[Federal Register Volume 82, Number 155 (Monday, August 14, 2017)]
[Notices]
[Pages 37942-37946]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-17043]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-81338; File Nos. SR-DTC-2017-014; SR-FICC-2017-017; SR-
NSCC-2017-013]
Self-Regulatory Organizations; The Depository Trust Company;
Fixed Income Clearing Corporation; National Securities Clearing
Corporation; Notice of Filings of Proposed Rule Changes To Adopt the
Clearing Agency Operational Risk Management Framework
DATE: August 8, 2017.
Pursuant to Section 19(b)(1) of the Securities Exchange Act of
1934, as amended (``Act'') \1\ and Rule 19b-4 thereunder,\2\ notice is
hereby given that on July 25, 2017, The Depository Trust Company
(``DTC''), Fixed Income Clearing Corporation (``FICC''), and National
Securities Clearing Corporation (``NSCC,'' and together with DTC and
FICC, the ``Clearing Agencies'') filed with the Securities and Exchange
Commission (``Commission'') the proposed rule changes as described in
Items I and II below, which Items have been prepared primarily by the
Clearing Agencies. The Commission is publishing this notice to solicit
comments on the proposed rule changes from interested persons.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
---------------------------------------------------------------------------
I. Clearing Agencies' Statement of the Terms of Substance of the
Proposed Rule Changes
The proposed rule changes would adopt the Clearing Agency
Operational Risk Management Framework (``Framework'') of the Clearing
Agencies, described below. The Framework would apply to both of FICC's
divisions, the Government Securities Division (``GSD'') and the
Mortgage-Backed Securities Division (``MBSD''). The Framework would be
maintained by the Clearing Agencies to support their compliance with
Rule 17Ad-22(e)(17) under the Act, as described below.\3\
---------------------------------------------------------------------------
\3\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
Although the Clearing Agencies would consider the Framework to be a
rule, the proposed rule changes do not require any changes to the
Rules, By-laws and Organization Certificate of DTC (``DTC Rules''), the
Rulebook of GSD (``GSD Rules''), the Clearing Rules of MBSD (``MBSD
Rules''), or the Rules & Procedures of NSCC (``NSCC Rules''), as the
Framework would be a standalone document.\4\
---------------------------------------------------------------------------
\4\ Capitalized terms not defined herein are defined in the DTC
Rules, GSD Rules, MBSD Rules, or NSCC Rules, as applicable,
available at http://dtcc.com/legal/rules-and-procedures.
---------------------------------------------------------------------------
[[Page 37943]]
II. Clearing Agencies' Statement of the Purpose of, and Statutory Basis
for, the Proposed Rule Changes
In their filings with the Commission, the Clearing Agencies
included statements concerning the purpose of and basis for the
proposed rule changes and discussed any comments they received on the
proposed rule changes. The text of these statements may be examined at
the places specified in Item IV below. The Clearing Agencies have
prepared summaries, set forth in sections A, B, and C below, of the
most significant aspects of such statements.
(A) Clearing Agencies' Statement of the Purpose of, and Statutory Basis
for, the Proposed Rule Changes
1. Purpose
The Clearing Agencies are proposing to adopt the Framework, which
would describe the manner in which each of the Clearing Agencies
manages operational risk, which is defined by the Clearing Agencies in
the Framework as the risk of direct or indirect loss or reputational
harm resulting from an event, internal or external, that is the result
of inadequate or failed processes, people, and systems (``Operational
Risk''). As described in more detail below, the Framework would set
forth the manner in which the Clearing Agencies (1) generally manage
Operational Risk; (2) more specifically manage their information
technology risks; and (3) more specifically manage their business
continuity risks. The processes and systems described in the Framework,
and any policies, procedures or other documents created to support
those processes, support the Clearing Agencies' compliance with the
requirements of Rule 17Ad-22(e)(17).\5\ The Framework would be
maintained by the DTCC Operational Risk Management group (``ORM''), on
behalf of the Clearing Agencies.\6\
---------------------------------------------------------------------------
\5\ 17 CFR 240.17Ad-22(e)(17).
\6\ The parent company of the Clearing Agencies is The
Depository Trust & Clearing Corporation (``DTCC''). DTCC operates on
a shared services model with respect to the Clearing Agencies. Most
corporate functions are established and managed on an enterprise-
wide basis pursuant to intercompany agreements under which it is
generally DTCC that provides a relevant service to a Clearing
Agency.
---------------------------------------------------------------------------
Operational Risk Management
The Framework would describe how the Clearing Agencies generally
manage their Operational Risks. The Framework would describe how ORM is
specifically charged with establishing appropriate systems, policies,
procedures, and controls to enable management to identify plausible
sources of Operational Risk in order to mitigate their impact to the
Clearing Agencies, including through the Risk Tolerance Statements and
Risk Profiles, as described below.
The Framework would describe how the Clearing Agencies identify key
risks and set metrics to categorize such risks (from ``no impact'' to
``severe impact'') through ``Risk Tolerance Statements.'' The Framework
would describe how the Risk Tolerance Statements document the overall
risk reduction or mitigation objectives for the Clearing Agencies with
respect to identified risks to the Clearing Agencies. The Framework
would also describe how the Risk Tolerance Statements document the risk
controls and other measures used to manage such identified risks,
including escalation requirements in the event of risk metric breaches.
The Framework would state that each Risk Tolerance Statement is
reviewed, revised, updated, and/or created, as necessary, by ORM on an
annual basis.
The Framework would also describe how the Clearing Agencies monitor
key risks, including Operational Risk, through ``Risk Profiles,'' which
document the assessment of risk for each of the Clearing Agencies'
businesses and support areas (each a ``Clearing Agency Business'' and/
or ``Clearing Agency Support Area''). The risk assessment documented in
these profiles includes (1) identification and assessment of inherent
risk, which is risk without any mitigating controls; (2) identification
of existing controls, and, as appropriate, any new additional controls,
and evaluation of the same risk against the strength of such controls;
and (3) identification of any residual risk and a determination to
either further mitigate such risk or accept such risk by the applicable
Clearing Agency Business or Clearing Agency Support Area.
The Framework would also provide a description of the
responsibilities of ORM, which is a part of the second line of defense
within the Clearing Agencies' Three Lines of Defense approach to risk
management.\7\ The Framework would identify some of those
responsibilities as including, for example, management of the Risk
Tolerance Statements and working with the Clearing Agency Businesses
and Clearing Agency Support Areas to create and monitor Risk Profiles.
---------------------------------------------------------------------------
\7\ The Three Lines of Defense approach to risk management
identifies the roles and responsibilities of different Clearing
Agency Businesses or Clearing Agency Support Areas in identifying,
assessing, measuring, monitoring, mitigating, and reporting certain
key risks faced by the Clearing Agencies. The Three Lines of Defense
approach is more fully described in a separate framework, the
Clearing Agency Risk Management Framework, maintained by the DTCC
General Counsel's Office. See SR-DTC-2017-013, SR-FICC-2017-016, SR-
NSCC-2017-012, which was filed with the Commission but has not yet
been published in the Federal Register. A copy of these proposed
rule change filings is available at http://www.dtcc.com/legal/sec-rule-filings.
---------------------------------------------------------------------------
Information Technology Risk
The Framework would describe how the Clearing Agencies address
information technology risks. The Framework would state that the DTCC
Technology Risk Management group (``TRM''), on behalf of the Clearing
Agencies, is responsible for establishing appropriate programs,
policies, procedures, and controls with respect to the Clearing
Agencies' information technology risks to help management ensure that
systems have a high degree of security, resiliency, operational
reliability, and adequate, scalable capacity. The Framework would
identify some of the recognized information technology standards that
may be used by TRM, as applicable, in support of executing its
responsibilities.
The Framework would also identify some of TRM's responsibilities,
which include, for example, (1) performing risk assessments to, among
other things, facilitate the determination of the Clearing Agencies'
investment and remediation priorities; (2) facilitating annual
mandatory and periodic information security awareness, education,
training, and communication to personnel of Clearing Agency Businesses
and Clearing Agency Support Areas and relevant external parties; and
(3) creating, implementing, and managing certain programs, including
programs that (i) address information security throughout a system's
lifecycle, (ii) facilitate compliance with evolving and established
regulatory rules and guidelines that govern protection of the
information assets of the Clearing Agencies and their participants,
(iii) identify, prioritize, and manage the level of cyber threats to
the Clearing Agencies, and (iv) assure that access to Clearing Agency
information assets is appropriately authorized and authenticated based
on current business need.
The Framework would state that TRM's risk strategy is closely
aligned to the Clearing Agencies' business drivers and future strategic
direction, such that efforts to achieve information security threat
mitigation objectives, resiliency of infrastructure supporting Clearing
Agency critical business applications,
[[Page 37944]]
and operational reliability are prioritized. The Framework would state
this is also accomplished through TRM's early and consistent
involvement in initiatives to develop new products and systems. The
Framework would state that, by involving TRM from the initial planning
phase, through the design, build and operative phases of those
initiatives, resiliency, operational effectiveness, reliability, and
availability requirements are addressed and incorporated into design
and execution from both a technology and cyber security perspective.
The Framework would also describe the Clearing Agencies' security
strategy and defense, and would state that the Clearing Agencies'
network security framework and preventive controls are designed to
support a reliable and robust tiered security strategy and defense.
These controls include modern and technically advanced security
firewalls, intrusion detection, system and data monitoring, and data
protection tools. The Framework would describe the Clearing Agencies'
enhanced security features and the standards they use to assess
vulnerabilities and potential threats.
Business Continuity Risk
Finally, the Framework would describe how the Clearing Agencies
have established and maintain business continuity plans to address
events that may pose a significant risk of disrupting their operations.
The Framework would describe how the business continuity process for
each Clearing Agency Business and Clearing Agency Support Area is
ranked within a range of tiers, from 0 to 5, based on criticality to
each applicable Clearing Agency's operations (each a ``Tier''), where
Tier 0 equates to critical operations or support of such operations for
which virtually no downtime is permitted under applicable regulatory
standards, and Tier 5 equates to non-essential operations or support of
such operations for which recovery times of greater than five days is
permitted.
The Framework would state that, on an annual basis, each Clearing
Agency Business and Clearing Agency Support Area updates its own
business continuity plan and reviews and ratifies its business impact
analysis. These analyses are used by the DTCC Business Continuity
Management department (``BCM''), on behalf of the Clearing Agencies, to
validate that business' or area's current Tier ranking. The Framework
would identify the key elements of these business impact analyses,
which include (1) an assessment of the criticality of the applicable
Clearing Agency Business or Clearing Agency Support Area, based on
potential impact to the Clearing Agency; (2) an estimation of the
maximum allowable downtime for the applicable Clearing Agency Business
or Clearing Agency Support Area; and (3) the identification of
dependencies, and ranking such dependencies to align with the process
criticality for recovery, of the applicable Clearing Agency Business or
Clearing Agency Support Area.
The Framework would describe the Clearing Agencies' multiple data
centers, and the emergency monitoring and back up systems available at
each site. The Framework would describe the capacity of the various
data centers. The Framework would also describe the Clearing Agencies'
operating centers, and would describe how each Clearing Agency Business
and Clearing Agency Support Area creates and deploys its own work area
recovery strategy to mitigate the loss of primary workspace and/or
associated desktop technology, as well as for purposes of social
distancing among personnel. The Framework would describe how each of
these work area recovery strategies is developed and executed, based on
the applicable Clearing Agency Business' and Clearing Agency Support
Area's current Tier ranking, as described above.
The Framework would describe the responsibilities of BCM in
managing a disruptive business event, which includes coordination with
a team of representatives from each Clearing Agency Business and
Clearing Agency Support Area. Finally, the Framework would describe how
the Clearing Agencies conduct regular exercises used to simulate loss
of Clearing Agency locations, and would describe some of the preventive
measures the Clearing Agencies take with respect to business continuity
risk management.
2. Statutory Basis
The Clearing Agencies believe that the proposed rule changes are
consistent with the requirements of the Act and the rules and
regulations thereunder applicable to a registered clearing agency. In
particular, the Clearing Agencies believe that the Framework is
consistent with Section 17A(b)(3)(F) of the Act \8\ and the subsections
cited below of Rule 17Ad-22(e)(17),\9\ promulgated under the Act, for
the reasons described below.
---------------------------------------------------------------------------
\8\ 15 U.S.C. 78q-1(b)(3)(F).
\9\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
Section 17A(b)(3)(F) of the Act requires, in part, that the rules
of a registered clearing agency be designed to promote the prompt and
accurate clearance and settlement of securities transactions, and to
assure the safeguarding of securities and funds which are in the
custody or control of the clearing agency or for which it is
responsible.\10\ As described above, the Framework would describe how
the Clearing Agencies manage their Operational Risk, technology and
information security risks, and their business continuity risks. The
processes, systems, and controls used by the Clearing Agencies to
identify, manage, and mitigate these risks, as described in the
Framework, and the policies and procedures that support these
activities, assist the Clearing Agencies to continue the prompt and
accurate clearance and settlement of securities transactions and
continue to assure the safeguarding of securities and funds which are
in their custody or control or for which they are responsible
notwithstanding the realization of these risks. Therefore, the Clearing
Agencies believe the Framework is consistent with the requirements of
Section 17A(b)(3)(F) of the Act.\11\
---------------------------------------------------------------------------
\10\ 15 U.S.C. 78q-1(b)(3)(F).
\11\ Id.
---------------------------------------------------------------------------
The Clearing Agencies believe that the Framework is consistent with
the requirements of each of the subsections of Rule 17Ad-22(e)(17),\12\
cited below, for the reasons described below.
---------------------------------------------------------------------------
\12\ 17 CFR 240.17Ad-22(e)(17).
---------------------------------------------------------------------------
Rule 17Ad-22(e)(17)(i) under the Act requires, in part, that each
covered clearing agency establish, implement, maintain and enforce
written policies and procedures reasonably designed to manage the
covered clearing agency's operational risks by identifying the
plausible sources of operational risk, both internal and external, and
mitigating their impact through the use of appropriate systems,
policies, procedures, and controls.\13\ The Framework would describe
how the Risk Tolerance Statements and the Risk Profiles both assist the
Clearing Agencies to identify the plausible sources of Operational
Risk, both internal and external. As described above, the Risk
Tolerance Statements identify both internal and external Clearing
Agency risks, categorize the respective Clearing Agencies' tolerance
for those risks, and then identify governance process applicable to any
breach of those tolerances. In this way, the Risk Tolerance Statements
allow the Clearing Agencies to identify and manage the risks they face.
As described above, the Risk Profiles serve a similar
[[Page 37945]]
function, by serving as a tool for identifying and assessing inherent
risks, and evaluating the controls around those risks. The Framework
also describes the role of ORM, which includes oversight of the Risk
Tolerance Statements and Risk Profiles. By describing the functions of
the Risk Tolerance Statements and Risk Profiles, which, together,
assist the Clearing Agencies in effectively managing their operational
risks by identifying the plausible sources of operational risk, both
internal and external, and by assisting the Clearing Agencies in
mitigating the impact of those risks, and by describing the role of ORM
in facilitating these tools, the Clearing Agencies believe the
Framework is consistent with the requirements of Rule 17Ad-
22(e)(17)(i).\14\
---------------------------------------------------------------------------
\13\ 17 CFR 240.17Ad-22(e)(17)(i).
\14\ Id.
---------------------------------------------------------------------------
Rule 17Ad-22(e)(17)(ii) under the Act requires, in part, that each
covered clearing agency establish, implement, maintain and enforce
written policies and procedures reasonably designed to manage the
covered clearing agency's operational risks by ensuring that systems
have a high degree of security, resiliency, operational reliability,
and adequate, scalable capacity.\15\ The Framework would describe the
role, and some of the responsibilities, of TRM, in managing the
Clearing Agencies' information technology risks and in helping the
Clearing Agencies maintain systems with a high degree of security,
resiliency, operational reliability, and adequate, scalable capacity.
The Framework would also describe the programs, systems, and controls
used by TRM in performing this function, and would identify some of the
standards on information technology risk management that may be used by
TRM in support of its responsibilities. The Framework would also
describe TRM's role in product and project initiatives to address
security issues through the lifecycle of an initiative. Therefore, by
describing the role and responsibilities of TRM in managing the
Clearing Agencies' information technology risks and in helping the
Clearing Agencies maintain systems with a high degree of security,
resiliency, operational reliability, and adequate, scalable capacity,
the Clearing Agencies believe the Framework is consistent with the
requirements of Rule 17Ad-22(e)(17)(ii).\16\
---------------------------------------------------------------------------
\15\ 17 CFR 240.17Ad-22(e)(17)(ii).
\16\ Id.
---------------------------------------------------------------------------
Rule 17Ad-22(e)(17)(iii) under the Act requires, in part, that each
covered clearing agency establish, implement, maintain and enforce
written policies and procedures reasonably designed to manage the
covered clearing agency's operational risks by establishing and
maintaining a business continuity plan that addresses events posing a
significant risk of disrupting operations.\17\ The Framework would
describe how the Clearing Agencies have established and maintain
business continuity plans, and would describe the critical features of
those plans to demonstrate how such plans address events posing a
significant risk of disrupting the Clearing Agencies' operations. The
Framework would also describe how each Clearing Agency Business and
Clearing Agency Support Area reviews and ratifies its respective plan
and its business impact analysis, relative to its assigned Tier.
Therefore, through this description of the establishment, management
and maintenance of the business continuity plans of the Clearing
Agencies, the Clearing Agencies believe the Framework is consistent
with the requirements of Rule 17Ad-22(e)(17)(iii).\18\
---------------------------------------------------------------------------
\17\ 17 CFR 240.17Ad-22(e)(17)(iii).
\18\ Id.
---------------------------------------------------------------------------
(B) Clearing Agencies' Statement on Burden on Competition
None of the Clearing Agencies believe that the Framework would have
any impact, or impose any burden, on competition because the proposed
rule changes reflect some of the existing methods by which the Clearing
Agencies manage Operational Risk, including their management of
information technology and business continuity risks, and would not
effectuate any changes to the Clearing Agencies' processes described
therein as they currently apply to their respective participants.
(C) Clearing Agencies' Statement on Comments on the Proposed Rule
Changes Received From Members, Participants, or Others
The Clearing Agencies have not solicited or received any written
comments relating to this proposal. The Clearing Agencies will notify
the Commission of any written comments received by the Clearing
Agencies.
III. Date of Effectiveness of the Proposed Rule Changes, and Timing for
Commission Action
Within 45 days of the date of publication of this notice in the
Federal Register or within such longer period up to 90 days (i) as the
Commission may designate if it finds such longer period to be
appropriate and publishes its reasons for so finding or (ii) as to
which the clearing agency consents, the Commission will:
(A) By order approve or disapprove such proposed rule changes, or
(B) institute proceedings to determine whether the proposed rule
changes should be disapproved.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views and
arguments concerning the foregoing, including whether the proposed rule
changes are consistent with the Act. Comments may be submitted by any
of the following methods:
Electronic Comments
Use the Commission's Internet comment form (http://www.sec.gov/rules/sro.shtml); or
Send an email to [email protected]. Please include
File Number SR-DTC-2017-014, SR-FICC-2017-017, or SR-NSCC-2017-013 on
the subject line.
Paper Comments
Send paper comments in triplicate to Secretary, Securities
and Exchange Commission, 100 F Street NE., Washington, DC 20549.
All submissions should refer to File Number SR-DTC-2017-014, SR-FICC-
2017-017, or SR-NSCC-2017-013. One of these file numbers should be
included on the subject line if email is used. To help the Commission
process and review your comments more efficiently, please use only one
method. The Commission will post all comments on the Commission's
Internet Web site (http://www.sec.gov/rules/sro.shtml). Copies of the
submission, all subsequent amendments, all written statements with
respect to the proposed rule changes that are filed with the
Commission, and all written communications relating to the proposed
rule changes between the Commission and any person, other than those
that may be withheld from the public in accordance with the provisions
of 5 U.S.C. 552, will be available for Web site viewing and printing in
the Commission's Public Reference Room, 100 F Street NE., Washington,
DC 20549 on official business days between the hours of 10:00 a.m. and
3:00 p.m. Copies of the filing also will be available for inspection
and copying at the principal office of the Clearing Agencies and on
DTCC's Web site (http://dtcc.com/legal/sec-rule-filings.aspx). All
comments received will be posted without change; the Commission does
not edit personal identifying information from submissions. You should
submit only
[[Page 37946]]
information that you wish to make available publicly. All submissions
should refer to File Number SR-DTC-2017-014, SR-FICC-2017-017, or SR-
NSCC-2017-013 and should be submitted on or before September 5, 2017.
---------------------------------------------------------------------------
\19\ 17 CFR 200.30-3(a)(12).
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\19\
Eduardo A. Aleman,
Assistant Secretary.
[FR Doc. 2017-17043 Filed 8-11-17; 8:45 am]
BILLING CODE 8011-01-P