Statement of Commissioner Caroline D. Pham on Operational Resilience Proposal for Swap Dealers and Futures Commission Merchants

December 18, 2023

I support the Notice of Proposed Rulemaking on Operational Resilience Framework for Futures Commission Merchants, Swap Dealers, and Major Swap Participants (Operational Resilience Proposal)[1] because I believe this approach is largely consistent with international standards for operational resilience, as well as U.S. prudential regulations and non-U.S. regulations, which have been implemented for several years now. I thank the staff of the Market Participants Division (MPD), especially Pamela Geraghty, Elise Bruntel, and Amanda Olear, as well as Chairman Behnam and Commissioner Goldsmith Romero, for working with me over the past year to address my concerns.

Background

My discussions with MPD staff, formerly the Division of Swap Dealer and Intermediary Oversight (DSIO), in fact date back to 2016 when I was in the private sector. MPD staff have been considering many of the elements of an operational resilience framework for years, including operational risk and cybersecurity risk. I appreciate the staff’s focus on all of these important issues that contribute to ensuring that our registrants have robust risk management and compliance programs, and that the CFTC is doing our job to uphold financial stability and protect against systemic risk.

I would like to mention my background and experience, as well as familiarity, with the subject areas covered by the Operational Resilience Proposal to provide context for my efforts to support the development of this Proposal and address my concerns that the CFTC’s approach should not be overly prescriptive and generally takes a principles-based approach in recognition of the extensive years-long global implementation of operational resilience requirements by U.S. and non-U.S. regulators and banking organizations.

In my previous roles at a global systemically important bank (GSIB), I have been involved with operational resilience since 2019, including the oversight and coordination of global regulatory advocacy with the Financial Stability Board (FSB) and regulatory authorities such as the U.S. prudential regulators[2], the Bank of England, and European Union (EU) authorities. I also was on the enterprise-wide operational resilience program steering committee, and I have implemented enterprise-wide programs across a global financial institution across all regions and both institutional or wholesale and consumer businesses.

Among the specific elements encompassed in the Operational Resilience Proposal, I have enhanced the swap dealer and futures commission merchant (FCM) risk management programs. I have drafted an enterprise-wide risk appetite statement. I have implemented the National Futures Association’s (NFA) update to its information systems security programs requirements, which addresses cybersecurity risk. I have participated in tabletop exercises, drills, and simulations of responses to cyber attacks. I was the lead from the Compliance department on the third-party risk management program for cross-asset activities or other programmatic aspects across the global markets business. I have enhanced the business continuity and disaster recovery (BCDR) swap dealer policies and procedures and integration with the enterprise-wide continuity of business program. I have delivered training for, respectively, 9,000 and 17,000 employees across nearly 100 countries and multiple languages. I have had a compliance monitoring team that reported directly to me. I have advised on the design and implementation of the enterprise-wide Volcker Rule independent testing program. I was part of global regulatory notification protocols for cybersecurity or other incidents. And also, of course, I have been subject to regulatory examinations on each one of these areas. This practical experience has informed my engagement on this significant rulemaking initiative.

The CFTC’s Approach to Operational Resilience Must Be Consistent with International Standards and Prudential Regulations

I am pleased that the CFTC is seeking an approach that is consistent with international standards and best practices for regulators in addressing operational resilience. I will reiterate my previous remarks on the many years of work by policymakers such as the FSB, the Basel Committee on Banking Supervision (BCBS), the International Organization of Securities Commissions (IOSCO), and other regulatory authorities around the world to implement laws, regulations, and standards for operational resilience. Operational resilience, as noted by U.S. prudential regulators in 2020, encompasses governance, operational risk management, business continuity management, third-party risk management, scenario analysis, secure and resilient information system management, surveillance and reporting, and cyber risk management. Regulated entities, including the vast majority of our swap dealers and FCMs that are part of banking organizations, have already implemented comprehensive enterprise-wide operational resilience programs.[3]

Issuing this Proposal can be beneficial to initiate an open process to request information and stimulate dialogue with the public. That is why, although there has been some hesitation or trepidation around what the Commission might do since we are coming onto the tail end of operational resilience implementation globally, I do think it is important that we are taking this step today, because it is critical that the public has the opportunity to provide input on any amendment or expansion of our existing programmatic requirements that is informed by actual experience from risk management and compliance officers, other control functions, and practitioners who have implemented and complied with operational resilience requirements pursuant to other regulations.

Further, as I have noted previously, because the CFTC’s rules are often only one part of a much broader risk governance framework for financial institutions, the Commission must ensure that it has the full picture before coming to conclusions to ensure that our rules not only address any potential regulatory gaps or changes in risk profiles, but also to avoid issuing rules that are conflicting, duplicative, or unworkable with other regulatory regimes.[4]

For example, when I last checked earlier this year, the CFTC currently has 106 provisionally registered swap dealers. Of these 106 entities, both U.S. and non-U.S., all but a handful are also registered with and supervised by another agency or authority, such as a prudential, functional, or market regulator. Most of these swap dealers are subject to three or more regulatory regimes.[5]

It is imperative that the Commission and the staff consider how our rules work in practice together with the rules of other regulators, whether foreign or domestic. This key point is easily apparent in looking at the CFTC’s substituted compliance regime for non-U.S. swap dealers, where the Commission has expressly found that non-U.S. swap dealers in certain jurisdictions are subject to comparable and comprehensive regulation, and therefore, our rules permit such non-U.S. swap dealers to, for example, substitute compliance with their home jurisdiction risk management regulations to satisfy our risk management program rules under CFTC Regulation 23.600.[6]

Specific Areas for Public Comment

As a preliminary matter, regarding discussion of the CFTC’s approach to system safeguards requirements for designated contract markets (DCMs) and derivatives clearing organizations (DCOs) and its impact on the development of today’s Operational Resilience Proposal, I note that swap dealers and FCMs are very different from exchanges and clearinghouses. The CFTC should not overly rely upon its approach to the system safeguards rulesets because it is akin to the difference between, for example, the Securities and Exchange Commission’s (SEC) Regulation SCI and the U.S. prudential regulators’ Heightened Standards for Risk Governance. I believe that the staff has tried to balance these considerations, and I welcome public comment on this approach.

Definitions

Words matter, and it is very important for the Commission to be precise in the words that we use for defined terms. I encourage all commenters to review the Proposal’s definitions and advise whether the definitions are appropriate or need to be revised.

Third-party relationship program guidance

The Operational Resilience Proposal includes an appendix to the rule text with more prescriptive guidance on third-party relationships (third-party risk management). This is unusual because I do not believe that the CFTC has this level of prescriptiveness for any other category of risk, such as credit risk. I question whether this heralds a change to the CFTC’s approach to setting forth risk management requirements, and why the Commission would issue prescriptive guidance for third-party risk, but not other risks such as operational risk or market risk.

I also question the approach of issuing Commission guidance, which would have to undergo notice-and-comment rulemaking and could take a year or two to update, instead of issuing staff guidance, which could be updated more flexibly. I believe that any prescriptive guidance would be more appropriate as staff guidance, not Commission guidance, because staff guidance can be kept up to date more easily to address changes in best practices or to adapt to emerging risks. This is similar to how, for example, U.S. prudential regulators update their bank examiners handbook or circulars.

I am interested in public comment on the CFTC’s requirements for third-party risk management, and whether it should be issued as Commission guidance or staff guidance.

Risk appetite

The Operational Resilience Proposal refers to risk appetite, which is a new concept to CFTC regulations. I am interested in whether commenters believe risk appetite is workable under the CFTC’s regulatory framework, which is focused on enforcement rather than ongoing supervision. Indeed, I have repeatedly noted that the CFTC lacks a swap dealer examination program. As a consequence, non-material operational or technical issues are the subject of enforcement actions, rather than addressed more appropriately through supervisory findings and exam reports like every other regulatory authority in the world. This makes the CFTC an outlier amongst U.S. and non-U.S. regulators, and therefore prudential concepts like risk appetite may not be workable.

Risk tolerance limits

Risk tolerance limits are a requirement under the CFTC’s risk management program (RMP) rules for swap dealers and FCMs. The Operational Resilience Proposal also requires risk tolerance limits, but sets forth a different definition and does not refer to the risk tolerance limits under the RMP rules. I am interested in public comment on whether the two differing requirements may cause confusion or can be implemented without any issues.

Annual attestation

The Operational Resilience Proposal requires an annual attestation by the senior officer, an oversight body, or a senior-level official of a swap dealer or FCM that relies on a consolidated operational resilience program. Such attestation is to the effect that the consolidated program meets CFTC requirements and reflects the risk appetite and risk tolerance limits appropriate to the swap dealer or FCM. I encourage commenters to discuss the attestation requirement and suggest appropriate attestation language.

Substituted compliance

Under the Operational Resilience Proposal, substituted compliance would be available for non-U.S. swap dealers subject to a comparability determination issued by the Commission. I appreciate the recognition in the Proposal of the importance of a home-host regulator approach to maintaining regulatory cohesion and addressing systemic risk and financial stability. I am interested in whether commenters believe the Proposal presents any cross-border issues in implementation.

Conclusion

I believe in continuous improvement for not only our market participants, but also for the Commission and its regulations, and that is why I would like to thank the MPD staff again for being proactive in thinking about these issues. I want to particularly recognize the leadership of Commissioner Goldsmith Romero in first highlighting these risks and exploring ways to address them through the work of the CFTC’s Technology Advisory Committee, which she sponsors.

As I have stated before, the benefit of the CFTC’s principles-based regulatory framework is that it can quickly anticipate and adapt to changes in risk profiles or the operating environment. That is why I believe our rules must be broad and flexible enough to be forward-looking and evergreen, because it is simply not possible to prescribe every last requirement for the unknown future. Consistent with international standards, I have discussed the importance of utilizing existing risk governance frameworks and risk management disciplines to identify, measure, monitor, and control emerging risks and new technologies. Swap dealers and FCMs must be vigilant and address new and emerging risks through various risk stripes as appropriate, whether from changing market conditions, technological developments, geopolitical concerns, or any other event, and maintain operational resilience.

With that, I welcome the input from the public comments to inform the Commission and the staff regarding the application of the Operational Resilience Proposal to swap dealers and FCMs, especially those entities that are part of a banking organization and have already implemented operational resilience requirements pursuant to U.S. or non-U.S. regulations.


[1] Because there are no registered major swap participants, as a practical matter, this statement will refer to swap dealers and futures commission merchants (FCMs).

[2] U.S. prudential regulators refers to the Board of Governors of the Federal Reserve System (Fed), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC).

[3] Opening Statement of Commissioner Caroline D. Pham before the Technology Advisory Committee, U.S. Commodity Futures Trading Commission (Jul. 18, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement071823.

[4] Statement of Commissioner Caroline D. Pham on Risk Management Program for Swap Dealers and Futures Commission Merchants Advance Notice of Proposed Rulemaking, U.S. Commodity Futures Trading Commission (Jun. 1, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement060123.

[5] Id.

[6] Id.

-CFTC-