Public Statements & Remarks

Opening Statement of Commissioner Kristin N. Johnson Before the Technology Advisory Committee

March 22, 2023

Introduction

Good afternoon.  It’s a pleasure to be here for the inaugural meeting of the Technology Advisory Committee (TAC) under Commissioner Goldsmith-Romero’s sponsorship.  The work of the Commission’s Advisory Committees is critical to the development of the CFTC’s regulations and policies, as well as industry best practices.

I want to thank Commissioner Goldsmith-Romero and Anthony Biagioli—TAC’s Designated Federal Officer, for convening this meeting today. I also want to thank you, TAC’s membership and today’s panelists.  The Advisory Committee has an ever-more important role in furthering and fostering the knowledge and understanding of the Commissioners and Commission. The Committee is fortunate to have the leadership of Chair Carole House from Terranet Ventures and previously the White House National Security Council where she served as Director for Cybersecurity and Secure Digital Innovation and Vice Chair Ari Redbord of TRM Labs.

In the spring of 2000, the TAC held its inaugural meeting. A year later, following the tragic events of September 11th, members of TAC demonstrated tremendous resolve, holding a meeting in November of 2001 and focusing on electronic order routing and disaster recovery, business continuity plans, and technology-centered recovery and resilience planning.

Over the following years, TAC continued to focus on the unique and important issues outlined in the Committee’s charter and at the intersection of the integration of technology in finance.  Specifically, in 2005, TAC examined critical questions including how best to define “prior art” in the patents process; intellectual property in trading and settlements technology; restrictions on the usage of exchange settlement prices; and market data piracy.  More recently, TAC has led the Commission’s efforts to understand and explore high frequency and algorithmic trading practices; the role of technology in pre- and post-trade transparency in implementing the Dodd-Frank Act; universal product and legal entity identifiers; standardization of machine-readable legal contracts; semantics; and date storage and retrieval.

As we gather today, consider how our world has changed. Much has been made (and publicized) about distributed ledger technology within the context of tokens, currencies, and other “stores of value” or “medium of exchange” uses. Even if Satoshi Nakamoto’s white paper, published over a decade ago, offers a precise description of the archetypal use case, there is much to explore and discover in the context of the introduction of this technology in our society.[1]

Allow me to highlight a few of interesting and I believe important, uses for distributed ledger technology.

  1. Distributed Ledger Technology Use Cases

As we think about the many potential use cases for distributed ledger technology (DLT), the need to focus on climate risks in financial markets comes quickly into focus.  As a recent report explains:

“The 2021 estimate by the Interagency Working Group on Social Cost of Greenhouse Gases puts the social cost of carbon at $56 per metric ton of carbon dioxide (CO2) by 2025 and $85 per metric ton of CO2 by 2050 (in 2020 dollars, at a 3% discount rate).  These consistently higher estimates for the future social cost of carbon are largely driven by expectations of increasing costs of climate-related damage.”[2]

The authors of the recently published report further explain that, whether we are discussing compliance or voluntary carbon markets, financial markets “can perform a price discovery and risk allocation function in determining the price of carbon emissions.”[3]

In addition to providing critical infrastructure for developing carbon markets, others have proposed the use of DLT technology in agricultural markets.  For example, IBM recently launched the IBM Food Trust program.[4]  This program facilitates better handling of perishable fruits and vegetables through information sharing and dynamic optimization.  In other contexts, supply chains have introduced DLT tools that enable end-to-end traceability.

Beyond food production, DLT also helps farmers with other challenges in data management and operation. DLT may aid cotton farmers and others who seek to authenticate or verify information regarding crops.[5]

Another important use case for DLT in financial markets is the digital identity use case.[6]

Technology developers increasingly present novel solutions empowering individuals to manage their own data.  In its simplest form, ‘digital identity’ is self-managed identity information stored on the blockchain.  Using DLT, these systems would track and certify data, events, and information relating to an individual’s personal and financial information.[7]  The information would be stored in an individual’s digital wallet and instantly verifiable on the blockchain.  Proponents of this use for blockchain technology tout many benefits including encrypted information and pseudonyms to ensure privacy, autonomy for individuals to control access to their data, and reduced opportunity for mass data leaks and cyber threats.[8]

There is tremendous promise in the possibility of developing and deploying digital technologies that enable the creation of digital identities with effective embedded privacy protection.  As I have previously explained during testimony before the U.S. House Financial Services Committee in July of 2019:

Supplementing traditional credit underwriting data inputs and processes, [distributed digital ledger technology employs] newer modeling techniques and consider[s] a broader range of source data referred to descriptively (rather than normatively) as alternative data.  These new inputs include information regarding consumers’ financial transactions [and] recurring payments history.”[9]

The opportunity to gain access to additional sources of information such as utility bill payments or rental payments offers great promise but also present unique concerns. There are, however, notable concerns, including the need to ensure effective privacy protections are embedded in the development of such technologies. Legislative and regulatory authorities must balance these laudable promises of greater inclusion with the significant risks posed, particularly the risks that vulnerable populations may face. Today, we will have the benefit of hearing from TAC Chair Carole House on this matter and I very much look forward to her presentation.

  1. Cybersecurity

Earlier this year, ION Cleared Derivatives acknowledged that “a cybersecurity event” had “affected some of its services.”[10]  ION provides back-office trade processing and settlement of exchange-traded derivatives for many futures commission merchants (FCMs) and other participants in our markets.

Because of this central role in trade processing, the cyberattack disrupted not only ION’s operations but also the operations of other market participants, triggering a ripple effect across markets.  Because they could not rely on ION, affected parties returned to manual (old-school) trade processing, leading to delays in reconciliation, information sharing, and reporting.

Earlier this month, at a meeting of the Market Risk Advisory Committee (MRAC) that I sponsor, I invited speakers to engage in a deep dive discussion exploring cyberthreats that create risk management concerns.[11]  During the meeting, Walt Lukken, the Chief Executive Officer and President of the Futures Industry Association announced the creation of a Cyber Risk Task Force focused on improving operational resilience across diverse market participants.  In addition, Tom Sexton, President and Chief Executive Officer of the National Futures Association described recent initiatives to enhance cyber risk oversight and acknowledge efforts to expand oversight to critical third-party service providers.

First, cyber risks are not siloed, individual enterprise risk management concerns; all too often, cyber threats demand coordinated action across several market participants, with thoughtful incorporation of large, systemically important market participants.[12]  The National Cybersecurity Strategy, released just prior to the MRAC meeting, makes this point clearly:  “[A]cross both the public and private sectors, we must ask more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient.”[13]  Accountability must be top of mind and at the center of the systems development and regulatory oversight.

Second, our economy is a digital economy.  Reliance on third-party service providers and non-proprietary software for key operational functions such as trade processing, margin determinations, and data distribution underscore the importance of revisiting our risk management regulations to ensure that the Commission has adequate visibility into the system safeguards of firms that may impact the operational integrity of registered market participants.[14]  Even robust and well-designed safeguards and regulatory frameworks may be inadequate if they are not broad enough in scope—we cannot train our focus only on our registered entities and market participants, but must cast a wider net to ensure sufficient identification and mitigation of cyber risks.[15]

We must also note that benefits and challenges of integrating an increasingly prominent service provider that plays a critical role in our financial system:  the cloud-services industry. Three large cloud-service providers (CSPs), Google Cloud, Amazon Web Services, and Microsoft Azure, provide a significant percentage of cloud-services.[16] Most major futures exchanges and stock exchanges rely on these CSPs.[17]  CSP market concentration and exchanges’ reliance on CSPs may potentially engender broader risk management concerns from common exogenous threats such as hacking to nuanced concerns such as outages.[18]

CSPs provide a particularly complex challenges.[19]  Due to their size and market power, regulation may present unique challenges.[20]

The disruption in financial markets over the past several weeks further establishes the implications of interconnection in markets.  Interconnectedness and correlations may amplify the consequences of cyber-attacks against critical infrastructure resources.  As noted at the MRAC meeting, I have long advocated for regulators and market participants to prioritize cybersecurity and investigate the potential for cyberthreats to create systemic risk or national security concerns.[21]

While I called for MRAC to serve as a timely and transparent forum for critical discussions regarding resilience, recovery, and resolution, these issues are so significant and multifaceted that there is substantial benefit to be gained from a diversity of voices.  Accordingly, I look forward to hearing from TAC members today about their perspective on these important issues.

  1. Responsible Artificial Intelligence

In recent months, we have witnessed the potential for artificial intelligence (AI) to address endemic challenges in financial markets.[22]  This includes the potential for AI to improve the efficiency of trading in financial markets, as well as the accuracy and dexterity of market surveillance and fraud detection.[23]  There are, however, challenges to the increasing adoption of and reliance on AI.  Several years ago, commentators began to focus on the ethical implications of AI and concerns regarding the potential for limited data sets and shortcomings in the curation, structuring, partitioning, and cleaning of data to lead to hardwiring bias in the real world deployment of AI.[24]  I have spoken previously about the potential for innovative technology to further goals of financial inclusion.[25]  While these challenges extend beyond the markets and entities regulated by the CFTC, I am hopeful that today’s discussion will reach these questions and that TAC will foster a systematic effort to study and address them.

Thank you again to Commissioner Goldsmith-Romero, Chair House, Vice Chair Redbod, and DFO Biagioli. I look forward to hearing from each of you today.


[1] Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System.

[2] E.g., Alessandro Cocco, Jesse Leigh Maniff, David Radziewicz & Michael Werner, Distributed Ledger Technology, Carbon Accounting, and Emissions Trading, Chicago Fed Letter (Nov. 2022), https://www.chicagofed.org/publications/chicago-fed-letter/2022/474.

[3] Id.

[4] IBM Food Trust (accessed Mar. 7, 2023), https://www.ibm.com/blockchain/resources/food-trust/fresh-produce/.

[5] Terry W. Griffin, Keith D. Harris, Jason K. Ward, Paul Goeringer & Jessica A. Richard, Three Digital Agricultural Problems in Cotton Solves by Distributed Ledger Technology, Applied Econ. Perspect. Policy (2022), https://onlinelibrary.wiley.com/doi/epdf/10.1002/aepp.13142.

[6] Shlock Gilda, Tanvi Jain & Aashish Dhalla, None Shall Pass: A blockchain-based federated identity management system, Arxiv (July 5, 2022), https://arxiv.org/pdf/2207.02207.pdf.

[7] Id.

[8] Id. See also Linda Jeng, How self-custodied identity works, presentation at the CFTC Market Risk Advisory Committee meeting, March 8, 2023, https://www.cftc.gov/media/8326/MRAC_PowerPoint032223/download.

[9] Kristin N. Johnson, Examining the Use of Alternative Data in Underwriting and Credit Scoring to Expand Access to Credit, written testimony before the U.S. House Committee on Financial Services Task Force on Financial Technology, July 25, 2019, https://democrats-financialservices.house.gov/UploadedFiles/HHRG-116-BA00-Wstate-JohnsonK-20190725.pdf.

[10] Cleared Derivatives Cyber Event, ION Cleared Derivatives, Jan. 31, 2023, https://iongroup.com/press-release/markets/cleared-derivatives-cyber-event/.

[11] Opening Statement of Commissioner Kristin N. Johnson Before the Market Risk Advisory Committee Meeting, Mar. 8, 2023, https://www.cftc.gov/PressRoom/SpeechesTestimony/johnsonstatement030823.

[12] See FIA's CEO Walt Lukken speaks on cyber resilience before CFTC, Remarks by FIA President and CEO Walt Lukken delivered to MRAC, Mar. 8, 2023, https://www.fia.org/fia/articles/fias-ceo-walt-lukken-speaks-cyber-resilience-cftc (noting the importance of communication to coordinate action); Remarks by NFA President and CEO Tom Sexton delivered to MRAC, Mar. 8, 2023 (noting the importance of communication and a unified response between industry, government, and SROs to mitigate the impact of the ION hack).

[13] National Cybersecurity Strategy, Mar. 2023, at 4–5, https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.  Notably, the document identifies government’s role, in part, as “ensur[ing] private entities, particularly critical infrastructure, are protecting their systems.”  Id. at 5.

[14] NFA requires Members to adopt and implement a supervisory framework over functions that they outsource to third parties, including with respect to cyber risks.  See Sexton remarks, supra; see also NFA Interpretive Notice 9079—NFA Compliance Rules 2-9 and 2-36:  Members’ Use of Third-Party Service Providers, Feb. 18, 2021, https://www.nfa.futures.org/rulebooksql/rules.aspx?Section=9&RuleID=9079.

[15] Notably, the Futures Industry Association announced at MRAC that it was forming a global Cyber Risk Taskforce to look at the ION event and develop recommendations, including with respect to safeguards around third-party service providers.  See Lukken remarks, supra.  FIA intends to release an initial report on recent cyber incidents by the second quarter of 2023 and we look forward to reviewing that report.

[16] Carolina Asensio, Antoine Bouveret, & Alexander Harris, Financial Stability Risks from Cloud Outsourcing, ESMA (May 2022), https://www.esma.europa.eu/sites/default/files/library/esma_wp_cloud_may_2022.pdf.

[17] CME Group Signs 10-Year Partnership with Google Cloud to Transform Global Derivatives Markets Through Cloud Adoption, CME Group (Nov. 4, 2021), https://www.cmegroup.com/media-room/press-releases/2021/11/04/cme_group_signs_10-yearpartnershipwithgooglecloudtotransformglob.html; NYSE Market Data Via Amazon Web Services, NYSE (accessed Mar. 21, 2023), https://www.nyse.com/nyse-cloud; Nasdaq and AWS Partner to Transform Capital Markets, Nasdaq (Nov. 30, 2021), https://www.nasdaq.com/press-release/nasdaq-and-aws-partner-to-transform-capital-markets-2021-12-01.

[18] Erik Feyen, Jon Frost, Leonardo Gambacorta, Harish Natarajan & Matthew Saal, Fintech And the Digital Transformation of Financial Services: Implications For Market Structure And Public Policy, BIS (July 2021), https://www.bis.org/publ/bppdf/bispap117.pdf.  Third-Party Dependencies in Cloud Services: Considerations on Financial Stability Implications, FSB (Dec. 9, 2019), https://www.fsb.org/wp-content/uploads/P091219-2.pdf; Juan Carlos Crisanto, Johannes Ehrentraud, Marcos Fabian & Amélie Monteil, Big Tech Interdependencies—A Key Policy Blind Spot, BIS FSI Insights on Policy Implementation (July 2022), https://www.bis.org/fsi/publ/insights44.pdf.

[19] See, e.g., U.S. Dep’t of the Treasury, The Financial Services Sector’s Adoption of Cloud Services, sec. 6 (Challenges with the Financial Sector’s Use of Cloud Services) (Feb. 8, 2023), https://home.treasury.gov/system/files/136/Treasury-Cloud-Report.pdf

[20] See id. sec. 6.4–6.5 (describing several challenges associated with greater cloud adoption by U.S. financial institutions, including risks related to concentration in the CSP market and resulting difficulties in contract negotiations).

[21] See, e.g., Kristin N. Johnson, Cyber Risks: Emerging Risk Management Concerns for Financial Institutions, 50 Ga. L. Rev. 132 (2015) (explaining that “cybersecurity concerns are an ever-increasing threat,” and concluding that enterprise risk management solutions focusing only on an individual firm’s cyber defenses may be inadequate to address concerns arising from reliance on third party service providers or resulting from the networking or interconnectedness created by transactional relationships); Kristin N. Johnson, Managing Cyber Risks, 50 Ga. L. Rev. 528 (2015) (emphasizing market participants’ adoption of the NIST cybersecurity framework).

[22] See generally, German Lopez, The Brilliance and Weirdness of ChatGPT (Dec. 8, 2022), https://www.nytimes.com/2022/12/05/technology/chatgpt-ai-twitter.html.

[23] E.g., Podcast, Deep Learning: The Future of the Market Manipulation Surveillance Program, FINRA (Jan. 25, 2022), https://www.finra.org/media-center/finra-unscripted/deep-learning-market-surveillance.

[24] Reva Schwartz, Apostol Vassilev, Kristen Greene, Lori Perine, Andrew Burt, & Patrick Hall, Towards a Standard for Identifying and Managing Bias in Artificial Intelligence, U.S. Dept. of Commerce National Institute of Standards and Technology (Mar. 2022), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf.

[25] E.g., Commissioner Kristin Johnson, Opening Remarks of Commissioner Kristin Johnson for the CFTC and OMWI Roundtable on Digital Assets and Financial Inclusion, CFTC Roundtable on Digital Assets and Financial Inclusion (Aug. 19, 2022), https://www.cftc.gov/PressRoom/SpeechesTestimony/opajohnson1.

-CFTC-