORMATION, Sec. 234.4(a)(17) will be informally referred to as the ``operational risk management standard.'' \11\ 12 CFR 234.3(a)(17)(vii). --------------------------------------------------------------------------- Although the term ``operational risk'' is not defined in current Regulation HH, when the Board proposed amendments to Sec. 234.3(a)(17) in 2014, it described operational risk as the risk that deficiencies in information systems, internal processes, and personnel or disruptions from external events will result in the deterioration or breakdown of services provided by an FMU.\12\ Consistent with an all-hazards view of managing operational risk, the Board believes operational risk could arise internally and externally. Internal sources of operational risk include the designated FMU's people, processes, and technology.\13\ External sources of operational risk are those that fall outside the direct control of a designated FMU. For example, external sources of operational risk can include the designated FMU's participants and other entities, such as other FMUs, settlement banks, liquidity providers, and service providers, which may transmit threats through their various connections to the designated FMU. External sources of operational risk also include physical events, such as pandemics, natural disasters, and other destruction of property, as well as information security threats, such as cyberattacks and technology supply chain vulnerabilities. These internal and external sources of operational risk can manifest in different scenarios (including wide- scale or major disruptions) and can result in the reduction, deterioration, or breakdown of services that a designated FMU provides. A designated FMU must plan for these types of scenarios and test its systems, polices, procedures, and controls against them. --------------------------------------------------------------------------- \12\ 79 FR 3666, 3683 (Jan. 22, 2014). The Board also incorporated this definition of ``operational risk'' into part I of the Federal Reserve Policy on Payment System Risk (PSR policy) in 2014, see 79 FR 2838, 2845 (Jan. 16, 2014), and into its supervisory rating system for financial market infrastructure in 2016, see 81 FR 58932, 58936 (Aug. 26, 2016). The PSR policy is available at https://www.federalreserve.gov/paymentsystems/files/psr_policy.pdf. \13\ Deficiencies in assessing and managing these sources of operational risk could cause errors or delays in processing, systems outages, insufficient capacity, fraud, data loss, and data leakage. --------------------------------------------------------------------------- Importantly, the Board believes that effective operational risk management, in combination with sound governance arrangements and effective management of general business risk (including the risk of losses from operational events), promotes operational resilience, which refers to the ability of an FMU to: (1) maintain essential operational capabilities under adverse conditions or stress, even if in a degraded or debilitated state; and (2) recover to effective operational capability in a time frame consistent with the provision of critical services.\14\ --------------------------------------------------------------------------- \14\ See Sec. 234.3(a)(2) and (15). --------------------------------------------------------------------------- [[Page 18751]] 2. Evolution in the Operational Risk, Technology, and Regulatory Landscape When the Board proposed amendments to Regulation HH's risk- management standards in 2014, the Board recognized that there was ongoing work and discussion domestically and internationally on developing operational risk-management standards and guidance and planning for business continuity with respect to cybersecurity and responses to cyberattacks.\15\ For example, in 2016, the Committee on Payments and Market Infrastructures (CPMI) and Technical Committee of the International Organization of Securities Commissions (IOSCO) published Guidance on cyber resilience for financial market infrastructures (Cyber Guidance), which supplements the PFMI and provides guidance on cyber resilience, including in the context of governance, the comprehensive management of risks, and operational risk management.\16\ The Cyber Guidance has informed the Federal Reserve's supervision of designated FMUs.\17\ --------------------------------------------------------------------------- \15\ 79 FR 3666, 3683 (Jan. 22, 2014). \16\ CPMI-IOSCO, Guidance on Cyber Resilience for Financial Market Infrastructures (June 2016), https://www.bis.org/cpmi/publ/d146.htm. \17\ For example, when the Board finalized its ORSOM (Organization; Risk Management; Settlement; Operational Risk and Information Technology (IT); and Market Support, Access, and Transparency) rating system for designated FMUs in 2016, it noted that the then-forthcoming Cyber Guidance would guide the Board's assessment of a designated FMU with respect to operational risk and cybersecurity policies and procedures. 81 FR 58932, 58934 (Aug. 26, 2016). --------------------------------------------------------------------------- More recently, new challenges to operational risk management have emerged, including a global pandemic and severe weather events. In addition, certain types of cyberattacks that were once thought to be extreme or ``tail-risk'' events, like attacks on the supply chain and ransomware attacks, have become more prevalent. Technology solutions for the mitigation and management of various operational risks have also advanced since 2014, including the development of new technologies that have the potential to improve the resilience of designated FMUs. Finally, the legal, regulatory, and supervisory landscape in which designated FMUs operate has evolved to reflect these changes in the broader operational risk environment. For example, in July 2021, the Board, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) proposed guidance for banking organizations on managing risks associated with third-party relationships.\18\ In November 2021, the Board, OCC, and FDIC adopted requirements on computer-security incident notifications for banking organizations and bank service providers (interagency notification rule).\19\ The evolution in the operational risk, technology, and regulatory landscape motivated the Board to conduct a full review of Sec. 234.3(a)(17) to determine whether updates were necessary. Following this review, the Board believes that the outcomes required by the current operational risk management standard are generally still relevant and comprehensive. However, the Board has identified several areas where it believes updates to the rule are necessary. --------------------------------------------------------------------------- \18\ 86 FR 38182 (July 19, 2021). The Board, OCC, and FDIC issued final third-party risk management guidance for banking organizations in June 2023. 88 FR 37920 (June 9, 2023). \19\ 86 FR 66424 (Nov. 23, 2021). Congress also recently enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires covered entities to report significant cyber incidents to the Cybersecurity and Infrastructure Agency (``CISA''). See Public Law 117-103, Div. Y (codified at 6 U.S.C. 681-681g). --------------------------------------------------------------------------- D. Overview of the Proposal The Board proposed to amend the operational risk management standard to reflect changes in the operational risk and threat landscape, as well as to reflect developments in designated FMUs' operations and technology usage since the Board last amended Regulation HH in 2014. The proposed amendments focused on four areas: (1) review and testing, (2) incident management and notification, (3) business continuity management and planning, and (4) third-party risk management. The Board also proposed several technical or clarifying revisions throughout Sec. Sec. 234.2 and 234.3(a).\20\ --------------------------------------------------------------------------- \20\ In addition to the technical changes described below in section III.G, the Board proposed a technical change to the title of Sec. 234.3. Currently, the section is erroneously titled ``Standards for payment systems,'' which is the legacy title from the initial Regulation HH risk-management standards published in 2012. The Board proposed to replace ``payment systems'' with ``designated financial market utilities.'' --------------------------------------------------------------------------- III. Summary of Public Comments and Analysis The Board received six public comment letters. Two letters were from entities that operate designated FMUs, one letter was from a non- profit organization, and three letters were from individuals. The Board considered each of these comments as well as subsequent staff analysis in developing the final rule. The Board is adopting the proposed rule text with modifications to certain sections, as discussed below. A. Overall Response and Approach Commenters were generally supportive of the proposed amendments. Of the three substantive comments received, one commenter expressed support for the amendments as proposed. Two commenters, while expressing support for the overall proposal, raised concerns that aspects of the proposal were broader than necessary. These commenters suggested additional clarifications to and refinements in the scope of the proposed amendments. Both of these commenters raised concerns that amendments to Regulation HH should permit a designated FMU to apply a risk-based and proportionate approach to operational risk management. This comment was made both generally and with respect to specific aspects of the review and testing, business continuity management and planning, and third-party risk management sections of the proposed amendments. The Board generally understands a ``risk-based and proportionate approach'' as an approach whereby entities identify, assess, and understand the risks to which they are exposed and take measures commensurate with those risks.\21\ --------------------------------------------------------------------------- \21\ See Cyber Guidance, supra note 16, at 26. --------------------------------------------------------------------------- The final rule does not expressly specify that designated FMUs may use a risk-based and proportionate approach to comply with the amended operational risk management standard. The Board believes that it is unnecessary to do so. Designated FMUs currently use risk-based and proportionate approaches to manage operational risk, as the Board generally has implemented principles-based requirements in Regulation HH. The proposed amendments were not intended to affect designated FMUs' ability to continue to use risk-based and proportionate approaches where appropriate. Furthermore, other parts of Regulation HH's risk-management standards, such as the framework for the comprehensive management of risks found in Sec. 234.3(a)(3), do not expressly specify a risk-based and proportionate approach. Thus, adding such language to the operational risk management standard could result in a difference in drafting not driven by a difference in intended meaning. The Board has, however, amended certain aspects of the proposal to incorporate several specific concerns raised by the commenters. These concerns and the Board's response are described in the sections that follow. [[Page 18752]] B. Compliance Date In the NPRM, the Board proposed an effective and compliance date of 60 days from the date the final rule was published in the Federal Register. Two commenters expressed the need for additional time to comply with the final rule and requested 180 days after publication to comply. Specifically, these commenters requested more time to enable designated FMUs to assess their current procedures and practices against the amendments and to implement any necessary changes. They also noted that the proposed third-party risk management requirements might necessitate changes to designated FMUs' contracts with third parties, which might take longer than 60 days. One commenter explained that it would take longer than 60 days to implement the incident notification requirement of the Board's proposed incident management framework. A third commenter considered the Board's amendment of the operational risk management standard overdue and viewed incident management and notification as the most important part of the proposal. The Board is adopting the final rule with an effective date of April 15, 2024. Designated FMUs are expected to comply with the requirements of the final rule no later than September 11, 2024, with the exception of the requirement to establish a documented framework for incident management, set forth in in Sec. 234.3(a)(17)(vi). Designated FMUs are expected to comply with Sec. 234.3(a)(17)(vi) no later than June 13, 2024. Designated FMUs are encouraged, however, to comply with the provisions as soon as possible. After consideration of the public comments as well as internal analysis, the Board is providing additional time to allow sufficient time for designated FMUs to review their existing policies, procedures, practices, and contracts against the requirements of the final rule and to minimize burden on designated FMUs and the markets they serve. However, the Board adopted an earlier compliance date for the requirement to establish a documented framework for incident management, set forth in Sec. 234.3(a)(17)(vi). The Board believes that designated FMUs can leverage existing practices for incident management and notification and that an earlier compliance date balances the need for prompt conformance with Sec. 234.3(a)(17)(vi), which the Board considers of critical importance to both the Board and designated FMUs' participants and other stakeholders, with the overall burden on designated FMUs. C. Review and Testing Section 234.3(a)(17)(i) of Regulation HH requires designated FMUs to identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls that are reviewed, audited, and tested periodically and after major changes. This general review and testing requirement applies broadly to the systems, policies, procedures, and controls that the designated FMU develops to mitigate sources of operational risk. The Board proposed to amend Sec. 234.3(a)(17)(i) to provide more specificity regarding its expectations around testing, review, and remediation. Just as the current general review and testing requirement in Sec. 234.3(a)(17)(i) applies broadly to a designated FMU's systems, policies, procedures, and controls, the proposed amendments would also apply broadly to the systems, policies, procedures, and controls developed to mitigate the impact of the designated FMU's sources of operational risk. Specifically, proposed Sec. 234.3(a)(17)(i)(A) and (B) set forth the Board's expectations regarding review and testing. In Sec. 234.3(a)(17)(i)(A)(1), the Board proposed to require a designated FMU to conduct tests of its systems, policies, procedures, and controls in accordance with a documented testing framework.\22\ The Board further proposed in Sec. 234.3(a)(17)(i)(A)(2) to require that a designated FMU's testing assess whether its systems, policies, procedures, or controls function as intended.\23\ --------------------------------------------------------------------------- \22\ The Board explained in the NPRM that the testing framework should account for any interdependencies between and among the systems, policies, procedures, and controls that are being tested. The Board further explained that a designated FMU should take a comprehensive and risk-based approach to its operational risk management testing program, rather than focusing only on testing individual (or groups of) systems, policies, procedures, or controls (or components therein). A designated FMU could describe its testing framework in either a single document or in multiple documents, as appropriate, and could leverage relevant industry standards as it develops its testing framework. For example, a designated FMU could leverage standards developed by the National Institute of Standards and Technology (NIST), the Federal Financial Institutions Examination Council (FFIEC), the Financial Services Sector Coordinating Council (FSSCC), and the International Organization for Standardization (ISO). \23\ Such tests could include capacity stress tests, crisis management tabletop exercises, after-action reviews of incidents, business continuity tests both internally and with participants, vulnerability assessments, cyber scenario-based testing, penetration tests, and red team tests. --------------------------------------------------------------------------- In Sec. 234.3(a)(17)(i)(B), the Board proposed to require a designated FMU to conduct a review of the design, implementation, and testing of systems, policies, procedures, and controls after the designated FMU experienced any material operational incidents (which are discussed in section III.C.1 below). The Board also proposed in Sec. 234.3(a)(17)(i)(B) to require a designated FMU to review the design, implementation, and testing of systems, policies, procedures, and controls after significant changes to the environment in which it operates.\24\ --------------------------------------------------------------------------- \24\ The Board also proposed a technical amendment to the requirement for the designated FMU to review its recovery and orderly wind-down plan under Sec. 234.3(a)(3)(iii)(G) from ``following'' to ``after'' changes to the designated FMU's systems and environment. This conforms with the review requirement under proposed Sec. 234.3(a)(17)(i)(B). The Board also proposed a technical amendment to the requirement for the designated FMU to update its public disclosure under Sec. 234.3(a)(23)(v) from ``following'' to ``to reflect'' changes to its systems and environment. The Board did not receive any comments on these technical amendments and is adopting them as proposed. --------------------------------------------------------------------------- Finally, the Board proposed in Sec. 234.3(a)(17)(i)(C) to require a designated FMU to remediate, as soon as possible and following established governance processes, any deficiencies identified during tests and reviews. 1. Review and Testing--Section 234.3(a)(17)(i)(A) and (B) (a) Summary of Comments One commenter welcomed the additional clarity provided by the proposed amendments to Sec. 234.3(a)(17)(i) generally, and another commenter appreciated the proposal's testing and review expectations. Two commenters suggested that all of Sec. 234.3(a)(17)(i), including paragraphs (a)(17)(i)(A), (B), and (C), be amended to expressly contemplate the designated FMU taking a risk-based approach to testing, review, and remediation activities. Commenters did not suggest other revisions to proposed Sec. 234.3(a)(17)(i)(A). With respect to the proposed review requirements set out in Sec. 234.3(a)(17)(i)(B), two commenters raised a concern that the proposed language could be interpreted to require a designated FMU to review all of its systems, policies, procedures, and controls after a material operational incident or significant change to the environment in which the designated FMU operates. These commenters suggested clarifying that Sec. 234.3(a)(17)(i)(B) require review of only the relevant systems, policies, procedures, and controls affected by material operational incidents or significant changes to the environment. [[Page 18753]] One commenter further suggested that, in the case of significant changes to the environment, Sec. 234.3(a)(17)(i)(B) require a review only when the change is reasonably likely to create operational risk. The commenter noted such an approach would avoid reviews when there are changes to the environment that do not reasonably create operational risk. (b) Final Rule The Board is adopting proposed Sec. 234.3(a)(17)(i)(A) and (B) with certain revisions based on internal analysis and public comments. Consistent with the preamble to the proposed rule, the Board has clarified in Sec. 234.3(a)(17)(i)(A)(1) that a designated FMU's documented testing framework must address at a minimum scope, frequency, participation, interdependencies, and reporting. A designated FMU may also choose to add additional pieces to their documented testing frameworks based on their own internal analysis. This could include documented governance processes around review and testing. Importantly, as described further below, a designated FMU would need to remediate deficiencies identified during testing, following established governance processes. The Board has adopted two amendments to proposed Sec. 234.3(a)(17)(i)(B). First, the Board has modified the rule text in Sec. 234.3(a)(17)(i)(B) to reflect that a designated FMU's review of design, implementation, and testing after material operational incidents or after changes to the environment in which the designated FMU operates applies only to affected and similar systems, policies, procedures, and controls. The Board agrees with commenters that a designated FMU need not review irrelevant systems, policies, procedures, and controls.\25\ The Board would consider relevant systems, policies, procedures, and controls to include those affected directly by a material operational incident or significant change to the environment. In addition, the Board would consider relevant systems, policies, procedures, and controls to include those that have not been directly affected but that share important features with (i.e., are similar to) affected systems, policies, procedures, and controls. For example, a similar system could be one that is susceptible to the same type of vulnerability that has caused a material operational incident in a different system, but which was not actually affected in a particular instance. --------------------------------------------------------------------------- \25\ See 87 FR 60314, 60317 (Oct. 5, 2022) (proposing that a designated FMU conduct a review of the design, implementation, and testing of relevant systems, policies, procedures, and controls after the designated FMU experiences any material operational incidents). --------------------------------------------------------------------------- Second, consistent with statements in the preamble to the NPRM and in response to comments, the Board has clarified that Sec. 234.3(a)(17)(i)(B) requires designated FMUs to conduct reviews when a change to the environment in which the designated FMU operates could significantly affect the plausible sources or mitigants of operational risk.\26\ Designated FMUs should exercise care to ensure that they effectively identify changes to the environment that have an operational risk component, but the review requirement would not be triggered by a change that does not relate to operational risk. --------------------------------------------------------------------------- \26\ See id. (explaining that the operational risk environment, including sources of risk and the nature or types of threats, can change unexpectedly and quickly and that the proposal would ensure that designated FMUs review and make timely changes to their systems, policies, procedures, and controls following such changes). --------------------------------------------------------------------------- For the reasons described in section III.A, supra, the Board has not expressly referred to a risk-based and proportionate approach in the final rule. With respect to testing, Sec. 234.3(a)(17)(i)(A)(1) requires a designated FMU's documented testing framework to address, at a minimum, scope, frequency, participation, interdependencies, and reporting--all of which could be calibrated based on a designated FMU's identification, assessment, and prioritization of risks.\27\ With respect to review, the Board believes the requirement to conduct reviews after certain events is consistent with a risk-based approach. Moreover, the two clarifications the Board has made to Sec. 234.3(a)(17)(i)(B) focus the requirements of that paragraph on the review triggers that the Board considers most important for a designated FMU's management of operational risk. --------------------------------------------------------------------------- \27\ The Board expects that, in developing its documented testing framework, a designated FMU would be guided by the documented risk-management framework established by the board of directors, which must include, among other things, the designated FMU's risk-tolerance policy. 12 CFR 234.3(a)(2)(iv)(F). --------------------------------------------------------------------------- 2. Remediation of Identified Deficiencies--Section 234.3(a)(17)(i)(C) (a) Summary of Comments Similar to the comments on the testing and review requirements, two commenters suggested that the rule text clarify that a designated FMU may take a risk-based approach to the remediation process. One commenter specifically recommended that the rule allow a designated FMU to remediate or mitigate an identified deficiency in a manner that is consistent with the designated FMU's risk appetite. As part of a risk- based approach, one commenter suggested that a designated FMU should be able to accept the risks associated with certain deficiencies so long as the risks are within the designated FMU's risk appetite. One commenter noted that, while proposed Sec. 234.3(a)(17)(i)(C) stated that a designated FMU's remediation of deficiencies in systems, policies, procedures, or controls should follow established governance processes, it was unclear if the requirement to follow governance processes referred solely to the need to validate remediation steps or if it was intended to be broader. The commenter suggested that governance processes for managing and overseeing remediation should include processes for decision making on prioritization of remediation approaches in addition to validation. One commenter noted that the proposed rule did not address expectations regarding validation of remediation steps. The commenter suggested that validation should be risk-based and proportionate to the deficiency that is being remediated. (b) Final Rule The Board is adopting Sec. 234.3(a)(17)(i)(C) with one modification in response to concerns raised by commenters.\28\ In order to address concerns that the proposal would have required a designated FMU to approach all deficiencies in the same manner, the Board has removed the word ``any'' from proposed Sec. 234.3(a)(17)(i)(C).\29\ In addition, the Board expects that a designated FMU, in establishing the governance processes contemplated by Sec. 234.3(a)(17)(i)(C), would take into account the designated FMU's risk-tolerance policy.\30\ In that regard, the Board notes that remediation could include both actions to eliminate a deficiency or vulnerability or to reduce the risk associated with a deficiency or vulnerability to an [[Page 18754]] acceptable level.\31\ For example, if a designated FMU were to identify a deficiency in a system that was slated for replacement in the near future, the designated FMU could consider steps to reduce the risk of that deficiency pending the implementation of the new system in lieu of working to eliminate the deficiency in the old system. When consistent with a designated FMU's risk tolerance and otherwise consistent with a robust operational risk framework, a designated FMU could determine and document its decision to accept the risk of a deficiency. --------------------------------------------------------------------------- \28\ For the reasons described in section III.A, supra, the Board has not expressly referred to a risk-based and proportionate approach in the final rule. \29\ As noted above, proposed Sec. 234.3(a)(17)(i)(C) would have required a designated FMU to remediate, as soon as possible and following established governance processes, any deficiencies identified during tests and reviews. \30\ A designated FMU must have governance arrangements that, among other things, are designed to ensure that the board of directors establishes a clear, documented risk-management framework that includes the designated FMU's risk-tolerance policy, assigns responsibilities and accountability for risk decisions, and addresses decision making in crises and emergencies. 12 CFR 234.3(a)(2)(iv)(F). \31\ The Board understands that the terms ``remediation'' and ``mitigation'' are sometimes used in different ways in the information technology and security field. The Board's use of ``remediation'' and ``mitigation'' is consistent with NIST's definitions of the terms. NIST defines ``remediation'' as ``the act of mitigating a vulnerability or a threat,'' and ``mitigation'' as ``a decision, action, or practice intended to reduce the level of risk associated with one or more threat events, threat scenarios, or vulnerabilities.'' These definitions can be found at https://csrc.nist.gov/glossary/term/remediation and https://csrc.nist.gov/glossary/term/mitigation, respectively. --------------------------------------------------------------------------- The Board expects that a designated FMU will conduct an internal risk analysis of all deficiencies identified in review and testing, as required in Sec. 234.3(a)(17)(i)(A) and (B), and use established governance processes to determine how to address and prioritize identified deficiencies in order to reduce the level of risk posed by those deficiencies.\32\ The decisions a designated FMU makes may depend upon the facts and circumstances.\33\ --------------------------------------------------------------------------- \32\ As noted above, a designated FMU's documented testing framework could address governance processes for remediation. \33\ A designated FMU should consult widely used and relevant industry standards to inform its understanding of how it should remediate deficiencies. These industry standards, such as those published by NIST, FFIEC, FSSCC, and ISO, are updated regularly and typically offer current and specific information on operational risk management practices. --------------------------------------------------------------------------- Finally, commenters noted that proposed Sec. 234.3(a)(17)(i)(C) did not specifically address validation but that the NPRM stated that it would be imperative for a designated FMU to perform subsequent validation to assess whether the remediation measures have addressed deficiencies without introducing vulnerabilities. The Board continues to believe that designated FMUs should assess the effectiveness and broader impact of any changes they make to remediate a deficiency.\34\ The Board acknowledges that the validation performed may depend on the nature of both the deficiency and any changes made to remediate the deficiency. As with remediation, the Board believes that a designated FMU, in its governance processes, could address validation in a risk- based manner. --------------------------------------------------------------------------- \34\ In the event a designated FMU accepts the risk of a deficiency, there may be no change to validate. --------------------------------------------------------------------------- D. Incident Management and Notification The Board proposed in Sec. 234.3(a)(17)(vi) to require a designated FMU to establish a documented framework for incident management that provides for the prompt detection, analysis, and escalation of an incident; appropriate procedures for addressing an incident; and incorporation of lessons learned following an incident.\35\ --------------------------------------------------------------------------- \35\ These broad categories in incident management are generally consistent with those identified in the NIST computer-security incident handling guide. See NIST, Computer Security Incident Handling Guide (Special Publication 800-61, rev. 2), https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf. --------------------------------------------------------------------------- Specifically, in Sec. 234.3(a)(17)(vi) the Board proposed to require that a designated FMU's incident management framework include a plan for notification and communication of material operational incidents. This plan, among other things, would need to identify the entities that would be notified of operational incidents, including non-participants that could be affected by material operational incidents at the designated FMU. Relevant entities may also include appropriate industry information-sharing fora, such as groups that are designed to share information about cyber threats or support cyber risk management. In Sec. 234.3(a)(17)(vi)(A), the Board proposed to require a designated FMU to notify the Board immediately when it activated its business continuity plan or had a reasonable basis to conclude that (1) there was an actual or likely disruption, or material degradation, to any of its critical operations or services,\36\ or to its ability to fulfill its obligations on time; or (2) there was unauthorized entry, or the potential for unauthorized entry, into the designated FMU's computer, network, electronic, technical, automated, or similar systems that affects or has the potential to affect its critical operations or services. --------------------------------------------------------------------------- \36\ Critical operations and critical services are discussed below in section III.G.2. --------------------------------------------------------------------------- In Sec. 234.3(a)(17)(vi)(B), the Board proposed to require a designated FMU to establish criteria and processes, including the appropriate methods of communication, to provide for timely communication and responsible disclosure of material operational incidents to its participants or other relevant entities that have been identified in its notification and communication plan. As proposed, this incident notification requirement would arise in two circumstances. First, under proposed Sec. 234.3(a)(17)(vi)(B)(1), a designated FMU would need to notify affected participants immediately in the event of actual disruptions or material degradation to its critical operations or services or to its ability to fulfill its obligations on time. Second, under proposed Sec. 234.3(a)(17)(vi)(B)(2), a designated FMU would need to notify all participants and other relevant entities in a timely and responsible manner of all other material operational incidents that require immediate notification to the Board.\37\ --------------------------------------------------------------------------- \37\ As noted in the NPRM, a designated FMU would need to identify non-participant relevant entities in its plan for notification and communication of material operational incidents. --------------------------------------------------------------------------- 1. Documented Incident Management Framework--Section 234.3(a)(17)(vi) (a) Summary of Comments One commenter broadly supported the proposal and viewed incident management and notification as the most important part of the Board's proposed amendments to Regulation HH. Two commenters did not object in concept to the requirement for a documented framework for incident management but expressed concerns with specific aspects of the proposed requirement to have a plan for notification and communication of material operational incidents. These concerns are discussed in sections III.D.2 and III.D.3, infra. (b) Final Rule The Board is adopting the introductory portion of Sec. 234.3(a)(17)(vi) as proposed and, as discussed below, has adopted Sec. 234.3(a)(17)(vi)(A) and (B) with certain modifications. In line with the all-hazards approach to operational risk management in this standard, the Board reiterates its belief that it is important for a designated FMU to be prepared to detect, address, and learn from any type of operational incident, regardless of the scenario or source of risk and the level of severity. Different types of incidents may require different levels of escalation internally or externally, and may require different strategies for containment or eradication. For example, given the increasing prevalence of cyberattacks in the financial sector, a designated FMU should plan for an incident where a participant (or another type of connected entity), rather than the designated FMU itself, is experiencing a cyberattack. In this scenario, a designated FMU should be operationally prepared to take, and should have a legal basis to take, [[Page 18755]] appropriate steps to mitigate the risk of contagion to itself or other participants, including, but not limited to, restricting or limiting a participant's access to the designated FMU or a particular functionality or disconnecting the participant from the FMU if necessary. Relatedly and as further discussed in section III.E.3, a designated FMU should also have processes and procedures to determine whether and when it would be appropriate to reestablish availability to such a participant. 2. Incident Notification to the Board--Section 234.3(a)(17)(vi)(A) (a) Summary of Comments Two commenters expressed concerns regarding the circumstances that would trigger a notice requirement to the Board. One commenter noted that proposed Sec. 234.3(a)(17)(vi)(A) would require a designated FMU to notify the Board any time the designated FMU activated its business continuity plan. This commenter highlighted that activation of the business continuity plan may not involve an actual disruption to the designated FMU's critical operations or services and that the proposal could result in unnecessary notifications. Two commenters indicated concern with the words ``likely'' in proposed Sec. 234.3(a)(17)(vi)(A)(1) and ``potential'' in proposed Sec. 234.3(a)(17)(vi)(A)(2). The concerns raised include providing notifications where it was unnecessary, the potential for false alarms or misimpressions regarding a designated FMU's reliability, and desensitization of supervisors and participants due to excessive notification regarding insignificant events, with one commenter suggesting notices be limited to actual incidents. One commenter also noted that the ``likely'' and ``potential'' standards were different from other incident notification requirements such as under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and suggested harmonizing the proposed notification requirements with other laws and regulations. These commenters suggested a number of specific revisions to the proposal. One suggested limiting notification to the Board to actual disruptions or material degradations. Another suggested limiting notifications of an unauthorized entry, or the potential for unauthorized entry, to situations which could result in a serious detriment to participants or other relevant entities, and more generally suggested granting more discretion for a designated FMU to determine appropriate circumstances for notice based on the probability and severity of an event. One commenter supported the requirement to provide ``immediate'' notification to the Board and affected parties. Two commenters requested clarification of the term ``immediately'' as used regarding notification of material operational incidents in proposed Sec. 234.3(a)(17)(vi)(A) and (a)(17)(vi)(B)(1). These commenters requested that the explanation provided in the NPRM, which distinguished ``immediately'' from ``instantaneous,'' be directly incorporated into the text of Regulation HH. One commenter suggested that such a revision would provide greater clarity to participants and other relevant entities. Finally, two commenters responded to a question in the NPRM regarding the process by which a designated FMU should provide notice to the Board. These commenters suggested that notices be provided to the team responsible for ongoing supervision of the designated FMU. One of the commenters noted that a designated FMU's supervisory team would likely continue to expect notice regardless of whether a designated FMU was required to notify a central point of contact. One of the commenters also suggested that the Board specify contacts and provide a method for delivering notices outside of business hours. (b) Final Rule The Board is adopting Sec. 234.3(a)(17)(vi)(A) as proposed, with two revisions that respond to comments received. First, as proposed, Sec. 234.3(a)(17)(vi)(A)(2) would have required notice to the Board of an unauthorized entry, or a potential for unauthorized entry, into a designated FMU's computer, network, electronic, technical, automated, or other systems that affect or have the potential to affect its critical operations or services. In light of concerns regarding unnecessary notices, the Board believes it is appropriate to clarify what constitutes the ``potential'' for unauthorized entry. The Board has amended Sec. 234.3(a)(17)(vi)(A)(2) to refer instead to an unauthorized entry or a vulnerability that could allow unauthorized entry. The Board believes that it is important to receive notice from a designated FMU if the designated FMU has a reasonable basis to conclude that there exists a vulnerability (such as a zero-day vulnerability) that may be, but has not yet been, exploited.\38\ --------------------------------------------------------------------------- \38\ ``Zero-day'' vulnerabilities are those for which patches are not yet available. See, e.g., Board of Governors of the Federal Reserve System, Cybersecurity and Financial System Resilience Report, at 23 (Aug. 2023), available at https://www.federalreserve.gov/publications/files/cybersecurity-report-202308.pdf. --------------------------------------------------------------------------- Second, the Board has clarified that a designated FMU must notify the Board of incidents ``in accordance with the process established by the Board.'' The Board will provide actual notice of this process to affected designated FMUs. Other than with respect to these revisions, the Board has adopted Sec. 234.3(a)(17)(vi)(A) as proposed. Given the large volume and value of payment, clearing, and settlement activity processed by designated FMUs and their interconnectedness with financial institutions and markets, material operational issues occurring at designated FMUs could have financial stability implications. Therefore, the Board continues to believe that it is critical for the Board to be notified immediately of these types of issues.\39\ The Board notes that ``immediately'' as used in Sec. 234.3(a)(17)(vi)(A) is meant to convey the urgency in notifying the Board of these material operational incidents. ``Immediate'' does not mean ``instantaneous,'' and as such the Board does not believe clarification expressly stating this is necessary. The Board would expect to be notified of an operational incident once the designated FMU activates its business continuity plan or has a reasonable basis to conclude that an incident meets any of the criteria in Sec. 234.3(a)(17)(vi)(A), even if the designated FMU does not yet have detailed information on the root cause or measures for containment or remediation. In these cases, the Board would expect to receive any available information that the designated FMU has at the time of notification. --------------------------------------------------------------------------- \39\ The Board recognizes that, ``immediately'' poses a heightened requirement for notification by designated FMUs relative to banking organizations subject to the interagency rule. This heightened requirement is consistent with the systemic importance of designated FMUs and in line with expectations for designated FMUs for which the SEC is the Supervisory Agency. SEC Regulation SCI provides for immediate notification to the SEC upon any ``responsible SCI personnel'' having a reasonable basis to conclude that an ``SCI event'' has occurred. See 17 CFR 242.1002(b)(1). --------------------------------------------------------------------------- Except as described above, the Board continues to believe that notification is appropriate when a designated FMU has a reasonable basis to conclude that there is (1) an actual or likely disruption or material degradation to any critical operations or services, or to its ability to fulfill its obligations on time or (2) an unauthorized entry, or a vulnerability that could allow unauthorized entry, into the designated FMU's computer, network, electronic, technical, automated, or similar systems that [[Page 18756]] affects or has the potential to affect its critical operations or services. The Board appreciates commenters' interest in harmonizing notice requirements. However, the Board notes that the interagency notification rule applies to banking organizations and bank service providers broadly, whereas Regulation HH applies to FMUs that have been designated as systemically important by the FSOC. The Board acknowledges that CIRCIA provides for after-the-fact reporting of incidents. The Board believes receiving notices of actual and likely incidents as soon as the designated FMU is aware of them is appropriate given the Board's supervisory role and the systemic importance of designated FMUs. For the same reasons, the Board does not believe it is appropriate to limit notice to the Board with respect to unauthorized entries, or vulnerabilities that could allow unauthorized entry, to situations that could result in a serious detriment to participants or other relevant entities or to afford designated FMUs discretion to determine appropriate circumstances for notice based on the probability and severity of an event. Similarly, the Board understands that activation of a business continuity plan does not mean an actual incident must have occurred. Activation does mean, however, that the probability of an event occurring that could adversely impact the designated FMU's continued operations was high enough to meet the threshold for the designated FMU to trigger its business continuity plan.\40\ Accordingly, the Board believes a designated FMU should notify the Board when it activates its business continuity plan. --------------------------------------------------------------------------- \40\ For example, if a designated FMU activates its business continuity plan in anticipation of an extreme weather event, the Board would expect to be notified. The Board should be made aware if the designated FMU anticipates non-business-as-usual actions or operations. --------------------------------------------------------------------------- 3. Incident Notification to Participants and Other Relevant Entities-- Section 234.3(a)(17)(vi)(B) (a) Summary of Comments As noted above with respect to notices required to be made to the Board, one commenter noted it was judicious and sensible to require designated FMUs to immediately notify affected participants of material operational incidents. Two commenters requested clarification of the term ``immediately'' as used regarding notification of material operational incidents in proposed Sec. 234.3(a)(17)(vi)(B)(1). One commenter suggested revising the proposed notification requirement in Sec. 234.3(a)(17)(vi)(B)(1), for the same reasons outlined in their comments for proposed Sec. 234.3(a)(17)(vi)(A)(1), by limiting it to actual disruptions or material degradations to a designated FMU's critical operations or services, or to the designated FMU's ability to fulfill its settlement obligations on time, that could result in a serious detriment to participants or other relevant entities. The commenter suggested that the addition of the italicized language would permit the designated FMU to comply with the regulatory requirements while liaising with supervisors to ensure the notification provided to participants and other entities meets supervisory expectations. One commenter expressed concern that the requirements under proposed Sec. 234.3(a)(17)(vi)(B)(2) could result in false alarms to third parties, give an impression of unreliability, or desensitize parties to notifications. The commenter proposed that Sec. 234.3(a)(17)(vi)(B)(2) be amended to only require notification for actual incidents or actual unauthorized entries. (b) Final Rule The Board is adopting proposed Sec. 234.3(a)(17)(vi)(B) with certain revisions to clarify the circumstances in which the Board expects a designated FMU to provide notice of material operational incidents to participants (including unaffected participants) and other relevant entities, consistent with the concept of ``responsible disclosure,'' and to respond to commenters' concerns that disclosure under proposed Sec. 234.3(a)(17)(vi)(B) could result in false alarms to third parties, give an impression of unreliability, or desensitize parties to notifications. With respect to Sec. 234.3(a)(17)(vi)(B)(2), the Board believes there are scenarios where all participants and identified relevant entities should be informed of likely disruptions or vulnerabilities that could allow for unauthorized entry into the designated FMU's computer, network, electronic, technical, automated, or similar systems, even where no incident or unauthorized access happens. The Board recognizes, though, that notification of certain likely incidents or vulnerabilities may not be required. Under the final rule, a designated FMU should establish criteria and processes for timely communication and responsible disclosure that guide whether and when it is appropriate to notify in a responsible manner entities of a particular incident. For example, consistent with the concept of responsible disclosure, the Board recognizes that there might be risks to providing early disclosures under Sec. 234.3(a)(17)(vi)(B)(2) to a broad audience regarding certain types of material operational issues. The Board would expect a designated FMU, in practicing responsible disclosure, to account for both the benefit of the information to be provided in a notification and the potential risk of disclosing that information. For example, if a designated FMU identifies a cyber vulnerability, the designated FMU might weigh the risk of disclosure as sufficiently great to delay notification under Sec. 234.3(a)(17)(vi)(B)(2) or tailor the information provided under Sec. 234.3(a)(17)(vi)(B)(1) or (2) to avoid exposing the designated FMU to a cyberattack. The Board also recognizes the risks of over-notification and of reporting false alarms to a broad audience. Notice under Sec. 234.3(a)(17)(vi)(B)(2) of incidents that are resolved without disruption may provide little benefit to participants or identified relevant entities. In addition, a designated FMU that provides notification to the Board under the ``reasonable basis'' standard set forth in Sec. 234.3(a)(17)(vi)(A) may subsequently determine there to have been a false alarm. Under such circumstances, a designated FMU could determine that broad disclosure under Sec. 234.3(a)(17)(vi)(B)(2) is not appropriate. Consistent with concerns raised by one commenter, a designated FMU could incorporate consultation with its supervisors in the development of criteria and processes with respect to novel or complex incidents. When designing its communication plan, the Board would expect a designated FMU to consider the timing, content, recipients, and method of notification for a range of potential material operational incidents. In determining the scope of disclosure for a particular incident, the Board would expect a designated FMU to consider factors such as the risk-mitigation benefits arising from early warning to the financial system, the safety and soundness of the designated FMU, and any financial stability implications of disclosure. 4. Examples of Material Operational Incidents The following is a non-exhaustive list of operational incidents that the Board would consider to be material for purposes of the final rule.\41\ The Board [[Page 18757]] would expect examples 1-3 to trigger immediate notifications to the Board and to the designated FMU's affected participants (and notification in a timely manner to unaffected participants and other relevant entities identified in the designated FMU's plan for notification and communication of material operational incidents, as applicable). --------------------------------------------------------------------------- \41\ The NPRM included a list of examples. The Board did not receive any specific comments on the examples. The Board has expanded on that list to provide further clarity. --------------------------------------------------------------------------- (1) A failed system upgrade or change results in widespread user outages for participants and designated FMU employees. (2) Large-scale distributed denial of service attacks that prevent the designated FMU from receiving its participants' payment instructions. (3) A severe weather event or other natural disaster that causes significant damage to a designated FMU's production site and disrupts core payment, clearing, or settlement processes, necessitating failover to another site during the business day. The Board would expect examples 4-7 to trigger immediate notification to the Board, but a designated FMU would determine when and whether to notify participants and other relevant entities based on the criteria in its notification and communication plan. (4) A severe weather event or other natural disaster that causes significant damage to a designated FMU's production site and necessitates failover to another site during the business day, but the designated FMU's core payment, clearing, or settlement processes remain available to participants. (5) Malware on a designated FMU's network that poses an imminent threat to its critical operations or services (such as its core payment, clearing, or settlement processes, or collateral management processes), or that may require the designated FMU to disengage any compromised products or information systems that support the designated FMU's critical operations and services from internet-based network connections. (6) A ransom malware attack that encrypts a critical system or backup data. (7) A zero-day vulnerability on software that the designated FMU uses and has determined, if exploited, could lead to a disruption to or material degradation of its critical operations or services. E. Business Continuity Management and Planning Section 234.3(a)(17)(vi) of the current rule (under the proposal, renumbered as Sec. 234.3(a)(17)(vii)) requires that a designated FMU have business continuity management that provides for rapid recovery and timely resumption of its critical operations and fulfillment of its obligations, including in the event of a wide-scale or major disruption.\42\ Section 234.3(a)(17)(vii) of the current rule (under the proposal, renumbered Sec. 234.3(a)(17)(viii)) elaborates on certain requirements for a designated FMU's business continuity plan. The Board proposed to amend current Sec. 234.3(a)(17)(vii) to provide further detail in Regulation HH related to business continuity management and planning in order to promote robust risk management, reduce systemic risks, increase safety and soundness, and support the stability of the broader financial system. --------------------------------------------------------------------------- \42\ The Board proposed a technical revision to that section, as described in section III.G.2, infra. --------------------------------------------------------------------------- Specifically, the Board proposed to amend current Sec. 234.3(a)(17)(vii)(A) to update terminology related to required backup sites. The Board proposed to replace the references to a ``secondary site'' and ``primary site'' with a general reference to ``two sites providing for sufficient redundancy supporting critical operations and services'' that are located at a sufficient geographical distance from ``each other'' to have a distinct risk profile (collectively, ``two sites with distinct risk profiles''). The Board did not propose substantive amendments to the requirements under current Sec. 234.3(a)(17)(vii)(B) and (C) (renumbered as Sec. 234.3(a)(17)(viii)(B) and (C)), which require a designated FMU's business continuity plan to be designed to enable recovery and resumption no later than two hours following disruptive events and completion of settlement by the end of the day of the disruption, even in case of extreme circumstances. The Board proposed a technical amendment to Sec. 234.3(a)(17)(vii)(B) to clarify that the two-hour recovery time objective applies to critical operations and services.\43\ --------------------------------------------------------------------------- \43\ See section III.G.2, infra. --------------------------------------------------------------------------- In Sec. 234.3(a)(17)(viii)(D), the Board proposed to require that a designated FMU's business continuity plan set out criteria and processes that address the reconnection of a designated FMU to its participants and other entities following a disruption to the designated FMU's critical operations or services. The Board proposed to separate current Sec. 234.3(a)(17)(vii)(D) of Regulation HH, which requires the business continuity plan to be ``tested at least annually,'' into two requirements (renumbered as Sec. 234.3(a)(17)(viii)(E) and (F)). In Sec. 234.3(a)(17)(viii)(E), the Board proposed to maintain the requirement for at least annual testing and clarify that this requirement covers the designated FMU's business continuity arrangements, including the people, processes, and technologies of the two sites with distinct risk profiles.\44\ The Board proposed to require a designated FMU's testing to demonstrate that the designated FMU is able to run live production at the two sites with distinct risk profiles; that its solutions for data recovery and data reconciliation enable it to meet its objectives to recover and resume operations two hours following a disruption and enable settlement by the end of the day of the disruption even in case of extreme circumstances, including if there is data loss or corruption; and that it has geographically dispersed staff who can effectively run the operations and manage the business of the designated FMU. --------------------------------------------------------------------------- \44\ These tests would be subject to the general testing requirements described in section III.C.1 above. --------------------------------------------------------------------------- In Sec. 234.3(a)(17)(viii)(F), the Board proposed to require a designated FMU to review its business continuity plans, pursuant to the general review requirements described in section III.C.1 above, at least annually, to: (1) incorporate lessons learned from actual and averted disruptions, and (2) update the scenarios considered and assumptions built into the plan in order to ensure responsiveness to the evolving risk environment and incorporate new and evolving sources of operational risk (e.g., extreme cyber events). 1. Two Sites Providing for Sufficient Redundancy--Section 234.3(a)(17)(viii)(A) (a) Summary of Comments The Board received no comments on proposed Sec. 234.3(a)(17)(viii)(A). (b) Final Rule The Board is adopting Sec. 234.3(a)(17)(viii)(A) as proposed. This amendment accommodates data center arrangements with multiple production sites, rather than reflecting only the traditional arrangement where one site is considered ``primary'' and another site is treated distinctly as a backup site. A designated FMU will still be required, however, to maintain a minimum of two locations that are sufficiently geographically distant from each other to have distinct risk profiles. Consistent with the Board's explanation when it adopted the current text of Regulation HH in 2014, the Board noted in the [[Page 18758]] NPRM that it would consider sites to have ``distinct risk profiles'' if, for example, they are not located in areas that would be susceptible to the same severe weather event (e.g., the same hurricane zone) or on the same earthquake fault line. These sites would likely also have distinct power and telecommunications providers and be operated by geographically dispersed staff. 2. Recovery and Resumption--Section 234.3(a)(17)(viii)(B) and (C) (a) Summary of Comments Two commenters suggested that the Board incorporate into the text of Regulation HH the Board's statement in the NPRM that the recovery time objectives set forth in Sec. 234.3(a)(17)(vii)(B) and (C) (renumbered as Sec. 234.3(a)(17)(viii)(B) and (C)) should not be interpreted as a requirement for a designated FMU to resume operations in a compromised or otherwise untrusted state.\45\ One of these commenters expressed the concern that, absent clarification of the text of Regulation HH, a designated FMU could be required under Regulation HH to resume critical operations in an untrusted state in order to comply with the recovery time objectives. --------------------------------------------------------------------------- \45\ See 87 FR 60314, 60320 (Oct. 5, 2022). --------------------------------------------------------------------------- (b) Final Rule The Board is adopting this section as proposed, without substantive change from the previous version of the rule. Regulation HH requires a designated FMU to have a business continuity plan that is designed to enable the designated FMU to meet these objectives. The Board reiterates that the recovery time objectives should not be interpreted as a requirement for a designated FMU to resume operations in a compromised or otherwise untrusted state. Since the Board established these requirements in Regulation HH, the two-hour recovery time objective has been a particular area of focus during bilateral discussions with Board-supervised designated FMUs, as well as in broader domestic and international fora, specifically in the context of extreme cyber events. At the center of those discussions is the balance between (i) timely recovery and resumption of critical operations and (ii) appropriate assurance that critical operations are restored to a trusted state. The Board continues to believe it is imperative to financial stability that a designated FMU be able to recover and resume its critical operations and services quickly after disruptive events, both physical and cyber, and to complete settlement by the end of the day of the disruption. In related discussions with Board-supervised designated FMUs, and supported by provisions in the CPMI-IOSCO Cyber Guidance, Board staff has emphasized that recovery time objectives are necessary and critical targets around which plans, systems, and processes should be designed.\46\ However, these recovery time objectives should not be interpreted as a requirement for a designated FMU to resume operations in a compromised or otherwise untrusted state. --------------------------------------------------------------------------- \46\ For example, paragraph 6.2.2 of the Cyber Guidance notes that the objectives for resuming operations set goals for, ultimately, the sound functioning of the financial system, which should be planned for and tested against. It further notes the criticality of the recovery and resumption objectives under Principle 17, Key Consideration 6 of the PFMI, while also acknowledging that financial market infrastructures should exercise judgment in effecting resumption so that risks to itself or its ecosystem do not thereby escalate. For additional details, see CPMI- IOSCO, Guidance on Cyber Resilience for Financial Market Infrastructures (June 2016) at section 6, https://www.bis.org/cpmi/publ/d146.htm (``Response and Recovery''). --------------------------------------------------------------------------- Threats to designated FMUs' operations continue to evolve, and the Board expects that a designated FMU will update on an ongoing basis the scenarios in its plan to reflect evolving threats. The Board also expects that a designated FMU will seek and implement solutions that are designed to enable it to meet its recovery and resumptions objectives. For many types of disruptive scenarios, technologies and methods already exist to enable a designated FMU to recover and resume operations within two hours of the disruption. For example, if an earthquake damages a designated FMU's infrastructure and disrupts operations at one data center, the designated FMU may continue to operate from or fail over to another location that is outside the earthquake radius. The Board recognizes, however, that certain threats to designated FMUs' operations, as well as the technology to mitigate those threats, are continually evolving. In areas where threats and technology are still evolving, such as is the case for extreme cyberattacks (e.g., where significant data loss or corruption occurs across its data centers), the Board recognizes that a designated FMU will need to take a holistic approach that integrates protective, detective, and containment measures with response, recovery, and resumption solutions. The Board continues to expect that a designated FMU's business continuity planning will be a dynamic process in which the designated FMU works on an ongoing basis to update its plan to recover and resume operations in light of these evolving threats. Federal Reserve supervisors will also continue to work with designated FMUs through the supervisory process as designated FMUs identify reasonable approaches to prepare for and recover from such attacks. As development of adequate solutions for extreme cyberattacks continues, designated FMUs should also plan for contingency scenarios in which planned recovery and resumption objectives cannot be achieved. Planning for such scenarios would be in accordance with national policies aimed at improving the cybersecurity posture of U.S. critical infrastructures.\47\ --------------------------------------------------------------------------- \47\ See, e.g., Presidential Policy Directive/PPD-21, Critical Infrastructure Security and Resilience (Feb. 12, 2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil. --------------------------------------------------------------------------- 3. Reestablishment of Availability After a Disruption to the Designated FMU's Critical Operations or Services--Section 234.3(a)(17)(viii)(D) (a) Summary of Comments One commenter expressed support for the proposal's requirement that a designated FMU have plans in place regarding reconnection to its participants following a cybersecurity disruption. Another commenter indicated that the criteria and processes for reconnection should be risk-based to account for the fact that a reconnection process may not be necessary for all disruptions or that aspects of such a process may not be needed in all cases. Another commenter suggested removing the term ``reconnection'' because not all disruptions result in a disconnection, thus a reconnection may not be required. This commenter suggested revising proposed Sec. 234.3(a)(17)(viii)(D) to use the phrase ``resumption of access'' rather than ``reconnection,'' and to specify that resumption of access to the designated FMU includes resumption of access to relevant functionalities. The commenter noted that, in a cyberattack scenario, in addition to disconnection, risk mitigants might include limiting or restricting a participant's access to the designated FMU or a particular functionality. (b) Final Rule The Board has amended the text of proposed Sec. 234.3(a)(17)(viii)(D) to require a designated FMU's business continuity plan to set out criteria and processes by which the designated financial market utility will ``reestablish availability'' for ``affected'' participants and other entities following a disruption to the designated FMU's critical [[Page 18759]] operations or services.\48\ In the NPRM, the Board noted that it would consider a disruption to a designated FMU's critical operations or services broadly as a form of ``disconnection'' to external parties. However, some disruptions may not, as a technical matter, result in a designated FMU severing a participant's or other entity's connection to the designated FMU. --------------------------------------------------------------------------- \48\ The NIST definitions of ``availability'' and ``disruption'' are consistent with the final rule. The NIST glossary, which can be found at https://csrc.nist.gov/glossary, defines ``availability'' as ``timely, reliable access to data and information services for authorized users'' and ``disruption'' as ``an unplanned event that causes an information system to be inoperable for a length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).'' https://csrc.nist.gov/glossary, defines ``availability'' as ``timely, reliable access to data and information services for authorized users'' and ``disruption'' as ``an unplanned event that causes an information system to be inoperable for a length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).'' --------------------------------------------------------------------------- The Board believes that the term ``reestablish availability'' better captures the Board's expectations for designated FMUs. Proposed Sec. 234.3(a)(17)(viii)(D) was intended to emphasize the importance of ex ante criteria and processes addressing when and how a designated FMU will make itself available to participants and other entities after a disruption causes the designated FMU's critical operations or services to become unavailable--regardless of whether there is a technical disconnection. This would include situations, as noted in the NPRM, in which a designated FMU deliberately takes itself offline such that participants cannot access its services (e.g., if it experiences a major cyberattack that it needs to contain); it would also include situations where a designated FMU becomes unavailable due to another type of external event (e.g., if its production site loses power due to a severe weather event in its region). In such situations, there may be a gap in availability, but not a disconnection by the designated FMU of participants or other entities from its services. The Board has also clarified that a designated FMU's criteria and processes should address resumption of availability to ``affected'' participants and other entities. For the reasons discussed in section III.A, supra, the Board has not referred to a risk-based and proportionate approach in the final rule. Nevertheless, the Board recognizes that the way in which a designated FMU applies its criteria and processes for reestablishing availability may differ from one type of disruption to another. Some disruptions may be more straightforward and pose little risk to participants or other entities, while others may present greater risk of contagion. Given the current threat landscape and the ability for malware to spread, the Board believes it is crucial for a designated FMU to balance the need to quickly recover and resume its critical operations against the risk of contagion to its ecosystem should it resume operations in a compromised or otherwise untrusted state. For cyber incidents, it is particularly important for a designated FMU to be prepared to assure its participants, other connected entities, and regulator(s) that it has achieved an uncompromised and trusted state.\49\ A designated FMU should consider establishing a phased approach to reestablishing availability, transaction testing with selected participants, and heightened monitoring for an appropriate period of time after reestablishing availability. --------------------------------------------------------------------------- \49\ A designated FMU might consider leveraging third-party experts to verify its remediation efforts. --------------------------------------------------------------------------- 4. Business Continuity Testing and Review--Section 234.3(a)(17)(viii)(E) and (F) (a) Summary of Comments Two commenters noted that there may be circumstances in which recovery within two hours following disruptive events is not currently possible. One commenter expressed concern specifically with respect to Sec. 234.3(a)(17)(viii)(E)(2), which proposed to require a designated FMU to demonstrate that its solutions for data recovery and reconciliation would enable it to meet its recovery and resumption objectives, even in case of extreme circumstances, including in the event of data loss or data corruption. That commenter encouraged the Board to amend proposed Sec. 234.3(a)(17)(viii)(E)(2) to recognize the ever-evolving nature of cyber-threats and solutions to address them. Specifically, the commenter recommended that Sec. 234.3(a)(17)(viii)(E)(2) be amended to require a designated FMU, in consultation with its supervisors, to identify reasonable approaches to prepare for and recover from extreme cyber-attacks. The Board did not receive comments on the proposed requirements for business continuity testing and review in Sec. 234.3(a)(17)(viii)(E)(1) or (3) or (a)(17)(viii)(F). (b) Final Rule The Board recognizes the ever-evolving nature of cyber threats and acknowledges that there are certain cyber scenarios which may result in extreme data loss or data corruption for which the designated FMU may not be able to demonstrate that its solutions for data recovery and data reconciliation enable it to meet the recovery and resumption objectives under Sec. 234.3(a)(17)(viii)(B) and (C). The Board has therefore amended the final rule text in Sec. 234.3(a)(17)(viii)(E)(2), and made conforming edits in Sec. 234.3(a)(17)(viii)(E)(1) and (3), to clarify that a designated FMU's testing should assess the capability of its systems and the effectiveness of its procedures for data recovery and data reconciliation to meet the recovery and resumption objectives under Sec. 234.3(a)(17)(viii)(B) and (C), even in case of extreme circumstances, including in the event of data loss or data corruption. Designated FMUs should continue to plan for and test extreme scenarios from which they may need to recover, including wide-scale and major disruptions. Scenario testing should include functional testing of the designated FMU's ability to recover and resume settlement in the case of extreme cyber-based scenarios that cause data loss or data corruption. In some circumstances, a designated FMU may not be able to demonstrate that it can recover and resume operations within two hours, or complete settlement by end of day. The designated FMU should be able to demonstrate to supervisors, however, that (1) it is assessing the capability of its systems and effectiveness of its procedures against its recovery, resumption, and settlement objectives; and (2) it has an understanding of the circumstances in which it may not be able to recover and resume critical operations and services within two hours following disruptive events or complete settlement by the end of the day. The designated FMU should also be able to demonstrate that it is working to increase the capability of its systems and effectiveness of its procedures to be able to meet those objectives in the future. The Board reiterates that Federal Reserve supervisors will continue to work with designated FMUs through the supervisory process as designated FMUs identify reasonable approaches to prepare for and recover from extreme cyber-attacks. [[Page 18760]] F. Third-Party Risk Management The Board expects a designated FMU to conduct its activities-- whether conducted directly by the designated FMU or through a service provider--in a safe and sound manner.\50\ Accordingly, the Board proposed to establish third-party risk management requirements in Sec. 234.3(a)(17)(ix). The Board proposed these requirements because of the importance of ensuring that a designated FMU's activities do not become less safe when they are outsourced to third parties and because of the importance of managing operational risk associated with third-party relationships, including ``supply chain risk.'' \51\ --------------------------------------------------------------------------- \50\ The Board believes that this expectation is consistent with section 807(b) of the Dodd-Frank Act, which provides each Supervisory Agency of a designated FMU with authority to examine the provision of any service integral to the operation of the designated FMU for compliance with applicable law, rules, orders, and standards to the same extent as if the designated FMU were performing the service on its own premises. 12 U.S.C. 5466(b). \51\ Supply chain risk encompasses the potential for harm or compromise to a designated FMU that arises as a result of security risks from its third parties' subcontractors or suppliers, as well as the subcontractors' or suppliers' supply chains, and their products or services (including software that may be used by the third party or the designated FMU). This definition is consistent with NIST's definition of ``supply chain risk'' in the NIST computer-security incident handling guide. See NIST, Computer Security Incident Handling Guide (Special Publication 800-61, rev. 2), https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf. The Board identified supply chain risk as a threat on which the Board is focused in its report on cybersecurity and financial system resilience. See Board of Governors of the Federal Reserve System, Report to Congress: Cybersecurity and Financial System Resilience Report (September 2021), https://www.federalreserve.gov/publications/files/cybersecurity-report-202109.pdf. --------------------------------------------------------------------------- Specifically, the Board proposed to add a definition of ``third party'' in Sec. 234.2(n), and to add Sec. 234.3(a)(17)(ix) regarding the management of risks associated with third-party relationships. In Sec. 234.2(n), the Board proposed to define ``third party'' as ``any entity with which a designated FMU maintains a business arrangement, by contract or otherwise.'' \52\ For purposes of proposed Sec. 234.3(a)(17)(ix), the Board noted that it would consider third-party relationships to include vendor relationships for products such as software and arrangements for any services that third parties perform for a designated FMU. --------------------------------------------------------------------------- \52\ This definition was consistent with the definition of ``third-party relationship'' in then-proposed interagency guidance for banking organizations on third-party relationships. See 86 FR 38182, 38186-87 (July 19, 2021). The Board explained in the NPRM that the Board viewed the requirements of proposed Sec. 234.3(a)(17)(ix) as broadly consistent with the proposed interagency guidance. The Board, OCC, and FDIC have since adopted final Interagency Guidance on Third-Party Relationships: Risk Management. 88 FR 37920 (June 9, 2023). The Board continues to believe that the final amendments to Regulation HH remain broadly consistent with the final interagency guidance. In examining designated FMUs under Regulation HH, Board examiners will continue to reference guidance on third-party risk management. --------------------------------------------------------------------------- In Sec. 234.3(a)(17)(ix), the Board proposed to require a designated FMU to have systems, policies, procedures, and controls that effectively identify, monitor, and manage risks associated with third- party relationships. Additionally, for any service that is performed for the designated FMU by a third party, a designated FMU's systems, policies, procedures, and controls would need to ensure that risks are identified, monitored, and managed to the same extent as if the designated FMU were performing the service itself.\53\ --------------------------------------------------------------------------- \53\ As noted in the NPRM, the Board believes that where a designated FMU outsources the provision of services to a third party, the designated FMU retains the responsibility for meeting the risk-management standards in Regulation HH. --------------------------------------------------------------------------- In Sec. 234.3(a)(17)(ix)(A) and (B), the Board proposed specific requirements for three components of third-party risk management: risk assessments, information-sharing arrangements, and business continuity management and testing. In Sec. 234.3(a)(17)(ix)(A), the Board proposed to require a designated FMU to regularly conduct risk assessments of its third-party relationships and establish, as appropriate, information-sharing arrangements with third parties. In Sec. 234.3(a)(17)(ix)(B), the Board proposed to require a designated FMU to include third parties in its business continuity management and testing, as appropriate.\54\ --------------------------------------------------------------------------- \54\ In the final rule, the Board has reorganized risk assessment, information sharing, and business continuity management and testing into separate paragraphs (a)(17)(ix)(A), (B), and (C) of Sec. 234.3, respectively. The headings used in this SUPPLEMENTARY INFORMATION refer to these reorganized paragraphs. --------------------------------------------------------------------------- 1. Definition of Third-Party Risk; Identification, Monitoring, and Management of Risks Associated With Third-Party Relationships--Section 234.2(n); Section 234.3(a)(17)(ix) (a) Summary of Comments Two commenters supported the addition of the third-party risk management rule to Regulation HH, but one of these commenters suggested the rule incorporate concepts of proportionality and criticality. Two commenters expressed concern with the scope of the definition of ``third party.'' These commenters suggested narrowing the definition in a number of ways. One commenter suggested distinguishing between services the commenter considered ``outsourced'' and other third-party services. One commenter noted that the proposed definition may unintentionally capture entities with which a designated FMU has a business relationship, such as participants in a designated FMU and employees, but which it does not treat as traditional service-providing vendors. One commenter suggested that the ``third party'' definition should include only entities that could have a material impact on the designated FMU's designated activities. One commenter suggested Sec. 234.3(a)(17)(ix) be amended to permit the designated FMU to have risk-based systems, policies, procedures, and controls and to be flexible in managing third party risk. Another commenter explained that a designated FMU should be able to apply its most stringent risk management controls to third parties that provide services essential to performing the services for which the FMU was designated as systemically important. Both of these commenters also provided comments to the more specific requirements set forth in proposed Sec. 234.3(a)(17)(ix)(A) and (B), which are addressed in sections III.F.2 and III.F.3, infra. Finally, these commenters noted that the definition of third party would include central banks and other entities that may be unable or unwilling to establish formal information-sharing relationships or participate in a designated FMU's business continuity management and testing. Both commenters suggested excluding central banks from the definition, and one commenter recommended narrowing the definition by expressly excluding real-time gross settlement systems and their operators from the definition of ``third party.'' (b) Final Rule After considering the comments received, the Board has made one modification to the definition of ``third party.'' Additionally, the Board is adopting as proposed the risk-management standards requirement set forth in the introductory portion of Sec. 234.3(a)(17)(ix), but the Board has amended the specific requirements set forth in proposed Sec. 234.3(a)(17)(ix)(A) and (B) to more expressly recognize that not all third parties present the same risk to a designated FMU. As discussed in the NPRM, products and services provided by third parties can include a wide variety of arrangements, from heating, ventilation, and air conditioning (often referred to as HVAC) services that support the physical infrastructure of a designated [[Page 18761]] FMU to technology platforms or financial risk management modeling that are essential to executing a designated FMU's payment, clearing, or settlement activities. The Board does not believe it is appropriate to narrow the definition of third party to vendor, outsourcing, or other types of arrangements for purposes of the Board's third-party risk- management standards. Doing so could result in third-party risks being overlooked. The Board is concerned that limitations to ``outsourced'' or ``traditional vendor'' activities could result in inconsistent treatment of third parties, depending on how a particular designated FMU decides to categorize various third-party relationships. Moreover, the Board has observed that operational risk, and in particular cyber risk, has the potential to arise from unexpected sources, which may not be considered outsourced or even directly related to a designated FMU's critical operations or services. Thus, the Board believes that a designated FMU's systems, policies, procedures, and controls should address third parties more broadly. A broad definition of third party does not mean, however, that the Board expects a designated FMU to address all third parties in the same manner. Although the Board, for the reasons described in section III.A, supra, has not expressly referred to a risk-based and proportionate approach in the final rule, the Board believes that Sec. 234.3(a)(17)(ix) is consistent with such an approach. As the Board stated in the NPRM, a designated FMU should adopt risk management practices that are commensurate with the level of risk posed by its third-party relationships, as identified through the risk assessments it conducts. While the Board generally believes a broad definition of third party is appropriate, the Board has, in response to comments, clarified in the final rule that relationships between a designated FMU and its participants are not ``third-party'' relationships when the participant is acting in that capacity only.\55\ If a participant maintains other relationships with a designated FMU--such as acting as a provider of pricing data, financial risk modeling services, liquidity, or asset custody services--the participant would be within the scope of the definition of ``third party'' as it relates to its other business arrangements with the designated FMU.\56\ --------------------------------------------------------------------------- \55\ The Board also does not consider the relationship between a designated FMU and an employee to be a third-party relationship. \56\ The Board acknowledges that recent interagency guidance for banking organizations does not categorically exclude customer relationships from the scope of ``business arrangements'' within the scope of that guidance. 88 FR 37920, 37922 (June 9, 2023). In adopting the final interagency guidance, the agencies explained that some business relationships may incorporate elements or features of a customer relationship. Whereas banking organizations may enter into different types of arrangements, designated FMUs' arrangements with their participants are standardized and governed by a uniform set of terms applicable to each participant or class of participants, and risk management of participants is addressed in another section of Regulation HH. Specifically, Sec. 234.3(a)(18) of Regulation HH requires a designated FMU to have objective, risk- based, and publicly disclosed criteria for participation; monitor compliance with its participation requirements on an ongoing basis; and have the authority to impose risk controls on a participant in situations where the designated FMU determines the participant poses heightened risk to the designated FMU. 12 CFR 234.3(a)(18). --------------------------------------------------------------------------- 2. Assessment of Third Party Risk--Section 234.3(a)(17)(ix)(A) (a) Summary of Comments As discussed in section III.F.1, commenters raised concerns about the scope of the definition of third party. As an alternative to definitional changes, one commenter suggested that the requirement to conduct risk assessments could apply broadly, but that specific information-sharing and business continuity testing requirements should apply only to third parties that provide critical services. Comments on the information-sharing and business continuity management and testing requirements are discussed in section III.F.3, infra. (b) Final Rule The Board is adopting the risk assessment requirement in Sec. 234.3(a)(17)(ix)(A) substantially as proposed but has moved the information sharing requirement to Sec. 234.3(a)(17)(ix)(B) (and, consequently, the business continuity management and testing requirement to Sec. 234.3(a)(17)(ix)(C)). To assess risk levels of third parties and monitor any changes in these risk levels that may affect a designated FMU and its ecosystem, the Board expects the designated FMU to regularly conduct risk assessments for each third party with which it maintains a business relationship. The Board expects that a designated FMU could incorporate a risk-based approach to prioritizing and determining the frequency and scope of risk assessments. In general, and as discussed in the NPRM, the Board expects a designated FMU to take a rigorous and comprehensive approach to identifying, monitoring, and managing risks associated with third-party relationships. To do this effectively, it would be prudent for the designated FMU to understand ex ante any risks associated with the third party, including details on the services or products the third party will provide and the security controls and business continuity planning that the third party has in place. Before entering into a third-party relationship, the designated FMU should have a plan in place to address how it will effectively identify, monitor, and manage the relationship and its associated risks, in order to ensure that the designated FMU can continue to meet the risk-management requirements in Regulation HH. 3. Information Sharing Arrangements and Business Continuity and Testing--Section 234.3(a)(17)(ix)(B) and (C) (a) Summary of Comments Two commenters raised concerns about the requirement to enter into information-sharing arrangements with third parties and include third parties in business continuity and testing, as appropriate. One of the commenters suggested that, in lieu of narrowing the proposed definition of ``third party,'' the Board could apply information-sharing and business continuity management and testing requirements only to third parties that provide critical services. That commenter also requested further clarification with respect to any specific expectations or relevant objectives in connection with information-sharing arrangements and business continuity management and testing. The same commenters noted that a designated FMU may not have the negotiating power to require certain third parties to enter into information-sharing arrangements or participate in the designated FMU's business continuity management and testing.\57\ One of the commenters also raised concerns that third parties outside the United States could have limitations on their ability to share information with a designated FMU. To address these types of concerns, one commenter suggested that a designated FMU could implement alternative risk mitigants. For example, if a telecommunication provider would not enter into an information-sharing arrangement, the commenter suggested that a designated FMU could have [[Page 18762]] redundant or diverse telecommunication channels. --------------------------------------------------------------------------- \57\ One commenter proposed that the Board require the Federal Reserve Banks to provide designated FMUs with necessary information for the designated FMU to perform its third-party risk management. --------------------------------------------------------------------------- The Board received a comment outside the scope of the proposal. The commenter noted that several third parties provide services to multiple designated FMUs and foreign systemically important FMIs. The commenter suggested that the Board and its foreign counterparts arrange scenario exercises involving designated FMUs and foreign FMIs. The commenter also recommended that the Board evaluate whether to have direct or collective oversight over certain third parties. (b) Final Rule The Board is adopting Sec. 234.3(a)(17)(ix)(B) and (C) with two substantive revisions in response to comments received. In addition, the Board has made structural changes to the rule text: the information-sharing requirement has been moved from proposed Sec. 234.3(a)(17)(ix)(A) to Sec. 234.3(a)(17)(ix)(B) and the business continuity management and testing requirement in proposed Sec. 234.3(a)(17)(ix)(B) has been moved to new Sec. 234.3(a)(17)(ix)(C). First, the Board has amended the information-sharing and business continuity management and testing requirements to apply only with respect to third parties that provide services material to any of the designated FMU's critical operations or services. The Board believes that this limitation strikes an appropriate balance between effective risk management and the efficient use of resources by designated FMUs. A designated FMU should use the risk assessments conducted pursuant to final rule Sec. 234.3(a)(17)(ix)(A) to inform its determinations of which third parties are in scope for purposes of Sec. 234.3(a)(17)(ix)(B) and (C). Second, the Board has amended the business continuity management and testing requirement to accommodate more clearly approaches to business continuity management and testing that do not include the participation of each third party in a designated FMU's testing. Specifically, the final rule provides that a designated FMU must ``address'' (rather than ``include'') in its business continuity management and testing, as appropriate, third parties that provide services material to any of the designated FMU's critical operations or services. The Board recognizes that there are effective approaches to testing that do not involve participation of a third party, such as planning for alternatives to be used in the event of a third party's unavailability. A designated FMU is expected to determine, through internal risk analysis, an appropriate way to address each covered third party, in business continuity management and testing, keeping in mind the overall requirement in Sec. 234.3(a)(17)(ix) that the designated FMU effectively identify, monitor, and manage risks associated with third-party relationships. The final rule, like the proposed rule, continues to apply an ``as appropriate'' qualification to the provisions related to information- sharing arrangements and business continuity management and testing. It does not set forth prescriptive requirements that a designated FMU must follow in all circumstances. The Board does not believe that prescriptive requirements would be appropriate, in light of different facts and circumstances a designated FMU may face with respect to each of its covered third parties. A designated FMU should consider what is appropriate in accordance with the risk-management standards articulated in the introductory portion of Sec. 234.3(a)(17)(ix) and the risk assessments it conducts pursuant to Sec. 234.3(a)(17)(ix)(A). With respect to information-sharing arrangements, a designated FMU should conduct appropriate due diligence on third parties and ensure it obtains the information necessary to appropriately identify, monitor, and manage third-party risk. Information-sharing arrangements should include, where necessary, expectations related to when the designated FMU will be notified of material operational incidents or outages. They should also include, where appropriate, expectations with respect to information regarding the third party's information security controls, operational resilience objectives and capabilities, the third-party's arrangements with its own vendors, and changes in security controls at the third party. Consistent with a risk-based approach, a designated FMU should consider heightened requirements where there is higher risk. For example, with certain third parties that are essential to its critical operations and services, a designated FMU might require mandatory approval from the designated FMU before the service provider may outsource any material elements of its service to another party, in order to manage supply chain risks. A designated FMU would generally be expected to make reasonable efforts to enter into contractual information-sharing arrangements, given the application of Sec. 234.3(a)(17)(ix)(B) to third parties that provide services material to the designated FMU's critical operations or services. The Board, however, understands that there may be circumstances in which a designated FMU may not be able to negotiate a contractual information sharing arrangement with certain third parties or all of the designated FMU's desired terms. For example, utility operators such as electricity providers, as well as central banks or other operators of FMIs, may have particular needs for uniformity in how they interact with participants and customers. In such situations, a designated FMU should consider whether it is appropriate to rely on non-contractual arrangements or other risk mitigants. In some cases, such as with central banks, the designated FMU may appropriately rely on informal information-sharing arrangements or, where available, other factors that may mitigate the risk associated with the lack of a contractual arrangement. For example, a designated FMU could consider the availability of public information about a third party or consider whether the designated FMU has sufficient contingency arrangements that would allow the designated FMU to continue to carry out its critical operations and services in a safe and sound manner in the absence of contractual information-sharing arrangements. A designated FMU might also consider the existence of backups, redundant services, or other means of managing third-party risk. If a designated FMU cannot with confidence ascertain and demonstrate that informal arrangements or other mitigants are sufficient, the designated FMU should consider whether it is appropriate to transition to an alternative third party, if available, or choose to keep a service in-house. The Board expects that a designated FMU would evaluate the sufficiency of its business continuity arrangements with a third party in light of how the designated FMU addresses the third party in its business continuity management and testing. In some circumstances, a designated FMU may determine that it is appropriate for a third party to participate directly in the designated FMU's scenario exercises to ensure that the designated FMU can effectively manage any instances in which the third party experiences an incident causing disruption or material degradation to the designated FMU's critical operations or services. For example, where a cyberattack on a third party could impair the third party's ability to enable a designated FMU to fulfill its obligations on time, it may be necessary for the designated FMU to include the third party in scenario exercises to enable the designated FMU [[Page 18763]] to be prepared to react, such as by switching to a contingency plan. If a designated FMU determines that it is essential for a third party to participate in business continuity testing, the Board would, in line with the discussion above regarding information-sharing arrangements, generally expect the designated FMU to make reasonable efforts to require that participation by contract. It may be reasonable in some circumstances for a designated FMU to rely on non-contractual arrangements with third parties, such as central banks, to participate in the designated FMU's business continuity planning. In other circumstances, a designated FMU may have contingencies in place such that participation by a particular third party in business continuity testing is not essential. If participation is not essential, a designated FMU should consider whether its information-sharing arrangements or other available sources of information afford the designated FMU with access to sufficient information to effectively address the third party in business continuity testing. The sufficiency of information may depend on the services provided by the third party and a designated FMU's ability to conduct critical operations and services safely and soundly in contingency scenarios without the third party. A designated FMU should consider the third party's business continuity planning in any risk assessment of the third party that the designated FMU completes, and, where appropriate, the designated FMU should include information about a third party's own business continuity planning in information-sharing arrangements it establishes with a third party. G. Technical Revisions 1. Definition of Operational Risk (a) Proposed Rule In Sec. 234.2(h), the Board proposed to add ``operational risk'' as a defined term in Regulation HH. The Board proposed to define this term as ``the risk that deficiencies in information systems or internal processes, human errors, management failures, or disruptions from external events will result in the reduction, deterioration, or breakdown of services provided by the designated financial market utility.'' (b) Summary of Comments The Board received one comment that supported the proposed definition of operational risk. (c) Final Rule The Board is adopting the definition of ``operational risk'' as proposed. This definition is consistent with the definition of operational risk in the PFMI and the Board's definition in part I of the Federal Reserve Policy on Payment System Risk (PSR policy).\58\ In the supplementary information of its 2014 notice of proposed rulemaking, the Board had provided this definition of operational risk when it proposed amendments to Regulation HH based on the PFMI.\59\ --------------------------------------------------------------------------- \58\ Part I of the PSR policy sets out the Board's views, and related standards, regarding the management of risks in financial market infrastructures, including those operated by the Reserve Banks. The Board concurrently amended the risk-management standards in Regulation HH and revised part I of the PSR policy based on the PFMI in 2014. The PSR policy is available at https://www.federalreserve.gov/paymentsystems/files/psr_policy.pdf. \59\ 79 FR 3666, 3683 (Jan. 22, 2014). --------------------------------------------------------------------------- 2. Definition of Critical Operations and Critical Services (a) Proposed Rule In Sec. 234.2(d), the Board proposed to add ``critical operations'' and ``critical services'' as defined terms in Regulation HH, in order to streamline references to these terms. Under the proposal, these terms were defined as ``any operations or services that the designated financial market utility identifies under 12 CFR 234.3(a)(3)(iii)(A).'' (b) Summary of Comments The Board received one comment on the definition of critical operations and critical services, which was supportive of the revision. (c) Final Rule The Board is adopting the definition of critical operations and critical services as proposed. Under Sec. 234.3(a)(3)(iii)(A), a designated FMU must identify its critical operations and services related to payment, clearing, and settlement for purposes of developing its integrated plans for recovery and orderly wind-down. The Board's amendments to Sec. 234.3(a)(17), related to review and testing, incident management and planning, and business continuity management planning, refer to a designated FMU's critical operations and/or services in multiple places. Amending Regulation HH to include definitions of ``critical operations'' and ``critical services'' clarifies that the critical operations or services that the designated FMU should consider under paragraph (a)(17) are the same set of critical operations and services that the designated FMU has identified under paragraph (a)(3). 3. Cross-Reference to ``Other Entities'' Identified in Sec. 234.3(a)(3) on Comprehensive Management of Risk (a) Proposed Rule The Board proposed to streamline and replace the reference to ``financial market utilities and trade repositories, if any'' in Sec. 234.3(a)(17)(ii) with the phrase ``relevant entities such as those referenced in paragraph (a)(3)(ii).'' In connection with this, the Board proposed to include ``trade repositories'' in the list of entities listed under Sec. 234.3(a)(3)(ii).\60\ --------------------------------------------------------------------------- \60\ Because of the differences in the definition for financial market infrastructure in the PFMI, which includes trade repositories, and the definition of FMU in the Dodd-Frank Act, which does not, the Board had previously inadvertently excluded the reference to ``trade repositories'' in Sec. 234.3(a)(3)(ii). --------------------------------------------------------------------------- (b) Summary of Comments One commenter had no objection to the addition of the term ``trade repositories'' to Sec. 234.3(a)(3)(ii), but suggested changing the term ``relevant entities'' as used in Sec. 234.3(a)(17)(ii) to ``identified entities.'' The commenter noted that change would allow the word ``relevant'' to be used elsewhere in the rule when discussing the entities referenced in Sec. 234.3(a)(17)(ii). (c) Final Rule The Board has adopted the proposed revisions to Sec. 234.3(a)(3)(ii) and (a)(17)(ii) but has removed the word ``relevant'' from the latter revision. Upon review, the Board believes that the reference to entities listed in Sec. 234.3(a)(3)(ii) is sufficiently clear without including a modifier like ``relevant'' or ``identified.'' The Board believes that, as adopted, Sec. 234.3(a)(17)(ii) is consistent with the requirement under paragraph (a)(3)(ii) for the designated FMU to identify, measure, monitor, and manage the material risks that it poses due to interdependencies with other entities, such as other FMUs, settlement banks, liquidity providers, and service providers. 4. Operational Capabilities To Ensure High Degree of Security and Operational Reliability (a) Proposed Rule Section 234.3(a)(17)(iii) requires a designated FMU to have ``policies and systems'' that are designed to achieve clearly defined objectives to ensure a high degree of security and operational reliability. A designated FMU is implicitly required to have the operational [[Page 18764]] capability to achieve these objectives. In Sec. 234.3(a)(17)(iii), the Board proposed to make this requirement explicit by clarifying that a designated FMU must have ``operational capabilities''--in addition to the existing reference to ``policies and systems''--that are designed to achieve clearly defined objectives to ensure a high degree of security and operational reliability. (b) Summary of Comments One commenter suggested removing the reference to ``operational capabilities'' in proposed Sec. 234.3(a)(17)(iii) and instead adding a reference to ``processes and controls,'' in addition to ``policies and systems.'' The commenter noted this drafting would better align with the terminology used throughout Regulation HH. (c) Final Rule Upon consideration of the comment, the Board has removed the term ``operational capabilities'' in proposed Sec. 234.3(a)(17)(iii) and replaced it with ``procedures and controls.'' This change aligns the language in Sec. 234.3(a)(17)(iii) with terminology used elsewhere in Regulation HH. Regulation HH frequently uses the term ``procedures and controls,'' and the Board believes the phrase achieves the suggested drafting consistency and the intended meaning. The Board expects a designated FMU to establish clearly defined objectives to ensure a high degree of security and operational reliability; to have systems, procedures, and controls designed to achieve these objectives; and to have policies, such as benchmarks, in place for the designated FMU to evaluate its systems' performance against these objectives. 5. Identify, Monitor, and Manage Potential and Evolving Vulnerabilities and Threats (a) Proposed Rule Section 234.3(a)(17)(v) requires a designated FMU to have comprehensive physical, information, and cyber security policies, procedures, and controls ``that address'' potential and evolving vulnerabilities and threats. The Board proposed a technical change to clarify what it means to ``address'' potential and evolving vulnerabilities and threats. Specifically, the Board proposed to replace the phrase ``that address'' with the phrase ``that enable the designated financial market utility to identify, monitor, and manage'' potential and evolving vulnerabilities and threats. (b) Summary of Comments One commenter supported the proposed change. No other comments were received in response to this proposed revision of Sec. 234.3(a)(17)(v). (c) Final Rule The Board is adopting the technical revision as proposed. IV. Administrative Law Matters A. Regulatory Flexibility Act Analysis The Regulatory Flexibility Act (RFA) generally requires that, in connection with a final rulemaking, an agency prepare and make available a final regulatory flexibility analysis describing the impact of the final rule on small entities.\61\ However, a final regulatory flexibility analysis is not required if the agency certifies that the final rule will not have a significant economic impact on a substantial number of small entities. --------------------------------------------------------------------------- \61\ 5 U.S.C. 601 et seq. --------------------------------------------------------------------------- The Small Business Administration (SBA) has adopted size standards for determining whether a particular entity is considered a ``small entity'' for purposes of the RFA. The Board believes that the most appropriate SBA size standard to apply in determining whether a designated FMU is a small entity is the SBA size standard for financial transactions processing, reserve, and clearinghouse activities. Under this standard, a designated FMU is considered a small entity if its annual receipts are less than $47 million.\62\ The Board includes the assets of all domestic and foreign affiliates in determining whether to classify a designated FMU as a small entity.\63\ For the reasons described below and under section 605(b) of the RFA, the Board certifies that the final rule will not have a significant economic impact on a substantial number of small entities.\64\ --------------------------------------------------------------------------- \62\ 13 CFR 121.201 (subsector 522320). Alternatively, the SBA size standards for (1) securities and commodities exchanges; (2) trust, fiduciary, and custody activities; or (3) international, secondary market, and all other nondepository credit intermediation activities could also apply to certain designated FMUs; these size standards are currently the same as the size standard for financial transactions processing, reserve, and clearinghouse activities (i.e., annual receipts of less than $47 million). Id. (subsectors 523210, 523991, and 522299). \63\ 13 CFR 121.103. \64\ 5 U.S.C. 605(b). --------------------------------------------------------------------------- In connection with the proposed rule, the Board stated that it did not believe that the proposal would have a significant economic impact on a substantial number of small entities. Nevertheless, the Board published and invited comment on an initial regulatory flexibility analysis of the proposal. No comments were received on the initial regulatory flexibility analysis. The Board is finalizing amendments to Regulation HH that would affect the regulatory requirements that apply to designated FMUs other than derivatives clearing organizations registered with the CFTC and clearing agencies registered with the SEC. At present, the FSOC has designated eight FMUs as systemically important; two of these designated FMUs are subject to the Board's Regulation HH. The reasons and justification for the final rule are described above in more detail in this SUPPLEMENTARY INFORMATION. The Board has considered whether to conduct a final regulatory flexibility analysis in connection with the final rule. However, the annual receipts of designated FMUs subject to this final rule exceed the $47 million threshold under which a designated FMU is considered a ``small entity'' under SBA regulations. Because the final rule is not likely to apply to any company with annual receipts of $47 million or less, it is not expected to apply to any small entity for purposes of the RFA. In light of the foregoing, the Board certifies that the final rule will not have a significant economic impact on a substantial number of small entities. B. Competitive Impact Analysis As a matter of policy, the Board conducts a competitive impact analysis in connection with any operational or legal changes that could have a substantial effect on payment system participants, even if competitive effects are not apparent on the face of the proposal. Pursuant to this policy, the Board assesses whether proposed changes ``would have a direct and material adverse effect on the ability of other service providers to compete effectively with the Federal Reserve in providing similar services'' and whether any such adverse effect ``was due to legal differences or due to a dominant market position deriving from such legal differences.'' If, as a result of this analysis, the Board identifies an adverse effect on competition, the Board then assesses whether the associated benefits--such as improvements to payment system efficiency or integrity--can be achieved while minimizing the adverse effect on competition.\65\ --------------------------------------------------------------------------- \65\ See Policies: The Federal Reserve in the Payments System (issued 1984; revised 1990 and January 2001), https://www.federalreserve.gov/paymentsystems/pfs_frpaysys.htm. --------------------------------------------------------------------------- Designated FMUs are subject to the supervisory framework established under Title VIII of the Dodd-Frank Act. The final rule amends current [[Page 18765]] Regulation HH operational risk-management standards for certain designated FMUs. At least one designated FMU that is currently subject to Regulation HH competes with the Fedwire[supreg] \66\ Funds Service provided by the Reserve Banks. --------------------------------------------------------------------------- \66\ Fedwire is a registered service mark of the Reserve Banks. A list of marks related to financial service products that are offered to financial institutions by the Reserve Banks is available at FRBservices.org. --------------------------------------------------------------------------- Under the Federal Reserve Act, the Board has general supervisory authority over the Reserve Banks, including the Reserve Banks' provision of payment and settlement services. This general supervisory authority is more extensive in scope than the Board's authority over certain designated FMUs under Title VIII. In practice, Board oversight of the Reserve Banks goes beyond the typical supervisory framework for private-sector entities, including the framework provided by Title VIII. The Fedwire Funds Service and Fedwire Securities Service (collectively, Fedwire Services) are subject to the risk-management standards in part I of the PSR policy, including applicable principles from the PFMI as set forth in an appendix to the PSR policy. The Board is guided by its interpretation of the corresponding provisions of Regulation HH in its application of the risk management expectations in the PSR policy.\67\ --------------------------------------------------------------------------- \67\ See section I.B.1 of the PSR policy. --------------------------------------------------------------------------- One commenter expressed its appreciation for the Board's commitment to apply risk-management standards to the Fedwire Funds Service that are at least as stringent as those in Regulation HH, but asked the Board to amend the appendix to the PSR policy to more closely align with Regulation HH. The commenter also requested that the Board revise the PSR policy to include the Reserve Banks' National Settlement Service (NSS), along with the Fedwire Services, as a service subject to the appendix of the PSR policy. The Board recognizes the critical role that the Fedwire Services play in the financial system and, as noted in the proposal, the Board remains committed to applying risk-management standards to the Fedwire Funds Service that are at least as stringent as the Regulation HH standards that are applied to designated FMUs that provide similar services. At the same time, however, the Board continues to believe that a different level of detail is required for Regulation HH than for part I of the PSR policy. Regulation HH is an enforceable rule applicable to designated FMUs other than those supervised by the CFTC or SEC, so additional detail provides greater clarity on the Board's expectations. The PSR policy, on the other hand, is a policy statement that provides guidance about (as relevant here) the Board's exercise of its other supervisory or regulatory authority over other financial market infrastructures (including those operated by the Reserve Banks) or their participants. The Board continues to believe that the current approach to the appendix to the PSR policy is consistent with the purpose of the document and the Board's long-standing supervisory approach under the PSR policy. In light of the Federal Reserve's oversight framework for the Fedwire Services, the Board does not believe that the amendments to Regulation HH will have any direct and material adverse effect on the ability of other service providers to compete with the Reserve Banks. Finally, the Board does not believe that the exclusion of NSS from the list of Federal Reserve services subject to the appendix of the PSR policy has a direct and material effect on the ability of other service providers to compete with the Reserve Banks. NSS provides services to a number of financial market infrastructures, but is not itself a competitor with other service providers, and in particular with any service providers to which Regulation HH applies. C. Paperwork Reduction Act Analysis In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR part 1320, appendix A, section 1), the Board reviewed the final rule under the authority delegated to the Board by the Office of Management and Budget. As noted in the NPRM, for purposes of the Paperwork Reduction Act, a ``collection of information'' involves 10 or more respondents. Any recordkeeping, disclosure, or reporting requirement that is contained in a rule of general applicability or that is addressed to all or a substantial majority of an industry is presumed to involve 10 or more respondents (5 CFR 1320.3(c), 1320.3(c)(4)). Regulation HH applies to fewer than 10 persons, and these persons do not represent all or a substantial majority of the participants in payment, clearing, and settlement systems. Additionally, Regulation HH is not a rule of general applicability. Therefore, no collections of information under the Paperwork Reduction Act are contained in the final rule. The Board did not receive any comments on this analysis. List of Subjects in 12 CFR Part 234 Banks, Banking, Credit, Electronic funds transfers, Financial market utilities, Securities. Authority and Issuance For the reasons set forth in the preamble, the Board is amending part 234 of chapter II of title 12 of the Code of Federal Regulations as follows: PART 234--DESIGNATED FINANCIAL MARKET UTILITIES (REGULATION HH) 0 1. The authority citation for part 234 continues to read as follows: Authority: 12 U.S.C. 5461 et seq. 0 2. Revise Sec. 234.2 to read as follows: Sec. 234.2 Definitions. (a) Backtest means the ex post comparison of realized outcomes with margin model forecasts to analyze and monitor model performance and overall margin coverage. (b) Central counterparty means an entity that interposes itself between counterparties to contracts traded in one or more financial markets, becoming the buyer to every seller and the seller to every buyer. (c) Central securities depository means an entity that provides securities accounts and central safekeeping services. (d) Critical operations and critical services refer to any operations or services that the designated financial market utility identifies under Sec. 234.3(a)(3)(iii)(A). (e) Designated financial market utility means a financial market utility that is currently designated by the Financial Stability Oversight Council under section 804 of the Dodd-Frank Act (12 U.S.C. 5463). (f) Financial market utility has the same meaning as the term is defined in section 803(6) of the Dodd-Frank Act (12 U.S.C. 5462(6)). (g) Link means, for purposes of Sec. 234.3(a)(20), a set of contractual and operational arrangements between two or more central counterparties, central securities depositories, or securities settlement systems, or between one or more of these financial market utilities and one or more trade repositories, that connect them directly or indirectly, such as for the purposes of participating in settlement, cross margining, or expanding their services to additional instruments and participants. (h) Operational risk means the risk that deficiencies in information systems or internal processes, human errors, management failures, or disruptions from external events will result in the [[Page 18766]] reduction, deterioration, or breakdown of services provided by the designated financial market utility. (i) Orderly wind-down means the actions of a designated financial market utility to effect the permanent cessation, sale, or transfer of one or more of its critical operations or services in a manner that would not increase the risk of significant liquidity or credit problems spreading among financial institutions or markets and thereby threaten the stability of the U.S. financial system. (j) Recovery means, for purposes of Sec. 234.3(a)(3) and (15), the actions of a designated financial market utility, consistent with its rules, procedures, and other ex ante contractual arrangements, to address any uncovered loss, liquidity shortfall, or capital inadequacy, whether arising from participant default or other causes (such as business, operational, or other structural weaknesses), including actions to replenish any depleted prefunded financial resources and liquidity arrangements, as necessary to maintain the designated financial market utility's viability as a going concern and to continue its provision of critical services. (k) Securities settlement system means an entity that enables securities to be transferred and settled by book entry and allows transfers of securities free of or against payment. (l) Stress test means the estimation of credit or liquidity exposures that would result from the realization of potential stress scenarios, such as extreme price changes, multiple defaults, and changes in other valuation inputs and assumptions. (m) Supervisory Agency has the same meaning as the term is defined in section 803(8) of the Dodd-Frank Act (12 U.S.C. 5462(8)). (n) Third party means any entity, other than a participant of a designated financial market utility acting in that capacity, with which a designated financial market utility maintains a business arrangement, by contract or otherwise. (o) Trade repository means an entity that maintains a centralized electronic record of transaction data, such as a swap data repository or a security-based swap data repository. 0 3. In Sec. 234.3: 0 a. Revise the section heading; 0 b. Add the words ``trade repositories,'' after the words ``such as other financial market utilities,'' in paragraph (a)(3)(ii); 0 c. Remove the word ``following'' and add in its place ``after'', in paragraph (a)(3)(iii)(G); 0 d. Revise paragraph (a)(17); and 0 e. Remove the word ``following'' and add in its place the words ``to reflect'', in paragraph (a)(23)(v). The revisions read as follows: Sec. 234.3 Standards for designated financial market utilities. (a) * * * (17) Operational risk. The designated financial market utility manages its operational risks by establishing a robust operational risk-management framework that is approved by the board of directors. In this regard, the designated financial market utility-- (i) Identifies the plausible sources of operational risk, both internal and external, and mitigates their impact through the use of appropriate systems, policies, procedures, and controls--including those specific systems, policies, procedures, or controls required pursuant to this paragraph (a)(17)--that are reviewed, audited, and tested periodically and after major changes such that-- (A) The designated financial market utility conducts tests-- (1) In accordance with a documented testing framework that addresses, at a minimum, scope, frequency, participation, interdependencies, and reporting; and (2) That assess whether the designated financial market utility's systems, policies, procedures, or controls function as intended; (B) The designated financial market utility reviews the design, implementation, and testing of affected and similar systems, policies, procedures, and controls, after material operational incidents, including the material operational incidents described in paragraph (a)(17)(vi)(A) of this section, or after changes to the environment in which the designated financial market utility operates that could significantly affect the plausible sources or mitigants of operational risk; and (C) The designated financial market utility remediates as soon as possible, following established governance processes, deficiencies in systems, policies, procedures, or controls identified in the process of review or testing; (ii) Identifies, monitors, and manages the risks its operations might pose to other entities such as those referenced in paragraph (a)(3)(ii) of this section; (iii) Has systems, policies, procedures, and controls that are designed to achieve clearly defined objectives to ensure a high degree of security and operational reliability; (iv) Has systems that have adequate, scalable capacity to handle increasing stress volumes and achieve the designated financial market utility's service-level objectives; (v) Has comprehensive physical, information, and cyber security policies, procedures, and controls that enable the designated financial market utility to identify, monitor, and manage potential and evolving vulnerabilities and threats; (vi) Has a documented framework for incident management that provides for the prompt detection, analysis, and escalation of an incident, appropriate procedures for addressing an incident, and incorporation of lessons learned following an incident. This framework includes a plan for notification and communication of material operational incidents to identified relevant entities that ensures the designated financial market utility-- (A) Immediately notifies the Board, in accordance with the process established by the Board, when the designated financial market utility activates its business continuity plan or has a reasonable basis to conclude that-- (1) There is an actual or likely disruption, or material degradation, to any critical operations or services, or to its ability to fulfill its obligations on time; or (2) There is unauthorized entry or a vulnerability that could allow unauthorized entry into the designated financial market utility's computer, network, electronic, technical, automated, or similar systems that affects or has the potential to affect its critical operations or services; and (B) Establishes criteria and processes providing for timely communication and responsible disclosure of material operational incidents to the designated financial market utility's participants and other relevant entities, such that-- (1) Affected participants are notified immediately of actual disruptions or material degradations to any critical operations or services, or to the designated financial market utility's ability to fulfill its obligations on time; and (2) Participants and other relevant entities, as identified in the designated financial market utility's plan for notification and communication, are notified in a timely manner of material operational incidents described in paragraph (a)(17)(vi)(A) of this section, as appropriate, taking into account the risks and benefits of the disclosure to the designated financial market utility and such participants and other relevant entities; (vii) Has business continuity management that provides for rapid recovery and timely resumption of critical operations and services and [[Page 18767]] fulfillment of its obligations, including in the event of a wide-scale disruption or a major disruption; (viii) Has a business continuity plan that-- (A) Incorporates the use of two sites providing for sufficient redundancy supporting critical operations that are located at a sufficient geographical distance from each other to have a distinct risk profile; (B) Is designed to enable critical systems, including information technology systems, to recover and resume critical operations and services no later than two hours following disruptive events; (C) Is designed to enable it to complete settlement by the end of the day of the disruption, even in case of extreme circumstances; (D) Sets out criteria and processes by which the designated financial market utility will reestablish availability for affected participants and other entities following a disruption to the designated financial market utility's critical operations or services; (E) Provides for testing, pursuant to the requirements under paragraphs (a)(17)(i)(A) and (C) of this section, at least annually, of the designated financial market utility's business continuity arrangements, including the people, processes, and technologies of the sites required under paragraph (a)(17)(viii)(A) of this section, such that-- (1) The designated financial market utility can demonstrate that it can run live production at the sites required under paragraph (a)(17)(viii)(A) of this section; (2) The designated financial market utility assesses the capability of its systems and effectiveness of its procedures for data recovery and data reconciliation to meet the recovery and resumption objectives under paragraphs (a)(17)(viii)(B) and (C) of this section, even in case of extreme circumstances, including in the event of data loss or data corruption; and (3) The designated financial market utility can demonstrate that it has geographically dispersed staff who can effectively run the operations and manage the business of the designated financial market utility; and (F) Is reviewed, pursuant to the requirements under paragraphs (a)(17)(i)(B) and (C) of this section, at least annually, in order to-- (1) Incorporate lessons learned from actual and averted disruptions; and (2) Update scenarios and assumptions in order to ensure responsiveness to the evolving risk environment and incorporate new and evolving sources of operational risk; and (ix) Has systems, policies, procedures, and controls that effectively identify, monitor, and manage risks associated with third- party relationships, and that ensure that, for any service that is performed for the designated financial market utility by a third party, risks are identified, monitored, and managed to the same extent as if the designated financial market utility were performing the service itself. In this regard, the designated financial market utility-- (A) Regularly conducts risk assessments of third parties; (B) Establishes information-sharing arrangements, as appropriate, with third parties that provide services material to any of the designated financial market utility's critical operations or services; and (C) Addresses in its business continuity management and testing, as appropriate, third parties that provide services material to any of the designated financial market utility's critical operations or services. * * * * * By order of the Board of Governors of the Federal Reserve System. Ann E. Misback, Secretary of the Board. [FR Doc. 2024-05322 Filed 3-14-24; 8:45 am] BILLING CODE 6210-01-P
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
