Federal Register - February 10, 2021
Source: Federal Register
8980
Federal Register / Vol. 86, No. 26 / Wednesday, February 10, 2021 / Notices
to access the System and use the SDR Services on behalf of the user; and (2) removing access for any individuals who should no longer access the System on behalf of the user.49
To participate in the SDR services offered by DDR, each user will be required to enter into a user agreement; by entering into a user agreement each user agrees to be bound by the terms of the user agreement and DDR Operating Procedures, which incorporate terms of DDR's Rulebook.50 In addition, the DDR Rulebook provides that each user must comply with all reasonable requests by DDR for information, documentation, or data concerning such user and related to such user's use of the DDR system as DDR may deem necessary.51 The DDR Rulebook also states that DDR has the right to audit or inspect a user and its facilities with respect to its use of the DDR system, upon reasonable notice.52 Furthermore, the DDR Rulebook provides that users must cooperate with such audits or inspections and with other inquiries by DDR concerning their use of the DDR system.53
The DDR Operating Procedures provide that each user agrees to defend and indemnify DDR from and against all reasonable losses, liabilities, damages, judgments, settlements, fines, costs, and expenses DDR may incur directly arising out of or directly relating to the acts or omissions of a user's participation or failure to participate for itself or on behalf of others in DDR's services or DDR's system, any unauthorized access to DDR's system through such user's interface with DDR's system, or any other matter directly relating to such user that is not the responsibility of DDR under the DDR Operating Procedures, except to the extent that such losses arise out of or relate to the DDR's negligence or willful misconduct.54
With respect to prohibiting or limiting a person's access to SDR services, the DDR Rulebook outlines the process required for DDR to decline an application to become a user of SDR services.55 For example, DDR may deny an applicant's access to the DDR system if required pursuant to applicable law (e.g., due to sanctions against the application administered and enforced by OFAC or the Canadian Government's Office of the Superintendent of Financial Institutions).56 The DDR Rulebook provides that any such applicants would receive notice and an opportunity for a hearing in the event that DDR declines an application.57 The DDR Rulebook also provides that, if the denial of an application is reversed by the DDR Board or by the Commission pursuant to Section 11A of the Exchange Act, such application will be accepted and the applicant granted access following completion of onboarding requirements.58
49 Id. at sec. 1.2.
50 Id. at sec. 1.3.
51 Id. at sec. 10.5.
52 Id.
53 Id.
54 Id., app. A, at sec. 9.
55 See id. at sec. 10.2.
56 See id.
With respect to DDR temporarily denying a user access to or imposing restrictions on its use of the DDR system, the DDR Rulebook provides that DDR may take such action where a user: (i) Violates DDR rules; (ii) refuses to or neglects to comply with any direction DDR deems reasonably necessary to protect its systems and other users; (iii) or any error, delay, or other conduct that materially and adversely affects the operations of DDR (each a Subject Event).59 Limits to the activities, functions, or operation of users may include, but are not limited to, restricting access to the DDR system or a user's ability to submit data via a non-approved source and assessing users with all costs incurred by DDR in connection with a Subject Event and apply any deterrent financial penalties that DDR may deem necessary.60 The DDR Rulebook provides that DDR is required to provide prompt notice to the designated regulators of any such action,61 as well as furnish the user with a concise written statement describing the Subject Event applicable to the user.62
In addition, the DDR Rulebook provides that DTCC has established a Technology Risk Management Team, whose role is to manage information security risk and ensure the availability, integrity, and confidentiality of the organization's information assets.63 DDR will be responsible for monitoring the performance of DTCC regarding implementation and maintenance of information security within its infrastructure.64 The DDR Rulebook specifies that various policies have been developed to provide the framework for both physical security and information security are routinely refreshed.65
57 See id.
58 See id.
59 See id. at sec. 10.4.1.
60 See id.
61 See id.
62 See id. at sec. 10.4.2 (setting out DDR's procedures for restrictive proceedings, including the user's response to the Subject Event written statement, the user's opportunity for a hearing, and the user's right to apply for review to the DDR Board).
63 Id. at sec. 9.2.
64 Id. at sec. 9.1.
According to DDR, the Technology Risk Management Team carries out a series of processes to endeavor to ensure DDR is protected in a cost-effective and comprehensive manner, while still meeting the requirements of applicable regulations.66 This includes preventive controls such as firewalls, appropriate encryption technology, and authentication methods.67 Vulnerability scanning is used to identify high risks to be mitigated and managed and to measure conformance against the policies and standards.68
The DDR system is supported by DTCC and relies on the disaster recovery program maintained by DTCC.69 To enable DDR to provide timely resumption of critical services should there be any disruption to its business, DDR follows these key principles for business continuity and disaster recovery: (i) Achieve recovery of critical services within a four-hour window with faster recovery time in less extreme situations; (ii) disperse staff across geographically diverse operating facilities; (iii) operate multiple back-up data centers linked by a highly resilient network technology; (iv) maintain emergency command and out-of-region operating control; (v) utilize new technology which provides high-volume, high-speed, asynchronous data transfer over distances of 1,000 miles or more; (vi) maintain processes that mitigate marketplace, operational and cyber-attack risks; (vii) test continuity plan readiness and connectivity on a regular basis ensuring that users and third-party vendors/service providers can connect to DDR's primary and backup sites; (viii) communicate on an emergency basis with the market, users and government agency decisionmakers; and (ix) evaluate, test, and utilize best business continuity and resiliency practices.70
C. Acceptance and Use of SBS Data
The application provides that DDR will provide Market Participants with the ability to submit data for over-the-counter (OTC) derivatives for credits, equities, rates, foreign exchange (FX) and other commodity asset classes.71 DDR may reject a transaction record submitted due to the submission failing to meet DDR validations, including but not limited to the submission failing to be
65 Id. at sec. 9.2.
66 Id.
67 Id.
68 Id.
69 See id. at sec. 8.1.
70 See id.
71 Id. at sec. 3.1; see also Disclosure Document, Ex. D6, sec. 1.