Notice2022-28303
Self-Regulatory Organizations; The Options Clearing Corporation; Order Granting Approval of Proposed Rule Change by The Options Clearing Corporation Concerning a Risk Management Framework and Corporate Risk Management Policy
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
December 29, 2022
Issuing agencies
Securities and Exchange Commission
Full Text
<html>
<head>
<title>Federal Register, Volume 87 Issue 249 (Thursday, December 29, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 249 (Thursday, December 29, 2022)]
[Notices]
[Pages 80207-80211]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-28303]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-96566; File No. SR-OCC-2022-010]
Self-Regulatory Organizations; The Options Clearing Corporation;
Order Granting Approval of Proposed Rule Change by The Options Clearing
Corporation Concerning a Risk Management Framework and Corporate Risk
Management Policy
December 22, 2022.
I. Introduction
On September 6, 2022, the Options Clearing Corporation (``OCC'')
filed with the Securities and Exchange Commission (``Commission'') the
proposed rule change SR-OCC-2022-010 pursuant to Section 19(b) of the
Securities Exchange Act of 1934 (``Exchange Act'') \1\ and Rule 19b-4
\2\ thereunder. The proposed rule change would replace OCC's current
Risk Management Framework Policy (``RMFP'') with two new documents: a
revised Risk Management Framework (``RMF'') as well as a Corporate Risk
Management Policy (``CRMP''). The proposed rule change was published
for public comment in the Federal Register on September 26, 2022.\3\ On
November 8, 2022, pursuant to Section 19(b)(2) of the Exchange Act,\4\
the Commission designated a longer period within which to approve the
proposed rule change, disapprove the proposed rule change, or institute
proceedings to determine whether to disapprove the proposed rule
change.\5\ The Commission has received no comments regarding the
proposed rule change. For the reasons discussed below, the Commission
is approving the proposed rule change.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ Securities Exchange Act Release No. 95842 (Sept. 20, 2022),
87 FR 58409 (Sept. 26, 2022) (File No. SR-OCC-2022-010) (``Notice of
Filing'').
\4\ 15 U.S.C. 78s(b)(2).
\5\ See Securities Exchange Act Release No. 96275 (Nov. 8,
2022), 87 FR 68529 (Nov. 15, 2022) (File No. SR-OCC-2022-010).
---------------------------------------------------------------------------
II. Background <SUP>6</SUP>
---------------------------------------------------------------------------
\6\ Capitalized terms used but not defined herein have the
meanings specified in OCC's Rules and By-Laws, available at <a href="https://www.theocc.com/about/publications/bylaws.jsp">https://www.theocc.com/about/publications/bylaws.jsp</a>.
---------------------------------------------------------------------------
OCC maintains several documents designed to define its framework
for managing its various risks, including financial, legal, and
operational risks. The RMFP describes OCC's risk management framework
as summarizing its overall approach taken to identify, measure,
monitor, and manage all risks faced by OCC in the provision of
clearing, settlement, and risk management services. In addition to the
RMFP, OCC's risk management documents include the Clearing Fund
Methodology Policy, Collateral Risk Management Policy, Default
Management Policy, Margin Policy, Model Risk Management Policy,
Recovery and Orderly Wind-Down Plan, and Third-Party Risk Management
Framework (collectively, the ``OCC Risk Policies''). These OCC Risk
Policies are separate supporting documents containing details on how
OCC's risk management framework is used and applied within OCC.
OCC's RMFP describes, at a high level, OCC's framework for managing
risk. After its routine review of its existing RMFP, OCC proposes to
replace its RMFP with two new, more detailed documents, the RMF and
CRMP, which it believes will enhance the clarity and transparency of
its overall risk management framework.\7\
---------------------------------------------------------------------------
\7\ See Notice of Filing, 87 FR 58409.
---------------------------------------------------------------------------
Specifically, OCC proposes introducing the RMF to provide a broader
overview of OCC's risk universe, including categorizations of risk
management, descriptions of practices across OCC's three lines of
defense model, a discussion of how OCC is prepared with tools to manage
recovery and orderly wind-down, and a narrative about the requirements
related to escalations of exceptions and deviations.
Simultaneously, OCC proposes to introduce the CRMP as a separate
policy because it is intended to support the RMF by providing more
extensive details on OCC's corporate risk management and its practices.
These details include enhanced descriptions of OCC's activities to
identify, measure, monitor, manage, report, and escalate risks to
inform decision-making. Furthermore, OCC proposes to move details of
OCC's corporate risk management program to the CRMP in order to make
OCC's approach to corporate risk consistent with other areas of risk
managed by OCC.
[[Page 80208]]
A. The Risk Management Framework
Overall, OCC is proposing to expand the level of detail provided in
its rules describing OCC's framework for managing risk and is proposing
several changes to the substance of the rules in its RMFP to the extent
they would be moved to the proposed RMF, in an entirely new document.
Among other things, the RMF generally encompasses the RMFP with the
following changes that: (i) replace or update information; (ii) remove
extraneous information; (iii) relocate information; or (iv) add rule
text not currently found in the RMFP:
(i) RMF Changes that Replace or Update Information:
1. Replace the purpose section of the RMFP with a new purpose
section of the RMF and an introduction section of the CRMP that,
collectively, would (i) reflect the reorganization of content across
the two new documents and (ii) explain the purpose of and intention for
each, as well as their place in OCC's overall framework for risk
management.
2. Modify the descriptions of OCC's risk appetite framework,
including the risk universe, risk appetite, and risk tolerances, to be
less detailed in the RMF than in the RMFP, while relocating the risk
appetite framework detail and expanding it in the CRMP for a more
extensive description overall. These changes include replacing the
Identification of Key Risks section in the RMFP with a new OCC Risk
Management section in the RMF, and expanded in the CRMP. Both of these
changes are discussed in detail below.\8\
---------------------------------------------------------------------------
\8\ See ``Additional Rule Text in the RMF not Currently Found in
the RMFP,'' infra at II.A.(iv)1; ``Additional Rule Text in the CRMP
not Currently Found in the RMFP,'' infra at II.B.(i)2.b.
---------------------------------------------------------------------------
3. In the new RMF, revise the descriptions of the responsibilities
of the Management Committee and working groups. The RMF would state
that the Management Committee supports the management and conduct of
its business in accordance with policy directives from the Board. The
RMF would also state that the Management Committee includes officers
responsible for ensuring that the Management Committee's actions and
decisions are consistent with OCC's mission, Code of Conduct, Rules and
By-Laws, policies, procedures, and general principles of sound
corporate governance. The RMF would further state that the Management
Committee would have explicitly-stated authority to form and delegate
authority to subcommittees and working groups to conduct certain of the
Management Committee's activities, and these subcommittees and working
groups would be responsible for reporting and escalating information.
These proposed descriptions vary from the corresponding RMFP
descriptions that primarily relate to the Management Committee's role
and responsibilities in reviewing and recommending changes to OCC's
risk universe and escalating breaches to the Board.\9\
---------------------------------------------------------------------------
\9\ As noted below, OCC proposes to provide a more detailed
description in the CRMP of the Management Committee's role and
responsibilities in reviewing and recommending changes to OCC's risk
universe. See ``CRMP Governance Adjustments,'' infra at II.B.(ii)4.
---------------------------------------------------------------------------
4. Replace the Credit Risk Management Framework section in the RMFP
with proposed Membership Standards, Credit, Clearing Fund, Margin,
Collateral, and Default Management sections in the RMF. These new
sections of the RMF would refer to the same OCC Risk Policies that
address these risks and are currently filed with the Commission as
rules of OCC (e.g., the Margin Policy,\10\ Clearing Fund Methodology
Policy,\11\ Collateral Risk Management Policy,\12\ Default Management
Policy,\13\ and Third-Party Risk Management Framework \14\). There
would be no change to the substance of these sections.
---------------------------------------------------------------------------
\10\ See, e.g., Exchange Act Release No. 82355 (Dec. 19, 2017),
82 FR 61058 (Dec. 26, 2017) (File No. SR-OCC-2017-007).
\11\ See, e.g., Exchange Act Release No. 83735 (July 27, 2018),
83 FR 37855 (Aug. 2, 2018) (File No. SR-OCC-2018-008).
\12\ See, e.g., Exchange Act Release No. 82311 (Dec. 13, 2017),
82 FR 60252 (Dec. 19, 2017) (File No. SR-OCC-2017-008).
\13\ See, e.g., Exchange Act Release No. 82310 (Dec. 13, 2017),
82 FR 60265 (Dec. 19, 2017) (File No. SR-OCC-2017-010).
\14\ See, e.g., Exchange Act Release No. 90797 (Dec. 23, 2020),
85 FR 86592 (Dec. 30, 2020) (File No. SR-OCC-2020-014).
---------------------------------------------------------------------------
5. Revise the process for handling policy violations and
exceptions. Currently, policy violations and exceptions are reviewed by
OCC's Chief Executive Officer and Chief Compliance Officer,
respectively. The proposed changes would instead escalate exceptions
and risk acceptances to OCC's Corporate Risk group \15\ and to escalate
policy deviations to its Compliance department.\16\
---------------------------------------------------------------------------
\15\ The proposed CRMP details requirements related to risk
reporting and escalation. See ``CRMP Governance Adjustments,'' infra
at II.B.(ii)4.
\16\ OCC is making similar changes broadly across policies,
which have different levels of detail regarding exception handling,
because it believes such changes would create consistency with this
practice in their policies and procedures without requiring each to
have its own individual policy exceptions and violations that need
to be updated. See Notice of Filing, 87 FR at 58418.
---------------------------------------------------------------------------
(ii) RMF Changes that Remove Extraneous Information:
In connection with replacing the RMFP with the RMF and CRMP, OCC
believes certain information would be rendered extraneous.\17\
Accordingly, OCC is proposing to remove such extraneous information
currently found in the RMFP but will not replace it with equivalent
sections in either the RMF or CRMP, including the following:
---------------------------------------------------------------------------
\17\ OCC believes the information being removed from its rules
to be extraneous. See Notice of Filing, 87 FR at 58411-58423.
---------------------------------------------------------------------------
1. Delete the Context for Risk Management Framework and Risk
Management Philosophy sections of the RMFP, as these provide history
and background information about OCC that is covered elsewhere in the
content that OCC proposes to migrate from the RMFP to the RMF and CRMP.
2. Move the standalone RMFP section dedicated to the Compliance
Risk Assessment program under the broader Compliance section of the
RMF.\18\
---------------------------------------------------------------------------
\18\ See Notice of Filing, 87 FR at 58417.
---------------------------------------------------------------------------
3. Replace the Control Activities section of the RMFP with more
general descriptions of Compliance's responsibilities under the RMF to
clarify the department's responsibilities for management of compliance
risk more succinctly.
4. Delete the RMFP sections related to project management,
corporate planning and budgeting, and Human Resources and Compliance
Training and Policies that address administrative policies and
practices.
5. Remove the RMFP's Appendix: OCC's Key Risks with CCA, PFMI, and
Reg SCI Mapping to remove detailed risk mapping from OCC high-level
policy documents.\19\
---------------------------------------------------------------------------
\19\ OCC's Corporate Risk group would continue to maintain and
dynamically update the mapping, risks, and manner in which it
defines the risks based on business and market factors. See Notice
of Filing, 87 FR at 58418.
---------------------------------------------------------------------------
(iii) RMF Changes that Relocate Information
The following changes involve relocating information contained in
the RMFP by either moving it to new sections in the RMF or CRMP, or
incorporating it into RMFP sections that are being moved over largely
as-is:
1. Relocate the Risk Management Governance section of the RMFP,
with certain modifications, to a new Governance section of the RMF. The
modifications would include streamlining the description of the
responsibilities of the Board, which generally are already addressed in
the Board of Directors Charter and Corporate Governance principles. The
RMF Governance section would state that the Board is responsible for
advising and overseeing management and that OCC's Chief Risk Officer
[[Page 80209]]
(``CRO'') would present a review of the RMF to the Board for approval
at least annually. Further, OCC would streamline discussion of the
Management Committee and working groups to be consistent with changes
in responsibility discussed above.\20\
---------------------------------------------------------------------------
\20\ Discussion of responsibilities related to the Management
Committee's role and responsibilities in reviewing and recommending
changes to OCC's risk universe, including risk appetites and
tolerances, and escalating breaches to the Board would be moved to
the CRMP. See, e.g., ``CRMP Governance Adjustments'' infra at
II.B.(ii)4.
---------------------------------------------------------------------------
2. Relocate the Risk Management Practice, Enterprise Risk
Assessment program, and Risk Reporting sections from the RMFP to the
CRMP, with the changes described below.\21\
---------------------------------------------------------------------------
\21\ See Order Granting Approval infra ``CRMP Changes that Add
Context'' at II.B.(i)2.a.
---------------------------------------------------------------------------
3. Relocate the discussion of OCC's Scenario Analysis Program from
the RMFP to the CRMP, with revisions designed to more accurately and
completely describe the scenario analysis process.\22\
---------------------------------------------------------------------------
\22\ Id.
---------------------------------------------------------------------------
(iv) Additional Rule Text in the RMF not Currently Found in the RMFP:
1. Add new rule text describing the responsibilities of OCC
employees to contain risk escalation reporting, consultations with
Legal on legal and regulatory matters, and training on a culture of
risk and control awareness. This new rule text would be located in the
Governance section of the RMF.
2. Include a discussion of OCC's ``three lines of defense'' model
in the OCC Risk Management section of the RMF that would be similar to
the discussion currently provided in the RMFP. OCC's three lines of
defense model would remain unchanged, while the additional information
proposed for the RMF would clarify who has ownership and accountability
for risk management.
3. Add text in a Security section stating that OCC's Security
department manages information, physical, and personnel security risk
to safeguard the confidentiality, integrity, and availability of
corporate information systems and data assets implemented and
maintained by Information Technology.
4. Add a summary of OCC's Recovery and Orderly Wind-Down Plan to
the RMF, in order to describe this aspect of OCC's risk management
framework. The RMF would state that OCC employs a set of recovery tools
in the event of severe financial, operational, or general business
stress, to continue to provide critical clearing and settlement
services. It would further state that OCC has a wind-down plan that
provides for OCC's orderly resolution if it is determined that recovery
efforts would be unsuccessful or insufficient.\23\
---------------------------------------------------------------------------
\23\ See Notice of Filing, 87 FR at 58418.
---------------------------------------------------------------------------
B. The Corporate Risk Management Policy
Among other things, the CRMP would contain some of the information
in OCC's RMFP and expand upon certain topics by (i) adding rule text
not currently found in the RMFP and (ii) introducing certain governance
adjustments. Such changes would include the following:
(i) Additional Rule Text in the CRMP not Currently Found in the RMFP:
1. Support the RMF by explaining OCC's risk management activities
and provide an overview of the activities overseen by OCC's Corporate
Risk group to identify, measure, monitor, manage, report, and escalate
risks.
2. As noted above,\24\ the CRMP would expand the discussion of
OCC's risk appetite framework in the OCC Risk Management Practice
section of the RMF.
---------------------------------------------------------------------------
\24\ See ``RMF Changes that Replace or Update Information,''
supra II.A.(i)2.
---------------------------------------------------------------------------
a. Other than the Compliance Risk Assessment,\25\ the information
currently provided in the Risk Management Practice section of the RMFP
would be moved as-is to the Risk Management Practice section of the
CRMP and revised to more accurately and completely describe the risk
assessment, monitoring, and reporting processes conducted by Corporate
Risk. Specifically, the CRMP would include revised discussions of
Enterprise Risk Assessments, the Scenario Analysis Program, and Risk
Reporting to provide more detail about how these processes function,
such as Corporate Risk's obligations, the quarterly results reporting
duties of the CRO and the use of residual risk, risk tolerances, and
risk warnings and associated reporting.
---------------------------------------------------------------------------
\25\ As noted above, the substance of Compliance Risk Assessment
section of the RMFP would now be addressed in the Compliance section
of the RMF, and would not be part of the Risk Management Practice
section of the RMF on which the CRMP expands.
---------------------------------------------------------------------------
b. Modify the description of OCC's risk appetite framework as well
as revise terminology in the risk universe, including changes to the
Key Risks, Sub-Categories, and Definitions in the RMFP. In adopting the
CRMP, OCC would remove the more general risk appetite statement
definitions (i.e., no appetite, low appetite, moderate appetite, and
high appetite), which are currently described in the RMFP, enabling OCC
to use more detailed qualitative risk appetite statements for each risk
sub-category. As a result, the CRMP describes OCC's risk universe
terminology as being classified into: (i) risk categories, which are
the highest-level groups of risk aggregation; (ii) risk sub-categories,
which further classify risks within risk categories into detailed
groups; and (iii) risk statements, which are descriptions of the
drivers, events and consequences of risks. OCC believes that the
proposed terms are better at describing the elements that comprise
OCC's risk universe and the relationship between them.\26\
---------------------------------------------------------------------------
\26\ See Notice of Filing, 87 FR at 58411.
---------------------------------------------------------------------------
3. Describe Corporate Risk's process for escalating risks to the
CRO, Management Committee, and Board, and for training employees about
risk to support risk management and decision-making.
4. Introduce the concept of risk rating scales, which reflect how
large the effect of an event's occurrence would be and the likelihood
of it occurring when considering a range of repercussions on OCC's
business. The CRMP would state that the likelihood risk rating scale
considers a 10-year financial cycle and yearly corporate planning
activities, and they are used to measure both inherent and residual
risk. Corporate Risk and Risk Owners would be required to review
changes to the risk scales, and the CRO would approve them. The
Management Committee and Board would be notified of changes to the risk
rating scales.
(ii) CRMP Governance Adjustments:
1. Transfer responsibility for maintaining inventory of all
business processes, risks, and associated controls from Compliance to
Corporate Risk. Revise descriptions related to risk assessment,
monitoring, and reporting conducted by Corporate Risk to indicate
Corporate Risk and Risk Owners would be required at least every twelve
months to review the risk universe, risk tolerances, and risk appetites
within established tolerances and make adjustments at a risk sub-
category level. This revision is a change from the RMFP because it
requires Corporate Risk and Risk Owners to do the review instead of the
Management Committee, and it requires these reviews at least every
twelve months instead of at least annually.
2. Introduce the concept of a risk universe, and state that the CRO
has (i) authority to approve OCC's risk universe and (ii) an obligation
to provide the risk universe to the Management Committee and the Board.
[[Page 80210]]
3. Add new sections to provide additional details regarding OCC's
processes for (i) monitoring qualitative or quantitative risk metrics
as well as operational risk events, (ii) managing risks against OCC's
tolerances and appetites, (iii) escalation, and (iv) training.
4. Provide additional details around the internal governance
process for reviewing and approving risk categories, appetites, and
tolerances for monitoring risk tolerances. Corporate Risk would approve
Risk statements, while it would notify the Management Committee and
Board of updates.
a. Risk appetites would be established at the risk subcategory
level and the CRO and Management Committee would present them along
with any changes to the Board, or to the Risk Committee if the Board
has delegated such authority, for approval.
b. The CRO would be responsible for escalating risk appetite
breaches to the Management Committee, Risk Committee, and Board.
c. Risk Owners would be responsible for developing risk treatment
plans to reduce risks that exceed OCC's risk appetites.
C. Conforming Changes to OCC Risk Policies
In addition to adopting the RMF and the CRMP, OCC proposes to make
conforming changes to its OCC Risk Policies by replacing or removing
references throughout that would become inaccurate (e.g., references to
the RMFP) and removing the policy-specific references to exceptions and
violations that would be uniformly covered by the new Risk Acceptance
and Deviations section of the RMF.\27\ OCC also proposes to make
administrative updates to cross-references to other internal OCC
policies and procedures that would not affect the substance of OCC's
rules.
---------------------------------------------------------------------------
\27\ See ``RMF Changes that Replace or Update Information''
supra at II.A.(i)5.
---------------------------------------------------------------------------
III. Discussion and Commission Findings
Section 19(b)(2)(C) of the Exchange Act directs the Commission to
approve a proposed rule change of a self-regulatory organization if it
finds that such proposed rule change is consistent with the
requirements of the Exchange Act and the rules and regulations
thereunder applicable to such organization.\28\ After carefully
considering the proposed rule change, the Commission finds that the
proposal is consistent with the requirements of the Exchange Act and
the rules and regulations thereunder applicable to OCC. More
specifically, the Commission finds that the proposal is consistent with
Section 17A(b)(3)(F) of the Exchange Act,\29\ Rules 17Ad-22(e)(2)(v)
\30\, and Rule 17Ad-22(e)(3)(i) \31\ as described in detail below.
---------------------------------------------------------------------------
\28\ 15 U.S.C. 78s(b)(2)(C).
\29\ 15 U.S.C. 78q-1(b)(3)(F).
\30\ 17 CFR 240.17Ad-22(e)(2)(v).
\31\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------
A. Consistency With Section 17A(b)(3)(F) of the Exchange Act
Section 17A(b)(3)(F) of the Exchange Act requires, among other
things, that a clearing agency's rules are designed to promote the
prompt and accurate clearance and settlement of securities
transactions.\32\
---------------------------------------------------------------------------
\32\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
The Commission believes that the proposed changes strengthen and
expand on the foundation of OCC's risk management policies, procedures,
and systems that make up OCC's broader risk management framework. Among
other things, the changes clarify lines of reporting and escalation,
designate responsibility, and provide more transparency around updates
while making the update process simpler. More specifically, the
proposed changes both (i) streamline key risk concepts, such as policy
exceptions to OCC's process for escalating exceptions and deviations to
develop and mature without requiring individual section updates, and
(ii) introduce concepts such as the risk rating scales. As a result,
the Commission believes that the proposed replacement of the RMFP with
the RMF and CRMP would strengthen OCC's risk management processes,
which, in turn, would allow OCC to manage such risks in a comprehensive
manner. The additional conforming changes to the OCC Risk Policies
would also serve to enhance consistency across the documents comprising
OCC's framework for managing risks. The comprehensive management of
risk would reduce the likelihood of a failure or disruption of OCC in
its role as central counterparty for the listed options.
The Commission believes, therefore, that the proposal is consistent
with the requirements of Section 17A(b)(3)(F) of the Exchange Act.
B. Consistency With Rule 17Ad-22(e)(2)(v) of the Exchange Act
Rules 17Ad-22(e)(2)(v) requires that a covered clearing agency
establish, implement, maintain and enforce written policies and
procedures reasonably designed to provide for governance arrangements
that specify clear and direct lines of responsibility.\33\
---------------------------------------------------------------------------
\33\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------
As described above in section II.B.(ii), the proposal contained in
the Notice of Filing would replace the current RMFP with amended rules
describing OCC's risk management and governance arrangements in the
RMF, including the roles and responsibilities of the Board, Management
Committee, and OCC's internal working groups. The CRMP would provide
additional descriptions and requirements complementing the rules in the
RMF by introducing concepts and governance details, including the CRO
owning and approving the risk universe and then providing it to the
Management Committee. Furthermore, the proposal would transfer
responsibility for all business processes, risks, and associated
controls from Compliance to Corporate Risk, which would also be
responsible for monitoring, escalating, and training processes.
Additionally, the proposed changes in the RMF and CRMP together would
specify clearer lines of reporting, responsibility, and escalation,
provide definitive update schedules, and create more streamlined set of
documents requiring updates than are present in the RMF. The Commission
believes these proposed changes would improve OCC's risk framework by
presenting a clearer description of OCC's governance arrangements as
they relate to the management of risk within OCC.
The Commission believes, therefore, that the proposal is consistent
with the requirements of Rule 17Ad-22(e)(2)(v) of the Exchange Act.\34\
---------------------------------------------------------------------------
\34\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------
C. Consistency With Rule 17Ad-22(e)(3)(i) Under the Exchange Act
Rule 17Ad-22(e)(3) under the Exchange Act requires that a covered
clearing agency establish, implement, maintain, and enforce written
policies and procedures reasonably designed to maintain a sound risk
management framework for comprehensively managing legal, credit,
liquidity, operational, general business, investment, custody, and
other risks that arise in or are borne by the covered clearing
agency.\35\ Rule 17Ad-22(e)(3)(i) requires that such policies and
procedures include risk management policies, procedures, and systems
designed to identify, measure, monitor, and manage the range of risks
that arise in or are borne by the covered clearing agency that are
subject to review on a
[[Page 80211]]
specified periodic basis and approved by the board of directors
annually.\36\
---------------------------------------------------------------------------
\35\ 17 CFR 240.17Ad-22(e)(3)(i).
\36\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------
The Commission previously found the OCC's RMFP, and subsequent
revisions thereto, to be consistent with Rule 17Ad-22(e)(3)(i).\37\ As
described above, the proposal contained in the Notice of Filing would
replace OCC's RMFP with the RMF and CRMP. In replacing the RMFP, OCC
proposes to (i) replace or update rules currently in the RMFP,\38\ (ii)
remove information currently in the RMFP from OCC's rules,\39\ (iii)
relocate rules from the RMFP to the RMF and CRMP,\40\ and (iv) add new
rule text expanding on what exists in the RMFP.\41\ The Commission
believes that, overall, the propose changes would maintain, clarify,
and expand on OCC's framework for managing risk. Additionally, OCC
proposes to make conforming changes to other policies that reference
the RMFP.
---------------------------------------------------------------------------
\37\ See Exchange Act Release No. 82232 (Dec. 7, 2017), 82 FR
58662 (Dec. 13, 2017) (File No. SR-OCC-2017-005) (approving adoption
of the RMFP). See also, e.g., Exchange Act Release No. 90797 (Dec.
23, 2020), 85 FR 86592 (Dec. 30, 2020) (File No. SR-OCC-2020-014)
(approving changes to the RMF related to the adoption of Third-Party
Risk Management Framework).
\38\ See supra sections II.A.(i).
\39\ See supra sections II.A.(ii).
\40\ See supra sections II.A.(iii).
\41\ See supra sections II.A.(iv), II.B.(i).
---------------------------------------------------------------------------
As described above, OCC proposes replacing and updating rules
currently in the RMFP. For example, OCC proposes replacing a
description of the purpose of the RMFP with a description of the
purpose of the RMF and an introduction to the CRMP. Further, OCC
proposes relocating rules currently found in the RMFP without changing
the substance of those rules. For example, OCC proposes to move the
substance of the Risk Management Governance section of the RMFP under
the broader Governance section the RMF. The Commission believes that
such changes serve to accurately reflect the proposed organization of
OCC's policies and procedures that comprise its framework for managing
risk.
Additionally, OCC proposes removing information such as the history
and background found in the Risk Management Philosophy section of the
RFMP. The Commission believes that the removal of background and
historical information would not change OCC's processes or systems for
identifying, measuring, monitoring, or managing risk.
Finally, OCC proposes changes to expand the rules currently
captured in the RMFP. For example, the RMF would describe OCC's
reorganized framework for managing risk and provide an overview of
OCC's risk appetite framework, including OCC's risk universe, risk
appetite, and risk tolerances that would be described in the CRMP in
greater detail. It would include an expanded discussion of OCC's three
lines of defense model while relocating detailed discussions of the
Risk Management Practice, Enterprise Risk Assessment program, and Risk
Reporting to the CRMP. The RMF would state that the Board is
responsible for advising and overseeing management, and that OCC's CRO
would present a review of the RMF to the Board for approval at least
annually. The discussion of Control activities would be revised to give
general descriptions of Compliance while also updating OCC's processes
for handling policy exceptions. The RMF would also include a new
section discussing the Recovery and Orderly Wind-Down plan.
Additionally, the CRMP would contain new rule text regarding OCC's risk
monitoring processes. Furthermore, the key risk universe definitions
provided in the CRMP would use detailed qualitative risk appetite
statements for each risk sub-category to better describe the elements
that comprise OCC's risk universe and the relationship between them
while providing additional details for internal governance and
monitoring. Finally, the CRMP would introduce risk rating scales, which
reflect how large the effect of an event's occurrence would be and the
likelihood of it occurring when considering a range of repercussions on
OCC's business. The Commission believes that the proposed changes
provide a more comprehensive and transparent discussion of OCC's
overall framework for managing its range of risks, including legal,
credit, liquidity, operational, general business, investment, custody,
among others, as referenced in detail in its first line of defense and
supported through the challenge and assurance functions in OCC's second
and third lines of defense. The Commission also believes that certain
proposed changes clarify and strengthen the risk management framework.
For example, Corporate Risk and Risk Owners would be required to review
the risk universe, risk tolerances, and risk appetites within
established tolerances at least every twelve months instead of at least
annually, which could otherwise result in gaps of time between reviews
ranging as long as twenty-two months.
The Commission believes, therefore, that the proposal is consistent
with the requirements of Rule 17Ad-22(e)(3)(i) of the Exchange Act.\42\
---------------------------------------------------------------------------
\42\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
VI. CONCLUSION
On the basis of the foregoing, the Commission finds that the
proposed rule change, is consistent with the requirements of the
Exchange Act, and in particular, the requirements of Section 17A of the
Exchange Act \43\ and the rules and regulations thereunder.
---------------------------------------------------------------------------
\43\ In approving this proposed rule change, the Commission has
considered the proposed rules' impact on efficiency, competition,
and capital formation. See 15 U.S.C. 78c(f).
---------------------------------------------------------------------------
It Is Therefore Ordered, pursuant to Section 19(b)(2) of the
Exchange Act,\44\ that the proposed rule change (SR-OCC-2022-010) be,
and hereby is, approved
---------------------------------------------------------------------------
\44\ 15 U.S.C. 78s(b)(2).
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\45\
---------------------------------------------------------------------------
\45\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2022-28303 Filed 12-28-22; 8:45 am]
BILLING CODE 8011-01-P
</pre></body>
</html>Indexed from Federal Register on December 29, 2022.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.