Fed Financial Market Utility Op Risks


On Sep. 23, Fed amended FMU operational risk-management rules.


  • Fed invited comment on updates to operational risk-management requirements for certain systemically important financial market utilities (FMUs) that it supervised.
  • Notice of proposed rulemaking (NPR) would amend Regulation HH, 12 CFR 234.
  • Proposal aims to ensure regulation expectations reflect changes to the environment.
  • Operational risk, technology, and regulatory landscape for FMUs evolved significantly, since the Fed last updated its risk management requirements for them in 2014.
  • 2014 update was for global principles for financial market infrastructures (PFMI).
  • New challenges have emerged, such as the global pandemic and more cyber events.
  • Existing FMUs
  • There are 8 designated FMUs, Fed is the supervisory agency under DFA for 2 of them.
  • For The Clearing House Payments Company, L.L.C. (on basis of its role as operator of the Clearing House Interbank Payments System (CHIPS)), and CLS Bank International.
  • SEC is supervisory agency for DTC, FICC, NSCC, OpCC; CFTC is for CME and ICE ICC.
  • FMU Supervision Background
  • FMUs provide essential infrastructure to clear, settle payments, financial transactions.
  • In recognition of criticality of FMUs to financial system stability, DFA established a framework for enhanced supervision of FMUs named systemically important by FSOC.
  • By law, Fed must prescribe risk-management standards governing operations of FMUs.
  • FMU Review
  • Regulation has set of 23 risk-management standards, generally consistent with PFMI.
  • Identify opportunities to address challenges in applying principles-based standards.
  • Further align, as appropriate, with relevant rules by regulators such as SEC, CFTC.
  • Stated belief current provisions of regulation generally still relevant, comprehensive.
  • Yet, Fed staff identified several areas where it believes that updates are necessary.
  • Some of the amendments represent new or heightened regulatory requirements.
  • However, Fed believes they would create minimal added burden for designated FMUs.
  • Key Areas
  • Proposal addressed four key areas, including incident management and notification.
  • Also business continuity management and planning; third-party risk management.
  • Additionally, addressed review and testing of operational risk management measures.
  • Proposal Overview
  • Rules would explicitly require FMUs to establish an incident management framework.
  • Emphasize need for FMUs to continue to advance their cyber resilience capabilities.
  • Updates largely consistent to existing measures FMUs take to comply with regulation.
  • Staff would expect to hold Fedwire Services to same requirements as those proposed.
  • Therefore, staff does not believe the proposed rule will have any direct and material adverse effect on the ability of private-sector FMUs to compete with the Fed.
  • Incident Management and Notification
  • Rulemaking proposed to establish incident management and notification requirements.
  • Currently no such specific requirements, and would make implicit expectations explicit.
  • Required a designated FMU to immediately notify Fed of material operational incidents.
  • Immediately notify affected participants of actual disruptions or material degradation to designated FMU’s critical operations, services or ability to fulfill obligations on time;
  • Must establish plan to notify in timely manner all participants, other relevant entities of all other material operational incidents that would require immediate Fed notification.
  • Added, in part, in light of recent Fed, OCC, FDIC joint rulemaking requiring computer-security incident notification by banking organization, service providers, see #121678.
  • Business Continuity, Planning
  • Emphasized need for designated FMUs to continue progress advancing cyber resilience capabilities specifically, and demonstrate their business continuity capability generally.
  • Would require designated FMU’s business continuity plan (BCP) set out criteria and processes addressing reconnection of a designated FMU to participants, other entities.
  • For events following disruption to the designated FMU’s critical operations or services.
  • Separated annual BCP test obligation into 2 requirements addressing testing, review.
  • Maintained minimum annual tests; elaborated on 3 minimum required test outcomes.
  • Demonstrate FMU's ability to run live production at its 2 sites with distinct risk profiles;
  • Solutions for data recovery, reconciliation enable it to meet objectives to recover and resume operations 2 hours following disruption, enable settlement by end of the day.
  • By day end of disruption even extreme circumstances, including data loss/corruption;
  • Show it has geographically dispersed staff who can effectively run operations, manage.
  • All designated FMUs would be required to review their BCPs on at least annual basis.
  • Two-fold objectives: to incorporate lessons learned from actual, averted disruptions.
  • Also, update scenarios considered, assumptions built in plan to ensure responsiveness to evolving risk environment, incorporate new and evolving sources of operational risk.
  • Third-Party Risk Management
  • Designated FMU required to have systems, policies, procedures, and controls in order to effectively identify, monitor, manage risks associated with third-party relationships.
  • Third-party systems, policies, procedures, controls must ensure risks are identified, monitored, and managed to same extent as if designated FMU were performing itself.
  • Risks include both those stemming from third party itself, and from the supply chain.
  • Made an expectation explicit due to importance of managing third-party relationships.
  • Review, Testing of Risk Measures
  • Set of requirements added on review, testing for more specificity on Fed expectations.
  • Intended to ensure comprehensive, risk-based approach to testing, review program.
  • Including by assessing whether its operational risk measures function as intended.
  • Reviewing design, implementation, and testing of operational risk measures after a material operational incidents/significant changes to environment in which it operates.
  • Remediating any deficiencies identified during testing and review as soon as possible.
  • Comment Request
  • Requested comment on all aspects of proposal, including effective, compliance date.
  • Comment also requested on specific questions listed in proposal for each key area.
  • Where possible, include quantitative data, detailed analysis, rationale for alternatives.
  • Proposed Compliance Date
  • Effective, require compliance 60 days from date final rule published in federal register.
  • Effectiveness
  • Comments must be submitted in 60 days from pending publication in federal register.
  • Oct. 2022 Fed Register Publication
  • On Oct. 5, 2022, Fed published notice of proposed rulemaking, in the federal register.
  • Comments on changes to FMU operational risk-management rules due Dec. 5, 2022.
  • Mar. 8, 2024 Fed Final Rule
  • On Mar. 8, 2024, Fed issued final rule for FMU risk management, related board memo.
  • Final rule becomes effective in 30 days after pending publication in federal register.
  • The final updates are substantively similar to the proposal and largely consistent with existing measures that FMUs take to comply with the current requirements.
  • FMUs subject to the rule must be in compliance with certain updates by 90 days, and with all updates by 180 days after pending publication in the federal register.
  • Mar. 15, 2024 Fed Reg Final Rule
  • On Mar. 15, 2024, Fed published final rule in federal register, effective Apr. 15, 2024.

Regulators Fed
Entity Types Bank; Depo
Reference 89 FR 18749, 3/15/2024; PR, RF Docket No. R-1782, 3/8/2024; Memo, 2/5/2024; 87 FR 60314, 10/5/2022; PR, RF, 9/23/2022; Memo, 9/6/2022; RIN No. 7100-AG40; Docket No. R-1782; ESG; COVID-19; DFA; Citation: 12 CFR 234;
Functions Audit; BCS; Compliance; Cyber; Environment; Financial; Legal; Operations; Outsourcing; Reporting; Risk; Settlement; Technology; Treasury
Countries United States of America
Category
State
Products Banking; Clearing; Payments; Securities
Regions Am
Rule Type Final
Rule Date 9/23/2022
Effective Date 4/15/2024
Rule Id 148717
Linked to Rule :121678
Reg. Last Update 3/15/2024
Report Section US Banking

Last substantive update on 03/19/2024