# Self-Regulatory Organizations; The Depository Trust Company; Fixed Income Clearing Corporation; and National Securities Clearing Corporation; Order Approving Proposed Rule Changes, as Modified by Amendments No. 1, Relating to a Participant System Disruption
On March 14, 2025, The Depository Trust Company (“DTC”), Fixed Income Clearing Corporation (“FICC”) and National Securities Clearing Corporation (“NSCC,” and together with DTC and FICC, the “Clearing Agencies,” or “Clearing Agency” when referring to one of the three Clearing Agencies) filed with the Securities and Exchange Commission (“Commission”) the proposed rule changes SR-DTC-2025-003, SR-FICC-2025-006, and SR-NSCC-2025-003 pursuant to Section 19(b) of the Securities Exchange Act of 1934 (“Exchange Act”) [^1] and Rule 19b-4 [^2] thereunder. The proposed rule changes were published for public comment in the *Federal Register* on March 27, 2025. [^3] The Commission has received comments regarding the substance of the changes proposed in the proposed rule changes. [^4]
[^1] 15 U.S.C. 78s(b)(1).
[^2] 17 CFR 240.19b-4.
[^3] Securities Exchange Act Release Nos. 102712 (Mar. 21, 2025), 90 FR 13919 (Mar. 27, 2025) (File No. SR-DTC-2025-003) (“DTC Notice of Filing”); 102713 (Mar. 21, 2025), 90 FR 13942 (Mar. 27, 2025) (File No. SR-FICC-2025-006) (“FICC Notice of Filing”); and 102711 (Mar. 21, 2025), 90 FR 13926 (Mar. 27, 2025) (File No. SR-NSCC-2025-003) (“NSCC Notice of Filing”).
[^4] Comments on the proposed rule changes are available at *https://www.sec.gov/comments/sr-dtc-2025-003/srdtc2025003.htm.*
On May 2, 2025, pursuant to Section 19(b)(2) of the Exchange Act, [^5] the Commission designated a longer period within which to approve, disapprove, or institute proceedings to determine whether to approve or disapprove the proposed rule changes. [^6]
[^5] 15 U.S.C. 78s(b)(2).
[^6] Securities Exchange Act Release Nos. 102981 (May 5, 2025), 90 FR 19590 (May 8, 2025) (File Nos. SR-DTC-2025-003; SR-FICC-2025-006; SR-NSCC-2025-003).
On June 20, 2025, the Clearing Agencies filed an amendment to each of the proposed rule changes (collectively defined as “Amendment No. 1”). On June 24, 2025, the Commission instituted proceedings to determine whether to approve or disapprove the proposed rule changes, as modified by Amendment No. 1 (hereinafter defined as “Proposed Rule Changes”). [^7] On September 22, 2025, the Commission designated a longer period for Commission action on the Proposed Rule Changes. [^8] For the reasons discussed below, the Commission is approving the Proposed Rule Changes.
[^7] Securities Exchange Act Release Nos. 103310 (June 24, 2025), 90 FR 27698 (June 27, 2025) (File No. SR-DTC-2025-003) (“DTC Amendment”); 103311 (June 24, 2025), 90 FR 27712 (June 27, 2025) (File No. SR-FICC-2025-006) (“FICC Amendment”); and 103309 (June 24, 2025), 90 FR 27717 (June 27, 2025) (File No. SR-NSCC-2025-003) (“NSCC Amendment”).
[^8] Securities Exchange Act Release No. 104008 (Sept. 22, 2025), 90 FR 46281 (Sept. 25, 2025) (File Nos. SR-DTC-2025-003, SR-FICC-2025-006, and SR-NSCC-2025-003).
**I. Background**
The Proposed Rule Changes seek to amend the Clearing Agencies' Disruption Rules. [^9] The Disruption Rules allow the Clearing Agencies to take certain actions to mitigate risk when there is a reasonable basis to conclude that there is a Major Event, which is currently defined as “one or more System Disruption(s) that is reasonably likely to have a significant impact on [a Clearing Agency]'s operations, including the DTCC Systems, that affect the business, operations, safeguarding of securities or funds, or physical functions of [each Clearing Agency, its respective members or participants as defined in the respective rules of the applicable Clearing Agency (hereinafter, “Respective Participants”)] and/or other market participants.” [^10]
[^9] The Clearing Agencies are each a subsidiary of The Depository Trust & Clearing Corporation (“DTCC”). DTCC operates on a shared service model with respect to the Clearing Agencies. Most corporate functions are established and managed on an enterprise-wide basis pursuant to intercompany agreements under which it is generally DTCC that provides relevant services to the Clearing Agencies. Here, the Clearing Agencies are seeking to modify Rule 38(A) (Systems Disconnect: Threat of Significant Impact to the Corporation's Systems) of the Rules, By-Laws and Organization Certificate of DTC; Rule 50A of the FICC Government Securities Division (“FICC-GSD”) Rulebook; Rule 40A of the FICC Mortgage-Backed Securities Division (“FICC-MBSD”) Clearing Rules; and Rule 60A of the NSCC Rules & Procedures (collectively with DTC Rule 38(A), FICC-GSD Rule 50A, and FICC-MBSD Rule 40A, the “Disruption Rules”). The Disruption Rules are publicly available in the respective rules of the applicable Clearing Agency at *https://www.dtcc.com/legal/rules-and-procedures.* Any capitalized terms not otherwise defined herein have the meaning as set forth in the Clearing Agencies' respective rules.
[^10] Disruption Rules, *supra* note 9, Section 1. Under the current Disruption Rules, Respective Participants for NSCC are Members and Limited Members; for DTC, Participants; for FICC-GSD and FICC-MBSD, Members. Under the proposed changes to the Disruption Rules, as referenced herein, Respective Participants for NSCC will be Members, Limited Members, and Sponsored Members; for DTC, Participants, Limited Participants, and Pledgees; for FICC-GSD, Netting Members, CCIT Members, Comparison Only Members, and Funds-Only Settling Bank Members; and for FICC-MBSD, Members, Clearing Members, and Cash Settling Bank Members.
During a Major Event, [^11] the Disruption Rules authorize the Clearing Agencies to (i) disconnect the subject DTCC Systems Participant from DTCC Systems; [^12] (ii) suspend the receipt and/or transmission of files or communications to/from the DTCC Systems Participant and DTCC Systems; or (iii) take, or refrain from taking, or require a DTCC Systems Participant to take, or refrain from taking, any actions the Clearing Agencies consider appropriate to prevent, address, correct, alleviate, or mitigate the event and facilitate the continuation of the Clearing Agencies' services as may be practicable. [^13]
[^11] Under the current rules, the decision to declare a “Major Event” is determined by designated officials listed in the rules and then ratified, modified, or rescinded within five Business Days by the Clearing Agencies' management committees and the Clearing Agencies' Boards of Directors (“Board”). Disruption Rules, *supra* note 9, Section 2.
[^12] “DTCC Systems Participant” is currently defined in the Disruption Rules as, “a [Respective Participant], or third party service provider, or service bureau that is connecting with the DTCC Systems.” “DTCC Systems” is currently defined in the Disruption Rules as, “the systems, equipment and technology networks of DTCC, the Corporation and/or their Affiliates, whether owned, leased, or licensed, software, devices, IP addresses, or other addresses or accounts used in connection with providing the services set forth in the Rules, or used to transact business or to manage the connection with the Corporation.” Disruption Rules, *supra* note 9, Section 1.
[^13]*Id.* at Section 3.
The Disruption Rules also require the DTCC Systems Participant to immediately notify the Clearing Agencies when they become aware of a Major Event, cooperate with the Clearing Agencies in addressing the Major Event, and require the Clearing Agencies to notify a DTCC Systems Participant of any action that the Clearing Agencies take, or intend to take, against it under the rule. [^14]
[^14]*Id.* at Section 4.
Finally, the Disruption Rules provide certain indemnities, clarify powers available to the Clearing Agencies under the Disruption Rules, impose confidentiality requirements, and include a conflicts provision noting that the provisions of Disruption Rules will prevail if there is a conflict between them and any other Rules or Procedures. [^15]
[^15]*Id.* at Section 5.
The Proposed Rule Changes would (i) update and add definitions used throughout the Disruption Rules; (ii) update the provisions and governance for declaring a Major Event (which would be redefined as a Major System Event); (iii) clarify and enhance the requirements of the DTCC Systems Participant to notify the Clearing Agencies of a Systems Disruption (which would be redefined as a Participant System Disruption); (iv) add provisions incorporating the reporting, testing, and approval requirements, process, legal obligations, and governance necessary for “reconnection” (as defined by the Proposed Rule Changes) [^16] of a DTCC Systems Participant that was “disconnected” from DTCC Systems pursuant to a Disruption Rule; and (v) make technical, ministerial, and other conforming and clarifying changes, including updating the name of the Disruption Rules. The Clearing Agencies state that the Proposed Rule Changes will make the rules more efficient, effective, and clear in their governance, authorities, application, and requirements, so that the Clearing Agencies are better situated to address the events that require action under the rules to protect the Clearing Agencies, and their Respective Participants, Affiliates, and the industry more broadly. [^17] In addition, the Clearing Agencies state that the Proposed Rule Changes would enable a DTCC Systems Participant to better understand and prepare for their obligations to the Clearing Agencies in the event of a Participant System Disruption. [^18]
[^16] Under the Proposed Rule Changes, “Reconnection” would be defined as the reestablishment of connectivity between DTCC Systems and the DTCC Systems Participant that was the subject of action taken pursuant to a Disruption Rule.
[^17]*See* DTC Notice of Filing, *supra* note 3, at 13920; FICC Notice of Filing, *supra* note 3, at 13944; NSCC Notice of Filing, *supra* note 3, at 13928.
[^18]*Id.*
**II. Description of the Proposed Rule Change**
First, the Proposed Rule Changes would rename Section 1 of the Disruption Rules from “Major Event” to “Definitions,” and update and add definitions to the section. In addition to various technical, ministerial, and other conforming and clarifying changes to existing definitions, the Proposed Rule Changes would change the following items: [^19]
[^19] Each respective filing was written from the perspective of the Clearing Agencies, collectively, instead of DTC, FICC, and NSCC individually, but application of the proposed rule changes would only apply to the DTCC Systems Participant (as defined below) of the corresponding Clearing Agency or Clearing Agencies.
• Update the existing definition of “DTCC Systems” to include systems, equipment and technology networks of all DTCC Affiliates and expand the types of systems connectivity to include hardware and applications such that, in the event of a Participant System Disruption, all of DTCC's potentially impacted connections, and any means of connectivity, are incorporated into such definition. [^20]
[^20]*Id.*
• Add the definition “Third-Party Provider” to cover Affiliates of Respective Participants, third-party service providers, service bureaus, or other similar entities that connect to DTCC Systems on behalf of or for the benefit of the Respective Participant. The Clearing Agencies state that this definition would help clarify that the Disruption Rules apply to a DTCC Systems Participant's third-party connections to DTCC Systems. [^21]
[^21]*See* DTC Amendment, *supra* note 7, at 27700; FICC Amendment, *supra* note 7, at 27714; NSCC Amendment, *supra* note 7, at 27719.
• Change the existing definition of “DTCC Systems Participant” to clarify that Respective Participants connected to DTCC Systems either directly or through a Third-Party Provider would be considered DTCC Systems Participants. The Clearing Agencies state that this change better reflects the entities that the definition is intended to cover. [^22]
[^22]*See* DTC Amendment, *supra* note 7, at 27699; FICC Amendment, *supra* note 7, at 27713-14; NSCC Amendment, *supra* note 7, at 27719.
• Add the definition “Best Practices” to mean, the “policies, procedures, practices or similar standards and guidelines that are reasonably designed and consistent with then current financial-sector cybersecurity standards issued by an authoritative body that is a U.S. governmental entity or agency, an association of a U.S. governmental entity or agency, or a widely recognized industry organization.” The Clearing Agencies state that the purpose of adding this definition is to clearly state the standards that the Clearing Agencies would require a Third-Party Cybersecurity Firm (as defined below) to employ when such firm is engaged, as would be required by the Disruption Rules and discussed further below. [^23] The Clearing Agencies state that much of the language of this proposed definition comes directly from Section 1001(a)(4) of the Commission's Regulation Systems Compliance and Integrity (“Reg SCI”). [^24]
[^23]*See* DTC Notice of Filing, *supra* note 3, at 13921; FICC Notice of Filing, *supra* note 3, at 13944; NSCC Notice of Filing, *supra* note 3, at 13928.
[^24]*Id.; see also* 17 CFR 242.1001(a)(4).
• Delete the existing definition “Major Event” and replace it with the definition “Major System Event” to mean, “a Participant System Disruption that has or is reasonably anticipated to, for example, disrupt, degrade, cause a delay in, interrupt or otherwise alter the normal operation of DTCC Systems; result in unauthorized access to DTCC Systems; result in the loss of control of, disclosure of, or loss of DTCC Confidential Information; or cause a strain on, loss of, or overall threat to the Corporation's resources, functions, security or operations.” The Clearing Agencies state that, although the new definition is similar to the prior definition, the new definition would more appropriately tie the disruption at issue to the effect on the normal operation of DTCC Systems and less so on any subsequent effect to the Clearing Agencies' operations. [^25]
[^25]*See* DTC Notice of Filing, *supra* note 3, at 13921; FICC Notice of Filing, *supra* note 3, at 13944; NSCC Notice of Filing, *supra* note 3, at 13928.
• Add the definition “Third-Party Cybersecurity Firm” to mean “a firm that, in [the Clearing Agencies'] reasonable judgement, (A) (i) is well-known and reputable; (ii) is not the subject DTCC Systems Participant, or an Affiliate or a Third-Party Provider of the subject DTCC Systems Participant; (iii) is experienced in financial-sector cybersecurity; and (iv) employs Best Practices; or (B) is otherwise determined to be a Third-Party Cybersecurity Firm by the [the Clearing Agencies].” The Clearing Agencies state that the purpose of adding this definition is to clearly describe the type of firm that the Clearing Agencies would require the subject DTCC Systems Participant to engage under the Disruption Rules, as discussed further below. [^26]
[^26]*Id.*
• Delete the existing definition “Systems Disruption” and replace it with the definition “Participant System Disruption” to mean, “an incident resulting from the unintended or unauthorized access to, or the malfunction or corruption (whether partial or total) of one or more systems, of a DTCC Systems Participant or its Third-Party Provider, connected to DTCC Systems.” The Clearing Agencies state that the new definition is intended to capture only disruptions to systems connected to DTCC Systems, whether via a direct connection from the Respective Participant or through the Respective Participant's third-party service provider, and that it is not intended to capture every disruption to every system of the Respective Participant or its provider. [^27]
[^27]*See* DTC Amendment, *supra* note 7, at 27700; FICC Amendment, *supra* note 7, at 27714; NSCC Amendment, *supra* note 7, at 27719.
Second, the Proposed Rule Changes would move current Section 4 of the Disruption Rules to create a new Section 2, which would be renamed “Notifications of a Participant System Disruption.” The Clearing Agencies state that this move would better align the structure of the Disruption Rules with the expected sequence of events of a Participant System Disruption. [^28]
[^28]*See* DTC Notice of Filing, *supra* note 4, at 13921; FICC Notice of Filing, *supra* note 4, at 13944; NSCC Notice of Filing, *supra* note 4, at 13928.
The new Section 2 would delete the notification language of current Section 4 and replace it with more granular notification requirements applicable to any DTCC Systems Participant, not only the Respective Participants of the Clearing Agencies. Specifically, the DTCC Systems Participant would provide the Clearing Agencies with immediate written notice, to include certain DTCC Systems Participant and Participant System Disruption information, if known, but in any event within two hours of experiencing the disruption. [^29] The information required in the notice, if known, would include (i) the legal entity names of the subject DTCC Systems Participant and any of its Third-Party Providers experiencing or otherwise affected or potentially affected by the Participant System Disruption; (ii) contact information of persons who are authorized to act on behalf of the DTCC Systems Participant; and (iii) key details about the Participant System Disruption, such as event type, event effect, start date, end date (if applicable), discovery date, scope, and any other notices or information that was made public.
[^29] The Disruption Rules require immediate notification. The Proposed Rule Changes would retain this requirement and further specify that the written notice must be provided within two hours of experiencing the disruption.
The Clearing Agencies state that the purpose of the proposed changes in the new Section 2 is to (i) enable a DTCC Systems Participant to better understand and prepare for their obligations to the Clearing Agencies in the event that they experience a Participant System Disruption; and (ii) facilitate the Clearing Agencies' timely receipt of key information that could enable a more efficient and effective review and response by the Clearing Agencies to a Participant System Disruption, all in an effort to help mitigate the risk presented by a Participant System Disruption. [^30]
[^30]*See* DTC Notice of Filing, *supra* note 3, at 13921; FICC Notice of Filing, *supra* note 3, at 13944; NSCC Notice of Filing, *supra* note 3, at 13929.
Third, the Proposed Rule Changes would redesignate current Section 2 of the Disruption Rules as Section 3 and rename the section from “Powers of [the Clearing Agencies]” to “Declaration of a Major System Event,” which the Clearing Agencies state would more accurately describe the purpose of the section. [^31] In addition to various technical, ministerial, and other conforming and clarifying changes to the new Section 3, the Clearing Agencies would no longer (i) provide a list of specific persons that may determine that the Clearing Agencies have a reasonable basis to conclude that there is a Major System Event; nor (ii) require, within five Business Days, that such determination be reviewed by a management committee on which all of such listed people serve, and the Board. Instead, the Clearing Agencies propose that such determination be made by two or more members of the Clearing Agencies' “senior most management committee,” [^32] in their reasonable judgement, and then, after such determination is made, the Board, any remaining members of that senior management committee, and the Commission be promptly notified [^33] of such determination.
[^31]*See* DTC Notice of Filing, *supra* note 3, at 13920; FICC Notice of Filing, *supra* note 3, at 13945; NSCC Notice of Filing, *supra* note 3, at 13929.
[^32] The current “senior most management committee” of the Clearing Agencies is the Executive Committee, which includes each of the six persons listed in the existing Disruption Rules that can determine the existence of a Major Event ( *i.e.,* the Chief Executive Officer, the Chief Financial Officer, the Group Chief Risk Officer, the Chief Information Officer, the Head of Clearing Agency Services, and the General Counsel), plus the Chief Client Officer, Global Head of DTCC Digital Assets, Head of Enterprise Services, and the Chief Human Resources Officer. Disruption Rules, *supra* note 9, Section 2.
[^33] “Prompt notification” means the notification is to be made without undue or unreasonable delay, as is consistent with the use of “prompt” in Reg SCI. *See* DTC Notice of Filing, *supra* note 3, at 13921 n.21; FICC Notice of Filing, *supra* note 3, at 13945 n.21; NSCC Notice of Filing, *supra* note 3, at 13929 n.21; *see also* 17 CFR 242.1001.
In addition, the Clearing Agencies would provide the Board an update on the status of the Major System Event and any action taken pursuant to the Disruption Rules on the earlier of 45 calendar days from the date of declaration of the Major System Event or the next scheduled Board meeting, or more frequently following material changes to the status of a Major System Event.
Accordingly, the Clearing Agencies state that the proposed changes shift the authority to make such a determination from only one of the Clearing Agencies' most senior officers to two of the Clearing Agencies' most senior officers. [^34] Further, the proposed changes eliminate two subsequent reviews, after the determination is already made. The Clearing Agencies state that these reviews are administratively burdensome and may complicate managing the event in terms of ratifying, modifying, or rescinding the disconnection of a DTCC Systems Participant that has already happened. [^35] Instead, the Clearing Agencies state that the proposed changes would set clear communication standards and provide more timely transparency to the remaining senior most management committee members, the Board, and the Commission, which could still act in response to the notice without the need for formal meetings pursuant to the Disruption Rules. [^36]
[^34]*See* DTC Notice of Filing, *supra* note 3, at 13920; FICC Notice of Filing, *supra* note 3, at 13945; NSCC Notice of Filing, *supra* note 3, at 13929.
[^35]*Id.*
[^36]*Id.*
Fourth, the Clearing Agencies would redesignate current Section 3 of the Disruption Rules as Section 4, “Authority to Take Action and Required Cooperation,” and make various technical, ministerial, conforming, and clarifying changes to the section. Additionally, the Clearing Agencies propose to clarify and broaden, in what would be Subsections 4(a)(i) and (ii), the connections of the subject DTCC Systems Participant that can be disconnected and the transmissions, communications, or access that can be suspended. The Clearing Agencies state that the purpose of these changes is to help ensure that the Clearing Agencies can adequately address all potential connectivity and communication types for each DTCC Systems Participant in an effort to help mitigate the risk presented by the Participant System Disruption and associated Major System Event. [^37]
[^37]*See* DTC Notice of Filing, *supra* note 3, at 13922; FICC Notice of Filing, *supra* note 3, at 13945; NSCC Notice of Filing, *supra* note 3, at 13929.
New Subsection 4(a)(iii) would continue to provide from current Subsection 3(c) of the Disruption Rules [^38] the authority for the Clearing Agencies to (A) act or not act, or require the subject DTCC Systems Participant to act or not act, as the Clearing Agencies consider appropriate to help mitigate the risk of the Major System Event, as well as (B) facilitate the continuation of services of the subject DTCC Systems Participant, as appropriate and practical, which may require issuing instructions to the DTCC Systems Participant and, as proposed, requiring such instructions to be followed. The Clearing Agencies state that adding the requirement that their instructions be followed is important not only to help facilitate the continuation of services for the subject DTCC Systems Participant but also for any downstream effects that may have or could have resulted from the disruption. [^39]
[^38] Disruption Rules, *supra* note 9, Section 3.
[^39]*See* DTC Notice of Filing, *supra* note 3, at 13922; FICC Notice of Filing, *supra* note 3, at 13945; NSCC Notice of Filing, *supra* note 3, at 13929.
New Subsection 4(b) would reinstate similar language from current Subsection 4(b) that would require the Clearing Agencies to promptly notify the subject DTCC Systems Participant of any disconnection, suspension, or other material action taken. Additionally, the Clearing Agencies would add new language to clarify that, notwithstanding any action the Clearing Agencies take pursuant to new Section 4, the subject DTCC Systems Participant must continue to meet its obligations to the Clearing Agencies and comply with their rules, as applicable.
New Subsection 4(c) would expand the cooperation requirement in current Section 4(a) to require the DTCC Systems Participant to cooperate “fully and completely” with the Clearing Agencies, to the Clearing Agencies' reasonable satisfaction, regarding the Major System Event in whole, instead of limiting such cooperation to the root cause and resolution. Such cooperation would include, for example, (i) conducting timely investigations and inquiries relating to the Participant System Disruption; (ii) promptly notifying the Clearing Agencies of any material changes, updates, or new information learned regarding the Participant System Disruption; and (iii) promptly providing any documentation or information requested by the Clearing Agencies, unless not legally permitted to do so, regarding the Participant System Disruption.
Fifth, the Clearing Agencies would insert a new Section 5 to the Disruption Rules titled “Reconnection Requirements.” New Section 5 would set forth the information that the subject DTCC Systems Participant would be required to provide to the Clearing Agencies, in form and substance that is reasonably satisfactory to the Clearing Agencies, [^40] prior to the Clearing Agencies “reconnecting” a disconnected DTCC Systems Participant. The Clearing Agencies would require three things: (i) a detailed, comprehensive, and auditable report, from a Third-Party Cybersecurity Firm, or a summary of such report; (ii) an attestation from a Participant Officer of the DTCC Systems Participant; [^41] and (iii) an executed indemnity from the DTCC Systems Participant to the reasonable satisfaction and judgement of the Clearing Agencies in consideration of the facts and circumstances.
[^40] Whether the information provided is “reasonably satisfactory” would be a determination by the applicable Clearing Agency in consideration of the facts and circumstances, such as the severity of the disruption, thoroughness of and confidence in the information provided, any outstanding questions or concerns, etc., all within the context of reasonableness. *See* DTC Notice of Filing, *supra* note 3, at 13922 n.23; FICC Notice of Filing, *supra* note 3, at 13946 n.23; NSCC Notice of Filing, *supra* note 3, at 13930 n.23.
[^41] Pursuant to this proposed rule change, “Participant Officer” would be defined as a member of the board of directors, a senior executive officer, or other member of senior management of the subject DTCC Systems Participant.
Proposed Subsection 5(a)(i) would require the report by the Third-Party Cybersecurity Firm, or a summary of such report, to include the following information:
• a timeline of the Participant System Disruption, including all material actions, events, and decisions taken for or relating to the Participant System Disruption;
• a description of the Participant System Disruption and how it was corrected and resolved;
• root cause analysis of the Participant System Disruption;
• confirmation that any severe, critical, or moderate items, or comparable categorizations, identified by the Third-Party Cybersecurity Firm have been resolved;
• confirmation of the normal or intended operation of the subject systems, including, but not limited to, the return or replacement of key systems and datastores to pre-Participant System Disruption resilience, in a safe, secure, and proper manner for at least 72 hours;
• a description of any short- and long-term preventive monitoring and detection recommendations by the Third-Party Cybersecurity Firm; and
• any other information reasonably requested to be included by the Clearing Agencies.
Proposed Subsection 5(a)(ii) would require the Participant Officer to attest to the following:
• the Third-Party Cybersecurity Firm's report is, to the best of the Participant Officer's knowledge, accurate and complete;
• all short-term preventive monitoring and detection controls recommended by the Third-Party Cybersecurity Firm have been implemented;
• all medium- and long-term preventive monitoring and detection controls recommended by the Third-Party Cybersecurity Firm will be promptly implemented;
• the Participant Officer recommends Reconnection to DTCC Systems; and
• the DTCC Systems Participant will continue to oversee remediation efforts and monitor the subject systems, and immediately, but in any event within two hours, notify the Clearing Agencies if there is any indication of the continuation of a Participant System Disruption or an existence of a new Participant System Disruption.
Finally, Subsection 5(b) would require the subject DTCC Systems Participant to promptly provide, upon the applicable Clearing Agency's request, any other documentation or information and/or take other actions to the Clearing Agency's reasonable satisfaction, including obtaining a second Third-Party Cybersecurity Firm onsite validation of the subject DTCC Systems Participant, all of which would be decided by the Clearing Agency in consideration of the facts and circumstances.
The Clearing Agencies state that the purpose of these proposed changes is to (i) provide each DTCC Systems Participant with notice of what information they would need to provide to the Clearing Agencies in order to be Reconnected under the Disruption Rules; (ii) ensure that the Clearing Agencies have all the necessary information regarding the Participant System Disruption and its remediation from an independent, reputable, and knowledgeable third party, so that the Clearing Agencies can make an informed decision about whether Reconnection is appropriate; (iii) confirm that an appropriate senior officer at the subject DTCC Systems Participant is sufficiently informed and responsible for the DTCC Systems Participant's systems and the information being provided to the Clearing Agencies; and (iv) ensure that the Clearing Agencies are properly indemnified for actions or inactions, as needed, all to help mitigate the risk presented by a Reconnection.
Sixth, the Proposed Rule Changes would insert a new Section 6 titled “Reconnection Testing and Approval.” New Subsection 6(a) would require, prior to approval of the Reconnection, that the subject DTCC Systems Participant demonstrate, as applicable, to the Clearing Agencies' reasonable satisfaction, that it:
• can operate in a test environment, including, but not limited to, sending and receiving messages and transactions;
• can replay or resubmit previously submitted messages or transactions;
• can reverse or void previously submitted messages or transactions;
• can confirm the integrity of messages and transactions;
• has alternative communication methods with the Clearing Agency to facilitate the exchange of messages, transactions, and reports; and
• can complete any other such requirements as are reasonably requested by the Clearing Agencies.
Subsection 6(b) would authorize two or more members of the Clearing Agencies' senior most management committee, in their reasonable judgement, to approve the Reconnection of a DTCC Systems Participant that was the subject of action taken pursuant to the Disruption Rules, after the Clearing Agencies have received and reviewed to their satisfaction all information believed necessary for a safe Reconnection and certain testing has occurred, pursuant to Subsection 6(a).
Similar to the governance process for determining a Major System Event, the Clearing Agencies state that it is appropriate that approval of a Reconnection be made by at least two of the Clearing Agencies' most senior officers to help ensure that information regarding the Reconnection has been escalated to the highest management level. But, it is essential that such approval not be made until the Clearing Agencies have (i) received, to their satisfaction, all necessary Participant System Disruption information and (ii) confirmed that the subject DTCC Systems Participant can safely perform the capabilities necessary for submitting, receiving, and correcting information appropriately, confidently, and in a manner unaffected by the Participant System Disruption, so as to help mitigate the risk presented by the Reconnection. [^42]
[^42]*See* DTC Notice of Filing, *supra* note 3, at 13923; FICC Notice of Filing, *supra* note 3, at 13946; NSCC Notice of Filing, *supra* note 3, at 13930.
Seventh, the Proposed Rule Changes would redesignate current Section 5 of the Disruption Rules as Section 7, which would continue to address “Certain Miscellaneous Matters.” In addition to various technical, ministerial, and other conforming and clarifying changes to newly designated Section 7, the Clearing Agencies propose to remove the existing “conflicts” provision and replace it with a “failure to comply” provision. The new “failure to comply” provision would authorize the Clearing Agencies to (i) subject a DTCC Systems Participant to any and all disciplinary action permitted under the rules of the Clearing Agencies, if it fails to comply with the Disruption Rules; and (ii) require a DTCC Systems Participant that has authorized another party, such as a Third-Party Provider, to access and use DTCC Systems to assume responsibility for such authorized party's compliance or compliance failure. The Clearing Agencies state that the purpose of these changes is to emphasize the importance in complying with the Disruption Rules and highlight the actions that the Clearing Agencies may take if there is a failure to comply, as applicable to the subject party. [^43]
[^43]*See* DTC Notice of Filing, *supra* note 3, at 13923; FICC Notice of Filing, *supra* note 3, at 13947; NSCC Notice of Filing, *supra* note 3, at 13931.
Finally, the Clearing Agencies propose to rename the Disruption Rules from “Systems Disconnect: Threat of Significant Impact to [the Clearing Agencies'] Systems” to “Participant System Disruption,” which the Clearing Agencies state is a more appropriate description of the rule, particularly in consideration of the proposed changes. [^44]
[^44]*Id.*
**III. Discussion and Commission Findings**
Section 19(b)(2)(C) of the Exchange Act directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Exchange Act and the rules and regulations thereunder applicable to such organization. [^45] After carefully considering the Proposed Rule Changes, the Commission finds that the Proposed Rule Changes are consistent with the requirements of the Exchange Act and the rules and regulations thereunder applicable to the Clearing Agencies. More specifically, the Commission finds that the Proposed Rule Changes are consistent with Section 17A(b)(3)(F) of the Exchange Act [^46] and Rules 17ad-22(e)(2)(i), (2)(v), and (17)(i) [^47] thereunder as described in detail below.
[^45] 15 U.S.C. 78s(b)(2)(C).
[^46] 15 U.S.C. 78q-1(b)(3)(F).
[^47] 17 CFR 240.17ad-22(e)(17)(i).
**A. Consistency With Section 17A(b)(3)(F) of the Exchange Act**
Section 17A(b)(3)(F) of the Exchange Act requires, among other things, that a clearing agency's rules are designed to promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible. [^48]
[^48] 15 U.S.C. 78q-1(b)(3)(F).
As described above, the Proposed Rule Changes introduce and amend several definitions in the Disruption Rules, streamline governance for declaring a Major System Event, add more granular notification requirements for DTCC Systems Participants, introduce a structured reconnection process, which includes reporting, testing, and approval following a disruption, replace the existing “conflicts” provision with a “failure to comply” provision, and make technical, ministerial, and other conforming and clarifying changes. The Proposed Rule Changes are designed to enhance the Clearing Agencies' ability to identify, manage, respond to, and recover from systems disruptions experienced by a DTCC Systems Participant or its Third-Party Provider. Collectively, the changes impose certain additional obligations on DTCC Systems Participants and provide additional identification of the actions the Clearing Agencies may take to mitigate the risks presented by a Participant System Disruption and associated Major System Event. The changes also strengthen the Clearing Agencies' ability to manage its disruption-related risks by revising the governance procedure for the Clearing Agencies to declare a Major System Event; providing context and clarity regarding the existing “immediate” notification requirement applicable to DTCC Systems Participants regarding Participant System Disruptions; requiring specific enumerated details for DTCC Systems Participants to provide to the Clearing Agencies about a disruption; and imposing new reconnection requirements for DTCC Systems Participants, including a detailed, comprehensive and auditable report from a Third-Party Cybersecurity Firm, or a summary of such report. The proposed changes should strengthen the Clearing Agencies' risk management processes governing systems disruptions. By creating a consistent set of obligations on DTCC Systems Participants for identifying and reporting system disruptions, the Clearing Agencies would enhance their ability to monitor, mitigate, and manage disruption risks—such as unauthorized disclosure of sensitive information or a loss of data or system integrity—in the event a DTCC Systems Participants experiences a Participant System Disruption. Because the Clearing Agencies' information, data, and systems support and enable their ability to conduct essential clearance and settlement functions, enhancing each Clearing Agency's ability to limit the impact of a Participant System Disruption at a DTCC Systems Participant promotes each Clearing Agency's ability to continue the prompt and accurate clearance and settlement of securities transactions.
One commenter, who “agrees with the spirit of the disruption rule updates,” provided comments on several specific aspects of the Proposed Rule Changes, as originally proposed and prior to the Amendment No. 1. DTCC responded to the comments and made several changes related to areas that the commenters addressed. [^49] First, the commenter stated that the originally proposed definition of Participant System Disruption, which required the reporting of all operational incidents rather than only malicious cybersecurity events, was overly broad. [^50] Further, the commenter stated that requiring the reporting of “reasonably anticipated” incidents would be “subjective, vague, and impractical” which would result in large volumes of reporting that could “dilute the [Clearing Agencies' abilities] to identify serious incidents that threaten real harm.” [^51] Specifically, the commenter stated that the overly broad definition “sets an unnecessarily low threshold for incident notification” that “will likely cause participants to overreport low-risk incidents,” and that it risks misapplying disconnection as a response when it would not be appropriate. [^52] The commenter, therefore, stated that the Clearing Agencies should limit the scope of the definition of Participant System Disruption to actual or ongoing “substantial incidents that impact critical services” caused by “malicious cybersecurity breaches.” [^53] The commenter also stated that the Clearing Agencies should more clearly articulate the risks and threats for which they consider disconnection to be an appropriate mitigant. [^54]
[^49]*See* Letter from Stephen Byron, Managing Director, Head of Operations, Technology, Cyber & BCP, Securities Industry and Financial Markets Association (“SIFMA”), dated April 17, 2025 (“SIFMA Letter”).
[^50]*Id.* at 4.
[^51]*Id.* at 2-4.
[^52]*Id.* at 2.
[^53]*Id.* at 4.
[^54]*Id.* at 7.
In response, the Clearing Agencies stated that they believe that the Proposed Rule Changes clearly articulate the risk and threats that would be considered in both declaring a Major System Event and in the actions that could be taken in response to such an event. [^55] Specifically, the Proposed Rule Changes provide that the Clearing Agencies may consider the risks enumerated in the definition of a Major System Event, which include a disruption, degradation, delay, interruption, or alteration to the normal operation of DTCC Systems; unauthorized access to DTCC Systems; loss of control, disclosure, or loss of DTCC Confidential Information; or a strain, loss, or threat to Clearing Agency resources, functions, security, or operations. The Clearing Agencies state that while they cannot account for or enumerate every risk or threat, they believe the Proposed Rule Changes provide clear and sufficient notice on what the Clearing Agencies would consider prior to acting. [^56]
[^55]*See* Letter from W. Carson McLean, Managing Director and Deputy General Counsel, DTCC, dated June 20, 2025 (“DTCC Letter”), at 5.
[^56]*Id.*
The Clearing Agencies also amended the definition of Participant System Disruption in response to the comments by limiting it to a narrower list of incidents, removing the previously proposed “reasonably anticipated” requirement, and explicitly stating that only systems “connected to DTCC Systems” fall within the definition. These amendments to the Participant System Disruption definition are responsive to the commenter's concerns about the scope of the rule by narrowing the definition to a smaller list of “incidents” and explicitly stating that the definition only applies to systems that are “connected to DTCC Systems.” The Clearing Agencies, however, stated that the scope of incidents should not be limited to only “substantial incidents that limit critical services” caused by “malicious cybersecurity breaches” because concepts such as “substantial,” “critical,” and “malicious” are subjective and could result in different interpretations, non-malicious incidents can still present significant risks to DTCC Systems and there is no direct correlation between a “substantial” or “critical” incident at a Participant and the subsequent effect at the Clearing Agencies. [^57] The Commission agrees that a non-malicious or non-substantial incident could still have a material effect at the Clearing Agencies. Accordingly, the amended definition of Participant System Disruption reasonably balances the commenter's concerns about capturing too many incidents, and each Clearing Agency's need to ensure that it can identify, monitor, and manage the impact of a Participant System Disruption on its systems and operations.
[^57]*Id.* at 2.
Second, the commenter stated that demonstrating that a Third-Party Cybersecurity Firm is “specialized” in financial-sector cybersecurity, as originally proposed, would be “complex and subjective” for participants and the requirement that the cybersecurity firm cannot be affiliated with the participant was unclear and potentially unworkable. [^58] Instead, the commenter suggested that the Third-Party Cybersecurity Firm be “experienced” in financial-sector cybersecurity, which would be “more actionable and objective.” [^59] In response, the Clearing Agencies amended the definition of Third-Party Cybersecurity Firm to require the firm to be “experienced” rather than “specialized” in financial-sector cybersecurity, as suggested by the commenter. The Clearing Agencies also agreed that the “not affiliated with” language in the definition was unclear and modified it to remove the exclusion of firms affiliated with DTCC or the Clearing Agencies and clarify that the firm cannot be the subject DTCC Systems Participant or an Affiliate or a Third-Party Provider of the subject DTCC Systems Participant. [^60] The Commission agrees that these changes are reasonable and provide specificity regarding the nature of a Third-Party Cybersecurity Firm.
[^58]*See* SIFMA Letter, *supra* note 49, at 4-5. SIFMA also stated that it “feel[s] strongly that DTCC should not preclude a firm which DTCC itself has formerly or currently retains for cybersecurity incident response. This would significantly detract from system participants' ability to choose an appropriate firm. Additionally, as a practical matter, the proposed language does not state how system participants would have knowledge of what firms have an affiliation with DTCC.” *Id.* at 4.
[^59]*Id.*
[^60]*See* DTCC Letter, *supra* note 55, at 2-3.
Third, the commenter addressed the originally proposed notice and reporting obligations for DTCC Systems Participants. For example, the commenter objected to the two-hour reporting requirement for DTCC Systems Participant because it stated that the requirement will “divert resources and attention away from assessment and remediation” concerning the incident. [^61] The commenter suggested aligning this requirement with other federal and state reporting standards that range from 36 to 72 hours. [^62] In response, the Clearing Agencies clarified that the existing “immediate” reporting requirement is not changing under the Proposed Rule Changes. [^63] Rather, the Clearing Agencies stated that the addition of “no later than two hours after experiencing the disruption” is simply to provide context on what the Clearing Agencies meant by “immediate.” [^64] Further, the Clearing Agencies stated that given the central and interconnected role that the Clearing Agencies play in the U.S. securities markets, it is imperative that they be notified of and be able to assess a Participant System Disruption as immediately as possible. [^65] The Clearing Agencies, however, stated that if information is unknown within two hours, participants can simply report it as “unknown,” emphasizing that it is better to be aware of issues sooner with less information than later with complete information. [^66]
[^61]*See* SIFMA Letter, *supra* note 49, at 5.
[^62]*Id.* at 5-6. Specifically, the commenter stated that the (1) Office of the Comptroller of the Currency requires notifications about incidents no later than 36 hours after the banking organization determines that a notification incident has occurred; (2) Joint Agency Final Rule on Computer-Security Incident Notification Requirements for Banking Organizations and Their Service Providers requires notification no later than 36 hours after determining that a notification event has occurred; and (3) New York State Department of Financial Services has a 72-hour notification requirement. *Id.*
[^63]*See* DTCC Letter, *supra* note 55, at 3.
[^64]*Id.*
[^65]*Id.*
[^66]*Id.*
The Commission agrees that enabling the Clearing Agencies to receive timely information on Participant System Disruptions supports the Clearing Agencies' ability to identify, monitor, and manage risks posed to its operations. Further, providing additional specificity regarding what constitutes the “immediate” timeframe should help the DTCC Systems Participants better comply with the Clearing Agencies' rules. The Commission acknowledges that there would be some resources involved for DTCC Systems Participants to report to the Clearing Agencies, but the Clearing Agencies' statement that simply reporting that certain information is unknown should allow for timely notification, allowing the Clearing Agencies to consider what steps may be necessary to safeguard DTCC Systems while still allowing the DTCC Systems Participants the time to fully address any incidents. Given the connectivity between DTCC Systems and a DTCC Systems Participant's systems, a timeframe of 36 to 72 hours would not allow the Clearing Agencies sufficient time to effectively assess and address the impacts of a Participant System Disruption; the federal and state reporting requirements cited by the commenter [^67] do not address situations in which there is connectivity to a system that could be impacted by the systems issue (as the DTCC Systems could be impacted by their DTCC Systems Participant's systems). Accordingly, the Proposed Rule Changes reasonably balance, on the one hand, the commenter's concerns regarding potentially diverting a DTCC Systems Participant's resources and attention away from assessment and remediation concerning the incident, and, on the other hand, the Clearing Agencies' need to address a Participant System Disruption quickly and remain functional as a systemically important financial market utility.
[^67]*See supra* note 62.
Fourth, the commenter stated that the requirement to report disruptions of an “unaffiliated DTCC Systems Participant” is unclear, should be defined, and could divert resources away from participants' management of incidents. [^68] The commenter also suggested that the Clearing Agencies define the following terms: unauthorized access (actual or anticipated), unavailability, system failures or malfunctions system overloads, data corruption, and restrictions (partial or total). [^69] In response, the Clearing Agencies deleted the notification requirements concerning “unaffiliated DTCC Systems Participants” in Section 2(b), amended the definitions of DTCC Systems Participant and Participant System Disruption, and added an entirely new definition, Third-Party Provider, to more precisely describe the entities the rule is intended to cover ( *e.g.,* participants connected to DTCC Systems directly and third-party service providers connected to DTCC Systems on behalf of participants). [^70] This change addresses the commenter's concern regarding the clarity of the term and ensures that the reporting requirements are focused on participants connected to DTCC Systems directly and third-party service providers connected to DTCC Systems on behalf of participants. The Clearing Agencies also deleted the following originally proposed terms from “Participant System Disruption”: “unavailability,” “failure,” “overload,” “restriction,” and the “actual or anticipated” modifier to “unauthorized access.” The terms “malfunction” and “data corruption” are not defined but are commonly understood.
[^68]*See SIFMA Letter, supra* note 49, at 3, 6.
[^69]*Id.* at 3.
[^70]*See DTCC Letter, supra* note 55, at 3-4.
Fifth, the commenter objected to the proposed disclosure of notices given to other firms or regulators, noting that such communications are subject to confidentiality. [^71] In response, the Clearing Agencies amended the rule text to only require notices to be disclosed if they were made public. [^72] This change addresses the commenter's concern regarding potentially confidential materials, as it clarifies that such materials would not be included.
[^71]*See SIFMA Letter, supra* note 49, at 7.
[^72]*See DTCC Letter, supra note 55,* at 4.
Sixth, the commenter stated that the information that participants should be required to report to the Clearing Agencies should be limited to “an actionable purpose,” and that the requirement that participants provide the Clearing Agencies with the Third-Party Cybersecurity Firm's report is inappropriate as it could contain sensitive information and delay participants' reviews of and responses to the incident. [^73] The Clearing Agencies disagreed with limiting requested information to only “actionable” purposes, stating that this requirement is intended to help inform the Clearing Agencies regarding the disruption so they can make an informed decision and they would need to have the necessary information before they can determine what information is actionable. [^74] However, in response to the commenter's concern about the potential disclosure of sensitive information in in the Third-Party Cybersecurity report, the Clearing Agencies modified the requirement to allow participants to provide the Clearing Agencies with a summary of the Third-Party Cybersecurity report in lieu of the full report. [^75] By allowing a summary of the Third-Party Cybersecurity report in lieu of the full report, the Proposed Rule Changes address the commenter's concern about being required to disclose sensitive information by allowing participants to omit such information in a summary, while still ensuring that the Clearing Agencies receive sufficient information to identify, monitor, and manage risks posed to its operations.
[^73]*See SIFMA Letter, supra* note 49, at 2, 8-9.
[^74]*See DTCC Letter, supra* note 55, at 4.
[^75]*Id.*
Seventh, the commenter stated that the proposal gives Clearing Agencies the authority to interfere with a participant's ability to make business decisions and, therefore, the Clearing Agencies should acknowledge that the participants are best placed to determine mitigation actions and that the Clearing Agencies should explicitly acknowledge their intention to consider the balance of the risk created by the incident with the business effect of any disconnection decision taken by the Clearing Agencies. [^76] In response, the Clearing Agencies stated that they do not believe that the Proposed Rule Changes will interfere with participants' business decisions and that they are intended to protect DTCC Systems and provide necessary information for informed decision-making. [^77] The Clearing Agencies did, however, acknowledge that their decisions in accordance with the Proposed Rule Changes could have business effects on participants. [^78] The Clearing Agencies stated that they did not take that effect lightly and have designed the rule to involve the Clearing Agencies' most senior management, their Board, and the Commission to ensure the action is appropriate. [^79]
[^76]*See* SIFMA Letter, *supra* note 49, at 2, 9.
[^77]*See* DTCC Letter, *supra* note 55, at 5.
[^78]*Id.*
[^79]*Id.*
Finally, the commenter objected to the Clearing Agencies requiring indemnities from affected participants because existing contracts govern these relationships and it requested that the Clearing Agencies clarify their intention with respect to the indemnity requirement. [^80] In response, the Clearing Agencies stated that the indemnity requirement is intended to cover situations that may fall outside of existing relationships, such as bespoke arrangements needed to continue services that present unique risks. [^81] The proposed indemnity is therefore appropriate to address unique and otherwise uncovered risks to the Clearing Agencies.
[^80]*See* SIFMA Letter, *supra* note 49, at 9.
[^81]*See* DTCC Letter, *supra* note 55, at 6.
Based on the foregoing, the Commission finds that the Proposed Rule Changes are consistent with the requirements of Section 17A(b)(3)(F) of the Exchange Act.
**B. Consistency With Rules 17ad-22(e)(2)(i) and (v) of the Exchange Act**
Rules 17ad-22(e)(2)(i) and (v) require that a covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to provide for governance arrangements that are clear and transparent and specify clear lines of responsibility. [^82]
[^82] 17 CFR 240.17ad-22(e)(2)(i) and (v).
As described above, the Proposed Rule Changes would update the governance procedures for declaring a Major System Event. The Proposed Rule Changes would no longer require approval from the Board and specific members of management to declare a Major System Event. Rather, the declaration of a Major System Event would be made by two or more members of the Clearing Agencies' most senior management committee. Similarly, the approval for Reconnection of a disconnected DTCC Systems Participant would be made by two or more members of the Clearing Agencies' most senior management committee. By requiring two or more members of the Clearing Agencies' most senior management committee to declare a Major System Event and approve reconnection, the Proposed Rule Changes provide for governance arrangements that are clear and transparent and specify clear lines of responsibility for making such determinations, consistent with Rule 17ad-22(e)(2)(i) and (v).
**C. Consistency With Rule 17ad-22(e)(17)(i) of the Exchange Act**
Rule 17ad-22(e)(17)(i) requires that a covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls. [^83] In adopting Rule 17ad-22(e)(17)(i), the Commission provided guidance, stating that a covered clearing agency generally should consider, among other things, whether it identifies, monitors, and manages the risks that key participants pose to its operations. [^84] To the extent they interact with the Clearing Agencies' systems, systems of a DTCC Systems Participant or its Third-Party Provider may present operational risk to the Clearing Agencies. As described above, the Clearing Agencies propose expanding the definition of DTCC Systems Participant to specifically name the applicable Respective Participant types and clarifying and enhancing the requirements for each DTCC Systems Participant to notify the Clearing Agencies of a Participant System Disruption, which could pose a risk to the Clearing Agencies' operations and, therefore, result in the inability of the Clearing Agencies to conduct essential clearance and settlement functions. The Clearing Agencies also propose numerous protective measures, such as (1) the right to consider a non-exhaustive list of factors included in the definition of “Major System Event” to determine whether to modify a DTCC Systems Participant's access to the Clearing Agencies' systems in response to a Participant Systems Disruption, up to and including disconnection and (2) requirements for disconnected DTCC Systems Participants to provide a detailed, auditable report from a Third-Party Cybersecurity Firm or a summary of such report, a reconnection attestation, and an executed indemnity to the Clearing Agencies. These proposals support the Clearing Agencies' ability to effectively identify, monitor, and manage the risks that DTCC Systems Participants pose to the Clearing Agencies' operations, and are therefore consistent with Rule 17ad-22(e)(17)(i).
[^83] 17 CFR 240.17ad-22(e)(17)(i).
[^84]*See* Standards for Covered Clearing Agencies, Securities Exchange Act Release No. 78961 (Sept. 28, 2016), 81 FR 70786, 70838 (Oct. 13, 2016).
**IV. Conclusion**
On the basis of the foregoing, the Commission finds that the Proposed Rule Changes, as modified by Amendment No. 1, are consistent with the requirements of the Exchange Act, and in particular, the requirements of Section 17A of the Exchange Act [^85] and the rules and regulations thereunder.
[^85] In approving the Proposed Rule Changes, the Commission has considered the proposed rules' impact on efficiency, competition, and capital formation. *See* 15 U.S.C. 78c(f).
*It is therefore ordered,* pursuant to Section 19(b)(2) of the Exchange Act, [^86] that the Proposed Rule Changes (SR-DTC-2025-003; SR-FICC-2025-006; and SR-NSCC-2025-003), as modified by Amendment No. 1, be, and hereby are, approved.
[^86] 15 U.S.C. 78s(b)(2).
For the Commission, by the Division of Trading and Markets, pursuant to delegated authority. [^87]
[^87] 17 CFR 200.30-3(a)(12).
Sherry R. Haywood,
Assistant Secretary.