Self-Regulatory Organizations; ICE Clear Europe Limited; Order Approving Proposed Rule Change Relating to ICE Clear Europe Operational Risk and Resilience Policy

I. Introduction

On September 22, 2022, ICE Clear Europe Limited (“ICE Clear Europe”) filed with the Securities and Exchange Commission (“Commission”), pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (the “Act”) and Rule 19b-4 thereunder, a proposed rule change to amend its Operational Risk Management Policy and rename it the Operational Risk and Resilience Policy. The proposed rule change was published for comment in the Federal Register on October 7, 2022. The Commission did not receive comments regarding the proposed rule change. For the reasons discussed below, the Commission is approving the proposed rule change.

II. Description of the Proposed Rule Change

A. Background

ICE Clear Europe currently has in place an Operational Risk Management Policy. The current Operational Risk Management Policy explains how ICE Clear Europe identifies, assesses, manages, monitors, and reports its operational risks. The proposed rule change would maintain the current substance of the Operational Risk Management Policy while expanding it to include a description of how ICE Clear Europe maintains operational resilience, in addition to managing operational risk. The proposed rule change would define operational resilience as the ability to prevent, respond to, recover, and learn from operational service disruption events. The proposed rule change would add descriptions of the following elements that ICE Clear Europe employs to maintain operational resilience: (i) the three lines of defense; (ii) certain other ICE Clear Europe policies and procedures that form a framework for managing and maintaining operational resilience; (iii) important business services; (iv) impact tolerances; and (v) scenario analysis and testing. The proposed rule change also would rename the Operational Risk Management Policy as the Operational Risk and Resilience Policy (referred to below as the “Policy”).

ICE Clear Europe maintains that overall these changes would memorialize in the Policy its current practices with respect to operational resilience. ICE Clear Europe is making these changes to demonstrate compliance with certain additional legal requirements applicable to ICE Clear Europe in its home jurisdiction, the United Kingdom.

In addition to the changes related to operational resilience, the proposed rule change would make other updates to the Policy, including fixing typographical errors and adjusting the frequency of review.

B. Operational Resilience Updates

i. Three Lines of Defense

The proposed rule change would add to the Policy a description of the three lines of defense, which is the model that ICE Clear Europe currently uses for managing risks. The proposed rule change would not make any changes to this model but would memorialize it in the Policy, in compliance with certain additional legal requirements applicable to ICE Clear Europe in its home jurisdiction.

Under the three lines of defense model, the ICE Clear Europe business line that generates the risk is considered to be the First Line of defense (or Risk Owner). The First Line is responsible for managing risks and adhering to the Policy. All ICE Clear Europe departments, other than the Risk Oversight Department and Internal Audit, could be the First Line of defense.

The Risk Oversight Department/Enterprise Risk Management is the Second Line of defense. The Second Line is responsible for challenging the First Line and monitoring adherence to the Policy.

Internal Audit is the Third Line of defense. It provides independent and objective assurance to ICE Clear Europe's Board regarding, among other things, evaluation of governance, risk management, and key controls mitigating current and evolving risk.

ii. Framework

The proposed rule change would add to the Policy a description of the other policies and procedures that ICE Clear Europe uses to maintain operational resilience. ICE Clear Europe considers these policies and procedures to form a complimentary operational risk and resilience framework. As would be described in the Policy, ICE Clear Europe uses this framework to reduce the likelihood of an operational disruption event within acceptable tolerance, and mitigate and quickly recover from an operational disruption event. In addition to the Policy itself, the policies and procedures in the framework are: (i) the Incident Management Policy; (ii) the Business Continuity & Disaster Recovery Policy; (iii) the Information Security Policy and Cyber Security Strategy; (iv) the Outsourcing Policy; and (v) the Vendor Management Policy.

Again, ICE Clear Europe currently maintains these policies and procedures and the proposed rule change would not alter these policies and procedures. The proposed rule change would only memorialize these policies and procedures to demonstrate how they form a complimentary framework for managing and maintaining ICE Clear Europe's operational resilience, in compliance with certain additional legal requirements applicable to ICE Clear Europe in its home jurisdiction.

iii. Important Business Services

Next, the proposed rule change would add a description of ICE Clear Europe's Important Business Services and set certain requirements with respect to these services. The proposed rule change would define a business service as important if a prolonged disruption of that service would significantly disrupt the orderly functioning of a market that ICE Clear Europe serves, thereby impacting financial stability. The proposed rule change would require that ICE Clear Europe identify and document its Important Business Services and the people, processes, technology, facilities, and underlying information related to such services. Moreover, the relevant First Line must review the important business service annually, subject to oversight by Second Line and approval by a Board-level committee.

ICE Clear Europe currently maintains and documents its critical business services, as part of managing its operational risk and maintaining operational resilience. ICE Clear Europe's critical business services are similar to Important Business Services, but slightly broader in scope. ICE Clear Europe's Important Business Services therefore would be a subset of its critical business services. Given that, ICE Clear Europe maintains that overall, identifying its Important Business Services would not substantively alter its existing risk management framework. While not changing its approach in a substantive way, ICE Clear Europe is introducing the concept of Important Business Services to demonstrate compliance with certain additional legal requirements applicable in its home jurisdiction.

iv. Impact Tolerances

The proposed rule change would also add a description of the maximum levels of disruption to its Important Business Services that ICE Clear Europe could tolerate. The proposed rule change would describe these as impact tolerances. For each Important Business Service, ICE Clear Europe would establish an appropriate impact tolerance, as well as controls and recovery procedures to help ensure ICE Clear Europe can recover when the tolerance is exceeded.

ICE Clear Europe would monitor impact tolerances and would escalate breaches to the Executive Risk Committee and Board. Moreover, First Line personnel would review breaches and establish a remediation plan. Second Line would be required to agree to the review and remediation plan, and ultimately the review and remediation would be presented to the Board.

First Line would review the impact tolerances annually. Second Line would oversee this review and an appropriate Board-level Committee would approve it.

ICE Clear Europe currently maintains a risk management framework that already covers incident management based on levels of severity linked to financial, reputational, operational and regulatory impacts.¹⁴ ICE Clear Europe therefore maintains that overall, establishing impact tolerances with respect to its Important Business Services would build on its existing risk management framework to demonstrate compliance with certain additional legal requirements applicable in its home jurisdiction.¹⁵

v. Scenario Analysis and Testing

The proposed rule change also would add an overview of ICE Clear Europe's scenario analysis and testing. ICE Clear Europe would conduct scenario analysis and testing on its Important Business Services to determine if ICE Clear Europe can remain within the impact tolerances under a range of extreme but plausible disruption scenarios. ICE Clear Europe's testing scenarios would include scenarios that affect more than one Important Business Service at a time and that take into account dependencies.

For any identified weaknesses related to extreme but plausible scenarios, the First Line must develop a remediation plan, with which the Second Line must agree. Moreover, scenario analysis and testing results would be reported to the Executive Risk Committee and the Board.

ICE Clear Europe currently conducts scenario analysis and testing. ICE Clear Europe is adding this section to the Policy to document its scenario analysis and testing, particularly with respect to its Important Business Services. As discussed above, ICE Clear Europe is identifying, and establishing impact tolerances for its Important Business Services in compliance with certain additional legal requirements applicable to ICE Clear Europe in its home jurisdiction. ICE Clear Europe maintains that memorializing its approach to scenario analysis and testing, in particular with respect to its Important Business Services, would further demonstrate compliance with these legal requirements.

C. Other Updates and Typographical Corrections

In addition to expanding the Policy to include operational resilience, the proposed rule change would make other updates to the Policy. For example, the proposed rule change would correct typographical errors, update references, and remove redundant references. The proposed rule change also would rename the section formerly titled “The Policy for Operational Risk Management” as “Risk and Control Assessments,” to more clearly reflect the information contained there.

The proposed rule change also would correct a reference to the Enterprise Risk Register. Section 3.1 currently provides that all “risks are documented in the Enterprise Risk Register . . .” The proposed rule change would correct this to provide instead that all “risk assessments,” and not just “risks,” are documented in the Enterprise Risk Register. The proposed rule change also would correct a reference to the Enterprise Risk Register in Section 3.1, changing it from the “Risk Register Dashboard” to the “Enterprise Risk Register.”

The proposed rule change would correct a drafting error in Section 3.2.5. Section 3.2.5 requires, among other things, that ICE Clear Europe periodically monitor key Controls, meaning controls that mitigate high inherent risks. As currently written, Section 3.2.5 requires that Enterprise Risk Management coordinate with the First, Second, and Third Lines to develop control monitoring plans for Key Controls. The proposed rule change would delete the reference to the Second Line. Given that the Enterprise Risk Management Group is, as noted above, part of ICE Clear Europe's Second Line, the reference is redundant.

Finally, the proposed rule change would amend the review section of the Policy to require that it be subject to at least an annual review or earlier in the event of a material change. Currently the Policy is subject to a biennial review or earlier in the event of a material change. ICE Clear Europe is making this change to make the Policy consistent with other ICE Clear Europe policies, which are subject to annual reviews.

III. Discussion and Commission Findings

Section 19(b)(2)(C) of the Act directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to such organization. For the reasons discussed below, the Commission finds that the proposed rule change is consistent with Section 17A(b)(3)(F) of the Act, and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(17) thereunder.

i. Consistency With Section 17A(b)(3)(F) of the Act

Section 17A(b)(3)(F) of the Act requires, among other things, that the rules of ICE Clear Europe be designed to promote the prompt and accurate clearance and settlement of securities transactions and, to the extent applicable, derivative agreements, contracts, and transactions. Based on its review of the record, and for the reasons discussed below, the Commission believes the proposed changes to the Policy are consistent with the promotion of the prompt and accurate clearance and settlement of securities transactions.

The Commission believes that the proposed rule change would help ICE Clear Europe maintain its overall operational resilience while demonstrating compliance with certain additional legal requirements applicable to ICE Clear Europe in its home jurisdiction. It would do so by memorializing in the Policy how ICE Clear Europe manages and maintains its operational resilience. As discussed above, ICE Clear Europe does so by using, among others, the three lines of defense model and maintain complimentary operational risk and resilience framework. The Commission believes that memorializing these practices in the Policy would help to ensure that ICE Clear Europe personnel follow them on a consistent and predictable basis. Because the Commission believes that these practices are an effective means of maintaining operational resilience, the Commission believes that memorializing them in the Policy, and therefore helping to ensure that ICE Clear Europe personnel follow these processes on a consistent and predictable basis, would help ICE Clear Europe maintain operational resilience.

The Commission similarly believes that identifying ICE Clear Europe's Important Business Services, setting impact tolerances with respect to those services, and conducting scenario and analysis and testing for those services, would help ICE Clear Europe to maintain these Important Business Services in the event of a disruption. Because a prolonged disruption to an Important Business Service would significantly disrupt the orderly functioning of a market that ICE Clear Europe serves, thus impacting financial stability, the Commission believes that maintaining Important Business Services against the threat of a disruption and other operational risks would help ICE Clear Europe maintain its overall operational resilience.

Moreover, the Commission believes that the other changes discussed in Part II.C above would improve the Policy and therefore ICE Clear Europe's ability to maintain operational resilience using the Policy. For example, the Commission believes that fixing typographical errors, removing the redundant reference to the Second Line in Section 3.2.5, and updating references would help to ensure that the Policy can be applied consistently and free from error. The Commission also believes that making the Policy subject to at least an annual review or earlier in the event of a material change, rather than a biennial review, would help to identify any gaps and necessary resolutions or updates sooner than what is currently required.

For these reasons, the Commission believes the proposed rule change would help ICE Clear Europe maintain operational resilience using the Policy. ICE Clear Europe's operational resilience should decrease the likelihood that operational incidents disrupt its ability to promptly and accurately clear and settle securities transactions. The Commission believes therefore the proposed rule change would maintain ICE Clear Europe's ability to promptly and accurately clear and settle securities transactions, consistent with Section 17A(b)(3)(F) of the Act.

ii. Consistency With Rule 17Ad-22(e)(2)(v)

Rule 17Ad-22(e)(2)(v) requires that ICE Clear Europe establish, implement, maintain and enforce written policies and procedures reasonably designed to provide for governance arrangements that, among other things, specify clear and direct lines of responsibility. The Commission believes that the proposed changes discussed above would maintain clear and direct lines of responsibility for First Line and Second Line personnel. For example, the First Line would review each Important Business Service annually, subject to oversight by the Risk Oversight Department and approval by a Board-level committee. The First Line additionally would review the impact tolerances annually, and the Second Line would oversee this review. The First Line also would, as discussed above, develop plans to remediate certain findings from scenario analysis and testing. As discussed above, the proposed rule change would memorialize these lines of responsibility to demonstrate compliance with certain additional legal requirements applicable to ICE Clear Europe in its home jurisdiction. The Commission believes all of these changes would specify clear and direct lines of responsibility.

Therefore, the Commission finds that the proposed rule change is consistent with Rule 17Ad-22(e)(2)(v).

iii. Consistency With Rule 17Ad-22(e)(17)

Rule 17Ad-22(e)(17) requires that ICE Clear Europe establish, implement, maintain and enforce written policies and procedures reasonably designed to manage its operational risks by, among other things, identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls. The Commission believes that by memorializing in the Policy how ICE Clear Europe manages and maintains its operational resilience, the proposed rule change would mitigate the impact of operational risk at ICE Clear Europe by helping to ensure that ICE Clear Europe personnel follow these processes on a consistent and predictable basis, and therefore are able to maintain operational resilience and mitigate the impact of operational risk at ICE Clear Europe. The Commission also believes that identifying ICE Clear Europe's Important Business Services, setting impact tolerances with respect to those services, and conducting scenario and analysis and testing for those services would help ICE Clear Europe to identify, manage, and mitigate the impact of operational risks to these Important Business Services. Therefore, the Commission finds that the proposed rule change is consistent with Rule 17Ad-22(e)(17).

IV. Conclusion

On the basis of the foregoing, the Commission finds that the proposed rule change is consistent with the requirements of the Act, and in particular, with the requirements of Section 17A(b)(3)(F) of the Act, and Rules 17Ad-22(e)(2)(v) and 17Ad-22(e)(17) thereunder.

It is therefore ordered pursuant to Section 19(b)(2) of the Act that the proposed rule change (SR-ICEEU-2022-015) be, and hereby is, approved.