[ad_1]
[Federal Register Volume 88, Number 136 (Tuesday, July 18, 2023)]
[Proposed Rules]
[Pages 45826-45836]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-15056]
=======================================================================
———————————————————————–
COMMODITY FUTURES TRADING COMMISSION
17 CFR Parts 1 and 23
RIN 3038-AE59
Risk Management Program Regulations for Swap Dealers, Major Swap
Participants, and Futures Commission Merchants
AGENCY: Commodity Futures Trading Commission.
ACTION: Advance notice of proposed rulemaking; request for comments.
———————————————————————–
SUMMARY: The Commodity Futures Trading Commission (CFTC or Commission)
is issuing this Advance Notice of Proposed Rulemaking (ANPRM or Notice)
and seeking public comment regarding potential regulatory amendments
under the Commodity Exchange Act governing the risk management programs
of swap dealers, major swap participants, and futures commission
merchants. In particular, the Commission is seeking information and
public comment on several issues stemming from the adoption of certain
risk management programs, including the governance and structure of
such programs, the enumerated risks these programs must monitor and
manage, and the specific risk considerations they must take into
account; the Commission further seeks comment on how the related
periodic risk reporting regime could be altered or improved. The
Commission intends to use the information and comments received from
this Notice to inform potential future agency action, such as a
rulemaking, with respect to risk management.
DATES: Comments must be in writing and received by September 18, 2023.
ADDRESSES: You may submit comments, identified by RIN 3038-AE59, by any
of the following methods:
CFTC Comments Portal: https://comments.cftc.gov. Select
the “Submit Comments” link for this rulemaking and follow the
instructions on the Public Comment Form.
Mail: Send to Christopher Kirkpatrick, Secretary of the
Commission, Commodity Futures Trading Commission, Three Lafayette
Centre, 1155 21st Street NW, Washington, DC 20581.
Hand Delivery/Courier: Follow the same instruction as for
Mail, above.
Please submit your comments using only one of these methods.
Submissions through the CFTC Comments Portal are encouraged. All
comments must be submitted in English, or if not,
[[Page 45827]]
accompanied by an English translation. Comments will be posted as
received to https://comments.cftc.gov. You should submit only
information that you wish to make available publicly. If you wish the
Commission to consider information that you believe is exempt from
disclosure under the Freedom of Information Act (FOIA), a petition for
confidential treatment of the exempt information may be submitted
according to the procedures established in section 145.9 of the
Commission’s regulations. The Commission reserves the right, but shall
have no obligation, to review, prescreen, filter, redact, refuse, or
remove any or all of your submission from https://comments.cftc.gov
that it may deem to be inappropriate for publication, such as obscene
language. All submissions that have been redacted or removed that
contain comments on the merits of the rulemaking will be retained in
the public comment file and will be considered as required under the
Administrative Procedure Act (APA) and other applicable laws and may be
accessible under the FOIA.
FOR FURTHER INFORMATION CONTACT: Amanda L. Olear, Director, 202-418-
5283, [email protected]; Pamela M. Geraghty, Deputy Director, 202-418-
5634, [email protected]; Fern Simmons, Associate Director, 202-418-
5901, [email protected]; or Elizabeth Groover, Special Counsel, 202-
418-5985, [email protected]; each in the Market Participants Division
at the Commodity Futures Trading Commission, Three Lafayette Centre,
1155 21st Street NW, Washington, DC 20581.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Background
II. Questions and Request for Comment
A. Risk Management Program Governance
B. Enumerated Risks in the Risk Management Program Regulations
C. Periodic Risk Exposure Reporting by Swap Dealers and Futures
Commission Merchants
D. Other Areas of Risk
I. Background
Title VII of the Dodd-Frank Wall Street Reform and Consumer
Protection Act 1 (Dodd-Frank Act) amended the Commodity Exchange Act
(CEA) 2 to establish a comprehensive regulatory framework to reduce
risk, increase transparency, and promote market integrity within the
financial system by, among other things, providing for the registration
and comprehensive regulation of swap dealers (SDs) 3 and major swap
participants (MSPs),4 and enhancing the rulemaking and enforcement
authorities of the CFTC with respect to all registered entities and
intermediaries subject to its oversight, including, among others,
futures commission merchants (FCMs).5 Added by the Dodd-Frank Act,
CEA section 4s(j) outlines the duties with which SDs must comply.6
Specifically, CEA section 4s(j)(2) requires SDs to establish robust and
professional risk management systems adequate for managing the day-to-
day business of the registrant.7 CEA section 4s(j)(7) directs the
Commission to prescribe rules governing the duties of SDs, including
the duty to establish risk management procedures.8 In April 2012, the
Commission adopted Regulation 23.600,9 which established requirements
for the development, approval, implementation, and operation of SD risk
management programs (RMPs).10
—————————————————————————
1 See Dodd-Frank Act, Public Law 111-203, 124 Stat. 1376
(2010).
2 7 U.S.C. 1 et seq.
3 An SD is an entity that holds itself out as a dealer in
swaps; makes a market in swaps; regularly enters into swaps with
counterparties as an ordinary course of business for its own
account; or engages in any activity causing the entity to be
commonly known in the trade as a dealer or market maker in swaps.
See 7 U.S.C. 1a(49)(A); see also 17 CFR 1.3 (describing exceptions
and limitations).
4 An MSP is any person that is not an SD and maintains a
substantial position in swaps for any of the major swap categories;
whose outstanding swaps create substantial counterparty exposure
that could have serious adverse effects on the financial stability
of the United States banking system or financial markets; or is a
financial entity that is highly leveraged relative to the amount of
capital it holds and that is not subject to capital requirements
established by an appropriate Federal banking agency and maintains a
substantial position in outstanding swaps in any major swap
category. See 7 U.S.C. 1a(33)(A); 17 CFR 1.3. There are currently no
registered MSPs; the relevant regulatory requirements discussed in
this ANPRM, however, apply to both SDs and MSPs. For ease of
drafting, throughout this Notice, any reference to SDs should be
construed to include both SDs and MSPs.
5 An FCM is an entity that solicits or accepts orders to buy
or sell futures contracts, options on futures, retail off-exchange
forex contracts or swaps, and accepts money or other assets from
customers to support such orders. See 7 U.S.C. 1a(28); 17 CFR 1.3.
6 7 U.S.C. 6s(j).
7 7 U.S.C. 6s(j)(2).
8 7 U.S.C. 6s(j)(7).
9 17 CFR 23.600.
10 Swap Dealer and Major Swap Participant Recordkeeping,
Reporting, and Duties Rules; Futures Commission Merchant and
Introducing Broker Conflicts of Interest Rules; and Chief Compliance
Officer Rules for Swap Dealers, Major Swap Participants, and Futures
Commission Merchants, 77 FR 20128 (Apr. 3, 2012) (2012 SD Risk
Management Final Rule). For additional background, see the related
notice of proposed rulemaking: Regulations Establishing and
Governing the Duties of Swap Dealers and Major Swap Participants, 75
FR 71397 (Nov. 23, 2010).
—————————————————————————
Following two FCM insolvencies involving the misuse of customer
funds in 2011 and 2012, the Commission proposed and adopted a series of
regulatory amendments designed to enhance the protection of customers
and customer funds held by FCMs.11 The Commission adopted Regulation
1.11 in 2013 to establish risk management requirements for those FCMs
that accept customer funds. Regulation 1.11 is largely aligned with the
SD risk management requirements in Regulation 23.600 (together with
Regulation 1.11, the RMP Regulations).12 The Commission concluded at
that time that it could mitigate the risks of misconduct and an FCM’s
failure to maintain required funds in segregation 13 with more robust
risk management systems and controls.14
—————————————————————————
11 Enhancing Protections Afforded Customers and Customer Funds
Held by Futures Commission Merchants and Derivatives Clearing
Organizations, 77 FR 67866 (Nov. 14, 2012) (FCM Customer Protection
Proposed Rule); Enhancing Protections Afforded Customers and
Customer Funds Held by Futures Commission Merchants and Derivatives
Clearing Organizations, 78 FR 68506 (Nov. 14, 2013) (FCM Customer
Protection Final Rule).
12 17 CFR 1.11; FCM Customer Protection Final Rule.
13 The statutory requirement for FCMs to segregate customer
funds from their own funds is a fundamental cornerstone of customer
protection. FCM Customer Protection Final Rule, 78 FR at 68506
(“The protection of customers–and the safeguarding of money,
securities or other property deposited by customers with an FCM–is
a fundamental component of the Commission’s disclosure and financial
responsibility framework.”).
14 Id. at 68509.
—————————————————————————
The Commission is issuing this ANPRM for several reasons. After
Regulation 23.600 was initially adopted in 2012, the Commission
received a number of questions from SDs concerning compliance with
these requirements, particularly those concerning governance (for
example, questions regarding who is properly designated as “senior
management,” as well as issues relating to the reporting lines within
the risk management unit).15 The intervening decade of examination
findings and ongoing requests for staff guidance from SDs with respect
to Regulation 23.600 warrant consideration of the Commission’s rules
and additional public discourse on this topic.
—————————————————————————
15 Some SDs expressed confusion to Commission staff regarding
the reporting line requirements and the regulatory definitions of
“governing body” and “senior management.”
—————————————————————————
The Commission has further identified the enumerated areas of risk
that RMPs are required to take into account, and the quarterly risk
exposure reports (RERs), as other areas of potential confusion and
inconsistency
[[Page 45828]]
in the RMP Regulations for SDs and FCMs. Commission staff has observed
significant variance among SD and FCM RERs with respect to how they
define and report on the enumerated areas of risk (e.g., market risk,
credit risk, liquidity risk, etc.), making it difficult for the
Commission to gain a clear understanding of how specific risk exposures
are being monitored and managed by individual SDs and FCMs over time,
as well as across SDs and FCMs during a specified time period.
Furthermore, the Commission’s implementation experiences and certain
market events over the last decade indicate that it may be appropriate
to consider whether to include additional enumerated areas of risk in
the RMP Regulations.
The Commission has observed inefficiencies with respect to the RER
requirements in the RMP Regulations. Currently, Regulations
23.600(c)(2) and 1.11(e)(2) 16 prescribe neither the format of the
RER nor its exact filing schedule.17 As a result, the Commission
frequently receives RERs in inconsistent formats containing stale
information, in some cases data that is at least 90 days out-of-date.
Furthermore, a number of SDs have indicated that the quarterly RERs are
not relied upon for their internal risk management purposes, but
rather, they are created solely to comply with Regulation 23.600,
indicating to the Commission that additional consideration of the RER
requirement is warranted.
—————————————————————————
16 17 CFR 23.600(c)(2); 17 CFR 1.11(e)(2).
17 The timeline for filing quarterly RERs with the Commission
is tied to when such reports are given to SDs’ and FCMs’ senior
management. Regulations 23.600(c)(2) and 1.11(e)(2) do not prescribe
how soon after a quarter-end an SD or FCM must provide its RER to
senior management or the format in which the SD or FCM must submit
the information required in the RER to the Commission. Id.
—————————————————————————
Finally, the Commission also reminds SDs and FCMs that their RMPs
may require periodic updates to reflect and keep pace with
technological innovations that have developed or evolved since the
Commission first promulgated the RMP Regulations.18 The Commission is
seeking information regarding any risk areas that may exist in the RMP
Regulations that the Commission should consider with respect to notable
product or technological developments.
—————————————————————————
18 Since the adoption of the RMP Regulations, some SDs and
FCMs have engaged in novel product offerings, such as derivatives on
certain digital assets, have increased their facilitation of
electronic and automated trading, and have incorporated into their
operations the use of recent technological developments, including
cloud-based storage and computing, and possibly artificial
intelligence and machine learning technologies.
—————————————————————————
Therefore, the Commission is issuing this Notice to seek industry
and public comment on these aforementioned specific aspects of the
existing RMP Regulations, as discussed further below.
II. Questions and Request for Comment
In responding to each of the following questions, please provide a
detailed response, including the rationale for such response, cost and
benefit considerations, and relevant supporting information. The
Commission encourages commenters to include the subsection title and
the assigned number of the specific request for information in their
submitted responses to facilitate the review of public comments by
Commission staff.
A. Risk Management Program Governance
Regulations 23.600(a) and (b) set out the parameters by which an SD
must structure and govern its RMPs. Regulation 23.600(a) sets forth
certain definitions, including “business trading unit,” 19
“governing body,” 20 and “senior management,” 21 whereas
Regulation 23.600(b) requires an SD to memorialize its RMP through
written policies and procedures, which the SD’s governing body must
approve.22 Regulation 23.600(b) further requires an SD to create a
risk management unit (RMU) that: (1) is charged with carrying out the
SD’s RMP; (2) has sufficient authority, qualified personnel, and
resources to carry out the RMP; (3) reports directly to senior
management; and (4) is independent from the business trading unit.23
—————————————————————————
19 “Business trading unit” is defined as, any department,
division, group, or personnel of a swap dealer or major swap
participant or any of its affiliates, whether or not identified as
such, that performs, or personnel exercising direct supervisory
authority over the performance of any pricing (excluding price
verification for risk management purposes), trading, sales,
marketing, advertising, solicitation, structuring, or brokerage
activities on behalf of a registrant. 17 CFR 23.600(a)(2).
20 “Governing body” is defined as, (1) A board of directors;
(2) A body performing a function similar to a board of directors;
(3) Any committee of a board or body; or (4) The chief executive
officer of a registrant, or any such board, body, committee, or
officer of a division of a registrant, provided that the
registrant’s swaps activities for which registration with the
Commission is required are wholly contained in a separately
identifiable division. 17 CFR 23.600(a)(4).
21 “Senior management” is defined as, with respect to a
registrant, any officer or officers specifically granted the
authority and responsibility to fulfill the requirements of senior
management by the registrant’s governing body. 17 CFR 23.600(a)(6).
22 17 CFR 23.600(b).
23 17 CFR 23.600(b)(5).
—————————————————————————
Similar to Regulation 23.600, Regulation 1.11 contains specific
requirements with respect to the risk governance structure.24
Regulation 1.11(b) defines “business unit,” 25 “governing body,”
26 and “senior management,” 27 while Regulation 1.11(c) requires
the FCM to establish the RMP through written policies and procedures,
which the FCM’s governing body must approve.28 Regulation 1.11(d)
requires that an FCM establish and maintain an RMU with sufficient
authority; qualified personnel; and financial, operational, and other
resources to carry out the RMP, that is independent from the business
unit and reports directly to senior management.29
—————————————————————————
24 17 CFR 1.11.
25 “Business unit” is defined as, any department, division,
group, or personnel of a futures commission merchant or any of its
affiliates, whether or not identified as such that: (i) Engages in
soliciting or in accepting orders for the purchase or sale of any
commodity interest and that, in or in connection with such
solicitation or acceptance of orders, accepts any money, securities,
or property (or extends credit in lieu thereof) to margin,
guarantee, or secure any trades or contracts that result or may
result therefrom; or (ii) Otherwise handles segregated funds,
including managing, investing, and overseeing the custody of
segregated funds, or any documentation in connection therewith,
other than for risk management purposes; and (iii) Any personnel
exercising direct supervisory authority of the performance of the
activities described in paragraph (b)(1)(i) or (ii). 17 CFR
1.11(b)(1)(i)-(iii).
26 “Governing body” is defined as, the proprietor, if the
futures commission merchant is a sole proprietorship; a general
partner, if the futures commission merchant is a partnership; the
board of directors if the futures commission merchant is a
corporation; the chief executive officer, the chief financial
officer, the manager, the managing member, or those members vested
with the management authority if the futures commission merchant is
a limited liability company or limited liability partnership. 17 CFR
1.11(b)(3).
27 “Senior management” is defined as, any officer or
officers specifically granted the authority and responsibility to
fulfill the requirements of senior management by the governing body.
17 CFR 1.11(b)(5).
28 17 CFR 1.11(c).
29 17 CFR 1.11(d).
—————————————————————————
The Commission seeks comment generally on the RMP structure and
related governance requirements currently found in the RMP Regulations
for SDs and FCMs. In addition, commenters should seek to address the
following questions:
1. Do the definitions of “governing body” in the RMP Regulations
encompass the variety of business structures and entities used by SDs
and FCMs?
a. Should the Commission consider expanding the definition of
“governing body” in Regulation 23.600(a)(4) to include other officers
in addition to an SD’s CEO, or other bodies other than an SD’s board of
directors (or body performing a similar function)?
b. Are there any other amendments to the “governing body”
definition in
[[Page 45829]]
Regulation 23.600(a)(4) that the Commission should consider?
c. Should similar amendments be considered for the “governing
body” definition applicable to FCMs in Regulation 1.11(b)(3)?
2. Should the Commission consider amending the definitions of
“senior management” in the RMP Regulations? Are there specific roles
or functions within an SD or FCM that the Commission should consider
including in the RMP Regulations’ “senior management” definitions?
3. Should the RMP Regulations specifically address or discuss
reporting lines within an SD’s or FCM’s RMU?
4. Should the Commission propose and adopt standards for the
qualifications 30 of certain RMU personnel (e.g., model validators)?
31
—————————————————————————
30 This could include, for example, prior risk management
experience.
31 Regulations 23.600(b)(5) and 1.11(d) require SDs and FCMs
to establish and maintain RMUs with “qualified personnel.” 17 CFR
23.600(b)(5); 17 CFR 1.11(d).
—————————————————————————
5. Should the RMP Regulations further clarify RMU independence and/
or freedom from undue influence, other than the existing general
requirement that the RMU be independent of the business unit or
business trading unit? 32
—————————————————————————
32 See 17 CFR 23.600(b)(5). This concept relates to the fact
that an RMU may be wholly “independent” from the business unit or
business trading unit in terms of physical location and reporting
lines, but that does not necessarily equate to freedom from undue
influence. For example, during model validation activities, an SD’s
business trading unit, whose staff created the model, may try to
improperly influence the RMU’s model reviewer employees, who are
undertaking an independent assessment of it.
—————————————————————————
6. Are there other regulatory regimes the Commission should
consider in a holistic review of the RMP Regulations? For instance,
should the Commission consider harmonizing the RMP Regulations with the
risk management regimes of prudential regulators? 33
—————————————————————————
33 See 7 U.S.C. 1a(39) (defining the term “prudential
regulator”). Non-U.S. SDs may also be subject to prudential
supervision by regulatory authorities in their home jurisdiction.
—————————————————————————
7. Are there other portions of the RMP Regulations concerning
governance that are not addressed above that the Commission should
consider changing? Please explain.
B. Enumerated Risks in the Risk Management Program Regulations
The RMP Regulations specify certain enumerated risks that SDs’ and
FCMs’ RMPs must consider. Specifically, Regulation 23.600(c)(1)(i)
identifies specific areas of enumerated risk that an SD’s RMP must take
into account: market risk, credit risk, liquidity risk, foreign
currency risk, legal risk, operational risk, and settlement risk.34
Though not identical, Regulation 1.11(e)(1)(i) similarly lists specific
areas of enumerated risk that an FCM’s RMP must take into account:
market risk, credit risk, liquidity risk, foreign currency risk, legal
risk, operational risk, settlement risk, segregation risk,
technological risk, and capital risk.35
—————————————————————————
34 17 CFR 23.600(c)(1).
35 17 CFR 1.11(e)(1)(i).
—————————————————————————
Regulation 23.600(c)(4) requires that an SD’s RMP include, but not
be limited to, policies and procedures necessary to monitor and manage
all of the risks enumerated in Regulation 23.600(c)(1)(i), as well as
requiring that the policies and procedures for each such risk take into
account specific risk management considerations.36 In contrast,
Regulation 1.11(e)(3) requires that an FCM’s RMP include, but not be
limited to, policies and procedures that monitor and manage segregation
risk, operational risk, and capital risk, along with enumerating
specific risk management considerations that are required to be
included and/or addressed in the policies and procedures for these
risks.37 Unlike Regulation 23.600(c)(4), Regulation 1.11(e)(3) does
not explicitly require policies and procedures, or enumerate attendant
specific risk considerations, for all of the types of risk that must be
taken into account by an FCM’s RMP pursuant to Regulation
1.11(e)(1)(i), focusing instead on segregation, operational, and
capital risks.
—————————————————————————
36 17 CFR 23.600(c)(4).
37 17 CFR 1.11(e)(3).
—————————————————————————
The Commission requests comment on SDs’ and FCMs’ enumerated risks
generally, including: (a) whether specific risk considerations that
must be taken into account with respect to certain enumerated risks
should be amended; (b) whether definitions should be added for each
enumerated risk; and finally, (c) whether the Commission should
enumerate and define any additional types of risk in the RMP
Regulations. In particular:
1. Should the Commission amend Regulation 1.11(e)(3) to require
that FCMs’ RMPs include, but not be limited to, policies and procedures
necessary to monitor and manage all of the enumerated risks identified
in Regulation 1.11(e)(1) that an FCM’s RMP is required to take into
account, not just segregation, operational, or capital risk (i.e.,
market risk, credit risk, liquidity risk, foreign currency risk, legal
risk, settlement risk, and technological risk)? If so, should the
Commission adopt specific risk management considerations for each
enumerated risk, similar to those described in Regulation 23.600(c)(4)?
2. Regulation 23.600(c)(4)(i) requires SDs to establish policies
and procedures necessary to monitor and manage market risk.38 These
policies and procedures must consider, among other things, “timely and
reliable valuation data derived from, or verified by, sources that are
independent of the business trading unit, and if derived from pricing
models, that the models have been independently validated by qualified,
independent external or internal persons.” 39
—————————————————————————
38 17 CFR 23.600(c)(4)(i).
39 17 CFR 23.600(c)(4)(i)(B).
—————————————————————————
a. Does this validation requirement in Regulation
23.600(c)(4)(i)(B) warrant clarification?
b. Should validation, as it is currently required in Regulation
23.600(c)(4)(i)(B), align more closely with the validation of margin
models discussed in Regulation 23.154(b)(5)? 40
—————————————————————————
40 17 CFR 23.154(b)(5) (outlining the process and requirements
for the control, oversight, and validation mechanisms for initial
margin models).
—————————————————————————
3. The policies and procedures mandated by Regulations
23.600(c)(4)(i) and (ii) to monitor and manage market risk and credit
risk must take into account, among other considerations, daily
measurement of market exposure, including exposure due to unique
product characteristics and volatility of prices, and daily measurement
of overall credit exposure to comply with counterparty credit
limits.41 To manage their risk exposures, SDs employ various
financial risk management tools, including the exchange of initial
margin for uncleared swaps. In that regard, the Commission has set
forth minimum initial margin requirements for uncleared swaps,42
which can be calculated using either a standardized table or a
proprietary risk-based model.43 An SD’s risk exposures to certain
products and underlying asset classes may, however, warrant the
collection and posting of initial margin above the minimum regulatory
requirements set forth in the standardized table. Should the Commission
expand the specific risk management considerations listed in
Regulations 23.600(c)(4)(i)-(ii) to add
[[Page 45830]]
that an SD’s RMP policies and procedures designed to manage market risk
and/or credit risk must also take into account whether the collection
or posting of initial margin above the minimum regulatory requirements
set forth in the standardized table is warranted?
—————————————————————————
41 17 CFR 23.600(c)(4)(i)-(ii).
42 17 CFR 23.150-161. In adopting the margin requirements for
uncleared swaps, the Commission noted that the initial margin amount
required under the rules is a minimum requirement. See Margin
Requirements for Uncleared Swaps for Swap Dealers and Major Swap
Participants, 81 FR 636, 649 (Jan. 6, 2016). This is consistent with
CEA section 4s(e), which directed the Commission to prescribe by
rule or regulation minimum margin requirements for non-bank SDs. See
7 U.S.C. 6s(e)(2)(B).
43 17 CFR 23.154.
—————————————————————————
4. The RMP Regulations enumerate, but do not define, the specific
risks that SDs’ and FCMs’ RMPs must take into account. Should the
Commission consider adding definitions for any or all of these
enumerated risks? If so, should the enumerated risk definitions be
identical for both SDs and FCMs?
5. The Federal Reserve and Basel III define “operational risk” as
the risk of loss resulting from inadequate or failed internal
processes, people, and systems or from external events.44 Would
adding a definition of “operational risk” to the RMP Regulations that
is closely aligned with this definition increase clarity and/or
efficiencies for SD and FCM risk management practices, or otherwise be
helpful? Should the Commission consider identifying specific sub-types
of operational risk for purposes of the SD and FCM RMP requirements?
—————————————————————————
44 12 CFR 217.101(b); Basel Committee on Banking Supervision,
“Calculation of RWA for Operational Risk” (Dec. 2019), available
at https://www.bis.org/basel_framework/chapter/OPE/10.htm?inforce=20191215&published=20191215.
—————————————————————————
6. Technological risk is identified in Regulation 1.11(e)(1)(i) as
a type of risk that an FCM’s RMP must take into account; however,
technological risk is not similarly included in Regulation
23.600(c)(1)(i) as an enumerated risk that an SD’s RMP must address.
Should the Commission amend Regulation 23.600(c)(1)(i) to add
technological risk as a type of risk that SDs’ RMPs must take into
account?
a. Should technological risk, if added for SDs, be identified as a
specific risk consideration within operational risk, as described by
Regulation 23.600(c)(4)(vi), or should it be a standalone,
independently enumerated area of risk?
b. If technological risk is added as its own enumerated area of
risk, what risk considerations should an SD’s RMP policies and
procedures address, as required by Regulation 23.600(c)(4)?
c. Relatedly, although technological risk is included in the
various types of risk that an FCM’s RMP must take into account, no
specific risk considerations for technological risk are further
outlined in Regulation 1.11(e)(3).45 What, if any, specific risk
considerations for technological risk should be added to Regulation
1.11(e)(3)? Should the Commission categorize any additional specific
risk considerations for technological risk as a subset of the existing
“operational risk” considerations in Regulation 1.11(e)(3)(ii), or
should “technological risk” have its own independent category of
specific risk considerations in Regulation 1.11(e)(3)?
—————————————————————————
45 See 17 CFR 1.11(e)(1)(i); cf. 17 CFR 1.11(e)(3)(i)-(iii).
—————————————————————————
d. Should the Commission define “technological risk” in the RMP
Regulations? For example, Canada’s Office of the Superintendent of
Financial Institutions (OSFI) defines “technology risk” as “the risk
arising from the inadequacy, disruption, destruction, failure, damage
from unauthorized access, modifications, or malicious use of
information technology assets, people or processes that enable and
support business needs and can result in financial loss and/or
reputational damage.” 46 If the Commission were to add a definition
of “technological risk” to the RMP Regulations, should it be
identical or similar to that recently finalized by OSFI? 47 If not,
how should it otherwise be defined? Should the Commission consider
different definitions of “technological risk” for SDs and FCMs?
Should the Commission consider providing examples of “information
technology assets” to incorporate risks that may arise from the use of
certain emerging technologies, such as artificial intelligence and
machine learning technology, distributed ledger technologies (e.g.,
blockchains), digital asset and smart contract-related applications,
and algorithmic and other model-based technology applications?
—————————————————————————
46 See OSFI Guideline B-13, Technology and Cyber Risk
Management (July 2022), available at https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/b13.aspx. The final Guideline B-
13 will be effective as of January 1, 2024.
47 The prudential regulators and the Securities and Exchange
Commission (SEC) have not yet proposed or adopted definitions of
“technological risk.” Accordingly, Commission staff turned to non-
U.S. financial regulators for potential definitions of this term.
Canada’s OSFI recently finalized its definition of “technology
risk,” following extensive engagement with industry and the public
that included the September 2020 publication of its discussion paper
and a consultation period from September to December 2020; the
issuance of proposed guidance in November 2021; and further
consultation on its proposed guidance from November 2021 to February
2022. See OSFI Releases New Guideline for Technology and Cyber Risk,
Balancing Innovation with Risk Management (July 13, 2022), available
at https://www.osfi-bsif.gc.ca/Eng/osfi-bsif/med/Pages/b13-nr.aspx.
—————————————————————————
7. Are there any other types of risk that the Commission should
consider enumerating in the RMP Regulations as risks required to be
monitored and managed by SDs’ and FCMs’ RMPs? Geopolitical risk?
Environmental, social and governance (ESG) risk? Climate-related
financial risk, including physical risk and transition risk such as the
energy transition? Reputational risk? Funding risk? Collateral risk?
Concentration risk? Model risk? Cybersecurity risk? Regulatory and
compliance risk arising from conduct in foreign jurisdictions?
Contagion risk?
a. Should these potential new risks be defined in the RMP
Regulations?
b. With respect to each newly suggested enumerated risk, what, if
any, specific risk considerations should an SD’s or FCM’s RMP policies
and procedures be required to include?
c. Are there international standards for risk management with which
the Commission should consider aligning the RMP Regulations?
C. Periodic Risk Exposure Reporting by Swap Dealers and Futures
Commission Merchants
In accordance with Regulation 23.600(c)(2), an SD must provide to
its senior management and governing body a quarterly RER containing
specific information on the SD’s risk exposures and the current state
of its RMP; the RER shall also be provided to the SD’s senior
management and governing body immediately upon the detection of any
material change in the risk exposure of the SD.48 SDs are required to
furnish copies of all RERs to the Commission within five (5) business
days of providing such RERs on a quarterly basis to their senior
management.49 Likewise, Regulation 1.11(e)(2) has an identical RER
requirement for FCMs.50
—————————————————————————
48 17 CFR 23.600(c)(2). SD RERs shall set forth the market,
credit, liquidity, foreign currency, legal, operational, settlement,
and any other applicable risk exposures of the SD; any recommended
or completed changes to the RMP; the recommended time frame for
implementing recommended changes; and the status of any incomplete
implementation of previously recommended changes to the RMP. Id.
49 17 CFR 23.600(c)(2)(ii).
50 17 CFR 1.11(e)(2).
—————————————————————————
This Notice seeks comment generally on how the current RER regime
for SDs and FCMs could be improved, as well as specific responses to
the questions listed below:
1. At what frequency should the Commission require SDs and FCMs to
furnish copies of their RERs to the Commission?
2. Should the Commission consider changing the RER filing
requirements to require filing with the Commission by a certain day
(e.g., a week, month, or other specific timeframe after the quarter-
end), rather than tying the filing requirement to when the RER is
furnished to senior management?
3. Should the Commission consider harmonizing or aligning, in whole
or in part, the RER content requirements in
[[Page 45831]]
the RMP Regulations with those of the National Futures Association
(NFA)’s SD monthly risk data filings? 51
—————————————————————————
51 SDs must report certain metrics related to market and
credit risk, including Value at Risk (VaR) for interest rates,
credit, forex, equities, commodities, and total VaR; total stressed
VaR; interest rate sensitivity by tenor bucket; credit spread
sensitivity; forex market sensitivities; commodity market
sensitivities; total swaps current exposure before collateral; total
swaps current exposure net of collateral; total credit valuation
adjustment or expected credit loss; and largest swaps counterparty
current exposures. See NFA, Notice I-17-10: Monthly Risk Data
Reporting Requirements for Swap Dealers (May 30, 2017), available at
https://www.nfa.futures.org/news/newsNotice.asp?ArticleID=4817.
—————————————————————————
a. If so, should the Commission consider any changes or additions
to the data metrics currently collected by NFA as could be required in
the RMP Regulations?
b. For FCMs who are not currently required to file monthly risk
data filings with NFA, were the Commission to adopt a monthly risk
exposure reporting requirement, are there different risk data metrics
for FCMs that it should consider including? If so, what are they?
4. Are there additional SD or FCM-specific data metrics or risk
management issues that the Commission should consider adding to the
content requirements of the RER?
5. Should the Commission consider prescribing the format of the
RERs? For instance, should the Commission consider requiring the RER to
be a template or form that SDs and FCMs fill out?
6. In furtherance of the RER filing requirement, should the
Commission consider allowing SDs and FCMs to furnish to the Commission
the internal risk reporting they already create, maintain, and/or use
for their risk management program?
a. If so, how often should these reports be required to be filed
with the Commission?
b. If the Commission allowed an SD or FCM to provide the Commission
with its own risk reporting, should the Commission prescribe certain
minimum content and/or format requirements?
7. Should the Commission consider prescribing the standard SDs and
FCMs use when determining whether they have experienced a material
change in risk exposure, pursuant to Regulations 23.600(c)(2)(i) and
1.11(e)(2)(i)? Alternatively, should the Commission continue to allow
SDs and FCMs to use their own internally-developed standards for
determining when such a material change in risk exposure has occurred?
8. Should the Commission clarify the requirements in Regulations
23.600(c)(2)(i) and 1.11(e)(2)(i) that RERs shall be provided to the
senior management and the governing body immediately upon detection of
any material change in the risk exposure of the SD or FCM?
9. Should the Commission consider setting a deadline for when an SD
or FCM must notify the Commission of any material changes in risk
exposure? If so, what should be the deadline?
10. Should the Commission consider additional governance
requirements in connection with the provision of the quarterly RER to
the senior management and the governing body of a SD, or of an FCM,
respectively?
11. Should the Commission require the RERs to report on risk at the
registrant level, the enterprise level (in cases where the registrant
is a subsidiary of, affiliated with, or guaranteed by a corporate
family), or both? What data metrics are relevant for each level?
12. Should the Commission require that RERs contain information
related to any breach of risk tolerance limits described in Regulations
23.600(c)(1)(i) and 1.11(e)(1)(i)? Alternatively, should the Commission
require prompt notice, outside of the RER requirement, of any breaches
of the risk tolerance limits that were approved by an SD’s or FCM’s
senior management and governing body? Should there be a materiality
standard for inclusion of breaches in RERs or requiring notice to the
Commission?
13. Should the Commission require that RERs contain information
related to material violations of the RMP policies or procedures
required in Regulations 23.600(b)(1) and 1.11(c)(1)?
14. Should the Commission require that RERs additionally discuss
any known issues, defects, or gaps in the risk management controls that
SDs and FCMs employ to monitor and manage the specific risk
considerations under Regulations 23.600(c)(4) and 1.11(e)(3), as well
as including a discussion of their progress toward mitigation and
remediation?
D. Other Areas of Risk
Recent market, credit, operational, and geopolitical events have
highlighted the critical importance of risk management and the need to
periodically review risk management practices. Therefore, the
Commission is interested in feedback and comment on other RMP-related
topics, specifically: (1) the segregation of customer funds and
safeguarding of counterparty collateral, and (2) risks posed by
affiliates, lines of business, and other trading activity. The
Commission continues to have confidence in its regulations governing
the segregation of customer funds in traditional derivatives markets.
The questions below are intended to assist the Commission in its
ongoing evaluation of whether and how RMP regulations and practices at
FCMs and SDs adequately and comprehensively address risks arising from
new or evolving market structures, products, and registrants.
a. Potential Risks Related to the Segregation of Customer Funds and
Safeguarding Counterparty Collateral
The segregation of customer funds and safeguarding of counterparty
collateral are cornerstones of the Commission’s FCM and SD regulatory
regimes, respectively. Currently, the existing RMP Regulations address
the management of segregation risk and the safeguarding of counterparty
collateral in different ways, given the differing business models
between FCMs and SDs. Regulation 1.11(e)(3)(i) requires an FCM’s RMP to
include written policies and procedures reasonably designed to ensure
segregated funds are separately accounted for and segregated or secured
as belonging to customers.52 This requirement further lists several
subjects that must, “at a minimum,” be addressed by an FCM’s RMP
policies and procedures, including the evaluation and monitoring
process for approved depositories, the treatment of related residual
interest, transfers, and withdrawals, and permissible investments.
—————————————————————————
52 17 CFR 1.11(e)(3)(i).
—————————————————————————
Although Regulation 23.600(c)(6) of the SD RMP Regulations requires
compliance with all capital and margin requirements, Regulation 23.600
does not explicitly require an SD’s RMP to include written policies and
procedures to safeguard counterparty collateral. Rather, the Commission
chose to adopt Regulations 23.701 through 23.703 for the purpose of
establishing a separate framework for the elected segregation of assets
held as collateral in uncleared swap transactions.53 Additionally,
the Commission requires certain initial margin to be held through
custodial arrangements in accordance with Regulation 23.157.54
—————————————————————————
53 17 CFR 23.701-23.703.
54 17 CFR 23.157.
—————————————————————————
The Commission seeks comment generally on the risks attendant to
the segregation of customer funds and the safeguarding of counterparty
collateral. In addition, commenters should seek to address the
following questions:
1. Do the current RMP Regulations for FCMs adequately and
comprehensively require them to identify, monitor, and
[[Page 45832]]
manage the risks associated with the segregation of customer funds and
the protection of customer property? Are there other Commission
regulations that address these risks for FCMs?
2. Currently, the Commission understands that no FCM holds customer
property in the form of virtual currencies or other digital assets such
as stablecoins. To the extent that FCMs may consider engaging in this
activity in the future, would the current RMP Regulations for FCMs
adequately and comprehensively require them to identify, monitor, and
manage the risks associated with that activity, including custody with
a third-party entity?
3. Do the current RMP Regulations for SDs adequately and
comprehensively require them to identify, monitor, and manage all of
the risks associated with the collection, posting, and custody of
counterparty collateral and the protection of such assets? Are there
any other risks that should be addressed by the RMP Regulations for SDs
related to the collection, posting, and custody of counterparty
collateral?
4. Do the Commission’s RMP Regulations adequately address risks to
customer funds or counterparty collateral that may be associated with
SDs and FCMs that have multiple business lines and registrations?
Although the Commission understands that SDs and FCMs currently engage
in limited activities with respect to digital assets, should the
Commission consider additional RMP requirements applicable to SDs and
FCMs that are or may become involved in, or affiliated with, the
provision of digital asset financial services or products (e.g.,
digital asset lending arrangements or derivatives)?
b. Potential Risks Posed by Affiliates, Lines of Business, and All
Other Trading Activity
In light of increasing market volatility and recent market
disruptions, as well as the growth of digital asset markets, the
Commission generally seeks comment on the risks posed by SDs’ and FCMs’
affiliates and related trading activity. Generally, the RMP Regulations
require SD and FCM RMPs to take into account risks posed by affiliates
and related trading activity. Specifically, Regulation 23.600(c)(1)(ii)
requires an SD’s RMP to take into account “risks posed by affiliates”
with the RMP integrated into risk management functions at the
“consolidated entity level.” 55 Similarly, Regulation
1.11(e)(1)(ii) requires an FCM’s RMP to take into account risks posed
by affiliates, all lines of business of the FCM, and all other trading
activity engaged in by the FCM.” 56
—————————————————————————
55 17 CFR 23.600(c)(1)(ii).
56 17 CFR 1.11(e)(1)(ii).
—————————————————————————
Some SDs and FCMs are subject to regulatory requirements designed
to mitigate certain risks arising from certain affiliate activities.
For example, SDs and FCMs that are affiliates or subsidiaries of a
banking entity may have to comply with certain restrictions and
requirements on inter-affiliate activities. Further, those SDs and FCMs
that are subject to the Volcker Rule, codified and implemented in part
75 of the Commission’s regulations, and incorporated into other
requirements, such as Regulation 3.3, are subject to the Volcker Rule’s
risk management program and compliance program requirements.57
—————————————————————————
57 17 CFR part 75; 17 CFR 3.3.
—————————————————————————
The Commission seeks comment generally on the requirements related
to risks posed by affiliates and related trading activity found within
the RMP Regulations for SDs and FCMs, including non-bank affiliated SDs
or non-bank affiliated FCMs. In addition, commenters should seek to
address the following questions:
1. What risks do affiliates (including, but not limited to, parents
and subsidiaries) pose to SDs and FCMs? Are there risks posed by an
affiliate trading in physical commodity markets, trading in digital
asset markets, or relying on affiliated parties to meet regulatory
requirements or obligations? Are there contagion risks posed by the
credit exposures of affiliates? Are there risks posed by other lines of
business of an SD, or of an FCM, respectively, that are not adequately
or comprehensively addressed by the Commission’s regulations,
including, as applicable, the Volcker Rule regulations found in 17 CFR
part 75?
2. Do the current RMP Regulations adequately and comprehensively
address the risks associated with the activities of affiliates (whether
such affiliates are unregulated, less regulated, or subject to
alternative regulatory regimes), or of other lines of business, of an
SD or of an FCM, respectively, that could affect SD or FCM operations?
Alternatively, to what extent are the risks posed by affiliates
discussed in this section adequately addressed through other regulatory
requirements (for example, the Volcker Rule or other prudential
regulations, or applicable non-U.S. laws, regulations, or standards)?
3. Should the Commission further expand on how SD and FCM RMPs
should address risks posed by affiliates in the RMP Regulations,
including any specific risks? Should the Commission consider
enumerating any specific risks posed by affiliates or related trading
activities within the RMP Regulations, either as a separate enumerated
risk, or as a subset of an existing enumerated area of risk (e.g.,
operational risk, credit risk, etc.)?
Issued in Washington, DC, on July 12, 2023, by the Commission.
Robert Sidman,
Deputy Secretary of the Commission.
Note: The following appendices will not appear in the Code of
Federal Regulations.
Appendices to Risk Management Program Regulations for Swap Dealers,
Major Swap Participants, and Futures Commission Merchants–Voting
Summary and Chairman’s and Commissioners’ Statements
Appendix 1–Voting Summary
On this matter, Chairman Behnam and Commissioners Johnson,
Goldsmith Romero, Mersinger, and Pham voted in the affirmative. No
Commissioner voted in the negative.
Appendix 2–Statement of Chairman Rostin Behnam
I appreciate all of the Market Participants Division staff’s
hard work on this proposal. I look forward to the public’s
thoughtful comments on the proposal to inform a potential future
rulemaking or guidance for the Commission’s risk management program
regulations for swap dealers and futures commission merchants.
Appendix 3–Statement of Commissioner Christy Goldsmith Romero on
Advance Notice of Proposed Rulemaking on Risk Management Program
Regulations
Management of existing, evolving, and emerging risk is paramount
to the financial stability of the United States and global markets.
This is evidenced by the recent bank failures, followed by
subsequent government action taken out of regulatory concern over
possible contagion effect to other banks and broader economic
spillover.1 Federal Reserve Board Vice Chair Michael Barr recently
testified before the Senate at a hearing on the bank failures, “the
events of the last few weeks raise questions about evolving risks
and what more can and should be done so that isolated banking
problems do not
[[Page 45833]]
undermine confidence in healthy banks and threaten the stability of
the banking system as a whole.” 2
—————————————————————————
1 See Statement of Martin J. Gruenberg, Chairman Federal
Deposit Insurance Corporation Chair on “Recent Bank Failures and
the Federal Regulatory Response” before the Committee of Banking,
Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) https://www.banking.senate.gov/imo/media/doc/Gruenberg%20Testimony%203-28-23.pdf; see also Hearing on Recent Bank Failures and the Federal
Regulatory Response, United States Senate Committee on Banking,
Housing, and Urban Affairs (Mar. 28, 2023) https://www.banking.senate.gov/hearings/recent-bank-failures-and-the-federal-regulatory-response.
2 Statement of Michael S. Barr, Vice Chair for Supervision,
Board of Governors of the Federal Reserve System before the
Committee of Banking, Housing and Urban Affairs, U.S. Senate (Mar.
28, 2023) https://www.banking.senate.gov/imo/media/doc/Barr%20Testimony%203-28-231.pdf.
—————————————————————————
Sound risk management is particularly crucial for CFTC-
registered swap dealers, the majority of which are global
systemically important banks on Wall Street (or their affiliates) or
other prudentially-regulated banks. If there was any one issue at
the center of the 2008 financial crisis, it was the failure of risk
management by Wall Street. The Dodd-Frank Wall Street Reform and
Consumer Protection Act required these dealers to establish and
maintain risk management programs. The Commission implemented its
risk management requirements for swap dealers in 2012. Then in 2013,
the Commission required that brokers in the derivatives markets,
known as futures commission merchants (“FCMs”), establish and
maintain risk management programs after two brokers, MF Global and
Peregrine Financial, misused customer funds and collapsed from a
combination of hidden risks and fraud.3
—————————————————————————
3 This dovetailed with Commission requirements that brokers
segregate customer assets from company assets and house accounts.
—————————————————————————
Re-evaluating our risk management rules is responsible and
necessary to keep pace with evolving markets that can give rise to
emerging risk. The last three years presented unprecedented risk.
The pandemic, its lingering supply chain disruptions, Russia’s war
against Ukraine, climate disasters that proved to be the most-costly
three years on record, a spike in ransomware and other cyber attacks
(including on ION Markets and Colonial Pipeline), and increasing
geo-political tensions involving the U.S. and China, have emerged as
often interrelated areas of significant risk. Additionally, as
Chairman of the Federal Deposit Insurance Corporation (“FDIC”),
Martin Gruenberg testified before the Senate, “the financial system
continues to face significant downside risks from the effects of
inflation, rising market interest rates, and continuing geopolitical
uncertainties.” 4
—————————————————————————
4 See Statement of Martin J. Gruenberg, Chairman Federal
Deposit Insurance Corporation Chair on “Recent Bank Failures and
the Federal Regulatory Response” before the Committee of Banking,
Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) https://www.banking.senate.gov/imo/media/doc/Gruenberg%20Testimony%203-28-23.pdf.
—————————————————————————
Evolving technologies like digital assets, artificial
intelligence, and cloud services, also have emerged as areas that
can carry significant risk.5 Vice Chair Barr testified before the
Senate, “recent events have shown that we must evolve our
understanding of banking in light of changing technologies and
emerging risks. To that end, we are analyzing what recent events
have taught us about banking, customer behavior, social media,
concentrated and novel business models, rapid growth, deposit runs,
interest rate risk, and other factors, and we are considering the
implications for how we should be regulating and supervising our
financial institutions. And for how we think about financial
stability.” 6
—————————————————————————
5 See Commissioner Christy Goldsmith Romero, Opening Remarks
at the Technology Advisory Committee on DeFi, Responsible Artificial
Intelligence, Cloud Technology & Cyber Resilience (Mar. 22, 2023),
https://www.cftc.gov/PressRoom/SpeechesTestimony/romerostatement032223; see also Department of Treasury, The
Financial Services Sector’s Adoption of Cloud Services (Feb. 8,
2023), https://home.treasury.gov/news/press-releases/jy1252.
6 See Statement of Michael S. Barr, Vice Chair for
Supervision, Board of Governors of the Federal Reserve System before
the Committee of Banking, Housing and Urban Affairs, U.S. Senate
(Mar. 28, 2023) https://www.banking.senate.gov/imo/media/doc/Barr%20Testimony%203-28-231.pdf (adding that Silicon Valley Bank
“failed to manage the risks of its liabilities. These liabilities
were largely composed of deposits from venture capital firms and the
tech sector, which were highly concentrated and could be
volatile.”)
—————————————————————————
The Commission should ensure that our risk management frameworks
for banks and brokers reflect and keep pace with the significant
evolution of financial stability risk. It is equally important for
the Commission to be forward-looking to ensure that our risk
management frameworks capture future risk as it could evolve or
emerge.7 The Commission is considering whether to enumerate
specific areas of risk that banks and brokers would be required to
address. This could include for example, geopolitical risk,
cybersecurity risk, climate-related financial risk or contagion
risk.
—————————————————————————
7 Additionally, CFTC staff have observed significant variance
in how swap dealers and brokers are defining and reporting on risk
areas, making it difficult for CFTC staff to gain a clear
understanding of how specific risk exposures are being monitored and
managed. Furthermore, some swap dealers have indicated that they do
not rely on the information in CFTC risk reporting for their
internal risk management. Improving the efficacy of CFTC
requirements for swap dealers’ own risk management, along with the
Commission’s ability to monitor risk are worthwhile goals.
—————————————————————————
The Commission seeks public comment in its reassessment of its
risk management frameworks. I am particularly interested in comment
on the following areas: (1) Technology Risk; (2) Cyber Risk; (3)
Affiliate Risk; (4) Risk related to segregating customer funds and
safeguarding counterparty collateral; and (5) Climate-Related
Financial Risk.
Technology Risk
Risk has emerged from the evolution of technology. Distributed
ledger networks are being used or considered in certain markets; cloud
data storage and computing has gone mainstream; and artificial
intelligence hold the power to transform businesses. Many firms are
also integrating, or are interested in integrating, digital assets into
their businesses, or plan to do so. All of these emerging or evolving
technologies carry risks.
Digital assets carry risks–something that has become all too clear
in the past year. Silvergate Bank, which recently failed, was almost
exclusively known for providing services to digital asset firms.8
According to FDIC Chairman Gruenberg, “Following the collapse of
digital asset exchange FTX in November 2022, Silvergate Bank released a
statement indicating that it had $11.9 billion in digital asset-related
deposits, and that FTX represented less than 10 percent of total
deposits in an effort to explain that its exposure to the digital asset
exchange was limited. Nevertheless, in the fourth quarter of 2022,
Silvergate Bank experienced an outflow of deposits from digital asset
customers that, combined with the FTX deposits, resulted in a 68
percent loss in deposits–from $11.9 billion in deposits to $3.8
billion. That rapid loss of deposits caused Silvergate Bank to sell
debt securities to cover deposit withdrawals, resulting in a net
earnings loss of $1 billion. On March 1, 2023, Silvergate Bank
announced it would be delaying issuance of its 2022 financial
statements and indicated that recent events raised concerns about its
ability to operate as a going concern, which resulted in a steep drop
in Silvergate Bank’s stock price. On March 8, 2023, Silvergate Bank
announced that it would self-liquidate.” 9
—————————————————————————
8 See Statement of Martin J. Gruenberg, Chairman Federal
Deposit Insurance Corporation Chair on “Recent Bank Failures and
the Federal Regulatory Response” before the Committee of Banking,
Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) https://www.banking.senate.gov/imo/media/doc/Gruenberg%20Testimony%203-28-23.pdf.
9 See Id.
—————————————————————————
Chairman Gruenberg further testified, “Like Silvergate Bank,
Signature Bank had also focused a significant portion of its business
model on the digital asset industry. . . . Silvergate Bank operated a
similar platform that was also used by digital asset firms. . . . In
the second and third quarters of 2022, Signature Bank, like Silvergate,
experienced deposit withdrawals and a drop in its stock price as a
consequence of disruptions in the digital asset market due to failures
of several high profile digital asset companies.” 10
—————————————————————————
10 See Id.
—————————————————————————
These technological advancements, with their accompanying risks,
necessitate the Commission revisiting our regulatory oversight,
including our risk management requirements. This is similar to other
regulators revisiting their oversight in this area. According to Vice
Chair Barr, the Federal Reserve “recently decided to establish a
dedicated novel activity supervisory group, with a team of experts
focused on risks of novel activities, which should help improve
oversight of banks like SVB in the future.” 11
—————————————————————————
11 Statement of Michael S. Barr, Vice Chair for Supervision,
Board of Governors of the Federal Reserve System before the
Committee of Banking, Housing and Urban Affairs, U.S. Senate (Mar.
28, 2023) https://www.banking.senate.gov/imo/media/doc/Barr%20Testimony%203-28-231.pdf.
—————————————————————————
[[Page 45834]]
I am interested in comments on how the Commission should amend its
risk management requirements to ensure that risks from technology are
adequately identified, monitored, assessed and managed. I am also
interested in public comment on any gaps in our risk management
regulations that the Commission should address regarding technology.
Cyber Risk
I am interested in public comment about how the Commission should
update its risk management frameworks to address the growing and
increasingly sophisticated threat of cyber attacks. The White House’s
recent National Cybersecurity Strategy stated:
Our rapidly evolving world demands a more intentional, more
coordinated, and more well-resourced approach to cyber defense. We
face a complex threat environment, with state and non-state actors
developing and executing novel campaigns to threaten our interests.
At the same time, next-generation technologies are reaching maturity
at an accelerating pace, creating new pathways for innovation while
increasing digital interdependencies.12
—————————————————————————
12 The White House, Fact Sheet: Biden-Harris Administration
Announces National Cybersecurity Strategy, (Mar. 2, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/.
—————————————————————————
Global cyber criminals and state-sponsored efforts can create or
leverage a serious disruption to markets.
I am also interested in comment on how the Commission should
address risk management related to third party service providers. As
I said in a speech in November, “Even if financial firms have
strong cybersecurity systems, their cybersecurity is only as strong
as their most vulnerable third-party service provider. The threat
can compound where several firms use the same software or other
provider.” 13 Subsequently in February, a third-party service
provider ION Markets suffered a cyber attack that compromised a
number of brokers in the derivatives market. Treasury Deputy
Assistant Secretary Todd Conklin, a member of the CFTC Technology
Advisory Committee (“TAC”) presented at a recent TAC meeting that
ION was not considered by firms to be a critical vendor.14 Given
the severe threat of cyber attacks, I am interested in commenters’
views on whether the Commission should specifically enumerate cyber
risk, specifically include risks associated with third-party service
providers in risk management frameworks, or include other
requirements to ensure that cyber risk is adequately and
comprehensively identified, assessed, and managed.
—————————————————————————
13 See Commissioner Christy Goldsmith Romero, U.S. Commodity
Futures Trading Commission, Protecting Against Emerging Global
Fintech Threats in Cyberspace and Cryptocurrencies (Nov. 30, 2022),
Keynote Remarks of Commissioner Christy Goldsmith Romero at the
Futures Industry Association, Asia Derivatives Conference,
Singapore, https://www.cftc.gov/PressRoom/SpeechesTestimony/oparomero4.
14 See Technology Advisory Committee meeting (Mar. 22, 2023)
Commissioner Goldsmith Romero Announces Technology Advisory
Committee Meeting Agenda That Includes Cybersecurity, Decentralized
Finance, and Artificial Intelligence, https://www.cftc.gov/PressRoom/Events/opaeventtac032223.
—————————————————————————
Affiliate Risk
I am interested in commenters views on the questions related to
affiliate risks, especially those related to risks that unregulated
affiliates can pose to regulated entities. Currently, the
Commission’s rules provide that the risk management frameworks of
banks and brokers shall “take into account” risks posed by
affiliates. Affiliate risks can take many forms–from counterparty
credit risk to operational risks to many others. The questions posed
in this ANPRM are designed to flesh out details about affiliate
risks, and whether such risks are sufficiently identified and
adequately managed.
Understanding affiliate risks is critically important given
lessons learned from the past and more recent events. For example,
AIG Financial Products (“AIGFP”) is the poster child for how risk
of a seemingly remote, unregulated affiliate could undermine the
stability of a large, diversified financial institution. AIGFP’s
damage reached well beyond its affiliates. AIGFP was a source of
contagion for other market participants, ultimately spreading risks
across Wall Street, contributing to a global financial crisis and
massive taxpayer bailout. Most recently, the abrupt collapse of FTX,
with its alleged lack of separation between affiliates as found by
new CEO John Ray, led to a bankruptcy with more than 130 affiliate
debtors, tying up billions of dollars and more than one million
customers and creditors. Although LedgerX, a CFTC-regulated FTX
affiliate, is not a debtor in the bankruptcy, the debtors sold
LedgerX as a result.
Existing Commission rules require that banks’ and brokers’ risk
management programs “take into account” risks related to lines of
business. That could include, for example, digital asset markets. In
January, before the bank failures, federal bank regulatory agencies
issued a recent joint statement outlining numerous “key risks”
associated with bank involvement in the crypto-asset sector.15 I
am interested in public comment on those key risks as they may apply
specifically to the CFTC’s regulated banks and brokers. About half
of all CFTC-registered swap dealers are subject to some form of
oversight by the prudential regulators.
—————————————————————————
15 Joint Statement on Crypto-Asset Risks to Banking
Organizations, Board of Governors of the Federal Reserve System, the
Federal Deposit Insurance Corporation, and the Office of the
Comptroller of the Currency (Jan. 3, 2023), https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20230103a1.pdf.
—————————————————————————
Many brokers have expressed an interest in becoming further
involved in digital assets as well. Risks can arise from regulated
trading in crypto derivatives. The unregulated spot markets carry
additional risks as seen with the collapse of FTX, Terra Luna,
Celsius and numerous others that have resulted in substantial
losses. This is in addition to operational risks and risks
associated with rampant fraud and illicit finance in some parts of
the crypto markets.
Risk Related to the Segregation of Customer Property and
Safeguarding Counterparty Collateral in the Digital Asset Space
Digital assets raise a host of issues about safeguarding
customer property that were not contemplated at the time of the 2013
risk management rule or the Commission’s customer protection rules
for brokers to segregate customer assets from company assets. For
example, brokers may explore holding customer property in the form
of stablecoins or other digital assets that could result in unknown
and unique risks. These brokers may be confronted by third-party
custody and other risks that should be identified and managed.
Physical delivery may also present risk, particularly given the
proliferation of cyber hacks. Application of the Commission’s
segregation rules may also need to be updated based on future risks
related to digital assets (even risks not contemplated by the
Commission today). I look forward to commenters’ responses in this
area.
It is necessary for the CFTC to seek public comment on our risk
management framework in this important area of emerging risk so that
we keep pace with evolution in our markets and technology. We should
not assume that our existing segregation rules and risk management
framework comprehensively cover the evolving risks in the
markets.16 The Commission does not have a window into certain
unregulated spaces, such as with digital assets, which could obscure
risks faced by CFTC-regulated banks or brokers. Integration of
digital assets with banks and brokers, and the risks that could be
posed, could continue to evolve.
—————————————————————————
16 The same could be true of swap dealers related to
safeguarding counterparty collateral.
—————————————————————————
Climate-Related Financial Risk
Developments in the management of climate-related financial risk
are an important example of the need for the Commission to adopt a
framework that helps banks and brokers keep pace with such emerging
risks. When the Climate-Related Market Risk Subcommittee of our
Market Risk Advisory Committee released its report in September
2020, it was a “first-of-its-kind effort from a U.S. government
entity.” 17 Since then, other U.S. financial regulators have not
only echoed this acknowledgment,18 but have moved ahead to
[[Page 45835]]
define the risk management framework that banks and other regulated
entities must adopt for addressing physical and transition risks
posed by climate change.19 Banks and brokers need frameworks that
let them adapt to both the increasingly dire projections by climate
scientists about the scope of physical impacts,20 and to the
massive economic impetus to a transition to a lower carbon
environment created via Congressional passage of the Inflation
Reduction Act, the Bipartisan Infrastructure Law, and the CHIPS and
Science Act.
—————————————————————————
17 CFTC, CFTC’s Climate-Related Market Risk Subcommittee
Releases Report (Sept. 9, 2020), https://www.cftc.gov/PressRoom/PressReleases/8234-20.
18 See Financial Stability Oversight Council, Financial
Stability Oversight Council Identifies Climate Change as an Emerging
and Increasing Threat to Financial Stability (October 21, 2021)
https://home.treasury.gov/news/press-releases/jy0426.
19 See, e.g., Federal Deposit Insurance Corporation, FIL-13-
2022, Request for Comment on Statement of Principles for Climate-
Related Financial Risk Management for Large Financial Institutions
(March 30, 2022), https://www.fdic.gov/news/financial-institution-letters/2022/fil22013.html.
20 Intergovernmental Panel on Climate Change, Climate Change
2022: Impacts, Adaptation and Vulnerability (2022), https://www.ipcc.ch/report/ar6/wg2/chapter/summary-for-policymakers/.
—————————————————————————
In just three years, climate-related financial risk management
has gone from novelty to necessity. We should develop a framework
that helps banks and brokers remain resilient to risks like this
one, which will continue to develop for years to come. I have been
advocating for the Commission to enhance its understanding of how
market participants are managing climate-related financial risk.21
To that end, over the past year, I have been working with the
National Futures Association (“NFA”) on a recently completed
special project to assess how some of its members are identifying
and managing climate-related financial risk. NFA learned that some
of its members, particularly those already subject to oversight by
U.S. and foreign banking regulators, are taking steps to manage both
physical and transition risks. I look forward to hearing from
commenters on how best to adapt our framework to incorporate these
kinds of emerging risks.
—————————————————————————
21 See Commissioner Christy Goldsmith Romero, U.S. Commodity
Futures Trading Commission, Promoting Market Resilience (Sept. 28,
2022), Statement of Commissioner Christy Goldsmith Romero before the
Market Risk Advisory Committee, https://www.cftc.gov/PressRoom/SpeechesTestimony/romerostatement092822; Statement of CFTC
Commissioner Christy Goldsmith Romero In Support of the Commission’s
Request for Information on Climate-Related Financial Risk (June 2,
2022), https://www.cftc.gov/PressRoom/SpeechesTestimony/romerostatement060222.
—————————————————————————
Conclusion
Sound risk management by banks (and other dealers) and brokers
at the center of the U.S. derivatives markets is critical to
financial stability. The stakes are high. These financial
institutions and others take and carry significant risks that could
impact financial stability. They are on the front lines of our
financial markets, directly engaging with customers or
counterparties. Customers have billions of dollars entrusted to
these institutions. Market participants depend on liquidity,
clearing and other critical functions performed by these
institutions.
The Commission must fulfill its own responsibility to ensure
that risk management programs at these institutions address the full
scope of risks to customers, firms and markets, including keeping
pace with evolving and emerging risk. We may never know how many
catastrophes were avoided as a result of sound risk management
programs, but we have seen what can happen when risks are not well
managed.
Appendix 4–Statement of Commissioner Caroline D. Pham
I support the Advance Notice of Proposed Rulemaking (ANPRM)
seeking public comment on potential amendments to the Risk
Management Program (RMP) requirements in CFTC rules 23.600 and 1.11
1 (collectively, RMP Rules) applicable to swap dealers and futures
commission merchants (FCMs), respectively. I believe in continuous
improvement for not only our market participants, but for the
Commission and its regulations too.
—————————————————————————
1 See 17 CFR 23.600 and 1.11.
—————————————————————————
I would like to thank the staff of the Market Participants
Division for working closely with me on this ANPRM, and making
revisions in response to my concerns, in particular Amanda Olear,
Pamela Geraghty, Fern Simmons, Elizabeth Groover, and Samantha
Ostrom. I also appreciate the opportunity to work collaboratively
with the Chairman and my fellow Commissioners.
It is critical that the public has the opportunity to provide
input on any potential amendment or expansion of RMP requirements
that is informed by actual experience from risk management officers,
other control functions, and practitioners who have implemented and
complied with the RMP Rules for the past 10 years, oftentimes within
a broader enterprise-wide risk management program pursuant to other
requirements from other regulators.
Because the CFTC’s rules are often only one part of much broader
risk governance frameworks for financial institutions, the
Commission must ensure that it has the full picture before coming to
conclusions to ensure that our rules not only address any potential
regulatory gaps or changes in risk profiles, but also avoids issuing
rules that are conflicting, duplicative, or unworkable with other
regulatory regimes.
For example, the CFTC currently has 106 provisionally registered
swap dealers.2 Of these 106 entities, both U.S. and non-U.S., all
but a handful are also registered with and supervised by another
agency or authority, such as a prudential, functional, or market
regulator. Most of these swap dealers are subject to three or more
regulatory regimes.
—————————————————————————
2 See CFTC provisionally registered swap dealers, as of
January 30, 2023, available at https://www.cftc.gov/LawRegulation/DoddFrankAct/registerswapdealer.html.
—————————————————————————
Therefore, it is imperative that the Commission and the staff
consider how the CFTC’s RMP Rules work in practice together with the
rules of other regulators, whether foreign or domestic. This key
point is easily apparent in looking at the CFTC’s substituted
compliance regime for non-U.S. swap dealers, where the Commission
has expressly found that non-U.S. swap dealers in certain
jurisdictions are subject to comparable and comprehensive
regulation, and therefore permits such non-U.S. swap dealers to
“substitute” compliance with home jurisdiction risk management
regulations to satisfy CFTC rule 23.600.3
—————————————————————————
3 On December 27, 2013, the Commission issued comparability
determinations for certain entity-level requirements, including risk
management, for the following jurisdictions: European Union; Canada;
Switzerland; Japan; Hong Kong; and Australia. See Comparability
Determinations for Substituted Compliance Purposes, available at
https://www.cftc.gov/LawRegulation/DoddFrankAct/CDSCP/index.htm
(July 11, 2023).
—————————————————————————
Issuing an ANPRM can be beneficial to initiate an open process
to request information and stimulate dialogue with the public. As
stated in the preamble, “After Regulation 23.600 was initially
adopted in 2012, the Commission received a number of questions from
[swap dealers] concerning compliance with these requirements,
particularly those concerning governance . . . . The intervening
decade of examination findings and ongoing requests for staff
guidance from [swap dealers] with respect to Regulation 23.600
warrant consideration of the Commission’s rules and additional
public discourse on this topic.” The preamble also states,
“Furthermore, a number of [swap dealers] have indicated that the
quarterly [risk exposure reports] are not relied upon for their
internal risk management purposes, but rather, they are created
solely to comply with Regulation 23.600, indicating to the
Commission that additional consideration of the [risk exposure
report] requirement is warranted.”
I commend the Commission and staff for seeking to address areas
of potential confusion, inconsistency, and inefficiencies in the RMP
Rules. Risk management must be more than an exercise in paperwork.
And lack of regulatory clarity can actually inhibit compliance
simply because our registrants are unsure of supervisory
expectations and are unclear as to what to implement. That is why I
am focused as a Commissioner on providing clear rules and guidance
to facilitate compliance with the Commission’s regulations. I also
support using this opportunity to improve our RMP Rules and I
encourage commenters to explore how the RMP Rules could be aligned
with other risk governance and risk management frameworks, such as
prudential requirements for banking organizations, in order to more
effectively and efficiently address risks.
Regarding potential risks related to the segregation of customer
funds and safeguarding counterparty collateral, I will note that the
CFTC’s existing rules are the gold standard for customer protection
around the world. Further, our existing rules also address potential
risks posed by affiliates, lines of business, and all other trading
activity. While much attention has been paid to widespread fraud and
failures of risk management in the cryptocurrency sector, it bears
reminding that a so-called crypto exchange is a very different type
of organization and business model from a highly regulated financial
institution. The public should take care to avoid conflating these
completely different entities–it is at least as wholly unlike one
another as a domesticated housecat and a wild tiger. I look forward
to comments on these two other areas of risk.
[[Page 45836]]
Nonetheless, neither the Commission nor our registrants should
be complacent. I reiterate this statement in the preamble: “[T]he
Commission also reminds [swap dealers] and FCMs that their RMPs may
require periodic updates to reflect and keep pace with technological
innovations that have developed or evolved since the Commission
first promulgated the RMP Regulations.” The benefit of a
principles-based regulatory framework is that it can more quickly
anticipate and adapt to changes in risk profiles or the operating
environment. I believe our rules must be broad and flexible enough
to be forward-looking and evergreen, because it is simply not
possible to prescribe every last requirement for the unknown future.
Accordingly, swap dealers and FCMs must be vigilant and address new
and emerging risks in their RMPs through various risk stripes as
appropriate–whether from changing market conditions, technological
developments, geopolitical concerns, or any other event.
I welcome input from commenters to inform the Commission and the
staff regarding the application of the RMP Rules to swap dealers and
FCMs, especially those entities that are part of a banking
organization, and to describe in a detailed manner the policies,
procedures, processes, systems, controls, testing, and audits that
are part of an RMP, and associated governance requirements. In this
way, it will be more clearly apparent to the Commission and staff
that the vast majority of swap dealers and FCMs are part of
enterprise-wide risk management programs that the industry spends
billions of dollars on each year, with thousands of personnel across
the three lines of defense. In addition, the CFTC’s stringent RMP
governance provisions ensure management accountability and
responsibility, and the RMP Rules prescribe various requirements for
swap dealers to address market risk, credit risk, liquidity risk,
foreign currency risk, legal risk, operational risk, and settlement
risk,4 and for FCMs to address market risk, credit risk, liquidity
risk, foreign currency risk, legal risk, operational risk,
settlement risk, segregation risk, technological risk, and capital
risk.5
—————————————————————————
4 17 CFR 23.600(c)(1).
5 17 CFR 1.11(e)(1)(i).
—————————————————————————
Of course, financial institutions can still have lapses in risk
management and weaknesses in their control environment. This is
evident in the high-profile news stories of the past few years. But
the appropriate response is for regulators, including the CFTC and
National Futures Association (NFA), to increase focus and resources
on compliance examinations to ensure that swap dealers and FCMs are
complying with the rules we already have–not piling on more rules
that ultimately do not enhance sound risk management and governance,
and further dilute limited resources, time, and attention.6 In
instances of especially egregious or prolonged deficiencies,
material weakness, or misconduct by management, then enforcement
actions may be appropriate, and the Commission should not shy away
from this step.
—————————————————————————
6 See Opening Statement of Commissioner Caroline D. Pham
before the CFTC Technology Advisory Committee, March 22, 2023,
available at https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement032223.
[FR Doc. 2023-15056 Filed 7-17-23; 8:45 am]
BILLING CODE 6351-01-P
[ad_2]
Source link
