I. Introduction

On September 6, 2022, the Options Clearing Corporation (“OCC”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule change SR-OCC-2022-010 pursuant to Section 19(b) of the Securities Exchange Act of 1934 (“Exchange Act”) ^[1] and Rule 19b-4 ^[2] thereunder. The proposed rule change would replace OCC's current Risk Management Framework Policy (“RMFP”) with two new documents: a revised Risk Management Framework (“RMF”) as well as a Corporate Risk Management Policy (“CRMP”). The proposed rule change was published for public comment in the Federal Register on September 26, 2022.^[3] On November 8, 2022, pursuant to Section 19(b)(2) of the Exchange Act,^[4] the Commission designated a longer period within which to approve the proposed rule change, disapprove the proposed rule change, or institute proceedings to determine whether to disapprove the proposed rule change.^[5] The Commission has received no comments regarding the proposed rule change. For the reasons discussed below, the Commission is approving the proposed rule change.

II. Background ^[6]

OCC maintains several documents designed to define its framework for managing its various risks, including financial, legal, and operational risks. The RMFP describes OCC's risk management framework as summarizing its overall approach taken to identify, measure, monitor, and manage all risks faced by OCC in the provision of clearing, settlement, and risk management services. In addition to the RMFP, OCC's risk management documents include the Clearing Fund Methodology Policy, Collateral Risk Management Policy, Default Management Policy, Margin Policy, Model Risk Management Policy, Recovery and Orderly Wind-Down Plan, and Third-Party Risk Management Framework (collectively, the “OCC Risk Policies”). These OCC Risk Policies are separate supporting documents containing details on how OCC's risk management framework is used and applied within OCC.

OCC's RMFP describes, at a high level, OCC's framework for managing risk. After its routine review of its existing RMFP, OCC proposes to replace its RMFP with two new, more detailed documents, the RMF and CRMP, which it believes will enhance the clarity and transparency of its overall risk management framework.^[7]

Specifically, OCC proposes introducing the RMF to provide a broader overview of OCC's risk universe, including categorizations of risk management, descriptions of practices across OCC's three lines of defense model, a discussion of how OCC is prepared with tools to manage recovery and orderly wind-down, and a narrative about the requirements related to escalations of exceptions and deviations.

Simultaneously, OCC proposes to introduce the CRMP as a separate policy because it is intended to support the RMF by providing more extensive details on OCC's corporate risk management and its practices. These details include enhanced descriptions of OCC's activities to identify, measure, monitor, manage, report, and escalate risks to inform decision-making. Furthermore, OCC proposes to move details of OCC's corporate risk management program to the CRMP in order to make OCC's approach to corporate risk consistent with other areas of risk managed by OCC. Start Printed Page 80208

A. The Risk Management Framework

Overall, OCC is proposing to expand the level of detail provided in its rules describing OCC's framework for managing risk and is proposing several changes to the substance of the rules in its RMFP to the extent they would be moved to the proposed RMF, in an entirely new document. Among other things, the RMF generally encompasses the RMFP with the following changes that: (i) replace or update information; (ii) remove extraneous information; (iii) relocate information; or (iv) add rule text not currently found in the RMFP:

(i) RMF Changes that Replace or Update Information:

1. Replace the purpose section of the RMFP with a new purpose section of the RMF and an introduction section of the CRMP that, collectively, would (i) reflect the reorganization of content across the two new documents and (ii) explain the purpose of and intention for each, as well as their place in OCC's overall framework for risk management.

2. Modify the descriptions of OCC's risk appetite framework, including the risk universe, risk appetite, and risk tolerances, to be less detailed in the RMF than in the RMFP, while relocating the risk appetite framework detail and expanding it in the CRMP for a more extensive description overall. These changes include replacing the Identification of Key Risks section in the RMFP with a new OCC Risk Management section in the RMF, and expanded in the CRMP. Both of these changes are discussed in detail below.^[8]

3. In the new RMF, revise the descriptions of the responsibilities of the Management Committee and working groups. The RMF would state that the Management Committee supports the management and conduct of its business in accordance with policy directives from the Board. The RMF would also state that the Management Committee includes officers responsible for ensuring that the Management Committee's actions and decisions are consistent with OCC's mission, Code of Conduct, Rules and By-Laws, policies, procedures, and general principles of sound corporate governance. The RMF would further state that the Management Committee would have explicitly-stated authority to form and delegate authority to subcommittees and working groups to conduct certain of the Management Committee's activities, and these subcommittees and working groups would be responsible for reporting and escalating information. These proposed descriptions vary from the corresponding RMFP descriptions that primarily relate to the Management Committee's role and responsibilities in reviewing and recommending changes to OCC's risk universe and escalating breaches to the Board.^[9]

4. Replace the Credit Risk Management Framework section in the RMFP with proposed Membership Standards, Credit, Clearing Fund, Margin, Collateral, and Default Management sections in the RMF. These new sections of the RMF would refer to the same OCC Risk Policies that address these risks and are currently filed with the Commission as rules of OCC ( e.g., the Margin Policy,^[10] Clearing Fund Methodology Policy,^[11] Collateral Risk Management Policy,^[12] Default Management Policy,^[13] and Third-Party Risk Management Framework ^[14] ). There would be no change to the substance of these sections.

5. Revise the process for handling policy violations and exceptions. Currently, policy violations and exceptions are reviewed by OCC's Chief Executive Officer and Chief Compliance Officer, respectively. The proposed changes would instead escalate exceptions and risk acceptances to OCC's Corporate Risk group ^[15] and to escalate policy deviations to its Compliance department.^[16]

( ii) RMF Changes that Remove Extraneous Information:

In connection with replacing the RMFP with the RMF and CRMP, OCC believes certain information would be rendered extraneous.^[17] Accordingly, OCC is proposing to remove such extraneous information currently found in the RMFP but will not replace it with equivalent sections in either the RMF or CRMP, including the following:

1. Delete the Context for Risk Management Framework and Risk Management Philosophy sections of the RMFP, as these provide history and background information about OCC that is covered elsewhere in the content that OCC proposes to migrate from the RMFP to the RMF and CRMP.

2. Move the standalone RMFP section dedicated to the Compliance Risk Assessment program under the broader Compliance section of the RMF.^[18]

3. Replace the Control Activities section of the RMFP with more general descriptions of Compliance's responsibilities under the RMF to clarify the department's responsibilities for management of compliance risk more succinctly.

4. Delete the RMFP sections related to project management, corporate planning and budgeting, and Human Resources and Compliance Training and Policies that address administrative policies and practices.

5. Remove the RMFP's Appendix: OCC's Key Risks with CCA, PFMI, and Reg SCI Mapping to remove detailed risk mapping from OCC high-level policy documents.^[19]

(iii) RMF Changes that Relocate Information

The following changes involve relocating information contained in the RMFP by either moving it to new sections in the RMF or CRMP, or incorporating it into RMFP sections that are being moved over largely as-is:

1. Relocate the Risk Management Governance section of the RMFP, with certain modifications, to a new Governance section of the RMF. The modifications would include streamlining the description of the responsibilities of the Board, which generally are already addressed in the Board of Directors Charter and Corporate Governance principles. The RMF Governance section would state that the Board is responsible for advising and overseeing management and that OCC's Chief Risk Officer Start Printed Page 80209 (“CRO”) would present a review of the RMF to the Board for approval at least annually. Further, OCC would streamline discussion of the Management Committee and working groups to be consistent with changes in responsibility discussed above.^[20]

2. Relocate the Risk Management Practice, Enterprise Risk Assessment program, and Risk Reporting sections from the RMFP to the CRMP, with the changes described below.^[21]

3. Relocate the discussion of OCC's Scenario Analysis Program from the RMFP to the CRMP, with revisions designed to more accurately and completely describe the scenario analysis process.^[22]

(iv) Additional Rule Text in the RMF not Currently Found in the RMFP:

1. Add new rule text describing the responsibilities of OCC employees to contain risk escalation reporting, consultations with Legal on legal and regulatory matters, and training on a culture of risk and control awareness. This new rule text would be located in the Governance section of the RMF.

2. Include a discussion of OCC's “three lines of defense” model in the OCC Risk Management section of the RMF that would be similar to the discussion currently provided in the RMFP. OCC's three lines of defense model would remain unchanged, while the additional information proposed for the RMF would clarify who has ownership and accountability for risk management.

3. Add text in a Security section stating that OCC's Security department manages information, physical, and personnel security risk to safeguard the confidentiality, integrity, and availability of corporate information systems and data assets implemented and maintained by Information Technology.

4. Add a summary of OCC's Recovery and Orderly Wind-Down Plan to the RMF, in order to describe this aspect of OCC's risk management framework. The RMF would state that OCC employs a set of recovery tools in the event of severe financial, operational, or general business stress, to continue to provide critical clearing and settlement services. It would further state that OCC has a wind-down plan that provides for OCC's orderly resolution if it is determined that recovery efforts would be unsuccessful or insufficient.^[23]

B. The Corporate Risk Management Policy

Among other things, the CRMP would contain some of the information in OCC's RMFP and expand upon certain topics by (i) adding rule text not currently found in the RMFP and (ii) introducing certain governance adjustments. Such changes would include the following:

(i) Additional Rule Text in the CRMP not Currently Found in the RMFP:

1. Support the RMF by explaining OCC's risk management activities and provide an overview of the activities overseen by OCC's Corporate Risk group to identify, measure, monitor, manage, report, and escalate risks.

2. As noted above,^[24] the CRMP would expand the discussion of OCC's risk appetite framework in the OCC Risk Management Practice section of the RMF.

a. Other than the Compliance Risk Assessment,^[25] the information currently provided in the Risk Management Practice section of the RMFP would be moved as-is to the Risk Management Practice section of the CRMP and revised to more accurately and completely describe the risk assessment, monitoring, and reporting processes conducted by Corporate Risk. Specifically, the CRMP would include revised discussions of Enterprise Risk Assessments, the Scenario Analysis Program, and Risk Reporting to provide more detail about how these processes function, such as Corporate Risk's obligations, the quarterly results reporting duties of the CRO and the use of residual risk, risk tolerances, and risk warnings and associated reporting.

b. Modify the description of OCC's risk appetite framework as well as revise terminology in the risk universe, including changes to the Key Risks, Sub-Categories, and Definitions in the RMFP. In adopting the CRMP, OCC would remove the more general risk appetite statement definitions ( i.e., no appetite, low appetite, moderate appetite, and high appetite), which are currently described in the RMFP, enabling OCC to use more detailed qualitative risk appetite statements for each risk sub-category. As a result, the CRMP describes OCC's risk universe terminology as being classified into: (i) risk categories, which are the highest-level groups of risk aggregation; (ii) risk sub-categories, which further classify risks within risk categories into detailed groups; and (iii) risk statements, which are descriptions of the drivers, events and consequences of risks. OCC believes that the proposed terms are better at describing the elements that comprise OCC's risk universe and the relationship between them.^[26]

3. Describe Corporate Risk's process for escalating risks to the CRO, Management Committee, and Board, and for training employees about risk to support risk management and decision-making.

4. Introduce the concept of risk rating scales, which reflect how large the effect of an event's occurrence would be and the likelihood of it occurring when considering a range of repercussions on OCC's business. The CRMP would state that the likelihood risk rating scale considers a 10-year financial cycle and yearly corporate planning activities, and they are used to measure both inherent and residual risk. Corporate Risk and Risk Owners would be required to review changes to the risk scales, and the CRO would approve them. The Management Committee and Board would be notified of changes to the risk rating scales.

(ii) CRMP Governance Adjustments:

1. Transfer responsibility for maintaining inventory of all business processes, risks, and associated controls from Compliance to Corporate Risk. Revise descriptions related to risk assessment, monitoring, and reporting conducted by Corporate Risk to indicate Corporate Risk and Risk Owners would be required at least every twelve months to review the risk universe, risk tolerances, and risk appetites within established tolerances and make adjustments at a risk sub-category level. This revision is a change from the RMFP because it requires Corporate Risk and Risk Owners to do the review instead of the Management Committee, and it requires these reviews at least every twelve months instead of at least annually.

2. Introduce the concept of a risk universe, and state that the CRO has (i) authority to approve OCC's risk universe and (ii) an obligation to provide the risk universe to the Management Committee and the Board. Start Printed Page 80210

3. Add new sections to provide additional details regarding OCC's processes for (i) monitoring qualitative or quantitative risk metrics as well as operational risk events, (ii) managing risks against OCC's tolerances and appetites, (iii) escalation, and (iv) training.

4. Provide additional details around the internal governance process for reviewing and approving risk categories, appetites, and tolerances for monitoring risk tolerances. Corporate Risk would approve Risk statements, while it would notify the Management Committee and Board of updates.

a. Risk appetites would be established at the risk subcategory level and the CRO and Management Committee would present them along with any changes to the Board, or to the Risk Committee if the Board has delegated such authority, for approval.

b. The CRO would be responsible for escalating risk appetite breaches to the Management Committee, Risk Committee, and Board.

c. Risk Owners would be responsible for developing risk treatment plans to reduce risks that exceed OCC's risk appetites.

C. Conforming Changes to OCC Risk Policies

In addition to adopting the RMF and the CRMP, OCC proposes to make conforming changes to its OCC Risk Policies by replacing or removing references throughout that would become inaccurate ( e.g., references to the RMFP) and removing the policy-specific references to exceptions and violations that would be uniformly covered by the new Risk Acceptance and Deviations section of the RMF.^[27] OCC also proposes to make administrative updates to cross-references to other internal OCC policies and procedures that would not affect the substance of OCC's rules.

III. Discussion and Commission Findings

Section 19(b)(2)(C) of the Exchange Act directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Exchange Act and the rules and regulations thereunder applicable to such organization.^[28] After carefully considering the proposed rule change, the Commission finds that the proposal is consistent with the requirements of the Exchange Act and the rules and regulations thereunder applicable to OCC. More specifically, the Commission finds that the proposal is consistent with Section 17A(b)(3)(F) of the Exchange Act,^[29] Rules 17Ad-22(e)(2)(v) ^[30] , and Rule 17Ad-22(e)(3)(i) ^[31] as described in detail below.

A. Consistency With Section 17A(b)(3)(F) of the Exchange Act

Section 17A(b)(3)(F) of the Exchange Act requires, among other things, that a clearing agency's rules are designed to promote the prompt and accurate clearance and settlement of securities transactions.^[32]

The Commission believes that the proposed changes strengthen and expand on the foundation of OCC's risk management policies, procedures, and systems that make up OCC's broader risk management framework. Among other things, the changes clarify lines of reporting and escalation, designate responsibility, and provide more transparency around updates while making the update process simpler. More specifically, the proposed changes both (i) streamline key risk concepts, such as policy exceptions to OCC's process for escalating exceptions and deviations to develop and mature without requiring individual section updates, and (ii) introduce concepts such as the risk rating scales. As a result, the Commission believes that the proposed replacement of the RMFP with the RMF and CRMP would strengthen OCC's risk management processes, which, in turn, would allow OCC to manage such risks in a comprehensive manner. The additional conforming changes to the OCC Risk Policies would also serve to enhance consistency across the documents comprising OCC's framework for managing risks. The comprehensive management of risk would reduce the likelihood of a failure or disruption of OCC in its role as central counterparty for the listed options.

The Commission believes, therefore, that the proposal is consistent with the requirements of Section 17A(b)(3)(F) of the Exchange Act.

B. Consistency With Rule 17Ad-22(e)(2)(v) of the Exchange Act

Rules 17Ad-22(e)(2)(v) requires that a covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to provide for governance arrangements that specify clear and direct lines of responsibility.^[33]

As described above in section II.B.(ii), the proposal contained in the Notice of Filing would replace the current RMFP with amended rules describing OCC's risk management and governance arrangements in the RMF, including the roles and responsibilities of the Board, Management Committee, and OCC's internal working groups. The CRMP would provide additional descriptions and requirements complementing the rules in the RMF by introducing concepts and governance details, including the CRO owning and approving the risk universe and then providing it to the Management Committee. Furthermore, the proposal would transfer responsibility for all business processes, risks, and associated controls from Compliance to Corporate Risk, which would also be responsible for monitoring, escalating, and training processes. Additionally, the proposed changes in the RMF and CRMP together would specify clearer lines of reporting, responsibility, and escalation, provide definitive update schedules, and create more streamlined set of documents requiring updates than are present in the RMF. The Commission believes these proposed changes would improve OCC's risk framework by presenting a clearer description of OCC's governance arrangements as they relate to the management of risk within OCC.

The Commission believes, therefore, that the proposal is consistent with the requirements of Rule 17Ad-22(e)(2)(v) of the Exchange Act.^[34]

C. Consistency With Rule 17Ad-22(e)(3)(i) Under the Exchange Act

Rule 17Ad-22(e)(3) under the Exchange Act requires that a covered clearing agency establish, implement, maintain, and enforce written policies and procedures reasonably designed to maintain a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne by the covered clearing agency.^[35] Rule 17Ad-22(e)(3)(i) requires that such policies and procedures include risk management policies, procedures, and systems designed to identify, measure, monitor, and manage the range of risks that arise in or are borne by the covered clearing agency that are subject to review on a Start Printed Page 80211 specified periodic basis and approved by the board of directors annually.^[36]

The Commission previously found the OCC's RMFP, and subsequent revisions thereto, to be consistent with Rule 17Ad-22(e)(3)(i).^[37] As described above, the proposal contained in the Notice of Filing would replace OCC's RMFP with the RMF and CRMP. In replacing the RMFP, OCC proposes to (i) replace or update rules currently in the RMFP,^[38] (ii) remove information currently in the RMFP from OCC's rules,^[39] (iii) relocate rules from the RMFP to the RMF and CRMP,^[40] and (iv) add new rule text expanding on what exists in the RMFP.^[41] The Commission believes that, overall, the propose changes would maintain, clarify, and expand on OCC's framework for managing risk. Additionally, OCC proposes to make conforming changes to other policies that reference the RMFP.

As described above, OCC proposes replacing and updating rules currently in the RMFP. For example, OCC proposes replacing a description of the purpose of the RMFP with a description of the purpose of the RMF and an introduction to the CRMP. Further, OCC proposes relocating rules currently found in the RMFP without changing the substance of those rules. For example, OCC proposes to move the substance of the Risk Management Governance section of the RMFP under the broader Governance section the RMF. The Commission believes that such changes serve to accurately reflect the proposed organization of OCC's policies and procedures that comprise its framework for managing risk.

Additionally, OCC proposes removing information such as the history and background found in the Risk Management Philosophy section of the RFMP. The Commission believes that the removal of background and historical information would not change OCC's processes or systems for identifying, measuring, monitoring, or managing risk.

Finally, OCC proposes changes to expand the rules currently captured in the RMFP. For example, the RMF would describe OCC's reorganized framework for managing risk and provide an overview of OCC's risk appetite framework, including OCC's risk universe, risk appetite, and risk tolerances that would be described in the CRMP in greater detail. It would include an expanded discussion of OCC's three lines of defense model while relocating detailed discussions of the Risk Management Practice, Enterprise Risk Assessment program, and Risk Reporting to the CRMP. The RMF would state that the Board is responsible for advising and overseeing management, and that OCC's CRO would present a review of the RMF to the Board for approval at least annually. The discussion of Control activities would be revised to give general descriptions of Compliance while also updating OCC's processes for handling policy exceptions. The RMF would also include a new section discussing the Recovery and Orderly Wind-Down plan. Additionally, the CRMP would contain new rule text regarding OCC's risk monitoring processes. Furthermore, the key risk universe definitions provided in the CRMP would use detailed qualitative risk appetite statements for each risk sub-category to better describe the elements that comprise OCC's risk universe and the relationship between them while providing additional details for internal governance and monitoring. Finally, the CRMP would introduce risk rating scales, which reflect how large the effect of an event's occurrence would be and the likelihood of it occurring when considering a range of repercussions on OCC's business. The Commission believes that the proposed changes provide a more comprehensive and transparent discussion of OCC's overall framework for managing its range of risks, including legal, credit, liquidity, operational, general business, investment, custody, among others, as referenced in detail in its first line of defense and supported through the challenge and assurance functions in OCC's second and third lines of defense. The Commission also believes that certain proposed changes clarify and strengthen the risk management framework. For example, Corporate Risk and Risk Owners would be required to review the risk universe, risk tolerances, and risk appetites within established tolerances at least every twelve months instead of at least annually, which could otherwise result in gaps of time between reviews ranging as long as twenty-two months.

The Commission believes, therefore, that the proposal is consistent with the requirements of Rule 17Ad-22(e)(3)(i) of the Exchange Act.^[42]

VI. CONCLUSION

On the basis of the foregoing, the Commission finds that the proposed rule change, is consistent with the requirements of the Exchange Act, and in particular, the requirements of Section 17A of the Exchange Act ^[43] and the rules and regulations thereunder.

It Is Therefore Ordered, pursuant to Section 19(b)(2) of the Exchange Act,^[44] that the proposed rule change (SR-OCC-2022-010) be, and hereby is, approved

Footnotes