2020-03-19

CSA Notice of Publication: Regulation to amend Regulation 24-102 respecting Clearing Agency Requirements

The Canadian Securities Administrators are adopting amendments to Regulation 24-102 to enhance operational system requirements for clearing agencies and align them with international CPMI-IOSCO standards. Key changes include mandating cyber resilience controls, broadening security incident reporting obligations, and requiring independent systems reviews by qualified external auditors. The Amendments are expected to come into force on June 19, 2020, subject to necessary ministerial approvals in various jurisdictions.

Canada

Autorite des marches financiers Quebec

CSA Notice of Publication

Regulation to amend Regulation 24-102 respecting Clearing Agency Requirements

Amendments to Policy Statement to Regulation 24-102 respecting Clearing Agency Requirements

March 19, 2020

Introduction

The Canadian Securities Administrators (the CSA or we) are adopting Regulation to amend Regulation 24-102 respecting Clearing Agency Requirements (Regulation) and Amendments to Policy Statement to Regulation 24-102 respecting Clearing Agency Requirements (Policy Statement), together referred to as the Amendments. The Regulation and the Policy Statement are collectively referred to as Regulation 24-102.

The Amendments are expected to be adopted by each member of the CSA. In some jurisdictions, Ministerial approvals are required for the implementation of the Amendments. Provided all necessary ministerial approvals are obtained, the Amendments will come into force on June 19, 2020. Further details can be found in Annex C of this Notice.

The purpose of the Amendments is described in the “Substance and Purpose” section below.

This Notice contains the following annexes:

• Annex A – List of commenters
• Annex B – Summary of comments and CSA responses
• Annex C – Adoption of the Regulation

This Notice, including its annexes, is available on websites of CSA jurisdictions, including:

www.albertasecurities.com
www.bcsc.bc.ca
www.fcaa.gov.sk.ca
www.fcnb.ca
www.lautorite.qc.ca
www.mbsecurities.ca
nssc.novascotia.ca
www.osc.gov.on.ca

Background

The Regulation sets out ongoing requirements for regulated clearing agencies, including requirements that are based on international standards applicable to financial market infrastructures (FMIs) operating as a central counterparty (CCP), central securities depository (CSD) or securities settlement system (SSS).
The Policy Statement includes an annex (Annex I) with supplementary guidance (Joint Supplementary Guidance) that was developed jointly by the Bank of Canada and CSA regulators to provide additional clarity on the PFMI principles for domestic recognized clearing agencies that are also overseen by the Bank of Canada. The Regulation also sets forth certain requirements for clearing agencies intending to apply for recognition as a clearing agency under securities legislation, or for an exemption from the recognition requirement.

We published draft amendments to the Regulation and the Policy Statement for comment on October 18, 2018 (the October 2018 Proposal).

Summary of Comments Received by the CSA

In response to the October 2018 Proposal, we received submissions from 3 commenters. We have considered the comments received and thank all of the commenters for their input. A list of those who submitted comments and a summary of the comments and our responses are attached to this Notice at Annexes A and B respectively. Copies of the comment letters are available at www.osc.gov.on.ca.

Substance and Purpose

1. Purposes of Amendments

The Amendments seek to enhance operational system requirements, align aspects of Regulation 24-102 more closely with similar provisions in Regulation 21-101 respecting Marketplace Operation (Regulation 21-101), and reflect the latest developments and findings of the Committee on Payments and Market Infrastructures of the Bank for International Settlements and the International Organization of Securities Commissions (CPMI-IOSCO) with relevance for the Canadian market. They also incorporate certain comments we received on the October 2018 Proposal. Specifically, the Amendments:

• enhance the systems-related requirements in Part 4, Division 3, of the Regulation and related provisions in the Policy Statement by aligning them more closely with similar provisions in Regulation 21-101, emphasizing the importance of cyber resilience, and clarifying testing and reporting expectations;
• update Regulation 24-102 to include a general reference in the Policy Statement to CPMI-IOSCO guidance reports that have been published on various aspects of the PFMI Principles since the publication of the PFMI Report;
• adopt findings made by the CPMI-IOSCO PFMI implementation monitoring assessment, including substantially simplifying the Joint Supplementary Guidance; and
• make other non-substantive changes, corrections and clarifications to Regulation 24-102.

2. Summary of Amendments

We have set out below a brief summary of the key changes and policy rationales for the Amendments.

a. Financial reporting

Under subsection 2.5(2) of the October 2018 Proposal, we had proposed to clarify that an interim period for financial statements had the same meaning as under Regulation 51-102 respecting Continuous Disclosure Obligations (Regulation 51-102). To avoid potential confusion arising from the reference to Regulation 51-102 and the applicability of exemptions from that regulation, we have removed this language from the Amendments. Instead, we have clarified in the Policy Statement our expectation that exempt clearing agencies should file interim financial statements in accordance with the interim filing requirements of their home regulator, as our intention is not to require such entities to produce and file additional financial statements. We have also clarified in the Policy Statement the content of interim financial statements required to be filed by exempt and recognized clearing agencies under the Regulation.

b. Systems requirements

(i) Cyber resilience has been added to subparagraph 4.6(a)(ii) as one of the controls a recognized clearing agency must develop and maintain. While cyber resilience should already be covered by an entity’s general controls, its explicit addition to the Regulation reflects its increasing importance, as discussed in the June 2016 CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures.1

(ii) The concept of “security breach” in relation to the notifications that must be provided by a recognized clearing agency pursuant to subsection 4.6(c) has been broadened to “security incident”. The change extends the concept beyond actual breaches, as we are of the view that a material event may include one where a breach has not necessarily occurred. We describe “security incidents” in the Policy Statement with reference to the general definition used by the National Institute of Standards and Technology (U.S. Department of Commerce) (NIST),2 a recognized standard also followed by CPMI-IOSCO.

(iii) We have adopted a requirement in the Regulation under section 4.6 that recognized clearing agencies must keep records of any systems failures, malfunctions, delays or security incidents and identify whether they are material. In response to concerns raised in the comments, and to avoid placing an undue burden on recognized clearing agencies, we have not proceeded with additional related reporting requirements that were included in the October 2018 Proposal. However, as noted in the revised Policy Statement language, in circumstances where we consider it appropriate we may nonetheless request additional information from a recognized clearing agency. We have also clarified the Policy Statement language and aligned it with the revised Regulation.

(iv) A new section 4.6.1 regarding auxiliary systems has been adopted. An auxiliary system of a recognized clearing agency is a system that is operated by or on behalf of the clearing agency that, if breached, would pose a security threat to one or more of the systems operated by or on behalf of the agency that support its clearing, settlement and depository functions. We have made minor changes to the definition of auxiliary system in the October 2018 proposal to clarify its intended scope. Consistent with section 4.6, section 4.6.1 includes requirements relating to auxiliary systems with respect to controls and records, and notifications in connection with security incidents.

(v) Amended section 4.7 states that a recognized clearing agency must engage a “qualified external auditor” to conduct and report on its independent systems reviews. We expect the clearing agency to discuss with us its choice of qualified external auditor and the scope of the systems review mandate.

c. Additional CPMI-IOSCO guidance reports

The Policy Statement states that, in interpreting and implementing the PFMI Principles, regard is to be given to the explanatory notes in the PFMI Report unless otherwise indicated in section 3.1 or Part 3 of the Policy Statement. Since the publication of the PFMI Report, CPMI-IOSCO has published related documents and additional guidance on certain specific aspects of the PFMI Principles.3 We have therefore adopted an addition to the Policy Statement that these and other future CPMI-IOSCO reports should be used as guidance in interpreting and implementing the PFMI Principles.

d. CPMI-IOSCO implementation monitoring assessment for Canada

The CPMI-IOSCO implementation monitoring assessment4 noted that a reporting line from the chief compliance officer and the chief risk officer to the chief executive officer may result in insufficient independence of the risk and audit functions unless there are adequate safeguards in place that address potential conflicts of interest. In the October 2018 Proposal, draft amendments to subsection 4.3(1) could have been interpreted as removing the ability of a recognized clearing agency’s board of directors to determine that the chief risk officer and chief compliance officer should report directly to the chief executive officer. In response to the comments we received regarding the October 2018 Proposal, we decided not to proceed with this change. Instead, we have clarified in the Policy Statement that dual line reporting is permitted if there are adequate safeguards in place to ensure that the chief risk officer and chief compliance officer are sufficiently independent from the other members of management.

Also in response to the CPMI-IOSCO assessment, we have simplified and clarified the Joint Supplementary Guidance with respect to the application of the PFMI Principles to domestic recognized clearing agencies that are also overseen by the Bank of Canada.

e. Additional non-substantive changes

Lastly, a number of non-substantive changes, corrections and clarifications were adopted, including modernizing the drafting of Regulation 24-102 in accordance with recently revised CSA rule-making drafting guidelines. By their nature, none of the non-substantive changes should have any impact on the application of Regulation 24-102 to market participants.

1 The guidance is available at https://www.bis.org/cpmi/publ/d146.pdf.
2 The NIST definition of “security incident” is available at https://csrc.nist.gov/Glossary.
3 Links to this material are presently available at https://www.bis.org/cpmi/info_pfmi.htm.
4 See Implementation monitoring of PFMI: Level 2 assessment report for Canada, August 2018 at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD608.pdf.

Questions

Please refer questions to any of the following:

Claude Gatien
Director, Global Initiatives
Autorité des marchés financiers
Tel: 514 395-0337, ext. 4341
Toll free: 1 877 525-0337
Email: claude.gatien@lautorite.qc.ca

Anna Tyniec
Senior Policy Advisor, Clearing Houses
Autorité des marchés financiers
Tel: 514 395-0337, ext. 4345
Toll free: 1 877 525-0337
Email: anna.tyniec@lautorite.qc.ca

Marta Zybko
Director, Clearing Houses
Autorité des marchés financiers
Tel: 514 395-0337, ext. 4391
Toll free: 1 877 525-0337
Email: marta.zybko@lautorite.qc.ca

Aaron Ferguson
Manager, Market Regulation
Ontario Securities Commission
Tel: 416 593-3676
Email: aferguson@osc.gov.on.ca

Stephanie Wakefield
Senior Legal Counsel
Market Regulation
Ontario Securities Commission
Tel: 416 595-8771
Email: swakefield@osc.gov.on.ca

Michael Brady
Manager, Capital Markets Regulation
British Columbia Securities Commission
Tel: 604 899-6561
Email: mbrady@bcsc.bc.ca

Katrina Prokopy
Senior Legal Counsel
Alberta Securities Commission
Tel: 403 297-7239
Email: katrina.prokopy@asc.ca

Paula White
Deputy Director, Compliance and Oversight
Manitoba Securities Commission
Tel: 204 945-5195
Email: paula.white@gov.mb.ca

Liz Kutarna
Deputy Director, Capital Markets, Securities Division
Financial and Consumer Affairs Authority of Saskatchewan
Tel: 306 787-5871
Email: liz.kutarna@gov.sk.ca

ANNEX A

List of Commenters on Draft Regulation to amend Regulation 24-102 respecting Clearing Agency Requirements and Draft Amendments to Policy Statement to Regulation 24-102 respecting Clearing Agency Requirements (as published for comment on October 18, 2018)

Commenters:

CME Group Inc.
LCH Limited
TMX Group Limited

ANNEX B Summary of Comments on Draft Regulation to amend Regulation 24-102 respecting Clearing Agency Requirements and Draft Amendments to Policy Statement to Regulation 24-102 respecting Clearing Agency Requirements and CSA Responses

Columns: 1. Theme/question1; 2. Summary of comments; 3. CSA response

Theme/question: Records retention period

Summary of comments: One commenter noted that while subsection 5.1(1) requires that books and records be retained for seven years, the equivalent requirement under U.S. law is five years. The commenter asked that the retention period in the Regulation be reduced to five years, or that substituted compliance be permitted.

CSA response: The commenter’s proposal is beyond the scope of this initiative, as there are no draft amendments to subsection 5.1(1) in the materials published for comment. This comment will be considered outside of the draft amendments, for example as part of the OSC’s initiative to reduce regulatory burden. A clearing agency may also choose to apply for an exemption from this requirement on the basis of substituted compliance, and the relevant CSA jurisdictions will consider any application on a case by case basis.

Theme/question: Reporting changes to PFMI Disclosure Document

Summary of comments: One commenter requested that substituted compliance with an entity’s home-country regulatory requirements be permitted for exempt clearing agencies with respect to the requirement in subsection 2.2(5). Subsection 2.2(5) requires that the securities regulatory authority be notified in writing of any material change to, or subsequent inaccuracy in, its PFMI Disclosure Framework Document and related application materials.

CSA response: The commenter’s proposal is beyond the scope of this initiative, as there are no draft amendments to subsection 5.1(1) in the materials published for comment. This comment will be considered outside of the draft amendments, for example as part of the OSC’s initiative to reduce regulatory burden. A clearing agency may also choose to apply for an exemption from this requirement on the basis of compliance with an entity’s home country regulatory requirements, and the relevant CSA jurisdictions will consider any application on a case by case basis.

Theme/question: Chief Risk Officer (CRO) and Chief Compliance Officer (CCO) reporting line

Summary of comments: Two commenters expressed concern that the draft amendments to paragraph 4.3(1) could be interpreted to eliminate dual reporting lines of the CRO and CCO to both the management and Board of Directors. The commenters stated that the elimination of dual reporting would require a change in their current practices, even though such practices do not contravene the PFMIs. They find the flexibility of direct reporting to the Board of Directors, while retaining administrative reporting to management, to be efficient and practical, as long as there are parallel mechanisms to ensure that the independence of the CRO and CCO functions from the management is preserved. One of the commenters also noted that dual reporting can be found in a number of foreign clearing agencies, including non-domestic clearing agencies that operate in Canada.

CSA response: It is not our intention to prohibit dual reporting lines for the CRO and CCO to management and the Board of Directors. Rather, our intention is to avoid interpretations and practices that may undermine the independence of key risk and audit roles, a concern raised in the CPMI-IOSCO implementation monitoring assessment and which we share. We recognize, however, that the deletion of language referencing reporting to the CEO may have caused some confusion. We have therefore added explanatory language in a new subsection 4.3(1) to the Policy Statement to better reflect our intent.

Theme/question: Filing of interim financial statements

Summary of comments: One commenter submitted that substituted compliance should be permitted for exempt clearing agencies with respect to the interim financial statement filing requirement in subsection 2.5(2).

CSA response: We have modified the amendment to subsection 2.5(2) to allow clearing agencies to file interim financial statements in CSA jurisdictions at the same intervals they are required to file them in their home jurisdictions, which is generally consistent with the approach taken in Regulation 51-102 and Regulation 71-102. We have also added clarifying language to the Policy Statement to this effect. Given that the proposed reference in subsection 2.5(2) to Regulation 51-102 has now been deleted, we have also amended the Policy Statement to clarify the content of interim financial statements based on IFRS IAS 34.

Theme/question: Independent system reviews

Summary of comments: One commenter disagreed with the draft amendment to paragraph 4.7(1)(a) that would require an external party, as opposed to an internal auditor, to conduct independent system reviews of recognized clearing agencies. The commenter expressed the view that the independent nature of the internal audit function provides sufficient objectivity and that the draft amendment would not enhance the resilience of the control environment.

CSA response: While the CSA recognizes the professional objectivity required of internal auditors, we are of the view that requiring independent systems reviews be conducted by a qualified external auditor at arm’s length from the clearing agency both enhances and promotes confidence in the process. It is also consistent with industry best practices.

Theme/question: Auxiliary systems

Summary of comments: One commenter expressed concern that the definition of “auxiliary systems” is too broad and submitted that the term should only cover systems that are part of the clearing agency ecosystem and under its control.

CSA response: After careful consideration of the comments, we have modified the definition of auxiliary systems in subsection 4.6.1(1) to capture those systems operated by or on behalf of the recognized clearing agency that, if breached, would pose a security threat to the clearing agency’s critical systems i.e. systems that support the recognized clearing agency’s clearing, settlement and depository functions.

Theme/question: Security incidents and related reporting obligations

Summary of comments: One commenter expressed concern with the proposed change from the obligation in paragraph 4.6(c) to report material security breaches to an obligation to report material security incidents, as well as proposed new language in the Policy Statement regarding materiality. The commenter submitted that the resulting obligations would be much broader than the current requirements and would be unduly onerous without providing a clear material benefit. The commenter expressed similar concerns regarding the draft new subsection 4.6(2), which would require clearing agencies to provide a log and explanation for any system issue or security incident regardless of its impact.

CSA response: Given the evolving and multidimensional nature of cyber threats, a sophisticated attack on the entity’s systems and controls can have serious operational, financial or even reputational impact on the entity even if a breach has yet to happen. This is a view that is shared by regulators, organizations and stakeholders globally. The definition of incidents by the National Institute of Standards and Technology (NIST) captures this reality, which is why the CSA has incorporated it into the proposed definition of security incident, in paragraph 4.6(c) to the Policy Statement. With regards to the issue of materiality, we find that relying on internal corporate controls for establishing the materiality threshold is a straightforward and reasonable regulatory anchor for the purpose of event reporting. We have modified paragraph 4.6(c) to clarify the guidance with respect to determining materiality. In addition, we have removed the draft new subsection 4.6(2) in the Regulation which would have required a recognized clearing agency to file with the regulator quarterly reports of any and all system issues and security incidents logs. Instead we have added language to the Policy Statement which reiterates the securities regulator’s discretion to ask for any information related to system issues or security incidents as part of its broader information access rights under section 5.1 of the Regulation.

1 A reference to a provision (i.e. Part, section, subsection, paragraph, etc.) is a reference to a provision of the Draft Regulation, unless otherwise indicated. Defined terms used in this summary table, which are not otherwise defined herein, have the meanings given in the Notice.

ANNEX C

ADOPTION OF THE REGULATION

The Amendments will be implemented as:

• a rule in each of Alberta, British Columbia, Manitoba, New Brunswick, Newfoundland and Labrador, Northwest Territories, Nova Scotia, Nunavut, Ontario, Prince Edward Island and Yukon
• a regulation in Québec
• a commission regulation in Saskatchewan

In Ontario, the Amendments, as well as other required materials, were delivered to the Minister of Finance on March 17, 2020. The Minister may approve or reject the Amendments or return them for further consideration. If the Minister approves the Amendments or does not take any further action, the Amendments will come into force on June 19, 2020.

In Québec, the Amendments are adopted as a regulation made under section 331.1 of the Securities Act (Québec) and must be approved, with or without amendment, by the Minister of Finance. The regulation will come into force on the date of its publication in the Gazette officielle du Québec or on any later date specified in the regulation. It is also published in the Bulletin of the Autorité des marchés financiers.

In British Columbia, some of these changes, specifically changes that do not have a legal effect, have been made by way of revision instead of amendment. Despite this, the intended effect of the changes in the Regulation is consistent across all jurisdictions.

In Saskatchewan, the implementation of the Amendments is subject to ministerial approval. If all necessary approvals are obtained, the Amendments will come into force on June 19, 2020 or, if after June 19, 2020, on the day on which they are filed with the Registrar of Regulations.