Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) ^[1] and Rule 19b-4 thereunder,^[2] notice is hereby given that on December 1, 2020, The Depository Trust Company (“DTC”), Fixed Income Clearing Corporation (“FICC”), and National Securities Clearing Corporation (“NSCC,” and collectively, the “Clearing Agencies”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule changes as described in Items I, II and III below, which Items have been primarily prepared by the Clearing Agencies. The Clearing Agencies filed the proposed rule changes pursuant to Section 19(b)(3)(A) of the Act ^[3] and Rule 19b-4(f)(3) thereunder.^[4] The Commission is publishing this notice to solicit comments on the proposed rule changes from interested persons.

I. Clearing Agencies' Statement of the Terms of Substance of the Proposed Rule Changes

The proposed rule changes consist of amendments to the Clearing Agency Operational Risk Management Framework (“ORM Framework” or “Framework”) of Clearing Agencies. Specifically, the proposed rule changes would (1) include a description of the Clearing Agencies' incident management procedures; (2) update the ORM Framework to reflect recent changes to group names and responsibilities, and other processes and matters described in the Framework; and (3) enhance the descriptions of certain matters within the ORM Framework to improve its clarity and comprehensiveness, as further described below.

II. Clearing Agencies' Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Changes

In their filings with the Commission, the Clearing Agencies included statements concerning the purpose of and basis for the proposed rule changes and discussed any comments they received on the proposed rule changes. The text of these statements may be examined at the places specified in Item IV below. The Clearing Agencies have prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements.

(A) Clearing Agencies' Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Changes

1. Purpose

The Clearing Agencies adopted the ORM Framework ^[5] to provide an outline for how each of the Clearing Agencies manages its operational risks. In this way, the Framework supports the Clearing Agencies' compliance with Rules 17Ad-22(e)(17) of the Standards for Covered Clearing Agencies (“Standards”) under the Act,^[6] as described in the Initial Filing. In addition to setting forth the manner in which each of the Clearing Agencies addresses these requirements, the ORM Framework also contains a section titled “Framework Ownership and Change Management” that, among other matters, describes the Framework ownership and the required governance process for review and approval of changes to the Framework.

In connection with the annual review and approval of the Framework by the Boards of Directors of each of the Clearing Agencies (each a “Board” and collectively, the “Boards”), the Clearing Agencies are proposing to make certain revisions to the Framework.

Such proposed changes would include a description of the Clearing Agencies' incident management procedures in connection with its information technology risk management. The proposed changes would also update the ORM Framework to reflect recent changes to group names and responsibilities, certain processes and other matters described in the Framework. Finally, the proposed changes would enhance the descriptions of certain matters within the ORM Framework to improve its clarity and comprehensiveness. Each of these proposed changes are further described below.

i. Proposed Amendments To Describe Incident Management Procedures

First, the proposed changes would add a description of the Clearing Agencies' incident management procedures in Section 5 of the Framework, which currently describes information technology management. The Clearing Agencies currently follow these incident management procedures, which support the Clearing Agencies' compliance with the requirements of Rule 17Ad-22(e)(17)(i) and (ii) and define the actions that are taken following detection of systems incidents.^[7] The purpose of these procedures, as proposed to be described in Section 5 of the Framework, is to define the actions that are taken following the detection of systems incidents. Generally, these actions include identification and classification, investigation and diagnosis, and resolution and recovery of the incidents that affect the Clearing Agencies' systems.

The proposed change would be to include a description of these existing procedures in the Framework in connection with its description of information technology management. This proposed change would improve the Framework by including this important aspect of operational risk management and providing a more complete description of the Clearing Agencies' processes that support their compliance with the requirements of Rule 17Ad-22(e)(17)(i) and (ii).

ii. Proposed Amendments To Update the Framework

Second, the proposed changes would update the ORM Framework to reflect recent developments with respect to the names and responsibilities of groups that take certain actions described in the Framework. The proposed changes would also reflect updates to processes and other matters described in the Framework, as described below. These proposed changes do not substantively impact how the Clearing Agencies manage operational risk in compliance with the requirements of Rule 17Ad-22(e)(17).^[8]

1. Proposed Change to the Name of Business Continuity Management

Section 6 of the ORM Framework describes the Clearing Agencies' management of business continuity risk and the business continuity plans that Start Printed Page 81532have been established and maintained by the Clearing Agencies in compliance with the requirements of Rule 17Ad-22(e)(17)(iii).^[9] The group responsible for these activities was previously called Business Continuity Management. While the role and responsibilities of this risk management function have not changed, its name has been changed to “Business Continuity & Resiliency” to reflect an increased focus on strengthening the resiliency of the Clearing Agencies and the ability of their systems to sustain and recover from numerous incidents. The Framework would be updated to reflect the change to the name of this group.

2. Proposed Change To Revise Description of Document Repository

Section 4.1 of the ORM Framework describes Risk Tolerance Statements, which document the overall risk reduction or mitigation objectives for the Clearing Agencies with respect to identified risks to the Clearing Agencies. Risk Tolerance Statements also document the risk controls and other measures used to manage identified risks, including escalation requirements in the event of risk metric breaches. Currently, Section 4.1 states that Risk Tolerance Statements are located in the DTCC Enterprise Policy Repository.

The name of the repository where all policies, procedures and related documents are maintained has changed. Therefore, the Clearing Agencies are proposing to update this Section of the Framework to refer generally to the central repository for all policies, procedures and related documents, rather than refer to the specific name of that central repository. This proposed change would allow the Framework to accurately describe where Risk Tolerance Statements are maintained, notwithstanding this recent, and any potential future, change to the name of that document management tool.

3. Proposed Change To Reflect Expansion of Operating Centers

Section 6 of the ORM Framework, which describes business continuity risk management, currently includes a statement that the operating centers that support the Clearing Agencies are run from no fewer than three geographic regions in the United States. Since the ORM Framework was adopted the Clearing Agencies have expanded the geographic spread and diversity of their operating centers. In order to reflect this change, the ORM Framework would be updated to state that these operating centers are run from geographic regions globally (i.e., without the limitation that they are located in the United States).

iii. Proposed Amendments To Clarify and Enhance Descriptions in the Framework

Finally, the proposed changes would enhance the descriptions of certain matters within the ORM Framework to improve its clarity and comprehensiveness, as described below.

1. Proposed Change To Describe Annual Approval of Framework by Boards

Section 2 of the ORM Framework addresses the Framework's ownership and change management. This section currently states that the Framework should be reviewed by the document owner no less frequently than annually but does not specify the regulatory requirement that the Framework also be approved by the Boards on an annual basis. The Clearing Agencies are proposing to amend Section 2 of the Framework to include the requirement that the Framework be approved by the Boards, or a duly authorized committee of the Boards, annually.

Rule 17Ad-22(e)(3) under the Act requires that the Clearing Agencies maintain a sound risk management framework for comprehensively managing the risks that arise in or are borne by the Clearing Agencies, including operational risks.^[10] Rule 17Ad-22(e)(3)(i) under the Act requires that the risk management policies, procedures, and systems that are maintained in compliance with Rule 17Ad-22(e)(3) be subject to review on a specified periodic basis and be approved by the Boards annually.^[11] As stated above, the Framework provides an outline for how each of the Clearing Agencies manage operational risks, as required by both Rules 17Ad-22(e)(3) and (17) under the Act.^[12] Therefore, the ORM Framework is reviewed and approved by the Boards annually, as required by Rule 17Ad-22(e)(3)(i) under the Act.^[13]

The Clearing Agencies are proposing to amend Section 2 of the Framework to state that the Framework shall be approved by the Boards, or a duly authorized committee of the Boards, annually. The proposed change would enhance the comprehensiveness of the Framework to specify this requirement, which is aligned with the applicable requirements of Rule 17Ad-22(e)(3)(i) under the Act.^[14]

2. Proposed Change To Clarify Description of Risk Profiles

Section 4.2 of the ORM Framework describes the Risk Profiles, which are tools used by the Operational Risk Management group within the Group Chief Risk Office of The Depository Trust & Clearing Corporation (“ORM”) ^[15] to document risk assessments and consolidate pertinent operational risk and control data, including, without limitation, incidents, audit findings, compliance testing results, and risk metrics, to support an overall assessment of the applicable Clearing Agency Business' or Clearing Agency Support Area's inherent risk and residual risk. The Clearing Agencies are proposing changes to this Section to clarify and simplify the description of Risk Profiles.

First, the proposed changes would clarify that the assessments documented in Risk Profiles both (1) assess inherent risks, and (2) identify residual risks. The proposed changes would do this by revising the relevant sentence and by removing the current description of risk acceptance of residual risks, which is a process that is separate from the description of Risk Profiles. The proposed changes would focus the description on the two types of risks that are relevant to the Risk Profiles.

Second, the proposed change would simplify the description of how the Risk Profiles are created by removing reference to ORM as the responsible group. Currently, both ORM and the Clearing Agency business and support areas are jointly responsible for the tasks related to creating and documenting Risk Profiles. Over time, the responsibility for these tasks has shifted away from ORM, and to the Clearing Agency business and support areas. The proposed changes would continue to identify the crucial tasks related to the creation and maintenance of Risk Profiles but would simplify this section of the Framework by removing reference to the division of responsibilities among these groups.

Third, the proposed changes would clarify that Clearing Agency businesses and support areas are responsible for the day-to-day management of all risk applicable to their area. Currently, Section 4.2 states that these groups are only responsible for the management of residual risks. The proposed change Start Printed Page 81533would correct this statement and clarify these groups' responsibilities.

Finally, the proposed changes would clarify that the Clearing Agency businesses and support areas are responsible for updating their policies and procedures to support risk management at the Clearing Agencies. Currently, the relevant sentence in Section 4.2 states that such policies and procedures support operational risk management at the Clearing Agencies. The proposed change would clarify the responsibilities of these groups and the role of policies and procedures in risk management.

3. Proposed Change To Clarify the Responsibilities of the ORM Group

Section 4.3 of the ORM Framework describes the responsibilities of ORM. Currently, this Section states that this group is responsible for reviewing, revising and creating Risk Tolerance Statements. However, ORM is responsible for working with the businesses that own the relevant risks in reviewing, revising and creating Risk Tolerance Statements. Therefore, the proposed changes would clarify ORM's responsibilities with respect to Risk Tolerance Statements.

4. Proposed Changes To Clarify Description of Business Continuity Risk Management

Section 6 of the ORM Framework describes how the Clearing Agencies manage business continuity risks. The Clearing Agencies are proposing changes to this section to clarify the description of business continuity risk management and to make this section more comprehensive.

First, the proposed changes would include a reference to events that have the potential to disrupt the Clearing Agencies' businesses in a statement that refers generally to the types of events that could impact the Clearing Agencies. This update would make the statement more comprehensive by including events that are considered “near-miss” events, or events that did not have had an impact on the Clearing Agencies but had the potential of causing an impact on their businesses. This proposed change would align the description to current practice, by which the Clearing Agencies take into account “near-miss” events in its risk management processes.

Second, the proposed changes would update the description of the “tiers” that are used to rank the criticality of the Clearing Agencies' businesses and support areas. The proposed changes would not impact the way these tiered rankings are applied and would align the description in the Framework to the current description in the Clearing Agencies' internal procedures. Among the updates to the description of the tiers, the proposed changes would include a clarifying statement that the Clearing Agencies' support areas are automatically assigned the same tier as the Clearing Agency business that they support, and would remove references to the Clearing Agency support areas in the description of the process that results in a group's tier.

Finally, the proposed changes to Section 6 would clarify statements in connection with the creation of business impact analyses (“BIA”), which are used to assign each Clearing Agency business with a tier. The proposed changes would clarify, for example, that appropriate risk controls may be applied with respect to an applicable Clearing Agency business at any time, and not only during a business continuity event. The proposed changes would also clarify that the BIA identify product dependencies within an applicable Clearing Agency business. While the process for creating BIA has not changed, the proposed changes to Section 6 of the Framework would enhance the description of the process by making it clearer and more comprehensive.

2. Statutory Basis

The Clearing Agencies believe that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act ^[16] and Rule 17Ad-22(e)(3)(i), and (17)(i) and (ii) promulgated under the Act,^[17] for the reasons described below.

The Clearing Agencies believe that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act, which requires, in part, that the rules of a registered clearing agency be designed to promote the prompt and accurate clearance and settlement of securities transactions, and to assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible, for the reasons described below.^[18] The proposed changes would update and clarify the Framework and would make it more comprehensive in how it describes operational risk management of the Clearing Agencies, as described above. By creating clearer, updated and more comprehensive descriptions, the Clearing Agencies believe the proposed changes would make the ORM Framework more effective in providing an overview of the important risk management activities described therein.

As described in the Initial Filing, the risk management functions described in the ORM Framework allow the Clearing Agencies to continue the prompt and accurate clearance and settlement of securities and can continue to assure the safeguarding of securities and funds which are in their custody or control or for which they are responsible notwithstanding the default of a member of an affiliated family. The proposed changes to improve the clarity and accuracy of the descriptions of these functions within the ORM Framework would assist the Clearing Agencies in carrying out these risk management functions. Therefore, the Clearing Agencies believe the proposed changes are consistent with the requirements of Section 17A(b)(3)(F) of the Act.^[19]

Rule 17Ad-22(e)(3)(i) under the Act requires, in part, that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to maintain a sound risk management framework for comprehensively managing operational risks that arise in or are borne by the covered clearing agency, which includes risk management policies, procedures, and systems that are subject to review on a specified periodic basis and approved by the board of directors annually.^[20] As described above, the Framework is currently approved by the Board annually, in compliance with the requirements of Rule 17Ad-22(e)(3)(i). The proposed changes would describe this annual approval in Section 2 of the Framework, where the Framework's ownership and change management is addressed. By including a description of the required annual Board approval of the Framework, the proposed changes are consistent with the requirements of Rule 17Ad-22(e)(3)(i) under the Act.^[21]

Rule 17Ad-22(e)(17) under the Act requires, in part, that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by (i) identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls; and (ii) ensuring that systems have a high degree of security, resiliency, Start Printed Page 81534operational reliability, and adequate, scalable capacity.^[22]

The Framework would be amended to include a description of the Clearing Agencies' incident management procedures. As described above, these procedures address how the Clearing Agencies detect, identify, investigate and resolve incidents that affect the Clearing Agencies' systems. These procedures are designed to help address the Clearing Agencies' compliance with the requirements of Rule 17Ad-22(e)(17)(i) and (ii).^[23] Therefore, the Clearing Agencies believe that the proposed rule changes to include a description of these procedures in the Risk Management Framework is consistent with Rule 17Ad-22(e)(17)(i) and (ii).^[24]

(B) Clearing Agencies' Statement on Burden on Competition

The Clearing Agencies do not believe that the proposed changes to the ORM Framework described above would have any impact, or impose any burden, on competition. As described above, the proposed rule changes would update the Framework and would improve the clarity and comprehensiveness of the descriptions of certain matters within the Framework. Therefore, the proposed changes are technical and non-material in nature, relating mostly to the operation of the ORM Framework rather than the risk management functions described therein. As such, the Clearing Agencies do not believe that the proposed rule changes would have any impact on competition.

(C) Clearing Agencies' Statement on Comments on the Proposed Rule Changes Received From Members, Participants, or Others

The Clearing Agencies have not solicited or received any written comments relating to this proposal. The Clearing Agencies will notify the Commission of any written comments received by the Clearing Agencies.

III. Date of Effectiveness of the Proposed Rule Changes, and Timing for Commission Action

The foregoing rule changes have become effective pursuant to Section 19(b)(3)(A) ^[25] of the Act and paragraph (f) ^[26] of Rule 19b-4 thereunder. At any time within 60 days of the filing of the proposed rule changes, the Commission summarily may temporarily suspend such rule changes if it appears to the Commission that such action is necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of the Act.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rule changes are consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's internet comment form

(http://www.sec.gov/​rules/​sro.shtml); or

• Send an email to rule-comments@sec.gov. Please include File Number SR-DTC-2020-015, SR-FICC-2020-016, or SR-NSCC-2020-019 on the subject line.

Paper Comments

• Send paper comments in triplicate to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

All submissions should refer to File Number SR-DTC-2020-015, SR-FICC-2020-016, or SR-NSCC-2020-019. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website (http://www.sec.gov/​rules/​sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule changes that are filed with the Commission, and all written communications relating to the proposed rule changes between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of the filing also will be available for inspection and copying at the principal office of the Clearing Agencies and on DTCC's website (http://dtcc.com/​legal/​sec-rule-filings.aspx). All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number SR-DTC-2020-015, SR-FICC-2020-016, or SR-NSCC-2020-019 and should be submitted on or before January 6, 2021.

Footnotes