Introduction
This four-part blog will provide an analysis of the $20 million fine imposed on The Options Clearing Corporation, and a critique of the Orders imposed by the United States Securities and Exchange Commission and the United States Commodity Futures Trading Commission. The first two parts of the blog will cover the Order made by the Commodity Futures Trading Commission which imposed a $5 million fine, and the second two parts of the blog will cover the order made by the Securities and Exchange Commission which imposed a $15 million fine.
About Options Clearing Corporation
“Founded in 1973, OCC is the largest clearing organization in the world for equity derivatives. Operating under the jurisdiction of the U.S. Securities and Exchange Commission (SEC) and the U.S. Commodity Futures Trading Commission (CFTC), OCC issues and clears U.S.-listed options and futures on a number of underlying financial assets including common stocks and stock indexes. OCC’s clearing membership consists of approximately 100 of the largest U.S. broker-dealers, U.S. futures commission merchants and non-U.S. securities firms representing both professional traders and public customers. The stockholder exchanges share equal ownership of OCC. This ownership, along with a significant clearing member and public director presence on the Board of Directors, ensures a continuing commitment to servicing the needs of OCC’s participant exchanges, clearing members and their customers. OCC provides clearing services for options, financial and commodity futures, security futures, securities lending transactions and over-the-counter index options.”
Background
On 4th September 2019 the United States (US) Securities and Exchange Commission (SEC or the Commission) and the US Commodity Futures Trading Commission (CFTC) announced that The Options Clearing Corporation (OCC) would be undertaking remedial efforts and had agreed to pay $20 million in penalties in lieu of settlement of charges that it failed to implement policies to manage certain risks as required by US laws and SEC and CFTC rules.
Proceedings Before the SEC
The SEC Order noted that because OCC was the sole registered clearing agency for exchange listed option contracts in the US, it had been designated as a ‘Systemically Important Financial Market Utility’ (SIFMU). The SEC Order further observed that:
“OCC serves as sole registered clearing agency for exchange listed option contracts in the United States… Disruption to OCC’s operations, or failure by OCC to manage risk, could result in significant costs not only to OCC itself and its members, but also to other market participants or the broader U.S. financial system.
As a registered clearing agency, OCC is a self-regulatory organization (SRO) under the Exchange Act. Self-regulatory organizations are charged with an important public trust to carry out their self-regulatory responsibilities effectively and fairly, while fostering free and open markets, protecting investors, and promoting the public trust.”
Material Representations by OCC
In it’s 2017 Annual Report entitled “Innovate, Educate, Advocate” (as of 31st December 2017), OCC expressly stated in Note 17. Contingencies, at page 47:
“In the normal course of business, OCC may be subject to various lawsuits and claims. In addition, as a regulated entity, OCC is subject to examinations by the SEC and CFTC. From time to time, such examinations result in regulatory findings or other matters, the resolution of which could in the future include remediation or fines. At December 31, 2017, there was no outstanding litigation or regulatory matters that would have a material adverse effect on the financial statements.”
In its 2018 Annual Report entitled “Clear the Path” (as of 31st December 2018), OCC expressly stated in Note 17. Contingencies, at page 46:
“In the normal course of business, OCC may be subject to various lawsuits, claims, and other legal proceedings. In addition, as a regulated entity, OCC is subject to examination by the SEC and CFTC. In connection with these regulatory and legal matters, OCC has accrued $15 million as of December 31, 2018. Actual settlement amounts may exceed amounts accrued and such amounts could be material.”
Rule 17Ad-22(e) under the Exchange Act
Rule 17Ad-22(e) sought to establish standards for registered clearing agencies that met the definition of “covered clearing agency” (CCA), and was first proposed in March 2014. The Commission adopted it in October 2016, and since OCC was a CCA for the purposes of the rule, it was required to comply by 11th April 2017. The rule was adopted in order to impose consistent, higher minimum risk management standards across all CCAs, and also in order to mitigate the potential for any moral hazard associated with risk management at a CCA.
OCC’s Failure to Comply
Despite the fact that the Commission staff had notified OCC of material weaknesses with its policies and procedures that could result in violations of Rule 17Ad-22(e) and Reg. SCI , if they were not corrected before the required compliance dates, OCC failed to comply with these rules by the required compliance dates.
The Commission alleged that OCC had failed to establish, implement, maintain and enforce policies and procedures reasonably designed to:
(1) review its risk-based margin models and the parameters for those models on a monthly basis;
(2) consider and produce margin levels commensurate with the risks and particular attributes of each relevant product cleared by OCC;
(3) effectively measure, monitor, and manage its credit exposure and liquidity risk;
(4) maintain a comprehensive risk management framework;
(5) protect the security of certain of its information systems; and
(6) provide for a well-founded, clear, transparent and enforceable legal framework for every aspect of its activities.
In addition, it was alleged that OCC had also failed to comply with Section 19(b) of the Exchange Act and Rule 19b-4(c), by adopting and changing certain policies prior to obtaining Commission approval.
OCC was legally required to comply with Reg. SCI by 2rd November 2015.
OCC was legally required to comply with Rule 17Ad-22(e) by 11th April 2017.
Prior to, and throughout this period, the firm’s legal counsel was under a duty to the OCC to inform and update the management of OCC and/or the Board about its legal responsibilities and duties as required by US laws and SEC and CFTC rules. Any good US law student with a basic understanding of US laws and SEC and CFTC rules would have been able to clearly identify such legal obligations.
A legal counsel working for the largest clearing organization in the world for equity derivatives would have known about these requirements without fail. Consequently, there seems to be questions that ostensibly the SEC and the CFTC have not dealt with in their respective Orders.
If the 2nd November 2015 deadline had passed, then OCC’s legal counsel should have known that OCC was not legally compliant with the requirements mandated by Reg. SCI.
If the 11th April 2017 deadline had passed, then OCC’s legal counsel should have known that OCC was not legally compliant with the requirements mandated by Rule 17Ad-22(e).
Assuming this is the case, and it was prima facie alleged by the SEC that the OCC was in breach of these legal requirements, and that such breaches warranted investigation by the SEC and/or would potentially be subject to civil fines and negative reputational damage.
How can it be that in its 2017 Annual Report the OCC was able to unequivocally say:
“At December 31, 2017, there was no outstanding litigation or regulatory matters that would have a material adverse effect on the financial statements.”
Could such a statement amount to a misrepresentation to existing and/or potential shareholders who were relying on the OCC to inform them about any matters that could negatively impact OCC’s share price?
Indeed, the question to be asked is could this be legally interpreted in any way as to be misinforming the public vis-à-vis the financial affairs and/or share price of the OCC via the OCC’s 2017 Annual Report?
OCC Failures
The SEC Order found that OCC had failed to establish, implement, maintain, and enforce policies and procedures reasonably designed to:
(1) REVIEW ITS RISK-BASED MARGIN MODELS AND THE PARAMETERS FOR THOSE MODELS ON A MONTHLY BASIS;
Exchange Act Rule (EAR) 17Ad-22(b)(2) mandates that a Registered Clearing Agency (RCA) establish, implement, maintain, and enforce written policies and procedures reasonably designed to use risk-based models and parameters to set margin requirements and review such margin requirements and the related risk-based models and parameters at least monthly.
Although OCC was required to comply with this rule by 2nd January 2013, by April 2017, MORE THAN 3 YEARS LATER, OCC had still not complied with this legal requirement.
The Commission had noted that “[m]arket conditions and risks are constantly changing and therefore the models and parameters used by a clearing agency providing [central counterparty] services to set margin may not accurately reflect the needs of a clearing agency if they are permitted to remain static.”
In practice it is crucial for CCPs to ensure that their risk-based margin models are continuously accurate, and that they are reviewed and updated regularly to take into account socioeconomic indicators and trends; political moderating factors; geographical moderating factors; global, regional, and national trends; and other moderating or influencing factors.
For example, a hurricane in the Caribbean could significantly affect commodity exports from those islands affected in the Caribbean. This in turn could then impact commodity prices of related exchange traded products. If risk-based margin models remain static in a month, then, for example, the same August 2019 margin amounts might be called for September 2019 oil derivatives, even though they may no longer be equivalent, in terms of underlying risk, as August 2019 oil derivatives.
Moreover, such risk-based margin models also need to be calibrated to take into account financial stress indicators. For example, Monin (2019) defines financial stress as disruptions in the typical functioning of financial markets. It is further noted that symptoms of financial stress can be informed by both theory and practice, and in practice may include uncertainty about the fundamental value of financial assets or the behaviour of investors; increased asymmetric information; and a decreased willingness to hold risky or illiquid assets (Monin, 2019). Examples of the Office of Financial Research (OFR) Financial Stress Index (FSI) category definitions include: (1) credit; (2) equity valuation; (3) funding; (4) safe assets; and (5) volatility (Monin, 2019).
The more accurately these risk-based models and parameters are calibrated and regularly reviewed, the more likely it is that a RCA will be effectively fulfilling its role and maintaining balanced market conditions. In the case of the OCC, owing to its status as a SIFMU it was a fortiori required to ensure that its risk-based margin models were calibrated as accurately as possible, and regularly reviewed to ensure such accuracy because of the potentially significant risks and costs to other market participants and to the broader US financial system.
(2) CONSIDER AND PRODUCE MARGIN LEVELS COMMENSURATE WITH THE RISKS AND PARTCULAR ATTRIBUTES OF EACH RELEVANT PRODUCT CLEARED BY OCC;
EAR 17Ad-22(e)(6)(i) mandates that a CCA establish, implement, maintain, and enforce policies and procedures that are reasonably designed to cover its credit exposures to its participants by establishing a risk-based margin system that inter alia considers, and produces margin levels commensurate with, the risk and particular attributes of each relevant product, portfolio, and market.
Although OCC was required to comply with this rule by 11th April 2017, at the time of the SEC Order it had still not complied with this legal requirement. The SEC Order stated:
“Specifically, OCC’s margin model fails to consider the impact of market liquidation costs, including bid-ask spreads and other transaction-based costs, as well as the potential market impact of liquidation activity.
OCC’s margin model also fails to consider specific wrong way risk associated with cleared securities which are related to clearing members.
Specific wrong-way risk arises at a [central counterparty] when an exposure to a participant is highly likely to increase when the creditworthiness of that participant is deteriorating.”
The failure of OCC’s margin model to consider the impact of market liquidation costs, bid-ask spreads, other transaction-based costs, and the potential market impact of liquidation activity has been considered and discussed in PART I of this Blog series.
As regards the failure of OCC’s margin model to consider specific wrong way risk (WWR), this issue will be discussed here in further depth.
WWR refers to unfavourable dependencies (e.g. between the value of margin held and creditworthiness of clearing members). So, for example, margin held by a CCP should not be wrong-way, e.g. correlated to the default of the counterparty in that a counterparty posts their own bonds or equity) (Gregory, 2014).
It is important to differentiate between two distinct types of WWR, which can apply to exposure or margin-related linkages, these are: (1) General WWR; and (2) Specific WWR (Gregory, 2014). General WWR refers to linkages arising from macroeconomic relationships (e.g. interest rates being correlated to credit spreads), whereas Specific WWR arises from specific factors affecting a counterparty (e.g. a ratings downgrade by ratings agency Moody’s) (Gregory, 2014).
According to Eurex Clearing, “Wrong-way risk is defined as the potential loss which Eurex Clearing may suffer during the Default Management Process, due to an unfavorable interrelatedness between the counterparty’s creditworthiness, the value of its collateral pool and the value of its portfolio.”
If OCC’s margin models had failed to consider specific WWR associated with cleared securities related to clearing members, then this presented a highly significant potential problem for the OCC in terms of accurately identifying the real extent of counterparty risk which the OCC had calculated. This is because if the OCC’s margin models had calculated counterparty risk, but had failed to account for potential specific WWR relevant to specific clearing members in such models, then the OCC was potentially exposed to an unknown quantity of specific WWR for each clearing member, and cumulatively, this could amount to a very large unknown quantity of specific WWR that could materialise in the event of one or more counterparty defaults.
An example of WWR pertinent to put options is set out below for illustrative purposes:
“If a put option for corporate stock correlates highly with counterparty default probability, when the underlying share price declines, the value of the put option (in this case the exposure) increases at the same time that the probability of counterparty default increases. As a result, this wrong-way risk causes a sharp increase in overall risk” (Inamura et al., 2012).
Eurex Clearing identifies its approach to WWR and the actions it takes with regards to WWR:
“To safeguard the overall integrity of the Clearing House and to protect the mutualizing Default Fund, we conduct an internal credit assessment of all counterparties and perform continuous monitoring of credit, concentration and wrong-way risks. This enables us to guarantee fulfilment of all obligations towards counterparties even under extreme market conditions.
The first step in which we avoid wrong-way risk is that we do not allow counterparties to deposit own issues (or issues of closely linked entities) as collateral. Moreover, counterparties are not entitled to use such instruments as collateral for repo transaction or securities lending transactions.
In case Clearing Members enter into positions, where they are exposed to the performance of their own stock (e.g. derivatives on their own stock) or other instruments issued by themselves or entities belonging to the same legal group, these positions are collateralized based on the assumption that the underlying becomes worthless in a default scenario.
Resources which have already been provided to secure these positions (i.e. dedicated Total Margin Requirement on single position level as well as derived Default Fund contributions) are deducted before the final Supplementary Margin for the own issue positions is calculated.
A daily monitoring process ensures a tight control of any own issue position. For a more efficient collateral management process on the Clearing Member side, the Supplementary Margins are charged weekly based on the largest excess (i.e. Loss given default minus already provided resources) over the previous week.
By defining dedicated wrong-way risk limits, we are taking additional steps to minimize such risk. These limits are applicable to a counterparty’s collateral pool and the counterparty’s notional exposure.”
The sheer size and negative impact of WWR was clearly and unequivocally demonstrated in the previous sub-prime crisis. Consequently, given the clear and significant problems that were demonstrated by unanticipated effects of WWR during the sub-prime crisis, it was the OCC’s duty to ensure that its margin models identified and incorporated potential WWR and thereby mitigated its effects across its clearing members in order to ensure it operated a robust CCP clearing system.
(3) COVER ITS CREDIT EXPOSURE;
EAR 17Ad-22(e)(4)(iii) mandates that a CCA (that is not subject to EAR 17Ad-22(e)(4)(ii)) must establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to maintain additional financial resources at a minimum to enable it to cover a wide range of foreseeable stress scenarios.
EARs 17Ad-22(e)(4)(vi)(A)-(D) mandate that a CCA establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to test the sufficiency of its total financial resources available to meet the minimum requirements by:
(1) stress testing its total financial resources once each day using standard predetermined parameters and assumptions;
(2) comprehensively analyzing its stress scenarios, model and underlying parameters and assumptions on at least a monthly basis;
(3) comprehensively analysing its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility; and
(4) reporting the results of its stress testing analyses to appropriate decision makers.
Although OCC was required to comply with these rules by 11th April 2017, through at least 4th September 2018 it had still failed to comply with these legal requirements.
It was noted that instead of complying with these requirements, OCC had implemented policies and procedures that determined the monthly sizing of its clearing fund based on a daily calculation of its stress testing exposures utilizing only A LIMITED NUMBER OF SCENARIOS.
The failure of the OCC to cover its credit exposure through stress testing was dealt with in PART I of this Blog. However, some commentary will be made here regarding the OCC’s use of only a limited number of scenarios vis-à-vis its legal stress testing obligations. The main difficulty with utilizing only a limited number of scenarios is that this makes it highly likely that the monthly sizing of its clearing fund does not in actuality reflect the realities of the underlying markets in which the OCC operates. This is highly problematic in practice, because it means that the OCC is potentially not actually fulfilling its role, not only as a CCP, but also as a SIFMU, because it is not robustly addressing all the stress scenarios to which it might be exposed in time of normal markets, and also to which it might be potentially exposed, in times when the markets are subject to financial stress.
In practice, stress scenarios need to be created for each asset class that is in use by the OCC, as well as shifting relevant risk factors in particular markets in order to account for the relevant assumed period of risk, i.e. stress period of risk will differ depending on the underlying asset class and the relevant risk factors that have been shifted.
Stress scenarios then need to be calibrated according to extreme but plausible scenarios, and then those scenarios are broken down into:
(1) historical scenarios (i.e. extreme and well-known events, such as the Lehman Default and the Global Financial Crisis (2008) the Cyprus Financial Crisis (2013); and the Brexit Referendum (2016));
(2) hypothetical scenarios (i.e. forward-looking scenarios simulating extreme risk factor movements for all cleared asset classes and products simultaneously by combining selected constellations of up and down moves across asset classes) ;
(3) correlation stress scenarios (i.e. special hypothetical scenarios that additionally stress the correlations between single risk factors);
(4) global scenarios (i.e. condensing information from a large number of asset class-specific forward-looking hypothetical scenarios to a smaller number of concise scenarios) (Eurex Clearing, 2019).
As can be seen, if these stress scenarios need to be calculated for multiple asset classes under different market conditions, then calculating stress testing exposures on a daily basis utilizing only a limited number of scenarios would seem to fall very short of the requirements needed to ensure accuracy of financial resources required on a month-to-month basis.
(4) MAINTAIN SUFFICIENT LIQUID RESOURCES
EAR 17Ad-22(e)(7)(i) mandates that a CCA establish, implement, maintain, and enforce written policies and procedures reasonably designed to maintain sufficient liquid resources, at the minimum, in all relevant currencies in order to effect same-day, and where appropriate, intraday and multiday, settlement of payment obligations with a high degree of confidence under a wide range of foreseeable stress scenarios.
EAR 17Ad-22(e)(7)(vi)(A)-(D) mandate that a CCA establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to determine the amount, and regularly test the sufficiency, of the liquid resources held for the purposes of meeting the minimum liquid resource requirement , by, at a minimum:
(1) stress testing its liquidity resources once each day using standard predetermined parameters and assumptions;
(2) comprehensively analyzing its stress testing scenarios, models, and underlying parameters and assumptions on at least a monthly basis;
(3) comprehensively analysing its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility; and
(4) reporting the results of its stress testing analyses to appropriate decision makers.
The OCC was required to comply with EAR 17Ad-22(e)(7)(i) and 17AD-22(e)(7)(vi)(A)-(D) by 11th April 2017, however as of the date of the SEC Order, it had still failed to fulfil its legal requirements.
The SEC Order noted that OCC had instead implemented policies and procedures which determined the size of its liquid resources using SCALED NORMAL MARKET CONDITIONS.
By using SCALED NORMAL MARKET CONDITIONS the OCC would have been implementing liquid resources that were very likely to be below that actually required for day-to-day operations. By failing to include extreme but plausible market conditions, the OCC was ensuring that the parameters of liquidity resources were limited to expected normal market conditions. Consequently, it was highly likely that not only were the liquidity resources required on a day-to-day basis much lower than that which might otherwise be required using parameters that included extreme but plausible market conditions, but moreover it could not be said that it was maintaining sufficiency of liquid resources with a high degree of confidence under a wide range of foreseeable stress scenarios.
The OCC had failed to stress test its total liquid resources using a wide range of foreseeable stress scenarios once each day;
Again, if the OCC had actually been stress testing its required liquid resources utilising a wide range of foreseeable stress scenarios each day, then the likelihood is that in all probability it would have been calculating higher minimum liquidity resources required, than that which it was actually calculating. By excluding foreseeable stress scenarios that might be encountered during extreme but plausible market conditions, it was in actuality very likely minimising the minimum liquidity resources calculated, i.e. these may very likely not reflected its ACTUAL MINIMUM LIQUIDITY RESOURCES required utilising both normal and stressed market conditions.
The OCC had failed to analyze its stress testing scenarios, models parameters, and assumptions at least monthly;
By failing to analyse its stress testing scenarios, models parameters and assumptions, at least monthly, it was failing to operate a robust and accurate risk management framework. This is particularly troubling given that the fundamental role of a CCP is to manage risk on a daily basis using the most accurate and granular data and information available. The fact that it was alleged that OCC was failing to scrutinise its stress testing scenarios on a regular basis meant that in actuality it fell far below “normal” CCP operational practices, for example, as compared with the operational practices of other well established CCPs operating in the European Union.
The OCC had failed to analyse its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility;
OCC’s failure to analyse its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility, again is, when benchmarked against the practices of other well established CCPs, a complete and utter failure on the part of the OCC. In fact if we were to solicit comments from other well established CCPs about OCC’s failure to undertake this in practice, it is almost certain that all such CCPs would be highly critical about the negative repercussions that such operational practices would raise in terms of effective risk management practices.
The OCC had failed to report the results of its stress testing analyses to appropriate decision makers;
This failure to report the results of stress testing analyses to appropriate decision makers can in no way be seen as a ‘minor fault’, or something that was ‘overlooked’. Viewed from a legal perspective, this is nothing less than operational negligence on the part of OCC and/or its employees undertaken on a vicarious liability basis. Such negligence is made all the worse given its fundamental role as a SIFMU within the US.
The OCC had failed to include all known sources of possible liquidity obligations in determining the liquidity required in the event of a clearing member default (such as certain possible liquidity, payment, and delivery obligations relating to default auctions);
In practice this failure translated to the OCC having significantly miscalculated possible liquidity obligations required relating to potential clearing member defaults. In practice, the fact that it had failed to calculate such factors meant that it was operating at operational levels far, far below that of many other well established CCPs operating around the world, a fact which is all the more shocking given its fundamental role as a SIFMU in the US.
(5) MAINTAIN A COMPREHENSIVE RISK MANAGEMENT FRAMEWORK
EAR 17Ad-22(e)(3) mandates that a CCA establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to maintain a sound risk management framework to comprehensively manage legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in, or are borne by, the CCA.
EAR 17Ad-22(e)(3)(i) mandates that a CCA’s risk management framework include risk management policies, procedures, and systems that are designed to identify, measure, monitor, and manage the range of risks that arise in, or are borne by, the CCA, and that are subject to review on a specified periodic basis and approved by the board of directors annually.
OCC was required to comply with the latter requirement by 11th April 2017, however at the time of the SEC Order it had failed to implement such policies designed to manage credit and liquidity risks.
OCC lacked policies and procedures which provided for comprehensive stress testing of its financial and liquid resources under a wide range of foreseeable stress scenarios.
OCC failed to implement policies and procedures reasonably designed to manage the operational risk that arises in, or is borne by OCC, and specifically they were not reasonably designed to ensure that its SCI systems and, with respect to security standards, indirect SCI systems had adequate levels of capacity, integrity, resiliency, availability, and security.
OCC’s policies and procedures were also not reasonably designed to provide for a well-founded, clear, transparent, and enforceable legal basis for each aspect of its activities in all relevant jurisdictions, because OCC failed to file proposed rules before adopting certain policies and implemented certain policies prior to approval of the Commission.
It has become patently clear that the OCC’s overall risk management processes and procedures were very far from robust, resilient and secure. Its overall approach to its risk management procedures, its stress testing procedures, its margin methodology procedures, and its security procedures, demonstrate a fundamental disregard to the most basic tenets of a CCP’s operational procedures and mandates.
A CCP is, by design, intended to minimise, mitigate, and deal with risk, and yet all of the evidence offered by the CFTC and SEC Orders cumulatively demonstrate an across-the-board total lapse in operational, technological, and strategic oversight by the OCC. The accumulated failures identified throughout the CFTC and SEC judgments highlight, not highly operationally advanced and complex requirements, but failures in the most basic risk management frameworks for CCP operations.
This is all the more severe taking into account the OCC’s long-established history, its decades of operational experience, its positioning as the largest clearing organization in the world for equity derivatives, and its statute and responsibilities as a SIFMU. Taking into account the fact that in 2018 a single default by a clearing member caused a $133 million hole in Nasdaq’s clearing house buffers, one can imagine the potential damage that might have been caused by a default by one or more of the OCC’s clearing members, which could in turn have potentially caused unquantifiable systemic risk, owing to the huge defects in the OCC’s risk management framework.
Given the fact that in 2017 OCC’s total revenues were $359,619,000, and in 2018 OCC’s total revenues were $467,838,000, it is highly questionable whether a $20 million fine was sufficient to reflect the highly poor operational practices and risk management framework that was put in place by OCC, not only for a short period of time, but in most cases for years and years.
(6) PROTECT THE SECURITY OF CERTAIN OCC INFORMATION SYSTEMS
Rule 1001(a)(1) of Reg. SCI mandates that an SCI entity (e.g. RCA) establish, maintain, and enforce written policies and procedures that are reasonably designed to ensure that its SCI systems , and with respect to security standards, indirect SCI systems , have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI’s entity operational capability and promote the maintenance of fair and orderly markets.
Such policies and procedures must include, at a minimum, regular reviews and testing (as applicable), of such systems (including backup systems), to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters.
OCC was required to implement such legal requirements by 3rd November 2015. As of the date of the SEC Order, OCC had still failed to establish such policies and procedures that were reasonably designed to ensure that its SCI systems and, with respect to security standards, indirect systems, had adequate levels of capacity, integrity, resiliency, availability, and security.
As of 3rd November 2015, OCC had still failed to establish, maintain, and enforce written policies and procedures that were reasonably designed to:
(1) consistently identify, prioritize, test, and implement vendor-issued patches;
(2) secure certain data within cloud environments;
(3) ensure that all network devices, including unused and test network devices, were inventoried; and
(4) ensure security threats would be promptly detected.
The failures highlighted by these alleged infractions demonstrate the incompetence of any, or all, of: (1) OCC’s information technology (IT) department; (2) OCC’s management hierarchy, structure, and reporting lines; and (3) OCC’s legal department.
Given that the OCC is the largest clearing organization in the world for equity derivatives, it is submitted that such failures reflect failures in basic operational procedures, and as such either reflect:
(1) highly lax administrative management and oversight of legal requirements by any, or all of, the above three named departments; or
(2) worse still, intentional choices made to delay implementation of remedial measures either owing to the costs involved, the low prioritisation of such requirements, or a combination of both.
AND
(7) THE OCC FAILED TO OBTAIN COMMISSION APPROVAL FOR PROPOSED RULE CHANGES
Section 19(b)(1) of the Exchange Act requires SROs (e.g. RCAs) to file with the Commission a proposed rule change accompanied by a concise general statement of the basis and purpose of such proposed rule change.
Section 19(b)(1) requires the Commission to publish notice of the proposed rule change and provide interested persons an opportunity to submit written comments.
Section 19(b)(1) prohibits a proposed rule change from taking effect unless it is approved by the Commission, or otherwise permitted under Section 19(b)(1).
OCC failed to file with the Commission proposed rule changes before adopting a number of policies, e.g. by December 2015 OCC had implemented at least 18 policies covering core risk management issues without filing proposed rule changes with the Commission. These covered the following policies:
(1) legal risk policy; (2) model risk management policy; (3) financial resources policy; (4) risk appetite framework; (5) enterprise risk management framework; (6) risk universe; (7) operational risk management; (8) clearing fund policy; (9) margin policy; (10) credit risk management policy; (11) liquidity risk management policy; (12) systems incident escalation policy; (13) default management policy; (14) collateral risk management policy; (15) business continuity planning policy; (16) information technology risk management policy; (17) vendor risk management policy; and (18) capital requirements policy.
OCC had also implemented other policies without obtaining prior Commission approval, e.g. in May 2017 OCC implemented revisions to its:
(1) counterparty credit risk management policy; (2) default management policy; (3) margin policy; (4) risk management framework policy; (5) collateral risk management policy; and (6) revised charter for OCC’s Board of Directors as well as charters for the Board’s Audit Committee, Risk Committee, Compensation and Payment Committee, Governance and Nominating Committee, Risk Committee, and Technology Committee.
The failure to obtain Commission approval for proposed rule changes in practice amounts to breach of the most basic administrative rules pertinent to SEC oversight. The fact that OCC allegedly overlooked dozens of amendments and proposed rule changes highlights the highly lax administrative and legal oversight put in place by the OCC, as well as the failure of OCC’s legal counsel to provide the most basic legal support to the OCC.
Not only that, but it also flies in the face of public oversight of the OCC’s operations. Section 19(b)(1) was put in place for a particular purpose, and that was to ensure governmental and public accountability on the part of the OCC. If OCC was not providing proposed rule changes to the SEC, at best, it had in place extremely bad operational and administrative practices, at worst, it was intentionally placing itself beyond the supervisory practices of the SEC. However, there is more than simply accountability inherent in Section 19(b)(1). It also incorporates elements of public debate and discussion.
The fact that Section 19(b)(1) requires the SEC to provide interested persons with an opportunity to submit written comments, means that the public at large are able to provide commentary, feedback, and opinions on the practices of a SIFMU that in actuality could significantly affect their lives or of their firm’s operations. By failing to submit proposed rule changes, and by circumventing the legal requirements of Section 19(b)(1), the OCC allegedly deprived interested parties of their legal right and opportunity to comment on the working of a public systemically important institution.
[TO BE CONTINUED]
ENDNOTES
(1) Under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act).
(2) Regulation Systems, Compliance, and Integrity under the Exchange Act (Reg SCI) was adopted by the Commission in November 2014 in order to strengthen the technology infrastructure of US securities markets, and also in order to reduce the occurrence of systems issues, improve resiliency when systems problems occurred, and enhanced the Commission’s oversight and enforcement of technology infrastructure of securities markets. OCC had until 3rd November 2015 to comply.
(3) It was therefore alleged that owing to its conduct, OCC had violated Section 17A(d)(1) of the Exchange Act and Rules 17Ad-22(b)(2), 17Ad-22(d)(1), 17Ad-22(e)(1), 17Ad-22(e)(3)(i), 17Ad-22(e)(4)(iii) and (vi), 17Ad-22(e)(6)(i), and 17Ad-22(e)(7)(i) and (vi) thereunder; ;Rules 1001(a)(1) and (2) of Reg. SCI under the Exchange Act; and Section 19(b) of the Exchange Act and Rule 19b-4 thereunder.
(4) Violation of Exchange Act Rule 17Ad-22(b)(2).
(5) Monin, P.J. (2019). The OFR Financial Stress Index. Risks, 7, 25; doi:10.3390/ risks7010025.
(6) Gregory, J. (2014). Central Counterparties. Mandatory Clearing and Bilateral Margin Requirements for OTC Derivatives. John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex.
(7) Inamura, K.; Hattori, A.; Fukuda, Y.; Sugihara, Y.; Teranishi, Y. (2012). Wrong-way risk in OTC derivatives and its implication for Japan’s financial institutions.’ Bank of Japan Review, (June), pp.1-6.
(8) As stipulated in EAR 17Ad-22(e)(4)(i) through (iii).
(9) Eurex Clearing (2019). Stress scenarios and exposure aggregation.
(10) Under Exchange Act Rule 17Ad-22(e)(7)(i).
(11) SCI systems is defined to mean “all computer, network, electronic, technical, automated or similar systems operated by or on behalf of [the entity] that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance” (Rule 1000 of Reg. SCI).
(12) Indirect SCI systems is defined to mean “any systems of, or operated by or on behalf of, [the entity] that if breached, would be reasonably likely to pose a security threat to SCI systems” (Rule 1000 of Reg. SCI).
(13) Proposed rule change is defined to mean “any proposed rule or any proposed change in, addition to, or deletion from the rules of the self-regulatory organization” (Section 19(b)(1) of the Exchange Act). Exchange Act Rule 19b-4(c) states that “a stated policy, practice, or interpretation of the self-regulatory organization shall be deemed to be a proposed rule change unless: (1) it is reasonably and fairly implied by an existing rule; or (2) it is concerned solely with the administration of the self-regulatory organization and is not a stated policy, practice or interpretation with respect to the meaning, administration, or enforcement of an existing rule of the self-regulatory organization.” The term “stated policy, practice, or interpretation” includes “any material aspect of the operation of the facilities of the self-regulatory organization” (Exchange Act Rule 19b-4(a)(6)).
