Federal & State Lawfederalstatelaw.com
Home/Federal/Federal Register/2026-10833
Notice2026-10833

Self-Regulatory Organizations; CME Securities Clearing Inc.; Order Approving Proposed Rule Change to Establish the CME Securities Clearing Inc. Enterprise Risk Management Framework

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
June 1, 2026

Issuing agencies

Securities and Exchange Commission

Full Text

<html>
<head>
<title>Federal Register, Volume 91 Issue 104 (Monday, June 1, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 104 (Monday, June 1, 2026)]
[Notices]
[Pages 32464-32467]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-10833]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-105561; File No. SR-CMESC-2026-003]


Self-Regulatory Organizations; CME Securities Clearing Inc.; 
Order Approving Proposed Rule Change to Establish the CME Securities 
Clearing Inc. Enterprise Risk Management Framework

May 27, 2026.

I. Introduction

    On April 1, 2026, CME Securities Clearing Inc. (``CMESC'') filed 
with the Securities and Exchange Commission (``Commission'') proposed 
rule change SR-CMESC-2026-003, pursuant to Section 19(b)(1) of the 
Securities Exchange Act of 1934 (the ``Act'') \1\ and Rule 19b-4 
thereunder.\2\ The proposed rule change would establish a new 
Enterprise Risk Management Framework (``ERMF'') to identify, assess, 
mitigate, and monitor enterprise risks. The proposed rule change was 
published for comment in the Federal Register on April 17, 2026.\3\ The 
Commission has received no comments on the changes proposed. For the 
reasons discussed below, the Commission is approving the proposed rule 
change.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Securities Exchange Act Release No. 114433 (Apr. 14, 2026), 
91 FR 20179 (Apr. 17, 2026) (File No. SR-CMESC-2026-003) (``Notice 
of Filing'').
---------------------------------------------------------------------------

II. Background

    On December 1, 2025, the Commission approved CMESC's application 
for registration as a clearing agency to provide central counterparty 
services for U.S. Treasury Securities.\4\ As a part of its application, 
CMESC submitted a Risk Management Framework (``RMF''). CMESC states 
that the RMF is designed to identify, measure, monitor, and manage the 
range of risks that arise in or are borne by the covered clearing 
agency, consistent with Rule 17ad-22(e)(3).\5\ The RMF refers to 
CMESC's Enterprise Risk Management Framework (``ERMF''). However, the 
ERMF was not included as part of CMESC's application.\6\
---------------------------------------------------------------------------

    \4\ Securities Exchange Act Release No. 104281 (Dec. 1, 2025), 
90 FR 55926 (Dec. 4, 2025).
    \5\ Notice of Filing, supra note 3, at 20719; see also 17 CFR 
240.17ad-22(e)(3).
    \6\ See Notice of Filing, supra note 3, at 20719.
---------------------------------------------------------------------------

III. Description of the Proposed Rule Change

    The proposed rule change would establish the ERMF to enhance 
CMESC's enterprise risk management policies. CMESC states that the ERMF 
is designed to work cohesively with the RMF to identify, assess, and 
manage the potential risks that may affect CMESC's operations and 
services.\7\ The ERMF contains a preamble describing its general 
purpose and applicability to all CMESC personnel.\8\ Additionally, as 
discussed more fully below, the proposed ERMF describes the: (1) ERMF's 
governance framework; (2) process through which the ERMF determines the 
universe of risks CMESC may face (``Risk Universe''); and (3) ``ERM 
Lifecycle,'' which includes components regarding (i) the aggregate 
amount of residual risk CMESC is willing to accept in a given risk 
category before taking action to reduce such risk (``Risk Appetite''), 
(ii) the acceptable boundary of risk CMESC is willing to accept in 
pursuit of its business objectives (``Risk Tolerance''), (iii) CMESC's 
risk assessment mechanism, (iv) CMESC's risk response methodology, and 
(v) the risk monitoring and reporting process to monitor the ERM 
program's adequacy.\9\
---------------------------------------------------------------------------

    \7\ Id.
    \8\ See Notice of Filing, supra note 3, at 20720.
    \9\ See Notice of Filing, supra note 3, at 20720-21.

---------------------------------------------------------------------------

[[Page 32465]]

A. Governance

    The proposed ERMF includes a section describing its governance 
framework.\10\ Specifically, the ERMF would be maintained by CMESC's 
Compliance and ERM team, which supports CMESC's Chief Compliance 
Officer (``CCO'') in implementing the ERMF.\11\ On at least an annual 
basis, the CCO would recommend the ERMF for review to CMESC's Risk 
Management Committee, which would subsequently recommend the ERMF to 
CMESC's Board (``Board'') for approval.\12\ Any substantive changes 
outside of the annual review process would similarly require review and 
approval by CMESC's Risk Management Committee, and changes with a 
significant impact on CMESC's risk profile would require Board 
approval.\13\
---------------------------------------------------------------------------

    \10\ See Notice of Filing, supra note 3, at 20720.
    \11\ Id.
    \12\ Id.
    \13\ Id.
---------------------------------------------------------------------------

    The proposed ERMF also provides a description of the Board's 
oversight of overall risk management at CMESC, supported by various 
committees and individuals with powers delegated by the Board.\14\
---------------------------------------------------------------------------

    \14\ Id.
---------------------------------------------------------------------------

B. Risk Universe

    The proposed ERMF includes a section describing how CMESC would 
evaluate and monitor the risks it may face.\15\ Specifically, CMESC 
would identify its ``Risk Universe'' by aligning identified risks with 
enterprise risk categories and sub-risk categories assigned with risk 
owners responsible for assessing and monitoring potential threats to 
CMESC and risk impacts on CMESC's business objectives.\16\ The 
enterprise risk categories (initially consisting of Financial 
Resources, Operations, Regulatory Compliance, and Service Provider 
risks) are the highest level of risk aggregation and would be subject 
to Board oversight.\17\ The sub-risk categories would further classify 
risks into more detailed groups designed to identify the specific 
processes underlying each enterprise risk category.\18\
---------------------------------------------------------------------------

    \15\ Id.
    \16\ Id.
    \17\ Id.
    \18\ Id.
---------------------------------------------------------------------------

C. ERM Lifecycle

    The proposed ERMF discusses the components of CMESC's risk 
management lifecycle.\19\ The proposed ERMF defines ``Risk Appetite'' 
as ``the aggregate amount of residual risk, on a broad level, CMESC is 
willing to accept in any given category in pursuit of its strategic 
objectives before additional action is deemed necessary to reduce the 
risk.'' \20\ The proposed ERMF describes the five-point risk rating 
system CMESC would use to develop guidance or parameters on the level 
of risk exposure CMESC is willing to accept regarding specific 
enterprise risk categories and sub-risk categories within the Risk 
Universe.\21\
---------------------------------------------------------------------------

    \19\ See Notice of Filing, supra note 3, at 20720-21.
    \20\ See Notice of Filing, supra note 3, at 20720.
    \21\ Id.
---------------------------------------------------------------------------

    The proposed ERMF defines ``Risk Tolerance'' as ``the acceptable 
boundary of risk that CMESC is willing to accept in pursuit of its 
business objectives and to ensure that those boundaries are not 
breached.'' \22\ The ERMF describes Risk Tolerance as the quantitative 
and tactical counterpart to Risk Appetite.\23\ CMESC would evaluate 
whether risks are within its Risk Tolerance levels by monitoring key 
risk indicators (``KRIs''), which are metrics designed to provide an 
early signal of potential increasing risk exposure, allowing CMESC to 
take corrective action to maintain risks within the tolerance 
levels.\24\ KRIs are tied to a tiered escalation protocol for the 
action required, ranging from ongoing monitoring to reporting and 
escalation to the Board.\25\
---------------------------------------------------------------------------

    \22\ Id.
    \23\ Id.
    \24\ Id.
    \25\ Id.
---------------------------------------------------------------------------

    The proposed ERMF describes CMESC's risk assessment mechanism, 
which would be used to identify, aggregate, and quantify risks, and to 
determine the appropriate response to mitigate, monitor, and reduce 
risks.\26\ The proposed ERMF differentiates inherent risks (i.e., the 
level of risk absent any controls) from residual risks (i.e., the level 
of risk after accounting for compensating controls), and identifies the 
timing of risk assessments for each type of risk.\27\ Specifically, 
inherent risk assessments would be performed annually, whereas residual 
risk assessments would be performed on a quarterly basis.\28\ CMESC 
states that residual risk assessments would be more frequent because 
they are designed to ensure the internal control environment remains 
responsive to emerging threats and the residual risk profile aligns 
with CMESC's Risk Appetite.\29\ Residual risk assessment requires risk 
owners and senior CMESC management to identify risks in their areas of 
responsibility and to implement appropriate qualitative and 
quantitative measures to evaluate, prioritize, and manage risk.\30\ The 
proposed ERMF also describes the concept of ``risk outlook,'' which 
CMESC considers within the context of making risk assessments.\31\ Risk 
outlook represents the expected forward-looking trend for the risk over 
the upcoming 12-month period and is used to show increasing, elevated, 
stable or decreasing risk to CMESC.\32\ The proposed ERMF describes 
control testing that would be conducted to assess the design and 
effectiveness of CMESC's internal controls and CMESC's monitoring of 
service providers to assess third-party risk.\33\ Control testing 
results would be used to determine the effectiveness of a given control 
and inform the assessment of the overall level of residual risk.\34\ An 
annual control testing schedule would be established using a risk-based 
approach, where the frequency of testing is determined by the sum of 
factors essential to a control's significance in reducing residual 
risk.\35\
---------------------------------------------------------------------------

    \26\ See Notice of Filing, supra note 3, at 20721.
    \27\ Id.
    \28\ Id.
    \29\ Id.
    \30\ Id.
    \31\ Id.
    \32\ Id.
    \33\ Id.
    \34\ Id.
    \35\ Such factors would include, for example, the inherent risk 
rating of the risk category the control is mitigating, the extent 
that the control is manual or automated, nature, critically and 
complexity of the control, frequency at which the control is 
applied, and whether it directly fulfills a CMESC regulatory 
requirements. See id.
---------------------------------------------------------------------------

    The proposed ERMF describes CMESC's risk response methodology for 
evaluating options and identifying actions to enhance opportunities and 
reduce risks associated with the pursuit of business objectives.\36\ 
The risk response methodology would be used by risk owners to 
facilitate determining the appropriate strategy for maintaining risks 
within the acceptable Risk Appetite.\37\ The proposed ERMF discusses 
various strategies to mitigate, transfer, or accept risk, and 
establishes that once strategies are identified, a four-point 
methodology would be used to prioritize the specific response.\38\ The 
proposed ERMF also describes the process for reporting, approving, and 
remediating a risk that CMESC determines exceeds its Risk Appetite.\39\
---------------------------------------------------------------------------

    \36\ Id.
    \37\ Id.
    \38\ Id.
    \39\ Id.
---------------------------------------------------------------------------

    Finally, the proposed ERMF describes the risk monitoring and 
reporting process to monitor the ERM program's adequacy.\40\ Risk 
monitoring includes overall governance and ongoing validation efforts, 
such as control testing

[[Page 32466]]

and audit assurance designed to ensure that risk taking is aligned with 
CMESC's strategic objectives and Risk Appetite.\41\ Risk reporting 
includes collating ongoing risk assessments into quarterly reports to 
senior CMESC management.\42\
---------------------------------------------------------------------------

    \40\ Id.
    \41\ Id.
    \42\ Id.
---------------------------------------------------------------------------

IV. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act \43\ directs the Commission to 
approve a proposed rule change of a self-regulatory organization if it 
finds that such proposed rule change is consistent with the 
requirements of the Act and rules and regulations thereunder applicable 
to such organization. After carefully considering the proposed rule 
change, the Commission finds that the proposed rule change is 
consistent with the requirements of the Act and the rules and 
regulations thereunder applicable to CMESC. In particular, the 
Commission finds that the proposed rule change is consistent with 
Sections 17A(b)(3)(F) of the Act,\44\ Rule 17ad-22(e)(2),\45\ and Rule 
17ad-22(e)(3).\46\
---------------------------------------------------------------------------

    \43\ 15 U.S.C. 78s(b)(2)(C).
    \44\ 15 U.S.C. 78q-1(b)(3)(F).
    \45\ 17 CFR 240.17ad-22(e)(2).
    \46\ 17 CFR 240.17ad-22(e)(3).
---------------------------------------------------------------------------

A. Consistency With Section 17A(b)(3)(F) of the Act

    Section 17A(b)(3)(F) of the Act requires, in part, that the rules 
of a clearing agency be designed to promote the prompt and accurate 
clearance and settlement of securities transactions and assure the 
safeguarding of securities and funds which are in the custody or 
control of the clearing agency or for which it is responsible.\47\
---------------------------------------------------------------------------

    \47\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    As described above in Section III, CMESC proposes to establish the 
ERMF, which would describe: (1) the ERMF governance framework; (2) 
CMESC's Risk Universe; and (3) the ERM Lifecycle, which includes 
components regarding CMESC's Risk Appetite, Risk Tolerance, Risk 
Assessment, Risk Response, and Risk Monitoring and Reporting. The ERMF 
would enhance CMESC's risk management by establishing risk management 
policies enabling CMESC to identify potential events that may affect 
CMESC, manage and report on the associated risks, and reasonably assure 
that risks are managed in accordance with CMESC's Risk Appetite.
    Adopting a more robust risk management framework should enhance 
CMESC's ability to better identify, assess, and mitigate potential 
risks that may impact its operations, reducing the likelihood of 
disruptions to its clearance and settlement services and thereby 
promoting the prompt and accurate clearance and settlement of 
securities transactions, consistent with Section 17A(b)(3)(F) of the 
Act.\48\ Additionally, a more robust risk management framework should 
provide greater assurance that the securities and funds in CMESC's 
custody or control are safeguarded against potential losses, consistent 
with Section 17A(b)(3)(F) of the Act.\49\
---------------------------------------------------------------------------

    \48\ Id.
    \49\ Id.
---------------------------------------------------------------------------

    Accordingly, for the reasons stated above, the proposed rule change 
is consistent with Section 17A(b)(3)(F) of the Act.\50\
---------------------------------------------------------------------------

    \50\ Id.
---------------------------------------------------------------------------

B. Consistency With Rule 17ad-22(e)(2)

    Rule 17ad-22(e)(2) under the Act requires that a covered clearing 
agency establish, implement, maintain and enforce written policies and 
procedures reasonably designed to provide for governance arrangements 
that clearly prioritize the safety and efficiency of the covered 
clearing agency, and specify clear and direct lines of 
responsibility.\51\
---------------------------------------------------------------------------

    \51\ 17 CFR 240.17ad-22(e)(2).
---------------------------------------------------------------------------

    As described above in Section III.A, the proposed ERMF's governance 
provisions establish clear reporting lines and accountability for the 
management of enterprise risk within CMESC's Risk Appetite. 
Furthermore, the governance structure around the maintenance of the 
ERMF itself provides for reviews on at least an annual basis.
    Additionally, as described above in Section III.C, the proposed 
ERMF includes a risk monitoring and reporting process to monitor the 
ERM program's adequacy. Establishing clear reporting lines and 
accountability should enhance efficiency and increase safety by 
providing oversight and aligning identified enterprise risks with risk 
owners responsible for assessing and monitoring potential threats. 
Annual maintenance reviews of the ERMF and the monitoring process for 
the ERM program's adequacy should proactively ensure that the 
protections are current and robust. These provisions therefore should 
prioritize safety and efficiency and specify direct lines of 
responsibility.\52\
---------------------------------------------------------------------------

    \52\ Id.
---------------------------------------------------------------------------

    Accordingly, for the reasons stated above, the proposed rule change 
is consistent with Rule 17ad-22(e)(2).\53\
---------------------------------------------------------------------------

    \53\ Id.
---------------------------------------------------------------------------

C. Consistency With Rule 17ad-22(e)(3)

    Rule 17ad-22(e)(3) under the Act requires, in part, that a covered 
clearing agency establish, implement, maintain and enforce written 
policies and procedures reasonably designed to maintain a sound risk 
management framework for comprehensively managing legal, credit, 
liquidity, operational, general business, investment, custody, and 
other risks that arise in or are borne by the covered clearing agency, 
which includes risk management policies, procedures, and systems 
designed to identify, measure, monitor, and manage the range of risks 
that arise in or are borne by the covered clearing agency, that are 
subject to review on a specified periodic basis and approved by the 
Board annually.\54\
---------------------------------------------------------------------------

    \54\ 17 CFR 240.17ad-22(e)(3)(i).
---------------------------------------------------------------------------

    As described above in Section III, CMESC proposes to establish the 
ERMF, which would describe: (1) the ERMF governance framework; (2) 
CMESC's Risk Universe; and (3) the ERM Lifecycle, which includes 
components regarding CMESC's Risk Appetite, Risk Tolerance, Risk 
Assessment, Risk Response, and Risk Monitoring and Reporting. 
Specifically, the Risk Universe provisions of the proposed ERMF 
describe how CMESC would identify the risks it faces by classifying 
them into categories and sub-categories. Additionally, the ERM 
Lifecycle provisions of the proposed ERMF describe how CMESC would 
determine its Risk Appetite, Risk Tolerance, Risk Assessment, and Risk 
Response methodologies, designed to enable CMESC to develop strategies 
to mitigate, transfer, or accept risks. These measures constitute 
policies, procedures, and systems that are designed to identify, 
measure, monitor, and manage the range of risks that arise in or are 
borne by CMESC.\55\
---------------------------------------------------------------------------

    \55\ Id.
---------------------------------------------------------------------------

    The proposed ERMF's governance provisions, described above in 
Section III.A, and the proposed ERMF's Risk Monitoring and Reporting 
provisions, described above in Section III.C, provide that the ERMF 
would be subject to review on a specified periodic basis and approved 
by the Board on at least an annual basis.\56\
---------------------------------------------------------------------------

    \56\ Id.
---------------------------------------------------------------------------

    Accordingly, for the reasons stated above, the proposed rule change 
is consistent with Rule 17ad-22(e)(3).\57\
---------------------------------------------------------------------------

    \57\ Id.
---------------------------------------------------------------------------

V. Conclusion

    On the basis of the foregoing, the Commission finds that the 
proposed rule change is consistent with the requirements of the 
Exchange Act and in particular with the requirements

[[Page 32467]]

of Section 17A of the Exchange Act \58\ and the rules and regulations 
promulgated thereunder.
---------------------------------------------------------------------------

    \58\ 15 U.S.C. 78q-1.
---------------------------------------------------------------------------

    It is therefore ordered, pursuant to Section 19(b)(2) of the 
Exchange Act \59\ that proposed rule change SR-CMESC-2026-003 be, and 
hereby is, APPROVED.\60\
---------------------------------------------------------------------------

    \59\ 15 U.S.C. 78s(b)(2).
    \60\ In approving the proposed rule change, the Commission 
considered the proposals' impact on efficiency, competition, and 
capital formation. 15 U.S.C. 78c(f).

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\61\
---------------------------------------------------------------------------

    \61\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2026-10833 Filed 5-29-26; 8:45 am]
BILLING CODE 8011-01-P


</pre></body>
</html>
View on FederalRegister.gov →Plain-text source
Indexed from Federal Register on June 1, 2026.

This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.