Self-Regulatory Organizations; ICE Clear Europe Limited; Order Approving Proposed Rule Change, as Modified by Amendment No. 1 and Partial Amendment No. 2, Relating to Amendments to the Outsourcing Policy

Issuing agencies

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 181 (Wednesday, September 20, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 181 (Wednesday, September 20, 2023)]
[Notices]
[Pages 64953-64957]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-20306]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-98387; File No. SR-ICEEU-2023-018]


Self-Regulatory Organizations; ICE Clear Europe Limited; Order 
Approving Proposed Rule Change, as Modified by Amendment No. 1 and 
Partial Amendment No. 2, Relating to Amendments to the Outsourcing 
Policy

September 14, 2023.

I. Introduction

    On July 10, 2023, ICE Clear Europe Limited (``ICE Clear Europe'') 
filed with the Securities and Exchange Commission (``Commission''), 
pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 
(the ``Act''),\1\ and Rule 19b-4 thereunder,\2\ a proposed rule change 
to amend its Outsourcing Policy (to be renamed the Outsourcing and 
Third Party Risk Management Policy) (the ``Outsourcing Policy''). On 
July 11, 2023, ICE Clear Europe filed Amendment No. 1 to the proposed 
rule change to make certain changes to the Form 19b-4 and Exhibit 1A 
for file no. SR-ICEEU-2023-018; \3\ and on July 24, 2023, ICE Clear 
Europe filed Partial Amendment No. 2 to the proposed rule

[[Page 64954]]

change to make a certain change to Exhibit 5 of file no. SR-ICEEU-2023-
018 \4\ (together, ``proposed rule change''). The proposed rule change 
was published for comment in the Federal Register on July 31, 2023.\5\ 
The Commission did not receive comments regarding the proposed rule 
change. For the reasons discussed below, the Commission is approving 
the proposed rule change.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Amendment No. 1 amended and restated in its entirety the 
Form 19b-4 and Exhibit 1A to correct the narrative description of 
the proposed rule change. Amendment No. 1 did not change the purpose 
or basis of the proposed rule change.
    \4\ Partial Amendment No. 2 amended and restated in its entirety 
Exhibit 5 to correct an inadvertent omission of a single word. 
Partial Amendment No. 2 did not change the purpose or basis of the 
proposed rule change.
    \5\ Self-Regulatory Organizations; ICE Clear Europe Limited; 
Notice of Filing of Proposed Rule Change, as Modified by Amendment 
No. 1 and Partial Amendment No. 2, Relating to Amendments to the 
Outsourcing Policy, Exchange Act Release No. 97974 (July 25, 2023); 
88 FR 49545 (July 31, 2023) (File No. SR-ICEEU-2023-018) 
(``Notice'').
---------------------------------------------------------------------------

II. Description of the Proposed Rule Change

    ICE Clear Europe is registered with the Commission as a clearing 
agency for the purpose of clearing security-based swaps.\6\ In its role 
as a clearing agency for clearing security-based swaps, ICE Clear 
Europe regularly enters into arrangements with affiliates and third-
party service providers to perform certain functions or activities. 
Such arrangements often come with a variety of risks, including legal, 
operational, general business, and other types of risks. To reduce risk 
exposure from such outsourcing arrangements, ICE Clear Europe created 
its Outsourcing Policy to describe, in a consolidated document, 
procedures for managing outsourcing arrangements with affiliates and 
third-party service providers, including how ICE Clear Europe's Board 
of Directors (``Board'') maintains oversight of these outsourcing 
arrangements.\7\
---------------------------------------------------------------------------

    \6\ Capitalized terms used but not defined herein have the 
meanings specified in the ICE Clear Europe Clearing Rules and the 
Outsourcing Policy.
    \7\ Self-Regulatory Organizations; ICE Clear Europe Limited; 
Order Approving Proposed Rule Change Relating to the ICE Clear 
Europe Outsourcing Policy, Exchange Act Release No. 95685 (Sept. 7, 
2022); 87 FR 56129 (Sept. 13, 2022) (File No. SR-ICEEU-2022-014).
---------------------------------------------------------------------------

    The proposed rule change would amend ICE Clear Europe's Outsourcing 
Policy to extend coverage to third-party service provider arrangements 
that technically may not constitute outsourcing, to describe in more 
detail third-party risk management, to add the execution of risk 
assessments, and to update the Document Governance and Exception 
Handling language, among other changes.
    As proposed, the purpose of the Outsourcing Policy would clarify 
that it would extend to arrangements in which services are provided by 
third parties to ICE Clear Europe, regardless of whether such services 
are considered outsourcing, including to assessing the risks of such 
services. The definition of ``outsourcing'' would be clarified as the 
use of third-party service providers, either an external party or an 
affiliate, and either directly or through sub-outsourcing, to provide a 
service that would otherwise be performed by ICE Clear Europe itself 
and is therefore subject to the Board's oversight. The proposed rule 
change would more clearly distinguish outsourcing from a purchasing 
arrangement, which would not involve an arrangement otherwise performed 
by ICE Clear Europe and therefore typically would not be subject to 
Board oversight. Regarding outsourced activities, the Outsourcing 
Policy would explicitly state that ICE Clear Europe would remain 
responsible for discharging its obligations, the outsourcing 
arrangement would not result in the delegation of ICE Clear Europe's 
responsibility, and the outsourced activities would conform to the same 
standards that would be required if the activities were completed 
internally.
    Under the proposed rule change, the Outsourcing Policy would more 
clearly distinguish between affiliates and external third-party service 
providers by adding a definition of the term ``third party,'' which 
would include any organization (whether or not affiliated) that has 
entered into a business relationship or contract with ICE Clear Europe 
to provide products, services, processes, activities or business 
functions. The use of external third parties (i.e., those not 
affiliated with ICE Clear Europe in any way) would be managed 
consistently at the group level through the existing Vendor Management 
Policy (``VMP''). The proposed rule change would more clearly describe 
current practice under the Outsourcing Policy by stating that 
outsourcing through affiliates typically has a lower residual risk 
profile because, among listed reasons in the existing Policy, the 
affiliates would have a similar higher standard of operational 
resilience (rather than referring to business continuity resilience) 
and ICE Clear Europe would have greater influence (not just control) 
over the operation of the affiliate's services.
    The proposed rule change would add detail to existing statements in 
the Outsourcing Policy about the objective of and processes for 
entering into different types of contracting arrangements. Rather than 
covering solely outsourcing arrangements, the objective would extend to 
utilizing service providers more generally. The amended Outsourcing 
Policy would clarify the process of making assessments of service 
providers in various situations, such as regulated parties and parties 
in different jurisdictions; the management of outsourcing; and 
considerations about conflicts of interest and independent audit 
rights. The Outsourcing Policy would continue to reference ICE Clear 
Europe's Outsourcing Operating Manual, albeit renamed to cover risk 
management of additional third-party service providers, rather than 
just outsourcing arrangements. The Outsourcing Policy would state that 
contracting with third parties is covered consistently at a group level 
under the VMP, and would clarify, consistent with current practice, 
that ICE Clear Europe would use the VMP process as an input for the 
risk-based assessment of each service provider. ICE Clear Europe, where 
appropriate, would make external third parties aware of relevant 
internal policies so that they may gain a better understanding of ICE 
Clear Europe's regulatory obligations and expected service levels. When 
contracting with affiliates, ICE Clear Europe's relevant assessment 
would be made in accordance with its ordinary governance practices, and 
not necessarily by the senior management. As is current practice, ICE 
Clear Europe follows its Conflicts of Interest Policy when managing any 
potential conflicts of interests as a result of its service 
arrangements, but the proposed rule change would add an explicit 
reference to the Conflicts of Interest Policy. An additional assessment 
would be added with respect to cloud outsourcing, where ICE Clear 
Europe would consider, understand, and manage any risks related to 
Clearing Members connecting to its services via cloud service 
providers.
    The proposed rule change would add a new Risk Assessments 
subsection to the processes for entering into different types of 
contracting arrangements that would set out the proportional risk 
assessment that would be performed on a service provider, regardless of 
whether the proposed arrangement falls within the definition of 
outsourcing, in order to identify, measure, and mitigate risks. The 
Risk Assessments subsection would include but would not be limited to 
certain considerations, such as whether the service is a critical or 
important function or a dependence to the delivery of one of ICE Clear 
Europe's services, whether the activity is outsourcing, whether the 
service relies on cloud-based technology that may pose new or 
additional risks, whether the service

[[Page 64955]]

provider is an external third party or an affiliate, the legal 
jurisdiction of the service provider, conflicts of interest, 
operational resilience considerations, data security, exit plans, 
contractual terms, and availability of alternative or back-up 
providers. For outsourced or critical non-outsourced services, the risk 
assessment would be performed at least annually, and on an ad-hoc basis 
following a material incident or service disruption event or material 
service agreement breach. Such risk assessments would be required to 
include a review of the service provider's performance against the 
agreed service levels. The responsibilities of executing risk 
assessments and related testing would be required to be overseen by ICE 
Clear Europe's Chief Operating Officer or the COO's delegate, with 
ownership of each service and the related resiliency arrangements 
resting with the relevant Head of Department.
    The proposed rule change would extend existing provisions about the 
identification of critical or important functions to acquired services 
generally, rather than applying only to outsourcing, as is currently 
written. The proposed rule change would clarify that in identifying 
critical or important functions, ICE Clear Europe would consider the 
continuity of its important business services or operation as a CCP 
that could threaten its financial stability or impact its 
resolvability. As proposed, a third party would be treated as critical 
if it is contracted to perform such a critical function, with the 
determination of criticality to be reassessed on at least an annual 
basis. The Outsourcing Policy would clarify that any outsourcing of 
critical or important functions could impact ICE Clear Europe's 
operational resilience measures more generally, rather than affecting 
the narrower category of business continuity measures. Exit plans for 
critical and important functions would be required to be tested 
periodically. As part of its operational resilience framework, ICE 
Clear Europe would examine purchased services, as well as outsourced or 
sub-outsourced services, that are a dependence for its important 
business services. Additional language would require that the 
operational resilience framework shall include extreme but plausible 
test scenarios relating to the disruption of critical third-party 
services.
    Under the proposed rule change, the Outsourcing Policy would amend 
the discussion of additional considerations of particular importance to 
ICE Clear Europe to ensure that considerations would be given to 
important business services and critical functions that are affected by 
third party service arrangements, including with respect to business 
continuity arrangements, incident management responsiveness and 
reporting, independent assurances, redundancies, and notice periods and 
exit strategies. A new subsection detailing Contractual Agreements 
would be added, specifying that for outsourcing arrangements in 
particular, ICE Clear Europe's Legal team would review any written 
service agreements to confirm the inclusion of all relevant contractual 
safeguards so that ICE Clear Europe could monitor relevant risks, 
regulatory requirements, and expectations. ICE Clear Europe would look 
to ensure that the agreements outline the rights, obligations, and 
responsibilities of all the parties, and include provisions associated 
with data security; access, audit and information rights; sub-
outsourcing; service resilience; service levels; incident management; 
termination; and exit plans. Arrangements for purchased services would 
be similarly reviewed, but the Outsourcing Policy would acknowledge 
that some purchased services may be subject to non-negotiable terms set 
by the third party, which would be considered during the pre-execution 
risk assessment phase. The new Contractual Agreements subsection also 
would require that ICE Clear Europe periodically exercise its audit 
rights, as appropriate, regarding critical outsourcing arrangements, 
and that this may include on-site visits.
    The proposed rule change would revise provisions related to Board 
oversight to provide that the Board must approve new or materially 
amended outsourcing arrangements. Certain clarifications would be made 
to the requirements for the annual outsourcing assessment report to be 
prepared by the Chief Operating Officer, including the addition of a 
summary of critical non-outsourcing services received. The proposed 
rule change would add a new subsection on regulatory engagement, 
setting out that ICE Clear Europe shall engage with regulatory 
authorities before executing or materially amending a critical service 
arrangement, regardless of whether it falls within the definition of 
outsourcing, with due regard to relevant regulatory requirements or 
expectations.
    Lastly, the proposed rule change would revise provisions related to 
document governance, breach management, and exception handling, to 
ensure consistency with other ICE Clear Europe policies. As proposed, 
the document owner identified by ICE Clear Europe would be responsible 
for ensuring that the Outsourcing Policy remains up-to-date and 
reviewed in accordance with the internal governance processes. Document 
reviews would be conducted by the document owner and related staff, 
with sign off by the head of department and the Chief Risk Officer, or 
their respective delegates. Document reviews would encompass at the 
minimum regulatory compliance, documentation and purpose, 
implementation, use and open items from previous validations or 
reviews. Results of the review would be reported to the Executive Risk 
Committee or, in certain cases, to the Model Oversight Committee. The 
document owner would aim to remediate the findings, complete internal 
governance, and receive regulatory approvals before the next annual 
review is due. The document owner also would be responsible for 
reporting any material breaches or deviations to the Head of 
Department, Chief Risk Officer and Head of Regulation and Compliance in 
order to determine if further escalation is required. The Outsourcing 
Policy would state explicitly that changes to it would have to be 
approved in accordance with ICE Clear Europe's governance process and 
would take effect following completion of required internal and 
regulatory approvals. Exceptions to the Outsourcing Policy likewise 
would be approved according to the governance processes for approvals 
of changes to the Outsourcing Policy.

III. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act directs the Commission to approve a 
proposed rule change of a self-regulatory organization if it finds that 
such proposed rule change is consistent with the requirements of the 
Act and the rules and regulations thereunder applicable to such 
organization.\8\ For the reasons discussed below, the Commission finds 
that the proposed rule change is consistent with Section 17A(b)(3)(F) 
of the Act,\9\ and Rules 17Ad-22(e)(2)(v) and (e)(3)(i) thereunder.\10\
---------------------------------------------------------------------------

    \8\ 15 U.S.C. 78s(b)(2)(C).
    \9\ 15 U.S.C. 78q-1(b)(3)(F).
    \10\ 17 CFR 240.17Ad-22(e)(2)(v) and (e)(3)(i).
---------------------------------------------------------------------------

A. Consistency With Section 17A(b)(3)(F) of the Act

    Section 17A(b)(3)(F) of the Act requires, among other things, that 
the rules of ICE Clear Europe be designed to promote the prompt and 
accurate clearance and settlement of securities transactions and, to 
the extent applicable, derivative agreements,

[[Page 64956]]

contracts, and transactions.\11\ As noted above, the proposed rule 
change would revise ICE Clear Europe's Outsourcing Policy to expand its 
application to a wider variety of affiliated and third party service 
arrangements, rather than solely covering outsourcing, as well as 
clarify and add to existing provisions that govern agreements for 
performing certain functions and activities. Some of these functions 
and activities relate to ICE Clear Europe's operations and business, 
while others may have to do with its clearance and settlement 
obligations. As proposed, the Outsourcing Policy would provide greater 
clarity as to the processes for entering into different types of 
contracting arrangements; and add detailed and, where applicable, 
annual risk assessments of potential service providers. Such detailed 
risk assessments would include considerations of whether the service is 
a critical or important function or a dependence to the delivery of one 
of ICE Clear Europe's services, among other things. The proposed rule 
change also would clarify provisions about the identification of 
critical or important functions, including that in identifying such 
functions, ICE Clear Europe would consider the continuity of its 
important business services or operation as a CCP that could threaten 
its financial stability or impact its resolvability. Additional 
language on Contractual Agreements would more clearly guide ICE Clear 
Europe in making sure that service agreements outline the rights, 
obligations, and responsibilities of all involved parties, and include 
provisions regarding service levels, service resilience, and incident 
management, among others. Taken together, these amendments would 
clarify how ICE Clear Europe can continue to meet its security-based 
swap obligations and help prevent service interruptions through 
carefully drafted and managed service agreements with third parties or 
affiliates, thus promoting the prompt and accurate clearance and 
settlement of securities transactions and, to the extent applicable, 
derivative agreements, contracts, and transactions.
---------------------------------------------------------------------------

    \11\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    For these reasons, the Commission believes that the proposed rule 
change is consistent with Section 17A(b)(3)(F) of the Act.\12\
---------------------------------------------------------------------------

    \12\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

B. Consistency With Rule 17Ad-22(e)(2)(v) Under the Act

    Rule 17Ad-22(e)(2)(v) requires, in relevant part, that ICE Clear 
Europe establish, implement, maintain, and enforce written policies and 
procedures reasonably designed, as applicable, to provide for 
governance arrangements that specify clear and direct lines of 
responsibility.\13\
---------------------------------------------------------------------------

    \13\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------

    As amended, the Outsourcing Policy would clarify, in various 
provisions throughout the document, the responsibilities, ownership, 
and reporting obligations of certain personnel and departments in 
relation to risk management of service arrangements. For example, the 
proposed rule change would more clearly distinguish between 
outsourcing, which is subject to Board oversight, and purchasing 
arrangements, which are not. The Board would additionally and 
explicitly be responsible for the approval of new or materially amended 
outsourcing arrangements. When contracting with affiliates, ICE Clear 
Europe's relevant assessment would be made in accordance with its 
ordinary governance practices, and not necessarily by the senior 
management. The responsibilities of executing detailed risk assessments 
and related testing would be overseen by ICE Clear Europe's Chief 
Operating Officer or delegate, with ownership of each service and the 
related resiliency arrangements resting with the relevant Head of 
Department. The proposed Outsourcing Policy specifies that the Legal 
team would be responsible for drafting and/or reviewing written service 
agreements to ensure that relevant contractual safeguards are in place. 
New provisions would be added to ensure appropriate document governance 
and exception handling. Overall, the proposed rule change inserted and 
clarified the decision-making responsibilities and reporting chains of 
command with respect to a variety of aspects of the Outsourcing Policy, 
thus providing for governance arrangements that specify clear and 
direct lines of responsibility.
    For these reasons, the Commission believes that the proposed rule 
change is consistent with Rule 17Ad-22(e)(2)(v).\14\
---------------------------------------------------------------------------

    \14\ 17 CFR 240.17 Ad-22(e)(2)(v).
---------------------------------------------------------------------------

C. Consistency With Rule 17Ad-22(e)(3)(i) Under the Act

    Rule 17Ad-22(e)(3)(i) requires that ICE Clear Europe establish, 
implement, maintain, and enforce written policies and procedures 
reasonably designed to, as applicable, maintain a sound risk management 
framework for comprehensively managing legal, credit, liquidity, 
operational, general business, investment, custody, and other risks 
that arise in or are borne by ICE Clear Europe, which includes risk 
management policies, procedures, and systems designed to identify, 
measure, monitor, and manage the range of risks that arise in or are 
borne by ICE Clear Europe, that are subject to review on a specified 
periodic basis and approved by ICE Clear Europe's board of directors 
annually.\15\
---------------------------------------------------------------------------

    \15\ 17 CFR 240.17 Ad-22(e)(3)(i).
---------------------------------------------------------------------------

    The Commission believes that the proposed revisions to the existing 
Outsourcing Policy not only would extend the scope of its application 
beyond traditional outsourcing arrangements to more comprehensively 
capture other types of service agreements with similar risks, but also 
would detail the factors against which risk assessments and contractual 
agreements are to be made and monitored, with existing relevant 
provisions for the Board's annual review of the Outsourcing Policy. As 
noted above, the new Risk Assessments subsection would require ICE 
Clear Europe to consider, among other things, whether the service is a 
critical or important function or a dependence to the delivery of one 
of ICE Clear Europe's services, whether the service relies on cloud-
based technology that may pose new or additional risks, conflicts of 
interest, and data security. Likewise, the newly added Contractual 
Agreements subsection requires such contracts address data security; 
access, audit and information rights; and incident management, among 
other things. Overall, these considerations touch upon the various 
risks that may emerge when contracting with affiliates or third parties 
for services and by addressing them in detail in the proposed revisions 
to the Outsourcing Policy, the Commission believes that ICE Clear 
Europe is strengthening its ability to identify, monitor, and measure 
the risks related to such arrangements.
    For these reasons, the Commission believes that the proposed rule 
change is consistent with Rule 17Ad-22(e)(3)(i).\16\
---------------------------------------------------------------------------

    \16\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

IV. Conclusion

    On the basis of the foregoing, the Commission finds that the 
proposed rule change is consistent with the requirements of the Act, 
and in particular, with the requirements of Section 17A(b)(3)(F) of the 
Act,\17\ and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(3)(i).\18\
---------------------------------------------------------------------------

    \17\ 15 U.S.C. 78q-1(b)(3)(F).
    \18\ 17 CFR 240.17Ad-22(e)(2)(i) and (v) and 17 CFR 240.17Ad-
22(e)(3)(i).

---------------------------------------------------------------------------

[[Page 64957]]

    It is therefore ordered pursuant to Section 19(b)(2) of the Act 
\19\ that the proposed rule change (SR-ICEEU-2023-018), be, and hereby 
is, approved.\20\
---------------------------------------------------------------------------

    \19\ 15 U.S.C. 78s(b)(2).
    \20\ In approving the proposed rule change, the Commission 
considered the proposal's impact on efficiency, competition, and 
capital formation. 15 U.S.C. 78c(f).

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\21\
---------------------------------------------------------------------------

    \21\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2023-20306 Filed 9-19-23; 8:45 am]
BILLING CODE 8011-01-P


</pre></body>
</html>