2023-23941. Self-Regulatory Organizations; ICE Clear Europe Limited; Order Approving Proposed Rule Change, as Modified by Amendment No. 1, Relating to Amendments to its Operational Risk and Resilience Policy  

  • Start Preamble October 25, 2023.

    I. Introduction

    On August 15, 2023, ICE Clear Europe Limited (“ICE Clear Europe” or “Clearing House”) filed with the Securities and Exchange Commission (“Commission”), pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (the “Act”) [1] and Rule 19b–4 thereunder,[2] a proposed rule change to amend its Operational Risk and Resilience Policy (the “Policy”). On August 24, 2023, ICE Clear Europe filed Amendment No. 1 to the proposed rule change to make certain changes to the Exhibits 5.[3] Notice of the proposed rule change, as modified by Amendment No. 1, was published for comment in the Federal Register on September 5, 2023.[4] On October 3, 2023, the Commission designated a longer period for Commission action on the proposed rule change until December 4, 2023.[5] The Commission has not received comments regarding the proposed rule change. For the reasons discussed below, the Commission is approving the proposed rule change, as modified by Amendment No. 1 (hereinafter “the Proposed Rule Change”).

    II. Description of the Proposed Rule Change

    A. Background

    ICE Clear Europe is registered with the Commission as a clearing agency for Start Printed Page 74548 the purpose of clearing security-based swaps. In its role as a clearing agency for security-based swaps, ICE Clear Europe maintains the Policy to address how ICE Clear Europe identifies, assesses, manages, monitors, and reports its operational risks. ICE Clear Europe is proposing to amend the Policy to add new scenario analysis and testing relating to operational risk and resilience, require that ICE Clear Europe assess emerging risks, and update the review process for the Policy. The Policy has five sections: (1) Introduction, (2) Operational Risk and Resilience Framework, (3) Risk and Control Assessments, (4) Governance and Oversight, and (5) Appendix. To effect these amendments, the Proposed Rule Change would amend all sections except the Introduction, renumber or relabel various provisions throughout the Policy, and update the version history to reflect these changes.

    B. Operational Risk and Resilience Framework

    Section 2 of the Policy, “Operational Risk and Resilience Framework,” describes the overall framework that ICE Clear Europe uses to address operational risk [6] and maintain operational resilience. Specifically, ICE Clear Europe uses this framework to reduce the likelihood of an operational disruption event within acceptable tolerance, and mitigate and quickly recover from an operational disruption event. In addition to the Policy itself, the policies and procedures in the framework are: (i) the Incident Management Policy; (ii) the Business Continuity & Disaster Recovery Policy; (iii) the Information Security Policy and Cyber Security Strategy; (iv) the Outsourcing Policy; and (v) the Vendor Management Policy.[7]

    ICE Clear Europe proposes to update the description of the operational risk and resilience framework to reflect the new name of the Outsourcing Policy. ICE Clear Europe recently changed the name of the Outsourcing Policy to the Outsourcing and Third Party Risk Management Policy, and the Proposed Rule Change would reflect this update.[8] The Proposed Rule Change also would add language to reflect that the updated policy has been approved by the Board and is pending regulatory approval.[9]

    ICE Clear Europe proposes to update the description of its scenario analysis and testing found in Section 2.6 of the Policy. As noted in the Policy, ICE Clear Europe has scenario analysis and testing in place to identity any operational resilience weakness, and it conducts such testing on important business services to determine if it can remain within the impact tolerances under a range of extreme but plausible disruption scenarios. ICE Clear Europe proposes to make additions to this section without deleting any language, except for one exception noted below relating to the Board.

    Specifically, the Proposed Rule Change would add a requirement that the Clearing House must maintain an inventory of scenarios for the purposes of scenario analysis and testing. Moreover, the Policy currently specifies that the testing should include scenarios which disrupt more than one important business service simultaneously and take into account dependencies.[10] The Proposed Rule Change would specify that such dependencies should be both internal and external. The Proposed Rule Change would also add language stating that a portion of the scenarios should be identified and selected for reverse stress testing (through a practical test where possible or a desk top exercise), and that, over a three-year cycle, all scenarios would have to be tested at least once by either a practical test or a desk top exercise. In addition, the inventory of scenarios would need to be reviewed on at least an annual basis in order to determine if the scenarios are still fit for purpose and if updates are required. The annual review of the inventory would be the responsibility of the First Line with Second Line review, and would be approved by the Executive Risk Committee (“ERC”).[11] The ERC would also be responsible for approving any changes to the list of scenarios outside of the annual review cycle. The detailed scope of the testing based on the scenarios in the inventory and the results of testing and assessment against the risk register would be shared with the Second Line for review. The Proposed Rule Change would also specify that the scenario analysis and testing results would be submitted to the ERC or relevant Board sub-committee by removing a reference to the Board and replacing it with the relevant Board sub-committee.

    C. Risk and Control Assessments

    Section 3 of the Policy, “Risk and Control Assessments,” addresses the process that identifies, assesses, manages, monitors, and reports operational risk. The Proposed Rule Change would add a new section on control validation and assessment, outlining that upon entry to the risk register or when a material change is made to a Key Control, Enterprise Risk Management (“ERM”) will confirm that validation of Key Controls is carried out. Additionally, the amendments would state that validation may be verified directly by ERM or through ERM's oversight of validations performed by the First Line. The amendments would also replace two references to control testing with control validation throughout the Policy to be consistent with the new section. The Proposed Rule Change does not redefine control testing and is meant to align with the Clearing House's Global Enterprise Risk Management Policy.

    In Section 3.2, “Risk Assessment,” the amendments would address emerging risks by adding a paragraph stating that there should be an assessment of the Velocity for emerging risks. Velocity would be defined as an estimate of the time frame within which impact of a risk may be realized, and would be considered as an additional factor utilized in prioritizing Emerging Risks. Other non-substantive drafting clarifications would be made in this section, such as renumbering to account for the new section on control validation and assessment. Start Printed Page 74549

    D. Governance and Oversight

    In Section 4, “Governance and Oversight,” the amendments would add three new sections: “Reviews,” “Breach Management,” and “Exception Handling.”

    The “Reviews” section would replace the previous “Oversight of the Policy” section, which stated only that the Policy is subject to the oversight of the Risk Oversight Department and that failure to comply with the Policy shall be escalated to the Board. This statement must be removed to ensure consistency with the Operational Risk and Resilience Framework section discussed above, which specifies that the First Line of defense is responsible for ensuring adherence to all the requirements in the Policy, with the Risk Oversight Department and Enterprise Risk Management acting as the Second Line of defense, with responsibility for challenging the First Line and monitoring adherence to the requirement of the Policy.

    Instead, the new “Reviews” section of the Policy would include a number of provisions governing the oversight and review of the Policy. First, it would specify that the owner of the Policy would be responsible for ensuring that the Policy remains up to date and is reviewed in accordance with ICE Clear Europe's governance processes. It would also provide that, unless otherwise stated, a document review will be conducted by the document owner and/or relevant staff as appropriate, with sign off being provided by the head of the department (or their delegate) and the Chief Risk Officer. Such document reviews would need to encompass, at a minimum, regulatory compliance; documentation and purpose; implementation; use; and open items from previous validations or reviews (where appropriate). The results of the review, including any findings, would need to be reported to ICE Clear Europe's Executive Risk Committee, along with the priority of findings, proposed remediations, and target due date to remediate the findings. Finally, the “Reviews” section would specify that the document owner will aim to remediate the findings, complete internal governance, and receive regulatory approvals (where applicable) before the next annual review is due.

    The new “Breach Management” section would specify that the document owner would be responsible for reporting material breaches or unapproved deviations from the Policy to their Head of Department, the Chief Risk Officer, and the Head of Regulation and Compliance (or, as applicable, their respective delegates). Those individuals together would determine if further escalation should be made to relevant senior executives, the Board, and/or competent authorities.

    Finally, the new “Exception Handling” section would specify that exceptions to the Policy must be approved in accordance with ICE Clear Europe's governance process for the approval of changes, which would only take effect after completion of all necessary internal and regulatory approvals.

    E. Appendix

    The Proposed Rule Change also would modify and update three of the appendixes, add one new appendix, and remove a section from one appendix.

    Specifically, the Proposed Rule Change would modify and update the table included as Appendix D, “Assessment of Expected Level of Risk Mitigation,” by renaming the current “Mitigation” column as “Rating” and adding a new column labeled “Examples,” which would include specific examples for each level of rating (high, medium, and low).

    The Proposed Rule Change would update and modify the table included as Appendix E, “Control Effectiveness Ratings,” by renaming the current “Effectiveness” and “Guidelines” columns as “Rating” and “Control Assessment Guidelines,” respectively. In addition, an additional bullet point would be in the guideline column for the “Unsatisfactory” rating, specifying that this rating would apply where the control validation and/or assessment and audit programs result in major findings.

    The columns for the table included as Appendix F, “Control Remediation Recommendation & Timelines,” (Appendix F) would also be renamed. The current heading labeled Control Effectiveness would be renamed to Control Effectiveness Rating, and the heading labeled Mitigation would be renamed to Level of Risk Mitigation. In addition, for the scenario with a Control Effectiveness Rating of Needs Improvement and a High Level of Risk Mitigation, the recommendation would be changed from Medium to High.

    A new table would be added as Appendix G, “Velocity Assessment Guidance,” in connection with the amendments to Section 3.2 discussed above relating to an assessment of the velocity of emerging risks. This section would include a chart separating the Velocity Rating into categories of Immediate (less than six months), Short Term (between six and 18 months), and Medium Term (greater than 18 months), and a description noting that each rating is assessed based on the time in which the impact of a risk may be realized if the risk is unmitigated ( e.g., an immediate risk is one for which the impact may be realized within six months of the risk event occurring if the risk is unmitigated).

    Finally, the amendments would remove the section labeled Control Testing Scope following the chart on Risk Mitigation in Appendix H, to conform to the change in the Policy to refer to control validation rather than control testing.

    III. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act directs the Commission to approve a Proposed Rule Change of a self-regulatory organization if it finds that such Proposed Rule Change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to such organization.[12] For the reasons discussed below, the Commission finds that the Proposed Rule Change is consistent with Section 17A(b)(3)(F) of the Act,[13] and Rules 17Ad–22(e)(2)(v) and 17Ad–22(e)(17) thereunder.[14]

    i. Consistency With Section 17A(b)(3)(F) of the Act

    Section 17A(b)(3)(F) of the Act requires, among other things, that the rules of ICE Clear Europe be designed to promote the prompt and accurate clearance and settlement of securities transactions and, to the extent applicable, derivative agreements, contracts, and transactions.[15] Based on its review of the record, and for the reasons discussed below, the Commission finds that the proposed changes to the Policy are consistent with the promotion of the prompt and accurate clearance and settlement of securities transactions.

    As a registered clearing agency, ICE Clear Europe faces a number of operational risks that could impact or threaten its ability to clear and settle transactions if they are not eliminated or mitigated. As noted above, ICE Clear Europe maintains the Policy to address how it identifies, assesses, manages, monitors, and reports such operational risks. Improving or enhancing the Policy likewise improves or enhances ICE Clear Europe's ability to manage or mitigate its operational risks and Start Printed Page 74550 therefore ensure that it can continue to clear and settle securities transactions.

    For example, as discussed above, the Proposed Rule Change would update the Policy to require ICE Clear Europe to maintain an inventory of scenarios for the purposes of scenario analysis and testing, which inventory would need to be reviewed on at least an annual basis in order to determine if the scenarios are still fit for purpose and if updates are required. These new requirements should help ensure that ICE Clear Europe personnel identify and maintain an appropriate inventory of scenarios, determine in a timely manner if updates to the inventory or scenarios are needed, and identify any gaps and necessary resolutions or updates to the inventory and scenarios sooner than what is currently required.

    Taken together, these enhancements to the Policy should enhance ICE Clear Europe's operational resilience, which in turn should decrease the likelihood that operational incidents would disrupt its ability to promptly and accurately clear and settle securities transactions. Accordingly, the Commission finds that the Proposed Rule Change is consistent with Section 17A(b)(3)(F) of the Act.[16]

    ii. Consistency With Rule 17Ad–22(e)(2)(v)

    Rule 17Ad–22(e)(2)(v) require that ICE Clear Europe establish, implement, maintain, and enforce written policies and procedures reasonably designed to provide governance arrangements that, among other things, are clear and transparent and specify clear and direct lines of responsibility.[17]

    As discussed above, the Proposed Rule Change would add new sections to the Policy addressing reviews, breach management, and exception handling. Among other things, the section addressing reviews would make the document owner responsible for ensuring that the Policy remains up-to-date and is reviewed in accordance with ICE Clear Europe's governance processes. Additionally, document reviews will be conducted by the document owner and signed off by the head of the department (or their delegate) and the Chief Risk Officer. These reviews would encompass, at a minimum, regulatory compliance; documentation and purpose; implementation; use; and, where appropriate, open items from previous validations or reviews.

    Under the new section covering breach management, the document owner also would be responsible for reporting material breaches or unapproved deviations from the Policy to their Head of Department, the Chief Risk Officer, and the Head of Regulation and Compliance (or, as applicable, their respective delegates).

    Under the new section addressing exception handling, exceptions to the Policy would need to be approved in accordance with ICE Clear Europe's governance process for the approval of changes, and could only take effect after completion of all necessary internal and regulatory approvals.

    Additionally, the Proposed Rule Change would add a new section to the Policy on control validation and assessment, outlining that upon entry to the risk register or when a material change is made to a Key Control, ERM will confirm that validation of Key Controls is carried out. The Proposed Rule Change would also amend the Policy to state that validation may be verified directly by ERM or through ERM's oversight of validations performed by the First Line.

    Taken together, these changes would help establish clear and direct responsibilities for the document owner of the Policy. Accordingly, the Commission finds that the Proposed Rule Change is consistent with Rule 17Ad–22(e)(2)(v).[18]

    iii. Consistency With Rule 17Ad–22(e)(17)

    Rule 17Ad–22(e)(17) requires that ICE Clear Europe establish, implement, maintain, and enforce written policies and procedures reasonably designed to manage its operational risks by, among other things, identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls.[19]

    By adding a requirement to maintain an inventory of scenarios for the purposes of scenario analysis and test and review those scenarios annually, the Proposed Rule Change would support ICE Clear Europe's ability to identify plausible sources of operational risk, both internal and external, and mitigate their impact through the Policy, which supports Ice Clear Europe's efforts to manage and mitigate its operational risks. Accordingly, the Commission finds that the Proposed Rule Change is consistent with Rule 17Ad–22(e)(17).[20]

    IV. Conclusion

    On the basis of the foregoing, the Commission finds that the Proposed Rule Change, as modified by Amendment no. 1, is consistent with the requirements of the Act, and in particular, with the requirements of Section 17A(b)(3)(F) of the Act,[21] and Rules 17Ad–22(e)(2)(v) and 17Ad–22(e)(17) thereunder.[22]

    It is therefore ordered pursuant to Section 19(b)(2) of the Act [23] that the Proposed Rule Change (SR–ICEEU–2023–021) be, and hereby is, approved.[24]

    For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[25]

    Start Signature

    Sherry R. Haywood,

    Assistant Secretary.

    End Signature End Preamble

    Footnotes

    3.  Amendment No. 1 corrects the presentation of changes in Exhibit 5 by reflecting the deletion of the prior “Oversight of the Policy” section as part of the updated governance and oversight provisions. This amendment was filed with the Commission on August 24, 2023.

    Back to Citation

    4.  Self-Regulatory Organizations; ICE Clear Europe Limited; Notice of Filing of Proposed Rule Change, as Modified by Amendment No. 1, Relating to Amendments to its Operational Risk and Resilience Policy, Exchange Act Release No. 98237 (Aug. 29, 2023); 88 FR 60727 (Sep. 5, 2023) (SR–ICEEU–2023–021) (“Notice”).

    Back to Citation

    5.  Self-Regulatory Organizations; ICE Clear Europe Limited; Notice of Designation of Longer Period for Commission Action on Proposed Rule Change, as Modified by Amendment No. 1, Relating to Amendments to its Operational Risk and Resilience Policy; Exchange Act Release No. 98573 (Sep. 27, 2023), 88 FR 68240 (Oct. 3, 2023) (File No. SR–ICEEU–2023–021).

    Back to Citation

    6.  The Policy defines operational risk as the risk of an event occurring which negatively impacts the achievement of business objectives resulting from inadequate or failed internal operational controls, people, systems, or external events.

    Back to Citation

    7.   See Self-Regulatory Organizations; ICE Clear Europe Limited; Order Approving Proposed Rule Change Relating to ICE Clear Europe Operational Risk and Resilience Policy, Exchange Act Release No. 96351 (Nov. 18, 2022); 87 FR 72553 (Nov. 25, 2022) (SR–ICEEU–2022–015).

    Back to Citation

    8.  For more information regarding the changes relating to the Outsourcing and Third Party Risk Management Policy, See Self-Regulatory Organizations; ICE Clear Europe Limited; Order Approving Proposed Rule Change, as Modified by Amendment No. 1 and Partial Amendment No. 2, Relating to Amendments to the Outsourcing Policy, Exchange Act Release No. 98387 (Sep. 14, 2023); 88 FR 64953 (Sep. 20, 2023) (SR–ICEEU–2023–018).

    Back to Citation

    9.  Following publication of the Notice, the Commission approved ICE Clear Europe's proposed change to the name of the Outsourcing Policy, as well as other changes to the Outsourcing Policy. See Self-Regulatory Organizations; ICE Clear Europe Limited; Order Approving Proposed Rule Change, as Modified by Amendment No. 1 and Partial Amendment No. 2, Relating to Amendments to the Outsourcing Policy, Exchange Act Release No. 98387 (Sep. 14, 2023); 88 FR 64953 (Sep. 20, 2023) (SR–ICEEU–2023–019).

    Back to Citation

    10.  The Clearing House requires that for each important business service, the following dependencies must be identified: people, processes, technology, facilities, and underlying information.

    Back to Citation

    11.  Enteprise Risk Management is the Second Line of defense and is responsible for challenging the First Line and monitoring adherence to the requirement of this policy. Key Controls have an expected high level of mitigation and the associated risks have an inherent risk score of “High” or “Very High”. First Line refers to the defense (or Risk Owner) responsible for managing the risks to within the Board appetite and ensuring adherence to all the requirements in the Policy.

    Back to Citation

    24.  In approving the Proposed Rule Change, the Commission considered the proposal's impact on efficiency, competition, and capital formation. 15 U.S.C. 78c(f).

    Back to Citation

    [FR Doc. 2023–23941 Filed 10–30–23; 8:45 am]

    BILLING CODE 8011–01–P

Document Information

Published:
10/31/2023
Department:
Securities and Exchange Commission
Entry Type:
Notice
Document Number:
2023-23941
Pages:
74547-74550 (4 pages)
Docket Numbers:
Release No. 34-98799, File No. SR-ICEEU-2023-021
PDF File:
2023-23941.pdf