Risk Management Program Regulations for Swap Dealers, Major Swap Participants, and Futures Commission Merchants

AGENCY:

Commodity Futures Trading Commission.

ACTION:

Advance notice of proposed rulemaking; request for comments.

SUMMARY:

The Commodity Futures Trading Commission (CFTC or Commission) is issuing this Advance Notice of Proposed Rulemaking (ANPRM or Notice) and seeking public comment regarding potential regulatory amendments under the Commodity Exchange Act governing the risk management programs of swap dealers, major swap participants, and futures commission merchants. In particular, the Commission is seeking information and public comment on several issues stemming from the adoption of certain risk management programs, including the governance and structure of such programs, the enumerated risks these programs must monitor and manage, and the specific risk considerations they must take into account; the Commission further seeks comment on how the related periodic risk reporting regime could be altered or improved. The Commission intends to use the information and comments received from this Notice to inform potential future agency action, such as a rulemaking, with respect to risk management.

DATES:

Comments must be in writing and received by September 18, 2023.

ADDRESSES:

You may submit comments, identified by RIN 3038–AE59, by any of the following methods:

• CFTC Comments Portal: https://comments.cftc.gov. Select the “Submit Comments” link for this rulemaking and follow the instructions on the Public Comment Form.

• Mail: Send to Christopher Kirkpatrick, Secretary of the Commission, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.

• Hand Delivery/Courier: Follow the same instruction as for Mail, above.

Please submit your comments using only one of these methods. Submissions through the CFTC Comments Portal are encouraged. All comments must be submitted in English, or if not, accompanied by an English translation. Comments will be posted as received to https://comments.cftc.gov. You should submit only information that you wish to make available publicly. If you wish the Commission to consider information that you believe is exempt from disclosure under the Freedom of Information Act (FOIA), a petition for confidential treatment of the exempt information may be submitted according to the procedures established in section 145.9 of the Commission's regulations. The Commission reserves the right, but shall have no obligation, to review, prescreen, filter, redact, refuse, or remove any or all of your submission from https://comments.cftc.gov that it may deem to be inappropriate for publication, such as obscene language. All submissions that have been redacted or removed that contain comments on the merits of the rulemaking will be retained in the public comment file and will be considered as required under the Administrative Procedure Act (APA) and other applicable laws and may be accessible under the FOIA.

FOR FURTHER INFORMATION CONTACT:

Amanda L. Olear, Director, 202–418–5283, aolear@cftc.gov; Pamela M. Geraghty, Deputy Director, 202–418–5634, pgeraghty@cftc.gov; Fern Simmons, Associate Director, 202–418–5901, fsimmons@cftc.gov; or Elizabeth Groover, Special Counsel, 202–418–5985, egroover@cftc.gov; each in the Market Participants Division at the Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background

II. Questions and Request for Comment

A. Risk Management Program Governance

B. Enumerated Risks in the Risk Management Program Regulations

C. Periodic Risk Exposure Reporting by Swap Dealers and Futures Commission Merchants

D. Other Areas of Risk

I. Background

Title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) amended the Commodity Exchange Act (CEA) to establish a comprehensive regulatory framework to reduce risk, increase transparency, and promote market integrity within the financial system by, among other things, providing for the registration and comprehensive regulation of swap dealers (SDs) and major swap participants (MSPs), and enhancing the rulemaking and enforcement authorities of the CFTC with respect to all registered entities and intermediaries subject to its oversight, including, among others, futures commission merchants (FCMs). Added by the Dodd-Frank Act, CEA section 4s(j) outlines the duties with which SDs must comply. Specifically, CEA section 4s(j)(2) requires SDs to establish robust and professional risk management systems adequate for managing the day-to-day business of the registrant. CEA section 4s(j)(7) directs the Commission to prescribe rules governing the duties of SDs, including the duty to establish risk management procedures. In April 2012, the Commission adopted Regulation 23.600, which established requirements for the development, approval, implementation, and operation of SD risk management programs (RMPs).

Following two FCM insolvencies involving the misuse of customer funds in 2011 and 2012, the Commission proposed and adopted a series of regulatory amendments designed to enhance the protection of customers and customer funds held by FCMs. The Commission adopted Regulation 1.11 in 2013 to establish risk management requirements for those FCMs that accept customer funds. Regulation 1.11 is largely aligned with the SD risk management requirements in Regulation 23.600 (together with Regulation 1.11, the RMP Regulations). The Commission concluded at that time that it could mitigate the risks of misconduct and an FCM's failure to maintain required funds in segregation with more robust risk management systems and controls.

The Commission is issuing this ANPRM for several reasons. After Regulation 23.600 was initially adopted in 2012, the Commission received a number of questions from SDs concerning compliance with these requirements, particularly those concerning governance (for example, questions regarding who is properly designated as “senior management,” as well as issues relating to the reporting lines within the risk management unit). The intervening decade of examination findings and ongoing requests for staff guidance from SDs with respect to Regulation 23.600 warrant consideration of the Commission's rules and additional public discourse on this topic.

The Commission has further identified the enumerated areas of risk that RMPs are required to take into account, and the quarterly risk exposure reports (RERs), as other areas of potential confusion and inconsistency in the RMP Regulations for SDs and FCMs. Commission staff has observed significant variance among SD and FCM RERs with respect to how they define and report on the enumerated areas of risk ( e.g., market risk, credit risk, liquidity risk, etc.), making it difficult for the Commission to gain a clear understanding of how specific risk exposures are being monitored and managed by individual SDs and FCMs over time, as well as across SDs and FCMs during a specified time period. Furthermore, the Commission's implementation experiences and certain market events over the last decade indicate that it may be appropriate to consider whether to include additional enumerated areas of risk in the RMP Regulations.

The Commission has observed inefficiencies with respect to the RER requirements in the RMP Regulations. Currently, Regulations 23.600(c)(2) and 1.11(e)(2) prescribe neither the format of the RER nor its exact filing schedule. As a result, the Commission frequently receives RERs in inconsistent formats containing stale information, in some cases data that is at least 90 days out-of-date. Furthermore, a number of SDs have indicated that the quarterly RERs are not relied upon for their internal risk management purposes, but rather, they are created solely to comply with Regulation 23.600, indicating to the Commission that additional consideration of the RER requirement is warranted.

Finally, the Commission also reminds SDs and FCMs that their RMPs may require periodic updates to reflect and keep pace with technological innovations that have developed or evolved since the Commission first promulgated the RMP Regulations. The Commission is seeking information regarding any risk areas that may exist in the RMP Regulations that the Commission should consider with respect to notable product or technological developments.

Therefore, the Commission is issuing this Notice to seek industry and public comment on these aforementioned specific aspects of the existing RMP Regulations, as discussed further below.

II. Questions and Request for Comment

In responding to each of the following questions, please provide a detailed response, including the rationale for such response, cost and benefit considerations, and relevant supporting information. The Commission encourages commenters to include the subsection title and the assigned number of the specific request for information in their submitted responses to facilitate the review of public comments by Commission staff.

A. Risk Management Program Governance

Regulations 23.600(a) and (b) set out the parameters by which an SD must structure and govern its RMPs. Regulation 23.600(a) sets forth certain definitions, including “business trading unit,” “governing body,” and “senior management,” whereas Regulation 23.600(b) requires an SD to memorialize its RMP through written policies and procedures, which the SD's governing body must approve. Regulation 23.600(b) further requires an SD to create a risk management unit (RMU) that: (1) is charged with carrying out the SD's RMP; (2) has sufficient authority, qualified personnel, and resources to carry out the RMP; (3) reports directly to senior management; and (4) is independent from the business trading unit.

Similar to Regulation 23.600, Regulation 1.11 contains specific requirements with respect to the risk governance structure. Regulation 1.11(b) defines “business unit,” “governing body,” and “senior management,” while Regulation 1.11(c) requires the FCM to establish the RMP through written policies and procedures, which the FCM's governing body must approve. Regulation 1.11(d) requires that an FCM establish and maintain an RMU with sufficient authority; qualified personnel; and financial, operational, and other resources to carry out the RMP, that is independent from the business unit and reports directly to senior management.

The Commission seeks comment generally on the RMP structure and related governance requirements currently found in the RMP Regulations for SDs and FCMs. In addition, commenters should seek to address the following questions:

1. Do the definitions of “governing body” in the RMP Regulations encompass the variety of business structures and entities used by SDs and FCMs?

a. Should the Commission consider expanding the definition of “governing body” in Regulation 23.600(a)(4) to include other officers in addition to an SD's CEO, or other bodies other than an SD's board of directors (or body performing a similar function)?

b. Are there any other amendments to the “governing body” definition in Regulation 23.600(a)(4) that the Commission should consider?

c. Should similar amendments be considered for the “governing body” definition applicable to FCMs in Regulation 1.11(b)(3)?

2. Should the Commission consider amending the definitions of “senior management” in the RMP Regulations? Are there specific roles or functions within an SD or FCM that the Commission should consider including in the RMP Regulations' “senior management” definitions?

3. Should the RMP Regulations specifically address or discuss reporting lines within an SD's or FCM's RMU?

4. Should the Commission propose and adopt standards for the qualifications of certain RMU personnel ( e.g., model validators)?

5. Should the RMP Regulations further clarify RMU independence and/or freedom from undue influence, other than the existing general requirement that the RMU be independent of the business unit or business trading unit?

6. Are there other regulatory regimes the Commission should consider in a holistic review of the RMP Regulations? For instance, should the Commission consider harmonizing the RMP Regulations with the risk management regimes of prudential regulators?

7. Are there other portions of the RMP Regulations concerning governance that are not addressed above that the Commission should consider changing? Please explain.

B. Enumerated Risks in the Risk Management Program Regulations

The RMP Regulations specify certain enumerated risks that SDs' and FCMs' RMPs must consider. Specifically, Regulation 23.600(c)(1)(i) identifies specific areas of enumerated risk that an SD's RMP must take into account: market risk, credit risk, liquidity risk, foreign currency risk, legal risk, operational risk, and settlement risk. Though not identical, Regulation 1.11(e)(1)(i) similarly lists specific areas of enumerated risk that an FCM's RMP must take into account: market risk, credit risk, liquidity risk, foreign currency risk, legal risk, operational risk, settlement risk, segregation risk, technological risk, and capital risk.

Regulation 23.600(c)(4) requires that an SD's RMP include, but not be limited to, policies and procedures necessary to monitor and manage all of the risks enumerated in Regulation 23.600(c)(1)(i), as well as requiring that the policies and procedures for each such risk take into account specific risk management considerations. In contrast, Regulation 1.11(e)(3) requires that an FCM's RMP include, but not be limited to, policies and procedures that monitor and manage segregation risk, operational risk, and capital risk, along with enumerating specific risk management considerations that are required to be included and/or addressed in the policies and procedures for these risks. Unlike Regulation 23.600(c)(4), Regulation 1.11(e)(3) does not explicitly require policies and procedures, or enumerate attendant specific risk considerations, for all of the types of risk that must be taken into account by an FCM's RMP pursuant to Regulation 1.11(e)(1)(i), focusing instead on segregation, operational, and capital risks.

The Commission requests comment on SDs' and FCMs' enumerated risks generally, including: (a) whether specific risk considerations that must be taken into account with respect to certain enumerated risks should be amended; (b) whether definitions should be added for each enumerated risk; and finally, (c) whether the Commission should enumerate and define any additional types of risk in the RMP Regulations. In particular:

1. Should the Commission amend Regulation 1.11(e)(3) to require that FCMs' RMPs include, but not be limited to, policies and procedures necessary to monitor and manage all of the enumerated risks identified in Regulation 1.11(e)(1) that an FCM's RMP is required to take into account, not just segregation, operational, or capital risk ( i.e., market risk, credit risk, liquidity risk, foreign currency risk, legal risk, settlement risk, and technological risk)? If so, should the Commission adopt specific risk management considerations for each enumerated risk, similar to those described in Regulation 23.600(c)(4)?

2. Regulation 23.600(c)(4)(i) requires SDs to establish policies and procedures necessary to monitor and manage market risk. These policies and procedures must consider, among other things, “timely and reliable valuation data derived from, or verified by, sources that are independent of the business trading unit, and if derived from pricing models, that the models have been independently validated by qualified, independent external or internal persons.”

a. Does this validation requirement in Regulation 23.600(c)(4)(i)(B) warrant clarification?

b. Should validation, as it is currently required in Regulation 23.600(c)(4)(i)(B), align more closely with the validation of margin models discussed in Regulation 23.154(b)(5)?

3. The policies and procedures mandated by Regulations 23.600(c)(4)(i) and (ii) to monitor and manage market risk and credit risk must take into account, among other considerations, daily measurement of market exposure, including exposure due to unique product characteristics and volatility of prices, and daily measurement of overall credit exposure to comply with counterparty credit limits. To manage their risk exposures, SDs employ various financial risk management tools, including the exchange of initial margin for uncleared swaps. In that regard, the Commission has set forth minimum initial margin requirements for uncleared swaps, which can be calculated using either a standardized table or a proprietary risk-based model. An SD's risk exposures to certain products and underlying asset classes may, however, warrant the collection and posting of initial margin above the minimum regulatory requirements set forth in the standardized table. Should the Commission expand the specific risk management considerations listed in Regulations 23.600(c)(4)(i)–(ii) to add that an SD's RMP policies and procedures designed to manage market risk and/or credit risk must also take into account whether the collection or posting of initial margin above the minimum regulatory requirements set forth in the standardized table is warranted?

4. The RMP Regulations enumerate, but do not define, the specific risks that SDs' and FCMs' RMPs must take into account. Should the Commission consider adding definitions for any or all of these enumerated risks? If so, should the enumerated risk definitions be identical for both SDs and FCMs?

5. The Federal Reserve and Basel III define “operational risk” as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. Would adding a definition of “operational risk” to the RMP Regulations that is closely aligned with this definition increase clarity and/or efficiencies for SD and FCM risk management practices, or otherwise be helpful? Should the Commission consider identifying specific sub-types of operational risk for purposes of the SD and FCM RMP requirements?

6. Technological risk is identified in Regulation 1.11(e)(1)(i) as a type of risk that an FCM's RMP must take into account; however, technological risk is not similarly included in Regulation 23.600(c)(1)(i) as an enumerated risk that an SD's RMP must address. Should the Commission amend Regulation 23.600(c)(1)(i) to add technological risk as a type of risk that SDs' RMPs must take into account?

a. Should technological risk, if added for SDs, be identified as a specific risk consideration within operational risk, as described by Regulation 23.600(c)(4)(vi), or should it be a standalone, independently enumerated area of risk?

b. If technological risk is added as its own enumerated area of risk, what risk considerations should an SD's RMP policies and procedures address, as required by Regulation 23.600(c)(4)?

c. Relatedly, although technological risk is included in the various types of risk that an FCM's RMP must take into account, no specific risk considerations for technological risk are further outlined in Regulation 1.11(e)(3). What, if any, specific risk considerations for technological risk should be added to Regulation 1.11(e)(3)? Should the Commission categorize any additional specific risk considerations for technological risk as a subset of the existing “operational risk” considerations in Regulation 1.11(e)(3)(ii), or should “technological risk” have its own independent category of specific risk considerations in Regulation 1.11(e)(3)?

d. Should the Commission define “technological risk” in the RMP Regulations? For example, Canada's Office of the Superintendent of Financial Institutions (OSFI) defines “technology risk” as “the risk arising from the inadequacy, disruption, destruction, failure, damage from unauthorized access, modifications, or malicious use of information technology assets, people or processes that enable and support business needs and can result in financial loss and/or reputational damage.” If the Commission were to add a definition of “technological risk” to the RMP Regulations, should it be identical or similar to that recently finalized by OSFI? If not, how should it otherwise be defined? Should the Commission consider different definitions of “technological risk” for SDs and FCMs? Should the Commission consider providing examples of “information technology assets” to incorporate risks that may arise from the use of certain emerging technologies, such as artificial intelligence and machine learning technology, distributed ledger technologies ( e.g., blockchains), digital asset and smart contract-related applications, and algorithmic and other model-based technology applications?

7. Are there any other types of risk that the Commission should consider enumerating in the RMP Regulations as risks required to be monitored and managed by SDs' and FCMs' RMPs? Geopolitical risk? Environmental, social and governance (ESG) risk? Climate-related financial risk, including physical risk and transition risk such as the energy transition? Reputational risk? Funding risk? Collateral risk? Concentration risk? Model risk? Cybersecurity risk? Regulatory and compliance risk arising from conduct in foreign jurisdictions? Contagion risk?

a. Should these potential new risks be defined in the RMP Regulations?

b. With respect to each newly suggested enumerated risk, what, if any, specific risk considerations should an SD's or FCM's RMP policies and procedures be required to include?

c. Are there international standards for risk management with which the Commission should consider aligning the RMP Regulations?

C. Periodic Risk Exposure Reporting by Swap Dealers and Futures Commission Merchants

In accordance with Regulation 23.600(c)(2), an SD must provide to its senior management and governing body a quarterly RER containing specific information on the SD's risk exposures and the current state of its RMP; the RER shall also be provided to the SD's senior management and governing body immediately upon the detection of any material change in the risk exposure of the SD. SDs are required to furnish copies of all RERs to the Commission within five (5) business days of providing such RERs on a quarterly basis to their senior management. Likewise, Regulation 1.11(e)(2) has an identical RER requirement for FCMs.

This Notice seeks comment generally on how the current RER regime for SDs and FCMs could be improved, as well as specific responses to the questions listed below:

1. At what frequency should the Commission require SDs and FCMs to furnish copies of their RERs to the Commission?

2. Should the Commission consider changing the RER filing requirements to require filing with the Commission by a certain day ( e.g., a week, month, or other specific timeframe after the quarter-end), rather than tying the filing requirement to when the RER is furnished to senior management?

3. Should the Commission consider harmonizing or aligning, in whole or in part, the RER content requirements in the RMP Regulations with those of the National Futures Association (NFA)'s SD monthly risk data filings?

a. If so, should the Commission consider any changes or additions to the data metrics currently collected by NFA as could be required in the RMP Regulations?

b. For FCMs who are not currently required to file monthly risk data filings with NFA, were the Commission to adopt a monthly risk exposure reporting requirement, are there different risk data metrics for FCMs that it should consider including? If so, what are they?

4. Are there additional SD or FCM-specific data metrics or risk management issues that the Commission should consider adding to the content requirements of the RER?

5. Should the Commission consider prescribing the format of the RERs? For instance, should the Commission consider requiring the RER to be a template or form that SDs and FCMs fill out?

6. In furtherance of the RER filing requirement, should the Commission consider allowing SDs and FCMs to furnish to the Commission the internal risk reporting they already create, maintain, and/or use for their risk management program?

a. If so, how often should these reports be required to be filed with the Commission?

b. If the Commission allowed an SD or FCM to provide the Commission with its own risk reporting, should the Commission prescribe certain minimum content and/or format requirements?

7. Should the Commission consider prescribing the standard SDs and FCMs use when determining whether they have experienced a material change in risk exposure, pursuant to Regulations 23.600(c)(2)(i) and 1.11(e)(2)(i)? Alternatively, should the Commission continue to allow SDs and FCMs to use their own internally-developed standards for determining when such a material change in risk exposure has occurred?

8. Should the Commission clarify the requirements in Regulations 23.600(c)(2)(i) and 1.11(e)(2)(i) that RERs shall be provided to the senior management and the governing body immediately upon detection of any material change in the risk exposure of the SD or FCM?

9. Should the Commission consider setting a deadline for when an SD or FCM must notify the Commission of any material changes in risk exposure? If so, what should be the deadline?

10. Should the Commission consider additional governance requirements in connection with the provision of the quarterly RER to the senior management and the governing body of a SD, or of an FCM, respectively?

11. Should the Commission require the RERs to report on risk at the registrant level, the enterprise level (in cases where the registrant is a subsidiary of, affiliated with, or guaranteed by a corporate family), or both? What data metrics are relevant for each level?

12. Should the Commission require that RERs contain information related to any breach of risk tolerance limits described in Regulations 23.600(c)(1)(i) and 1.11(e)(1)(i)? Alternatively, should the Commission require prompt notice, outside of the RER requirement, of any breaches of the risk tolerance limits that were approved by an SD's or FCM's senior management and governing body? Should there be a materiality standard for inclusion of breaches in RERs or requiring notice to the Commission?

13. Should the Commission require that RERs contain information related to material violations of the RMP policies or procedures required in Regulations 23.600(b)(1) and 1.11(c)(1)?

14. Should the Commission require that RERs additionally discuss any known issues, defects, or gaps in the risk management controls that SDs and FCMs employ to monitor and manage the specific risk considerations under Regulations 23.600(c)(4) and 1.11(e)(3), as well as including a discussion of their progress toward mitigation and remediation?

D. Other Areas of Risk

Recent market, credit, operational, and geopolitical events have highlighted the critical importance of risk management and the need to periodically review risk management practices. Therefore, the Commission is interested in feedback and comment on other RMP-related topics, specifically: (1) the segregation of customer funds and safeguarding of counterparty collateral, and (2) risks posed by affiliates, lines of business, and other trading activity. The Commission continues to have confidence in its regulations governing the segregation of customer funds in traditional derivatives markets. The questions below are intended to assist the Commission in its ongoing evaluation of whether and how RMP regulations and practices at FCMs and SDs adequately and comprehensively address risks arising from new or evolving market structures, products, and registrants.

a. Potential Risks Related to the Segregation of Customer Funds and Safeguarding Counterparty Collateral

The segregation of customer funds and safeguarding of counterparty collateral are cornerstones of the Commission's FCM and SD regulatory regimes, respectively. Currently, the existing RMP Regulations address the management of segregation risk and the safeguarding of counterparty collateral in different ways, given the differing business models between FCMs and SDs. Regulation 1.11(e)(3)(i) requires an FCM's RMP to include written policies and procedures reasonably designed to ensure segregated funds are separately accounted for and segregated or secured as belonging to customers. This requirement further lists several subjects that must, “at a minimum,” be addressed by an FCM's RMP policies and procedures, including the evaluation and monitoring process for approved depositories, the treatment of related residual interest, transfers, and withdrawals, and permissible investments.

Although Regulation 23.600(c)(6) of the SD RMP Regulations requires compliance with all capital and margin requirements, Regulation 23.600 does not explicitly require an SD's RMP to include written policies and procedures to safeguard counterparty collateral. Rather, the Commission chose to adopt Regulations 23.701 through 23.703 for the purpose of establishing a separate framework for the elected segregation of assets held as collateral in uncleared swap transactions. Additionally, the Commission requires certain initial margin to be held through custodial arrangements in accordance with Regulation 23.157.

The Commission seeks comment generally on the risks attendant to the segregation of customer funds and the safeguarding of counterparty collateral. In addition, commenters should seek to address the following questions:

1. Do the current RMP Regulations for FCMs adequately and comprehensively require them to identify, monitor, and manage the risks associated with the segregation of customer funds and the protection of customer property? Are there other Commission regulations that address these risks for FCMs?

2. Currently, the Commission understands that no FCM holds customer property in the form of virtual currencies or other digital assets such as stablecoins. To the extent that FCMs may consider engaging in this activity in the future, would the current RMP Regulations for FCMs adequately and comprehensively require them to identify, monitor, and manage the risks associated with that activity, including custody with a third-party entity?

3. Do the current RMP Regulations for SDs adequately and comprehensively require them to identify, monitor, and manage all of the risks associated with the collection, posting, and custody of counterparty collateral and the protection of such assets? Are there any other risks that should be addressed by the RMP Regulations for SDs related to the collection, posting, and custody of counterparty collateral?

4. Do the Commission's RMP Regulations adequately address risks to customer funds or counterparty collateral that may be associated with SDs and FCMs that have multiple business lines and registrations? Although the Commission understands that SDs and FCMs currently engage in limited activities with respect to digital assets, should the Commission consider additional RMP requirements applicable to SDs and FCMs that are or may become involved in, or affiliated with, the provision of digital asset financial services or products ( e.g., digital asset lending arrangements or derivatives)?

b. Potential Risks Posed by Affiliates, Lines of Business, and All Other Trading Activity

In light of increasing market volatility and recent market disruptions, as well as the growth of digital asset markets, the Commission generally seeks comment on the risks posed by SDs' and FCMs' affiliates and related trading activity. Generally, the RMP Regulations require SD and FCM RMPs to take into account risks posed by affiliates and related trading activity. Specifically, Regulation 23.600(c)(1)(ii) requires an SD's RMP to take into account “risks posed by affiliates” with the RMP integrated into risk management functions at the “consolidated entity level.” Similarly, Regulation 1.11(e)(1)(ii) requires an FCM's RMP to take into account risks posed by affiliates, all lines of business of the FCM, and all other trading activity engaged in by the FCM.”

Some SDs and FCMs are subject to regulatory requirements designed to mitigate certain risks arising from certain affiliate activities. For example, SDs and FCMs that are affiliates or subsidiaries of a banking entity may have to comply with certain restrictions and requirements on inter-affiliate activities. Further, those SDs and FCMs that are subject to the Volcker Rule, codified and implemented in part 75 of the Commission's regulations, and incorporated into other requirements, such as Regulation 3.3, are subject to the Volcker Rule's risk management program and compliance program requirements.

The Commission seeks comment generally on the requirements related to risks posed by affiliates and related trading activity found within the RMP Regulations for SDs and FCMs, including non-bank affiliated SDs or non-bank affiliated FCMs. In addition, commenters should seek to address the following questions:

1. What risks do affiliates (including, but not limited to, parents and subsidiaries) pose to SDs and FCMs? Are there risks posed by an affiliate trading in physical commodity markets, trading in digital asset markets, or relying on affiliated parties to meet regulatory requirements or obligations? Are there contagion risks posed by the credit exposures of affiliates? Are there risks posed by other lines of business of an SD, or of an FCM, respectively, that are not adequately or comprehensively addressed by the Commission's regulations, including, as applicable, the Volcker Rule regulations found in 17 CFR part 75?

2. Do the current RMP Regulations adequately and comprehensively address the risks associated with the activities of affiliates (whether such affiliates are unregulated, less regulated, or subject to alternative regulatory regimes), or of other lines of business, of an SD or of an FCM, respectively, that could affect SD or FCM operations? Alternatively, to what extent are the risks posed by affiliates discussed in this section adequately addressed through other regulatory requirements (for example, the Volcker Rule or other prudential regulations, or applicable non-U.S. laws, regulations, or standards)?

3. Should the Commission further expand on how SD and FCM RMPs should address risks posed by affiliates in the RMP Regulations, including any specific risks? Should the Commission consider enumerating any specific risks posed by affiliates or related trading activities within the RMP Regulations, either as a separate enumerated risk, or as a subset of an existing enumerated area of risk ( e.g., operational risk, credit risk, etc.)?

Note:

The following appendices will not appear in the Code of Federal Regulations.

Appendices to Risk Management Program Regulations for Swap Dealers, Major Swap Participants, and Futures Commission Merchants—Voting Summary and Chairman's and Commissioners' Statements

Appendix 1—Voting Summary

On this matter, Chairman Behnam and Commissioners Johnson, Goldsmith Romero, Mersinger, and Pham voted in the affirmative. No Commissioner voted in the negative.

Appendix 2—Statement of Chairman Rostin Behnam

I appreciate all of the Market Participants Division staff's hard work on this proposal. I look forward to the public's thoughtful comments on the proposal to inform a potential future rulemaking or guidance for the Commission's risk management program regulations for swap dealers and futures commission merchants.

Appendix 3—Statement of Commissioner Christy Goldsmith Romero on Advance Notice of Proposed Rulemaking on Risk Management Program Regulations

Management of existing, evolving, and emerging risk is paramount to the financial stability of the United States and global markets. This is evidenced by the recent bank failures, followed by subsequent government action taken out of regulatory concern over possible contagion effect to other banks and broader economic spillover. Federal Reserve Board Vice Chair Michael Barr recently testified before the Senate at a hearing on the bank failures, “the events of the last few weeks raise questions about evolving risks and what more can and should be done so that isolated banking problems do not undermine confidence in healthy banks and threaten the stability of the banking system as a whole.”

Sound risk management is particularly crucial for CFTC-registered swap dealers, the majority of which are global systemically important banks on Wall Street (or their affiliates) or other prudentially-regulated banks. If there was any one issue at the center of the 2008 financial crisis, it was the failure of risk management by Wall Street. The Dodd-Frank Wall Street Reform and Consumer Protection Act required these dealers to establish and maintain risk management programs. The Commission implemented its risk management requirements for swap dealers in 2012. Then in 2013, the Commission required that brokers in the derivatives markets, known as futures commission merchants (“FCMs”), establish and maintain risk management programs after two brokers, MF Global and Peregrine Financial, misused customer funds and collapsed from a combination of hidden risks and fraud.

Re-evaluating our risk management rules is responsible and necessary to keep pace with evolving markets that can give rise to emerging risk. The last three years presented unprecedented risk. The pandemic, its lingering supply chain disruptions, Russia's war against Ukraine, climate disasters that proved to be the most-costly three years on record, a spike in ransomware and other cyber attacks (including on ION Markets and Colonial Pipeline), and increasing geo-political tensions involving the U.S. and China, have emerged as often interrelated areas of significant risk. Additionally, as Chairman of the Federal Deposit Insurance Corporation (“FDIC”), Martin Gruenberg testified before the Senate, “the financial system continues to face significant downside risks from the effects of inflation, rising market interest rates, and continuing geopolitical uncertainties.”

Evolving technologies like digital assets, artificial intelligence, and cloud services, also have emerged as areas that can carry significant risk. Vice Chair Barr testified before the Senate, “recent events have shown that we must evolve our understanding of banking in light of changing technologies and emerging risks. To that end, we are analyzing what recent events have taught us about banking, customer behavior, social media, concentrated and novel business models, rapid growth, deposit runs, interest rate risk, and other factors, and we are considering the implications for how we should be regulating and supervising our financial institutions. And for how we think about financial stability.”

The Commission should ensure that our risk management frameworks for banks and brokers reflect and keep pace with the significant evolution of financial stability risk. It is equally important for the Commission to be forward-looking to ensure that our risk management frameworks capture future risk as it could evolve or emerge. The Commission is considering whether to enumerate specific areas of risk that banks and brokers would be required to address. This could include for example, geopolitical risk, cybersecurity risk, climate-related financial risk or contagion risk.

The Commission seeks public comment in its reassessment of its risk management frameworks. I am particularly interested in comment on the following areas: (1) Technology Risk; (2) Cyber Risk; (3) Affiliate Risk; (4) Risk related to segregating customer funds and safeguarding counterparty collateral; and (5) Climate-Related Financial Risk.

Technology Risk

Risk has emerged from the evolution of technology. Distributed ledger networks are being used or considered in certain markets; cloud data storage and computing has gone mainstream; and artificial intelligence hold the power to transform businesses. Many firms are also integrating, or are interested in integrating, digital assets into their businesses, or plan to do so. All of these emerging or evolving technologies carry risks.

Digital assets carry risks—something that has become all too clear in the past year. Silvergate Bank, which recently failed, was almost exclusively known for providing services to digital asset firms. According to FDIC Chairman Gruenberg, “Following the collapse of digital asset exchange FTX in November 2022, Silvergate Bank released a statement indicating that it had $11.9 billion in digital asset-related deposits, and that FTX represented less than 10 percent of total deposits in an effort to explain that its exposure to the digital asset exchange was limited. Nevertheless, in the fourth quarter of 2022, Silvergate Bank experienced an outflow of deposits from digital asset customers that, combined with the FTX deposits, resulted in a 68 percent loss in deposits—from $11.9 billion in deposits to $3.8 billion. That rapid loss of deposits caused Silvergate Bank to sell debt securities to cover deposit withdrawals, resulting in a net earnings loss of $1 billion. On March 1, 2023, Silvergate Bank announced it would be delaying issuance of its 2022 financial statements and indicated that recent events raised concerns about its ability to operate as a going concern, which resulted in a steep drop in Silvergate Bank's stock price. On March 8, 2023, Silvergate Bank announced that it would self-liquidate.”

Chairman Gruenberg further testified, “Like Silvergate Bank, Signature Bank had also focused a significant portion of its business model on the digital asset industry. . . . Silvergate Bank operated a similar platform that was also used by digital asset firms. . . . In the second and third quarters of 2022, Signature Bank, like Silvergate, experienced deposit withdrawals and a drop in its stock price as a consequence of disruptions in the digital asset market due to failures of several high profile digital asset companies.”

These technological advancements, with their accompanying risks, necessitate the Commission revisiting our regulatory oversight, including our risk management requirements. This is similar to other regulators revisiting their oversight in this area. According to Vice Chair Barr, the Federal Reserve “recently decided to establish a dedicated novel activity supervisory group, with a team of experts focused on risks of novel activities, which should help improve oversight of banks like SVB in the future.”

I am interested in comments on how the Commission should amend its risk management requirements to ensure that risks from technology are adequately identified, monitored, assessed and managed. I am also interested in public comment on any gaps in our risk management regulations that the Commission should address regarding technology.

Cyber Risk

I am interested in public comment about how the Commission should update its risk management frameworks to address the growing and increasingly sophisticated threat of cyber attacks. The White House's recent National Cybersecurity Strategy stated:

Our rapidly evolving world demands a more intentional, more coordinated, and more well-resourced approach to cyber defense. We face a complex threat environment, with state and non-state actors developing and executing novel campaigns to threaten our interests. At the same time, next-generation technologies are reaching maturity at an accelerating pace, creating new pathways for innovation while increasing digital interdependencies.

Global cyber criminals and state-sponsored efforts can create or leverage a serious disruption to markets.

I am also interested in comment on how the Commission should address risk management related to third party service providers. As I said in a speech in November, “Even if financial firms have strong cybersecurity systems, their cybersecurity is only as strong as their most vulnerable third-party service provider. The threat can compound where several firms use the same software or other provider.” Subsequently in February, a third-party service provider ION Markets suffered a cyber attack that compromised a number of brokers in the derivatives market. Treasury Deputy Assistant Secretary Todd Conklin, a member of the CFTC Technology Advisory Committee (“TAC”) presented at a recent TAC meeting that ION was not considered by firms to be a critical vendor. Given the severe threat of cyber attacks, I am interested in commenters' views on whether the Commission should specifically enumerate cyber risk, specifically include risks associated with third-party service providers in risk management frameworks, or include other requirements to ensure that cyber risk is adequately and comprehensively identified, assessed, and managed.

Affiliate Risk

I am interested in commenters views on the questions related to affiliate risks, especially those related to risks that unregulated affiliates can pose to regulated entities. Currently, the Commission's rules provide that the risk management frameworks of banks and brokers shall “take into account” risks posed by affiliates. Affiliate risks can take many forms—from counterparty credit risk to operational risks to many others. The questions posed in this ANPRM are designed to flesh out details about affiliate risks, and whether such risks are sufficiently identified and adequately managed.

Understanding affiliate risks is critically important given lessons learned from the past and more recent events. For example, AIG Financial Products (“AIGFP”) is the poster child for how risk of a seemingly remote, unregulated affiliate could undermine the stability of a large, diversified financial institution. AIGFP's damage reached well beyond its affiliates. AIGFP was a source of contagion for other market participants, ultimately spreading risks across Wall Street, contributing to a global financial crisis and massive taxpayer bailout. Most recently, the abrupt collapse of FTX, with its alleged lack of separation between affiliates as found by new CEO John Ray, led to a bankruptcy with more than 130 affiliate debtors, tying up billions of dollars and more than one million customers and creditors. Although LedgerX, a CFTC-regulated FTX affiliate, is not a debtor in the bankruptcy, the debtors sold LedgerX as a result.

Existing Commission rules require that banks' and brokers' risk management programs “take into account” risks related to lines of business. That could include, for example, digital asset markets. In January, before the bank failures, federal bank regulatory agencies issued a recent joint statement outlining numerous “key risks” associated with bank involvement in the crypto-asset sector. I am interested in public comment on those key risks as they may apply specifically to the CFTC's regulated banks and brokers. About half of all CFTC-registered swap dealers are subject to some form of oversight by the prudential regulators.

Many brokers have expressed an interest in becoming further involved in digital assets as well. Risks can arise from regulated trading in crypto derivatives. The unregulated spot markets carry additional risks as seen with the collapse of FTX, Terra Luna, Celsius and numerous others that have resulted in substantial losses. This is in addition to operational risks and risks associated with rampant fraud and illicit finance in some parts of the crypto markets.

Risk Related to the Segregation of Customer Property and Safeguarding Counterparty Collateral in the Digital Asset Space

Digital assets raise a host of issues about safeguarding customer property that were not contemplated at the time of the 2013 risk management rule or the Commission's customer protection rules for brokers to segregate customer assets from company assets. For example, brokers may explore holding customer property in the form of stablecoins or other digital assets that could result in unknown and unique risks. These brokers may be confronted by third-party custody and other risks that should be identified and managed. Physical delivery may also present risk, particularly given the proliferation of cyber hacks. Application of the Commission's segregation rules may also need to be updated based on future risks related to digital assets (even risks not contemplated by the Commission today). I look forward to commenters' responses in this area.

It is necessary for the CFTC to seek public comment on our risk management framework in this important area of emerging risk so that we keep pace with evolution in our markets and technology. We should not assume that our existing segregation rules and risk management framework comprehensively cover the evolving risks in the markets. The Commission does not have a window into certain unregulated spaces, such as with digital assets, which could obscure risks faced by CFTC-regulated banks or brokers. Integration of digital assets with banks and brokers, and the risks that could be posed, could continue to evolve.

Climate-Related Financial Risk

Developments in the management of climate-related financial risk are an important example of the need for the Commission to adopt a framework that helps banks and brokers keep pace with such emerging risks. When the Climate-Related Market Risk Subcommittee of our Market Risk Advisory Committee released its report in September 2020, it was a “first-of-its-kind effort from a U.S. government entity.” Since then, other U.S. financial regulators have not only echoed this acknowledgment, but have moved ahead to define the risk management framework that banks and other regulated entities must adopt for addressing physical and transition risks posed by climate change. Banks and brokers need frameworks that let them adapt to both the increasingly dire projections by climate scientists about the scope of physical impacts, and to the massive economic impetus to a transition to a lower carbon environment created via Congressional passage of the Inflation Reduction Act, the Bipartisan Infrastructure Law, and the CHIPS and Science Act.

In just three years, climate-related financial risk management has gone from novelty to necessity. We should develop a framework that helps banks and brokers remain resilient to risks like this one, which will continue to develop for years to come. I have been advocating for the Commission to enhance its understanding of how market participants are managing climate-related financial risk. To that end, over the past year, I have been working with the National Futures Association (“NFA”) on a recently completed special project to assess how some of its members are identifying and managing climate-related financial risk. NFA learned that some of its members, particularly those already subject to oversight by U.S. and foreign banking regulators, are taking steps to manage both physical and transition risks. I look forward to hearing from commenters on how best to adapt our framework to incorporate these kinds of emerging risks.

Conclusion

Sound risk management by banks (and other dealers) and brokers at the center of the U.S. derivatives markets is critical to financial stability. The stakes are high. These financial institutions and others take and carry significant risks that could impact financial stability. They are on the front lines of our financial markets, directly engaging with customers or counterparties. Customers have billions of dollars entrusted to these institutions. Market participants depend on liquidity, clearing and other critical functions performed by these institutions.

The Commission must fulfill its own responsibility to ensure that risk management programs at these institutions address the full scope of risks to customers, firms and markets, including keeping pace with evolving and emerging risk. We may never know how many catastrophes were avoided as a result of sound risk management programs, but we have seen what can happen when risks are not well managed.

Appendix 4—Statement of Commissioner Caroline D. Pham

I support the Advance Notice of Proposed Rulemaking (ANPRM) seeking public comment on potential amendments to the Risk Management Program (RMP) requirements in CFTC rules 23.600 and 1.11 (collectively, RMP Rules) applicable to swap dealers and futures commission merchants (FCMs), respectively. I believe in continuous improvement for not only our market participants, but for the Commission and its regulations too.

I would like to thank the staff of the Market Participants Division for working closely with me on this ANPRM, and making revisions in response to my concerns, in particular Amanda Olear, Pamela Geraghty, Fern Simmons, Elizabeth Groover, and Samantha Ostrom. I also appreciate the opportunity to work collaboratively with the Chairman and my fellow Commissioners.

It is critical that the public has the opportunity to provide input on any potential amendment or expansion of RMP requirements that is informed by actual experience from risk management officers, other control functions, and practitioners who have implemented and complied with the RMP Rules for the past 10 years, oftentimes within a broader enterprise-wide risk management program pursuant to other requirements from other regulators.

Because the CFTC's rules are often only one part of much broader risk governance frameworks for financial institutions, the Commission must ensure that it has the full picture before coming to conclusions to ensure that our rules not only address any potential regulatory gaps or changes in risk profiles, but also avoids issuing rules that are conflicting, duplicative, or unworkable with other regulatory regimes.

For example, the CFTC currently has 106 provisionally registered swap dealers. Of these 106 entities, both U.S. and non-U.S., all but a handful are also registered with and supervised by another agency or authority, such as a prudential, functional, or market regulator. Most of these swap dealers are subject to three or more regulatory regimes.

Therefore, it is imperative that the Commission and the staff consider how the CFTC's RMP Rules work in practice together with the rules of other regulators, whether foreign or domestic. This key point is easily apparent in looking at the CFTC's substituted compliance regime for non-U.S. swap dealers, where the Commission has expressly found that non-U.S. swap dealers in certain jurisdictions are subject to comparable and comprehensive regulation, and therefore permits such non-U.S. swap dealers to “substitute” compliance with home jurisdiction risk management regulations to satisfy CFTC rule 23.600.

Issuing an ANPRM can be beneficial to initiate an open process to request information and stimulate dialogue with the public. As stated in the preamble, “After Regulation 23.600 was initially adopted in 2012, the Commission received a number of questions from [swap dealers] concerning compliance with these requirements, particularly those concerning governance . . . . The intervening decade of examination findings and ongoing requests for staff guidance from [swap dealers] with respect to Regulation 23.600 warrant consideration of the Commission's rules and additional public discourse on this topic.” The preamble also states, “Furthermore, a number of [swap dealers] have indicated that the quarterly [risk exposure reports] are not relied upon for their internal risk management purposes, but rather, they are created solely to comply with Regulation 23.600, indicating to the Commission that additional consideration of the [risk exposure report] requirement is warranted.”

I commend the Commission and staff for seeking to address areas of potential confusion, inconsistency, and inefficiencies in the RMP Rules. Risk management must be more than an exercise in paperwork. And lack of regulatory clarity can actually inhibit compliance simply because our registrants are unsure of supervisory expectations and are unclear as to what to implement. That is why I am focused as a Commissioner on providing clear rules and guidance to facilitate compliance with the Commission's regulations. I also support using this opportunity to improve our RMP Rules and I encourage commenters to explore how the RMP Rules could be aligned with other risk governance and risk management frameworks, such as prudential requirements for banking organizations, in order to more effectively and efficiently address risks.

Regarding potential risks related to the segregation of customer funds and safeguarding counterparty collateral, I will note that the CFTC's existing rules are the gold standard for customer protection around the world. Further, our existing rules also address potential risks posed by affiliates, lines of business, and all other trading activity. While much attention has been paid to widespread fraud and failures of risk management in the cryptocurrency sector, it bears reminding that a so-called crypto exchange is a very different type of organization and business model from a highly regulated financial institution. The public should take care to avoid conflating these completely different entities—it is at least as wholly unlike one another as a domesticated housecat and a wild tiger. I look forward to comments on these two other areas of risk.

Nonetheless, neither the Commission nor our registrants should be complacent. I reiterate this statement in the preamble: “[T]he Commission also reminds [swap dealers] and FCMs that their RMPs may require periodic updates to reflect and keep pace with technological innovations that have developed or evolved since the Commission first promulgated the RMP Regulations.” The benefit of a principles-based regulatory framework is that it can more quickly anticipate and adapt to changes in risk profiles or the operating environment. I believe our rules must be broad and flexible enough to be forward-looking and evergreen, because it is simply not possible to prescribe every last requirement for the unknown future. Accordingly, swap dealers and FCMs must be vigilant and address new and emerging risks in their RMPs through various risk stripes as appropriate—whether from changing market conditions, technological developments, geopolitical concerns, or any other event.

I welcome input from commenters to inform the Commission and the staff regarding the application of the RMP Rules to swap dealers and FCMs, especially those entities that are part of a banking organization, and to describe in a detailed manner the policies, procedures, processes, systems, controls, testing, and audits that are part of an RMP, and associated governance requirements. In this way, it will be more clearly apparent to the Commission and staff that the vast majority of swap dealers and FCMs are part of enterprise-wide risk management programs that the industry spends billions of dollars on each year, with thousands of personnel across the three lines of defense. In addition, the CFTC's stringent RMP governance provisions ensure management accountability and responsibility, and the RMP Rules prescribe various requirements for swap dealers to address market risk, credit risk, liquidity risk, foreign currency risk, legal risk, operational risk, and settlement risk, and for FCMs to address market risk, credit risk, liquidity risk, foreign currency risk, legal risk, operational risk, settlement risk, segregation risk, technological risk, and capital risk.

Of course, financial institutions can still have lapses in risk management and weaknesses in their control environment. This is evident in the high-profile news stories of the past few years. But the appropriate response is for regulators, including the CFTC and National Futures Association (NFA), to increase focus and resources on compliance examinations to ensure that swap dealers and FCMs are complying with the rules we already have—not piling on more rules that ultimately do not enhance sound risk management and governance, and further dilute limited resources, time, and attention. In instances of especially egregious or prolonged deficiencies, material weakness, or misconduct by management, then enforcement actions may be appropriate, and the Commission should not shy away from this step.