2023-20306. Self-Regulatory Organizations; ICE Clear Europe Limited; Order Approving Proposed Rule Change, as Modified by Amendment No. 1 and Partial Amendment No. 2, Relating to Amendments to the Outsourcing Policy  

    September 14, 2023.

    I. Introduction

    On July 10, 2023, ICE Clear Europe Limited (“ICE Clear Europe”) filed with the Securities and Exchange Commission (“Commission”), pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (the “Act”),[1] and Rule 19b–4 thereunder,[2] a proposed rule change to amend its Outsourcing Policy (to be renamed the Outsourcing and Third Party Risk Management Policy) (the “Outsourcing Policy”). On July 11, 2023, ICE Clear Europe filed Amendment No. 1 to the proposed rule change to make certain changes to the Form 19b–4 and Exhibit 1A for file no. SR–ICEEU–2023–018; [3] and on July 24, 2023, ICE Clear Europe filed Partial Amendment No. 2 to the proposed rule change to make a certain change to Exhibit 5 of file no. SR–ICEEU–2023–018 [4] (together, “proposed rule change”). The proposed rule change was published for comment in the Federal Register on July 31, 2023.[5] The Commission did not receive comments regarding the proposed rule change. For the reasons discussed below, the Commission is approving the proposed rule change.

    II. Description of the Proposed Rule Change

    ICE Clear Europe is registered with the Commission as a clearing agency for the purpose of clearing security-based swaps.[6] In its role as a clearing agency for clearing security-based swaps, ICE Clear Europe regularly enters into arrangements with affiliates and third-party service providers to perform certain functions or activities. Such arrangements often come with a variety of risks, including legal, operational, general business, and other types of risks. To reduce risk exposure from such outsourcing arrangements, ICE Clear Europe created its Outsourcing Policy to describe, in a consolidated document, procedures for managing outsourcing arrangements with affiliates and third-party service providers, including how ICE Clear Europe's Board of Directors (“Board”) maintains oversight of these outsourcing arrangements.[7]

    The proposed rule change would amend ICE Clear Europe's Outsourcing Policy to extend coverage to third-party service provider arrangements that technically may not constitute outsourcing, to describe in more detail third-party risk management, to add the execution of risk assessments, and to update the Document Governance and Exception Handling language, among other changes.

    As proposed, the purpose of the Outsourcing Policy would clarify that it would extend to arrangements in which services are provided by third parties to ICE Clear Europe, regardless of whether such services are considered outsourcing, including to assessing the risks of such services. The definition of “outsourcing” would be clarified as the use of third-party service providers, either an external party or an affiliate, and either directly or through sub-outsourcing, to provide a service that would otherwise be performed by ICE Clear Europe itself and is therefore subject to the Board's oversight. The proposed rule change would more clearly distinguish outsourcing from a purchasing arrangement, which would not involve an arrangement otherwise performed by ICE Clear Europe and therefore typically would not be subject to Board oversight. Regarding outsourced activities, the Outsourcing Policy would explicitly state that ICE Clear Europe would remain responsible for discharging its obligations, the outsourcing arrangement would not result in the delegation of ICE Clear Europe's responsibility, and the outsourced activities would conform to the same standards that would be required if the activities were completed internally.

    Under the proposed rule change, the Outsourcing Policy would more clearly distinguish between affiliates and external third-party service providers by adding a definition of the term “third party,” which would include any organization (whether or not affiliated) that has entered into a business relationship or contract with ICE Clear Europe to provide products, services, processes, activities or business functions. The use of external third parties (i.e., those not affiliated with ICE Clear Europe in any way) would be managed consistently at the group level through the existing Vendor Management Policy (“VMP”). The proposed rule change would more clearly describe current practice under the Outsourcing Policy by stating that outsourcing through affiliates typically has a lower residual risk profile because, among listed reasons in the existing Policy, the affiliates would have a similar higher standard of operational resilience (rather than referring to business continuity resilience) and ICE Clear Europe would have greater influence (not just control) over the operation of the affiliate's services.

    The proposed rule change would add detail to existing statements in the Outsourcing Policy about the objective of and processes for entering into different types of contracting arrangements. Rather than covering solely outsourcing arrangements, the objective would extend to utilizing service providers more generally. The amended Outsourcing Policy would clarify the process of making assessments of service providers in various situations, such as regulated parties and parties in different jurisdictions; the management of outsourcing; and considerations about conflicts of interest and independent audit rights. The Outsourcing Policy would continue to reference ICE Clear Europe's Outsourcing Operating Manual, albeit renamed to cover risk management of additional third-party service providers, rather than just outsourcing arrangements. The Outsourcing Policy would state that contracting with third parties is covered consistently at a group level under the VMP, and would clarify, consistent with current practice, that ICE Clear Europe would use the VMP process as an input for the risk-based assessment of each service provider. ICE Clear Europe, where appropriate, would make external third parties aware of relevant internal policies so that they may gain a better understanding of ICE Clear Europe's regulatory obligations and expected service levels. When contracting with affiliates, ICE Clear Europe's relevant assessment would be made in accordance with its ordinary governance practices, and not necessarily by the senior management. As is current practice, ICE Clear Europe follows its Conflicts of Interest Policy when managing any potential conflicts of interests as a result of its service arrangements, but the proposed rule change would add an explicit reference to the Conflicts of Interest Policy. An additional assessment would be added with respect to cloud outsourcing, where ICE Clear Europe would consider, understand, and manage any risks related to Clearing Members connecting to its services via cloud service providers.

    The proposed rule change would add a new Risk Assessments subsection to the processes for entering into different types of contracting arrangements that would set out the proportional risk assessment that would be performed on a service provider, regardless of whether the proposed arrangement falls within the definition of outsourcing, in order to identify, measure, and mitigate risks. The Risk Assessments subsection would include but would not be limited to certain considerations, such as whether the service is a critical or important function or a dependence to the delivery of one of ICE Clear Europe's services, whether the activity is outsourcing, whether the service relies on cloud-based technology that may pose new or additional risks, whether the service provider is an external third party or an affiliate, the legal jurisdiction of the service provider, conflicts of interest, operational resilience considerations, data security, exit plans, contractual terms, and availability of alternative or back-up providers. For outsourced or critical non-outsourced services, the risk assessment would be performed at least annually, and on an ad-hoc basis following a material incident or service disruption event or material service agreement breach. Such risk assessments would be required to include a review of the service provider's performance against the agreed service levels. The responsibilities of executing risk assessments and related testing would be required to be overseen by ICE Clear Europe's Chief Operating Officer or the COO's delegate, with ownership of each service and the related resiliency arrangements resting with the relevant Head of Department.

    The proposed rule change would extend existing provisions about the identification of critical or important functions to acquired services generally, rather than applying only to outsourcing, as is currently written. The proposed rule change would clarify that in identifying critical or important functions, ICE Clear Europe would consider the continuity of its important business services or operation as a CCP that could threaten its financial stability or impact its resolvability. As proposed, a third party would be treated as critical if it is contracted to perform such a critical function, with the determination of criticality to be reassessed on at least an annual basis. The Outsourcing Policy would clarify that any outsourcing of critical or important functions could impact ICE Clear Europe's operational resilience measures more generally, rather than affecting the narrower category of business continuity measures. Exit plans for critical and important functions would be required to be tested periodically. As part of its operational resilience framework, ICE Clear Europe would examine purchased services, as well as outsourced or sub-outsourced services, that are a dependence for its important business services. Additional language would require that the operational resilience framework shall include extreme but plausible test scenarios relating to the disruption of critical third-party services.

    Under the proposed rule change, the Outsourcing Policy would amend the discussion of additional considerations of particular importance to ICE Clear Europe to ensure that considerations would be given to important business services and critical functions that are affected by third party service arrangements, including with respect to business continuity arrangements, incident management responsiveness and reporting, independent assurances, redundancies, and notice periods and exit strategies. A new subsection detailing Contractual Agreements would be added, specifying that for outsourcing arrangements in particular, ICE Clear Europe's Legal team would review any written service agreements to confirm the inclusion of all relevant contractual safeguards so that ICE Clear Europe could monitor relevant risks, regulatory requirements, and expectations. ICE Clear Europe would look to ensure that the agreements outline the rights, obligations, and responsibilities of all the parties, and include provisions associated with data security; access, audit and information rights; sub-outsourcing; service resilience; service levels; incident management; termination; and exit plans. Arrangements for purchased services would be similarly reviewed, but the Outsourcing Policy would acknowledge that some purchased services may be subject to non-negotiable terms set by the third party, which would be considered during the pre-execution risk assessment phase. The new Contractual Agreements subsection also would require that ICE Clear Europe periodically exercise its audit rights, as appropriate, regarding critical outsourcing arrangements, and that this may include on-site visits.

    The proposed rule change would revise provisions related to Board oversight to provide that the Board must approve new or materially amended outsourcing arrangements. Certain clarifications would be made to the requirements for the annual outsourcing assessment report to be prepared by the Chief Operating Officer, including the addition of a summary of critical non-outsourcing services received. The proposed rule change would add a new subsection on regulatory engagement, setting out that ICE Clear Europe shall engage with regulatory authorities before executing or materially amending a critical service arrangement, regardless of whether it falls within the definition of outsourcing, with due regard to relevant regulatory requirements or expectations.

    Lastly, the proposed rule change would revise provisions related to document governance, breach management, and exception handling, to ensure consistency with other ICE Clear Europe policies. As proposed, the document owner identified by ICE Clear Europe would be responsible for ensuring that the Outsourcing Policy remains up-to-date and reviewed in accordance with the internal governance processes. Document reviews would be conducted by the document owner and related staff, with sign off by the head of department and the Chief Risk Officer, or their respective delegates. Document reviews would encompass at the minimum regulatory compliance, documentation and purpose, implementation, use and open items from previous validations or reviews. Results of the review would be reported to the Executive Risk Committee or, in certain cases, to the Model Oversight Committee. The document owner would aim to remediate the findings, complete internal governance, and receive regulatory approvals before the next annual review is due. The document owner also would be responsible for reporting any material breaches or deviations to the Head of Department, Chief Risk Officer and Head of Regulation and Compliance in order to determine if further escalation is required. The Outsourcing Policy would state explicitly that changes to it would have to be approved in accordance with ICE Clear Europe's governance process and would take effect following completion of required internal and regulatory approvals. Exceptions to the Outsourcing Policy likewise would be approved according to the governance processes for approvals of changes to the Outsourcing Policy.

    III. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to such organization.[8] For the reasons discussed below, the Commission finds that the proposed rule change is consistent with Section 17A(b)(3)(F) of the Act,[9] and Rules 17Ad–22(e)(2)(v) and (e)(3)(i) thereunder.[10]

    A. Consistency With Section 17A(b)(3)(F) of the Act

    Section 17A(b)(3)(F) of the Act requires, among other things, that the rules of ICE Clear Europe be designed to promote the prompt and accurate clearance and settlement of securities transactions and, to the extent applicable, derivative agreements, contracts, and transactions.[11] As noted above, the proposed rule change would revise ICE Clear Europe's Outsourcing Policy to expand its application to a wider variety of affiliated and third party service arrangements, rather than solely covering outsourcing, as well as clarify and add to existing provisions that govern agreements for performing certain functions and activities. Some of these functions and activities relate to ICE Clear Europe's operations and business, while others may have to do with its clearance and settlement obligations. As proposed, the Outsourcing Policy would provide greater clarity as to the processes for entering into different types of contracting arrangements; and add detailed and, where applicable, annual risk assessments of potential service providers. Such detailed risk assessments would include considerations of whether the service is a critical or important function or a dependence to the delivery of one of ICE Clear Europe's services, among other things. The proposed rule change also would clarify provisions about the identification of critical or important functions, including that in identifying such functions, ICE Clear Europe would consider the continuity of its important business services or operation as a CCP that could threaten its financial stability or impact its resolvability. Additional language on Contractual Agreements would more clearly guide ICE Clear Europe in making sure that service agreements outline the rights, obligations, and responsibilities of all involved parties, and include provisions regarding service levels, service resilience, and incident management, among others. Taken together, these amendments would clarify how ICE Clear Europe can continue to meet its security-based swap obligations and help prevent service interruptions through carefully drafted and managed service agreements with third parties or affiliates, thus promoting the prompt and accurate clearance and settlement of securities transactions and, to the extent applicable, derivative agreements, contracts, and transactions.

    For these reasons, the Commission believes that the proposed rule change is consistent with Section 17A(b)(3)(F) of the Act.[12]

    B. Consistency With Rule 17Ad–22(e)(2)(v) Under the Act

    Rule 17Ad–22(e)(2)(v) requires, in relevant part, that ICE Clear Europe establish, implement, maintain, and enforce written policies and procedures reasonably designed, as applicable, to provide for governance arrangements that specify clear and direct lines of responsibility.[13]

    As amended, the Outsourcing Policy would clarify, in various provisions throughout the document, the responsibilities, ownership, and reporting obligations of certain personnel and departments in relation to risk management of service arrangements. For example, the proposed rule change would more clearly distinguish between outsourcing, which is subject to Board oversight, and purchasing arrangements, which are not. The Board would additionally and explicitly be responsible for the approval of new or materially amended outsourcing arrangements. When contracting with affiliates, ICE Clear Europe's relevant assessment would be made in accordance with its ordinary governance practices, and not necessarily by the senior management. The responsibilities of executing detailed risk assessments and related testing would be overseen by ICE Clear Europe's Chief Operating Officer or delegate, with ownership of each service and the related resiliency arrangements resting with the relevant Head of Department. The proposed Outsourcing Policy specifies that the Legal team would be responsible for drafting and/or reviewing written service agreements to ensure that relevant contractual safeguards are in place. New provisions would be added to ensure appropriate document governance and exception handling. Overall, the proposed rule change inserted and clarified the decision-making responsibilities and reporting chains of command with respect to a variety of aspects of the Outsourcing Policy, thus providing for governance arrangements that specify clear and direct lines of responsibility.

    For these reasons, the Commission believes that the proposed rule change is consistent with Rule 17Ad–22(e)(2)(v).[14]

    C. Consistency With Rule 17Ad–22(e)(3)(i) Under the Act

    Rule 17Ad–22(e)(3)(i) requires that ICE Clear Europe establish, implement, maintain, and enforce written policies and procedures reasonably designed to, as applicable, maintain a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne by ICE Clear Europe, which includes risk management policies, procedures, and systems designed to identify, measure, monitor, and manage the range of risks that arise in or are borne by ICE Clear Europe, that are subject to review on a specified periodic basis and approved by ICE Clear Europe's board of directors annually.[15]

    The Commission believes that the proposed revisions to the existing Outsourcing Policy not only would extend the scope of its application beyond traditional outsourcing arrangements to more comprehensively capture other types of service agreements with similar risks, but also would detail the factors against which risk assessments and contractual agreements are to be made and monitored, with existing relevant provisions for the Board's annual review of the Outsourcing Policy. As noted above, the new Risk Assessments subsection would require ICE Clear Europe to consider, among other things, whether the service is a critical or important function or a dependence to the delivery of one of ICE Clear Europe's services, whether the service relies on cloud-based technology that may pose new or additional risks, conflicts of interest, and data security. Likewise, the newly added Contractual Agreements subsection requires such contracts address data security; access, audit and information rights; and incident management, among other things. Overall, these considerations touch upon the various risks that may emerge when contracting with affiliates or third parties for services and by addressing them in detail in the proposed revisions to the Outsourcing Policy, the Commission believes that ICE Clear Europe is strengthening its ability to identify, monitor, and measure the risks related to such arrangements.

    For these reasons, the Commission believes that the proposed rule change is consistent with Rule 17Ad–22(e)(3)(i).[16]

    IV. Conclusion

    On the basis of the foregoing, the Commission finds that the proposed rule change is consistent with the requirements of the Act, and in particular, with the requirements of Section 17A(b)(3)(F) of the Act,[17] and Rules 17Ad–22(e)(2)(v) and 17Ad–22(e)(3)(i).[18]

    It is therefore ordered pursuant to Section 19(b)(2) of the Act [19] that the proposed rule change (SR–ICEEU–2023–018), be, and hereby is, approved.[20]

    For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[21]

    Sherry R. Haywood,

    Assistant Secretary.

    Footnotes

    3.  Amendment No. 1 amended and restated in its entirety the Form 19b–4 and Exhibit 1A to correct the narrative description of the proposed rule change. Amendment No. 1 did not change the purpose or basis of the proposed rule change.

    4.  Partial Amendment No. 2 amended and restated in its entirety Exhibit 5 to correct an inadvertent omission of a single word. Partial Amendment No. 2 did not change the purpose or basis of the proposed rule change.

    5.  Self-Regulatory Organizations; ICE Clear Europe Limited; Notice of Filing of Proposed Rule Change, as Modified by Amendment No. 1 and Partial Amendment No. 2, Relating to Amendments to the Outsourcing Policy, Exchange Act Release No. 97974 (July 25, 2023); 88 FR 49545 (July 31, 2023) (File No. SR–ICEEU–2023–018) (“Notice”).

    6.  Capitalized terms used but not defined herein have the meanings specified in the ICE Clear Europe Clearing Rules and the Outsourcing Policy.

    7.  Self-Regulatory Organizations; ICE Clear Europe Limited; Order Approving Proposed Rule Change Relating to the ICE Clear Europe Outsourcing Policy, Exchange Act Release No. 95685 (Sept. 7, 2022); 87 FR 56129 (Sept. 13, 2022) (File No. SR–ICEEU–2022–014).

    14.  17 CFR 240.17Ad–22(e)(2)(v).

    15.  17 CFR 240.17Ad–22(e)(3)(i).

    20.  In approving the proposed rule change, the Commission considered the proposal's impact on efficiency, competition, and capital formation. 15 U.S.C. 78c(f).

    [FR Doc. 2023–20306 Filed 9–19–23; 8:45 am]

    BILLING CODE 8011–01–P

Document Information

Published:
09/20/2023
Department:
Securities and Exchange Commission
Entry Type:
Notice
Document Number:
2023-20306
Pages:
64953-64957 (5 pages)
Docket Numbers:
Release No. 34-98387, File No. SR-ICEEU-2023-018
PDF File:
2023-20306.pdf