On September 4, 2019, the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) announced they had entered into settlements with Options Clearing Corporation (“OCC”) regarding its alleged failure to maintain adequate policies to manage its financial risk, operational requirements, and information-systems security. The case represents the first time the CFTC has brought an enforcement action for violations of the Core Principles applicable to Derivatives Clearing Organizations (“DCO”) and the SEC’s first charges relating to violations of its clearing agency standards. Pursuant to the orders, OCC agreed to pay a combined penalty of $20 million to the CFTC and the SEC.
Under the SEC’s jurisdiction, the OCC clears exchange-listed options and over-the-counter options. Indeed, the OCC serves as the only registered clearing agency for exchange-listed option contracts in the United States, which led the SEC to designate it as a systematically important financial market utility in 2012. The SEC order alleged the OCC failed to establish, implement, maintain, and enforce policies and procedures related to its risk-based margins, credit exposure and liquidity risk, and protect information systems. The SEC further alleged that the OCC changed certain of its policies without obtaining approval from the Commission. In accordance with the settlement with the SEC, the OCC agreed to pay a penalty of $15 million and to engage in various remedial actions.
Under the CFTC’s jurisdiction, the OCC clears futures contracts and options on futures contracts. As a clearing house, the OCC is subject to the DCO Core Principles, which contain various requirements, including for risk management, settlement procedures, recordkeeping, and other areas. Like the SEC’s order, the CFTC’s order alleged that the OCC failed to establish, implement, maintain, and enforce policies and procedures to review its risk management, set and monitor its margin requirements, conduct stress tests of its credit exposure, and secure information systems. To settle these allegations, the OCC agreed to pay $5 million and agreed to various remedial and supervisory provisions.
No explanation was provided as to why the CFTC’s penalty amount was a third of the SEC’s penalty amount, but it likely relates to the relative percentage of the OCC’s business that falls within the SEC’s jurisdiction versus that which falls within the CFTC’s jurisdiction.
The SEC and CFTC did not allege that these policy and procedure failures led to any violations of underlying law, and the orders appear to emphasize the SEC’s and CFTC’s close regulatory control over the OCC and their intent to ensure its ability to continue operating in accordance with laws. While the OCC is somewhat unique, these orders provide a reminder that the SEC and CFTC will pay particularly close attention to technical requirements of any entity that plays any form of gate-keeping role with respect to transactions under their jurisdiction.