87 FR 72 pgs. 22273-22276 - Self-Regulatory Organizations; ICE Clear Europe Limited; Notice of Filing of Proposed Rule Change Relating to Amendments to the ICE Clear Europe Operational Risk Management Policy and Risk Identification Framework
Type: NOTICEVolume: 87Number: 72Pages: 22273 - 22276
Pages: 22273, 22274, 22275, 22276Docket number: [Release No. 34-94649; File No. SR-ICEEU-2022-008]
FR document: [FR Doc. 2022-07950 Filed 4-13-22; 8:45 am]
Agency: Securities and Exchange Commission
Official PDF Version: PDF Version
[top]
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-94649; File No. SR-ICEEU-2022-008]
Self-Regulatory Organizations; ICE Clear Europe Limited; Notice of Filing of Proposed Rule Change Relating to Amendments to the ICE Clear Europe Operational Risk Management Policy and Risk Identification Framework
April 8, 2022.
Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 ("Act"), 1 and Rule 19b-4 thereunder, 2 notice is hereby given that on March 31, 2022, ICE Clear Europe Limited ("ICE Clear Europe" or the "Clearing House") filed with the Securities and Exchange Commission ("Commission") the proposed rule changes described in Items I, II and III below, which Items have been prepared primarily by ICE Clear Europe. The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.
Footnotes:
1 ?15 U.S.C. 78s(b)(1).
2 ?17 CFR 240.19b-4.
I. Clearing Agency's Statement of the Terms of Substance of the Proposed Rule Change
The principal purpose of the proposed amendments is for ICE Clear Europe to (i) modify its Operational Risk Management Policy (the "Operational Risk Management Policy") to update the Clearing House's operational risk management practices, and (ii) adding to the Clearing House's rule framework the Risk Identification Framework ("Risk Identification Framework") which is a document that provides ICE Clear Europe with a structure to explore, identify and monitor risks. The updates would also make certain other amendments to remove outdated provisions and to make certain other non-substantive amendments.
II. Clearing Agency's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change
In its filing with the Commission, ICE Clear Europe included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. ICE Clear Europe has prepared summaries, set forth in sections (A), (B), and (C) below, of the most significant aspects of such statements.
(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change
(a) Purpose
ICE Clear Europe is proposing to amend its Operational Risk Management Policy to make certain clarifications and enhancements to (i) ICE Clear Europe's approach to remediating identified control vulnerabilities and monitoring, (ii) transition to dynamic risk assessment where each risk would be assessed at least annually via a rolling review process, and (iii) the operational risk review process by linking it with the Enterprise Risk Register (described further below), as well as descriptive updates to the Enterprise Risk Register. The appendices to the Operational Risk Management Policy would also be updated to provide certain additional descriptive detail relating to current practices, including titles and impact guidelines and guidance charts in Appendix C. Various other typographical, clarificatory and stylistic improvements would also be made.
ICE Clear Europe is also proposing to add to the Clearing House's set of rules the Risk Identification Framework which would provide the Board with a structure to assist it in exploring, identifying and monitoring risks, as described below.
I. Operational Risk Management Policy
The overall description of operational risk management contained in Section 3 would be clarified to include management as well as identification, management [sic], monitoring and reporting of risk. The same section would also provide that risks would be documented within the Enterprise Risk Register.
[top] Section 3.1 (previously titled "Risk Identification") would be deleted in its entirety and replaced with a new section titled "Enterprise Risk Register". The section would describe the Enterprise Risk Register (attached to the policy as Appendix A, and also referred to as the Risk Register Dashboard) which would serve as an inventory of the material risks faced by the Clearing House, incorporating the Risk Taxonomy (as discussed below). The section would also describe the purpose of the Enterprise Risk Register, which would be to strengthen the businesses' understanding of their risks and allow them to demonstrate to the relevant risk committees and the Board that the risks are managed. The section would also describe the responsibilities with respect to the Enterprise Register, including that the Risk Owners would be responsible for updating and
Section 3.2 (Risk Assessment) would be updated to describe the following five components for facilitating the effective management of enterprise risk: (1) Risk Identification, (2) Level 3 Risk Assessment, 3 (3) Risk Management, (4) Risk Monitoring and (5) Risk Reporting, as described further below. Stylistic and formatting updates would be made to this section to clarify that the five aforementioned components fall under the umbrella of risk assessment.
Footnotes:
3 ?The risk level (Level 1, 2 or 3) represents a hierarchy of risks with Level 3 being the level at which risks are assessed by the relevant Risk Owners. Level 1 and 2 risks are aggregated from Level 3 risk ratings and are listed in the Enterprise Risk Register.
Firstly, a new subsection 3.2.1 (Risk Identification) would be added and would describe risk identification as the process by which each department identifies risks which should be documented within the Risk Taxonomy and the Enterprise Risk Register. The Risk Taxonomy is the list of risks that the Clearing House is exposed to which is reviewed annually for completeness; those risks (and the related control assessment of those risks) are reflected in the Enterprise Risk Register. The amendments would also add that the risk identification could be performed more frequently than annually as part of a dynamic update.
The substance of previous Section 3.3 (Risk Response) would be replaced by new subsections 3.2.2, 3.2.3 and 3.2.3, as described herein. However, the ownership and nature of the Clearing House's risk responses would be substantively unchanged. New subsection 3.2.2. (Control Assessment) would provide descriptions of the Clearing House's risk assessment policies and processes, including the roles of Risk Owners. Risk Owners would be required to assess the expected level of mitigation that each control is expected to provide (High/Medium/Low-more information would be provided in Appendix D), as well as the effectiveness of each control (Satisfactory/Needs Improvement/Unsatisfactory). Key controls would be considered for control monitoring to further review effectiveness of controls. The amendments provide that the control assessment process should be performed at least once a year or more frequently as part of a dynamic control assessment. Dynamic control assessments would be performed to reflect material risk changes. Enterprise Risk Management ("ERM") would be responsible for providing review and challenge of the Risk Owners control assessment. The 'Worst-of Principle' would be applied to Level 1 and 2 ratings, where the parent overall control rating would adopt the 'worst-of' overall control rating of the level below.
The subsection describing the Clearing House's risk assessment processes (now Section 3.2.3) would be updated to provide the role of inherent and residual risk assessments (attached as Appendix C to the policy). In the absence of mitigating controls risks identified are assessed by Risk Owners on an Inherent Risk basis and a Residual Risk basis (taking into consideration mitigating controls) at Level 3. To determine the Residual Risk, Risk Owners would take account of key risk data points.
The risk assessment process would be performed at least once a year through a rolling review process or more frequently as part of a dynamic risk assessments which are performed to reflect material risk changes. ERM would be responsible for providing review and challenge of the Risk Owners risk assessment. The 'Worst-of Principle' would be applied to Level 1 and 2 ratings, where the Parent Overall Control Rating would adopt the 'worst-of' rating of the level below across both inherent and residual risk.
New subsection 3.2.4 (Risk Management) would describe the Clearing House's risk management policies. Residual risks above agreed thresholds would require remediation actions to address the control vulnerability and reduce the level of residual risk to an acceptable level. Such thresholds refer to the Board-approved risk appetite metrics which are currently set as Medium (see Appendix B for Risk Assessment Ratings Grid). Any Risks assessed by the Risk Owners as High or Very High would require remediation actions, which will depend on the particular circumstances and risks involved. Proposed remediations would be escalated to senior management and applicable risk committees or Board. In certain circumstances, risk acceptance may be deemed appropriate dependent upon the Clearing House's risk appetite and Board approval. Recommendations would be assigned a priority rating and remediation timeline as a function of the expected level of risk mitigation and the control effective rating (attached as Appendix E). Remediation recommendations would be entered in the Issue Problems and Threat workflow unless already formally tracked.
The section describing risk monitoring (now subsection 3.2.5) would be updated to provide that in order to ensure that controls identified during the assessment are operating effectively and performing in line with the assessed control ratings; the Clearing House would perform periodic control monitoring on controls considered as "Key" which would be "High" mitigating controls mapped against "Very High" or "High" Inherent Risks. ERM would coordinate with the First, Second and Third Lines to develop control monitoring plans for key controls (described further in Appendix D).
Additionally, a new paragraph would be added providing that to ensure that key controls identified during the assessment are operating effectively, the Clearing House would perform control monitoring, and include a description of such processes. Control monitoring would be performed by either the First Line (Clearing Risk Team), the Second Line (Risk Oversight Department), the Clearing House's internal audit team or independent third parties. The results would be reviewed by the Chief Risk Officer and presented to the senior management team and other governance committees as appropriate.
The amendments would provide that Risk Owners would monitor operational risks on an on-going rather than a daily basis. They would also clarify that the Risk Oversight Department ("ROD") would monitor risks daily or monthly (rather than only daily) and would monitor operational incidents raised by the Risk Owners.
The section describing risk reporting (now subsection 3.2.6) would be revised to include a new paragraph that describes the approval process for the Enterprise Risk Register as being approved monthly at each ERC and reported to each BRC and Board meeting. Stylistic changes would also be made to this section to replace certain terms with their acronym in order to aid with readability. Additionally, information regarding the roles of the Board, ERC and other groups that has been moved to other sections the document would be deleted from this section in order to avoid superfluousness.
[top] Section 4.3 (Oversight of the Policy) would be updated to provide that the
Descriptive titles would be added to the appendices in order to aid with readability. Additionally, a table would be added to Appendix C that would describe the meaning of certain impact guidelines (severe/major/moderate/minor/incidental), the numerical score assigned to such guidelines, and the guidance applied with respect to the risk posed to such impact. A description would be added to Appendix G-Risk Mitigation to provide that the methodology to determine ICE Clear Europe's residual risk involves assessing the impact of ICE Clear Europe's control landscape on its inherent risks as shows by the matrix set out in the appendix.
II. Risk Identification Framework
The amendments would include the formal adoption of the Risk Identification Framework that are intended to formalize certain practices relating to the identification of risks. Section 1 (Introduction) of the Risk Identification Framework would provide an overarching description of the document and its purpose. The purpose of the Risk Identification Framework is to provide the Board with a structure to explore, identify and monitor risks as well as ensure that risk tolerance is articulated and documented, with responsibilities and accountabilities clearly assigned, as described further below. This framework would also support the Board in risk avoidance, mitigation or acceptance.
Section 2 (Components of the Risk Identification Framework) would describe the four components of the Risk Identification Framework: Risk Taxonomy, which provides a single universal risk structure, terminology and hierarchy; Enterprise Risk Register, which serves as an inventory of the material risks faced by the Clearing House; Risk Assessment, which requires risk owners to rate inherent risk, overall control rating and residual risk for each level 3 risk; and Emerging Risk Assessment, which facilitates ongoing identification, discussion and mitigation of emerging risks as Board and executive level. The subsections that follow would provide further descriptions of each component and the responsibilities and frequency relating to review of each.
Section 3 (Review and Governance) would describe the documentation ownership and governance processes in respect of the Risk Identification Framework. The document would be owned by the Chief Risk Officer, any material changes to the document would require Executive Risk Committee and Board Approval. The Executive Risk Committee and Board would review the Risk Identification Framework annually.
The appendices referenced throughout the document would follow and would include appendices providing for a risk register dashboard, rating guidance impact and likelihood and emerging business risks.
(b) Statutory Basis
ICE Clear Europe believes that the proposed amendments to the Operational Risk Management Policy and the adoption of the Risk Identification Framework are consistent with the requirements of Section 17A of the Act? 4 and the regulations thereunder applicable to it. In particular, Section 17A(b)(3)(F) of the Act? 5 requires, among other things, that the rules of a clearing agency be designed to promote the prompt and accurate clearance and settlement of securities transactions and, to the extent applicable, derivative agreements, contracts, and transactions, the safeguarding of securities and funds in the custody or control of the clearing agency or for which it is responsible, and the protection of investors and the public interest.
Footnotes:
4 ?15 U.S.C. 78q-1.
5 ?15 U.S.C. 78q-1(b)(3)(F).
The proposed changes to the Operational Risk Management Policy and the adoption of the Risk Identification Framework are designed to strengthen ICE Clear Europe's tools to manage the risk of losses resulting from operational errors or failures. The amendments and adoption would update and clarify the processes, controls and escalations with respect to the testing and reviewing of the Clearing House's operations as well as outline the responsibilities of the Clearing House's committees, management and the Board in relation to each document. Through better managing risks in operational failure scenarios providing the policies and framework to identify, manage and monitor such risks, the proposed amendments to the Operational Risk Management Policy and the adoption of the Risk Identification Framework would promote the stability of the Clearing House and the prompt and accurate clearance and settlement of cleared contracts. The enhanced risk management is therefore also generally consistent with the protection of investors and the public interest in the safe operation of the Clearing House. (ICE Clear Europe would not expect the amendments to affect the safeguarding of securities and funds in ICE Clear Europe's custody or control or for which it is responsible.) Accordingly, the amendments satisfy the requirements of Section 17A(b)(3)(F). 6
Footnotes:
6 ?15 U.S.C. 78q-1(b)(3)(F).
The amendments to the Operational Risk Management Policy and the adoption of the Risk Identification Framework are also consistent with relevant provisions of Rule 17Ad-22. 7 Rule 17Ad-22(e)(3)(i) provides that "[e]ach covered clearing agency shall establish, implement, maintain and enforce written policies and procedures reasonable designed to, as applicable [. . .] identify, measure, monitor and manage the range of risks that arise in or are borne by the covered clearing agency". 8 As set forth above, the amendments to the Operational Risk Management Policy are intended to clarify and enhance the Clearing House's policies and practices that address operational and other risks, including with respect to the ongoing review, categorization and assessment of risks faced by the Clearing House. The adoption of the Risk Identification Framework would assist the Board in evaluation of risks and consequently facilitate risk avoidance, mitigation or acceptance by the Clearing House. The amendments would thus strengthen the management of operational risks and risk management more generally. In ICE Clear Europe's view, the amendments are therefore consistent with the requirements of Rule 17Ad-22(e)(3)(i). 9
Footnotes:
7 ?17 CFR 240.17Ad-22.
8 ?17 CFR 240.17Ad-22(e)(3)(i).
9 ?17 CFR 240.17Ad-22(e)(3)(i).
Rule 17Ad-22(e)(2) provides that "[e]ach covered clearing agency shall establish, implement, maintain and enforce written policies and procedures reasonable designed to, as applicable [. . .] provide for governance arrangements that are clear and transparent"? 10 and "[s]pecify clear and direct lines of responsibility". 11 The amendments to the Operational Risk Management Policy and the adoption of the Risk Identification Framework each would clarify or provide the responsibilities of the Clearing House's committees, management and the Board in relation to each such document. In ICE Clear Europe's view, the amendments are therefore consistent with the requirements of Rule 17Ad-22(e)(2). 12
Footnotes:
10 ?17 CFR 240.17Ad-22(e)(2)(i).
11 ?17 CFR 240.17Ad-22(e)(2)(v).
12 ?17 CFR 240.17Ad-22(e)(2).
[top] The proposed amendments are also consistent with Rule 17Ad-22(e)(17)(i),
Footnotes:
13 ?17 CFR 240.17Ad-22(e)(17)(i).
14 ?17 CFR 240.17Ad-22(e)(17)(i).
(B) Clearing Agency's Statement on Burden on Competition
ICE Clear Europe does not believe the proposed amendments would have any impact, or impose any burden, on competition not necessary or appropriate in furtherance of the purposes of the Act. The amendments are being adopted to update and clarify the Clearing House's Operational Risk Management Policy and to adopt the Risk Identification Framework, all of which relate to the Clearing House's internal processes for operational risk management. ICE Clear Europe does not believe the amendments and adoption would affect the costs of clearing, the ability of market participants to access clearing, or the market for clearing services generally. Therefore, ICE Clear Europe does not believe the proposed rule change imposes any burden on competition that is inappropriate in furtherance of the purposes of the Act.
(C) Clearing Agency's Statement on Comments on the Proposed Rule Change Received From Members, Participants or Others
Written comments relating to the proposed amendments have not been solicited or received by ICE Clear Europe. ICE Clear Europe will notify the Commission of any written comments received with respect to the proposed rule change and adoption.
III. Date of Effectiveness of the Proposed Rule Change and Timing for Commission Action
Within 45 days of the date of publication of this notice in the Federal Register or within such longer period up to 90 days (i) as the Commission may designate if it finds such longer period to be appropriate and publishes its reasons for so finding or (ii) as to which the self-regulatory organization consents, the Commission will:
(A) By order approve or disapprove such proposed rule change, or
(B) institute proceedings to determine whether the proposed rule change should be disapproved.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:
Electronic Comments
• Use the Commission's internet comment form ( http://www.sec.gov/rules/sro.shtml ) or
• Send an email to rule-comments@sec.gov. Please include File Number SR-ICEEU-2022-008 on the subject line.
Paper Comments
• Send paper comments in triplicate to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to File Number SR-ICEEU-2022-008. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website ( http://www.sec.gov/rules/sro.shtml ). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of such filings will also be available for inspection and copying at the principal office of ICE Clear Europe and on ICE Clear Europe's website at https://www.theice.com/clear-europe/regulation. All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number SR-ICEEU-2022-008 and should be submitted on or before May 5, 2022.
For the Commission, by the Division of Trading and Markets, pursuant to delegated authority. 15
Footnotes:
15 ?17 CFR 200.30-3(a)(12).
Jill M. Peterson,
Assistant Secretary.
[FR Doc. 2022-07950 Filed 4-13-22; 8:45 am]
BILLING CODE 8011-01-P