1.1         Introduction

This blog will provide an analysis of the $20 million fine imposed on The Options Clearing Corporation, and a critique of the Orders imposed by the United States Securities and Exchange Commission and the United States Commodity Futures Trading Commission.

The first part will cover the Order made by the Commodity Futures Trading Commission which imposed a $5 million fine, and the second part will cover the order made by the Securities and Exchange Commission which imposed a $15 million fine.

1.2         About Options Clearing Corporation

“Founded in 1973, OCC is the largest clearing organization in the world for equity derivatives. Operating under the jurisdiction of the U.S. Securities and Exchange Commission (SEC) and the U.S. Commodity Futures Trading Commission (CFTC), OCC issues and clears U.S.-listed options and futures on a number of underlying financial assets including common stocks and stock indexes. OCC’s clearing membership consists of approximately 100 of the largest U.S. broker-dealers, U.S. futures commission merchants and non-U.S. securities firms representing both professional traders and public customers. The stockholder exchanges share equal ownership of OCC. This ownership, along with a significant clearing member and public director presence on the Board of Directors, ensures a continuing commitment to servicing the needs of OCC’s participant exchanges, clearing members and their customers. OCC provides clearing services for options, financial and commodity futures, security futures, securities lending transactions and over-the-counter index options.”

1.3         Background

On 4th September 2019 the United States (US) Securities and Exchange Commission (SEC) and the US Commodity Futures Trading Commission (CFTC) announced that The Options Clearing Corporation (OCC) would be undertaking remedial efforts, and that they had agreed to pay $20 million in penalties in lieu of settlement of charges that it had failed to implement policies to manage certain risks as required by US laws and SEC and CFTC rules.

1.4         Proceedings before the CFTC

As a Derivatives Clearing Organization (DCO), OCC is required to comply with the DCO Core Principles (Core Principles) which establish standards for the operation of DCOs.[1] In the CFTC Order, the CFTC noted that the Core Principles impose inter alia, requirements relating to:

(1)        the financial, operational, and managerial resources of a DCO; 

(2)        risk management standards;

(3)        rules and procedures relating to management of clearing member defaults;

(4)        risk analysis and oversight of operations and automated systems; and

(5)        clearinghouse governance standards.

The CFTC found that OCC had failed to fully comply with specified Core Principles by failing to establish, implement, and enforce certain policies and procedures reasonably designed to:

(1)        consider and produce margin levels commensurate with every potential risk and particular attribute of each relevant product cleared by OCC; and

(2)        effectively measure, monitor, and manage its credit exposure and liquidity risk; and

(3)        protect the security of certain of its information systems.

The CFTC Order observed that:

“DCOs are an essential part of the U.S. futures and options markets and, as such, they are required to be structured to manage and reduce risk. In instances where a DCO is not structured and operated appropriately, it can pose a risk to the broader financial system. Disruption to OCC’s operations, or failure by OCC to manage risk, could result in significant costs not only to OCC itself and its members, but also to other market participants.”

1.5         Material Representations by OCC

In its 2017 Annual Report entitled “Innovate, Educate, Advocate” (as of 31st December 2017), OCC expressly stated in Note 17. Contingencies, at page 47:

“In the normal course of business, OCC may be subject to various lawsuits and claims. In addition, as a regulated entity, OCC is subject to examinations by the SEC and CFTC. From time to time, such examinations result in regulatory findings or other matters, the resolution of which could in the future include remediation or fines. At December 31, 2017, there was no outstanding litigation or regulatory matters that would have a material adverse effect on the financial statements.”

In its 2018 Annual Report entitled “Clear the Path” (as of 31st December 2018), OCC expressly stated in Note 17. Contingencies, at page 46:

“In the normal course of business, OCC may be subject to various lawsuits, claims, and other legal proceedings. In addition, as a regulated entity, OCC is subject to examination by the SEC and CFTC. In connection with these regulatory and legal matters, OCC has accrued $15 million as of December 31, 2018. Actual settlement amounts may exceed amounts accrued and such amounts could be material.”

1.6         Failure to Comply with Core Principles B, D, and I

The CFTC Order found that OCC had failed to comply with Core Principles B, D, and I.

The CFTC Order found that OCC had failed to establish, implement, maintain, and enforce policies and procedures reasonably designed to:

1.6.1    Require Review of its Risk-Based Margin Models and the Parameters for those Models on a Regular Basis;

Core Principle D requires a DCO to ensure that it possesses the ability to manage the risks associated with discharging the responsibilities of the DCO through the use of appropriate tools and procedures.[2]

A DCO is also required to use margin requirements to cover its potential credit exposures to clearing members, and that each model and parameter used in setting such margin requirements be risk-based and reviewed on a regular basis.[3]

It was found that OCC failed to fully establish, implement, maintain, and enforce policies and procedures reasonably designed to require review of its risk-based margin models and the parameters for those models on a regular basis.

In February 2018 a spike in a barometer of market sentiment in the US, namely the CBOE Volatility Index (or VIX), spiked in early February, thereby causing a huge cascade of issues in the options market, leaving many traders with significant market losses.

Subsequent to this event, the SEC and CFTC launched probes into OCC’s risk management models and margin rules to identify whether the clearinghouse for the US options market had failed to accurately anticipate how much liquidity would be needed to cover the losses, i.e. whether there were any rule violations in relation to the calculation of margin levels, stress testing of positions, and maintaining critical computer systems. It is these initial investigations, combined with earlier investigations that culminated in this final review by the CFTC.

A CCP’s margin models are an absolutely fundamental part of its ongoing operations. From an operational perspective, if a CCP’s margin models are not accurate then clearing members (indirect, direct) will be posting too much, or too little margin, depending on the calibration of the margin model.

If clearing members post too much margin, then the costs of trading increase and this can hamper market trading and, in turn, market liquidity, thereby affecting market volatility.

If clearing members post too little margin, then in the event of adverse market events, and potential defaults of clearing members, the CCP will not hold sufficient margin to cover any potential default scenario and will then have to revert back to using its other default defences as delineated in its default waterfall.

The main points to note here are that the OCC was founded in 1973. In 2001 it was registered with the Commission as a DCO for the clearing of futures contracts and options on futures contracts, and since 2008, it was further authorized to clear commodity options executed on a designated contract market, in addition to futures contracts and options on futures contracts. It therefore had decades of operational experience under its belt.

It is the largest clearing organization in the world for equity derivatives. Moreover, it has been designated as a ‘Systemically Important Financial Market Utility’ (SIFMU)[4], and therefore it was not only required to set the bar in terms of world class standards, but it was also supposed to lead by example by showcasing best practices globally. Yet, according to the CFTC Order, the OCC had failed an objective test which modestly set the bar at “reasonably designed”, i.e. the policies and procedures to review its risk-based margin models and the parameters for those models on a regular basis were alleged to be not even reasonably designed.

Viewed in such terms, if the allegations were proved to be correct, the OCC would have done an abysmally terrible job at living up to such standards, especially since margin methodologies are one of the most crucial operational aspects of any functional CCP.

1.6.2    Consider and Produce Margin Levels Commensurate with the Risks and Attributes of Each Relevant Product Cleared by OCC;

A DCO is required to establish Initial Margin (IM) requirements that are commensurate with the risks of each product and portfolio, including any unusual characteristics of, or risk associated with, particular products or portfolios, including but not limited to jump-to-default risk or similar jump risk.[5]

The Order noted:

“To date, OCC has not fully established, implemented, maintained, or enforced policies and procedures reasonably designed to consider and produce margin levels commensurate with every potential risk and particular attribute of each relevant product and portfolio cleared by OCC. OCC’s margin model fails to fully consider the impact of market liquidation costs, including bid-ask spreads and other transaction-based costs, as well as the potential market impact of liquidation activity.”

There are two main aspects relating to this finding. The first is that the top priority for any CCP in operation today, is developing and calculating in a highly accurate way, and recalibrating on a regular basis, what is referred to as ‘the margin period of risk’ (MPOR).

The MPOR is defined as “the term used to refer to the effective time between a counterparty ceasing to post margin and when all the underlying trades have been successfully closed out and replaced (or otherwise hedged)” (Gregory, 2014).[6]

The more accurate the calculation of the MPOR, the more accurate the margin model reflects the margins required to accurately and efficiently deal with a clearing member default. The MPOR combines two periods, namely:

(1)        ‘pre-default’, which represents the time before the counterparty defaults and includes the contractual period for making margin calls (e.g. daily), and operational delays in requesting and receiving margin; margin disputes; settlement of non-cash margin; grace period given from a party failing to post margin to being deemed to be in default; and 

(2)        ‘post-default’, which includes the time to close out trades; re-hedging and/or replacement of positions; and auction of trades (Gregory, 2014).

The MPOR will differ depending on the particular type of financial instrument being cleared in question. However, what can be said is that generally speaking derivatives that are traded on an exchange (i.e. Exchange Traded Derivatives (ETD)) are more standardised than over-the-counter (OTC) derivatives that are subsequently cleared on a CCP.

Therefore, the market liquidation costs, bid-ask spreads and other transaction-based costs, as well as the potential market impact of liquidation activity, are easier to calculate for ETD than they are for OTC derivatives cleared on a CCP.

If current CCPs such as Eurex Exchange operating in Germany have developed highly accurate and comprehensive margin models to fully consider the impact of market liquidation costs, bid-ask spreads, and other transaction-based costs, as well as the potential market impact of liquidation activity for OTC cleared derivatives, it is difficult to see why OCC has failed to do so for ETD.

Now, it is at this point that matters become really interesting. In September 2013, following two-and-a-half years of examinations by federal market authorities, regulators levelled a wide-ranging critique of the way OCC managed risk and handled compliance.

This included criticisms of the way OCC measured financial risks facing its members, flaws in the way that OCC prepared for market freeze-ups, senior management supervision failures by the OCC’s Board, and improper management of conflicts of interest. A letter sent to OCC dated 8th September 2013 by the SEC stated that:

“[T]he excessive number of repeat findings raises a serious concern about OCC’s overall commitment to establishing a culture of regulatory compliance and, more specifically, its ability to timely and adequately address the Staff’s findings.”

At the time, Jim Binder, spokesman for OCC enunciated that:

“We are diligently working on a response that will confirm our commitment to resolving the issues identified in the letter, and that will describe the processes that we’ve put in place over the last year or so to prevent a recurrence of similar shortcomings in the future.”

Jim Binder noted that the OCC was taking the SEC examination letter “very seriously”. In fact, it was taken so seriously that more than five years later the OCC was hit with a $20 million fine for pretty much the same failures identified previously.

1.6.3    Fully Stress Test its Credit Exposure;

A DCO is required to have adequate financial, operational, and managerial resources[7] to discharge each responsibility of the DCO.[8]

A DCO is also required to maintain financial resources sufficient to cover its exposures with a high degree of confidence and to enable it to perform its functions in compliance with its Core Principles.[9]

In addition, a DCO is required to perform, on a monthly basis, stress testing that will allow it to make a reasonable calculation of the necessary financial resources. Such stress testing must take into account both historical data and hypothetical scenarios.[10]

It was found that at least through to 4th September 2018, the OCC had failed to fully establish, implement, maintain, and enforce policies and procedures requiring monthly stress testing of its financial resources.

In April 2015, the European Association of CCP Clearing Houses (EACH) published its ‘Best practices for CCPs stress tests’. The paper sought to provide guidance on an overview of best practices with regard to how CCPs perform stress tests. This included discussion of principles[11] to apply when CCPs perform stress tests, as well as risk management areas subject to best practice.[12]

In August 2015, CME Group published its ‘Principles for CCP Stress Testing’, which covered areas such as CCP Risk Management Enterprise; Scenario Standardization and Stress Testing Transparency; and Principles for Stress Testing in depth.[13]

In April 2018 the Committee on Payments and Markets Infrastructures and the Board of the International Organization of Securities Commissions published the highly comprehensive ‘Framework for supervisory stress testing of central counterparties (CCPs)’. This contained highly extensive discussions about the processes involved in CCP stress testing, the use of stress scenarios, identification of risk exposures and sources, as well as analytical metrics.

In April 2019 the US CFTC published its report entitled ‘CCP Supervisory Stress Tests: Reverse Stress Tests and Liquidation Stress Test’. The report analysed reverse stress tests of CCP resources, together with an analysis of stressed liquidation costs. The reverse stress test identified potentially implausible scenarios extreme enough to exhaust all pre-funded resources available to a CCP. The report noted that:

“The analysis of stressed liquidation costs was structured to evaluate whether CCPs had sufficiently pre-funded resources to meet both the payment obligations resulting from a house account default concurrent with an extreme market move, as well as greater than expected costs resulting from hedging and auctioning the positions of the defaulting CM.”

This stress test would allow a DCO to undertake a reasonable calculation of necessary financial resources, as well as taking into account both historical data and hypothetical scenarios.

The point being made here is simple.

In modern times there is a significant body of literature that pertains to the development of modern, accurate, and comprehensive CCP stress tests, and a host of highly qualified financial engineers who can accurately calibrate margin models and run CCP diagnostic stress tests.

The US CFTC is on its third set of CCP supervisory stress tests which is the same as its European Union (EU) counterpart, the European Securities and Markets Authority (ESMA) which launched its third EU-wide CCPs stress test earlier in 2019.

Why is it then that, despite the fact that OCC was formed in 1973; notwithstanding it has decades of operational experience; and also that problems with its risk management practices were raised and identified by federal regulators in 2013; in September 2018 it had still failed to fully establish, implement, maintain, and enforce policies and procedures requiring monthly stress testing of its financial resources – a basic necessity for all modern CCPs?

1.6.4    Fully Maintain a Comprehensive Risk Management Framework;

A DCO is required to ensure that it possesses the ability to manage the risks associated with discharging the responsibilities of the DCO through the use of appropriate tools and procedures.[14]

A DCO is also required to establish and maintain written policies, procedures, and controls (approved by its board of directors), which establish an appropriate risk management framework that, at a minimum, clearly identifies and documents the range of risks to which the DCO is exposed, and addresses the monitoring and management of the entirety of those risks, and provides a mechanism for internal audit. This risk management framework is required to be regularly reviewed and updated as necessary.

It was found that to date the OCC had failed to fully establish, implement, maintain, and enforce policies and procedures reasonably designed to manage the credit and liquidity risks associated with discharging its responsibilities as a DCO.

The OCC had also failed to establish, implement, maintain, and enforce policies and procedures reasonably designed to manage its operational risks.

OCCs failure to establish, implement, maintain, and enforce policies and procedures reasonably designed to manager its credit, liquidity, and operational risks will be dealt with in the second part of this Report.

1.6.5    Fully Protect the Security of Certain OCC Information Systems;

A DCO is required to establish and maintain a programme of risk analysis and oversight to identify and minimise sources of operational risk through the development of appropriate controls and procedures, and automated systems, that are reliable, secure, and have adequate scalable capacity.[15]

A DCO’s programme of risk analysis and oversight with respect to its operations and automated systems must also address:

“Systems operations, including, but not limited to, system maintenance; configuration management (including, baseline configuration, configuration change and patch management, least functionality, inventory of authorized and unauthorized devices and software); event and problem response and management; and any other elements of system operations including in generally accepted best practices.[16]

In addition, a DCO is required to carry out regular, periodic, and objective testing of its automated systems in order to ensure that they are reliable, secure, and have adequate scalable capacity.[17]

The Order found that as of 3rd November 2015, and continuing through various time periods thereafter, OCC had failed to fully establish and maintain a programme of risk analysis and oversight that was reasonably designed to ensure that its automated systems are reliable, secure, and have adequate scalable capacity.

OCC had failed to establish and maintain policies and procedures that were reasonably designed to:

(1)        consistently identify, prioritise, test, and implement vendor-issued patches;

(2)        ensure that all network devices, including unused and test network devices, were inventoried; and

(3)        ensure security threats would be promptly detected.

OCCs failure to establish and maintain such policies and procedures will be dealt with in the second part of this Report.

1.7         CFTC Order Civil Monetary Penalty

In accordance with the terms of the order, OCC was ordered to pay a civil monetary penalty in the amount of $5 million US dollars ($5,000,000) plus post-judgment interest.

1.8         OCC Remediations

The remediations undertaken by OCC exemplify the range of alleged lapses in its existing risk management framework. For example, as part of the settlement OCC had undertaken a number of remedial efforts, including:

(1)        incorporating stress testing into its clearing fund methodology;

(2)        enhancing its margin policy;

(3)        changing its daily univariate methodology;

(4)        enhancing its implied volatility model;

(5)        changing its margin methodology for Volatility Indexes and Volatility Indexes Futures;

(6)        self-certified a rule change to incorporate liquidation costs in its margin methodology;

(7)        further developed its policies and procedures related to its system safeguards and the security of its information systems.

In addition, although OCC did not admit or deny any of the findings or conclusions of the CFTC Order, it replaced many of its senior executives, including the hiring of a new Chief Executive Officer; a Chief Operating Officer; a Head of Financial Risk Management; a Chief Information Officer; a Chief Security Officer; and heads of control functions.

OCC also increased its expenditures and headcount in specific areas (i.e. risk management, compliance, legal, and information technology).

In addition, although one would have already expected such an institution to have already done this, it retained a qualified independent third party compliance auditor to plan and conduct an audit of OCC’s policies and procedures to determine whether they are reasonably designed to:

(1)        require review of risk-based margin models and the parameters for those models;

(2)        stress test its credit exposure;

(3)        manage its credit, liquidity, and operational risks;

(4)        identify, prioritize, test, and implement vendor-issued patches;

(5)        inventory all network devices; and

(6)        promptly detect security threats.

2             PROCEEDINGS BEFORE THE SEC

The SEC Order noted that because OCC was the sole registered clearing agency for exchange listed option contracts in the US, it had been designated as a ‘Systemically Important Financial Market Utility’ (SIFMU).[18] The SEC Order further observed that:

“OCC serves as sole registered clearing agency for exchange listed option contracts in the United States… Disruption to OCC’s operations, or failure by OCC to manage risk, could result in significant costs not only to OCC itself and its members, but also to other market participants or the broader U.S. financial system.

As a registered clearing agency, OCC is a self-regulatory organization under the Exchange Act. Self-regulatory organizations are charged with an important public trust to carry out their self-regulatory responsibilities effectively and fairly, while fostering free and open markets, protecting investors, and promoting the public trust.”

2.1         Rule 17Ad-22(e) under the Exchange Act

Rule 17Ad-22(e) sought to establish standards for registered clearing agencies that met the definition of “covered clearing agency” (CCA), and was first proposed in March 2014. The Commission adopted it in October 2016, and since OCC was a CCA for the purposes of the rule, it was required to comply by 11th April 2017.

The rule was adopted in order to impose consistent, higher minimum risk management standards across all CCAs, and also in order to mitigate the potential for any moral hazard associated with risk management at a CCA.

2.2         OCC’s Failure to Comply

Despite the fact that the Commission staff had notified OCC of material weaknesses with its policies and procedures that could result in violations of Rule 17Ad-22(e) and Reg. SCI[19], if they were not corrected before the required compliance dates, OCC failed to comply with these rules by the required compliance dates.

The Commission alleged that OCC had failed to establish, implement, maintain and enforce policies and procedures reasonably designed to:

(1)        review its risk-based margin models and the parameters for those models on a monthly basis;

(2)        consider and produce margin levels commensurate with the risks and particular attributes of each relevant product cleared by OCC;

(3)        effectively measure, monitor, and manage its credit exposure and liquidity risk;

(4)        maintain a comprehensive risk management framework;

(5)        protect the security of certain of its information systems; and

(6)        provide for a well-founded, clear, transparent and enforceable legal framework for every aspect of its activities.

In addition, it was alleged that OCC had also failed to comply with Section 19(b) of the Exchange Act and Rule 19b-4(c), by adopting and changing certain policies prior to obtaining Commission approval.[20]

OCC was legally required to comply with Reg. SCI by 2rd November 2015.

OCC was legally required to comply with Rule 17Ad-22(e) by 11th April 2017.

Prior to, and throughout this period, the firm’s legal counsel was under a duty to the OCC to inform and update the management of OCC and/or the Board about its legal responsibilities and duties as required by US laws and SEC and CFTC rules. Any good US law student with a basic understanding of US laws and SEC and CFTC rules would have been able to clearly identify such legal obligations.

A legal counsel working for the largest clearing organization in the world for equity derivatives would have known about these requirements without fail. Consequently, there seems to be questions that ostensibly the SEC and the CFTC have not dealt with in their respective Orders.

If the 2nd November 2015 deadline had passed, then OCC’s legal counsel should have known that OCC was not legally compliant with the requirements mandated by Reg. SCI.

If the 11th April 2017 deadline had passed, then OCC’s legal counsel should have known that OCC was not legally compliant with the requirements mandated by Rule 17Ad-22(e).

Assuming this is the case, and it was prima facie alleged by the SEC that the OCC was in breach of these legal requirements, and that such breaches warranted investigation by the SEC and/or would potentially be subject to civil fines and negative reputational damage.

How can it be that in its 2017 Annual Report the OCC was able to unequivocally say:

“At December 31, 2017, there was no outstanding litigation or regulatory matters that would have a material adverse effect on the financial statements.”

Could such a statement amount to a misrepresentation to existing and/or potential shareholders who were relying on the OCC to inform them about any matters that could negatively impact OCC’s share price?

Indeed, the question to be asked is could this be legally interpreted in any way as to be misinforming the public vis-à-vis the financial affairs and/or share price of the OCC via the OCC’s 2017 Annual Report?

2.3         OCC Failures

The SEC Order found that OCC had failed to establish, implement, maintain, and enforce policies and procedures reasonably designed to:

2.3.1    Review its Risk-Based Margin Models and the Parameters for those Models on a Monthly Basis[21];

Exchange Act Rule (EAR) 17Ad-22(b)(2) mandates that a Registered Clearing Agency (RCA) establish, implement, maintain, and enforce written policies and procedures reasonably designed to use risk-based models and parameters to set margin requirements and review such margin requirements and the related risk-based models and parameters at least monthly.

Although OCC was required to comply with this rule by 2nd January 2013, by April 2017, MORE THAN 3 YEARS LATER, OCC had still not complied with this legal requirement.

The Commission had noted that:

“[m]arket conditions and risks are constantly changing and therefore the models and parameters used by a clearing agency providing [central counterparty] services to set margin may not accurately reflect the needs of a clearing agency if they are permitted to remain static.”

In practice it is crucial for CCPs to ensure that their risk-based margin models are continuously accurate, and that they are reviewed and updated regularly to take into account socioeconomic indicators and trends; political moderating factors; geographical moderating factors; global, regional, and national trends; and other moderating or influencing factors.

For example, a hurricane in the Caribbean could significantly affect commodity exports from those islands affected in the Caribbean. This in turn could then impact commodity prices of related exchange traded products. If risk-based margin models remain static in a month, then, for example, the same August 2019 margin amounts might be called for September 2019 oil derivatives, even though they may no longer be equivalent, in terms of underlying risk, as August 2019 oil derivatives.

Moreover, such risk-based margin models also need to be calibrated to take into account financial stress indicators. For example, Monin (2019)[22] defines financial stress as disruptions in the typical functioning of financial markets. It is further noted that symptoms of financial stress can be informed by both theory and practice, and in practice may include uncertainty about the fundamental value of financial assets or the behaviour of investors; increased asymmetric information; and a decreased willingness to hold risky or illiquid assets (Monin, 2019).

Examples of the Office of Financial Research (OFR) Financial Stress Index (FSI) category definitions include: (1) credit; (2) equity valuation; (3) funding; (4) safe assets; and (5) volatility (Monin, 2019).

The more accurately these risk-based models and parameters are calibrated and regularly reviewed, the more likely it is that a RCA will be effectively fulfilling its role and maintaining balanced market conditions.

In the case of the OCC, owing to its status as a SIFMU it was a fortiori required to ensure that its risk-based margin models were calibrated as accurately as possible, and regularly reviewed to ensure such accuracy because of the potentially significant risks and costs to other market participants and to the broader US financial system.

2.3.2    Consider and Produce Margin Levels Commensurate with the Risks and Particular Attributes of Each Relevant Product Cleared by OCC;

EAR 17Ad-22(e)(6)(i) mandates that a CCA establish, implement, maintain, and enforce policies and procedures that are reasonably designed to cover its credit exposures to its participants by establishing a risk-based margin system that inter alia considers, and produces margin levels commensurate with, the risk and particular attributes of each relevant product, portfolio, and market.

Although OCC was required to comply with this rule by 11th April 2017, at the time of the SEC Order it had still not complied with this legal requirement. The SEC Order stated:

“Specifically, OCC’s margin model fails to consider the impact of market liquidation costs, including bid-ask spreads and other transaction-based costs, as well as the potential market impact of liquidation activity.

OCC’s margin model also fails to consider specific wrong way risk associated with cleared securities which are related to clearing members.

Specific wrong-way risk arises at a [central counterparty] when an exposure to a participant is highly likely to increase when the creditworthiness of that participant is deteriorating.”

The failure of OCC’s margin model to consider the impact of market liquidation costs, bid-ask spreads, other transaction-based costs, and the potential market impact of liquidation activity has been considered and discussed in PART I.

As regards the failure of OCC’s margin model to consider specific wrong way risk (WWR), this issue will be discussed here in further depth.

WWR refers to unfavourable dependencies (e.g. between the value of margin held and creditworthiness of clearing members). So, for example, margin held by a CCP should not be wrong-way, e.g. correlated to the default of the counterparty in that a counterparty posts their own bonds or equity) (Gregory, 2014).[23]

It is important to differentiate between two distinct types of WWR, which can apply to exposure or margin-related linkages, these are:

(1)        General WWR; and

(2)        Specific WWR (Gregory, 2014).

General WWR refers to linkages arising from macroeconomic relationships (e.g. interest rates being correlated to credit spreads), whereas Specific WWR arises from specific factors affecting a counterparty (e.g. a ratings downgrade by ratings agency Moody’s) (Gregory, 2014).

According to Eurex Clearing, “Wrong-way risk is defined as the potential loss which Eurex Clearing may suffer during the Default Management Process, due to an unfavorable interrelatedness between the counterparty’s creditworthiness, the value of its collateral pool and the value of its portfolio.”

If OCC’s margin models had failed to consider specific WWR associated with cleared securities related to clearing members, then this presented a highly significant potential problem for the OCC in terms of accurately identifying the real extent of counterparty risk which the OCC had calculated.

This is because if the OCC’s margin models had calculated counterparty risk, but had failed to account for potential specific WWR relevant to specific clearing members in such models, then the OCC was potentially exposed to an unknown quantity of specific WWR for each clearing member, and cumulatively, this could amount to a very large unknown quantity of specific WWR that could materialise in the event of one or more counterparty defaults.

An example of WWR pertinent to put options is set out below for illustrative purposes:

“If a put option for corporate stock correlates highly with counterparty default probability, when the underlying share price declines, the value of the put option (in this case the exposure) increases at the same time that the probability of counterparty default increases. As a result, this wrong-way risk causes a sharp increase in overall risk” (Inamura et al., 2012).[24]

Eurex Clearing identifies its approach to WWR and the actions it takes with regards to WWR:

“To safeguard the overall integrity of the Clearing House and to protect the mutualizing Default Fund, we conduct an internal credit assessment of all counterparties and perform continuous monitoring of credit, concentration and wrong-way risks. This enables us to guarantee fulfilment of all obligations towards counterparties even under extreme market conditions.

The first step in which we avoid wrong-way risk is that we do not allow counterparties to deposit own issues (or issues of closely linked entities) as collateral. Moreover, counterparties are not entitled to use such instruments as collateral for repo transaction or securities lending transactions.

In case Clearing Members enter into positions, where they are exposed to the performance of their own stock (e.g. derivatives on their own stock) or other instruments issued by themselves or entities belonging to the same legal group, these positions are collateralized based on the assumption that the underlying becomes worthless in a default scenario.

Resources which have already been provided to secure these positions (i.e. dedicated Total Margin Requirement on single position level as well as derived Default Fund contributions) are deducted before the final Supplementary Margin for the own issue positions is calculated.

A daily monitoring process ensures a tight control of any own issue position. For a more efficient collateral management process on the Clearing Member side, the Supplementary Margins are charged weekly based on the largest excess (i.e. Loss given default minus already provided resources) over the previous week.

By defining dedicated wrong-way risk limits, we are taking additional steps to minimize such risk. These limits are applicable to a counterparty’s collateral pool and the counterparty’s notional exposure.”

The sheer size and negative impact of WWR was clearly and unequivocally demonstrated in the previous sub-prime crisis. Consequently, given the clear and significant problems that were demonstrated by unanticipated effects of WWR during the sub-prime crisis, it was the OCC’s duty to ensure that its margin models identified and incorporated potential WWR and thereby mitigated its effects across its clearing members in order to ensure it operated a robust CCP clearing system.

2.3.3    Cover its Credit Exposure;

EAR 17Ad-22(e)(4)(iii) mandates that a CCA (that is not subject to EAR 17Ad-22(e)(4)(ii)) must establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to maintain additional financial resources at a minimum to enable it to cover a wide range of foreseeable stress scenarios.

EARs 17Ad-22(e)(4)(vi)(A)-(D) mandate that a CCA establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to test the sufficiency of its total financial resources available to meet the minimum requirements[25] by:

(1)        stress testing its total financial resources once each day using standard predetermined parameters and assumptions;

(2)        comprehensively analyzing its stress scenarios, model and underlying parameters and assumptions on at least a monthly basis;

(3)        comprehensively analysing its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility; and

(4)        reporting the results of its stress testing analyses to appropriate decision makers.

Although OCC was required to comply with these rules by 11th April 2017, through at least 4th September 2018 it had still failed to comply with these legal requirements.

It was noted that instead of complying with these requirements, OCC had implemented policies and procedures that determined the monthly sizing of its clearing fund based on a daily calculation of its stress testing exposures utilizing only A LIMITED NUMBER OF SCENARIOS.

The failure of the OCC to cover its credit exposure through stress testing was dealt with in PART I of this Blog. However, some commentary will be made here regarding the OCC’s use of only a limited number of scenarios vis-à-vis its legal stress testing obligations.

The main difficulty with utilizing only a limited number of scenarios is that this makes it highly likely that the monthly sizing of its clearing fund does not in actuality reflect the realities of the underlying markets in which the OCC operates.

This is highly problematic in practice, because it means that the OCC is potentially not actually fulfilling its role, not only as a CCP, but also as a SIFMU, because it is not robustly addressing all the stress scenarios to which it might be exposed in time of normal markets, and also to which it might be potentially exposed, in times when the markets are subject to financial stress.

In practice, stress scenarios need to be created for each asset class that is in use by the OCC, as well as shifting relevant risk factors in particular markets in order to account for the relevant assumed period of risk, i.e. stress period of risk will differ depending on the underlying asset class and the relevant risk factors that have been shifted.

Stress scenarios then need to be calibrated according to extreme but plausible scenarios, and then those scenarios are broken down into:

(1)        historical scenarios (i.e. extreme and well-known events, such as the Lehman Default and the Global Financial Crisis (2008) the Cyprus Financial Crisis (2013); and the Brexit Referendum (2016));

(2)        hypothetical scenarios (i.e. forward-looking scenarios simulating extreme risk factor movements for all cleared asset classes and products simultaneously by combining selected constellations of up and down moves across asset classes)[26];

(3)        correlation stress scenarios (i.e. special hypothetical scenarios that additionally stress the correlations between single risk factors);

(4)        global scenarios (i.e. condensing information from a large number of asset class-specific forward-looking hypothetical scenarios to a smaller number of concise scenarios) (Eurex Clearing, 2019).

As can be seen, if these stress scenarios need to be calculated for multiple asset classes under different market conditions, then calculating stress testing exposures on a daily basis utilizing only a limited number of scenarios would seem to fall very short of the requirements needed to ensure accuracy of financial resources required on a month-to-month basis.

2.3.4    Maintain Sufficient Liquid Resources;

EAR 17Ad-22(e)(7)(i) mandates that a CCA establish, implement, maintain, and enforce written policies and procedures reasonably designed to maintain sufficient liquid resources, at the minimum, in all relevant currencies in order to effect same-day, and where appropriate, intraday and multiday, settlement of payment obligations with a high degree of confidence under a wide range of foreseeable stress scenarios.

EAR 17Ad-22(e)(7)(vi)(A)-(D) mandate that a CCA establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to determine the amount, and regularly test the sufficiency, of the liquid resources held for the purposes of meeting the minimum liquid resource requirement[27], by, at a minimum:

(1)        stress testing its liquidity resources once each day using standard predetermined parameters and assumptions;

(2)        comprehensively analyzing its stress testing scenarios, models, and underlying parameters and assumptions on at least a monthly basis;

(3)        comprehensively analysing its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility; and

(4)        reporting the results of its stress testing analyses to appropriate decision makers.

The Commission noted that:

“[market] participants in centrally cleared and settled markets are often linked to one another through intermediation chains in which one party may rely on proceeds from sales of cleared products to meet payment obligations to another party… Therefore, the benefits related to liquidity risk management generally flow from the reduced risk of systemic risk transmission by covered clearing agencies as a result of liquidity shortfalls.”

The OCC was required to comply with EAR 17Ad-22(e)(7)(i) and 17AD-22(e)(7)(vi)(A)-(D) by 11th April 2017, however as of the date of the SEC Order, it had still failed to fulfil its legal requirements.

The SEC Order noted that OCC had instead implemented policies and procedures which determined the size of its liquid resources using SCALED NORMAL MARKET CONDITIONS.

By using SCALED NORMAL MARKET CONDITIONS the OCC would have been implementing liquid resources that were very likely to be below that actually required for day-to-day operations.

By failing to include extreme but plausible market conditions, the OCC was ensuring that the parameters of liquidity resources were limited to expected normal market conditions.

Consequently, it was highly likely that not only were the liquidity resources required on a day-to-day basis much lower than that which might otherwise be required using parameters that included extreme but plausible market conditions, but moreover it could not be said that it was maintaining sufficiency of liquid resources with a high degree of confidence under a wide range of foreseeable stress scenarios.

The OCC had failed to stress test its total liquid resources using a wide range of foreseeable stress scenarios once each day;

Again, if the OCC had actually been stress testing its required liquid resources utilising a wide range of foreseeable stress scenarios each day, then the likelihood is that in all probability it would have been calculating higher minimum liquidity resources required, than that which it was actually calculating.

By excluding foreseeable stress scenarios that might be encountered during extreme but plausible market conditions, it was in actuality very likely minimising the minimum liquidity resources calculated, i.e. these may very likely not reflected its ACTUAL MINIMUM LIQUIDITY RESOURCES required utilising both normal and stressed market conditions.

The OCC had failed to analyze its stress testing scenarios, models parameters, and assumptions at least monthly;

By failing to analyse its stress testing scenarios, models parameters and assumptions, at least monthly, it was failing to operate a robust and accurate risk management framework.

This is particularly troubling given that the fundamental role of a CCP is to manage risk on a daily basis using the most accurate and granular data and information available.

The fact that it was alleged that OCC was failing to scrutinise its stress testing scenarios on a regular basis meant that in actuality it fell far below “normal” CCP operational practices, for example, as compared with the operational practices of other well established CCPs operating in the European Union.

The OCC had failed to analyse its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility;

OCC’s failure to analyse its stress testing scenarios, models, parameters, and assumptions more frequently than monthly during periods of stress and/or volatility, again is, when benchmarked against the practices of other well established CCPs, a complete and utter failure on the part of the OCC.

In fact, if we were to solicit comments from other well established CCPs about OCC’s failure to undertake this in practice, it is almost certain that all such CCPs would be highly critical about the negative repercussions that such operational practices would raise in terms of effective risk management practices.

The OCC had failed to report the results of its stress testing analyses to appropriate decision makers.

This failure to report the results of stress testing analyses to appropriate decision makers can in no way be seen as a ‘minor fault’, or something that was ‘overlooked’.

Viewed from a legal perspective, this is nothing less than operational negligence on the part of OCC and/or its employees undertaken on a vicarious liability basis. Such negligence is made all the worse given its fundamental role as a SIFMU within the US.

The OCC had failed to include all known sources of possible liquidity obligations in determining the liquidity required in the event of a clearing member default (such as certain possible liquidity, payment, and delivery obligations relating to default auctions).

In practice this failure translated to the OCC having significantly miscalculated possible liquidity obligations required relating to potential clearing member defaults.

In practice, the fact that it had failed to calculate such factors meant that it was operating at operational levels far, far below that of many other well established CCPs operating around the world, a fact which is all the more shocking given its fundamental role as a SIFMU in the US.

2.3.5    Maintain a Comprehensive Risk Management Framework;

EAR 17Ad-22(e)(3) mandates that a CCA establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to maintain a sound risk management framework to comprehensively manage legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in, or are borne by, the CCA.

EAR 17Ad-22(e)(3)(i) mandates that a CCA’s risk management framework include risk management policies, procedures, and systems that are designed to identify, measure, monitor, and manage the range of risks that arise in, or are borne by, the CCA, and that are subject to review on a specified periodic basis and approved by the board of directors annually.

OCC was required to comply with the latter requirement by 11th April 2017, however at the time of the SEC Order it had failed to implement such policies designed to manage credit and liquidity risks.

OCC lacked policies and procedures which provided for comprehensive stress testing of its financial and liquid resources under a wide range of foreseeable stress scenarios.

OCC failed to implement policies and procedures reasonably designed to manage the operational risk that arises in, or is borne by OCC, and specifically they were not reasonably designed to ensure that its SCI systems and, with respect to security standards, indirect SCI systems had adequate levels of capacity, integrity, resiliency, availability, and security.

OCC’s policies and procedures were also not reasonably designed to provide for a well-founded, clear, transparent, and enforceable legal basis for each aspect of its activities in all relevant jurisdictions, because OCC failed to file proposed rules before adopting certain policies and implemented certain policies prior to approval of the Commission.

It has become patently clear that the OCC’s overall risk management processes and procedures were very far from robust, resilient and secure. Its overall approach to its risk management procedures, its stress testing procedures, its margin methodology procedures, and its security procedures, demonstrate a fundamental disregard to the most basic tenets of a CCP’s operational procedures and mandates.

A CCP is, by design, intended to minimise, mitigate, and deal with risk, and yet all of the evidence offered by the CFTC and SEC Orders cumulatively demonstrate an across-the-board total lapse in operational, technological, and strategic oversight by the OCC.

The accumulated failures identified throughout the CFTC and SEC judgments highlight, not highly operationally advanced and complex requirements, but failures in the most basic risk management frameworks for CCP operations.

This is all the more severe taking into account the OCC’s long-established history, its decades of operational experience, its positioning as the largest clearing organization in the world for equity derivatives, and its statute and responsibilities as a SIFMU.

Taking into account the fact that in 2018 a single default by a clearing member caused a $133 million hole in Nasdaq’s clearing house buffers, one can imagine the potential damage that might have been caused by a default by one or more of the OCC’s clearing members, which could in turn have potentially caused unquantifiable systemic risk, owing to the huge defects in the OCC’s risk management framework. 

Given the fact that in 2017 OCC’s total revenues were $359,619,000, and in 2018 OCC’s total revenues were $467,838,000, it is highly questionable whether a $20 million fine was sufficient to reflect the highly poor operational practices and risk management framework that was put in place by OCC, not only for a short period of time, but in most cases for years and years.

2.3.6    Protect the Security of Certain OCC Information Systems;

Rule 1001(a)(1) of Reg. SCI mandates that an SCI entity (e.g. RCA) establish, maintain, and enforce written policies and procedures that are reasonably designed to ensure that its SCI systems[28], and with respect to security standards, indirect SCI systems[29], have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI’s entity operational capability and promote the maintenance of fair and orderly markets.

Such policies and procedures must include, at a minimum, regular reviews and testing (as applicable), of such systems (including backup systems), to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters.

OCC was required to implement such legal requirements by 3rd November 2015. As of the date of the SEC Order, OCC had still failed to establish such policies and procedures that were reasonably designed to ensure that its SCI systems and, with respect to security standards, indirect systems, had adequate levels of capacity, integrity, resiliency, availability, and security.

As of 3rd November 2015, OCC had still failed to establish, maintain, and enforce written policies and procedures that were reasonably designed to:

(1)        consistently identify, prioritize, test, and implement vendor-issued patches;

(2)        secure certain data within cloud environments;

(3)        ensure that all network devices, including unused and test network devices, were inventoried; and

(4)        ensure security threats would be promptly detected.

The failures highlighted by these alleged infractions demonstrate the incompetence of any, or all, of:

(1)        OCC’s information technology (IT) department;

(2)        OCC’s management hierarchy, structure, and reporting lines; and

(3)        OCC’s legal department.

Given that the OCC is the largest clearing organization in the world for equity derivatives, it is submitted that such failures reflect failures in basic operational procedures, and as such either reflect:

(1)        highly lax administrative management and oversight of legal requirements by any, or all of, the above three named departments; or

(2)        worse still, intentional choices made to delay implementation of remedial measures either owing to the costs involved, the low prioritisation of such requirements, or a combination of both.

AND

2.3.7    The OCC Failed to Obtain Commission Approval for Proposed Rule Changes;

Section 19(b)(1) of the Exchange Act requires SROs (e.g. RCAs) to file with the Commission a proposed rule change[30] accompanied by a concise general statement of the basis and purpose of such proposed rule change.

Section 19(b)(1) requires the Commission to publish notice of the proposed rule change and provideinterested persons an opportunity to submit written comments.

Section 19(b)(1) prohibits a proposed rule change from taking effect unless it is approved by the Commission, or otherwise permitted under Section 19(b)(1).

OCC failed to file with the Commission proposed rule changes before adopting a number of policies, e.g. by December 2015 OCC had implemented at least 18 policies covering core risk management issues without filing proposed rule changes with the Commission. These covered the following policies:

(1) legal risk policy; (2) model risk management policy; (3) financial resources policy; (4) risk appetite framework; (5) enterprise risk management framework; (6) risk universe; (7) operational risk management; (8) clearing fund policy; (9) margin policy; (10) credit risk management policy; (11) liquidity risk management policy; (12) systems incident escalation policy; (13) default management policy; (14) collateral risk management policy; (15) business continuity planning policy; (16) information technology risk management policy; (17) vendor risk management policy; and (18) capital requirements policy.

OCC had also implemented other policies without obtaining prior Commission approval, e.g. in May 2017 OCC implemented revisions to its:

(1) counterparty credit risk management policy; (2) default management policy; (3) margin policy; (4) risk management framework policy; (5) collateral risk management policy; and (6) revised charter for OCC’s Board of Directors as well as charters for the Board’s Audit Committee, Risk Committee, Compensation and Payment Committee, Governance and Nominating Committee, Risk Committee, and Technology Committee.

The failure to obtain Commission approval for proposed rule changes in practice amounts to breach of the most basic administrative rules pertinent to SEC oversight. The fact that OCC allegedly overlooked dozens of amendments and proposed rule changes highlights the highly lax administrative and legal oversight put in place by the OCC, as well as the failure of OCC’s legal counsel to provide the most basic legal support to the OCC.

Not only that, but it also flies in the face of public oversight of the OCC’s operations. Section 19(b)(1) was put in place for a particular purpose, and that was to ensure governmental and public accountability on the part of the OCC. If OCC was not providing proposed rule changes to the SEC, at best, it had in place extremely bad operational and administrative practices, at worst, it was intentionally placing itself beyond the supervisory practices of the SEC. However, there is more than simply accountability inherent in Section 19(b)(1). It also incorporates elements of public debate and discussion.

The fact that Section 19(b)(1) requires the SEC to provide interested persons with an opportunity to submit written comments, means that the public at large are able to provide commentary, feedback, and opinions on the practices of a SIFMU that in actuality could significantly affect their lives or of their firm’s operations. By failing to submit proposed rule changes, and by circumventing the legal requirements of Section 19(b)(1), the OCC allegedly deprived interested parties of their legal right and opportunity to comment on the working of a public systemically important institution.

2.4         SEC Order Civil Monetary Penalty

OCC was required to pay a civil monetary penalty in the amount of $15 million to the SEC by 31st December 2019.

ENDNOTES

[1]    As a condition of registration under Section 5b of the Commodity Exchange Act (CEA), 7 U.S.C. § 7a-1 (2012), and implementing provisions set forth in Part 39 of the Commission’s Regulations (Regulations), 17 C.F.R. pt. 39 (2019).

[2]    Section 5b(c)(2)(D)(i) of the Act.

[3]    Regulation 39.13(f) and (g)(1).

[4]    Under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act).

[5]    Regulation 39.13(g)(2)(i).

[6]    Gregory, J. (2014). Central Counterparties. Mandatory Clearing and Bilateral Margin Requirements for OTC Derivatives. John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex.

[7]    As determined by the Commission.

[8]    Section 5(b)(c)(2)(B)(i) of the Act.

[9]    Regulation 39.11(a).

[10] Regulation 39.11(c).

[11] Principle 1 (Relevance); Principle 2 (Structure); Principle 3 (Governance); Principle 4 (Transparency).

[12] Scenarios; Stress period of risk (MPOR); Stress positions and prices; stress liquidity; aggregation; calculation of the stress effect; collateral; allocation; governance; validation; disclosure.

[13] Principle 1 (Dynamic Monitoring of Clearing Member and Client Portfolio); Principle 2 (Conservative Safeguards Sizing and the Waterfall Structure); Principle 3 (Comprehensive Scenario Construction); Principle 4 (Thorough Review to Identify Model Limitations); Principle 5 (Maintaining a Robust Governance Structure); and Principle 6 (Transparent Application of Stress Testing Principles and Practices).

[14] Section 5(b)(c)(2)(D)(i) of the Act.

[15] Core Principle I, Section 5b(d)(2)(I)(i) of the Act, and Regulation 39.18(b)(1).

[16] Regulation 39.18(b)(2)(iv).

[17] Regulation 39.18(e)(1).

[18] Under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act).

[19] Regulation Systems, Compliance, and Integrity under the Exchange Act (Reg SCI) was adopted by the Commission in November 2014 in order to strengthen the technology infrastructure of US securities markets, and also in order to reduce the occurrence of systems issues, improve resiliency when systems problems occurred, and enhanced the Commission’s oversight and enforcement of technology infrastructure of securities markets. OCC had until 3rd November 2015 to comply.

[20] It was therefore alleged that owing to its conduct, OCC had violated Section 17A(d)(1) of the Exchange Act and Rules 17Ad-22(b)(2), 17Ad-22(d)(1), 17Ad-22(e)(1), 17Ad-22(e)(3)(i), 17Ad-22(e)(4)(iii) and (vi), 17Ad-22(e)(6)(i), and 17Ad-22(e)(7)(i) and (vi) thereunder; Rules 1001(a)(1) and (2) of Reg. SCI under the Exchange Act; and Section 19(b) of the Exchange Act and Rule 19b-4 thereunder.

[21] Violation of Exchange Act Rule 17Ad-22(b)(2).

[22] Monin, P.J. (2019). The OFR Financial Stress Index. Risks, 7, 25; doi:10.3390/ risks7010025.

[23] Gregory, J. (2014). Central Counterparties. Mandatory Clearing and Bilateral Margin Requirements for OTC Derivatives. John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex.

[24] Inamura, K.; Hattori, A.; Fukuda, Y.; Sugihara, Y.; Teranishi, Y. (2012). Wrong-way risk in OTC derivatives and its implication for Japan’s financial institutions.’ Bank of Japan Review, (June), pp.1-6.

[25] As stipulated in EAR 17Ad-22(e)(4)(i) through (iii).

[26] Eurex Clearing (2019). Stress scenarios and exposure aggregation.

[27] Under Exchange Act Rule 17Ad-22(e)(7)(i).

[28] SCI systems is defined to mean “all computer, network, electronic, technical, automated or similar systems operated by or on behalf of [the entity] that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance” (Rule 1000 of Reg. SCI).

[29] Indirect SCI systems is defined to mean “any systems of, or operated by or on behalf of, [the entity] that if breached, would be reasonably likely to pose a security threat to SCI systems” (Rule 1000 of Reg. SCI).

[30] Proposed rule change is defined to mean “any proposed rule or any proposed change in, addition to, or deletion from the rules of the self-regulatory organization” (Section 19(b)(1) of the Exchange Act). Exchange Act Rule 19b-4(c) states that “a stated policy, practice, or interpretation of the self-regulatory organization shall be deemed to be a proposed rule change unless: (1) it is reasonably and fairly implied by an existing rule; or (2) it is concerned solely with the administration of the self-regulatory organization and is not a stated policy, practice or interpretation with respect to the meaning, administration, or enforcement of an existing rule of the self-regulatory organization.” The term “stated policy, practice, or interpretation” includes “any material aspect of the operation of the facilities of the self-regulatory organization” (Exchange Act Rule 19b-4(a)(6)).