Self-Regulatory Organizations; ICE Clear Credit LLC; Order Approving Proposed Rule Change To Revise the ICC Operational Risk Management Framework

I. Introduction

On March 10, 2016, ICE Clear Credit LLC (“ICC”) filed with the Securities and Exchange Commission (“Commission”), pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) and Rule 19b-4 thereunder, a proposed rule change (SR-ICC-2016-003) to update ICC's Operational Risk Management Framework. The proposed rule change was published for comment in the Federal Register on March 21, 2016. The Commission did not receive comments on the proposed rule change. For the reasons discussed below, the Commission is approving the proposed rule change.

II. Description of the Proposed Rule Change

The ICC Operational Risk Management Framework details ICC's program of risk assessment and oversight, managed by the Operational Risk Manager (“ORM”), which, according to ICC, aims to reduce operational incidents, encourage process and control improvement, bring transparency to operational performance standard monitoring, and fulfill regulatory obligations. ICC proposes organizational changes to its Operational Risk Management Framework related to its operational risk management processes.

ICC will revise the Operational Risk Management Framework to frame its existing operational risk program and processes around an operational risk lifecycle, which according to ICC, is designed to highlight certain aspects of the processes and present the processes in a more efficient manner. The operational risk lifecycle utilized by ICC will have five components: Identify, assess, monitor, mitigate and report. Each of these lifecycle components will be first defined generally in the document then applied to each of ICC's two operational risk processes: Risk assessment; and performance objectives setting and monitoring. Specifically, the content for each risk process will be reorganized to fall into each of the operational risk lifecycle components (i.e., identify, assess, monitor, mitigate, and report).

In addition, ICC will add information regarding the `assess' and `report' component of the risk assessment process. Specifically, ICC represents that it will assess each of its risk scenarios to determine the inherent risk rating associated with the occurrence of an event or incident, as well as the effectiveness of any relevant risk controls. Further, in the `report' component, ICC will clarify that the ORM presents operational risk reporting to an internal committee which includes members of senior management. The responsibilities of the ORM, which is currently listed out in the document, will be incorporated into the risk lifecycles. ICC respresents that the ORM will continue to provide management and staff with advice and guidance related to the development of controls designed to increase performance and reduce processing risk, as part of the `mitigate' risk lifecycle component. Similarly, the responsibilities of senior management, which is currently listed out in the document, will be incorporated into the risk lifecycles.

ICC will categorize those aspects of the operational risk management program which do not fall within this lifecycle as “Operational Risk Focus Areas.” These risk focus areas include: Business continuity planning and disaster recovery; vendor assessment; new products and initiatives; information security; and technology control functions. ICC will reorganize the order of these risk focus areas to better distinguish which functions may, with oversight by the ORM, be outsourced to Intercontinental Exchange, Inc. (“ICE, Inc.”) or performed by departments dedicated to that particular risk area.

ICC will make several clarifying and organizational enhancements to the various risk focus area descriptions. Further, specific details contained within other ICC policies and procedures will be removed and described more generally within the Operational Risk Management Framework, in an effort to reduce redundancy amongst ICC policies and procedures. ICC will continue to maintain business continuity planning and disaster recovery as two separate programs with separate and distinct components; however, ICC will group the description of these programs together for purposes of the Operational Risk Management Framework. ICC will amend the “Vendor Assessment” risk focus area description to note that the ORM is responsible for conducting a service provider risk assessment for critical vendors, and to list the specific steps taken as part of such risk assessment. ICC also will amend the “Information Security” risk focus area description to note that the ICE, Inc. Information Security Department conducts its own risk assessments related to information security and physical security/environmental controls, pursuant to internal policies which are maintained by an ICE, Inc. internal committee. Information regarding the Firm Wide Incident Management Program will be included in the new `Technology Controls Section.' ICC will amend the `Technology Control Functions' risk focus area description to note that the ICC Systems Operations team is responsible for executing daily clearing functions within established service expectations and performing incident management. ICC will describe this incident management process generally within the framework, and will remove more detailed aspects of the program which are contained in specific program documentation.

General information regarding the development and enforcement of a firm-wide operational risk framework will be removed, as the revised framework will more clearly lay out in each particular section who is responsible for the development and enforcement of that component of the operational risk management framework. Information regarding the human resource reporting line of the ORM and specific references to titles of documents utilized as part of the risk assessment process will be removed. As the Vendor Risk Management policy will be retired and encompassed within the Operational Risk Management Framework, reference to the policy will be removed from the document. ICC will also remove internal audit responsibilities from the Operational Risk Management Framework as such responsibilities are contained within internal audit documentation.

ICC represents that the overall governance of the Operational Risk Framework will also be updated to reflect current practices. Specifically, material amendments are reviewed by the Risk Committee, and approved by the Board. The Board reviews the Operational Risk Management Framework at least annually.

Other non-material changes will be made to the framework to improve readability. Previously, ICC included regulatory requirements and industry guidance information within the framework; this information will be moved to a separate appendix to the framework. Further, information regarding Regulation Systems, Compliance, and Integrity will be added for completeness. Certain information regarding governance and governing committees will be resituated to the reporting section of the relevant operational risk lifecycle. Similarly, information regarding the roles and responsibilities of the ORM and senior management will be resituated to the appropriate section the operational risk lifecycle.

III. Discussion and Commission Findings

Section 19(b)(2)(C) of the Act directs the Commission to approve a proposed rule change of a self-regulatory organization if the Commission finds that the proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to such self-regulatory organization. Section 17A(b)(3)(F) of the Act requires, among other things, that the rules of a clearing agency are designed to promote the prompt and accurate clearance and settlement of securities transactions and, to the extent applicable, derivative agreements, contracts, and transactions, to assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible and, in general, to protect investors and the public interest. Rule 17Ad-22(d)(4), in part, requires clearing agencies to establish, implement, maintain and enforce written policies and procedures reasonably designed to identify sources of operational risk and minimize them through the development of appropriate systems, controls, and procedures.

The Commission finds that the proposed rule change is consistent with the requirements of Section 17A of the Act and the rules and regulations thereunder applicable to ICC. The proposed rule change updates the Operational Risk Management Framework to frame its existing operational risk program and processes around an operational risk lifestyle. In addition, the proposed rule change categorizes the operational risk management programs that do not fall within this lifecycle as Operational Risk Focus Areas. The Commission finds that the reorganization of ICC's existing operational risk processes around the operational risk lifecycle is designed to promote readability and efficiency, and should alleviate potential confusion in the implementation of the Operational Risk Management Framework. In that the Operational Risk Management Framework is intended, among other things, to reduce or mitigate operational incidents that would impair ICC's ability to provide clearance and settlement services, the Commission finds that the proposed rule change is designed to facilitate the prompt and accurate clearance and settlement of securities transaction and, to the extent applicable, derivative agreements, contracts, and transactions in accordance with Section 17A(b)(3)(F) of the Act. In addition, the Commission finds that the proposed rule change is consistent with the relevant requirements of Rule 17Ad-22(d)(4) because the change to the ICC Operational Risk Management Framework is intended to further ensure that ICC, through its operational risk program, is able to identify sources of operational risk and minimize them through the development of appropriate systems, control, and procedures.

IV. Conclusion

On the basis of the foregoing, the Commission finds that the proposal is consistent with the requirements of the Act and in particular with the requirements of Section 17A of the Act and the rules and regulations thereunder.

IT IS THEREFORE ORDERED, pursuant to Section 19(b)(2) of the Act, that the proposed rule change (File No. SR-ICC-2016-003) be, and hereby is, approved.