2022-20728. Self-Regulatory Organizations; the Options Clearing Corporation Notice of Filing of Proposed Rule Change by the Options Clearing Corporation Concerning a Risk Management Framework and Corporate Risk Management Policy  

  • September 20, 2022.

    Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Exchange Act” or “Act”),[1] and Rule 19b-4 thereunder,[2] notice is hereby given that on September 6, 2022, the Options Clearing Corporation (“OCC”) filed with the Securities and Exchange Commission (“SEC” or “Commission”) the proposed rule change as described in Items I, II, and III below, which Items have been prepared by OCC. The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.

    I. Clearing Agency's Statement of the Terms of Substance of the Proposed Rule Change

    OCC files this proposed rule change to adopt a revised Risk Management Framework (“RMF”) as well as a new Corporate Risk Management Policy (“CRMP”). The RMF and CRMP are provided in Exhibits 5A and 5B of File No. SR-OCC-2022-010. The RMF and CRMP would replace the current OCC Risk Management Framework Policy (“RMF Policy”). These documents are being submitted without marking to improve readability and are being submitted in their entirety as new rule text. The RMF Policy, provided as Exhibit 5C of File No. SR-OCC-2022-010, is submitted entirely in strikethrough text to indicate its retirement. In addition, OCC submits corresponding changes to its Clearing Fund Methodology Policy, Collateral Risk Management Policy, Default Management Policy, Margin Policy, Model Risk Management Policy, Recovery and Orderly Wind-Down Plan, and Third-Party Risk Management Framework (“TPRMF”) (collectively, the “OCC Risk Policies”) to update any reference to the RMF Policy to refer instead to the proposed RMF. The OCC Risk Policies are provided as Exhibits 5D-5J of File No. SR-OCC-2022-010. OCC submitted Exhibits 5D through 5I subject to a confidential treatment request under SEC Rule 24b-2.[3]

    The proposed rule change does not require any changes to the text of OCC's By-Laws or Rules. All terms with initial capitalization that are not otherwise defined herein have the same meaning as set forth in the OCC By-Laws and Rules.[4]

    II. Clearing Agency's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

    In its filing with the Commission, OCC included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. OCC has prepared summaries, set forth in sections (A), (B), and (C) below, of the most significant aspects of these statements.

    (A) Clearing Agency's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

    (1) Purpose

    OCC maintains various documents designed to define a comprehensive framework for managing OCC's various risks, including financial, legal, and operational risks. OCC's RMF Policy serves as an umbrella document describing OCC's framework for managing risk at a high level. As required by SEC Rule 17Ad-22(e)(3)(i), OCC routinely reviews its policies and procedures for potential improvements, such as providing more comprehensive descriptions and definitions as well as making the documents more clear, internally consistent, and well organized. Based on its routine review of the existing RMF Policy, OCC believes it should replace its current RMF Policy with two, more detailed documents. By making this change, described in detail below, OCC intends to enhance the clarity and transparency of its overall risk management framework. The change to OCC's documents will not affect OCC's members or other market participants. Rather, it is intended to better describe and strengthen OCC's internal risk management processes.

    Background

    OCC proposes to amend its existing RMF Policy[5] by establishing the RMF and CRMP. OCC believes the revised documents enhance the clarity and transparency of its overall risk management framework and, once approved, OCC plans to make the RMF and CRMP publicly available on its website (www.theocc.com). OCC believes the proposed revised RMF would continue to provide a foundation to support and describe the risk management policies, procedures, and systems that make up OCC's sound risk management framework.

    In undertaking this revision of the RMF Policy, OCC is seeking to present its approach to risk management more clearly. The RMF Policy presents detailed information about OCC's second line functions, while also summarizing information about other risk management functions at OCC. OCC believes that the proposed RMF presents a clear summary of OCC's overall approach to risk management across its three lines of defense and, if necessary, its planning for recovery and wind-down. Consistent with the presentation of OCC's risk management across its three lines of defense, the RMF would refer to the CRMP, which would contain the detail behind OCC's second line corporate risk management program. OCC believes this is consistent with its approach to providing detailed information about its various functions in documents that stand separate from, but support and provide detail about the risk management activities summarized in, its proposed RMF.[6]

    The proposed RMF would provide an overview of risk management at OCC. The proposed RMF introduces the categories of risk OCC faces and then explains how OCC manages these risks. The proposed RMF includes an overview of OCC's risk universe, descriptions of risk management practices across OCC's three lines of defense model, a discussion of how OCC is also prepared, if necessary, with tools to manage both recovery and orderly wind-down, and the requirement to escalate exceptions to and deviations from OCC's risk management frameworks and policies to OCC's Corporate Risk Management and Compliance departments.

    The proposed CRMP would support the proposed RMF by explaining in greater detail OCC's risk management activities related to the second line of defense corporate risk management program. The proposed CRMP would explain that the OCC Corporate Risk Management department (“Corporate Risk”), formerly referred to as the Enterprise Risk Management department (“ERM”),[7] evaluates risks that may affect OCC's ability to perform the functions detailed in the proposed RMF. As discussed below, the proposed CRMP would provide an overview of the activities overseen by Corporate Risk to identify, measure, monitor, manage, report, and escalate risks. Certain of this information is currently included in the RMF Policy, but OCC believes, consistent with other areas of risk managed by OCC, the details about its corporate risk management program should reside in the proposed CRMP. Other information would be new, including sections to describe Corporate Risk's risk monitoring, risk treatment, and risk escalation and training processes. Exhibit 3 to File No. SR-OCC-2022-010 summarizes the proposed reorganization of the RMF Policy into the RMF and CRMP.

    Proposed Changes to Risk Management Framework Policy

    The proposed revisions to the RMF Policy are designed to present OCC's approach to risk management more clearly. For example, the RMF Policy currently presents detailed information about both the financial and corporate risk management functions at OCC. OCC proposes to adopt a new RMF to more clearly describe its overall risk framework. OCC also proposes to adopt a new CRMP to describe its approach to corporate risk management in more detail. The proposed changes to the current RMF Policy are discussed in detail below.

    Purpose Section

    The purpose section of the RMF Policy would be replaced with purpose and introduction sections of the new RMF and CRMP, respectively. These sections would be revised to reflect the reorganization of content in the RMF Policy in the new RMF and CRMP, focusing on the purpose and intent of each of the newly proposed documents. For example, the purpose of the proposed RMF would be to: (i) describe how OCC manages risk while providing efficient and effective clearing and settlement services to the markets it serves; (ii) explain how OCC's governance model and three lines of defense facilitate risk management; and (iii) address OCC's ability to employ recovery tools and facilitate an orderly wind-down. The purpose of the proposed CRMP would be to describe OCC's corporate risk management approach, including activities to identify, measure, monitor, manage, report, and escalate risks to inform decision-making.

    Context for Risk Management Framework and Risk Management Philosophy

    OCC proposes to delete the Context for Risk Management Framework and Risk Management Philosophy sections of the RMF Policy from the proposed RMF. OCC believes these sections provide history and background information about OCC and its purpose in the financial markets, but do not contain rules of OCC. Additionally, OCC believes the information presented in the Risk Management Philosophy section serves as an additional purpose section and that all items highlighted in this section are covered in the proposed RMF or CRMP. For example, OCC's approach relative to risk appetite is mentioned in the Risk Management Philosophy section but is covered in more comprehensive detail in the CRMP.

    Risk Appetite Framework and Tolerance

    The RMF Policy describes OCC's risk appetite framework, including descriptions of OCC's use of a risk universe, risk appetites,[8] and risk tolerances.[9] The RMF Policy also describes the use of Key Risks[10] and Risk Sub-categories to define the universe of risks faced by OCC and the Risk Appetite Statements[11] assigned to such risks. OCC proposes to relocate this information to the Risk Governance section of the proposed CRMP. However, an overview of OCC's risk universe would be retained in the RMF, including a description of the main risk categories and that, pursuant to the CRMP, these categories are broken down to risk sub-categories and risk statements, as described below, which comprise OCC's risk universe that OCC manages through the three lines of defense model to maintain effective clearing and settlement operations.

    The proposed CRMP would state that the establishment and maintenance of OCC's risk universe, risk appetites, risk tolerances, and risk rating scales is facilitated by Corporate Risk and used across OCC to create a transparent means to manage risk. The proposed CRMP would also state that Corporate Risk establishes the risk universe, which organizes OCC's risks into the following three layers to classify and aggregate risks:

    • Risk categories, which are the highest-level groups of risk aggregation;
    • Risk sub-categories, which further classify risks within risk categories into detailed groups; and
    • Risk statements, which are descriptions of the drivers, events, and consequences of risks.

    The terms “risk categories,” “risk sub-categories,” and “risk statements” essentially represent the Key Risks, Sub-categories, and Definitions that are discussed in the current RMF Policy. OCC believes the proposed terms better describe the elements that comprise OCC's risk universe and the relationship between them.

    Risk categories, sub-categories, appetites, and tolerances would continue to be reviewed on at least an annual basis. Under the current RMF, Key Risks are approved by OCC's Board and risk appetites for Key Risks are set by the business departments responsible for those risks in cooperation with ERM. Under the proposed CRMP, the risk universe would be owned and approved by the Chief Risk Officer (“CRO”) and provided to the Management Committee. OCC believes the Chief Risk Officer, who is responsible for OCC's corporate risk management function, is the officer best situated to manage the risk universe. Changes to the RMF to reflect any changes to risk categories would continue to require Board approval. In addition, the Board or the Risk Committee, if the Board has delegated the Risk Committee such authority,[12] would ultimately be responsible for approving risk appetites, which establish the type and amount of risk OCC is willing to accept. OCC believes that the Board or Risk Committee are best positioned to approve risk appetites because of their oversight role with respect to OCC's risk management. Additionally, the Board or Risk Committee would continue to be responsible for approving risk tolerances.

    The proposed CRMP would also provide additional details around the internal governance process for reviewing and approving risk categories, appetites, and tolerances and for monitoring risk tolerances. For example, the proposed CRMP would state that at least every twelve months, Corporate Risk determines whether updates to the risk universe are necessary to better align risk categories, sub-categories, and statements with OCC's clearance, settlement and risk management services. The proposed CRMP would require that risk category and sub-category updates are approved by the CRO while risk statements are approved by Corporate Risk management. The proposed CRMP would further provide that the Management Committee and Board are then notified of updates to risk categories and sub-categories.

    The proposed CRMP would state that at least every twelve months, risk appetites are established at a risk sub-category level and presented by the CRO to the Management Committee for recommendation to the Board or Risk Committee for approval. The proposed CRMP would require that Risk Owners manage the level of risk exposure posed by a process against risk appetites.[13] The proposed CRMP would state that Corporate Risk monitors risks to identify breaches of risk appetite. The proposed CRMP would also provide that risk appetite breaches are escalated by the CRO to the Management Committee, Risk Committee, and Board. The proposed CRMP would state that Risk Owners, with input from relevant business areas, develop and execute risk treatment plans to reduce risks that exceed OCC's risk appetites.[14] The proposed CRMP would state that at least every twelve months, Corporate Risk and Risk Owners review risk appetites and, where necessary, make adjustments to align with OCC's clearance, settlement and risk management services. The proposed CRMP would state that the CRO reviews and presents changes to risk appetites to the Management Committee for recommendation to the Board for approval. OCC proposes to remove the more general risk appetite statement definitions (i.e., no appetite, low appetite, moderate appetite, and high appetite), which are currently described in the RMF Policy, and would instead use more detailed qualitative risk appetite statements for each risk sub-category following the governance process described above.

    With respect to risk tolerances, the proposed CRMP would state that Risk Owners are responsible for managing applicable risks within established tolerances and developing risk treatment plans to resolve breaches of risk tolerance. The proposed CRMP would require that risk tolerance breaches are escalated by the CRO to the Management Committee, Risk Committee, and Board. The proposed CRMP would state that at least every twelve months, Corporate Risk and Risk Owners review risk tolerances and, where necessary, make adjustments to align with OCC's services. The proposed CRMP would state that the CRO reviews and presents changes to risk tolerances to the Management Committee for recommendation to the Board for approval. As discussed below in connection with the monitoring of key risk indicators, the CRO would also monitor and report risk, including risk tolerance breaches, to the Board at each regularly scheduled meeting. OCC notes that it also proposes to change the reporting cadence to align with the timing of Board meetings to reflect that Board meetings typically, but do not always, occur on a quarterly schedule.[15]

    The proposed CRMP would also introduce the concept of risk rating scales, which provide an assessment of risk from an impact and likelihood perspective consistently across OCC. The proposed CRMP would state that OCC's risk rating scales rate the magnitude of impact an event will have on a process and the likelihood an event will occur. The proposed CRMP would state that the impact risk rating scale considers operational, internal financial, external financial, legal and regulatory, and reputational impacts. The proposed CRMP would state that the likelihood risk rating scale considers a 10-year financial cycle and yearly corporate planning activities. The proposed CRMP would state that these risk rating scales are used to measure inherent and residual risk at a risk statement level. The proposed CRMP would state that inherent risk is the level of risk exposure posed by a process absent any controls to reduce the likelihood or severity of an event. The proposed CRMP would state that residual risk is the level of risk exposure posed by a process or activity after the application of controls or other risk-mitigating factors. The proposed CRMP would state that at least every twelve months, Corporate Risk and Risk Owners perform a review of the risk rating scales. The proposed CRMP would state that the CRO reviews and approves changes to the risk scales. The proposed CRMP would state that the Management Committee and Board are notified of changes to the risk rating scales.

    OCC believes the proposed CRMP would provide a more comprehensive overview of OCC's risk governance framework and would include changes intended to improve certain processes therein. The proposed CRMP would provide additional details around the internal governance process for reviewing and approving risk categories, appetites, and tolerances and for monitoring risk tolerances and would describe OCC's risk rating scale process. The proposed changes would also improve the governance process for the risk universe by allowing the CRO to modify risk categories as needed, with oversight of Management Committee, the Risk Committee and the Board, and provide the Board or Risk Committee with more direct responsibility for setting the appetites for those risks.

    Risk Management Governance

    OCC proposes to relocate the Risk Management Governance section of the current RMF Policy to a new Governance section of the proposed RMF with certain modifications. OCC proposes to update the description of the responsibilities of the Board, which are generally already addressed in the Board of Directors Charter and Corporate Governance Principles (“Board Charter”),[16] which is filed with the Commission as a rule of OCC.[17] The proposed RMF would state that the Board is responsible for advising and overseeing management. The proposed RMF would state that pursuant to the OCC Board of Directors Charter and Corporate Governance Principles, the CRO presents a review of the RMF to the Board for approval at least annually. The proposed RMF would state that the Board may delegate the oversight of specific risks to Board-level committees (“Committees”).[18] The proposed RMF would state that the Board may form or disband committees, including subcommittees to manage specific risks, as it from time to time deems appropriate, and may delegate authority to one or more designated members of such committees. The proposed RMF would state that the responsibilities of Board committees regarding managing risks are outlined in committee charters.

    OCC also proposes to update the description of the responsibilities of the Management Committee and working groups in the new RMF. The proposed RMF would state that OCC's Management Committee supports the management and conduct of its business in accordance with policy directives from the Board. The proposed RMF would state that the Management Committee includes officers[19] responsible for ensuring that its actions and decisions are consistent with OCC's mission, Code of Conduct, Rules and By-Laws, policies, procedures, and general principles of sound corporate governance. The proposed RMF would state that the CRO is a member of the Management Committee and reports to the Risk Committee. The proposed RMF would state that the Management Committee may form and delegate authority to subcommittees and working groups of employees to conduct certain of its activities. The proposed RMF would state that subcommittees and working groups are responsible for reporting and escalating information as may be appropriate. This would replace the current description in the RMF Policy, which primarily relates to the committee's role and responsibilities in reviewing and recommending changes to OCC's risk universe, including risk appetites and tolerances, and escalating breaches of such to the Board. These responsibilities would now be addressed in the proposed CRMP (as discussed in the Risk Appetite Framework and Tolerance section above).

    The Governance section of the proposed RMF would also be updated to include a description of the responsibilities of OCC employees. The proposed RMF would state that OCC considers risk management during employee recruitment, development, training, and succession planning. The proposed RMF would state that OCC recruits and retains personnel with appropriate risk management knowledge, skills, and competencies. The proposed RMF would state that OCC also identifies successors for designated officers based on knowledge and experience. The proposed RMF would state that OCC provides internal and external development opportunities including required training related to risk, compliance, security, conflicts of interest, escalation of concerns, and the OCC Code of Conduct. The proposed RMF would state that OCC provides outlets for employees to anonymously report concerns that are reviewed by OCC's Compliance, Human Resources, and Legal departments.

    Identification of Key Risks

    The RMF Policy currently contains an Identification of Key Risks section that defines OCC's Key Risks and provides a brief description of OCC's policies and procedures for managing each of those Key Risks and their respective Risk Sub-Categories. OCC proposes to replace the Identification of Key Risks section with a new OCC Risk Management section of the proposed RMF, which would be reorganized to focus on the three lines of defense model currently described in the RMF Policy and describe the types of risks managed by each line of defense. The new OCC Risk Management section of the RMF would: (i) restate existing content of the RMF; (ii) introduce new content not currently contained in OCC's RMF Policy; and (iii) delete certain aspects of the RMF Policy. The changes are discussed in detail below.

    The proposed RMF would state that OCC employs a three lines of defense model. The proposed RMF would state that the model clarifies ownership and accountability and enhances communication for expectations around risk management throughout the organization. The proposed RMF would state that the first line of defense maintains policies, procedures, processes, and controls established for day-to-day risk management. The proposed RMF would state that the second line of defense evaluates and provides effective challenge to the first line by executing critical analysis to identify process limitations and recommending changes to relevant policies, procedures, processes, systems, and controls. Lastly, the proposed RMF would state that the third line of defense is an internal audit function that reviews and provides objective assurance to the first and second lines. The proposed RMF would state that OCC employees report to members of the Management Committee. Consistent with the OCC Employee Code of Conduct, employees are expected to escalate risk information through their reporting line or to other members of management. The proposed RMF would state that risks identified at OCC are reported to the Management Committee and Board consistent with relevant charters and policies.

    First Line of Defense

    The proposed RMF would state that the risk inherent in OCC's clearing and settlement services is managed by the first line of defense, which is responsible for owning and managing risks by maintaining policies, procedures, processes, systems, and controls that manage relevant risks. The proposed RMF would state that the first line of defense is comprised of OCC's operational business units, including Financial Risk Management (“FRM”), Business Operations, Information Technology, and Corporate Finance, and also includes corporate functions such as human resources and project management. The proposed RMF would state that the first line of defense is also accountable for maintaining internal controls, control self-testing, and implementing corrective action to address control deficiencies. The proposed RMF would state that the first line of defense maintains policies and associated procedures that detail the processes and controls implemented across business units which are used to execute risk management related to the clearing and settlement services detailed below.

    Membership Standards

    The proposed RMF would state that Membership standards are established by the Board and risk managed by OCC's Business Operations, FRM and Information Technology in accordance with OCC's TPRMF. The proposed RMF would state that OCC has risk-based clearing membership standards to manage the risks arising from Clearing Members. The proposed RMF would state that these requirements include applicable registrations, net capital requirements, creditworthiness, adequate operational capabilities, and maintaining qualified personnel. The proposed RMF would state that the Risk Committee reviews these standards to ensure OCC provides fair and open access to clearing and settlement services. The proposed RMF would state that Clearing Members that fail to meet the membership standards face the possibility of consequences up to and including suspension.

    Credit

    The proposed RMF would state that OCC's credit risk is managed by Business Operations, FRM, and Corporate Finance. The proposed RMF would state that OCC is exposed to credit risk based on its role as guarantor of cleared contracts. The proposed RMF would state that OCC has credit risk related to Clearing Members and manages this exposure by collecting margin and Clearing Fund resources based on a Clearing Member's risk profile. The proposed RMF would state that OCC also faces credit risk from other financial institutions that facilitate payment, clearing, and settlement activities (e.g., clearing banks, custodians, and linked financial market utilities). The proposed RMF would state that FRM monitors its credit risk related to Clearing Members and financial institutions consistent with the TPRMF. The proposed RMF would state that FRM analyzes the creditworthiness of each financial institution, in addition to other information that could impact the financial institution's ability to facilitate payment, clearing, and settlement services.

    Clearing Fund

    The proposed RMF would state that OCC's Clearing Fund is managed by FRM and Business Operations. The proposed RMF would state that OCC maintains a Clearing Fund comprised of high-quality liquid assets to cover its credit risk exposure from Clearing Members in accordance with OCC's confidential Clearing Fund Methodology Policy and Chapter X of OCC's Rules. The proposed RMF would state that FRM uses stress tests to project the Clearing Fund size necessary to maintain prefunded financial resources to cover losses arising from the default of the two Clearing Member Groups that would potentially cause the largest aggregate credit exposure to OCC in extreme but plausible market conditions. The proposed RMF would state that FRM also uses stress test results to determine the sufficiency of the Clearing Fund size and determine whether to issue calls for additional collateral or perform an intra-month Clearing Fund resizing. The proposed RMF would state that FRM reviews the adequacy of its Clearing Fund models through sensitivity analysis and an analysis of its parameters and assumptions. The proposed RMF would state that FRM reports the results of Clearing Fund model reviews to the Board.

    Margin

    The proposed RMF would state that OCC's margin is managed by FRM and Business Operations. The proposed RMF would state that FRM utilizes a risk-based margin methodology to calculate Clearing Member margin requirements in accordance with OCC's confidential Margin Policy and Chapter VI of OCC's Rules. The proposed RMF would state that FRM calculates margin daily for Clearing Member accounts. The proposed RMF would state that Intra-day margin calls may also be made for accounts incurring significant losses. The proposed RMF would state that FRM reviews the adequacy of its margin models through sensitivity analysis, backtests, and an analysis of its parameters and assumptions. The proposed RMF would state that FRM reports the results of margin model reviews to the Board.

    Collateral

    The proposed RMF would state that OCC's collateral risk is managed by Business Operations, Corporate Finance, and FRM in accordance with OCC's confidential Collateral Risk Policy and OCC Rules 604 and 1002. The proposed RMF would state that OCC requires its Clearing Members to deposit collateral as margin and Clearing Fund. The proposed RMF would state that OCC limits acceptable assets to those with low credit, market, and liquidity risks, and employs other risk mitigation tools, including collateral concentration limits. The proposed RMF would state that FRM applies risk-based haircuts and Business Operations revalues collateral daily to ensure margin and Clearing Fund requirements are met.

    Default Management

    The proposed RMF would state that OCC's default management risk is managed by FRM in accordance with OCC's confidential Default Management Policy and Chapter XI of OCC's Rules. The proposed RMF would state that in the event of a Clearing Member default, OCC takes timely action to contain losses and liquidity pressures and continue to meet its obligations. The proposed RMF would state that OCC closes open positions in an orderly manner, which may include performing auctions, utilizing liquidation agents, or applying hedges. The proposed RMF would state that Margin and Clearing Fund deposits of the defaulting Clearing Member are used to offset these losses, followed by other financial resources. The proposed RMF would state that OCC performs default testing with the participation of designated Clearing Members and other stakeholders to evaluate its processes and systems, including close-out processes.

    The newly proposed Membership Standards, Credit, Clearing Fund, Margin, Collateral, and Default Management sections of the RMF would effectively replace the Credit Risk Management Framework section of OCC's RMF Policy and refer to the same OCC Risk Policies currently maintained by OCC (and described in the RMF) to address such risks and which are currently filed with the Commission as rules of OCC (e.g., the Margin Policy,[20] Clearing Fund Methodology Policy,[21] Collateral Risk Management Policy,[22] Default Management Policy,[23] and TPRMF[24]).

    Liquidity

    The proposed RMF would state that OCC's liquidity risk is managed by FRM and Corporate Finance. The proposed RMF would state that OCC manages its liquidity risk in accordance with its confidential Liquidity Risk Management Framework by maintaining a reliable and diverse set of committed resources and liquidity providers, establishing a contingent funding plan to collect additional resources, and performing stress testing that covers a wide range of scenarios that include the default of the Clearing Member Group that would generate the largest aggregate liquidity obligation in extreme but plausible market conditions. The proposed RMF would state that FRM also tests the sufficiency of its resources by forecasting daily settlement under normal and stressed market conditions and compares these results to the liquid resources maintained. The proposed RMF would state that FRM reports the results of these reviews to the Board. The new Liquidity section of the proposed RMF would replace the Liquidity Risk Management Framework section of the current RMF Policy and would summarize and refer to OCC's Liquidity Risk Management Framework as the governing document for managing OCC's liquidity risks while removing certain summary information that is more specifically addressed in the Liquidity Risk Management Framework.[25]

    Settlement

    The proposed RMF would add a new section specifically discussing settlement risk (which is currently addressed indirectly in the Operational Risk section of the RMF Policy). The proposed RMF would state that OCC's settlement risk is managed by Business Operations in accordance with Chapters V and IX of OCC's Rules. The proposed RMF would state that OCC uses clearing banks to facilitate settlements on at least a daily basis. The proposed RMF would state that OCC issues instructions to clearing banks to debit or credit the account of a Clearing Member, and correspondingly debit or credit OCC's account, with a specific dollar amount by a specified time. The proposed RMF would state that settlement finality occurs when a clearing bank confirms the settlement instruction or is silent past the applicable deadline.

    Custody and Investment

    The proposed RMF would state that OCC's custody and investment risk is managed by its Corporate Finance department, Business Operations, and FRM in accordance with OCC Rules 604 and 1002(b). The proposed RMF would state that OCC holds its own and its Clearing Members' assets at settlement and custodian banks, as well as at other financial market utilities. The proposed RMF would state that OCC requires settlement and custodian banks to meet minimum financial and operational requirements. The proposed RMF would state that OCC complies with applicable customer protection and segregation requirements for the handling of customer funds. The proposed RMF would state that OCC maintains working capital and non-invested Clearing Member cash in accounts that minimize delays in access to funds. The proposed RMF would state that OCC maintains accounts at the Federal Reserve to custody funds. The proposed RMF would state that OCC invests in instruments with minimal credit, market, and liquidity risks. The new Custody and Investment section of the proposed RMF would effectively replace the Investment Risk section of the RMF Policy, which also discusses OCC's use of Federal Reserve bank accounts and the investment of funds not held at the Federal Reserve.

    General Business

    The proposed RMF would state that OCC's general business risk is managed by Corporate Finance, Information Technology, Business Operations and Financial Risk Management. The proposed RMF would state that Corporate Finance performs financial planning and analysis, reviews operating budgets and fee structures, and reviews business performance. The proposed RMF would state that OCC maintains liquid net assets funded by equity sufficient to cover potential general business losses and comply with financial resource requirements in accordance with its confidential Capital Management Policy.[26] Furthermore, the proposed RMF would state that Information Technology reviews OCC's ability to maintain its critical services under a range of scenarios, including adverse market conditions. The proposed RMF would state that Business Operations and Financial Risk Management also perform assessments to determine if potential new business opportunities fit within OCC's models and risk management systems. The new General Business section of the proposed RMF would replace the General Business Risk section (and in part, the Reputational Risk section) of the current RMF Policy, continue to refer to OCC's Capital Management Policy as the governing document for managing OCC's general business risks, and remove certain summary information that is more specifically addressed in OCC's Capital Management Policy.[27]

    Technology

    The proposed RMF would state that OCC's technology risk is managed by OCC's Information Technology. The proposed RMF would state that OCC uses technology solutions to manage risk and facilitate clearing and settlement by utilizing systems that have adequate levels of availability, security, resiliency, integrity, and adequate, scalable capacity based on their criticality. The proposed RMF would state that Information Technology manages technology risk by utilizing a structured technology delivery approach that provides for consistency and establishes responsibilities and requirements. The proposed RMF would state that Information Technology monitors and evaluates technology performance in part based on service levels related to data integrity, system availability, data timeliness, and data quality to manage technology risk. The proposed RMF would state that to achieve these service levels, Information Technology manages OCC's efforts across technology incidents, changes, configurations, system capacity, and evaluates system recoverability through disaster recovery testing. The Technology section of the proposed RMF, along with the Security section (discussed below), are intended to replace the Operational Risk—Information Technology section of the RMF Policy. These general details in the RMF would replace more specific information concerning OCC's quality standards program, cybersecurity program, and system functionality and capacity.[28]

    Legal

    The proposed RMF would state that OCC's legal risk is managed through efforts across OCC that are advised by OCC's Legal department (“Legal”). The proposed RMF would state that OCC manages its legal risk by establishing, implementing and enforcing written documents that are reasonably designed to provide a well-founded, clear, transparent, and enforceable legal basis for each aspect of OCC's activities in all relevant jurisdictions and comply with applicable legal and regulatory requirements. The proposed RMF would state that in order to manage legal risk across OCC, employees are required to consult with Legal on legal and regulatory matters, including but not limited to interpretation of laws and regulations applicable to OCC, including OCC's Rules and By-Laws, legal claims against OCC, government or regulatory requests or inspections, and matters that may be the subject of a proposed rule change filing. The Legal section of the proposed RMF would replace, in part, the Legal Risk section of the RMF Policy, including by replacing a specific sub-section discussing OCC's maintenance of contracts with more general requirements that OCC establish, implement, and enforce written documents, including legal agreements, and maintain documents that are reasonably designed to provide a well-founded, clear, transparent, and enforceable legal basis for each aspect of OCC's activities, which would include any contracts regarding the material aspects of OCC's clearing, settlement, and risk management activities as discussed in the RMF Policy.

    Second Line of Defense

    The proposed RMF would state that OCC's second line of defense includes compliance, corporate risk, third-party risk, model risk management, security, and business continuity. The proposed RMF would state that the second line has no operational authority or responsibility for the first line to prevent conflicts of interest. The proposed RMF would state that the second line provides objective analysis to identify potential enhancements and improvements to first line processes to help ensure compliance with applicable laws and regulations and prudent risk management. The proposed RMF would state that second line management reports to Board committees and has the authority to escalate information to the first line, Management Committee, and the Board. Additionally, the proposed RMF would state that second line management provides reports to the Board at least quarterly at its scheduled meetings.

    Compliance

    The proposed RMF would state that OCC's Compliance department (“Compliance”) oversees OCC's management of compliance risk by adhering to applicable rules and regulations, policies, procedures, processes, controls, and standards of conduct. The proposed RMF would state that Compliance manages compliance risk by establishing processes to prevent, detect, respond to, and report on compliance risk. The proposed RMF would state that Compliance supports and assesses the management of compliance risk through advising, monitoring, reporting, testing, and training activities and maintains mechanisms for reporting unethical or fraudulent behavior or misconduct. The Compliance section of the proposed RMF would replace the Regulatory Compliance section of the RMF Policy and reframe this section based on the Compliance department's role in helping OCC manage compliance risk.

    Corporate Risk

    The proposed RMF would state that Corporate Risk evaluates enterprise risk by identifying, measuring, monitoring, managing, reporting, and escalating risks to inform decision-making in accordance with the CRMP. The proposed RMF would state that Corporate Risk evaluates enterprise risk to provide an understanding of inherent and residual risks as compared against Board-approved levels.

    Third-Party Risk

    The proposed RMF would state that OCC's Third-Party Risk Management business unit evaluates risks posed to OCC by third parties by identifying, measuring, monitoring, managing, reporting, and escalating risks as described in the TPRMF. The proposed RMF would state that Third-Party Risk Management aggregates information about the risks presented by third parties based on their relationships to OCC. The new Third-Party Risk section of the proposed RMF would replace the Third-Party Monitoring Program section of the RMF Policy and remove certain details which are more comprehensively addressed in the TPRMF.[29]

    Model Risk Management

    The proposed RMF would state that Model Risk Management performs independent model validation, evaluates model parameters and assumptions, assesses mitigating factors, and provides effective and independent challenge throughout OCC's model lifecycle in accordance with its confidential Model Risk Management Policy. The proposed RMF would state that Models are governed and independently assessed and certified to determine adequate performance. The proposed RMF would state that this includes model testing and performance monitoring (e.g., backtesting, sensitivity analysis). The new Model Risk Management section of the proposed RMF would replace the Model Risk section of the RMF Policy. This new section of the RMF would focus on Model Risk Management's role in helping OCC manage model risk and would remove certain details that are more comprehensively addressed in the Model Risk Management Policy.[30]

    Security

    The proposed RMF would include new rule text stating that OCC's Security department (“Security”) manages information, physical, and personnel security risk to safeguard the confidentiality, integrity, and availability of corporate information systems and data assets implemented and maintained by Information Technology. The proposed RMF would state that Security employs a risk-based methodology and controls to manage information governance, system resiliency, and cyber security. In addition, the proposed RMF would state that Security maintains policies and procedures that require appropriate protective controls and event detection via security monitoring. The proposed RMF would state that Security evaluates its processes and controls through internal and external testing, scanning for threats and vulnerabilities, and benchmarking against industry standards.

    In addition, the proposed RMF would incorporate an existing portion of the RMF Policy concerning IT risk assessments conducted by Security prior to the procurement, development, installation and operation of IT services and systems, including the triggers that may change IT risks at OCC.[31] Cross-references found in the RMF Policy to procedures that outline IT risk assessments at a procedural level would be removed. OCC does not believe that identifying the underlying procedure is necessary for understanding the process at a policy level.

    Business Continuity

    The proposed RMF would state that Business Continuity maintains a business continuity program that establishes OCC's plan for maintaining backup and recovery capabilities that are sufficiently resilient and geographically diverse to address both internal and external events that could impact OCC's operations.[32]

    Third Line of Defense

    The proposed RMF would state that OCC's third line of defense consists of Internal Audit. Internal Audit is independent and reports directly to the Audit Committee of the Board (“Audit Committee”) to ensure this independence; the Audit Committee oversees the activities performed by Internal Audit in accordance with the Audit Committee Charter. The proposed RMF would state that Internal Audit has no responsibility for first- or second-line functions. The proposed RMF would state that Internal Audit designs, implements, and maintains an audit program that provides the Management Committee and Audit Committee independent and objective assurance related to the quality of OCC's risk management, governance, compliance, controls, and business processes in accordance with the confidential Internal Audit Policy. The proposed RMF would state that Internal Audit issues independent reports to the first and second line as well as the Audit Committee and Board. This section of the RMF would replace a discussion of the third line of defense in OCC's current RMF Policy and would remove certain details that are more comprehensively addressed in the Internal Audit Policy.[33]

    Risk Management Practice

    The RMF Policy currently contains a Risk Management Practice section that describes OCC's three lines of defense model and Enterprise Risk Assessment program. As discussed above, OCC would relocate the discussion of its three lines of defense model to the new RMF. In addition, OCC proposes to relocate the discussion of its Enterprise Risk Assessment program to the new CRMP. OCC also proposes to relocate the Risk Reporting section of the RMF Policy to the CRMP. Additionally, OCC would eliminate the specific Compliance Risk Assessment section of the RMF Policy.

    Enterprise Risk Assessment and Scenario Analysis Program

    The RMF Policy currently describes the Enterprise Risk Assessment process conducted by the first line and Corporate Risk. The RMF Policy provides that Enterprise Risk Assessments shall analyze Inherent Risk,[34] the quality of risk management, and Residual Risk [35] of the sub-categories of Key Risks and use analysis of Residual Risk in conjunction with metrics related to risk tolerances to develop a risk profile and determine whether a Key Risk is within its risk appetite. The RMF Policy also requires that Corporate Risk's analysis of Residual Risk be provided to the Management Committee and Board (or committee thereof) to inform them on the quantity of risk in a certain functional area or business area, and provide a mechanism to prioritize risk mitigation activities.

    The proposed CRMP would revise this description to more accurately and completely describe the risk assessment, monitoring, and reporting processes conducted by Corporate Risk. The proposed CRMP would state that enterprise risk assessments are a quarterly activity where the control environment is evaluated to determine its effectiveness in preventing or mitigating inherent risks identified to arrive at a residual risk rating for each risk statement. The proposed CRMP would state that Corporate Risk (and not Compliance, as specified in the RMF Policy) maintains an inventory of all business processes, risks, and associated controls in a database used by OCC to manage Enterprise Governance, Risk and Compliance. The CRMP would state that Corporate Risk uses data from a variety of sources (e.g., risk events, Internal Audit findings, security risk assessments and observations, third-party observations, control design assessments, management control self-testing results, and business impact analyses) to rate the impact and likelihood of a risk and assess the quality of the control environment. The proposed CRMP would state that enterprise risk assessments are conducted through workshops across the first and second lines of defense and are supplemented by including information from emerging risk surveys (top-down), process-based risk assessments (bottom-up), and enterprise technology assessments. The proposed CRMP would state that quarterly, the results of the enterprise risk assessment (the levels of residual risk) are aggregated and provided to the CRO for approval and presented to the Management Committee and Board by the CRO. The CRMP would also elaborate on the use of residual risk, risk tolerances, and risk ratings and associated reporting as discussed in the Risk Governance section of the proposed CRMP and would also provide details on Corporate Risk's risk monitoring and risk treatment activities in new sections of the CRMP (as discussed further below).

    The RMF Policy also describes OCC's Scenario Analysis Program, which is an industry-standard method of identifying operational risks that may not be otherwise captured by the Enterprise Risk Assessment program. Pursuant to the RMF Policy, Corporate Risk and the first line design simulations of potential business disruptions, and business unit staff shall use such simulations to identify risks that may not have been previously uncovered or identify weaknesses in current controls. Corporate Risk includes the potential risks identified through the Scenario Analysis Program in its analysis of, and reporting on, the quantity of risk within a certain Key Risk and whether the Key Risk is within its risk appetite.

    OCC proposes to relocate the discussion of its Scenario Analysis Program to the CRMP with revisions designed to more accurately and completely describe the scenario analysis process. The proposed CRMP would state that operational scenario analysis is the process of leveraging OCC subject matter expertise to identify potential operational risks and assess the potential outcomes of stressed operations. The proposed CRMP would state that operational scenarios consider both internal and external scenarios that may impact OCC's ability to perform its clearance, settlement and risk management services. The proposed CRMP would state that Corporate Risk, through workshops with the first and second lines of defense, designs operational scenarios utilizing available information (e.g., annual top-risk survey conducted by Corporate Risk, Management Committee recommendation, enterprise risk assessments). The proposed CRMP would state that the workshops are designed to identify risks that may not have been previously uncovered or weaknesses in current controls. The proposed CRMP would state that operational scenarios are used to assess the potential that future extreme but plausible business disruptions may impact OCC's clearance, settlement and risk management services and are inputs in OCC's target capital requirements and recovery and wind-down planning. The proposed CRMP would state that Risk Owners use scenarios to identify new and existing risks and identify weaknesses in current controls. The proposed CRMP would state that Corporate Risk includes potential risks identified through operational scenario analysis when analyzing and reporting across risk categories and sub-categories.

    Risk Reporting

    The proposed CRMP would contain a revised Risk Reporting section. The proposed CRMP would state that risk reporting provides a view of OCC's risks to facilitate risk management and inform decision-making. The proposed CRMP would state that Corporate Risk reports risks based on its risk identification, measurement, and monitoring activities to assist in the understanding of the risks OCC faces and whether these risks are being managed within OCC's risk tolerances and appetites. The proposed CRMP would state that quarterly, the CRO reports risks (e.g., risk appetite or risk tolerance breaches, material operational risk events, summary of risk acceptances, and risk mitigation) to the Management Committee, Board, and relevant Board committees.

    Compliance Risk Assessment

    OCC proposes to remove a section of the RMF Policy specifically dedicated to the Compliance Risk Assessment program. This section currently provides a brief discussion of the Compliance department's program used to identify and measure the risks faced by OCC regarding regulatory compliance and prioritize the testing and training activities associated with such risks. OCC believes this section is appropriately addressed in the Compliance section of the proposed RMF (discussed in detail above), which provides that Compliance manages compliance risk by establishing processes to prevent, detect, respond to, and report on compliance risk and assesses the management of compliance risk through advising, monitoring, reporting, testing, and training activities and maintains mechanisms for reporting unethical or fraudulent behavior or misconduct. This would include the activities performed by Compliance in the Compliance Risk Assessment program.

    Control Activities

    OCC proposes to eliminate the Control Activities section of the RMF Policy, which describes certain activities performed by OCC's Compliance department relating to the maintenance of business process and control inventories and annual training of OCC staff. This would be replaced by more general descriptions of Compliance's responsibilities under the proposed RMF. As discussed above, the RMF would more generally describe the department's responsibilities for the management of compliance risk, including by: (i) establishing processes to prevent, detect, respond to, and report on compliance risk; (ii) assessing the management of compliance risk through advising, monitoring, reporting, testing, and training activities; and (iii) maintaining mechanisms for reporting unethical or fraudulent behavior or misconduct. Additionally, as noted above, the proposed CRMP would transfer responsibility for maintaining OCC's inventory of all business processes, risks, and associated controls from Compliance to Corporate Risk.

    Policy Exceptions and Violations

    OCC proposes to replace the Policy Exceptions and Violations sections in the current RMF Policy with a new Risk Acceptances and Deviations section in the RMF. The RMF would require that risk acceptances,[36] including exceptions to OCC's risk management frameworks and policies, shall be escalated to Corporate Risk in accordance with the CRMP. In addition, the RMF would require that deviations from OCC's risk management frameworks and policies shall be escalated to Compliance in accordance with the Policy Governance Policy (“PGP”).[37] By including this generally applicable provision in the RMF, OCC would no longer include this information in each individual policy and procedure. Policy exceptions would continue to be escalated as part of OCC's risk acceptance process and policy violations would be escalated as part of OCC's PGP document deviation risk event process. The proposed change would allow OCC to remain consistent with this practice in its policies and procedures without requiring each to have its own individual Policy Exceptions and Violations sections that would need to be updated as OCC's process for escalating exceptions and deviations develops and matures.

    Other Deleted Sections of the RMF Policy

    Project Management, Budgeting, and Training Changes

    OCC proposes to delete from its rules certain sections of the RMF Policy related to project management, corporate planning and budgeting, and Human Resources and Compliance Training and Policies. OCC believes that these sections deal with policies and practices that are administrative in nature and do not constitute material aspects of the operation of the facilities of OCC.[38] OCC would not maintain these details in the RMF or CRMP; however, OCC would continue to maintain and update these details when necessary in other internal policies, procedures, or OCC documentation maintained for such purposes.

    Risk Universe

    Finally, OCC proposes to remove the RMF Policy's Appendix: OCC's Key Risks with CCA, PFMI, and Reg SCI Mapping. The proposed CRMP would require that Corporate Risk continue to maintain the risk universe, and OCC has included its risk categories in Section II of the proposed RMF but proposes that the additional detailed documentation and mapping be maintained internally by Corporate Risk. OCC believes it may need to update the mapping and risks, as well as how OCC defines them, dynamically based on business and market factors. OCC believes by following the governance outlined in the proposed CRMP, proper scrutiny will be given to any revisions to this information. Moreover, OCC believes that the policies and processes maintained by OCC to establish, maintain, review and update its risk universe, which reflects the universe of risks that OCC must monitor and manage, constitute material aspects of the operation of the facilities of OCC, but the risk universe itself is the output of those processes and simply lists those risks that OCC has identified pursuant to the requirements of the RMF Policy (and the proposed CRMP).

    New Sections in the RMF and CRMP

    OCC proposes to add new sections to its RMF and CRMP to describe certain aspects of its risk management framework and approach to enterprise risk management, which are discussed in detail below.

    RMF: Recovery and Orderly Wind-Down Plan

    The proposed RMF would include a new section discussing OCC's Recovery and Orderly Wind-Down Plan. The proposed RMF would state that in the event of extreme financial, operational, or general business stress, Corporate Risk maintains a confidential Recovery and Orderly Wind-Down Plan which details the departments responsible for executing the plan. The proposed RMF would state that OCC employs a set of recovery tools in the event of severe financial, operational, or general business stress, to continue to provide critical clearing and settlement services. The proposed RMF would state that should OCC's recovery efforts be unsuccessful or if, based on facts and circumstances, it is determined that its recovery tools would be insufficient, OCC has a wind-down plan that provides for the orderly resolution of the firm.

    CRMP: Risk Monitoring

    The CRMP would introduce a new section to describe Corporate Risk's Risk Monitoring process, including key risk indicator monitoring and operational risk event monitoring. The proposed CRMP would state that Corporate Risk and Risk Owners monitor internal and external risks to determine whether OCC's risk management practices continue to operate effectively. The proposed CRMP would state that the information gathered during this monitoring is used to inform enterprise risk assessments.

    Key Risk Indicator Monitoring

    The proposed CRMP would state that key risk indicators (“KRIs”) are qualitative or quantitative metrics designed to identify changes to risks. The proposed CRMP would state that Corporate Risk and Risk Owners utilize KRIs to measure and monitor levels of risk against risk appetite and risk tolerances. The proposed CRMP would state that KRIs are established at a risk sub-category level. KRIs include three thresholds: green, amber, and red. The proposed CRMP would state that green indicates a low risk of breaching tolerance, amber indicates a moderate risk of breaching tolerance, and red indicates a breach of tolerance. The proposed CRMP would state that amber and red thresholds are points of escalation to the CRO, Management Committee, and the Board.

    The proposed CRMP would state that Risk Owners, in collaboration with Corporate Risk, develop KRIs by considering business (e.g., process and controls) and regulatory requirements. The proposed CRMP would state that Corporate Risk facilitates identifying, modifying, and reviewing KRIs with a designated Management Committee member, including defining and reviewing the risk tolerance and risk thresholds for the KRI. The proposed CRMP would state that KRIs that breach the red threshold result in the development and execution of risk treatment plans by Risk Owners. The proposed CRMP would state that Corporate Risk reports against red, amber, and green thresholds to the CRO and Management Committee on a quarterly basis and to the Board at each regularly scheduled meeting.

    Operational Risk Event Monitoring

    The proposed CRMP would state that an operational risk event is an event which results in a financial loss or an adverse impact to OCC or its ability to deliver its services. The proposed CRMP would state that such events arise from failed or inadequate internal processes, people, systems, or exposure to external events. The proposed CRMP would state that Risk Owners are responsible for identifying, assessing, and escalating operational risk events. The proposed CRMP would provide that Corporate Risk is responsible for ensuring that material operational risk events, as well as identified trends, are reported to the CRO and Management Committee on a quarterly basis and to the Board at each regularly scheduled meeting. The proposed CRMP would state that Risk Owners perform root cause analysis and enhance or develop processes that would reduce the impact or likelihood of similar events occurring in the future. The proposed CRMP would state that Risk Owners are responsible for escalating operational risk events causing serious and extended disruptions in production operations. The proposed CRMP would state that risk events that have a major or extreme impact to OCC's ability to perform its clearance, settlement and risk management services are immediately reported to the Management Committee and Board.

    CRMP: Risk Treatment

    The CRMP would introduce a new section to describe OCC's risk treatment process, which is the process by which Risk Owners manage risk exposures by utilizing risk treatment methods to remain within risk appetites and tolerances. The proposed CRMP would state that risk treatment methods are implemented by Risk Owners and include the decision to mitigate, avoid, transfer, or accept an identified risk. The proposed CRMP would state that mitigation is a risk treatment method where controls including policies, procedures, processes, and systems can be implemented to manage a risk within established risk appetites and tolerances (e.g., OCC creates a procedure to document a process including implementing controls to mitigate a risk).

    The proposed CRMP would state that avoidance is a risk treatment method that may be used when controls are ineffective at preventing or mitigating a risk within approved risk appetites or tolerances (e.g., OCC does not onboard a clearing member due to poor financial health). The proposed CRMP would state that transference is a risk treatment method where risks are moved to a third party, usually through the purchase of insurance (e.g., fraud, general liability, and employment insurance). Insurance coverage would be coordinated by the Corporate Finance team, with involvement from other first and second line stakeholders, and subject to review by the Management Committee and the Board.

    The proposed CRMP would state that acceptance is a risk treatment method that may be used to acknowledge when the cost or complexity of avoiding, mitigating, or transferring the risk exceeds the potential impact (e.g., OCC accepts a risk temporarily and implements short-term mitigants, knowing that a long-term solution is planned). The proposed CRMP would state that Corporate Risk evaluates risk acceptances submitted by Risk Owners. The proposed CRMP would state that any risks presented for acceptance that are outside of risk appetite or risk tolerance must be approved by the Management Committee annually. The proposed CRMP would state that Corporate Risk reports on risks accepted above approved risk appetite or risk tolerance to the CRO, Management Committee, and Board.

    CRMP: Risk Escalation and Training

    The proposed CRMP would also describe Corporate Risk's process for escalating risks to the CRO, Management Committee, and Board and training employees about risk to support risk management and decision-making.

    Escalation

    The proposed CRMP would state that OCC employees are responsible for escalating risks through timely identification and reporting. The proposed CRMP would state that in accordance with OCC's Employee Handbook and Policy Governance Policy, OCC employees are expected to escalate risks through their reporting line, OCC's internal working groups, or to the Management Committee. The proposed CRMP would state that quarterly, Corporate Risk, through the CRO, escalates breaches of risk appetites and risk tolerances to the Management Committee, Board, and relevant Board committees. The proposed CRMP would state that escalation occurs (i) consistent with obligations established in the Management Committee Charter, Board Charter, Board Committee Charters, policies, and procedures, or (ii) anytime through the CRO directly to the Board.

    Training

    The proposed CRMP would state that OCC employees are trained to promote a culture of risk and control awareness. The proposed CRMP would state that Corporate Risk collaborates with other OCC departments to create and disseminate training to enable accountability, empower decision-making, promote risk awareness, and detail escalation. The proposed CRMP would state that this training promotes awareness of OCC's regulatory requirements, policies, procedures, processes, controls, and standards of conduct.

    Conforming Changes to OCC Risk Policies

    Finally, OCC proposes to update other OCC Risk Policies to be consistent with the proposed RMF. Specifically, OCC would update references to the RMF Policy, including the summary of the RMF Policy in the Recovery and Orderly Wind-Down Plan, to refer to the RMF and CRMP. References to the “Enterprise Risk Management” department or “ERM” would be changed to “Corporate Risk Management” or “Corporate Risk” to reflect that department's name. In the case of the Collateral Risk Management Policy, OCC would delete reference to the Enterprise Risk Management Policy's annual review of concentration limits because that review is conducted by Model Risk Management, which is part of Corporate Risk. The OCC Risk Policies would be further conformed to reflect that what was formerly referred to as OCC's Model Validation Group is now referred to as Model Risk Management. OCC would also remove the Policy Exceptions and Violations sections of the applicable OCC Risk Policies as the exception and violation processes for all of the OCC Risk Policies would be covered by the new Risk Acceptances and Deviations section of the proposed RMF (as discussed above).

    OCC also proposes to make administrative updates to cross-references to other internal OCC policies and procedures and other administrative changes arising from OCC's annual review of its risk management frameworks and procedures. Specifically, OCC would also revise the TPRMF to:

    • Include General Business Risk as a type of risk that may be presented by third-party relationships;
    • Revise the introduction of the on-boarding and off-boarding monitoring of counterparties with multiple relationships with OCC to reference the respective procedures and work groups in the Third-Party Relationship Management section, which as evident from the existing TPRMF is not limited to monitoring by the Credit and Liquidity Risk Working Group, as that current introduction suggests;
    • Delete reference to specific OCC Rules in favor of reference to Chapters of OCC's Rulebook because the specific Rules currently identified are not a complete list of those in the identified Chapters that give OCC authority to act to protect OCC from exposure presented by a Clearing Member; and
    • Make other administrative changes to business unit names.

    (2) Statutory Basis

    OCC believes the proposed rule change is consistent with Section 17A of the Exchange Act [39] and Rule 17Ad-22(e)(3). Section 17A(b)(3)(F) of the Act [40] requires, in part, that the rules of a clearing agency be designed to promote the prompt and accurate clearance and settlement of securities transactions, to assure the safeguarding of securities and funds in the custody or control of the clearing agency or for which it is responsible, and in general, to protect investors and the public interest. Rule 17Ad-22(e)(3)(i) [41] requires, in part, that a covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to maintain a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne by the covered clearing agency, which includes risk management policies, procedures, and systems designed to identify, measure, monitor, and manage the range of risks that arise in or are borne by the covered clearing agency, that are subject to review on a specified periodic basis and approved by the board of directors annually. For the reasons addressed below, OCC believes the proposed changes are consistent with these requirements.

    Consistency With Section 17A(b)(3)(F) of the Exchange Act

    The proposed RMF and associated policies, including the CRMP, would be the foundation for a risk management framework designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in the OCC's custody or control, and in general, protect investors and the public interest. Risk management is the means by which OCC guards against disruption to OCC's clearance and settlement services and loss of financial resources necessary to maintain OCC as a going concern or in OCC's custody or control to address member defaults and liquidity shortfalls. As a clearing agency that has been designated a systemically important financial market utility by the Federal Stability Oversight Counsel, such disruption or losses may present systemic risks to the markets OCC serves, OCC's Clearing Members, and other market participants, including investors, thereby harming the public interest.

    As described above, the proposed RMF would be designed to provide a foundation to support the risk management policies, procedures, and systems that make up OCC's sound risk management framework. The proposed RMF would describe OCC's overall framework for comprehensive risk management, including OCC's framework to identify, measure, monitor and manage the risks faced by OCC in the provision of clearing, settlement and risk management services. The proposed RMF would provide the context for OCC's risk management framework, identify OCC's risk categories, describe the governance arrangements that implement risk management, and describe OCC's program for risk management, including the three lines of defense structure. In addition, the proposed CRMP would support the proposed RMF by explaining OCC's risk management activities related to enterprise risk. These changes are not meant to significantly alter OCC's approach to risk management, but rather to present OCC's approach to enterprise risk in a standalone policy, similar to OCC's approach with OCC's risk management. OCC believes that more clearly delineating its overall approach to risk management and its approach to enterprise risk through two separate policies helps support risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC's custody, and in general, protect investors and the public interest. Accordingly, OCC believes that establishing the RMF and CRMP is consistent with Section 17A(b)(3)(F) of the Act.[42]

    The proposed RMF and CRMP would also make a number of substantive changes to OCC's rules beyond the reorganization and restatement of existing OCC rules. Consistency of these changes with Section 17A(b)(3)(F) of the Act [43] is discussed below.

    RMF Policy: Purpose Section

    The purpose section of the RMF Policy would be revised to reflect the reorganization of content in the RMF Policy in the new RMF and CRMP, focusing on the purpose and intent of each of the newly proposed documents. The proposed change is designed to clearly explain the purpose of the proposed RMF and CRMP and their place in OCC's overall framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne. OCC believes that providing this enhanced clarity in two of its key risk management policies would strengthen risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC's custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.[44]

    RMF Policy: Context for Risk Management Framework and Risk Management Philosophy

    OCC would delete the Context for Risk Management Framework and Risk Management Philosophy sections of the RMF Policy from the proposed RMF. These sections provide history and background information about OCC and its purpose in the financial market, but do not contain rules of OCC. Additionally, the information presented in the Risk Management Philosophy section serves as an additional purpose section and all items highlighted in this section are covered in the proposed RMF and CRMP. OCC believes that removing this extraneous information would enhance the clarity of these risk policies by focusing on the rules governing OCC's overall risk framework and corporate risk management program and would strengthen risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC's custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.[45]

    RMF Policy: Risk Appetite Framework and Tolerance

    OCC proposes to make certain modifications to the description of its risk appetite framework, including descriptions of OCC's use of a risk universe, risk appetites and risk tolerances, in the new CRMP. As described above, the proposed CRMP would revise certain terminology in OCC's risk universe, such as organizing the universe into “risk categories,” “risk sub-categories,” and “risk statements” to effectively represent the Key Risks, Sub-categories, and Definitions that are discussed in the current RMF Policy. OCC would also modify certain governance requirements for the risk universe. Under the current RMF, Key Risks are approved by OCC's Board and risk appetites for Key Risks are set by the business departments responsible for those risks in cooperation with Corporate Risk. Under the proposed CRMP, the risk universe would be owned and approved by OCC's CRO and provided to the Management Committee and Board. The Board or the Risk Committee would ultimately be responsible for approving risk appetites and would continue to approve risk tolerances. The proposed CRMP would also provide additional details around the internal governance process for reviewing and approving risk categories, appetites, and tolerances and for monitoring risk tolerances. OCC would also remove the more general risk appetite statement definitions (i.e., no appetite, low appetite, moderate appetite, and high appetite), which are currently described in the RMF Policy, enabling OCC to use more detailed, qualitative risk appetite statements for each risk sub-category following the governance processes described above. In addition, OCC would change the cadence of risk reporting, including risk tolerance breaches, to align with the timing of OCC's regular Board meetings. The proposed CRMP would also introduce the concept of risk rating scales, which provide an assessment of risk from an impact and likelihood perspective consistently across OCC and would be used to measure inherent and residual risk at a risk statement level.

    OCC believes the proposed CRMP would provide a more comprehensive overview of the governance of OCC's risk universe and enhance certain processes therein. The proposed CRMP would provide additional details around the internal governance process for reviewing and approving risk categories, appetites, and tolerances and for monitoring risk tolerances and improve the governance process for the risk universe by allowing the CRO to modify risk categories as needed, with oversight of Management Committee and Board, and provide the Board or Risk Committee with more direct responsibility for setting the appetites for those risks. For these reasons, OCC believes the proposed changes would strengthen risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC's custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.[46]

    RMF Policy: Risk Management Governance

    OCC proposes to modify certain descriptions of its risk management governance arrangements in the new RMF. For example, OCC would update and streamline the description of the responsibilities of its Board as they are generally already addressed in the Board Charter.[47] OCC also proposes to update the description of the responsibilities of the Management Committee, which primarily relates to the committee's role and responsibilities in reviewing and recommending changes to OCC's risk universe, as this would not be addressed in the proposed CRMP (as discussed above). OCC would also update the discussion of working groups and their responsibilities and include a description of the responsibilities of and development opportunities for OCC employees. OCC believes the proposed changes would improve OCC's risk framework by presenting a more concise, clear, and transparent description of OCC's risk management governance and thereby promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC's custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.[48]

    RMF Policy: Identification of Key Risks

    OCC proposes to replace the Identification of Key Risks section of the RMF Policy, which provides a brief description of OCC's policies and procedures for managing each of those Key Risks and their respective Risk Sub-Categories, with a new OCC Risk Management section of the proposed RMF. The proposed RMF would reorganize the focus of this description to align with the three lines of defense model currently described in the RMF Policy and describe the types of risks managed by each line of defense. The new OCC Risk Management section of the RMF would: (i) restate existing content of the RMF; (ii) introduce new content not currently contained in OCC's RMF Policy; and (iii) delete certain aspects of the RMF Policy. The proposed RMF would continue to refer to the same rules and OCC Risk Policies currently maintained by OCC (and described in the RMF) to address such risks and which are currently filed with the Commission as rules of OCC.[49]

    OCC also proposes to remove certain details concerning its management of operational risk (e.g., quality standards program, cybersecurity program, system functionality and capacity, and business continuity program) as these aspects of its operational risk management would be contained in a new Operational Risk Management Framework document, which is currently being finalized by OCC, and will contain a more detailed and comprehensive overview of OCC's framework for managing operational risk.

    OCC believes these proposed changes would present a comprehensive, clear, and transparent description of the key risks faced by OCC and the assignment of responsibility for managing such risk, thereby strengthening risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC's custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.[50]

    RMF Policy: Risk Management Practice

    OCC proposes to relocate the discussion of its enterprise risk assessments, scenario analysis program, and risk reporting process to the new CRMP. As discussed above, the proposed CRMP is designed to more accurately and completely describe the risk assessment, monitoring, and reporting processes conducted by Corporate Risk. Additionally, OCC would eliminate the specific IT Risk Assessment section of the RMF Policy, as these details would be more appropriately addressed in the forthcoming Operational Risk Management Framework document, and would also remove the Compliance Risk Assessment section of the RMF Policy because this information is appropriately covered in the Compliance section of the proposed RMF. OCC believes the proposed changes would result in an improved description of Corporate Risk's risk assessment, scenario analysis, and risk reporting responsibilities and thereby strengthen risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC's custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.[51]

    RMF Policy: Control Activities

    OCC proposes to replace the Control Activities section of the RMF Policy with more general and broader descriptions of Compliance's responsibilities in the proposed RMF. In addition, under the proposed CRMP, responsibility for maintaining OCC's inventory of all business processes, risks, and associated controls would move from Compliance to Corporate Risk. As such, Corporate Risk would be responsible for reviewing the design of controls. Compliance would continue to perform design testing. OCC believes that assigning responsibility for reviewing control design to Corporate Risk is appropriate given its responsibilities in the enterprise risk assessment process, as part of which Corporate Risk leads quarterly workshops that assess the likelihood and impact of risks by reviewing data from across OCC, including risk events, Internal Audit findings, security risk assessments and observations, third-party observations, control design assessments, management control self-testing results, and business impact analyses, supplemented by information from emerging risk surveys (top-down), process-based risk assessments (bottom-up), and enterprise technology assessments. This enterprise risk assessment process affords Corporate Risk a holistic view of risk and controls, which OCC believes puts Corporate Risk in a unique position to review and improve control design with respect to controls intended to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC's custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.[52]

    RMF Policy: Exceptions and Violations

    OCC proposes to replace the individual Policy Exceptions and Violations sections in the current RMF Policy and other OCC Risk Policies with a new Risk Acceptances and Deviations section in the RMF. The proposed change would provide for a single framework for risk acceptances, exceptions, deviations, and the escalation of deviations across OCC's filed policies rather than requiring each policy to have its own individual Policy Exceptions and Violations sections, which may over time become inconsistent as policies are updated at different times. Such inconsistency could create confusion about escalation obligations and procedures, which could in turn lead to failure to escalate issues appropriately. Accordingly, OCC believes that improving the documentation for its escalation process would strengthen risk management processes designed to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC's custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.[53]

    New Sections in Proposed RMF and CRMP

    OCC proposes to add new sections to the proposed RMF and CRMP to provide additional details concerning its overall framework for managing risk and its approach to enterprise risk management. For example, the proposed RMF would include a new section discussing OCC's Recovery and Orderly Wind-Down Plan. In addition, the CRMP would introduce a new section to describe Corporate Risk's Risk Monitoring process, including key risk indicator monitoring and operational risk event monitoring. The CRMP would also introduce a new section to describe OCC's risk treatment process, which is the process by which Risk Owners manage risk exposures by utilizing risk treatment methods to remain within risk appetites and tolerances. Additionally, the proposed CRMP would describe Corporate Risk's process for escalating risks to the CRO, Management Committee, and Board and training employees about risk to support risk management and decision-making. The proposed changes would provide a more comprehensive and transparent discussion of OCC's overall framework for managing risk and its approach to enterprise risk management. OCC believes the proposed enhancements to its risk management documentation would serve to promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in OCC's custody or control or for which it is responsible, and in general, protect investors and the public interest. Accordingly, OCC believes that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act.[54]

    For the reasons set forth above, OCC believes the proposed rule change would promote the prompt and accurate clearance and settlement of securities transactions, assure the safeguarding of securities and funds in the custody or control of the clearing agency or for which it is responsible, and in general, to protect investors and the public interest in accordance with Section 17A(b)(3)(F) of the Act.[55]

    Consistency With Rule 17Ad-22 Under the Exchange Act

    OCC believes that the proposed rule change is generally consistent with Rule 17Ad-22(e)(3)(i) [56] because the proposed RMF would describe OCC's comprehensive framework for identifying, measuring, monitoring and managing the risks that arise within OCC or are borne by it, including legal, credit, liquidity, operational, general business, investment and custody risk. Moreover, the proposed CRMP would explain that Corporate Risk evaluates risks that may affect OCC's ability to perform the services detailed in the proposed RMF. The proposed RMF would explain how OCC employs established practices, such as the three lines of defense model for enterprise-wide risk management, to ensure that OCC maintains and operates a resilient, effective and reliable risk management and internal control infrastructure that assures risk management and processing outcomes expected by OCC stakeholders. The proposed CRMP would describe how OCC's second line of defense monitors the risks that arise in or are borne by OCC through a variety of risk assessment, risk reporting, evaluation and internal control management activities, consistent with the requirements of Rule 17Ad-22(e)(3)(i).[57]

    The proposed CRMP would describe OCC's use of risk appetites and risk tolerances to evaluate OCC's risks across its risk universe to ensure that OCC sets appropriate levels and types of risk that OCC is willing and able to assume in accordance with OCC's mission as a systemically important financial market utility. For example, the use of risk appetites allows OCC to carefully calibrate the levels of risk it accepts in a manner consistent with OCC's core mission of promoting financial stability in the markets it serves. In addition, the use of risk tolerances helps to inform whether risks are within Board-approved risk appetites. As a result, OCC believes the proposed RMF, as supported by the CRMP, is reasonably designed to provide for a sound, comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).[58]

    RMF Policy: Risk Appetite Framework and Tolerance

    As described herein, OCC proposes to make certain modifications to the description of its risk appetite framework, including descriptions of OCC's use of a risk universe, risk appetites and risk tolerances and the governance process for maintaining the risk universe, in the proposed CRMP. The proposed CRMP would also introduce the concept of risk rating scales, which provide an assessment of risk from an impact and likelihood perspective consistently across OCC and would be used to measure inherent and residual risk at a risk statement level. OCC believes the proposed CRMP would provide a more comprehensive overview of the governance of OCC's risk universe and enhance certain processes therein. The proposed CRMP would also provide additional details around the internal governance process for reviewing and approving risk categories, appetites, and tolerances and for monitoring risk tolerances and improve the governance process for the risk universe by allowing the CRO to modify risk categories as needed, with oversight of Management Committee and Board, and provide the Board or Risk Committee with more direct responsibility for setting the appetites for those risks. OCC believes the proposed changes are reasonably designed to provide for a sound, comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).[59]

    RMF Policy: Risk Management Governance

    Rules 17Ad-22(e)(2)(i) and (ii) [60] require that a covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to provide for governance arrangements that (i) are clear and transparent and (ii) clearly prioritize the safety and efficiency of the covered clearing agency. As discussed above, OCC proposes to modify certain descriptions of its risk management governance arrangements in the new RMF, including the roles and responsibilities of the Board, Management Committee, and OCC's internal working groups. OCC believes the proposed changes would improve OCC's risk framework by presenting a more clear, concise, and transparent description of OCC's governance arrangements as they relate to the management of risk within OCC. As a result, OCC believes the proposed changes are reasonably designed to provide for governance arrangements that (i) are clear and transparent and (ii) clearly prioritize the safety and efficiency of the covered clearing agency in accordance with Rules 17Ad-22(e)(2)(i) and (ii).[61]

    RMF Policy: Identification of Key Risks

    As described above, OCC proposes to replace the Identification of Key Risks section of the RMF Policy with a new OCC Risk Management section of the proposed RMF. The proposed RMF would reorganize the focus of this description to align with the three lines of defense model currently described in the RMF Policy and describe the types of risks managed by each line of defense. As described herein, the new OCC Risk Management section of the RMF would: (i) restate existing content of the RMF; (ii) introduce new content not currently contained in OCC's RMF Policy; and (iii) delete certain aspects of the RMF Policy. The proposed RMF would continue to refer to the same rules and OCC Risk Policies currently maintained by OCC (and described in the RMF) to address such risks and which are currently filed with the Commission as rules of OCC.[62] OCC believes the proposed changes would present a more comprehensive, clear, and transparent description of the key risks faced by OCC and the assignment of responsibility for managing such risks. As a result, OCC believes the proposed RMF, as supported by the CRMP, is reasonably designed to provide for a sound, comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).[63]

    RMF Policy: Risk Management Practice

    OCC proposes to relocate the discussion of its enterprise risk assessments, scenario analysis program, and risk reporting process to the new CRMP. As discussed above, the proposed CRMP is designed to more accurately and completely describe the risk assessment, monitoring, and reporting processes conducted by Corporate Risk. OCC believes the proposed changes would result in an improved description of Corporate Risk's risk assessment, scenario analysis, and risk reporting responsibilities and is therefore reasonably designed to support a sound, comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).[64]

    RMF Policy: Exceptions and Violations

    OCC proposes to replace the individual Policy Exceptions and Violations sections in the current RMF Policy and other OCC Risk Policies with a new Risk Acceptances and Deviations section in the RMF. The proposed change would provide for a single framework for risk acceptances and deviations, and the escalation of deviations across OCC's filed policies rather than requiring each policy to have its own individual Policy Exceptions and Violations sections, which may over time become inconsistent as OCC's individual risk policies evolve. This single framework would help to avoid ambiguities or confusion about escalation obligations or procedures that might otherwise arise if changes to such procedures were not applied consistently. The change would also reduce the administrative burden of having to update each document within OCC's universe of policies and procedures as OCC's process for escalating risk acceptance and deviations from those policies and procedures matures over time. OCC believes that improving the documentation for its escalation processes is reasonably designed to support its comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).[65]

    New Sections in Proposed RMF and CRMP

    OCC proposes to add new sections to the proposed RMF and CRMP to provide additional details concerning its overall framework for managing risk and its approach to enterprise risk management. For example, the proposed RMF would include a new section discussing OCC's Recovery and Orderly Wind-Down Plan [66] and introduce a new section to describe Corporate Risk's Risk Monitoring process, including key risk indicator monitoring and operational risk event monitoring. The CRMP would also introduce a new section to describe OCC's risk treatment process and would describe Corporate Risk's process for escalating risks to the CRO, Management Committee, and Board and training employees about risk to support risk management and decision-making. The proposed changes would provide a more comprehensive and transparent discussion of OCC's overall framework for managing risk and its approach to enterprise risk management. OCC believes the proposed changes are therefore reasonably designed to provide for a sound, comprehensive framework for identifying, measuring, monitoring and managing the range of risks that arise in or are borne by OCC in a manner consistent with Rule 17Ad-22(e)(3)(i).[67]

    Consistency With Section 19(b) of the Exchange Act

    Section 19(b)(1) of the Act [68] and Rule 19b-4 [69] thereunder set forth the requirements for SRO proposed rule changes, including the regulatory filing requirements for “stated policies, practices and interpretations.” [70] OCC proposes to retire its existing RMF Policy, which was, in part, previously filed as an OCC “rule” with the Commission, as the RMF and CRMP would replace the RMF Policy in its entirety. Under the proposal, the material aspects of OCC's overall risk management framework and Corporate Risk program would be contained in the proposed RMF and CRMP described herein. As described in detail herein, various details in the current RMF Policy would no longer be OCC rule text following adoption of the RMF and CRMP. Specifically, OCC believes that removing the following sections of the current RMF Policy from OCC's rule text is consistent with Section 19(b)(1) of the Act and Rule 19b-4 because they are administrative in nature and do not address material aspects of the operation of the facilities of OCC:

    • The Context for Risk Management Framework and Risk Management Philosophy sections providing history and background information about OCC and its purpose in the financial markets; [71]

    • Sections of the RMF Policy related to project planning, corporate budgeting, and Human Resources and Compliance training; and
    • The Risk Universe, which reflects the output of policies and processes described in the RMF Policy (and eventually, the proposed CRMP).

    Accordingly, OCC believes the proposed changes would be consistent with the requirements of Section 19(b)(1) of the Act and Rule 19b-4 thereunder.[72]

    (B) Clearing Agency's Statement on Burden on Competition

    Section 17A(b)(3)(I) of the Act [73] requires that the rules of a clearing agency not impose any burden on competition not necessary or appropriate in furtherance of the purposes of the Act. OCC does not believe that the proposed rule changes would impact or impose any burden on competition. The proposed rule change clearly and transparently presents the framework OCC uses to identify, monitor and manage its risks. While the proposed rule change would enhance OCC's framework of risk management documentation, these updates do not affect Clearing Members' access to OCC's services or impose any direct burdens on Clearing Members. Accordingly, the proposed rule change would not unfairly inhibit access to OCC's services or disadvantage or favor any particular user in relationship to another user.

    For the foregoing reasons, OCC believes that the proposed rule change is in the public interest, would be consistent with the requirements of the Act applicable to clearing agencies, and would not impact or impose a burden on competition.

    (C) Clearing Agency's Statement on Comments on the Proposed Rule Change Received From Members, Participants or Others

    Written comments on the proposed rule change were not and are not intended to be solicited with respect to the proposed rule change and none have been received.

    III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action

    Within 45 days of the date of publication of this notice in the Federal Register or within such longer period up to 90 days (i) as the Commission may designate if it finds such longer period to be appropriate and publishes its reasons for so finding or (ii) as to which the self-regulatory organization consents, the Commission will: (A) by order approve or disapprove such proposed rule change, or (B) institute proceedings to determine whether the proposed rule change should be disapproved. The proposal shall not take effect until all regulatory actions required with respect to the proposal are completed.

    IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

    Electronic Comments

    • Use the Commission's internet comment form (http://www.sec.gov/rules/sro.shtml); or

    • Send an email to rule-comments@sec.gov. Please include File Number SR-OCC-2022-010 on the subject line.

    Paper Comments

    • Send paper comments in triplicate to Vanessa Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.

    All submissions should refer to File Number SR-OCC-2022-010. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website (http://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of such filing also will be available for inspection and copying at the principal office of OCC and on OCC's website at https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules.

    All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly.

    All submissions should refer to File Number SR-OCC-2022-010 and should be submitted on or before October 17, 2022.


    For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[74]

    J. Matthew DeLesDernier,

    Deputy Secretary.


    Footnotes

    5.   See Exchange Act Release No. 34-82232 (Dec. 7, 2017), 82 FR 58662 (Dec. 13, 2017) (File No. SR-OCC-2017-005).


    6.  For example, the RMF addresses risks managed by OCC's first line of defense through supporting policies and procedures, including, among other rule-filed policies, the Margin Policy, Collateral Risk Management Policy, Liquidity Risk Management Framework, and the Default Management Policy.


    7.  As part of the proposed rule change, OCC would reflect that OCC has renamed its ERM department as Corporate Risk and make conforming changes throughout the OCC Risk Policies. In addition to functions specific to enterprise risk monitoring, Corporate Risk includes other functions such as Model Risk Management and Third-Party Risk Management.


    8.  Risk appetites are qualitative articulations of the amount of risk OCC is willing to accept and establish expectations for OCC's risk management.


    9.  Risk tolerances are qualitative or quantitative measures that help inform whether risks are within risk appetites.


    10.  The RMF Policy defines Key Risk to mean risk that is related to the foundational aspects of CCP clearing, settlement, and risk management services.


    11.  The RMF Policy defines Risk Appetite Statement to mean a statement that expresses OCC's judgment, for each of OCC's Key Risks, regarding the level of risk OCC is willing to accept related to the provision of CCP services.


    12.  The Board has approved such delegation of authority to the Risk Committee. See Exchange Act Release No. 94988 (May 26, 2022); 87 FR 33535 (June 2, 2022) (File No. SR-OCC-2022-002).


    13.  The proposed CRMP defines “Risk Owner” to mean an employee with the accountability and authority to manage the risk.


    14.  The proposed CRMP would state that risk treatment is the process to manage a risk through avoidance, mitigation, transference, or acceptance.


    15.   See, e.g., Exchange Act Release No. 94988, 87 FR at 33539 (updating cadence of certain Board reporting to reflect that such reporting occurs at regular Board meetings).


    16.  The Board Charter can be found on OCC's public website: https://www.theocc.com/about/corporate-information/board-charter.


    17.   See, e.g., Exchange Act Release No. 84473 (Oct. 23, 2018), 83 FR 54385 (Oct. 29, 2018) (File No. SR-OCC-2018-012).


    18.  The Board has delegated oversight of specific risks to Committees through the Committee Charters. For example, the Board has delegated oversight of OCC's financial, collateral, risk model and third-party risk management processes to the Risk Committee. See Exchange Act Release No. 94988, 87 FR at 33539 (File No. SR-OCC-2022-002).


    19.  The proposed RMF would state that The Management Committee may include, but is not limited to the following officers: Executive Chairman, Chief Executive Officer, Chief Operating Officer, Chief Financial Risk Officer, Chief External Relations Officer, Chief Risk Officer, Chief Audit Executive, Chief Compliance Officer, Chief Financial Officer, Chief Human Resources Officer, Chief Information Officer, Chief Security Officer, Chief Legal Officer and General Counsel, Chief Clearing and Settlement Services Officer, and Chief Regulatory Counsel.


    20.   See, e.g., Exchange Act Release No. 82355 (Dec. 19, 2017), 82 FR 61058 (Dec. 26, 2017) (File No. SR-OCC-2017-007).


    21.   See, e.g., Exchange Act Release No. 83735 (July 27, 2018), 83 FR 37855 (Aug. 2, 2018) (File No. SR-OCC-2018-008).


    22.   See, e.g., Exchange Act Release No. 82311 (Dec. 13, 2017), 82 FR 60252 (Dec. 19, 2017) (File No. SR-OCC-2017-008).


    23.   See, e.g., Exchange Act Release No. 82310 (Dec. 13, 2017), 82 FR 60265 (Dec. 19, 2017) (File No. SR-OCC-2017-010).


    24.   See, e.g., Exchange Act Release No. 90797 (Dec. 23, 2020), 85 FR 86592 (Dec. 30, 2020) (File No. SR-OCC-2020-014).


    25.   See, e.g., Exchange Act Release 89014 (June 4, 2020), 85 FR 35446 (June 10, 2020) (File No. SR-OCC-2020-003).


    26.   See, e.g., Exchange Act Release 88029 (Jan. 24, 2020), 85 FR 5500 (Jan. 30, 2020) (File No. SR-OCC-2019-007).


    27.   See id.


    28.  OCC intends to include a detailed discussion of these aspects of its operational risk management in a new Operational Risk Management Framework document, which is currently being finalized by OCC and will be filed with the Commission when it is complete.


    29.   See supra note 24.


    30.   See, e.g., Exchange Act Release No. 82785 (Feb. 27, 2018), 83 FR 9345 (Mar. 5, 2018) (File No. SR-OCC-2017-011).


    31.  This discussion would replace the IT Risk Assessment section of the current RMF Policy. OCC intends to include a detailed discussion of its IT risk assessment in a new Operational Risk Management Framework document, which is currently being finalized by OCC and will be filed with the Commission when it is complete.


    32.  The Business Continuity section of the RMF would replace the Business Continuity Program section of the current RMF Policy. OCC intends to include a detailed discussion of its Business Continuity Program in a new Operational Risk Management Framework document, which is currently being finalized by OCC and will be filed with the Commission when it is complete.


    33.  Such details include requirements related to the diversity and skills of Internal Audit personnel and the external standards of professionalism pursuant to which Internal Audit performs its functions.


    34.  The RMF Policy defines “Inherent Risk” to mean the absolute level of risk exposure posed by a process or activity prior to the application of controls or other risk-mitigating factors.


    35.  The RMF Policy defines “Residual Risk” to mean the level of risk exposure posed to a process or activity after the application of controls or other risk-mitigating factors.


    36.  As discussed in more detail below with respect to the proposed Risk Treatment section of the CRMP, acceptance is a risk treatment method that may be used to acknowledge when the cost or complexity of avoiding, mitigating, or transferring the risk exceeds the potential impact (e.g., OCC accepts a risk temporarily and implements short-term mitigants, knowing that a long-term solution is planned).


    37.  OCC proposes to use the term “deviation” rather than “violation” as found in the current RMF Policy to align with the terminology used in the PGP.


    38.  Section 19(b)(1) of the Exchange Act requires a self-regulatory organization (“SRO”) such as OCC to file with the Commission any proposed rule or any proposed change in, addition to, or deletion from the rules of such SRO. See 15 U.S.C. 78s(b)(1). Section 3(a)(27) of the Exchange Act defines “rules of a clearing agency” to mean its (1) constitution, (2) articles of incorporation, (3) bylaws, (4) rules, (5) instruments corresponding to the foregoing and (6) such “stated policies, practices and interpretations” (“SPPI”) as the Commission may determine by rule. See 15 U.S.C. 78c(a)(27). Exchange Act Rule 19b-4(a)(6) defines the term “SPPI” to include (i) any material aspect of the operation of the facilities of an SRO and (ii) statements made generally available to membership of, to all participants in, or to persons having or seeking access to facilities of an SRO that establishes or changes certain standards, limits, or guidelines. See 17 CFR 240.19b-4(a)(6). Rule 19b-4(c) provides, however, that an SPPI may not be deemed to be a proposed rule change if it is: (i) reasonably and fairly implied by an existing rule of the SRO or (ii) concerned solely with the administration of the SRO and is not an SPPI with respect to the meaning, administration, or enforcement of an existing rule of the SRO. See 17 CFR 240.19b-4(c).


    43.   Id.


    47.   See supra notes 16 and 17.


    49.   See supra notes 20-26 and associated text.


    56.   Id.


    57.   Id.


    58.   Id.


    59.   Id.


    61.   Id.


    62.   See supra notes 20-26 and associated text.


    64.   Id.


    65.   Id.


    66.  OCC believes this proposed change also supports compliance with Exchange Act Rule 17Ad-22(e)(3)(ii), which requires a covered clearing agency to maintain a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne by the covered clearing agency, which includes plans for the recovery and orderly wind-down of the covered clearing agency necessitated by credit losses, liquidity shortfalls, losses from general business risk, or any other losses. See 17 CFR 240.17Ad-22(e)(3)(ii).


    70.   See supra note 38.


    71.  Additionally, OCC believes the information presented in the Risk Management Philosophy section serves as an additional purpose section and that all items highlighted in this section would be covered in, or otherwise reasonably and fairly implied by, the proposed RMF and CRMP.


    [FR Doc. 2022-20728 Filed 9-23-22; 8:45 am]

    BILLING CODE 8011-01-P

Document Information

Published: 09/26/2022
Department: Securities and Exchange Commission
Entry Type: Notice
Document Number: 2022-20728
Pages: 58409-58425 (17 pages)
Docket Numbers: Release No. 34-95842, File No. SR-OCC-2022-010
PDF File: 2022-20728.pdf