Mondo Visione Worldwide Financial Markets Intelligence

Opening Remarks Of CFTC Commissioner Kristin N. Johnson Before The Technology Advisory Committee

Date 22/03/2023

Introduction

Good afternoon.  It’s a pleasure to be here for the inaugural meeting of the Technology Advisory Committee (TAC) under Commissioner Goldsmith-Romero’s sponsorship.  The work of the Commission’s Advisory Committees is critical to the development of the CFTC’s regulations and policies, as well as industry best practices.

I want to thank Commissioner Goldsmith-Romero and Anthony Biagioli, TAC’s Designated Federal Officer, for convening this meeting today. I also want to thank you, TAC’s membership and today’s panelists.  The Advisory Committee has an ever-more important role in furthering and fostering the education of the Commissioners and Commission.

In the spring of 2000, the TAC held its inaugural meeting. A year later, following the tragic events of September 11th, members of TAC demonstrated tremendous resolve, holding a meeting in November of 2001 and focusing on electronic order routing and disaster recovery, business continuity plans, and technology-centered recovery and resilience planning.

Over the following years, TAC continued to focus on the unique and important issues outlined in the Committee’s charter and at the intersection of the integration of technology in finance.  Specifically, in 2005, TAC examined critical questions including how best to define “prior art” in the patents process; intellectual property in trading and settlements technology; restrictions on the usage of exchange settlement prices; and market data piracy.  More recently, TAC has led the Commission’s efforts to understand and explore high frequency and algorithmic trading practices; the role of technology in pre- and post-trade transparency in implementing the Dodd-Frank Act; universal product and legal entity identifiers; standardization of machine-readable legal contracts; semantics; and data storage and retrieval.

As we gather today, consider how our world has changed. Much has been made (and publicized) about distributed ledger technology (DLT) within the context of tokens, currencies, and other “stores of value” or “medium of exchange” uses. Even if Satoshi Nakamoto’s white paper, published over a decade ago, offers a precise description of the archetypal use case, there is much to explore and discover in the context of the introduction of this technology in our society.[1]

Allow me to highlight a few interesting and, I believe, important uses for distributed ledger technology.

  1. Distributed Ledger Technology Use Cases

As we think about the many potential use cases for distributed ledger technology, the need to focus on climate risks in financial markets comes quickly into focus.  As a recent report explains:

“The 2021 estimate by the Interagency Working Group on Social Cost of Greenhouse Gases puts the social cost of carbon at $56 per metric ton of carbon dioxide (CO2) by 2025 and $85 per metric ton of CO2 by 2050 (in 2020 dollars, at a 3% discount rate).  These consistently higher estimates for the future social cost of carbon are largely driven by expectations of increasing costs of climate-related damage.”[2]

The authors of the recently published report further explain that, whether we are discussing compliance or voluntary markets, financial markets “can perform a price discovery and risk allocation function in determining the price of carbon emissions.”[3]

In addition to providing critical infrastructure for developing carbon markets, others have proposed the use of DLT technology in agricultural markets.  For example, IBM recently launched the IBM Food Trust program.[4]  This program facilitates better handling of perishable fruits and vegetables through information sharing and dynamic optimization.  In other contexts, supply chains have introduced DLT tools that enable end-to-end traceability for perishable produce.[5]

Beyond food production, DLT also helps farmers with other challenges in data management and operation. Distributed ledger technology may aid cotton farmers and others who seek to authenticate or verify information regarding crops.[6]

Another important use case for DLT that maintains a strong tie to financial markets is digital or decentralized identities.  Traditionally, service providers maintain identifying information outside of the control of the individuals, and outside third-party service providers authenticate the identifying information.[7]  Today in the financial sector, we see this occur in banking, investment services, and in credit and mortgage lending. When an individual reaches out to a financial firm to establish an account, they consent to access and collection of financial, identifying, and demographic information by the servicing firm.  This data, however, is often outside of the control of the individual and therefore is susceptible to data leaks and financial discrimination.

To combat the need for service and identity providers to collect and store sensitive identity data, technology developers have presented novel solutions empowering individuals to manage their own data.  In its simplest form, ‘digital identity’ is self-managed identity information stored on the blockchain.  Using distributed ledger technology, these systems would track and certify data, events, and information relating to an individual’s personal and financial information.[8]  The information would be stored in an individual’s digital wallet and instantly verifiable on the blockchain.  Proponents of this use for blockchain technology tout many benefits including encrypted information and pseudonyms to ensure privacy, autonomy for individuals to control access to their data, and reduced opportunity for mass data leaks and cyber threats.[9]

Finally, there is tremendous promise in the possibility of developing and deploying digital technologies that enable the creation of digital identities with effective embedded privacy protection.  As I have previously explained during testimony before the U.S. House Financial Services Committee in July of 2019:

“Supplementing traditional credit underwriting data inputs and processes, [distributed digital ledger technology employs] newer modeling techniques and consider[s] a broader range of source data referred to descriptively (rather than normatively) as alternative data.  These new inputs include information regarding consumers’ financial transactions [and] recurring payments history.”[10]

The opportunity to gain access to additional sources of information such as utility bill payments or rental payments offers great promise but also presents unique concerns. Legislative and regulatory authorities must, however, balance these laudable promises of greater inclusion with the significant risks posed, particularly the risks that vulnerable populations may face.

  2. Cybersecurity

A little less than two months ago, ION Cleared Derivatives acknowledged that “a cybersecurity event” had “affected some of its services.”[11]  As we all now well know, ION provides back-office trade processing and settlement of exchange-traded derivatives for many futures commission merchants (FCMs) and other participants in our markets.

Because of this central role in trade processing, the cyberattack disrupted not only ION’s operations but also the operations of other market participants, triggering a ripple effect across markets.  Because they could not rely on ION, affected parties were forced to resort to manual (old-school) trade processing, leading to delays in reconciliation and information sharing and reporting that we are only now fully recovering from.

Earlier this month, at a meeting of the Market Risk Advisory Committee (MRAC) that I sponsor, I invited speakers to engage in a deep dive discussion exploring cyberthreats that create risk management concerns.[12]  During the meeting, Walt Lukken, the President of the Futures Industry Association, announced the creation of a task force focused on improving operational resilience across diverse market participants.  In addition, Tom Sexton, President of the National Futures Association, described recent initiatives to enhance cyber risk oversight and acknowledged efforts to expand oversight to critical third-party service providers.

First, cyber risks are not siloed, individual enterprise risk management concerns; all too often, cyber threats demand coordinated action across several market participants, with thoughtful incorporation of large, systemically important market participants.[13]  The National Cybersecurity Strategy, released just prior to the MRAC meeting, makes this point clearly:  “[A]cross both the public and private sectors, we must ask more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient.”[14]  Accountability must be top of mind and at the center of the systems that technology providers build and deploy.

Second, our economy is a digital economy.  Computers and the internet have integrated themselves into every aspect of the business of our financial markets. In this increasingly digitized environment, vulnerabilities further and further from crucial market participants may nonetheless have significant impacts on the functioning and resilience of our markets.  Reliance on third-party service providers and non-proprietary software for key operational functions such as trade processing, margin determinations, and data distribution underscores the importance of revisiting our risk management regulations to ensure that the Commission has adequate visibility into the system safeguards of firms that may impact the operational integrity of registered market participants.[15]  Even robust and well-designed safeguards and regulatory frameworks may be inadequate if they are not broad enough in scope—we cannot train our focus only on our registered entities and market participants, but must cast a wider net to ensure sufficient identification and mitigation of cyber risks.[16]

One particular type of service provider is playing an increasingly critical and systemic role in our financial system:  the cloud-services industry.  There is notable concentration—three major cloud-service providers (CSPs), Google Cloud, Amazon Web Services, and Microsoft Azure, control roughly 60% of the market.[17] Most major futures exchanges (e.g., CME) and most major stock exchanges (e.g., NYSE, Nasdaq) rely on this handful of CSPs.[18]  CSP market concentration and exchanges’ reliance on these CSPs may potentially engender systemic risk concerns, both from nefarious avenues (e.g., hacking) and non-nefarious ones (e.g., general outages).[19]

Indeed, CSPs provide a particularly complex and difficult problem in terms of financial regulatory oversight of their system safeguards.[20]  While, on the one hand, CSPs may be presumed to be technologically sophisticated, with the resources needed to protect their systems, they are, on the other hand, operating in a more unregulated space than typical financial industry participants.  And due to their size and market power, it may be even harder for a regulated entity to seek to require a CSP to comply with CFTC system safeguards and other regulatory provisions.[21]

The disruption in financial markets over the past several weeks further establishes the implications of interconnection in markets.  Interconnectedness and correlations may amplify the consequences of cyber-attacks against critical infrastructure resources.  As noted at the MRAC meeting, I have long advocated for regulators and market participants to prioritize cybersecurity and investigate the potential for cyberthreats to create systemic risk or national security concerns.[22]

While I called for MRAC to serve as a timely and transparent forum for critical discussions regarding resilience, recovery, and resolution, these issues are so significant and multifaceted that there is substantial benefit to be gained from a diversity of voices.  Accordingly, I look forward to hearing from TAC members today about their perspective on these important issues.

  3. Responsible Artificial Intelligence

In recent months, we have witnessed the potential for artificial intelligence (AI) to address endemic challenges in all spheres of our economy.[23]  This includes the potential for AI to improve the efficiency of trading in financial markets, as well as the accuracy and dexterity of market surveillance and fraud detection.[24]  There are, however, challenges to the increasing adoption of and reliance on AI.  Several years ago, commentators began to focus on the ethical implications of AI and concerns regarding the potential for limited data sets and shortcomings in the curation, structuring, partitioning, and cleaning of data to lead to hardwiring bias in the real world deployment of AI.[25]  I have spoken previously about the potential for innovative technology to further goals of financial inclusion, for example by democratizing access to markets and financial information.[26]  These questions extend beyond the markets and entities regulated by the CFTC, but I am hopeful that today’s discussion will reach these questions and that TAC will foster a systematic effort to study and address them. 

Thank you again to Commissioner Goldsmith-Romero and DFO Biagioli. I look forward to hearing from each of you today.


[1] Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System.

[2] E.g., Alessandro Cocco, Jesse Leigh Maniff, David Radziewicz & Michael Werner, Distributed Ledger Technology, Carbon Accounting, and Emissions Trading, Chicago Fed Letter (Nov. 2022), https://www.chicagofed.org/publications/chicago-fed-letter/2022/474.

[3] Id.

[4] IBM Food Trust (accessed Mar. 7, 2023), https://www.ibm.com/blockchain/resources/food-trust/fresh-produce/.

[5] Fresh Leafy Greens, New Walmart Food Traceability Initiative, Questions and Answers, Walmart (Sept. 10, 2018), https://corporate.walmart.com/media-library/document/leafy-greens-food-safety-traceability-requirements-faq/_proxyDocument?id=00000166-0c8e-dc77-a7ff-4dff95cb0001.

[6] Terry W. Griffin, Keith D. Harris, Jason K. Ward, Paul Goeringer & Jessica A. Richard, Three Digital Agricultural Problems in Cotton Solved by Distributed Ledger Technology, Applied Econ. Perspect. Policy (2022), https://onlinelibrary.wiley.com/doi/epdf/10.1002/aepp.13142.

[7] Shlok Gilda, Tanvi Jain & Aashish Dhalla, None Shall Pass: A blockchain-based federated identity management system, Arxiv (July 5, 2022), https://arxiv.org/pdf/2207.02207.pdf.

[8] Id.

[9] Id. See also Linda Jeng, How self-custodied identity works, presentation at the CFTC Market Risk Advisory Committee meeting, March 8, 2023, [hyperlink once posted]

[10] Kristin N. Johnson, Examining the Use of Alternative Data in Underwriting and Credit Scoring to Expand Access to Credit, written testimony before the U.S. House Committee on Financial Services Task Force on Financial Technology, July 25, 2019, https://democrats-financialservices.house.gov/UploadedFiles/HHRG-116-BA00-Wstate-JohnsonK-20190725.pdf.

[11] Cleared Derivatives Cyber Event, ION Cleared Derivatives, Jan. 31, 2023, https://iongroup.com/press-release/markets/cleared-derivatives-cyber-event/.

[12] Opening Statement of Commissioner Kristin N. Johnson Before the Market Risk Advisory Committee Meeting, Mar. 8, 2023, https://www.cftc.gov/PressRoom/SpeechesTestimony/johnsonstatement030823.

[13] See FIA's CEO Walt Lukken speaks on cyber resilience before CFTC, Remarks by FIA President and CEO Walt Lukken delivered to MRAC, Mar. 8, 2023, https://www.fia.org/fia/articles/fias-ceo-walt-lukken-speaks-cyber-resilience-cftc (noting the importance of communication to coordinate action); Remarks by NFA President and CEO Tom Sexton delivered to MRAC, Mar. 8, 2023 (noting the importance of communication and a unified response between industry, government, and SROs to mitigate the impact of the ION hack).

[14] National Cybersecurity Strategy, Mar. 2023, at 4–5, https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.  Notably, the document identifies government’s role, in part, as “ensur[ing] private entities, particularly critical infrastructure, are protecting their systems.”  Id. at 5.

[15] NFA requires Members to adopt and implement a supervisory framework over functions that they outsource to third parties, including with respect to cyber risks.  See Sexton remarks, supra; see also NFA Interpretive Notice 9079 - NFA Compliance Rules 2-9 and 2-36:  Members’ Use of Third-Party Service Providers, Feb. 18, 2021, https://www.nfa.futures.org/rulebooksql/rules.aspx?Section=9&RuleID=9079.

[16] Notably, the Futures Industry Association announced at MRAC that it was forming a global Cyber Risk Taskforce to look at the ION event and develop recommendations, including with respect to safeguards around third-party service providers.  See Lukken remarks, supra.  FIA intends to release an initial report on recent cyber incidents by the second quarter of 2023 and we look forward to reviewing that report.

[17] Carolina Asensio, Antoine Bouveret, & Alexander Harris, Financial Stability Risks from Cloud Outsourcing, ESMA (May 2022), https://www.esma.europa.eu/sites/default/files/library/esma_wp_cloud_may_2022.pdf.

[18] CME Group Signs 10-Year Partnership with Google Cloud to Transform Global Derivatives Markets Through Cloud Adoption, CME Group (Nov. 4, 2021), https://www.cmegroup.com/media-room/press-releases/2021/11/04/cme_group_signs_10-yearpartnershipwithgooglecloudtotransformglob.html; NYSE Market Data Via Amazon Web Services, NYSE (accessed Mar. 21, 2023), https://www.nyse.com/nyse-cloud; Nasdaq and AWS Partner to Transform Capital Markets, Nasdaq (Nov. 30, 2021), https://www.nasdaq.com/press-release/nasdaq-and-aws-partner-to-transform-capital-markets-2021-12-01.

[19] Erik Feyen, Jon Frost, Leonardo Gambacorta, Harish Natarajan & Matthew Saal, Fintech And the Digital Transformation of Financial Services: Implications For Market Structure And Public Policy, BIS (July 2021), https://www.bis.org/publ/bppdf/bispap117.pdf; Third-Party Dependencies in Cloud Services: Considerations on Financial Stability Implications, FSB (Dec. 9, 2019), https://www.fsb.org/wp-content/uploads/P091219-2.pdf; Juan Carlos Crisanto, Johannes Ehrentraud, Marcos Fabian & Amélie Monteil, Big Tech Interdependencies - A Key Policy Blind Spot, BIS FSI Insights on Policy Implementation (July 2022), https://www.bis.org/fsi/publ/insights44.pdf.

[20] See, e.g., U.S. Dep’t of the Treasury, The Financial Services Sector’s Adoption of Cloud Services, sec. 6 (Challenges with the Financial Sector’s Use of Cloud Services) (Feb. 8, 2023), https://home.treasury.gov/system/files/136/Treasury-Cloud-Report.pdf.

[21] See id. sec. 6.4–6.5 (describing several challenges associated with greater cloud adoption by U.S. financial institutions, including risks related to concentration in the CSP market and resulting difficulties in contract negotiations).

[22] See, e.g., Kristin N. Johnson, Cyber Risks: Emerging Risk Management Concerns for Financial Institutions, 50 Ga. L. Rev. 132 (2015) (explaining that “cybersecurity concerns are an ever-increasing threat,” and concluding that enterprise risk management solutions focusing only on an individual firm’s cyber defenses may be inadequate to address concerns arising from reliance on third party service providers or resulting from the networking or interconnectedness created by transactional relationships); Kristin N. Johnson, Managing Cyber Risks, 50 Ga. L. Rev. 528 (2015) (emphasizing market participants’ adoption of the NIST cybersecurity framework).

[23] See generally, German Lopez, The Brilliance and Weirdness of ChatGPT (Dec. 8, 2022), https://www.nytimes.com/2022/12/05/technology/chatgpt-ai-twitter.html.

[24] E.g., Podcast, Deep Learning: The Future of the Market Manipulation Surveillance Program, FINRA (Jan. 25, 2022), https://www.finra.org/media-center/finra-unscripted/deep-learning-market-surveillance.

[25] Reva Schwartz, Apostol Vassilev, Kristen Greene, Lori Perine, Andrew Burt, & Patrick Hall, Towards a Standard for Identifying and Managing Bias in Artificial Intelligence, U.S. Dept. of Commerce National Institute of Standards and Technology (Mar. 2022), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf.

[26] E.g., Commissioner Kristin Johnson, Opening Remarks of Commissioner Kristin Johnson for the CFTC and OMWI Roundtable on Digital Assets and Financial Inclusion, CFTC Roundtable on Digital Assets and Financial Inclusion (Aug. 19, 2022), https://www.cftc.gov/PressRoom/SpeechesTestimony/opajohnson1.
