Self-Regulatory Organizations; The Depository Trust Company; Fixed Income Clearing Corporation; National Securities Clearing Corporation; Notice of Filings of Proposed Rule Changes To Adopt the Clearing Agency Operational Risk Management Framework

DATE:

August 8, 2017.

Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934, as amended (“Act”) and Rule 19b-4 thereunder, notice is hereby given that on July 25, 2017, The Depository Trust Company (“DTC”), Fixed Income Clearing Corporation (“FICC”), and National Securities Clearing Corporation (“NSCC,” and together with DTC and FICC, the “Clearing Agencies”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule changes as described in Items I and II below, which Items have been prepared primarily by the Clearing Agencies. The Commission is publishing this notice to solicit comments on the proposed rule changes from interested persons.

I. Clearing Agencies' Statement of the Terms of Substance of the Proposed Rule Changes

The proposed rule changes would adopt the Clearing Agency Operational Risk Management Framework (“Framework”) of the Clearing Agencies, described below. The Framework would apply to both of FICC's divisions, the Government Securities Division (“GSD”) and the Mortgage-Backed Securities Division (“MBSD”). The Framework would be maintained by the Clearing Agencies to support their compliance with Rule 17Ad-22(e)(17) under the Act, as described below.

Although the Clearing Agencies would consider the Framework to be a rule, the proposed rule changes do not require any changes to the Rules, By-laws and Organization Certificate of DTC (“DTC Rules”), the Rulebook of GSD (“GSD Rules”), the Clearing Rules of MBSD (“MBSD Rules”), or the Rules & Procedures of NSCC (“NSCC Rules”), as the Framework would be a standalone document.

II. Clearing Agencies' Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Changes

In their filings with the Commission, the Clearing Agencies included statements concerning the purpose of and basis for the proposed rule changes and discussed any comments they received on the proposed rule changes. The text of these statements may be examined at the places specified in Item IV below. The Clearing Agencies have prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements.

(A) Clearing Agencies' Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Changes

1. Purpose

The Clearing Agencies are proposing to adopt the Framework, which would describe the manner in which each of the Clearing Agencies manages operational risk, which is defined by the Clearing Agencies in the Framework as the risk of direct or indirect loss or reputational harm resulting from an event, internal or external, that is the result of inadequate or failed processes, people, and systems (“Operational Risk”). As described in more detail below, the Framework would set forth the manner in which the Clearing Agencies (1) generally manage Operational Risk; (2) more specifically manage their information technology risks; and (3) more specifically manage their business continuity risks. The processes and systems described in the Framework, and any policies, procedures or other documents created to support those processes, support the Clearing Agencies' compliance with the requirements of Rule 17Ad-22(e)(17). The Framework would be maintained by the DTCC Operational Risk Management group (“ORM”), on behalf of the Clearing Agencies.

Operational Risk Management

The Framework would describe how the Clearing Agencies generally manage their Operational Risks. The Framework would describe how ORM is specifically charged with establishing appropriate systems, policies, procedures, and controls to enable management to identify plausible sources of Operational Risk in order to mitigate their impact to the Clearing Agencies, including through the Risk Tolerance Statements and Risk Profiles, as described below.

The Framework would describe how the Clearing Agencies identify key risks and set metrics to categorize such risks (from “no impact” to “severe impact”) through “Risk Tolerance Statements.” The Framework would describe how the Risk Tolerance Statements document the overall risk reduction or mitigation objectives for the Clearing Agencies with respect to identified risks to the Clearing Agencies. The Framework would also describe how the Risk Tolerance Statements document the risk controls and other measures used to manage such identified risks, including escalation requirements in the event of risk metric breaches. The Framework would state that each Risk Tolerance Statement is reviewed, revised, updated, and/or created, as necessary, by ORM on an annual basis.

The Framework would also describe how the Clearing Agencies monitor key risks, including Operational Risk, through “Risk Profiles,” which document the assessment of risk for each of the Clearing Agencies' businesses and support areas (each a “Clearing Agency Business” and/or “Clearing Agency Support Area”). The risk assessment documented in these profiles includes (1) identification and assessment of inherent risk, which is risk without any mitigating controls; (2) identification of existing controls, and, as appropriate, any new additional controls, and evaluation of the same risk against the strength of such controls; and (3) identification of any residual risk and a determination to either further mitigate such risk or accept such risk by the applicable Clearing Agency Business or Clearing Agency Support Area.

The Framework would also provide a description of the responsibilities of ORM, which is a part of the second line of defense within the Clearing Agencies' Three Lines of Defense approach to risk management. The Framework would identify some of those responsibilities as including, for example, management of the Risk Tolerance Statements and working with the Clearing Agency Businesses and Clearing Agency Support Areas to create and monitor Risk Profiles.

Information Technology Risk

The Framework would describe how the Clearing Agencies address information technology risks. The Framework would state that the DTCC Technology Risk Management group (“TRM”), on behalf of the Clearing Agencies, is responsible for establishing appropriate programs, policies, procedures, and controls with respect to the Clearing Agencies' information technology risks to help management ensure that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity. The Framework would identify some of the recognized information technology standards that may be used by TRM, as applicable, in support of executing its responsibilities.

The Framework would also identify some of TRM's responsibilities, which include, for example, (1) performing risk assessments to, among other things, facilitate the determination of the Clearing Agencies' investment and remediation priorities; (2) facilitating annual mandatory and periodic information security awareness, education, training, and communication to personnel of Clearing Agency Businesses and Clearing Agency Support Areas and relevant external parties; and (3) creating, implementing, and managing certain programs, including programs that (i) address information security throughout a system's lifecycle, (ii) facilitate compliance with evolving and established regulatory rules and guidelines that govern protection of the information assets of the Clearing Agencies and their participants, (iii) identify, prioritize, and manage the level of cyber threats to the Clearing Agencies, and (iv) assure that access to Clearing Agency information assets is appropriately authorized and authenticated based on current business need.

The Framework would state that TRM's risk strategy is closely aligned to the Clearing Agencies' business drivers and future strategic direction, such that efforts to achieve information security threat mitigation objectives, resiliency of infrastructure supporting Clearing Agency critical business applications, and operational reliability are prioritized. The Framework would state this is also accomplished through TRM's early and consistent involvement in initiatives to develop new products and systems. The Framework would state that, by involving TRM from the initial planning phase, through the design, build and operative phases of those initiatives, resiliency, operational effectiveness, reliability, and availability requirements are addressed and incorporated into design and execution from both a technology and cyber security perspective.

The Framework would also describe the Clearing Agencies' security strategy and defense, and would state that the Clearing Agencies' network security framework and preventive controls are designed to support a reliable and robust tiered security strategy and defense. These controls include modern and technically advanced security firewalls, intrusion detection, system and data monitoring, and data protection tools. The Framework would describe the Clearing Agencies' enhanced security features and the standards they use to assess vulnerabilities and potential threats.

Business Continuity Risk

Finally, the Framework would describe how the Clearing Agencies have established and maintain business continuity plans to address events that may pose a significant risk of disrupting their operations. The Framework would describe how the business continuity process for each Clearing Agency Business and Clearing Agency Support Area is ranked within a range of tiers, from 0 to 5, based on criticality to each applicable Clearing Agency's operations (each a “Tier”), where Tier 0 equates to critical operations or support of such operations for which virtually no downtime is permitted under applicable regulatory standards, and Tier 5 equates to non-essential operations or support of such operations for which recovery times of greater than five days is permitted.

The Framework would state that, on an annual basis, each Clearing Agency Business and Clearing Agency Support Area updates its own business continuity plan and reviews and ratifies its business impact analysis. These analyses are used by the DTCC Business Continuity Management department (“BCM”), on behalf of the Clearing Agencies, to validate that business' or area's current Tier ranking. The Framework would identify the key elements of these business impact analyses, which include (1) an assessment of the criticality of the applicable Clearing Agency Business or Clearing Agency Support Area, based on potential impact to the Clearing Agency; (2) an estimation of the maximum allowable downtime for the applicable Clearing Agency Business or Clearing Agency Support Area; and (3) the identification of dependencies, and ranking such dependencies to align with the process criticality for recovery, of the applicable Clearing Agency Business or Clearing Agency Support Area.

The Framework would describe the Clearing Agencies' multiple data centers, and the emergency monitoring and back up systems available at each site. The Framework would describe the capacity of the various data centers. The Framework would also describe the Clearing Agencies' operating centers, and would describe how each Clearing Agency Business and Clearing Agency Support Area creates and deploys its own work area recovery strategy to mitigate the loss of primary workspace and/or associated desktop technology, as well as for purposes of social distancing among personnel. The Framework would describe how each of these work area recovery strategies is developed and executed, based on the applicable Clearing Agency Business' and Clearing Agency Support Area's current Tier ranking, as described above.

The Framework would describe the responsibilities of BCM in managing a disruptive business event, which includes coordination with a team of representatives from each Clearing Agency Business and Clearing Agency Support Area. Finally, the Framework would describe how the Clearing Agencies conduct regular exercises used to simulate loss of Clearing Agency locations, and would describe some of the preventive measures the Clearing Agencies take with respect to business continuity risk management.

2. Statutory Basis

The Clearing Agencies believe that the proposed rule changes are consistent with the requirements of the Act and the rules and regulations thereunder applicable to a registered clearing agency. In particular, the Clearing Agencies believe that the Framework is consistent with Section 17A(b)(3)(F) of the Act and the subsections cited below of Rule 17Ad-22(e)(17), promulgated under the Act, for the reasons described below.

Section 17A(b)(3)(F) of the Act requires, in part, that the rules of a registered clearing agency be designed to promote the prompt and accurate clearance and settlement of securities transactions, and to assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible. As described above, the Framework would describe how the Clearing Agencies manage their Operational Risk, technology and information security risks, and their business continuity risks. The processes, systems, and controls used by the Clearing Agencies to identify, manage, and mitigate these risks, as described in the Framework, and the policies and procedures that support these activities, assist the Clearing Agencies to continue the prompt and accurate clearance and settlement of securities transactions and continue to assure the safeguarding of securities and funds which are in their custody or control or for which they are responsible notwithstanding the realization of these risks. Therefore, the Clearing Agencies believe the Framework is consistent with the requirements of Section 17A(b)(3)(F) of the Act.

The Clearing Agencies believe that the Framework is consistent with the requirements of each of the subsections of Rule 17Ad-22(e)(17), cited below, for the reasons described below.

Rule 17Ad-22(e)(17)(i) under the Act requires, in part, that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls. The Framework would describe how the Risk Tolerance Statements and the Risk Profiles both assist the Clearing Agencies to identify the plausible sources of Operational Risk, both internal and external. As described above, the Risk Tolerance Statements identify both internal and external Clearing Agency risks, categorize the respective Clearing Agencies' tolerance for those risks, and then identify governance process applicable to any breach of those tolerances. In this way, the Risk Tolerance Statements allow the Clearing Agencies to identify and manage the risks they face. As described above, the Risk Profiles serve a similar function, by serving as a tool for identifying and assessing inherent risks, and evaluating the controls around those risks. The Framework also describes the role of ORM, which includes oversight of the Risk Tolerance Statements and Risk Profiles. By describing the functions of the Risk Tolerance Statements and Risk Profiles, which, together, assist the Clearing Agencies in effectively managing their operational risks by identifying the plausible sources of operational risk, both internal and external, and by assisting the Clearing Agencies in mitigating the impact of those risks, and by describing the role of ORM in facilitating these tools, the Clearing Agencies believe the Framework is consistent with the requirements of Rule 17Ad-22(e)(17)(i).

Rule 17Ad-22(e)(17)(ii) under the Act requires, in part, that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by ensuring that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity. The Framework would describe the role, and some of the responsibilities, of TRM, in managing the Clearing Agencies' information technology risks and in helping the Clearing Agencies maintain systems with a high degree of security, resiliency, operational reliability, and adequate, scalable capacity. The Framework would also describe the programs, systems, and controls used by TRM in performing this function, and would identify some of the standards on information technology risk management that may be used by TRM in support of its responsibilities. The Framework would also describe TRM's role in product and project initiatives to address security issues through the lifecycle of an initiative. Therefore, by describing the role and responsibilities of TRM in managing the Clearing Agencies' information technology risks and in helping the Clearing Agencies maintain systems with a high degree of security, resiliency, operational reliability, and adequate, scalable capacity, the Clearing Agencies believe the Framework is consistent with the requirements of Rule 17Ad-22(e)(17)(ii).

Rule 17Ad-22(e)(17)(iii) under the Act requires, in part, that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by establishing and maintaining a business continuity plan that addresses events posing a significant risk of disrupting operations. The Framework would describe how the Clearing Agencies have established and maintain business continuity plans, and would describe the critical features of those plans to demonstrate how such plans address events posing a significant risk of disrupting the Clearing Agencies' operations. The Framework would also describe how each Clearing Agency Business and Clearing Agency Support Area reviews and ratifies its respective plan and its business impact analysis, relative to its assigned Tier. Therefore, through this description of the establishment, management and maintenance of the business continuity plans of the Clearing Agencies, the Clearing Agencies believe the Framework is consistent with the requirements of Rule 17Ad-22(e)(17)(iii).

(B) Clearing Agencies' Statement on Burden on Competition

None of the Clearing Agencies believe that the Framework would have any impact, or impose any burden, on competition because the proposed rule changes reflect some of the existing methods by which the Clearing Agencies manage Operational Risk, including their management of information technology and business continuity risks, and would not effectuate any changes to the Clearing Agencies' processes described therein as they currently apply to their respective participants.

(C) Clearing Agencies' Statement on Comments on the Proposed Rule Changes Received From Members, Participants, or Others

The Clearing Agencies have not solicited or received any written comments relating to this proposal. The Clearing Agencies will notify the Commission of any written comments received by the Clearing Agencies.

III. Date of Effectiveness of the Proposed Rule Changes, and Timing for Commission Action

Within 45 days of the date of publication of this notice in the Federal Register or within such longer period up to 90 days (i) as the Commission may designate if it finds such longer period to be appropriate and publishes its reasons for so finding or (ii) as to which the clearing agency consents, the Commission will:

(A) By order approve or disapprove such proposed rule changes, or

(B) institute proceedings to determine whether the proposed rule changes should be disapproved.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rule changes are consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's Internet comment form ( http://www.sec.gov/rules/sro.shtml ); or
• Send an email to rule-comments@sec.gov. Please include File Number SR-DTC-2017-014, SR-FICC-2017-017, or SR-NSCC-2017-013 on the subject line.

Paper Comments

• Send paper comments in triplicate to Secretary, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549.

All submissions should refer to File Number SR-DTC-2017-014, SR-FICC-2017-017, or SR-NSCC-2017-013. One of these file numbers should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site ( http://www.sec.gov/rules/sro.shtml ). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule changes that are filed with the Commission, and all written communications relating to the proposed rule changes between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for Web site viewing and printing in the Commission's Public Reference Room, 100 F Street NE., Washington, DC 20549 on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of the filing also will be available for inspection and copying at the principal office of the Clearing Agencies and on DTCC's Web site ( http://dtcc.com/legal/sec-rule-filings.aspx ). All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number SR-DTC-2017-014, SR-FICC-2017-017, or SR-NSCC-2017-013 and should be submitted on or before September 5, 2017.