82 FR 46332 - Self-Regulatory Organizations; The Depository Trust Company; National Securities Clearing Corporation; Fixed Income Clearing Corporation; Order Approving Proposed Rule Changes To Adopt the Clearing Agency Operational Risk Management Framework

SECURITIES AND EXCHANGE COMMISSION

Federal Register Volume 82, Issue 191 (October 4, 2017)

Page Range: 46332-46335
FR Document: 2017-21273

[Federal Register Volume 82, Number 191 (Wednesday, October 4, 2017)]
[Notices]
[Pages 46332-46335]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2017-21273]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-81745; File Nos. SR-DTC-2017-014; SR-NSCC-2017-013; 
SR-FICC-2017-017]


Self-Regulatory Organizations; The Depository Trust Company; 
National Securities Clearing Corporation; Fixed Income Clearing 
Corporation; Order Approving Proposed Rule Changes To Adopt the 
Clearing Agency Operational Risk Management Framework

September 28, 2017.

I. Introduction

    On July 25, 2017, The Depository Trust Company (``DTC''), Fixed 
Income Clearing Corporation (``FICC''), and National Securities 
Clearing Corporation (``NSCC,'' each a ``Clearing Agency,'' and 
collectively with DTC and FICC, the ``Clearing Agencies''), filed with 
the Securities and Exchange Commission (``Commission'') proposed rule 
changes SR-DTC-2017-014, SR-NSCC-2017-013, and SR-FICC-2017-017, 
respectively, pursuant to Section 19(b)(1) of the Securities Exchange 
Act of 1934 (``Act'') \1\ and Rule 19b-4 thereunder.\2\ The proposed 
rule changes were published for comment in the Federal Register on 
August 14, 2017.\3\ The Commission did not receive any comment letters 
on the proposed rule changes. For the reasons discussed below, the 
Commission approves the proposed rule changes.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Securities Exchange Act Release No. 81338 (August 8, 2017), 
82 FR 36049 (August 14, 2017) (SR-DTC-2017-014, SR-NSCC-2017-013, 
SR-FICC-2017-017) (``Notice'').
---------------------------------------------------------------------------

II. Description of the Proposed Rule Changes

    The proposed rule changes would adopt the Clearing Agency 
Operational Risk Management Framework (``Framework'') of the Clearing 
Agencies, as described below.

A. Overview of the Framework

    The Framework would describe how each Clearing Agency manages 
operational risk. Operational risk is defined by the Clearing Agencies 
in the Framework as the risk of direct or indirect loss or reputational 
harm resulting from an event, internal or external, that is the result 
of inadequate or failed processes, people, and systems (``Operational 
Risk'').\4\ More specifically, the Framework would describe how the 
Clearing Agencies (i) manage Operational Risk; (ii) manage their 
information technology risks; and (iii) manage their business 
continuity risks.\5\ The DTCC Operational Risk Management group 
(``ORM'') would maintain the Framework, on behalf of the Clearing 
Agencies.\6\
---------------------------------------------------------------------------

    \4\ Notice, 82 FR at 37943.
    \5\ Id.
    \6\ Id. The parent company of the Clearing Agencies is The 
Depository Trust & Clearing Corporation (``DTCC''). DTCC operates on 
a shared services model with respect to the Clearing Agencies. Most 
corporate functions are established and managed on an enterprise-wide 
basis pursuant to intercompany agreements under which it is 
generally DTCC that provides a relevant service to a Clearing 
Agency.
---------------------------------------------------------------------------

B. Operational Risk Management

    The Framework would describe how ORM is charged with establishing 
appropriate systems, policies, procedures, and controls to enable the 
Clearing Agencies to identify plausible sources of Operational Risk.\7\
---------------------------------------------------------------------------

    \7\ Notice, 82 FR at 37943.
---------------------------------------------------------------------------

    Specifically, the Framework would describe how the Clearing 
Agencies identify key risks, including Operational Risk, and set 
metrics to categorize such risks (e.g., from ``no impact'' to ``severe 
impact'') through ``Risk Tolerance Statements.'' \8\ The Framework 
would describe how the Risk Tolerance Statements identify the overall 
risk reduction or mitigation objectives of the Clearing Agencies, with 
respect to identified risks to the Clearing Agencies.\9\ The Framework 
would also explain how the Risk Tolerance Statements document the risk 
controls and other measures the Clearing Agencies would use to manage 
such identified risks (including escalation requirements in the event 
of risk metric breaches). The Framework would state that ORM would 
annually review, revise, update, and/or create, as necessary, each Risk 
Tolerance Statement.\10\
---------------------------------------------------------------------------

    \8\ Id.
    \9\ Id.
    \10\ Id.
---------------------------------------------------------------------------

    The Framework would also describe how the Clearing Agencies monitor 
key risks, including Operational Risk, through ``Risk Profiles.'' \11\ 
The Framework would state that ``Risk Profiles'' identify how risk is 
assessed for each of the Clearing Agencies' businesses and support 
areas (each a ``Clearing Agency Business'' and/or ``Clearing Agency 
Support Area'').\12\ The Framework would explain that the risk 
assessment documented in these profiles includes (1) assessment of 
inherent risk (i.e., risk without any mitigating controls); (2) 
evaluation of existing controls and, as appropriate, any new additional 
controls, as well as the evaluation of the same risk against the 
strength of such controls; and (3) identification of any residual risk 
and a determination to either further mitigate such risk or accept such 
risk by the applicable Clearing Agency Business or Clearing Agency 
Support Area.\13\
---------------------------------------------------------------------------

    \11\ Id.
    \12\ Id.
    \13\ Id.
---------------------------------------------------------------------------

    The Framework would then describe generally the responsibilities of 
ORM, which is part of the second line of defense within the Clearing 
Agencies' ``Three Lines of Defense'' approach to risk management.\14\ 
The Framework would identify ORM responsibilities 
including, but not limited to, management of the Risk Tolerance 
Statements, and working with the Clearing Agency Businesses and 
Clearing Agency Support Areas to create and monitor Risk Profiles.\15\
---------------------------------------------------------------------------

    \14\ Id. The Three Lines of Defense approach to risk management 
identifies the roles and responsibilities of different Clearing 
Agency Businesses or Clearing Agency Support Areas in identifying, 
assessing, measuring, monitoring, mitigating, and reporting certain 
key risks faced by the Clearing Agencies. The Three Lines of Defense 
approach is more fully described in a separate framework, the 
Clearing Agency Risk Management Framework. See Securities Exchange 
Act Release No. 81635 (September 15, 2017), 82 FR 44224 (September 
21, 2017)(SR-DTC-2017-013, SR-NSCC-2017-012, SR-FICC-2017-016).
    \15\ Notice, 82 FR at 37943.
---------------------------------------------------------------------------

C. Information Technology Risks

    The Framework would describe how the Clearing Agencies address 
information technology risks.\16\ The Framework would state that the 
DTCC Technology Risk Management group (``TRM''), on behalf of the 
Clearing Agencies, is responsible for establishing appropriate 
programs, policies, procedures, and controls with respect to the 
Clearing Agencies' information technology risks.\17\ The Framework 
would indicate that these responsibilities would help the respective 
Clearing Agency's management to ensure that systems have a high degree 
of security, resiliency, operational reliability, and adequate, 
scalable capacity.\18\ The Framework would describe some of the 
recognized information technology standards that TRM may use to execute 
its responsibilities (as applicable).\19\
---------------------------------------------------------------------------

    \16\ Id.
    \17\ Id.
    \18\ Id.
    \19\ Id.
---------------------------------------------------------------------------

    The Framework would also identify some of TRM's responsibilities, 
including (1) performing risk assessments to, among other things, 
facilitate the determination of the Clearing Agencies' investment and 
remediation priorities; (2) facilitating annual mandatory and periodic 
information security awareness, education, training, and communication 
to personnel of Clearing Agency Businesses and Clearing Agency Support 
Areas and relevant external parties; and (3) creating, implementing, 
and managing certain programs, including programs that (i) address 
information security throughout a system's lifecycle, (ii) facilitate 
compliance with evolving and established regulatory rules and 
guidelines that govern protection of the information assets of the 
Clearing Agencies and their participants, (iii) identify, prioritize, 
and manage the level of cyber threats to the Clearing Agencies, and 
(iv) assure that access to Clearing Agency information assets is 
appropriately authorized and authenticated based on current business 
need.\20\
---------------------------------------------------------------------------

    \20\ Id.
---------------------------------------------------------------------------

    Additionally, the Framework would note that TRM's risk strategy is 
closely aligned to the Clearing Agencies' business drivers and future 
strategic direction.\21\ The Framework would state that such risk 
strategy allows the Clearing Agencies to achieve information security 
threat mitigation objectives, resiliency of infrastructure supporting 
Clearing Agency critical business applications, and operational 
reliability.\22\ The Framework would also describe how TRM's early and 
consistent involvement in initiatives to develop new products and 
systems establishes this priority.\23\ The Framework would state that 
TRM is involved from the initial planning phase through the design, 
build, and operative phases of those initiatives, to address certain 
requirements.\24\ The Framework would then explain that TRM's 
involvement specifically addresses effectiveness, reliability, and 
availability requirements of those initiatives, incorporating those 
requirements into the initiatives' design and execution (from both a 
technology and cyber security perspective).\25\
---------------------------------------------------------------------------

    \21\ Id.
    \22\ Notice, 82 FR at 37943-44.
    \23\ Notice, 82 FR at 37944.
    \24\ Id.
    \25\ Id.
---------------------------------------------------------------------------

    The Framework would next describe the Clearing Agencies' security 
strategy and defense, stating that the Clearing Agencies' network 
security framework and preventive controls are designed to support a 
reliable and robust tiered security strategy and defense.\26\ The 
Framework would state that these controls include modern and 
technically advanced security firewalls, intrusion detection, system 
and data monitoring, and data protection tools.\27\ The Framework would 
also describe the Clearing Agencies' enhanced security features and the 
standards they use to assess vulnerabilities and potential threats.\28\
---------------------------------------------------------------------------

    \26\ Id.
    \27\ Id.
    \28\ Id.
---------------------------------------------------------------------------

D. Business Continuity Risks

    Finally, the Framework would describe how the Clearing Agencies 
establish and maintain business continuity plans to address events that 
may pose significant business continuity risks (i.e., disruption of 
Clearing Agency operations).\29\ The Framework would identify how the 
business continuity process for each Clearing Agency Business and 
Clearing Agency Support Area is ranked by the significance of a 
possible disruption to its operation.\30\ The Framework would explain 
that these rankings fall within a range of tiers, from 0 to 5, based on 
criticality to each applicable Clearing Agency's operations (each a 
``Tier''), where Tier 0 equates to critical operations or support of 
such operations for which virtually no downtime is permitted under 
applicable regulatory standards, and Tier 5 equates to non-essential 
operations or support of such operations for which recovery times of 
greater than five days are permitted.\31\
---------------------------------------------------------------------------

    \29\ Id.
    \30\ Id.
    \31\ Id.
---------------------------------------------------------------------------

    The Framework would state that each Clearing Agency Business and 
Clearing Agency Support Area annually updates its own business 
continuity plan, as well as reviews and ratifies its business impact 
analysis.\32\ The Framework would describe that the DTCC Business 
Continuity Management department (``BCM'') uses that analysis, on 
behalf of the Clearing Agencies, to validate the Business' or Support 
Area's current Tier ranking, described above.\33\ The Framework would 
identify the key elements of the business impact analysis, including 
(1) an assessment of the criticality of the applicable Clearing Agency 
Business or Clearing Agency Support Area, based on potential impact to 
the Clearing Agency; (2) an estimation of the maximum allowable 
downtime for the applicable Clearing Agency Business or Clearing Agency 
Support Area; and (3) the identification of dependencies, and the 
ranking of such dependencies to align with the criticality of the 
applicable Clearing Agency Business's, or Clearing Agency Support 
Area's, recovery.\34\
---------------------------------------------------------------------------

    \32\ Id.
    \33\ Id.
    \34\ Id.
---------------------------------------------------------------------------

    The Framework would describe the Clearing Agencies' multiple data 
centers, and the emergency monitoring and back-up systems available at 
each site.\35\ The Framework would explain the capacity of the various 
data centers (including emergency monitoring and back-up systems).\36\ 
The Framework would also describe how the Clearing Agencies' operating 
centers (which may include data centers) assist in recovery efforts, 
and explain how each Clearing Agency Business and Clearing Agency 
Support Area creates and deploys its own work-area recovery strategy to 
mitigate the loss of primary workspace and/or associated desktop 
technology, as well as for purposes of appropriately locating 
personnel.\37\ The Framework would further indicate how each work-area 
recovery strategy is developed and 
executed (based on the applicable Clearing Agency Business' and 
Clearing Agency Support Area's current Tier ranking, as described 
above).\38\
---------------------------------------------------------------------------

    \35\ Id.
    \36\ Id.
    \37\ Id.
    \38\ Id.
---------------------------------------------------------------------------

    The Framework would describe the responsibilities of BCM in 
managing a disruptive business event.\39\ The Framework would state 
that managing a disruptive business event would include coordination 
with a team of representatives from each Clearing Agency Business and 
Clearing Agency Support Area.\40\ Finally, the Framework would describe 
how the Clearing Agencies conduct regular exercises used to simulate 
loss of Clearing Agency locations, and would describe some of the 
preventive measures the Clearing Agencies take with respect to business 
continuity risk management.\41\
---------------------------------------------------------------------------

    \39\ Id.
    \40\ Id.
    \41\ Id.
---------------------------------------------------------------------------

III. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act directs the Commission to approve a 
proposed rule change of a self-regulatory organization if it finds that 
such proposed rule change is consistent with the requirements of the 
Act and rules and regulations thereunder applicable to such 
organization.\42\ After carefully considering the proposed rule 
changes, the Commission finds that the proposed rule changes are 
consistent with the requirements of the Act and the rules and 
regulations thereunder applicable to the Clearing Agencies. 
Specifically, the Commission finds that the proposed rule changes are 
consistent with Section 17A(b)(3)(F) of the Act \43\ and Rules 
17Ad-22(e)(17)(i)-(iii) under the Act.\44\
---------------------------------------------------------------------------

    \42\ 15 U.S.C. 78s(b)(2)(C).
    \43\ 15 U.S.C. 78q-1(b)(3)(F).
    \44\ 17 CFR 240.17Ad-22(e)(17)(i)-(iii).
---------------------------------------------------------------------------

A. Consistency With Section 17A(b)(3)(F) of the Act

    Section 17A(b)(3)(F) of the Act requires, in part, that the rules 
of a registered clearing agency be designed to assure the safeguarding 
of securities and funds which are in the custody or control of the 
Clearing Agencies or for which they are responsible.\45\
---------------------------------------------------------------------------

    \45\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    As described above, the Framework would describe how the Clearing 
Agencies manage their Operational Risk. Specifically, the Framework 
would describe how the Clearing Agencies address their technology 
risks, information security risks, and their business continuity risks. 
The Framework would describe the processes, systems, and controls (as 
well as the supporting policies and procedures) used by the Clearing 
Agencies to identify, manage, and mitigate risks which threaten the 
Clearing Agencies' ability to function.
    By describing their Operational Risk practices in a clear and 
comprehensive manner, the Framework is designed to help the Clearing 
Agencies prevent and manage the risks that arise in, or are borne by, 
the Clearing Agencies. The Framework would explain how the Clearing 
Agencies identify and mitigate risks generally (through the Three Lines 
of Defense, Risk Tolerance Statements, and Risk Profiles), as well as 
how they specially identify and mitigate information technology risk 
(through the TRM's efforts) and business continuity risk (through data 
centers and operational centers). By better managing the risks that 
arise in or are borne by the Clearing Agencies through such risk 
mitigation practices, the Framework is designed to help reduce the 
possibility that a Clearing Agency fails. By better positioning the 
Clearing Agencies to continue their critical operations and services, 
and mitigating the risk of financial loss contagion caused by a 
Clearing Agency failure, the Framework is designed to help assure the 
safeguarding of securities and funds which are in the custody or 
control of the Clearing Agencies, or for which they are responsible. 
Accordingly, the Commission believes that the proposed rule changes are 
consistent with Section 17A(b)(3)(F) of the Act.\46\
---------------------------------------------------------------------------

    \46\ Id.
---------------------------------------------------------------------------

B. Consistency With Rule 17Ad-22(e)(17)(i)

    Rule 17Ad-22(e)(17)(i) under the Act requires, in part, that each 
covered clearing agency establish, implement, maintain and enforce 
written policies and procedures reasonably designed to manage the 
covered clearing agency's operational risks by identifying the 
plausible sources of operational risk, both internal and external, and 
mitigating their impact through the use of appropriate systems, 
policies, procedures, and controls.\47\
---------------------------------------------------------------------------

    \47\ 17 CFR 240.17Ad-22(e)(17)(i).
---------------------------------------------------------------------------

    As described above, the Framework would describe how the Risk 
Tolerance Statements and the Risk Profiles assist the Clearing Agencies 
in identifying and mitigating the plausible sources of Operational Risk, both 
internal and external. As described above, the Framework explains how 
the Risk Tolerance Statements (i) identify both internal and external 
Clearing Agency risks; (ii) categorize the respective Clearing 
Agencies' tolerance for those risks; and (iii) then identify the governance 
process applicable to any breach of those tolerances. In this way, the 
Risk Tolerance Statements are designed to help the Clearing Agencies to 
identify and manage the internal and external risks. As also described 
above, the Framework would describe how the Risk Profiles are designed 
to serve a similar function, by serving as a tool for identifying and 
assessing inherent risks, and evaluating the controls around those 
risks. The Framework also describes the role of ORM, which includes 
oversight of both the Risk Tolerance Statements and Risk Profiles.
    By describing the functions of the Risk Tolerance Statements and 
Risk Profiles (which, together, are designed to (i) assist the 
Clearing Agencies in effectively managing their operational risks by 
identifying the plausible sources of operational risk, both internal 
and external, and (ii) assist the Clearing Agencies in mitigating the 
impact of those risks), and by describing the role of ORM in overseeing 
the Risk Tolerance Statements and Risk Profiles, the Commission 
believes the Framework is consistent with the requirements of Rule 
17Ad-22(e)(17)(i).\48\
---------------------------------------------------------------------------

    \48\ Id.
---------------------------------------------------------------------------

C. Consistency With Rule 17Ad-22(e)(17)(ii)

    Rule 17Ad-22(e)(17)(ii) under the Act requires, in part, that each 
covered clearing agency establish, implement, maintain and enforce 
written policies and procedures reasonably designed to manage the 
covered clearing agency's operational risks by ensuring that systems 
have a high degree of security, resiliency, operational reliability, 
and adequate, scalable capacity.\49\
---------------------------------------------------------------------------

    \49\ 17 CFR 240.17Ad-22(e)(17)(ii).
---------------------------------------------------------------------------

    As noted above, the Framework would describe how the Clearing 
Agencies manage their Operational Risk. Specifically, the Framework 
would describe TRM's role and responsibilities in managing the Clearing 
Agencies' information technology risks. In particular, the Framework 
would identify TRM's (i) programs, systems, and controls; (ii) 
information technology risk management standards; and (iii) continuous 
role in product and project initiatives to address security issues 
through the lifecycle of Clearing Agency initiatives.
    The Framework thereby describes how TRM is designed to safeguard 
the integrity of the Clearing Agencies' information technology, as well 
as the standards against which TRM's safeguards would be evaluated. In 
this manner, the Framework is designed to 
ensure that the Clearing Agencies' systems have a high degree of 
security, resiliency, and operational reliability. Furthermore, as the 
Framework indicates TRM's early and continuous involvement in the 
Clearing Agencies' initiatives, the Framework reveals how TRM would 
enable the Clearing Agencies to grow and evolve while accounting for 
technology and cyber security concerns, thereby ensuring the Clearing 
Agencies' adequate and scalable capacity.
    Therefore, by describing TRM's role and responsibilities in helping 
the Clearing Agencies maintain systems with a high degree of security, 
resiliency, operational reliability, and adequate, scalable capacity, 
the Commission believes the Framework is consistent with the 
requirements of Rule 17Ad-22(e)(17)(ii).\50\
---------------------------------------------------------------------------

    \50\ Id.
---------------------------------------------------------------------------

D. Consistency With Rule 17Ad-22(e)(17)(iii)

    Rule 17Ad-22(e)(17)(iii) under the Act requires, in part, that each 
covered clearing agency establish, implement, maintain and enforce 
written policies and procedures reasonably designed to manage the 
covered clearing agency's operational risks by establishing and 
maintaining a business continuity plan that addresses events posing a 
significant risk of disrupting operations.\51\
---------------------------------------------------------------------------

    \51\ 17 CFR 240.17Ad-22(e)(17)(iii).
---------------------------------------------------------------------------

    As described above, the Framework would describe how the Clearing 
Agencies establish and maintain business continuity plans. 
Specifically, the Framework would describe the critical features of the 
Clearing Agencies' business continuity plans to demonstrate how they 
are designed to address events posing a significant risk of disrupting 
the Clearing Agencies' operations. The Framework would also indicate 
how each Clearing Agency Business and Clearing Agency Support Area 
reviews and ratifies its respective plan and its business impact 
analysis, relative to its assigned Tier. Therefore, as the Framework 
describes how the Clearing Agencies establish and maintain their 
business continuity plans, which are designed to address events posing 
a significant risk of disrupting operations, the Commission believes 
that the Framework is consistent with the requirements of Rule 
17Ad-22(e)(17)(iii).\52\
---------------------------------------------------------------------------

    \52\ Id.
---------------------------------------------------------------------------

IV. Conclusion

    On the basis of the foregoing, the Commission finds that the 
proposed rule changes are consistent with the requirements of the Act 
and in particular with the requirements of Section 17A of the Act \53\ 
and the rules and regulations thereunder.
---------------------------------------------------------------------------

    \53\ 15 U.S.C. 78q-1.
---------------------------------------------------------------------------

    It is therefore ordered, pursuant to Section 19(b)(2) of the Act, 
that proposed rule changes SR-DTC-2017-014, SR-NSCC-2017-013, and 
SR-FICC-2017-017 be, and hereby are, approved.\54\
---------------------------------------------------------------------------

    \54\ In approving the Proposed Rule Changes, the Commission 
considered the proposals' impact on efficiency, competition and 
capital formation. 15 U.S.C. 78c(f).

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\55\
---------------------------------------------------------------------------

    \55\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Eduardo A. Aleman,
Assistant Secretary.
[FR Doc. 2017-21273 Filed 10-3-17; 8:45 am]
                                                ancillary services to its Members, and                  resulting from an event, internal or                  ‘‘Clearing Agency Business’’ and/or
                                                not in an investment business.                          external, that is the result of inadequate            ‘‘Clearing Agency Support Area’’).12 The
                                                Applicant thus asserts that it satisfies                or failed processes, people, and systems              Framework would explain that the risk
                                                the criteria for issuing an order under                 (‘‘Operational Risk’’).4 More                         assessment documented in these
                                                Section 3(b)(2) of the Act.                             specifically, the Framework would                     profiles includes (1) assessment of
                                                                                                        describe how the Clearing Agencies (i)                inherent risk (i.e., risk without any
                                                  For the Commission, by the Division of                manage Operational Risk; (ii) manage
                                                Investment Management, under delegated                                                                        mitigating controls); (2) evaluation of
                                                authority.                                              their information technology risks; and               existing controls and, as appropriate,
                                                Eduardo A. Aleman,
                                                                                                        (iii) manage their business continuity                any new additional controls, as well as
                                                                                                        risks.5 The DTCC Operational Risk                     the evaluation of the same risk against
                                                Assistant Secretary.
                                                                                                        Management group (‘‘ORM’’) would                      the strength of such controls; and (3)
                                                [FR Doc. 2017–21282 Filed 10–3–17; 8:45 am]
                                                                                                        maintain the Framework, on behalf of                  identification of any residual risk and a
                                                BILLING CODE 8011–01–P                                  the Clearing Agencies.6                               determination to either further mitigate
                                                                                                        B. Operational Risk Management                        such risk or accept such risk by the
                                                SECURITIES AND EXCHANGE                                                                                       applicable Clearing Agency Business or
                                                                                                          The Framework would describe how                    Clearing Agency Support Area.13
                                                COMMISSION                                              ORM is charged with establishing                         The Framework would then describe
                                                [Release No. 34–81745; File Nos. SR–DTC–                appropriate systems, policies,                        generally the responsibilities of ORM,
                                                2017–014; SR–NSCC–2017–013; SR–FICC–                    procedures, and controls to enable the                which is part of the second line of
                                                2017–017]                                               Clearing Agencies to identify plausible               defense within the Clearing Agencies’
                                                                                                        sources of Operational Risk.7                         ‘‘Three Lines of Defense’’ approach to
                                                Self-Regulatory Organizations; The                        Specifically, the Framework would                   risk management.14 The Framework
                                                Depository Trust Company; National                      describe how the Clearing Agencies                    would identify ORM responsibilities
                                                Securities Clearing Corporation; Fixed                  identify key risks, including Operational
                                                Income Clearing Corporation; Order                                                                              8 Id.
                                                Approving Proposed Rule Changes To                        1 15  U.S.C. 78s(b)(1).                               9 Id.
                                                Adopt the Clearing Agency Operational                     2 17 CFR 240.19b–4.                                   10 Id.

                                                Risk Management Framework                                 3 Securities Exchange Act Release No. 81338           11 Id.
                                                                                                        (August 8, 2017), 82 FR 36049 (August 14, 2017)         12 Id.
                                                September 28, 2017.                                     (SR–DTC–2017–014, SR–NSCC–2017–013, SR–                 13 Id.
                                                                                                        FICC–2017–017) (‘‘Notice’’).                            14 Id. The Three Lines of Defense approach to risk
                                                I. Introduction                                           4 Notice, 82 FR at 37943.
                                                                                                                                                              management identifies the roles and responsibilities
                                                                                                          5 Id.
                                                   On July 25, 2017, The Depository                                                                           of different Clearing Agency Businesses or Clearing
                                                                                                          6 Id. The parent company of the Clearing
                                                Trust Company (‘‘DTC’’), Fixed Income                                                                         Agency Support Areas in identifying, assessing,
sradovich on DSK3GMQ082PROD with NOTICES




                                                                                                        Agencies is The Depository Trust & Clearing           measuring, monitoring, mitigating, and reporting
                                                Clearing Corporation (‘‘FICC’’), and                    Corporation (‘‘DTCC’’). DTCC operates on a shared     certain key risks faced by the Clearing Agencies.
                                                National Securities Clearing Corporation                services model with respect to the Clearing           The Three Lines of Defense approach is more fully
                                                (‘‘NSCC,’’ each a ‘‘Clearing Agency,’’                  Agencies. Most corporate functions are established    described in a separate framework, the Clearing
                                                and collectively with DTC and FICC, the                 and managed on an enterprise-wide basis pursuant      Agency Risk Management Framework. See
                                                                                                        to intercompany agreements under which it is          Securities Exchange Act Release No. 81635
                                                ‘‘Clearing Agencies’’), filed with the                  generally DTCC that provides a relevant service to    (September 15, 2017), 82 FR 44224 (September 21,
                                                Securities and Exchange Commission                      a Clearing Agency.                                    2017)(SR–DTC–2017–013, SR–NSCC–2017–012,
                                                (‘‘Commission’’) proposed rule changes                    7 Notice, 82 FR at 37943.                           SR–FICC–2017–016).





                                                                             Federal Register / Vol. 82, No. 191 / Wednesday, October 4, 2017 / Notices                                            46333

including, but not limited to, management of the Risk Tolerance Statements, and working with the Clearing Agency Businesses and Clearing Agency Support Areas to create and monitor Risk Profiles.15

C. Information Technology Risks

The Framework would describe how the Clearing Agencies address information technology risks.16 The Framework would state that the DTCC Technology Risk Management group (‘‘TRM’’), on behalf of the Clearing Agencies, is responsible for establishing appropriate programs, policies, procedures, and controls with respect to the Clearing Agencies’ information technology risks.17 The Framework would indicate that these responsibilities would help respective Clearing Agency’s management to ensure that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity.18 The Framework would describe some of the recognized information technology standards that TRM may use to execute its responsibilities (as applicable).19

The Framework would also identify some of TRM’s responsibilities, including (1) performing risk assessments to, among other things, facilitate the determination of the Clearing Agencies’ investment and remediation priorities; (2) facilitating annual mandatory and periodic information security awareness, education, training, and communication to personnel of Clearing Agency Businesses and Clearing Agency Support Areas and relevant external parties; and (3) creating, implementing, and managing certain programs, including programs that (i) address information security throughout a system’s lifecycle, (ii) facilitate compliance with evolving and established regulatory rules and guidelines that govern protection of the information assets of the Clearing Agencies and their participants, (iii) identify, prioritize, and manage the level of cyber threats to the Clearing Agencies, and (iv) assure that access to Clearing Agency information assets is appropriately authorized and authenticated based on current business need.20

Additionally, the Framework would note that TRM’s risk strategy is closely aligned to the Clearing Agencies’ business drivers and future strategic direction.21 The Framework would state that such risk strategy allows the Clearing Agencies to achieve information security threat mitigation objectives, resiliency of infrastructure supporting Clearing Agency critical business applications, and operational reliability.22 The Framework would also describe how TRM’s early and consistent involvement in initiatives to develop new products and systems establishes this priority.23 The Framework would state that TRM is involved from the initial planning phase through the design, build, and operative phases of those initiatives, to address certain requirements.24 The Framework would then explain that TRM’s involvement specifically addresses effectiveness, reliability, and availability requirements of those initiatives, incorporating those requirements into the initiatives’ design and execution (from both a technology and cyber security perspective).25

The Framework would next describe the Clearing Agencies’ security strategy and defense, stating that the Clearing Agencies’ network security framework and preventive controls are designed to support a reliable and robust tiered security strategy and defense.26 The Framework would state that these controls include modern and technically advanced security firewalls, intrusion detection, system and data monitoring, and data protection tools.27 The Framework would also describe the Clearing Agencies’ enhanced security features and the standards they use to assess vulnerabilities and potential threats.28

D. Business Continuity Risks

Finally, the Framework would describe how the Clearing Agencies establish and maintain business continuity plans to address events that may pose significant business continuity risks (i.e., disrupting of Clearing Agency operations).29 The Framework would identify how the business continuity process for each Clearing Agency Business and Clearing Agency Support Area is ranked by the significance of a possible disruption to its operation.30 The Framework would explain that these rankings fall within a range of tiers, from 0 to 5, based on criticality to each applicable Clearing Agency’s operations (each a ‘‘Tier’’), where Tier 0 equates to critical operations or support of such operations for which virtually no downtime is permitted under applicable regulatory standards, and Tier 5 equates to non-essential operations or support of such operations for which recovery times of greater than five days is permitted.31

The Framework would state that each Clearing Agency Business and Clearing Agency Support Area annually updates its own business continuity plan, as well as reviews and ratifies its business impact analysis.32 The Framework would describe that the DTCC Business Continuity Management department (‘‘BCM’’) uses that analysis, on behalf of the Clearing Agencies, to validate the Business’ or Support Area’s current Tier ranking, described above.33 The Framework would identify the key elements of the business impact analysis, including (1) an assessment of the criticality of the applicable Clearing Agency Business or Clearing Agency Support Area, based on potential impact to the Clearing Agency; (2) an estimation of the maximum allowable downtime for the applicable Clearing Agency Business or Clearing Agency Support Area; and (3) the identification of dependencies, and the ranking of such dependencies to align with the criticality of the applicable Clearing Agency Business’s, or Clearing Agency Support Area’s, recovery.34

The Framework would describe the Clearing Agencies’ multiple data centers, and the emergency monitoring and back-up systems available at each site.35 The Framework would explain the capacity of the various data centers (including emergency monitoring and back-up systems).36 The Framework would also describe how the Clearing Agencies’ operating centers (which may include data centers) assist in recovery efforts, and explain how each Clearing Agency Business and Clearing Agency Support Area creates and deploys its own work-area recovery strategy to mitigate the loss of primary workspace and/or associated desktop technology, as well as for purposes of appropriately locating personnel.37 The Framework would further indicate how each work-area recovery strategy is developed and

15 Notice, 82 FR at 37943.
16 Id.
17 Id.
18 Id.
19 Id.
20 Id.
21 Id.
22 Notice, 82 FR at 37943–44.
23 Notice, 82 FR at 37944.
24 Id.
25 Id.
26 Id.
27 Id.
28 Id.
29 Id.
30 Id.
31 Id.
32 Id.
33 Id.
34 Id.
35 Id.
36 Id.
37 Id.





executed (based on the applicable Clearing Agency Business’ and Clearing Agency Support Area’s current Tier ranking, as described above).38

The Framework would describe the responsibilities of BCM in managing a disruptive business event.39 The Framework would state that managing a disruptive business event would include coordination with a team of representatives from each Clearing Agency Business and Clearing Agency Support Area.40 Finally, the Framework would describe how the Clearing Agencies conduct regular exercises used to simulate loss of Clearing Agency locations, and would describe some of the preventive measures the Clearing Agencies take with respect to business continuity risk management.41

III. Discussion and Commission Findings

Section 19(b)(2)(C) of the Act directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and rules and regulations thereunder applicable to such organization.42 After carefully considering the proposed rule changes, the Commission finds that the proposed rule changes are consistent with the requirements of the Act and the rules and regulations thereunder applicable to the Clearing Agencies. Specifically, the Commission finds that the proposed rule changes are consistent with Section 17A(b)(3)(F) of the Act 43 and Rules

as the supporting policies and procedures) used by the Clearing Agencies to identify, manage, and mitigate risks which threaten the Clearing Agencies’ ability to function.

By describing their Operational Risk practices in a clear and comprehensive manner, the Framework is designed to help the Clearing Agencies prevent and manage the risks that arise in, or are borne by, the Clearing Agencies. The Framework would explain how the Clearing Agencies identify and mitigate risks generally (through the Three Lines of Defense, Risk Tolerance Statements, and Risk Profiles), as well as how they specially identify and mitigate information technology risk (through the TRM’s efforts) and business continuity risk (through data centers and operational centers). By better managing the risks that arise in or are borne by the Clearing Agencies through such risk mitigation practices, the Framework is designed to help reduce the possibility that a Clearing Agency fails. By better positioning the Clearing Agencies to continue their critical operations and services, and mitigating the risk of financial loss contagion caused by a Clearing Agency failure, the Framework is designed to help assure the safeguarding of securities and funds which are in the custody or control of the Clearing Agencies, or for which they are responsible. Accordingly, the Commission believes that the proposed rule changes are consistent with Section 17A(b)(3)(F) of the Act.46

risks; and (iii) then identify governance process applicable to any breach of those tolerances. In this way, the Risk Tolerance Statements are designed to help the Clearing Agencies to identify and manage the internal and external risks. As also described above, the Framework would describe how the Risk Profiles are designed to serve a similar function, by serving as a tool for identifying and assessing inherent risks, and evaluating the controls around those risks. The Framework also describes the role of ORM, which includes oversight of both the Risk Tolerance Statements and Risk Profiles.

By describing the functions of the Risk Tolerance Statements and Risk Profiles, (which, together, are designed to (i) assist the Clearing Agencies in effectively managing their operational risks by identifying the plausible sources of operational risk, both internal and external, and (ii) assist the Clearing Agencies in mitigating the impact of those risks), and by describing the role of ORM in overseeing the Risk Tolerance Statements and Risk Profiles, the Commission believes the Framework is consistent with the requirements of Rule 17Ad–22(e)(17)(i).48

C. Consistency With Rule 17Ad–22(e)(17)(ii)

Rule 17Ad–22(e)(17)(ii) under the Act requires, in part, that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency’s
                                                17Ad–22(e)(17)(i)–(iii) under the Act.44                B. Consistency With Rule 17Ad–                         operational risks by ensuring that
                                                                                                        22(e)(17)(i)                                           systems have a high degree of security,
                                                A. Consistency With Section
                                                17A(b)(3)(F) of the Act                                    Rule 17Ad–22(e)(17)(i) under the Act                resiliency, operational reliability, and
                                                                                                        requires, in part, that each covered                   adequate, scalable capacity.49
                                                  Section 17A(b)(3)(F) of the Act                       clearing agency establish, implement,                     As noted above, the Framework
                                                requires, in part, that the rules of a                  maintain and enforce written policies                  would describe how the Clearing
                                                registered clearing agency be designed                  and procedures reasonably designed to                  Agencies manage their Operational Risk.
                                                to assure the safeguarding of securities                manage the covered clearing agency’s                   Specifically, the Framework would
                                                and funds which are in the custody or                   operational risks by identifying the                   describe TRM’s role and responsibilities
                                                control of the Clearing Agencies or for                 plausible sources of operational risk,                 in managing the Clearing Agencies’
                                                which they are responsible.45                           both internal and external, and                        information technology risks. In
                                                  As described above, the Framework                     mitigating their impact through the use                particular, the Framework would
                                                would describe how the Clearing                         of appropriate systems, policies,                      identify TRM’s (i) programs, systems,
                                                Agencies manage their Operational Risk.                 procedures, and controls.47                            and controls; (ii) information technology
                                                Specifically, the Frameworks would                         As described above, the Framework                   risk management standards; and (iii)
                                                describe how the Clearing Agencies                      would describe how the Risk Tolerance                  continuous role in product and project
                                                address their technology risks,                         Statements and the Risk Profiles assist                initiatives to address security issues
                                                information security risks, and their                   the Clearing Agencies identify and                     through the lifecycle of Clearing Agency
                                                business continuity risks. The                          mitigate the plausible sources of                      initiatives.
                                                Framework would describe the                            Operational Risk, both internal and                       The Framework thereby describes
                                                processes, systems, and controls (as well               external. As described above, the                      how TRM is designed to safeguard the
sradovich on DSK3GMQ082PROD with NOTICES




                                                  38 Id.
                                                                                                        Framework explains how the Risk                        integrity of the Clearing Agencies’
                                                  39 Id.
                                                                                                        Tolerance Statements (i) identify both                 information technology, as well as the
                                                  40 Id.                                                internal and external Clearing Agency                  standards against which TRM’s
                                                  41 Id.                                                risks; (ii) categorize the respective                  safeguards would be evaluated. In this
                                                  42 15 U.S.C. 78s(b)(2)(C).                            Clearing Agencies’ tolerance for those                 manner, the Framework is designed to
                                                  43 15 U.S.C. 78q–1(b)(3)(F).
                                                  44 17 CFR 240.17Ad–22(e)(17)(i)–(iii).                  46 Id.                                                 48 Id.
                                                  45 15 U.S.C. 78q–1(b)(3)(F).                            47 17    CFR 240.17Ad–22(e)(17)(i).                    49 17    CFR 240.17Ad–22(e)(17)(ii).



ensure that the Clearing Agencies' systems have a high degree of
security, resiliency, and operational reliability. Furthermore, as the
Framework indicates TRM's early and continuous involvement in the
Clearing Agencies' initiatives, the Framework reveals how TRM would
enable the Clearing Agencies to grow and evolve while accounting for
technology and cyber security concerns, thereby ensuring the Clearing
Agencies' adequate and scalable capacity.
    Therefore, by describing TRM's role and responsibilities in helping
the Clearing Agencies maintain systems with a high degree of security,
resiliency, operational reliability, and adequate, scalable capacity,
the Commission believes the Framework is consistent with the
requirements of Rule 17Ad-22(e)(17)(ii).\50\
-----------------------------------------------------------------------

    \50\ Id.
-----------------------------------------------------------------------

D. Consistency With Rule 17Ad-22(e)(17)(iii)

    Rule 17Ad-22(e)(17)(iii) under the Act requires, in part, that each
covered clearing agency establish, implement, maintain and enforce
written policies and procedures reasonably designed to manage the
covered clearing agency's operational risks by establishing and
maintaining a business continuity plan that addresses events posing a
significant risk of disrupting operations.\51\
-----------------------------------------------------------------------

    \51\ 17 CFR 240.17Ad-22(e)(17)(iii).
-----------------------------------------------------------------------

    As described above, the Framework would describe how the Clearing
Agencies establish and maintain business continuity plans.
Specifically, the Framework would describe the critical features of the
Clearing Agencies' business continuity plans to demonstrate how they
are designed to address events posing a significant risk of disrupting
the Clearing Agencies' operations. The Framework would also indicate
how each Clearing Agency Business and Clearing Agency Support Area
reviews and ratifies its respective plan and its business impact
analysis, relative to its assigned Tier. Therefore, as the Framework
describes how the Clearing Agencies establish and maintain their
business continuity plans, which are designed to address events posing
a significant risk of disrupting operations, the Commission believes
that the Framework is consistent with the requirements of Rule
17Ad-22(e)(17)(iii).\52\
-----------------------------------------------------------------------

    \52\ Id.
-----------------------------------------------------------------------

IV. Conclusion

    On the basis of the foregoing, the Commission finds that the
proposed rule changes are consistent with the requirements of the Act
and in particular with the requirements of Section 17A of the Act \53\
and the rules and regulations thereunder.
-----------------------------------------------------------------------

    \53\ 15 U.S.C. 78q-1.
-----------------------------------------------------------------------

    It is therefore ordered, pursuant to Section 19(b)(2) of the Act,
that proposed rule changes SR-DTC-2017-014, SR-NSCC-2017-013, and
SR-FICC-2017-017 be, and hereby are, approved.\54\
-----------------------------------------------------------------------

    \54\ In approving the Proposed Rule Changes, the Commission
considered the proposals' impact on efficiency, competition and capital
formation. 15 U.S.C. 78c(f).
-----------------------------------------------------------------------

    For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\55\
-----------------------------------------------------------------------

    \55\ 17 CFR 200.30-3(a)(12).
-----------------------------------------------------------------------

Eduardo A. Aleman,
Assistant Secretary.
[FR Doc. 2017-21273 Filed 10-3-17; 8:45 am]
BILLING CODE 8011-01-P

-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[SECURITIES EXCHANGE ACT OF 1934 Release No. 81760/September 28, 2017:
INVESTMENT COMPANY ACT OF 1940 Release No. 32842/September 28, 2017]

Exemptive Relief for Individuals and Entities Affected by Hurricanes
Harvey, Irma or Maria

    Order Under Section 15B, Section 17A and Section 36 of the
Securities Exchange Act of 1934 Granting Exemptions From Specified
Provisions of the Exchange Act and Certain Rules Thereunder
    Order Under Section 6(c) and Section 38(a) of the Investment
Company Act of 1940 Granting Exemptions From Specified Provisions of
the Investment Company Act and Certain Rules Thereunder

    In late August 2017, Hurricane Harvey caused catastrophic damage
along the Texas and Louisiana coast, in early September 2017, Hurricane
Irma caused catastrophic damage to the U.S. Virgin Islands, Puerto Rico
and the Florida coast, and, in mid-September 2017, Hurricane Maria
caused additional catastrophic damage to the U.S. Virgin Islands and
Puerto Rico. The storms and subsequent flooding have displaced
individuals and businesses and disrupted communications and
transportation across the affected regions. We are issuing this Order
to address the needs of companies and individuals with obligations
under the federal securities laws who have been directly or indirectly
affected by Hurricane Harvey, Hurricane Irma or Hurricane Maria and
their respective aftermaths.
    Section 15B(a)(4) of the Securities Exchange Act of 1934 (the
``Exchange Act'') provides that the Securities and Exchange Commission
(the ``Commission''), by rule or order, upon its own motion or upon
application, may conditionally or unconditionally exempt any broker,
dealer, municipal securities dealer or municipal advisor, or class of
brokers, dealers, municipal securities dealers, or municipal advisors
from any provision of Section 15B or the rules or regulations
thereunder, if the Commission finds that such exemption is consistent
with the public interest, the protection of investors and the purposes
of Section 15B.
    Section 36 of the Exchange Act authorizes the Commission, by rule,
regulation or order, to exempt, either conditionally or
unconditionally, any person, security or transaction, or any class or
classes of persons, securities or transactions, from any provision or
provisions of the Exchange Act or any rule or regulation thereunder, to
the extent that such exemption is necessary or appropriate in the
public interest, and is consistent with the protection of investors.
    Section 17A(c)(1) of the Exchange Act provides that the appropriate
regulatory agency, by rule or by order, upon its own motion or upon
application, may conditionally or unconditionally exempt any person or
security or class of persons or securities from any provision of
Section 17A or any rule or regulation prescribed under Section 17A, if
the appropriate regulatory agency \1\ finds that such exemption is in
the public interest and consistent with the protection of investors and
the purposes of Section 17A, including the prompt and accurate
clearance and settlement of securities transactions and the
safeguarding of securities and funds. Section 17A(c)(1) also requires
that the Commission not object to the use of exemptive authority in
instances where an appropriate regulatory authority other than the
Commission is providing exemptive relief.
-----------------------------------------------------------------------

    \1\ Section 3(a)(34)(B) of the Exchange Act defines ``appropriate
regulatory authority.''
-----------------------------------------------------------------------

    Section 6(c) of the Investment Company Act of 1940 (the ``Company
Act'') provides that the Commission may conditionally or
unconditionally exempt any person, security or transaction, or any
class or classes of persons, securities or transactions, from any
provision or provisions of the Company Act, or any rule or regulation
thereunder, if and to the extent that such exemption is necessary or
appropriate in the public interest and consistent with the protection
of






Document Created: 2018-10-25 09:56:08
Document Modified: 2018-10-25 09:56:08
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
FR Citation: 82 FR 46332
