Skip to Content

Notice

Self-Regulatory Organizations; CME Securities Clearing Inc.; Order Approving Proposed Rule Change to Establish the CME Securities Clearing Inc. Enterprise Risk Management Framework

A Notice by the Securities and Exchange Commission on 06/01/2026

  • PDF
  • Document Details
  • Table of Contents
  • Related Documents
  • Public Comments
  • Regulations.gov Data
  • Sharing
  • Print
  • Document Statistics
  • Other Formats
  • Public Inspection
Published Document: 2026-10833 (91 FR 32464)

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Document Headings

Document headings vary by document type but may contain the following:

  1. the agency or agencies that issued and signed a document
  2. the number of the CFR title and the number of each part the document amends, proposes to amend, or is directly related to
  3. the agency docket number / agency internal file number
  4. the RIN which identifies each regulatory action listed in the Unified Agenda of Federal Regulatory and Deregulatory Actions

See the Document Drafting Handbook for more details.

Securities and Exchange Commission
  1. [Release No. 34-105561; File No. SR-CMESC-2026-003]
May 27, 2026.

I. Introduction

On April 1, 2026, CME Securities Clearing Inc. (“CMESC”) filed with the Securities and Exchange Commission (“Commission”) proposed rule change SR-CMESC-2026-003, pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (the “Act”) [1] and Rule 19b-4 thereunder.[2] The proposed rule change would establish a new Enterprise Risk Management Framework (“ERMF”) to identify, assess, mitigate, and monitor enterprise risks. The proposed rule change was published for comment in the Federal Register on April 17, 2026.[3] The Commission has received no comments on the changes proposed. For the reasons discussed below, the Commission is approving the proposed rule change.

II. Background

On December 1, 2025, the Commission approved CMESC's application for registration as a clearing agency to provide central counterparty services for U.S. Treasury Securities.[4] As a part of its application, CMESC submitted a Risk Management Framework (“RMF”). CMESC states that the RMF is designed to identify, measure, monitor, and manage the range of risks that arise in or are borne by the covered clearing agency, consistent with Rule 17ad-22(e)(3).[5] The RMF refers to CMESC's Enterprise Risk Management Framework (“ERMF”). However, the ERMF was not included as part of CMESC's application.[6]

III. Description of the Proposed Rule Change

The proposed rule change would establish the ERMF to enhance CMESC's enterprise risk management policies. CMESC states that the ERMF is designed to work cohesively with the RMF to identify, assess, and manage the potential risks that may affect CMESC's operations and services.[7] The ERMF contains a preamble describing its general purpose and applicability to all CMESC personnel.[8] Additionally, as discussed more fully below, the proposed ERMF describes the: (1) ERMF's governance framework; (2) process through which the ERMF determines the universe of risks CMESC may face (“Risk Universe”); and (3) “ERM Lifecycle,” which includes components regarding (i) the aggregate amount of residual risk CMESC is willing to accept in a given risk category before taking action to reduce such risk (“Risk Appetite”), (ii) the acceptable boundary of risk CMESC is willing to accept in pursuit of its business objectives (“Risk Tolerance”), (iii) CMESC's risk assessment mechanism, (iv) CMESC's risk response methodology, and (v) the risk monitoring and reporting process to monitor the ERM program's adequacy.[9]

( printed page 32465)

A. Governance

The proposed ERMF includes a section describing its governance framework.[10] Specifically, the ERMF would be maintained by CMESC's Compliance and ERM team, which supports CMESC's Chief Compliance Officer (“CCO”) in implementing the ERMF.[11] On at least an annual basis, the CCO would recommend the ERMF for review to CMESC's Risk Management Committee, which would subsequently recommend the ERMF to CMESC's Board (“Board”) for approval.[12] Any substantive changes outside of the annual review process would similarly require review and approval by CMESC's Risk Management Committee, and changes with a significant impact on CMESC's risk profile would require Board approval.[13]

The proposed ERMF also provides a description of the Board's oversight of overall risk management at CMESC, supported by various committees and individuals with powers delegated by the Board.[14]

B. Risk Universe

The proposed ERMF includes a section describing how CMESC would evaluate and monitor the risks it may face.[15] Specifically, CMESC would identify its “Risk Universe” by aligning identified risks with enterprise risk categories and sub-risk categories assigned with risk owners responsible for assessing and monitoring potential threats to CMESC and risk impacts on CMESC's business objectives.[16] The enterprise risk categories (initially consisting of Financial Resources, Operations, Regulatory Compliance, and Service Provider risks) are the highest level of risk aggregation and would be subject to Board oversight.[17] The sub-risk categories would further classify risks into more detailed groups designed to identify the specific processes underlying each enterprise risk category.[18]

C. ERM Lifecycle

The proposed ERMF discusses the components of CMESC's risk management lifecycle.[19] The proposed ERMF defines “Risk Appetite” as “the aggregate amount of residual risk, on a broad level, CMESC is willing to accept in any given category in pursuit of its strategic objectives before additional action is deemed necessary to reduce the risk.” [20] The proposed ERMF describes the five-point risk rating system CMESC would use to develop guidance or parameters on the level of risk exposure CMESC is willing to accept regarding specific enterprise risk categories and sub-risk categories within the Risk Universe.[21]

The proposed ERMF defines “Risk Tolerance” as “the acceptable boundary of risk that CMESC is willing to accept in pursuit of its business objectives and to ensure that those boundaries are not breached.” [22] The ERMF describes Risk Tolerance as the quantitative and tactical counterpart to Risk Appetite.[23] CMESC would evaluate whether risks are within its Risk Tolerance levels by monitoring key risk indicators (“KRIs”), which are metrics designed to provide an early signal of potential increasing risk exposure, allowing CMESC to take corrective action to maintain risks within the tolerance levels.[24] KRIs are tied to a tiered escalation protocol for the action required, ranging from ongoing monitoring to reporting and escalation to the Board.[25]

The proposed ERMF describes CMESC's risk assessment mechanism, which would be used to identify, aggregate, and quantify risks, and to determine the appropriate response to mitigate, monitor, and reduce risks.[26] The proposed ERMF differentiates inherent risks ( i.e., the level of risk absent any controls) from residual risks ( i.e., the level of risk after accounting for compensating controls), and identifies the timing of risk assessments for each type of risk.[27] Specifically, inherent risk assessments would be performed annually, whereas residual risk assessments would be performed on a quarterly basis.[28] CMESC states that residual risk assessments would be more frequent because they are designed to ensure the internal control environment remains responsive to emerging threats and the residual risk profile aligns with CMESC's Risk Appetite.[29] Residual risk assessment requires risk owners and senior CMESC management to identify risks in their areas of responsibility and to implement appropriate qualitative and quantitative measures to evaluate, prioritize, and manage risk.[30] The proposed ERMF also describes the concept of “risk outlook,” which CMESC considers within the context of making risk assessments.[31] Risk outlook represents the expected forward-looking trend for the risk over the upcoming 12-month period and is used to show increasing, elevated, stable or decreasing risk to CMESC.[32] The proposed ERMF describes control testing that would be conducted to assess the design and effectiveness of CMESC's internal controls and CMESC's monitoring of service providers to assess third-party risk.[33] Control testing results would be used to determine the effectiveness of a given control and inform the assessment of the overall level of residual risk.[34] An annual control testing schedule would be established using a risk-based approach, where the frequency of testing is determined by the sum of factors essential to a control's significance in reducing residual risk.[35]

The proposed ERMF describes CMESC's risk response methodology for evaluating options and identifying actions to enhance opportunities and reduce risks associated with the pursuit of business objectives.[36] The risk response methodology would be used by risk owners to facilitate determining the appropriate strategy for maintaining risks within the acceptable Risk Appetite.[37] The proposed ERMF discusses various strategies to mitigate, transfer, or accept risk, and establishes that once strategies are identified, a four-point methodology would be used to prioritize the specific response.[38] The proposed ERMF also describes the process for reporting, approving, and remediating a risk that CMESC determines exceeds its Risk Appetite.[39]

Finally, the proposed ERMF describes the risk monitoring and reporting process to monitor the ERM program's adequacy.[40] Risk monitoring includes overall governance and ongoing validation efforts, such as control testing ( printed page 32466) and audit assurance designed to ensure that risk taking is aligned with CMESC's strategic objectives and Risk Appetite.[41] Risk reporting includes collating ongoing risk assessments into quarterly reports to senior CMESC management.[42]

IV. Discussion and Commission Findings

Section 19(b)(2)(C) of the Act [43] directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and rules and regulations thereunder applicable to such organization. After carefully considering the proposed rule change, the Commission finds that the proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to CMESC. In particular, the Commission finds that the proposed rule change is consistent with Sections 17A(b)(3)(F) of the Act,[44] Rule 17ad-22(e)(2),[45] and Rule 17ad-22(e)(3).[46]

A. Consistency With Section 17A(b)(3)(F) of the Act

Section 17A(b)(3)(F) of the Act requires, in part, that the rules of a clearing agency be designed to promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible.[47]

As described above in Section III, CMESC proposes to establish the ERMF, which would describe: (1) the ERMF governance framework; (2) CMESC's Risk Universe; and (3) the ERM Lifecycle, which includes components regarding CMESC's Risk Appetite, Risk Tolerance, Risk Assessment, Risk Response, and Risk Monitoring and Reporting. The ERMF would enhance CMESC's risk management by establishing risk management policies enabling CMESC to identify potential events that may affect CMESC, manage and report on the associated risks, and reasonably assure that risks are managed in accordance with CMESC's Risk Appetite.

Adopting a more robust risk management framework should enhance CMESC's ability to better identify, assess, and mitigate potential risks that may impact its operations, reducing the likelihood of disruptions to its clearance and settlement services and thereby promoting the prompt and accurate clearance and settlement of securities transactions, consistent with Section 17A(b)(3)(F) of the Act.[48] Additionally, a more robust risk management framework should provide greater assurance that the securities and funds in CMESC's custody or control are safeguarded against potential losses, consistent with Section 17A(b)(3)(F) of the Act.[49]

Accordingly, for the reasons stated above, the proposed rule change is consistent with Section 17A(b)(3)(F) of the Act.[50]

B. Consistency With Rule 17ad-22(e)(2)

Rule 17ad-22(e)(2) under the Act requires that a covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to provide for governance arrangements that clearly prioritize the safety and efficiency of the covered clearing agency, and specify clear and direct lines of responsibility.[51]

As described above in Section III.A, the proposed ERMF's governance provisions establish clear reporting lines and accountability for the management of enterprise risk within CMESC's Risk Appetite. Furthermore, the governance structure around the maintenance of the ERMF itself provides for reviews on at least an annual basis.

Additionally, as described above in Section III.C, the proposed ERMF includes a risk monitoring and reporting process to monitor the ERM program's adequacy. Establishing clear reporting lines and accountability should enhance efficiency and increase safety by providing oversight and aligning identified enterprise risks with risk owners responsible for assessing and monitoring potential threats. Annual maintenance reviews of the ERMF and the monitoring process for the ERM program's adequacy should proactively ensure that the protections are current and robust. These provisions therefore should prioritize safety and efficiency and specify direct lines of responsibility.[52]

Accordingly, for the reasons stated above, the proposed rule change is consistent with Rule 17ad-22(e)(2).[53]

C. Consistency With Rule 17ad-22(e)(3)

Rule 17ad-22(e)(3) under the Act requires, in part, that a covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to maintain a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne by the covered clearing agency, which includes risk management policies, procedures, and systems designed to identify, measure, monitor, and manage the range of risks that arise in or are borne by the covered clearing agency, that are subject to review on a specified periodic basis and approved by the Board annually.[54]

As described above in Section III, CMESC proposes to establish the ERMF, which would describe: (1) the ERMF governance framework; (2) CMESC's Risk Universe; and (3) the ERM Lifecycle, which includes components regarding CMESC's Risk Appetite, Risk Tolerance, Risk Assessment, Risk Response, and Risk Monitoring and Reporting. Specifically, the Risk Universe provisions of the proposed ERMF describe how CMESC would identify the risks it faces by classifying them into categories and sub-categories. Additionally, the ERM Lifecycle provisions of the proposed ERMF describe how CMESC would determine its Risk Appetite, Risk Tolerance, Risk Assessment, and Risk Response methodologies, designed to enable CMESC to develop strategies to mitigate, transfer, or accept risks. These measures constitute policies, procedures, and systems that are designed to identify, measure, monitor, and manage the range of risks that arise in or are borne by CMESC.[55]

The proposed ERMF's governance provisions, described above in Section III.A, and the proposed ERMF's Risk Monitoring and Reporting provisions, described above in Section III.C, provide that the ERMF would be subject to review on a specified periodic basis and approved by the Board on at least an annual basis.[56]

Accordingly, for the reasons stated above, the proposed rule change is consistent with Rule 17ad-22(e)(3).[57]

V. Conclusion

On the basis of the foregoing, the Commission finds that the proposed rule change is consistent with the requirements of the Exchange Act and in particular with the requirements ( printed page 32467) of Section 17A of the Exchange Act [58] and the rules and regulations promulgated thereunder.

It is therefore ordered, pursuant to Section 19(b)(2) of the Exchange Act [59] that proposed rule change SR-CMESC-2026-003 be, and hereby is, APPROVED.[60]

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[61]

Sherry R. Haywood,

Assistant Secretary.

Footnotes

3.  Securities Exchange Act Release No. 114433 (Apr. 14, 2026), 91 FR 20179 (Apr. 17, 2026) (File No. SR-CMESC-2026-003) (“Notice of Filing”).

Back to Citation

4.  Securities Exchange Act Release No. 104281 (Dec. 1, 2025), 90 FR 55926 (Dec. 4, 2025).

Back to Citation

5.  Notice of Filing, supra note 3, at 20719; see also17 CFR 240.17ad-22(e)(3).

Back to Citation

6.   See Notice of Filing, supra note 3, at 20719.

Back to Citation

8.   See Notice of Filing, supra note 3, at 20720.

Back to Citation

9.   See Notice of Filing, supra note 3, at 20720-21.

Back to Citation

10.   See Notice of Filing, supra note 3, at 20720.

Back to Citation

11.   Id.

Back to Citation

12.   Id.

Back to Citation

13.   Id.

Back to Citation

14.   Id.

Back to Citation

15.   Id.

Back to Citation

16.   Id.

Back to Citation

17.   Id.

Back to Citation

18.   Id.

Back to Citation

19.   See Notice of Filing, supra note 3, at 20720-21.

Back to Citation

20.   See Notice of Filing, supra note 3, at 20720.

Back to Citation

21.   Id.

Back to Citation

22.   Id.

Back to Citation

23.   Id.

Back to Citation

24.   Id.

Back to Citation

25.   Id.

Back to Citation

26.   See Notice of Filing, supra note 3, at 20721.

Back to Citation

27.   Id.

Back to Citation

28.   Id.

Back to Citation

29.   Id.

Back to Citation

30.   Id.

Back to Citation

31.   Id.

Back to Citation

32.   Id.

Back to Citation

33.   Id.

Back to Citation

34.   Id.

Back to Citation

35.  Such factors would include, for example, the inherent risk rating of the risk category the control is mitigating, the extent that the control is manual or automated, nature, critically and complexity of the control, frequency at which the control is applied, and whether it directly fulfills a CMESC regulatory requirements. See id.

Back to Citation

36.   Id.

Back to Citation

37.   Id.

Back to Citation

38.   Id.

Back to Citation

39.   Id.

Back to Citation

40.   Id.

Back to Citation

41.   Id.

Back to Citation

42.   Id.

Back to Citation

48.   Id.

Back to Citation

49.   Id.

Back to Citation

50.   Id.

Back to Citation

52.   Id.

Back to Citation

53.   Id.

Back to Citation

55.   Id.

Back to Citation

56.   Id.

Back to Citation

57.   Id.

Back to Citation

60.  In approving the proposed rule change, the Commission considered the proposals' impact on efficiency, competition, and capital formation. 15 U.S.C. 78c(f).

Back to Citation

[FR Doc. 2026-10833 Filed 5-29-26; 8:45 am]

BILLING CODE 8011-01-P

Published Document: 2026-10833 (91 FR 32464)