Central Counterparty (CCP): Options Clearing Corporation $20 Million Fine: A Critique by Storm-7 Consulting – PART II (CFTC ORDER)

Introduction

This four-part blog will provide an analysis of the $20 million fine imposed on The Options Clearing Corporation, and a critique of the Orders imposed by the United States Securities and Exchange Commission and the United States Commodity Futures Trading Commission. The first two parts of the blog will cover the Order made by the Commodity Futures Trading Commission which imposed a $5 million fine, and the second two parts of the blog will cover the order made by the Securities and Exchange Commission which imposed a $15 million fine.

About Options Clearing Corporation

“Founded in 1973, OCC is the largest clearing organization in the world for equity derivatives. Operating under the jurisdiction of the U.S. Securities and Exchange Commission (SEC) and the U.S. Commodity Futures Trading Commission (CFTC), OCC issues and clears U.S.-listed options and futures on a number of underlying financial assets including common stocks and stock indexes. OCC’s clearing membership consists of approximately 100 of the largest U.S. broker-dealers, U.S. futures commission merchants and non-U.S. securities firms representing both professional traders and public customers. The stockholder exchanges share equal ownership of OCC. This ownership, along with a significant clearing member and public director presence on the Board of Directors, ensures a continuing commitment to servicing the needs of OCC’s participant exchanges, clearing members and their customers. OCC provides clearing services for options, financial and commodity futures, security futures, securities lending transactions and over-the-counter index options.”

Background

On 4th September 2019 the United States (US) Securities and Exchange Commission (SEC) and the US Commodity Futures Trading Commission (CFTC) announced that The Options Clearing Corporation (OCC) would be undertaking remedial efforts, and that they had agreed to pay $20 million in penalties in lieu of settlement of charges that it had failed to implement policies to manage certain risks as required by US laws and SEC and CFTC rules.

[CONTINUED]

(3) FULLY STRESS TEST ITS CREDIT EXPOSURE;

A DCO is required to have adequate financial, operational, and managerial resources to discharge each responsibility of the DCO.

A DCO is also required to maintain financial resources sufficient to cover its exposures with a high degree of confidence and to enable it to perform its functions in compliance with its Core Principles.

In addition, a DCO is required to perform, on a monthly basis, stress testing that will allow it to make a reasonable calculation of the necessary financial resources. Such stress testing must take into account both historical data and hypothetical scenarios.

It was found that at least through to 4th September 2018, the OCC had failed to fully establish, implement, maintain, and enforce policies and procedures requiring monthly stress testing of its financial resources.

In April 2015, the European Association of CCP Clearing Houses (EACH) published its ‘Best practices for CCPs stress tests’. The paper sought to provide guidance on an overview of best practices with regard to how CCPs perform stress tests. This included discussion of principles to apply when CCPs perform stress tests, as well as risk management areas subject to best practice.

In August 2015, CME Group published its ‘Principles for CCP Stress Testing’, which covered areas such as CCP Risk Management Enterprise; Scenario Standardization and Stress Testing Transparency; and Principles for Stress Testing in depth.

In April 2018 the Committee on Payments and Markets Infrastructures and the Board of the International Organization of Securities Commissions published the highly comprehensive ‘Framework for supervisory stress testing of central counterparties (CCPs)’. This contained highly extensive discussions about the processes involved in CCP stress testing, the use of stress scenarios, identification of risk exposures and sources, as well as analytical metrics.

In April 2019 the US CFTC published its report entitled ‘CCP Supervisory Stress Tests: Reverse Stress Tests and Liquidation Stress Test’. The report analysed reverse stress tests of CCP resources, together with an analysis of stressed liquidation costs. The reverse stress test identified potentially implausible scenarios extreme enough to exhaust all pre-funded resources available to a CCP. The report noted that:

“The analysis of stressed liquidation costs was structured to evaluate whether CCPs had sufficiently pre-funded resources to meet both the payment obligations resulting from a house account default concurrent with an extreme market move, as well as greater than expected costs resulting from hedging and auctioning the positions of the defaulting CM.”

This stress test would allow a DCO to undertake a reasonable calculation of necessary financial resources, as well as taking into account both historical data and hypothetical scenarios.

The point being made here is simple.

In modern times there is a significant body of literature that pertains to the development of modern, accurate, and comprehensive CCP stress tests, and a host of highly qualified financial engineers who can accurately calibrate margin models and run CCP diagnostic stress tests. The US CFTC is on its third set of CCP supervisory stress tests which is the same as its European Union (EU) counterpart, the European Securities and Markets Authority (ESMA) which launched its third EU-wide CCPs stress test earlier in 2019.

Why is it then that, despite the fact that OCC was formed in 1973; notwithstanding it has decades of operational experience; and also that problems with its risk management practices were raised and identified by federal regulators in 2013; in September 2018 it had still failed to fully establish, implement, maintain, and enforce policies and procedures requiring monthly stress testing of its financial resources – a basic necessity for all modern CCPs?

(4) FULLY MAINTAIN A COMPREHENSIVE RISK MANAGEMENT FRAMEWORK;

A DCO is required to ensure that it possesses the ability to manage the risks associated with discharging the responsibilities of the DCO through the use of appropriate tools and procedures.

A DCO is also required to establish and maintain written policies, procedures, and controls (approved by its board of directors), which establish an appropriate risk management framework that, at a minimum, clearly identifies and documents the range of risks to which the DCO is exposed, and addresses the monitoring and management of the entirety of those risks, and provides a mechanism for internal audit. This risk management framework is required to be regularly reviewed and updated as necessary.

It was found that to date the OCC had failed to fully establish, implement, maintain, and enforce policies and procedures reasonably designed to manage the credit and liquidity risks associated with discharging its responsibilities as a DCO.

The OCC had also failed to establish, implement, maintain, and enforce policies and procedures reasonably designed to manage its operational risks.

OCCs failure to establish, implement, maintain, and enforce policies and procedures reasonably designed to manager its credit, liquidity, and operational risks will be dealt with in PART II of this blog.

(5) FULLY PROTECT THE SECURITY OF CERTAIN OCC INFORMATION SYSTEMS.

A DCO is required to establish and maintain a programme of risk analysis and oversight to identify and minimise sources of operational risk through the development of appropriate controls and procedures, and automated systems, that are reliable, secure, and have adequate scalable capacity.

A DCO’s programme of risk analysis and oversight with respect to its operations and automated systems must also address:

“Systems operations, including, but not limited to, system maintenance; configuration management (including, baseline configuration, configuration change and patch management, least functionality, inventory of authorized and unauthorized devices and software); event and problem response and management; and any other elements of system operations including in generally accepted best practices.

In addition, a DCO is required to carry out regular, periodic, and objective testing of its automated systems in order to ensure that they are reliable, secure, and have adequate scalable capacity.

The Order found that as of 3rd November 2015, and continuing through various time periods thereafter, OCC had failed to fully establish and maintain a programme of risk analysis and oversight that was reasonably designed to ensure that its automated systems are reliable, secure, and have adequate scalable capacity.

OCC had failed to establish and maintain policies and procedures that were reasonably designed to:

(1) consistently identify, prioritise, test, and implement vendor-issued patches;

(2) ensure that all network devices, including unused and test network devices, were inventoried; and

(3) ensure security threats would be promptly detected.

OCCs failure to establish and maintain such policies and procedures will be dealt with in PART II of this blog.

CFTC Order Civil Monetary Penalty

In accordance with the terms of the order, OCC was ordered to pay a civil monetary penalty in the amount of $5 million US dollars ($5,000,000) plus post-judgment interest.

OCC Remediations

The remediations undertaken by OCC exemplify the range of alleged lapses in its existing risk management framework. For example, as part of the settlement OCC had undertaken a number of remedial efforts, including:

(1) incorporating stress testing into its clearing fund methodology;

(2) enhancing its margin policy;

(3) changing its daily univariate methodology;

(4) enhancing its implied volatility model;

(5) changing its margin methodology for Volatility Indexes and Volatility Indexes Futures;

(6) self-certified a rule change to incorporate liquidation costs in its margin methodology;

(7) further developed its policies and procedures related to its system safeguards and the security of its information systems.

In addition, although OCC did not admit or deny any of the findings or conclusions of the CFTC Order, it replaced many of its senior executives, including the hiring of a new Chief Executive Officer; a Chief Operating Officer; a Head of Financial Risk Management; a Chief Information Officer; a Chief Security Officer; and heads of control functions.

OCC also increased its expenditures and headcount in specific areas (i.e. risk management, compliance, legal, and information technology).

In addition, although one would have already expected such an institution to have already done this, it retained a qualified independent third party compliance auditor to plan and conduct an audit of OCC’s policies and procedures to determine whether they are reasonably designed to: (1) require review of risk-based margin models and the parameters for those models; (2) stress test its credit exposure; (3) manage its credit, liquidity, and operational risks; (4) identify, prioritize, test, and implement vendor-issued patches; (5) inventory all network devices; and (6) promptly detect security threats.

[TO BE CONTINUED]

ENDNOTES

(1) As determined by the Commission.

(2) Section 5(b)(c)(2)(B)(i) of the Act.

(3) Regulation 39.11(a).

(4) Regulation 39.11(c).

(5) Principle 1 (Relevance); Principle 2 (Structure); Principle 3 (Governance); Principle 4 (Transparency).

(6) Scenarios; Stress period of risk (MPOR); Stress positions and prices; stress liquidity; aggregation; calculation of the stress effect; collateral; allocation; governance; validation; disclosure.

(7) Principle 1 (Dynamic Monitoring of Clearing Member and Client Portfolio); Principle 2 (Conservative Safeguards Sizing and the Waterfall Structure); Principle 3 (Comprehensive Scenario Construction); Principle 4 (Thorough Review to Identify Model Limitations); Principle 5 (Maintaining a Robust Governance Structure); and Principle 6 (Transparent Application of Stress Testing Principles and Practices).

(8) Section 5(b)(c)(2)(D)(i) of the Act.

(9) Core Principle I, Section 5b(d)(2)(I)(i) of the Act, and Regulation 39.18(b)(1).

(10) Regulation 39.18(b)(2)(iv).

(11) Regulation 39.18(e)(1).