[Federal Register Volume 87, Number 249 (Thursday, December 29, 2022)]
[Notices]
[Pages 80207-80211]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-28303]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-96566; File No. SR-OCC-2022-010]


Self-Regulatory Organizations; The Options Clearing Corporation; 
Order Granting Approval of Proposed Rule Change by The Options Clearing 
Corporation Concerning a Risk Management Framework and Corporate Risk 
Management Policy

December 22, 2022.

I. Introduction

    On September 6, 2022, the Options Clearing Corporation (``OCC'') 
filed with the Securities and Exchange Commission (``Commission'') the 
proposed rule change SR-OCC-2022-010 pursuant to Section 19(b) of the 
Securities Exchange Act of 1934 (``Exchange Act'') \1\ and Rule 19b-4 
\2\ thereunder. The proposed rule change would replace OCC's current 
Risk Management Framework Policy (``RMFP'') with two new documents: a 
revised Risk Management Framework (``RMF'') as well as a Corporate Risk 
Management Policy (``CRMP''). The proposed rule change was published 
for public comment in the Federal Register on September 26, 2022.\3\ On 
November 8, 2022, pursuant to Section 19(b)(2) of the Exchange Act,\4\ 
the Commission designated a longer period within which to approve the 
proposed rule change, disapprove the proposed rule change, or institute 
proceedings to determine whether to disapprove the proposed rule 
change.\5\ The Commission has received no comments regarding the 
proposed rule change. For the reasons discussed below, the Commission 
is approving the proposed rule change.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Securities Exchange Act Release No. 95842 (Sept. 20, 2022), 
87 FR 58409 (Sept. 26, 2022) (File No. SR-OCC-2022-010) (``Notice of 
Filing'').
    \4\ 15 U.S.C. 78s(b)(2).
    \5\ See Securities Exchange Act Release No. 96275 (Nov. 8, 
2022), 87 FR 68529 (Nov. 15, 2022) (File No. SR-OCC-2022-010).
---------------------------------------------------------------------------

II. Background 6
---------------------------------------------------------------------------

    \6\ Capitalized terms used but not defined herein have the 
meanings specified in OCC's Rules and By-Laws, available at https://www.theocc.com/about/publications/bylaws.jsp.
---------------------------------------------------------------------------

    OCC maintains several documents designed to define its framework 
for managing its various risks, including financial, legal, and 
operational risks. The RMFP describes OCC's risk management framework 
as summarizing its overall approach taken to identify, measure, 
monitor, and manage all risks faced by OCC in the provision of 
clearing, settlement, and risk management services. In addition to the 
RMFP, OCC's risk management documents include the Clearing Fund 
Methodology Policy, Collateral Risk Management Policy, Default 
Management Policy, Margin Policy, Model Risk Management Policy, 
Recovery and Orderly Wind-Down Plan, and Third-Party Risk Management 
Framework (collectively, the ``OCC Risk Policies''). These OCC Risk 
Policies are separate supporting documents containing details on how 
OCC's risk management framework is used and applied within OCC.
    OCC's RMFP describes, at a high level, OCC's framework for managing 
risk. After its routine review of its existing RMFP, OCC proposes to 
replace its RMFP with two new, more detailed documents, the RMF and 
CRMP, which it believes will enhance the clarity and transparency of 
its overall risk management framework.\7\
---------------------------------------------------------------------------

    \7\ See Notice of Filing, 87 FR 58409.
---------------------------------------------------------------------------

    Specifically, OCC proposes introducing the RMF to provide a broader 
overview of OCC's risk universe, including categorizations of risk 
management, descriptions of practices across OCC's three lines of 
defense model, a discussion of how OCC is prepared with tools to manage 
recovery and orderly wind-down, and a narrative about the requirements 
related to escalations of exceptions and deviations.
    Simultaneously, OCC proposes to introduce the CRMP as a separate 
policy because it is intended to support the RMF by providing more 
extensive details on OCC's corporate risk management and its practices. 
These details include enhanced descriptions of OCC's activities to 
identify, measure, monitor, manage, report, and escalate risks to 
inform decision-making. Furthermore, OCC proposes to move details of 
OCC's corporate risk management program to the CRMP in order to make 
OCC's approach to corporate risk consistent with other areas of risk 
managed by OCC.

[[Page 80208]]

A. The Risk Management Framework

    Overall, OCC is proposing to expand the level of detail provided in 
its rules describing OCC's framework for managing risk and is proposing 
several changes to the substance of the rules in its RMFP to the extent 
they would be moved to the proposed RMF, in an entirely new document. 
Among other things, the RMF generally encompasses the RMFP with the 
following changes that: (i) replace or update information; (ii) remove 
extraneous information; (iii) relocate information; or (iv) add rule 
text not currently found in the RMFP:
(i) RMF Changes that Replace or Update Information:
    1. Replace the purpose section of the RMFP with a new purpose 
section of the RMF and an introduction section of the CRMP that, 
collectively, would (i) reflect the reorganization of content across 
the two new documents and (ii) explain the purpose of and intention for 
each, as well as their place in OCC's overall framework for risk 
management.
    2. Modify the descriptions of OCC's risk appetite framework, 
including the risk universe, risk appetite, and risk tolerances, to be 
less detailed in the RMF than in the RMFP, while relocating the risk 
appetite framework detail and expanding it in the CRMP for a more 
extensive description overall. These changes include replacing the 
Identification of Key Risks section in the RMFP with a new OCC Risk 
Management section in the RMF, and expanded in the CRMP. Both of these 
changes are discussed in detail below.\8\
---------------------------------------------------------------------------

    \8\ See ``Additional Rule Text in the RMF not Currently Found in 
the RMFP,'' infra at II.A.(iv)1; ``Additional Rule Text in the CRMP 
not Currently Found in the RMFP,'' infra at II.B.(i)2.b.
---------------------------------------------------------------------------

    3. In the new RMF, revise the descriptions of the responsibilities 
of the Management Committee and working groups. The RMF would state 
that the Management Committee supports the management and conduct of 
its business in accordance with policy directives from the Board. The 
RMF would also state that the Management Committee includes officers 
responsible for ensuring that the Management Committee's actions and 
decisions are consistent with OCC's mission, Code of Conduct, Rules and 
By-Laws, policies, procedures, and general principles of sound 
corporate governance. The RMF would further state that the Management 
Committee would have explicitly-stated authority to form and delegate 
authority to subcommittees and working groups to conduct certain of the 
Management Committee's activities, and these subcommittees and working 
groups would be responsible for reporting and escalating information. 
These proposed descriptions vary from the corresponding RMFP 
descriptions that primarily relate to the Management Committee's role 
and responsibilities in reviewing and recommending changes to OCC's 
risk universe and escalating breaches to the Board.\9\
---------------------------------------------------------------------------

    \9\ As noted below, OCC proposes to provide a more detailed 
description in the CRMP of the Management Committee's role and 
responsibilities in reviewing and recommending changes to OCC's risk 
universe. See ``CRMP Governance Adjustments,'' infra at II.B.(ii)4.
---------------------------------------------------------------------------

    4. Replace the Credit Risk Management Framework section in the RMFP 
with proposed Membership Standards, Credit, Clearing Fund, Margin, 
Collateral, and Default Management sections in the RMF. These new 
sections of the RMF would refer to the same OCC Risk Policies that 
address these risks and are currently filed with the Commission as 
rules of OCC (e.g., the Margin Policy,\10\ Clearing Fund Methodology 
Policy,\11\ Collateral Risk Management Policy,\12\ Default Management 
Policy,\13\ and Third-Party Risk Management Framework \14\). There 
would be no change to the substance of these sections.
---------------------------------------------------------------------------

    \10\ See, e.g., Exchange Act Release No. 82355 (Dec. 19, 2017), 
82 FR 61058 (Dec. 26, 2017) (File No. SR-OCC-2017-007).
    \11\ See, e.g., Exchange Act Release No. 83735 (July 27, 2018), 
83 FR 37855 (Aug. 2, 2018) (File No. SR-OCC-2018-008).
    \12\ See, e.g., Exchange Act Release No. 82311 (Dec. 13, 2017), 
82 FR 60252 (Dec. 19, 2017) (File No. SR-OCC-2017-008).
    \13\ See, e.g., Exchange Act Release No. 82310 (Dec. 13, 2017), 
82 FR 60265 (Dec. 19, 2017) (File No. SR-OCC-2017-010).
    \14\ See, e.g., Exchange Act Release No. 90797 (Dec. 23, 2020), 
85 FR 86592 (Dec. 30, 2020) (File No. SR-OCC-2020-014).
---------------------------------------------------------------------------

    5. Revise the process for handling policy violations and 
exceptions. Currently, policy violations and exceptions are reviewed by 
OCC's Chief Executive Officer and Chief Compliance Officer, 
respectively. The proposed changes would instead escalate exceptions 
and risk acceptances to OCC's Corporate Risk group \15\ and to escalate 
policy deviations to its Compliance department.\16\
---------------------------------------------------------------------------

    \15\ The proposed CRMP details requirements related to risk 
reporting and escalation. See ``CRMP Governance Adjustments,'' infra 
at II.B.(ii)4.
    \16\ OCC is making similar changes broadly across policies, 
which have different levels of detail regarding exception handling, 
because it believes such changes would create consistency with this 
practice in their policies and procedures without requiring each to 
have its own individual policy exceptions and violations that need 
to be updated. See Notice of Filing, 87 FR at 58418.
---------------------------------------------------------------------------

    (ii) RMF Changes that Remove Extraneous Information:
    In connection with replacing the RMFP with the RMF and CRMP, OCC 
believes certain information would be rendered extraneous.\17\ 
Accordingly, OCC is proposing to remove such extraneous information 
currently found in the RMFP but will not replace it with equivalent 
sections in either the RMF or CRMP, including the following:
---------------------------------------------------------------------------

    \17\ OCC believes the information being removed from its rules 
to be extraneous. See Notice of Filing, 87 FR at 58411-58423.
---------------------------------------------------------------------------

    1. Delete the Context for Risk Management Framework and Risk 
Management Philosophy sections of the RMFP, as these provide history 
and background information about OCC that is covered elsewhere in the 
content that OCC proposes to migrate from the RMFP to the RMF and CRMP.
    2. Move the standalone RMFP section dedicated to the Compliance 
Risk Assessment program under the broader Compliance section of the 
RMF.\18\
---------------------------------------------------------------------------

    \18\ See Notice of Filing, 87 FR at 58417.
---------------------------------------------------------------------------

    3. Replace the Control Activities section of the RMFP with more 
general descriptions of Compliance's responsibilities under the RMF to 
clarify the department's responsibilities for management of compliance 
risk more succinctly.
    4. Delete the RMFP sections related to project management, 
corporate planning and budgeting, and Human Resources and Compliance 
Training and Policies that address administrative policies and 
practices.
    5. Remove the RMFP's Appendix: OCC's Key Risks with CCA, PFMI, and 
Reg SCI Mapping to remove detailed risk mapping from OCC high-level 
policy documents.\19\
---------------------------------------------------------------------------

    \19\ OCC's Corporate Risk group would continue to maintain and 
dynamically update the mapping, risks, and manner in which it 
defines the risks based on business and market factors. See Notice 
of Filing, 87 FR at 58418.
---------------------------------------------------------------------------

(iii) RMF Changes that Relocate Information
    The following changes involve relocating information contained in 
the RMFP by either moving it to new sections in the RMF or CRMP, or 
incorporating it into RMFP sections that are being moved over largely 
as-is:
    1. Relocate the Risk Management Governance section of the RMFP, 
with certain modifications, to a new Governance section of the RMF. The 
modifications would include streamlining the description of the 
responsibilities of the Board, which generally are already addressed in 
the Board of Directors Charter and Corporate Governance principles. The 
RMF Governance section would state that the Board is responsible for 
advising and overseeing management and that OCC's Chief Risk Officer

[[Page 80209]]

(``CRO'') would present a review of the RMF to the Board for approval 
at least annually. Further, OCC would streamline discussion of the 
Management Committee and working groups to be consistent with changes 
in responsibility discussed above.\20\
---------------------------------------------------------------------------

    \20\ Discussion of responsibilities related to the Management 
Committee's role and responsibilities in reviewing and recommending 
changes to OCC's risk universe, including risk appetites and 
tolerances, and escalating breaches to the Board would be moved to 
the CRMP. See, e.g., ``CRMP Governance Adjustments'' infra at 
II.B.(ii)4.
---------------------------------------------------------------------------

    2. Relocate the Risk Management Practice, Enterprise Risk 
Assessment program, and Risk Reporting sections from the RMFP to the 
CRMP, with the changes described below.\21\
---------------------------------------------------------------------------

    \21\ See Order Granting Approval infra ``CRMP Changes that Add 
Context'' at II.B.(i)2.a.
---------------------------------------------------------------------------

    3. Relocate the discussion of OCC's Scenario Analysis Program from 
the RMFP to the CRMP, with revisions designed to more accurately and 
completely describe the scenario analysis process.\22\
---------------------------------------------------------------------------

    \22\ Id.
---------------------------------------------------------------------------

(iv) Additional Rule Text in the RMF not Currently Found in the RMFP:
    1. Add new rule text describing the responsibilities of OCC 
employees to contain risk escalation reporting, consultations with 
Legal on legal and regulatory matters, and training on a culture of 
risk and control awareness. This new rule text would be located in the 
Governance section of the RMF.
    2. Include a discussion of OCC's ``three lines of defense'' model 
in the OCC Risk Management section of the RMF that would be similar to 
the discussion currently provided in the RMFP. OCC's three lines of 
defense model would remain unchanged, while the additional information 
proposed for the RMF would clarify who has ownership and accountability 
for risk management.
    3. Add text in a Security section stating that OCC's Security 
department manages information, physical, and personnel security risk 
to safeguard the confidentiality, integrity, and availability of 
corporate information systems and data assets implemented and 
maintained by Information Technology.
    4. Add a summary of OCC's Recovery and Orderly Wind-Down Plan to 
the RMF, in order to describe this aspect of OCC's risk management 
framework. The RMF would state that OCC employs a set of recovery tools 
in the event of severe financial, operational, or general business 
stress, to continue to provide critical clearing and settlement 
services. It would further state that OCC has a wind-down plan that 
provides for OCC's orderly resolution if it is determined that recovery 
efforts would be unsuccessful or insufficient.\23\
---------------------------------------------------------------------------

    \23\ See Notice of Filing, 87 FR at 58418.
---------------------------------------------------------------------------

B. The Corporate Risk Management Policy

    Among other things, the CRMP would contain some of the information 
in OCC's RMFP and expand upon certain topics by (i) adding rule text 
not currently found in the RMFP and (ii) introducing certain governance 
adjustments. Such changes would include the following:
(i) Additional Rule Text in the CRMP not Currently Found in the RMFP:
    1. Support the RMF by explaining OCC's risk management activities 
and provide an overview of the activities overseen by OCC's Corporate 
Risk group to identify, measure, monitor, manage, report, and escalate 
risks.
    2. As noted above,\24\ the CRMP would expand the discussion of 
OCC's risk appetite framework in the OCC Risk Management Practice 
section of the RMF.
---------------------------------------------------------------------------

    \24\ See ``RMF Changes that Replace or Update Information,'' 
supra II.A.(i)2.
---------------------------------------------------------------------------

    a. Other than the Compliance Risk Assessment,\25\ the information 
currently provided in the Risk Management Practice section of the RMFP 
would be moved as-is to the Risk Management Practice section of the 
CRMP and revised to more accurately and completely describe the risk 
assessment, monitoring, and reporting processes conducted by Corporate 
Risk. Specifically, the CRMP would include revised discussions of 
Enterprise Risk Assessments, the Scenario Analysis Program, and Risk 
Reporting to provide more detail about how these processes function, 
such as Corporate Risk's obligations, the quarterly results reporting 
duties of the CRO and the use of residual risk, risk tolerances, and 
risk warnings and associated reporting.
---------------------------------------------------------------------------

    \25\ As noted above, the substance of Compliance Risk Assessment 
section of the RMFP would now be addressed in the Compliance section 
of the RMF, and would not be part of the Risk Management Practice 
section of the RMF on which the CRMP expands.
---------------------------------------------------------------------------

    b. Modify the description of OCC's risk appetite framework as well 
as revise terminology in the risk universe, including changes to the 
Key Risks, Sub-Categories, and Definitions in the RMFP. In adopting the 
CRMP, OCC would remove the more general risk appetite statement 
definitions (i.e., no appetite, low appetite, moderate appetite, and 
high appetite), which are currently described in the RMFP, enabling OCC 
to use more detailed qualitative risk appetite statements for each risk 
sub-category. As a result, the CRMP describes OCC's risk universe 
terminology as being classified into: (i) risk categories, which are 
the highest-level groups of risk aggregation; (ii) risk sub-categories, 
which further classify risks within risk categories into detailed 
groups; and (iii) risk statements, which are descriptions of the 
drivers, events and consequences of risks. OCC believes that the 
proposed terms are better at describing the elements that comprise 
OCC's risk universe and the relationship between them.\26\
---------------------------------------------------------------------------

    \26\ See Notice of Filing, 87 FR at 58411.
---------------------------------------------------------------------------

    3. Describe Corporate Risk's process for escalating risks to the 
CRO, Management Committee, and Board, and for training employees about 
risk to support risk management and decision-making.
    4. Introduce the concept of risk rating scales, which reflect how 
large the effect of an event's occurrence would be and the likelihood 
of it occurring when considering a range of repercussions on OCC's 
business. The CRMP would state that the likelihood risk rating scale 
considers a 10-year financial cycle and yearly corporate planning 
activities, and they are used to measure both inherent and residual 
risk. Corporate Risk and Risk Owners would be required to review 
changes to the risk scales, and the CRO would approve them. The 
Management Committee and Board would be notified of changes to the risk 
rating scales.
(ii) CRMP Governance Adjustments:
    1. Transfer responsibility for maintaining inventory of all 
business processes, risks, and associated controls from Compliance to 
Corporate Risk. Revise descriptions related to risk assessment, 
monitoring, and reporting conducted by Corporate Risk to indicate 
Corporate Risk and Risk Owners would be required at least every twelve 
months to review the risk universe, risk tolerances, and risk appetites 
within established tolerances and make adjustments at a risk sub-
category level. This revision is a change from the RMFP because it 
requires Corporate Risk and Risk Owners to do the review instead of the 
Management Committee, and it requires these reviews at least every 
twelve months instead of at least annually.
    2. Introduce the concept of a risk universe, and state that the CRO 
has (i) authority to approve OCC's risk universe and (ii) an obligation 
to provide the risk universe to the Management Committee and the Board.

[[Page 80210]]

    3. Add new sections to provide additional details regarding OCC's 
processes for (i) monitoring qualitative or quantitative risk metrics 
as well as operational risk events, (ii) managing risks against OCC's 
tolerances and appetites, (iii) escalation, and (iv) training.
    4. Provide additional details around the internal governance 
process for reviewing and approving risk categories, appetites, and 
tolerances for monitoring risk tolerances. Corporate Risk would approve 
Risk statements, while it would notify the Management Committee and 
Board of updates.
    a. Risk appetites would be established at the risk subcategory 
level and the CRO and Management Committee would present them along 
with any changes to the Board, or to the Risk Committee if the Board 
has delegated such authority, for approval.
    b. The CRO would be responsible for escalating risk appetite 
breaches to the Management Committee, Risk Committee, and Board.
    c. Risk Owners would be responsible for developing risk treatment 
plans to reduce risks that exceed OCC's risk appetites.

C. Conforming Changes to OCC Risk Policies

    In addition to adopting the RMF and the CRMP, OCC proposes to make 
conforming changes to its OCC Risk Policies by replacing or removing 
references throughout that would become inaccurate (e.g., references to 
the RMFP) and removing the policy-specific references to exceptions and 
violations that would be uniformly covered by the new Risk Acceptance 
and Deviations section of the RMF.\27\ OCC also proposes to make 
administrative updates to cross-references to other internal OCC 
policies and procedures that would not affect the substance of OCC's 
rules.
---------------------------------------------------------------------------

    \27\ See ``RMF Changes that Replace or Update Information'' 
supra at II.A.(i)5.
---------------------------------------------------------------------------

III. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Exchange Act directs the Commission to 
approve a proposed rule change of a self-regulatory organization if it 
finds that such proposed rule change is consistent with the 
requirements of the Exchange Act and the rules and regulations 
thereunder applicable to such organization.\28\ After carefully 
considering the proposed rule change, the Commission finds that the 
proposal is consistent with the requirements of the Exchange Act and 
the rules and regulations thereunder applicable to OCC. More 
specifically, the Commission finds that the proposal is consistent with 
Section 17A(b)(3)(F) of the Exchange Act,\29\ Rules 17Ad-22(e)(2)(v) 
\30\, and Rule 17Ad-22(e)(3)(i) \31\ as described in detail below.
---------------------------------------------------------------------------

    \28\ 15 U.S.C. 78s(b)(2)(C).
    \29\ 15 U.S.C. 78q-1(b)(3)(F).
    \30\ 17 CFR 240.17Ad-22(e)(2)(v).
    \31\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

A. Consistency With Section 17A(b)(3)(F) of the Exchange Act

    Section 17A(b)(3)(F) of the Exchange Act requires, among other 
things, that a clearing agency's rules are designed to promote the 
prompt and accurate clearance and settlement of securities 
transactions.\32\
---------------------------------------------------------------------------

    \32\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    The Commission believes that the proposed changes strengthen and 
expand on the foundation of OCC's risk management policies, procedures, 
and systems that make up OCC's broader risk management framework. Among 
other things, the changes clarify lines of reporting and escalation, 
designate responsibility, and provide more transparency around updates 
while making the update process simpler. More specifically, the 
proposed changes both (i) streamline key risk concepts, such as policy 
exceptions to OCC's process for escalating exceptions and deviations to 
develop and mature without requiring individual section updates, and 
(ii) introduce concepts such as the risk rating scales. As a result, 
the Commission believes that the proposed replacement of the RMFP with 
the RMF and CRMP would strengthen OCC's risk management processes, 
which, in turn, would allow OCC to manage such risks in a comprehensive 
manner. The additional conforming changes to the OCC Risk Policies 
would also serve to enhance consistency across the documents comprising 
OCC's framework for managing risks. The comprehensive management of 
risk would reduce the likelihood of a failure or disruption of OCC in 
its role as central counterparty for the listed options.
    The Commission believes, therefore, that the proposal is consistent 
with the requirements of Section 17A(b)(3)(F) of the Exchange Act.

B. Consistency With Rule 17Ad-22(e)(2)(v) of the Exchange Act

    Rules 17Ad-22(e)(2)(v) requires that a covered clearing agency 
establish, implement, maintain and enforce written policies and 
procedures reasonably designed to provide for governance arrangements 
that specify clear and direct lines of responsibility.\33\
---------------------------------------------------------------------------

    \33\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------

    As described above in section II.B.(ii), the proposal contained in 
the Notice of Filing would replace the current RMFP with amended rules 
describing OCC's risk management and governance arrangements in the 
RMF, including the roles and responsibilities of the Board, Management 
Committee, and OCC's internal working groups. The CRMP would provide 
additional descriptions and requirements complementing the rules in the 
RMF by introducing concepts and governance details, including the CRO 
owning and approving the risk universe and then providing it to the 
Management Committee. Furthermore, the proposal would transfer 
responsibility for all business processes, risks, and associated 
controls from Compliance to Corporate Risk, which would also be 
responsible for monitoring, escalating, and training processes. 
Additionally, the proposed changes in the RMF and CRMP together would 
specify clearer lines of reporting, responsibility, and escalation, 
provide definitive update schedules, and create more streamlined set of 
documents requiring updates than are present in the RMF. The Commission 
believes these proposed changes would improve OCC's risk framework by 
presenting a clearer description of OCC's governance arrangements as 
they relate to the management of risk within OCC.
    The Commission believes, therefore, that the proposal is consistent 
with the requirements of Rule 17Ad-22(e)(2)(v) of the Exchange Act.\34\
---------------------------------------------------------------------------

    \34\ 17 CFR 240.17Ad-22(e)(2)(v).
---------------------------------------------------------------------------

C. Consistency With Rule 17Ad-22(e)(3)(i) Under the Exchange Act

    Rule 17Ad-22(e)(3) under the Exchange Act requires that a covered 
clearing agency establish, implement, maintain, and enforce written 
policies and procedures reasonably designed to maintain a sound risk 
management framework for comprehensively managing legal, credit, 
liquidity, operational, general business, investment, custody, and 
other risks that arise in or are borne by the covered clearing 
agency.\35\ Rule 17Ad-22(e)(3)(i) requires that such policies and 
procedures include risk management policies, procedures, and systems 
designed to identify, measure, monitor, and manage the range of risks 
that arise in or are borne by the covered clearing agency that are 
subject to review on a

[[Page 80211]]

specified periodic basis and approved by the board of directors 
annually.\36\
---------------------------------------------------------------------------

    \35\ 17 CFR 240.17Ad-22(e)(3)(i).
    \36\ 17 CFR 240.17Ad-22(e)(3)(i).
---------------------------------------------------------------------------

    The Commission previously found the OCC's RMFP, and subsequent 
revisions thereto, to be consistent with Rule 17Ad-22(e)(3)(i).\37\ As 
described above, the proposal contained in the Notice of Filing would 
replace OCC's RMFP with the RMF and CRMP. In replacing the RMFP, OCC 
proposes to (i) replace or update rules currently in the RMFP,\38\ (ii) 
remove information currently in the RMFP from OCC's rules,\39\ (iii) 
relocate rules from the RMFP to the RMF and CRMP,\40\ and (iv) add new 
rule text expanding on what exists in the RMFP.\41\ The Commission 
believes that, overall, the propose changes would maintain, clarify, 
and expand on OCC's framework for managing risk. Additionally, OCC 
proposes to make conforming changes to other policies that reference 
the RMFP.
---------------------------------------------------------------------------

    \37\ See Exchange Act Release No. 82232 (Dec. 7, 2017), 82 FR 
58662 (Dec. 13, 2017) (File No. SR-OCC-2017-005) (approving adoption 
of the RMFP). See also, e.g., Exchange Act Release No. 90797 (Dec. 
23, 2020), 85 FR 86592 (Dec. 30, 2020) (File No. SR-OCC-2020-014) 
(approving changes to the RMF related to the adoption of Third-Party 
Risk Management Framework).
    \38\ See supra sections II.A.(i).
    \39\ See supra sections II.A.(ii).
    \40\ See supra sections II.A.(iii).
    \41\ See supra sections II.A.(iv), II.B.(i).
---------------------------------------------------------------------------

    As described above, OCC proposes replacing and updating rules 
currently in the RMFP. For example, OCC proposes replacing a 
description of the purpose of the RMFP with a description of the 
purpose of the RMF and an introduction to the CRMP. Further, OCC 
proposes relocating rules currently found in the RMFP without changing 
the substance of those rules. For example, OCC proposes to move the 
substance of the Risk Management Governance section of the RMFP under 
the broader Governance section the RMF. The Commission believes that 
such changes serve to accurately reflect the proposed organization of 
OCC's policies and procedures that comprise its framework for managing 
risk.
    Additionally, OCC proposes removing information such as the history 
and background found in the Risk Management Philosophy section of the 
RFMP. The Commission believes that the removal of background and 
historical information would not change OCC's processes or systems for 
identifying, measuring, monitoring, or managing risk.
    Finally, OCC proposes changes to expand the rules currently 
captured in the RMFP. For example, the RMF would describe OCC's 
reorganized framework for managing risk and provide an overview of 
OCC's risk appetite framework, including OCC's risk universe, risk 
appetite, and risk tolerances that would be described in the CRMP in 
greater detail. It would include an expanded discussion of OCC's three 
lines of defense model while relocating detailed discussions of the 
Risk Management Practice, Enterprise Risk Assessment program, and Risk 
Reporting to the CRMP. The RMF would state that the Board is 
responsible for advising and overseeing management, and that OCC's CRO 
would present a review of the RMF to the Board for approval at least 
annually. The discussion of Control activities would be revised to give 
general descriptions of Compliance while also updating OCC's processes 
for handling policy exceptions. The RMF would also include a new 
section discussing the Recovery and Orderly Wind-Down plan. 
Additionally, the CRMP would contain new rule text regarding OCC's risk 
monitoring processes. Furthermore, the key risk universe definitions 
provided in the CRMP would use detailed qualitative risk appetite 
statements for each risk sub-category to better describe the elements 
that comprise OCC's risk universe and the relationship between them 
while providing additional details for internal governance and 
monitoring. Finally, the CRMP would introduce risk rating scales, which 
reflect how large the effect of an event's occurrence would be and the 
likelihood of it occurring when considering a range of repercussions on 
OCC's business. The Commission believes that the proposed changes 
provide a more comprehensive and transparent discussion of OCC's 
overall framework for managing its range of risks, including legal, 
credit, liquidity, operational, general business, investment, custody, 
among others, as referenced in detail in its first line of defense and 
supported through the challenge and assurance functions in OCC's second 
and third lines of defense. The Commission also believes that certain 
proposed changes clarify and strengthen the risk management framework. 
For example, Corporate Risk and Risk Owners would be required to review 
the risk universe, risk tolerances, and risk appetites within 
established tolerances at least every twelve months instead of at least 
annually, which could otherwise result in gaps of time between reviews 
ranging as long as twenty-two months.
    The Commission believes, therefore, that the proposal is consistent 
with the requirements of Rule 17Ad-22(e)(3)(i) of the Exchange Act.\42\
---------------------------------------------------------------------------

    \42\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

VI. CONCLUSION

    On the basis of the foregoing, the Commission finds that the 
proposed rule change, is consistent with the requirements of the 
Exchange Act, and in particular, the requirements of Section 17A of the 
Exchange Act \43\ and the rules and regulations thereunder.
---------------------------------------------------------------------------

    \43\ In approving this proposed rule change, the Commission has 
considered the proposed rules' impact on efficiency, competition, 
and capital formation. See 15 U.S.C. 78c(f).
---------------------------------------------------------------------------

    It Is Therefore Ordered, pursuant to Section 19(b)(2) of the 
Exchange Act,\44\ that the proposed rule change (SR-OCC-2022-010) be, 
and hereby is, approved
---------------------------------------------------------------------------

    \44\ 15 U.S.C. 78s(b)(2).

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\45\
---------------------------------------------------------------------------

    \45\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2022-28303 Filed 12-28-22; 8:45 am]
BILLING CODE 8011-01-P


