Public Statements & Remarks

Keynote Remarks of Commissioner Johnson for Governing Data at IIB&L Center and Yale Law Journal of Law & Technology at Yale Law School

Twin Peaks - Emerging Technologies (AI) and Critical Third Parties

April 04, 2025

Remarks as Prepared

Introduction

Good afternoon. Springtime is always a nice time of year to be in New Haven, and it is generous of the Yale Law School to host this symposium. Thank you, Mihailis [Diamantis], Rishab [Nithyanand], the Iowa Innovation Business & Law Center, and the Yale Journal of Law & Technology, for the significant time and effort you expended to organize and execute this symposium.

As I have indicated throughout my time as a Commissioner, I am delighted to join you in carefully thinking about the increasing salience of better data governance.[1] I am hopeful that the discussions at this symposium will articulate and enhance guardrails for comprehensive privacy law and better data governance. I am also hopeful that our discussions and advocacy will influence federal and state legislatures and financial market regulators, among others, to adopt, implement, and enforce law, regulation, and policy that lead to better data governance. 

In my time with you, I would like to highlight two issues that may deeply impact the shape and development of data governance in financial markets - emerging artificial intelligence (AI) technologies and critical third-party service providers.[2] We can describe these two issues as twin peaks – arising rapidly and substantially altering the structure of financial markets.

The twin peaks at the center of our markets reflect a shift to data-centered markets influenced by the rise of increasingly sophisticated machine learning and generative AI technologies and a remarkable uptick in market participants’ reliance on critical third-party service providers. The peaks are similar but not identical. Yet, each has the potential to deeply impact market structure and how we supervise financial markets. 

First, the integration of data-fueled artificial intelligence (AI) technologies is indisputably altering financial markets infrastructure. As AI takes center stage in many sectors of our economy and society, financial services firms report interest in, investment in, and incorporation of AI technologies across data analytics, trade data analysis, trade clearing, reconciliation and settlement, risk management, surveillance, margin and collateral determinations, and administrative, compliance, and back-office services.

Second, developing and updating data-fueled technologies can be expensive. Firms often lack the resources to independently develop certain technologies. The cost of acquiring or developing AI or data-centered technologies may be prohibitive for many businesses. As a result, many financial services firms and others must outsource or seek to license data-centered technologies or models. For smaller and medium-sized firms, reliance on third-party service providers is often imperative.

As we begin to consider these twin peaks impacting the operational infrastructure and supervision of our markets, it is worth examining the benefits of novel technologies, whether these changes in market infrastructure may lead to new or distinct risks, and the extent to which existing risk management practices and regulations are fit for purpose.

I. Evolving Market Infrastructure 

A recent study of nearly two thousand financial services firms reports that more than three-quarters of the firms included rely on AI to assist with various aspects of financial reporting and other compliance obligations.[3] Another study shows that a significant amount of investment capital moving forward will be dedicated to implementing and integrating AI-based technologies.[4] Commodity Futures Trading Commission (CFTC) regulated market participants have long relied on predictive technologies – a category of technologies that comprises part of the universe of technologies that may be described as AI.[5] In recent years, a number of CFTC-regulated market participants have entered into strategic partnerships with major technology providers.[6] Today, market participants use AI for diverse trade execution, operational, and administrative functions, including market intelligence, monitoring, fraud detection, and cybersecurity risk management.[7]

The CFTC supervises areas of financial markets where market participants create, distribute, trade, and transfer financial market products. For financial market regulators, governing data proves challenging, in part, because market participants may rely on intermediaries that are not registered with financial market regulators. Regulators may lack visibility into, or supervisory authority over, these intermediaries. As the market for novel assets such as digital assets grows, this challenge continues to present similar concerns.

As noted at the outset, adoption of critical third-party service providers parallels the rapid adoption of AI. According to recent studies, in 2021 cloud services accounted for less than 10% of critical business initiatives. By 2027, it is expected that cloud services will account for 50% of critical business initiatives.[8] To that end, and to bolster capabilities to utilize AI, cloud services have seen massive investments in infrastructure, with $79 billion spent in the second quarter of 2024 alone.[9]

A. The Rise of AI

While the use cases within and beyond finance are quite diverse, common threads bind the “algorithmic revolution” and increased reliance on critical third-party service providers. Artificial intelligence technologies can automate decision-making tasks and certain subsets of artificial intelligence may execute these tasks autonomously. 

For decades, market participants, researchers, academics, and public interest advocates have assessed the impacts of algorithmic trading in conventional financial markets. Some suggest that artificial intelligence introduces existential questions for markets;[10] others underscore the ethical, civil, or human rights implications of adopting artificial intelligence.[11] As debates proliferate regarding the merits and limitations of automated decision-making technologies, a steady drumbeat declares the future of finance.[12] 

Notwithstanding the utility and benefits that accompany AI, there are risks and notable limitations. A robust literature has developed cataloguing and analyzing the ethical implications that may arise.[13] In addition, bad actors have discovered AI and the potential to use AI to manipulate markets.[14]

Voices at international convenings of market participants and regulators increasingly reflect a call for an open dialogue regarding the benefits and thorny issues that arise as we increasingly rely on AI and third-party service providers. Before turning to proposed interventions, let’s explore the second phenomenon changing market infrastructure – the increasing importance of technology-based critical third-party service providers.

B. Critical Third-Party Service Providers 

Commission-regulated market participants often use third-party vendors to support their operations, risk management, compliance, and technology infrastructure. In an era of data-fueled technologies, cloud-based storage platforms and data centers serve as an increasingly important group of critical third-party service providers. The services of cloud-based platforms, data centers, and other third-party service providers vary; in some instances, the services are not critical to the continuity of the market participant’s business. In other instances, third-party service providers offer services which are essential to market participants’ day-to-day operations.

A glance around the “trading floor” of any financial services firm these days reveals significant reliance on technology. Many firms rely on innovative technologies for the continuous and adequate functioning of their operations.[15] As data-driven technologies proliferate, markets have witnessed a growing trend for participants to rely on cloud-based technologies. In fact, several of our largest market participants have entered strategic partnerships with cloud providers to enable them to handle exceptional volumes of data and enhance their scalability.[16] Cloud-based architecture also offers on-demand computing power for risk analytics and trade processing, allowing firms to handle massive amounts of transactions and data in times of high volume, and to scale down during slower periods. In many ways, cloud services and AI fit hand-in-glove because of the cloud-based computing power required to execute certain AI technologies.[17]

Congress, regulators, market participants, and many stakeholders have identified risks related to how our markets operate, concerning robust information security management, reliability and resilience, effective contingency planning, and communications.[18]

Our regulations reflect expectations regarding how registered market participants will comply with this framework. In my role as a Commissioner and sponsor of the Market Risk Advisory Committee, I have led a diverse group of stakeholders in detailing the benefits and concerns that arise as these twin peaks increasingly influence our markets. Here, let’s consider two specific risks that have emerged as we navigate this rise of data-fueled, innovative technologies – concentration and cyber risks – which will be central questions for regulators in the era of data governance.

II. Managing Data Governance and Data Security Risks 

A few large firms comprise the most prevalent AI and cloud-based technology services providers.[19] The limited diversity of service providers and lack of competition may raise market concentration concerns.[20]

A. Concentration Risks

Evidence indicates that there are a limited number of both AI and critical service providers for financial market participants. A recent survey of the AI industry suggests that ten foundational model providers account for almost ninety percent of the market.[21]

The top three cloud providers, Amazon, Microsoft, and Google, in that order, account for 73 percent of the cloud infrastructure market.[22] Given that software as a service is the most widely adopted form of cloud computing by financial institutions, the United States Department of the Treasury has indicated that the concentration among critical service providers may be cause for concern.[23]

Microsoft and AWS are two of the largest data center providers and among the largest cloud providers; together these firms manage over five hundred and fifteen data centers. Google manages twenty-five data centers.[24] Simply stated, the number of service providers capable of handling the needs of many market participants may be limited. 

Studies also report a decline in the number of Futures Commission Merchants (FCMs).[25] In 2023, the MRAC launched a workstream to analyze the current state and trends of the FCM market over the twenty-year period from 2003 to 2023.[26] The report notes increased operating costs and capital requirements for FCMs, as well as increased minimum net capital requirements. Markets have also witnessed consolidation in FCM markets.

In contrast to the decline in the total number of FCMs, clearing volume during this same period has dramatically increased.[27] The total number of non-carrying FCMs declined by 91% and the number of carrying FCMs fell by 58%.[28] This represents a significant reduction in the capacity of FCMs over the course of a relatively short period of time. 

This reduction means that there are far fewer FCMs available to provide the critical functions they traditionally perform.

B. Cyber Risks 

Our registered market participants must comply with the regulatory framework for system safeguards. In many instances, technology service providers also have robust cyber defense capabilities designed to anticipate, prevent, or lessen the effect of sophisticated cyber-attacks.  

In recent years, however, there has been notable disruption in traditional markets and the markets for novel financial products. Two recent events underscore the vulnerability of markets and market infrastructure to cyber threats. These incidents – the ION ransomware attack and the Bybit exchange hack – illustrate the difficulties many firms face when a third-party service provider or a technology employed through a third-party service provider experiences a cyberattack. 

In January of 2023, a critical third-party service provider in derivatives markets, ION Cleared Derivatives (ION), a UK-based trading software partner, experienced a significant cyberattack. ION’s services are widely used by FCMs and other market participants for critical functions, including trade order management, trade processing, and settlement of exchange-traded derivatives. Because a significant number of FCMs rely on ION for back-office trading capabilities, the disruption caused by the ransomware attack on ION cascaded through our derivatives markets. During the period that ION’s operations were impacted by the ransomware attack, affected firms reverted to manual processes to match and settle trades, creating difficulties in recording and reporting trade reconciliation data.[29] Consequently, the Commission was unable to deliver timely Commitments of Traders reports, and determinations of material transactional obligations, such as margin and collateral, were similarly impacted.

In a more recent cyberattack in crypto-asset markets, a crypto exchange experienced significant losses related to reliance on a third-party software platform that enables wallet services. In February of 2023, Bybit, a crypto exchange that offers crypto derivatives and other financial products, lost over $1.4 billion when the firm suffered a breach of its multi-signature wallets.[30] Hackers infiltrated a developer workstation at a third party that enables customers to access wallet software that interfaces with Bybit’s exchange. The hackers obtained credentials for the third party’s Amazon Web Services (AWS) repository.[31] Using stolen AWS tokens, the attackers introduced malicious code into the third party’s software, enabling the hackers to alter Bybit’s wallet interface and reroute a scheduled transfer of funds without immediate detection.

These losses were introduced to market participants through their link to critical third-party service providers and, in the case of Bybit, indirectly through a third party that was using another vendor for the compromised process. Such losses can cascade through the markets when the breach occurs at a critical third-party service provider that is linked to a significant number of market participants.

III. Reflections on Proposed and Potential Interventions 

The Commodity Exchange Act and implementing regulations and related guidance provide a principles-based approach to regulating governance, risk management, and cybersecurity measures for CFTC-regulated entities. At the CFTC, we are increasingly focused on how to ensure markets benefit from responsible innovation and mitigate the threats to risk management that may lead to market disruption. 

A. Existing DCO System Safeguard Regulation

Derivatives clearing organizations (DCOs) are subject to core principles established under the CEA, including Section 5b, which establishes that DCOs shall (i) establish and maintain a program of risk analysis and oversight to identify and minimize sources of operational risk through the development of appropriate controls and procedures, and automated systems, that are reliable, secure, and have adequate scalable capacity; and (ii) establish and maintain emergency procedures, backup facilities, and a plan for disaster recovery (and establishes certain criteria for such plans and procedures, including timely recovery and resumption of operations, fulfillment of the DCO’s obligations, and periodic testing).[32] The DCO Core Principles were added to the CEA in the Commodity Futures Modernization Act of 2000. After the financial crisis of 2008, the Dodd-Frank Wall Street Reform and Consumer Protection Act expanded the CFTC’s authority to “establish a more comprehensive statutory framework to reduce risk, increase transparency and promote market integrity,” including by enhancing the Commission’s rulemaking authority with respect to registered entities, including DCOs.[33]

Additional requirements for compliance with DCO Core Principle I, System Safeguards, are enumerated in more detail in Rule 39.18, following Dodd-Frank. When the rule was first proposed, and ultimately codified in 2011, it sought to “delineate the minimum requirements that a DCO would be required to satisfy in order to comply with Core Principle I.”[34] With time, as technology continued to evolve and the world became more reliant on it, the regulation has evolved to include more specific requirements. For example, in 2016, the Commission amended Rule 39.18, clarifying certain requirements and enhancing others, motivated in large part by escalating and evolving cybersecurity threats. The December 2015 proposing release discussed roundtables held by the Commission and the MRAC that focused on cybersecurity, and a number of important topics surrounding cybersecurity that financial institutions should take into consideration. These include: (i) more, and more dangerous, cyber adversaries with expanding and worsening motivations and goals; (ii) increasing cyber capabilities of both non-state actors and state-sponsored intruders; (iii) more sophisticated and longer-duration cyberattacks; (iv) a broadening cyber threat field in which computers, mobile devices, and the cloud are all potential points of vulnerability; and, finally, (v) the interconnectedness of financial services firms and the threat that poses.[35]

As currently in effect, Rule 39.18 includes “(1) the requisite elements, standards, and resources of a DCO’s program of risk analysis and oversight with respect to its operations and automated systems; (2) the requirements for a DCO’s business continuity and disaster recovery plan, emergency procedures, and physical, technological, and personnel resources described therein; (3) the responsibilities, obligations, and recovery time objective of a DCO following a disruption of its operations; and (4) other system safeguards requirements related to reporting, recordkeeping, testing, and coordination with a DCO’s clearing members and service providers.”[36] With respect to third-party service providers, subsection (d)(2) specifies that a DCO can maintain some of the resources required by other subsections of the rule “through written contractual arrangements with another [DCO] or other service provider,”[37] but notes that “[a] [DCO] that enters into a contractual outsourcing arrangement shall retain complete responsibility for any failure to meet [the rule’s requirements]” and that the DCO “must employ personnel with the expertise necessary to enable it to supervise the service provider’s delivery of the services.”[38]

B. Opening a Dialogue to Explore Emerging Risks 

In light of the ION attack, as well as the increasing risk of cyber threat events, the Market Risk Advisory Committee (MRAC) has devoted significant attention to examining third-party service provider relationships and best practices for managing risks to central counterparties (CCPs). In January of 2023, the MRAC hosted a forum on cyber risks in our markets and focused on the ransomware attack that disrupted ION’s operations.

Later in 2023, the MRAC launched a workstream focused on managing risks that arise from reliance on critical third-party service providers.[39] The workstream, led by the CCP Risk and Governance Subcommittee, examined the need to consider updating the operational resilience frameworks for CCPs in light of the concentration and cyber risks, among other concerns, that arise as registrants increasingly rely on critical third-party service providers.

On November 25, 2024, the MRAC published a report from the CCP Risk and Governance Subcommittee which set forth recommendations on DCO System Safeguard Standards for Third Party Service Providers (Report).[40] The Report addresses recommendations to Rule 39.18, acknowledging that the System Safeguards already state explicitly that a DCO retains responsibility regardless of any contractual outsourcing of regulatory requirements and already require a DCO to provide certain information to the Commission with respect to those outsourced resources.[41] The Report recommends that any proposed regulation build upon and incorporate the principles and language set forth in the System Safeguards Rule with respect to DCOs, and further that DCOs be required to establish and maintain a robust Third-Party Relationship Management Program that identifies, assesses, mitigates, and monitors the full scope of risks associated with the use of third-party arrangements.[42]

The examples of the MRAC’s efforts illustrate the need for a continuing dialogue regarding the concentration and cyber risks that may accompany increased adoption of sophisticated technologies or reliance on third-party service providers for technologies that operate at the center of our markets. Moreover, DCOs are only one of the diverse types of registrants in our markets navigating these questions.

Other registrants, such as designated contract markets and boards of trade, swap execution facilities, and swap data repositories, are subject to similar CFTC regulatory system safeguards.[43] Some registrants, such as FCMs, commodity trading advisors, commodity pool operators, and introducing brokers who are members of the National Futures Association (NFA), may also be subject to NFA guidance on information systems security programs and third-party service providers.[44] However, as with DCOs, it is important to consider instances in which reliance on critical third-party service providers may introduce risk management concerns.

The growing concentration of critical third-party service providers presents risk implications that may lead to disruption of our markets. While the Commission has broad authority to promulgate regulations consistent with our statutory authority, many technology firms may not be CFTC registrants subject to direct oversight and, absent conduct in violation of Commission regulation, the Commission may have limited oversight authority with respect to these technology firms.

Conclusion

The issues outlined reflect neither an exhaustive nor a definitive list of the challenges of governing data and providing effective oversight for data integrity, security, and governance. There are many lessons that markets and regulators are yet to learn about the integration of novel technologies such as AI and our evolving market infrastructure.

The illustration of each of these phenomena – the rise of data-fueled AI and the increasing role of a concentrated group of critical third-party service providers – merits careful consideration.

I am ever working to enhance the stability and integrity of our domestic markets and to strengthen their resilience. As a Commissioner and throughout my career, I have long emphasized corporate governance, compliance, and risk management as central pillars in market oversight.

Thank you so very much for allowing me to join you this afternoon. I have learned so much from each of the papers presented and the proposals. I am hopeful that other important decision-makers are tracking the issues you outline and solutions that you propose. 


[1] Statement of Commissioner Kristin N. Johnson, Articulating an Agenda for Regulating AI (May 02, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/johnsonstatement050224; Statement of Commissioner Kristin Johnson, Building A Regulatory Framework for AI in Financial Markets (February 23, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/opajohnson10.

[2] The thoughts and perspectives that I share with you today are my own; they are not the views and perspectives of my fellow Commissioners, the Commission, or the staff of the CFTC.

[5] Opening Remarks of Commissioner Kristin N. Johnson at FIA L&C Panel: Futureproofing Financial Markets: AI and Derivatives Markets (April 25, 2024), https://www.cftc.gov/PressRoom/SpeechesTestimony/opajohnson13.

[6] LSEG and Microsoft launch 10-year strategic partnership for next-generation data and analytics and cloud infrastructure solutions; Microsoft to make equity investment in LSEG through acquisition of shares, Microsoft (Dec. 11, 2022), https://news.microsoft.com/2022/12/11/lseg-and-microsoft-launch-10-year-strategic-partnership-for-next-generation-data-and-analytics-and-cloud-infrastructure-solutions-microsoft-to-make-equity-investment-in-lseg-through-acquisition-of-sh/.

[7] LabCFTC, A Primer on Artificial Intelligence in Financial Markets (Oct. 24, 2019), https://www.cftc.gov/media/2846/LabCFTC_PrimerArtificialIntelligence102119/download.

[8] Industry Cloud for Financial Services Sector, KPMG, at 3 (Feb. 2024), https://assets.kpmg.com/content/dam/kpmg/uk/pdf/2024/02/industry-cloud-for-financial-services-sector.pdf.

[9] Cloud Market Growth Stays Strong in Q2 While Amazon, Google and Oracle Nudge Higher, Synergy Rsch. Grp. (Aug. 1, 2024), https://www.srgresearch.com/articles/cloud-market-growth-stays-strong-in-q2-while-amazon-google-and-oracle-nudge-higher.

[10] Rory Van Loo, Digital Market Perfection, 117 Mich. L. Rev. 815 (2019); Chris Brummer & Yesha Yadav, Fintech and the Innovation Trilemma, 107 Geo. L. J. 235, 275 (2019); Rory Van Loo, Technology Regulation by Default: Platforms, Privacy, and the CFPB, 2 Geo. L. Tech. Rev. 531, 544-45 (2018). 

[11] Harry Surden, Ethics of AI in Law: Basic Questions, 719 The Oxford Handbook of Ethics of AI (July 9, 2020) (exploring ethical issues arising from the adoption of artificial intelligence).

[12] See, e.g., Exec. Order No.13,859, 84 Fed. Reg. 3,967 (Feb. 11, 2019), see also Christopher K. Odinet, AI Risks, Research Handbook on Artificial Intelligence & The Law, Cambridge University Press (forthcoming 2025). 

[13] See, e.g., Kimberly A. Houser & Anjanette H. Raymond, It Is Time to Move Beyond the 'AI Race' Narrative: Why Investment and International Cooperation Must Win The Day, 18 Nw. J. Tech. & Intel. Prop. 129, 185 (2021); Dr. Axel Walz & Kay Firth-Butterfield, Implementing Ethics Into Artificial Intelligence: A Contribution, From A Legal Perspective, To The Development Of An AI Governance Regime, 18 Duke L. & Tech. Rev. 176, 198; Ross P. Buckley et al., Regulating Artificial Intelligence in Finance: Putting the Human in the Loop, 43 Sydney L. Rev. 43, 45 (2021).

[14] Deborah W. Denno & Ryan Surujnath, Rise of the Machines: Artificial Intelligence, Robotics, and the Reprogramming of Law: Foreword, 88 Fordham L. Rev. 381, 383 (2019); Ross P. Buckley et al., Regulating Artificial Intelligence in Finance: Putting the Human in the Loop, 43 Sydney L. Rev. 43, 47 (2021).

[15] Bank for Int’l Settlements & Bd. of the Int’l Org. of Sec. Comm’n, Principles for Financial Market Infrastructures: Assessment Methodology for the Oversight Expectations Applicable to Critical Service Providers (Dec. 2014), https://www.bis.org/cpmi/publ/d123.pdf.

[16] CME Group Signs 10-Year Partnership with Google Cloud to Transform Global Derivatives Markets Through Cloud Adoption, CME Group (Nov. 4, 2021), https://www.cmegroup.com/media-room/press-releases/2021/11/04/cme_group_signs_10-yearpartnershipwithgooglecloudtotransformglob.html; see also Nasdaq and AWS Partner to Transform Capital Markets, Nasdaq (Nov. 30, 2021), https://www.nasdaq.com/press-release/nasdaq-and-aws-partner-to-transform-capital-markets-2021-12-01.

[17] “AI, data, and cloud go hand in hand.” Cresting the cloud horizon From adoption to business value, Deloitte, p. 10, https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/consulting/ca-cresting-the-cloud-horizon-aoda-en.pdf.

[18] Id.

[19] Melissa Heikkila, Generative AI risks concentrating Big Tech’s power. Here’s how to stop it., MIT Technology Review (Apr. 18, 2023), https://www.technologyreview.com/2023/04/18/1071727/generative-ai-risks-concentrating-big-techs-power-heres-how-to-stop-it/.

[20] See Eur. Supervisory Auth., Joint Advice of the European Supervisory Authorities: To the Commission on the Need for Legislative Improvements Relating to ICT Risk Management Requirements in the EU Financial Sector, at 17–18, JC 2019 26 (Apr. 10, 2019). https://www.globalbankingandfinance.com/why-2023-will-see-more-cloud-adoption-in-financial-services-not-less.

[21] Miriam Fernandez & Andrew O'Neill, AI & DeFi: Can Crypto Innovations Offset Artificial Intelligence Concentration Risk? S&P Global (Dec. 4, 2024), https://www.spglobal.com/ratings/en/research/articles/241204-ai-defi-can-crypto-innovations-offset-artificial-intelligence-concentration-risks-13343696.

[22] Cloud Market Growth Stays Strong in Q2 While Amazon, Google and Oracle Nudge Higher, Synergy Rsch. Grp. (Aug. 1, 2024), https://www.srgresearch.com/articles/cloud-market-growth-stays-strong-in-q2-while-amazon-google-and-oracle-nudge-higher.

[23] U.S. Dept. of the Treasury, The Financial Services Sector’s Adoption of Cloud Services, at 23, https://home.treasury.gov/system/files/136/Treasury-Cloud-Report.pdf.

[24] Charted: How Many Data Centers do Major Big Tech Companies Have?, Visual Capitalist (June 4, 2024), https://www.visualcapitalist.com/charted-how-many-data-centers-do-major-big-tecompanies-have/.

[25] FCMs serve as intermediaries that facilitate the clearing and execution of trades in swaps and futures products.

[26] Data and Analysis Regarding FCM Capacity Trends, Market Risk Advisory Committee (Apr. 9, 2024), https://www.cftc.gov/media/11566/mrac040924_MarketStructureFCMCapacityLetter/download.

[27] Holdings of customer funds increased by more than 700% and the overall adjusted net capital rose by 296%. Id.

[28] Non-carrying FCMs are FCMs which do not hold customer funds. Id.

[29] Nikou Asgari et al., Cyber Attack at Financial Data Group ION Affects Derivatives Trading, Financial Times (Feb. 1, 2023), https://www.ft.com/content/35b357f6-bbb9-46b1-9b46-34bc2d60eb75.

[30] Sandy Carter, Latest On The Bybit Record Breaking 1.4 Billion Dollar Crypto Hack, Forbes (Feb. 21, 2025), https://www.forbes.com/sites/digital-assets/2025/02/21/latest-on-the-bybit-record-breaking-14-billion-dollar-crypto-hack/.

[31] Daniel Kuhn, Lazarus Appears to Compromise Safe Developer Machine in Lead Up to $1.5 billion Bybit Hack: Report, The Block (Feb. 26, 2025), https://www.theblock.co/post/343530/lazarus-appears-to-compromise-safe-developer-machine-in-lead-up-to-1-5-billion-bybit-hack-report.

[32] 7 U.S.C. § 7a-1(c)(2)(I).

[33] Derivatives Clearing Organization General Provisions and Core Principles, 76 Fed. Reg. 69334 (Nov. 8, 2011).

[34] 76 Fed. Reg. at 69397.

[35] System Safeguards Testing Requirements for Derivatives Clearing Organizations, 80 Fed. Reg. 80114, 80115 (Dec. 23, 2015).

[36] System Safeguards Testing Requirements for Derivatives Clearing Organizations, 81 Fed. Reg. 64322 (Sept. 19, 2016).

[37] 17 C.F.R. § 39.18(d)(1).

[38] 17 C.F.R. § 39.18(d)(2).

[39] Press Release, CFTC, The Market Risk Advisory Committee to Meet on December 11 (Dec. 11, 2023), https://www.cftc.gov/PressRoom/Events/opaeventmrac121123.

[40] CFTC Market Risk Advisory Committee, Recommendations on DCO System Safeguards Standards for Third Party Service Providers (Dec. 2024), https://www.cftc.gov/media/11666/mrac121024_DCOThirdPartySystemSafeguards/download.

[41] Form DCO, Appendix A to 17 C.F.R. pt. 39.

[42] The Report contains 8 principles in which the CCP Risk and Governance Subcommittee recommends a DCO should consider, at minimum, when developing a TPRM. The Report also recommends that the Commission consider requiring DCOs to obtain assurances from their critical service providers that they comply with the expectations set forth in Annex F of the Principles for Financial Market Infrastructure (PFMIs), which sets forth oversight expectations applicable to critical service providers. See Bank for Int’l Settlements & Bd. of the Int’l Org. of Sec. Comm’n, Principles for Financial Market Infrastructures: Assessment Methodology for the Oversight Expectations Applicable to Critical Service Providers (Dec. 2014), https://www.bis.org/cpmi/publ/d123.pdf.

[43] See 7 U.S.C. § 7(d)(20), 17 C.F.R. § 38.1050-1051 (designated contract markets and boards of trade); 7 U.S.C. § 7b-3(f)(14), 17 C.F.R. § 37.1400-1401 (swap execution facilities); and 7 U.S.C. § 24a(c)(8), 17 C.F.R. § 49.24 (swap data repositories).

[44] NFA, Interpretive Notice 9070 – NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (Sept. 30, 2019), https://www.nfa.futures.org/rulebooksql/rules.aspx?Section=9&RuleID=9070; NFA, Interpretive Notice 9079 – NFA Compliance Rules 2-9 and 2-36: Members’ Use of Third-Party Service Providers (Sept. 30, 2021), https://www.nfa.futures.org/rulebooksql/rules.aspx?Section=9&RuleID=9079.

-CFTC-