.jpg)
Today, the Commission considers several amendments to the Part 39 regulations and a delegation provision in Part 140. In January 2020, the Commission amended many of the provisions in Part 39 in order to enhance certain risk management and reporting obligations, clarify the meaning of certain provisions, and streamline registration and reporting.[1] Last November, the Commission considered a proposed rulemaking seeking to update certain Part 39 regulations to reflect developments in risk management. I support the Commission’s consideration of these amendments designed to improve derivatives clearing organization (DCO) risk management practices and clarify reporting requirements set out in Part 39.
Dodd-Frank set out to implement reforms to mitigate systemic financial risk and promote transparency and stability. DCOs play a significant role in mitigating risk and facilitating stability in our markets by providing essential clearing and settlement market infrastructure. Clearing houses enhance visibility, introduce and enforce uniform contractual obligations, and establish standards for critical risk management tools such as initial and variation margin. They facilitate dispute resolution among counterparties, ensure the maintenance of necessary liquidity reserves, introduce important operating systems and cyber-risk management measures, and implement governance measures that mitigate conflicts of interest and monitor systems safeguards.[2]
In light of the role DCOs play, we must provide a workable framework that not only supports market stability but is functional and can be practically integrated. The implementation of these final regulations will operate to enhance the DCO regulatory framework by addressing gaps in reporting data to the Commission.
Cyber security
Under DCO Core Principle I, DCOs must “establish and maintain a program of risk analysis and oversight to identify and minimize sources of operational risk through the development of appropriate controls and procedures…”[3] In accord with this Core Principle, the Commission adopted Regulation 39.18(g) requiring DCOs to promptly notify the Division of Clearing and Risk (DCR) of any cyber security incident or targeted threat that materially impairs, or creates a significant likelihood of material impairment of, automated system operation, reliability, security, or capacity.[4]
We live in a digital age, and our dependence on technology, digital operational infrastructure systems, and software is increasingly undeniable. The security and integrity of cyber systems is important for the effective functioning of individual firms. Interconnectedness in financial markets creates the possibility that a cyber-threat that impacts certain actors in our markets may also impact the safety and soundness of counterparties or customers. In some instances, these cyber events will lead to more significant disruption, impeding clearing and settlement of transactions or impacting price discovery. Just a few months ago, ION, a significant service provider in global derivatives markets, experienced a cybersecurity event that led to ripple effect across derivatives markets. The ION event underscores the importance of cyber security monitoring, prevention, and reporting.
In November of 2022, DCR proposed amendments to 39.18(g) recommending improvements to certain cyber-incident reporting requirements. The proposed amendment would have eliminated the materiality threshold, which would have required DCOs to report all such events regardless of magnitude.[5] The amendment would have increased reporting of DCO cyber incidents and automated system impairments, including impairments concerning third-party provided services.
While I appreciate the Commission’s adaptation in response to public comment, it is important to balance thoughtful consideration of cyber regulation with the emergent need for action. I am hopeful the delay in amending 39.18(g) will be included in a rulemaking focused on cyber controls, monitoring, and reporting to strength market resilience and facilitate the Commission’s duty to surveil the market. Our markets cannot afford significant passage of time without Commission guidance.
While I commend DCR for its careful review and consideration of the responses to the Commission’s request for comment, it is important the Commission balance thoughtful consideration with the need for urgent action in response to growing cyber threats.
As market participants integrate, adopt, and partner with significant technology firms and adopt software and technology that facilitates the technical operations for their businesses, it is imperative that our regulation focus on monitoring, reporting, transparency and the development of cyber recovery and resilience programs.
Four months ago, the Market Risk Advisory Committee (MRAC) that I sponsor held a meeting in this room. The National Cyber Director and others joined a thoughtful dialogue focused on preventing or mitigating the threat of cyber events and cyber security threats. In addition to valuable dialogue during the meeting, my staff and I traveled to the White House executive offices to meet with the Office of the National Cyber Director. Our discussions and dialogue continue.
DCR is correctly focused on refining and updating 39.18(g). There is a clear need for immediate and careful study of the cyber-risk issues that present for DCOs. To this end, an MRAC subcommittee focused on technical and operational resilience will begin to examine several of the issues raised in the proposed amendment and comment letters. Hopefully, our collective efforts will enhance the cyber resilience of the registrants in our markets as well as the critical third- and fourth-party service providers that registrants may depend on.
Segregation of Customer Funds
DCO Core Principle F and requires DCOs to establish standards and procedures for protecting and ensuring the safety of clearing member and customer funds. In addition, Core Principle F requires DCOs to establish standards and procedures that are designed to protect and to ensure the safety of funds and assets held in custody, to hold such funds and assets in a way designed to minimize risk, and to limit investment of such funds and assets to instruments with minimal credit, market, and liquidity risks. The DCO risk mitigation function is imperative for the segregation and safekeeping of clearing member and customer funds and assets.
Today, DCR proposes amendments that seek to close a gap with respect to DCO regulations that govern segregation of customer assets. While there are robust regulations governing segregation of customer funds by futures commission merchants (FCMs),[6] those same protections may not reach all DCO customers. In some instances, the divergence is based on the history and structure of the markets for certain assets. As innovative financial products and market structures proliferate, we must be mindful of the consequences of the lack of parallelism in our customer protection regulations.
I support the Commission’s adoption of the proposed amendments that enhance customer protections, namely segregation of customer funds, treatment of customer funds, and the introduction of financial resource requirements for certain DCOs.
Liquidity Reserves
The amendments today also include updates addressing liquidity-related transparency. Over the last year, the macroeconomic conditions in the US have been impacted by persistent inflation and periods of sustained volatility. Governance and risk management failures can and often do lead to crises, including liquidity crises, and apart from undermining the reputational integrity of the industry and fueling calls for harsh regulatory and legislative action, these failures all too often impose tremendous costs that fall disproportionately on customers. When not managed properly, liquidity risk can lead to instability throughout the financial market and result in default.
The transparency amendments in this rule, which trigger reporting of changes to credit and liquidity facilities, and the financial health of the entities that offer them, will improve the Commission’s risk surveillance of DCOs and clearing members. Prudent risk management, and particularly the management of liquidity needs, is critical to DCO resilience. I support these transparency provisions. Each adds value to the Core Principles we uphold – the protection of customers and the integrity of the financial markets that we regulate.
I want to thank the staff of DCR – Eileen Donovan, August Imholtz, Gavin Young, and Parisa Nouri – for their diligent and thoughtful work on these amendments.
[1] Derivatives Clearing Organization General Provisions and Core Principles, 85 FR 4800 (Jan. 27, 2020), https://www.federalregister.gov/documents/2020/01/27/2020-01065/derivatives-clearing-organization-general-provisions-and-core-principles.
[2] Statement of Commissioner Kristin N. Johnson in Support of Notice of Proposed Amendments to Reporting and Information Requirements for Derivatives Clearing Organizations, Kristin N. Johnson (Nov. 10, 2022), https://www.cftc.gov/PressRoom/SpeechesTestimony/johnsonstatement060723d.
[3] 7 U.S.C. § 7a-1(c)(2)(I)(i).
[4] 17 C.F.R. §39.18(g)
[5] Reporting and Information Requirements for Derivatives Clearing Organizations, 87 Fed. Reg. 76,698, 76,700 (Dec. 15, 2022), https://www.cftc.gov/sites/default/files/2022/12/2022-26849a.pdf.
[6] Section 4d(a)(2) of the CEA requires each FCM to segregate from its own assets all money, securities, and other property deposited by futures customers to margin, secure, or guarantee futures contracts and options on futures contracts traded on designated contract markets. 7 U.S.C. § 6d(a)(2). In addition, Section 4d(a)(2) of the CEA requires an FCM to treat and deal with futures customer funds as belonging to the futures customer, and prohibits an FCM from using the funds deposited by a futures customer to margin or extend credit to any person other than the futures customer that deposited the funds. 7 U.S.C. § 6d(a)(2).
