I. Introduction

On July 19, 2022, ICE Clear Europe Limited (“ICE Clear Europe” or “ICEEU”) filed with the Securities and Exchange Commission (“Commission”), pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (the “Act”),^[1] and Rule 19b-4 thereunder,^[2] a proposed rule change to adopt an Outsourcing Policy. The proposed rule change was published for comment in the Federal Register on August 4, 2022.^[3] The Commission did not receive comments regarding the proposed rule change. For the reasons discussed below, the Commission is approving the proposed rule change.

II. Description of the Proposed Rule Change

The proposed rule change would create an Outsourcing Policy to describe, in a consolidated document, ICEEU's procedures for management of its outsourcing arrangements with third-party providers and affiliates, including how ICEEU's board maintains oversight of these outsourcing arrangements.^[4]

The Outsourcing Policy, as a rule of the clearing agency, is designed to complement two of ICE Clear Europe's policies: the Vendor Management Policy (“VMP”) and the Outsourcing Operating Manual (“OOM”). The VMP describes certain group-wide policies of ICEEU's parent, Intercontinental Exchange, Inc., with respect to its outsourcing arrangements with third parties. The OOM sets out additional details concerning the steps it follows in order to introduce, amend and maintain outsourcing arrangements. Together with the VMP, the proposed Outsourcing Policy would document how the ICEEU assesses the risks of outsourcing certain functions. The Outsourcing Policy would not represent a change in the ICEEU's current practices, but rather more clearly document those practices in an overall policy.

The Outsourcing Policy would include an introduction section that describes the differences between outsourcing and purchasing services, the former described as ICEEU's use of a service provider to perform an ongoing activity that would usually be performed by ICEEU and which often involves transferring or sharing related non-public proprietary information, and the latter being ICEEU's purchases of services, goods and facilities and which would typically not include any transfer of non-public proprietary information.

The Outsourcing Policy would also differentiate ICEEU's outsourcing practices and purchasing arrangements with third-party providers from those with its affiliates. The Outsourcing Policy would state that outsourcing through its affiliates typically have a lower risk profile for ICEEU because affiliates tend to be regulated entities with the same or similar systems, risk appetites, standards and processes, among other commonalities, as ICE Clear Europe. The Outsourcing Policy would also set out ICEEU's overall objectives when considering outsourcing.

The Outsourcing Policy would include a discussion of outsourcing to third parties and to ICEEU's affiliates. As mentioned, outsourcing to third parties is covered under the VMP, which covers due diligence, risk assessment, suitability, and performance management, among other topics. Outsourcing to affiliates of ICEEU would follow the same process and standards as under the VMP; however, assessments would be performed by ICEEU's senior management rather than the ICEEU's Vendor Management Office. ICEEU represented that, in all cases, it would look to ensure that all service provider-related incidents (such as service interruptions) are recorded, monitored, and escalated to ICEEU's Start Printed Page 56130 senior management in a consistent manner.^[5]

The Outsourcing Policy would provide that ICEEU would consider, in its assessment of service providers, the lower risk associated in outsourcing functions to third parties that are also regulated or authorized. ICEEU would also consider in its assessment of a service provider how the service provider's presence in a different jurisdiction impacts the risks associated with outsourcing functions to that service providers.

The Outsourcing Policy would also state that ICEEU would look to manage any potential or actual conflicts of interest resulting from its outsourcing arrangements, particularly in respect of outsourcing arrangements it has with its affiliates.

Additionally, ICE Clear Europe proposes to include in the Outsourcing Policy that it looks to reserve independent audit rights to check compliance with legal and regulatory requirements and policies in its outsourcing agreements with third-party and affiliate service providers, as required.

ICE Clear Europe also proposes to include in the Outsourcing Policy information about its cloud-based outsourcing arrangements. Outsourcing to the cloud is generally covered under the existing VMP. Relevant ICE Clear Europe and ICE Group policies, such as the Corporate Information Security Policy, would also be considered when engaging in cloud outsourcing arrangements. Adding a new or significantly changing an existing cloud outsource arrangement would be covered under the OOM.

The Outsourcing Policy would include a section describing ICEEU's considerations when deciding whether to outsource a function considered “critical or important.” A function is considered by ICEEU to be “critical or important” where a defect or failure in its performance would materially impair the ICEEU's continuing compliance with the conditions and obligations or its authorizations or other obligations, financial performance, or the soundness or continuity of its services and activities.

The Outsourcing Policy would include an acknowledgment by ICEEU that outsourcing “critical or important” functions could impact ICEEU's risk profile, ability to oversee the service provider and manage risks, business continuity measures, and performance of its business activities. Under the proposed Outsourcing Policy, ICEEU would ensure that such matters would be considered in the decision-making processes with respect to outsourcing. Additionally, “critical or important” functions would impact how an outsourcing arrangement is assessed, documented and managed by ICEEU (including by having an exit plan, if practical). Also, if a function to be outsourced is or would be a dependency to the delivery of one or more of ICEEU's important business services under its operational resilience framework, such function would be mapped accordingly with appropriate consideration given to potential vulnerabilities, resiliency, and impact to the relevant impact tolerances.

The Outsourcing Policy would also include a discussion of additional considerations of particular importance to ICEEU, in light of its position as a systemically important financial market infrastructure and in alignment with its regulatory oversight. The proposed Outsourcing Policy would highlight the following additional items that ICEEU would consider with respect to its outsourcing arrangements: (i) business continuity arrangements, (ii) incident management responsiveness and reporting, (iii) independent assurances, and (iv) redundancies, notice periods and exit strategies. Regarding business continuity arrangements, the proposed rule change would state that, during the onboarding process and through periodic reviews and testing, ICEEU would assess the service provider's business continuity plans to ensure that they are fit for the relevant purposes. The proposal would state that incident management and responsiveness and timely reporting are important factors in ICEEU's outsourcing arrangements, given the services that ICEEU operates. Accordingly, the proposal would require that outsourcing providers have appropriate mechanisms for timely response and incident management. Regarding independent assurances, the proposal would state that where possible and practicable, ICEEU would look to collect independent assurances of the outsourcing providers' services, which may include but are not limited to SOC2 audits, Regulation SCI audits, and enterprise technology risk assessments. Finally, the proposed Outsourcing Policy would state that where possible and practicable, the ICEEU would look to mitigate the risk of disruption to its services from outsourcing providers ceasing to provide their services to ICEEU, through redundancies (the use of multiple providers), sufficient notice periods, or exit strategies.

The proposed Outsourcing Policy would also include a section describing ICEEU's Board oversight of outsourcing arrangements. The Board oversees ICEEU's outsourcing arrangements through risk appetite metrics that include service and incident reporting, operational risk reporting that covers incidents observed in the relevant period, their resolution and other performance metrics, and an Annual Outsourcing Assessment Report.

The proposed Outsourcing Policy would state that the COO or its delegate would prepare the Annual Outsourcing Assessment Report, which would be reviewed by the Board each year directly or via its committees. The Annual Outsourcing Assessment Report would cover the following topics: (i) the activities and services that are outsourced, (ii) the identities of the outsource providers, (iii) the performance of the outsourcing providers and their adherence to agreed service levels, (iv) where relevant, the security measures of the outsourcing providers, (v) risk reviews of the outsourcing providers, particularly those providing critical or important cloud outsourcing arrangements, (vi) exit strategies and contingency arrangements associated with outsourcing critical or important functions, and (vii) results and conclusions of additional assurance mechanisms (for example, SOC2 audits) where applicable.

Finally, the proposed Outsourcing Policy would describe governance and exception handling. The document owner would be responsible for ensuring that it remains up to date and reviewed in accordance with ICEEU's governance processes. Exceptions to the Outsourcing Policy would also be approved in accordance with such governance processes. Any deviations from the Outsourcing Policy would have to be appropriately escalated and reported in a timely manner by the document owner, and the document owner would also be responsible for reporting any material breaches or deviations to the President of ICE Clear Europe and the Risk Oversight Department in order to determine the appropriate governance escalation and notification requirements.

III. Discussion and Commission Findings

Section 19(b)(2)(C) of the Act directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder Start Printed Page 56131 applicable to such organization.^[6] For the reasons discussed below, the Commission finds that the proposed rule change is consistent with Section 17A(b)(3)(F) of the Act,^[7] and Rules 17Ad-22(e)(2)(v) and (e)(3)(i) thereunder.^[8]

A. Consistency With Section 17A(b)(3)(F) of the Act

Section 17A(b)(3)(F) of the Act requires, among other things, that the rules of ICE Clear Europe be designed to promote the prompt and accurate clearance and settlement of securities transactions and, to the extent applicable, derivative agreements, contracts, and transactions.^[9] As noted above, the proposed rule change would create a consolidated policy-level document for managing outsourcing of services with both third-party providers and affiliates of ICEEU. Specifically, the proposed rule change would lay out in detail certain key considerations of ICEEU in outsourcing, including assessing service providers' operational capabilities, dependencies, resilience, financial, reputational, legal, and regulatory standing. The proposed rule change would also include an acknowledgment by ICEEU that outsourcing critical or important functions could impact its risk profile, ability to oversee the service provider and manage risks, business continuity measures, and performance of its business activities, and would be considered in outsourcing decisions. The proposed Outsourcing Policy would also include that ICEEU looks to manage any potential or actual conflicts of interest resulting from its outsourcing arrangements. The Commission believes that these overarching considerations, combined with a description of ICEEU's Board oversight of outsourcing arrangements, would enhance ICEEU's ability to manage risks associated with outsourcing as they arise as well as its ability to regularly assess outsourcing providers. The Commission believes that this in turn should strengthen ICEEU's ability to carry out its operations, thereby promoting the prompt and accurate clearance and settlement of securities transactions.

For these reasons, the Commission believes that the proposed rule change is consistent with Section 17A(b)(3)(F) of the Act.^[10]

B. Consistency With Rule 17Ad-22(e)(2)(v) Under the Act

Rule 17Ad-22(e)(2)(v) requires, in relevant part, that ICEEU establish, implement, maintain, and enforce written policies and procedures reasonably designed, as applicable, to provide for governance arrangements that specify clear and direct lines of responsibility.^[11]

As noted above, the proposed Outsourcing Policy would explain the Board's role in overseeing outsourcing arrangements, including through utilization of risk metrics, operational risk reporting, and the review of the annual outsourcing assessment report (prepared by the COO). Further, the proposed rule change would state that the document owner is responsible for updating the proposed Outsourcing Policy, that any exceptions to the document would be escalated and reported by the document holder, and that the document owner would report any material breaches or deviations to the President of ICEEU and will notify the Risk Oversight Department in order to determine the appropriate governance escalation and notification requirements. The Commission believes that documenting the roles and responsibilities for managing the proposed Outsourcing Policy in this way provides for governance arrangements that specify clear and direct lines of responsibility.

For these reasons, the Commission believes that the proposed rule change is consistent with Rule 17Ad-22(e)(2)(v).^[12]

C. Consistency With Rule 17Ad-22(e)(3)(i) Under the Act

Rule 17Ad-22(e)(3)(i) requires that ICEEU establish, implement, maintain, and enforce written policies and procedures reasonably designed to, as applicable, maintain a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne by ICEEU, which includes risk management policies, procedures, and systems designed to identify, measure, monitor, and manage the range of risks that arise in or are borne by ICEEU, that are subject to review on a specified periodic basis and approved by ICEEU's board of directors annually.^[13]

Because the proposed Outsourcing Policy described above sets forth considerations and approaches to measuring, monitoring, and identifying the risks related to outsourcing arrangements and lays out governance of this process on an annual basis, the Commission believes that it strengthens ICEEU's management of a range of risks borne by it which is also subject to periodic and annual Board review. For example, the Commission believes that the proposed procedures related to identifying critical functions (defining a function as “critical or important”), the regular assessment of service providers (assessment of service provider's business continuity plans and timely response to incidents), and mitigation of risk (through redundancies, notice periods and exit strategies) from service providers, all support and strengthen ICEEU's ability to identify, monitor, and measure the risks related to outsourcing arrangements.

For these reasons, the Commission believes that the proposed rule change is consistent with Rule 17Ad-22(e)(3)(i).^[14]

IV. Conclusion

On the basis of the foregoing, the Commission finds that the proposed rule change is consistent with the requirements of the Act, and in particular, with the requirements of Section 17A(b)(3)(F) of the Act,^[15] and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(3)(i).^[16]

It is therefore ordered pursuant to Section 19(b)(2) of the Act ^[17] that the proposed rule change (SR-ICEEU-2022-014), be, and hereby is, approved.^[18]

Footnotes