Statement of Commissioner Christy Goldsmith Romero on Advance Notice of Proposed Rulemaking on Risk Management Program Regulations
Requirements for Banks and Brokers to Manage Evolving and Emerging Risks
June 01, 2023
Management of existing, evolving, and emerging risk is paramount to the financial stability of the United States and global markets. This is evidenced by the recent bank failures, followed by subsequent government action taken out of regulatory concern over possible contagion effect to other banks and broader economic spillover.[1] Federal Reserve Board Vice Chair Michael Barr recently testified before the Senate at a hearing on the bank failures, “the events of the last few weeks raise questions about evolving risks and what more can and should be done so that isolated banking problems do not undermine confidence in healthy banks and threaten the stability of the banking system as a whole.”[2]
Sound risk management is particularly crucial for CFTC-registered swap dealers, the majority of which are global systemically important banks on Wall Street (or their affiliates) or other prudentially-regulated banks. If there was any one issue at the center of the 2008 financial crisis, it was the failure of risk management by Wall Street. The Dodd-Frank Wall Street Reform and Consumer Protection Act required these dealers to establish and maintain risk management programs. The Commission implemented its risk management requirements for swap dealers in 2012. Then in 2013, the Commission required that brokers in the derivatives markets, known as futures commission merchants (“FCMs”), establish and maintain risk management programs after two brokers, MF Global and Peregrine Financial, misused customer funds and collapsed from a combination of hidden risks and fraud.[3]
Re-evaluating our risk management rules is responsible and necessary to keep pace with evolving markets that can give rise to emerging risk. The last three years presented unprecedented risk. The pandemic, its lingering supply chain disruptions, Russia’s war against Ukraine, climate disasters that proved to be the most-costly three years on record, a spike in ransomware and other cyber attacks (including on ION Markets and Colonial Pipeline), and increasing geo-political tensions involving the U.S. and China, have emerged as often interrelated areas of significant risk. Additionally, as Chairman of the Federal Deposit Insurance Corporation (“FDIC”), Martin Gruenberg testified before the Senate, “the financial system continues to face significant downside risks from the effects of inflation, rising market interest rates, and continuing geopolitical uncertainties.”[4]
Evolving technologies like digital assets, artificial intelligence, and cloud services, also have emerged as areas that can carry significant risk.[5] Vice Chair Barr testified before the Senate, “recent events have shown that we must evolve our understanding of banking in light of changing technologies and emerging risks. To that end, we are analyzing what recent events have taught us about banking, customer behavior, social media, concentrated and novel business models, rapid growth, deposit runs, interest rate risk, and other factors, and we are considering the implications for how we should be regulating and supervising our financial institutions. And for how we think about financial stability.”[6]
The Commission should ensure that our risk management frameworks for banks and brokers reflect and keep pace with the significant evolution of financial stability risk. It is equally important for the Commission to be forward-looking to ensure that our risk management frameworks capture future risk as it could evolve or emerge.[7] The Commission is considering whether to enumerate specific areas of risk that banks and brokers would be required to address. This could include for example, geopolitical risk, cybersecurity risk, climate-related financial risk or contagion risk.
The Commission seeks public comment in its reassessment of its risk management frameworks. I am particularly interested in comment on the following areas: 1) Technology Risk; 2) Cyber Risk; 3) Affiliate Risk; 4) Risk related to segregating customer funds and safeguarding counterparty collateral; and 5) Climate-Related Financial Risk.
Technology Risk
Risk has emerged from the evolution of technology. Distributed ledger networks are being used or considered in certain markets; cloud data storage and computing has gone mainstream; and artificial intelligence hold the power to transform businesses. Many firms are also integrating, or are interested in integrating, digital assets into their businesses, or plan to do so. All of these emerging or evolving technologies carry risks.
Digital assets carry risks—something that has become all too clear in the past year. Silvergate Bank, which recently failed, was almost exclusively known for providing services to digital asset firms.[8] According to FDIC Chairman Gruenberg, “Following the collapse of digital asset exchange FTX in November 2022, Silvergate Bank released a statement indicating that it had $11.9 billion in digital asset-related deposits, and that FTX represented less than 10 percent of total deposits in an effort to explain that its exposure to the digital asset exchange was limited. Nevertheless, in the fourth quarter of 2022, Silvergate Bank experienced an outflow of deposits from digital asset customers that, combined with the FTX deposits, resulted in a 68 percent loss in deposits – from $11.9 billion in deposits to $3.8 billion. That rapid loss of deposits caused Silvergate Bank to sell debt securities to cover deposit withdrawals, resulting in a net earnings loss of $1 billion. On March 1, 2023, Silvergate Bank announced it would be delaying issuance of its 2022 financial statements and indicated that recent events raised concerns about its ability to operate as a going concern, which resulted in a steep drop in Silvergate Bank’s stock price. On March 8, 2023, Silvergate Bank announced that it would self-liquidate.”[9]
Chairman Gruenberg further testified, “Like Silvergate Bank, Signature Bank had also focused a significant portion of its business model on the digital asset industry…. Silvergate Bank operated a similar platform that was also used by digital asset firms…. In the second and third quarters of 2022, Signature Bank, like Silvergate, experienced deposit withdrawals and a drop in its stock price as a consequence of disruptions in the digital asset market due to failures of several high profile digital asset companies.”[10]
These technological advancements, with their accompanying risks, necessitate the Commission revisiting our regulatory oversight, including our risk management requirements. This is similar to other regulators revisiting their oversight in this area. According to Vice Chair Barr, the Federal Reserve “recently decided to establish a dedicated novel activity supervisory group, with a team of experts focused on risks of novel activities, which should help improve oversight of banks like SVB in the future.”[11]
I am interested in comments on how the Commission should amend its risk management requirements to ensure that risks from technology are adequately identified, monitored, assessed and managed. I am also interested in public comment on any gaps in our risk management regulations that the Commission should address regarding technology.
Cyber Risk
I am interested in public comment about how the Commission should update its risk management frameworks to address the growing and increasingly sophisticated threat of cyber attacks. The White House’s recent National Cybersecurity Strategy stated:
Our rapidly evolving world demands a more intentional, more coordinated, and more well-resourced approach to cyber defense. We face a complex threat environment, with state and non-state actors developing and executing novel campaigns to threaten our interests. At the same time, next-generation technologies are reaching maturity at an accelerating pace, creating new pathways for innovation while increasing digital interdependencies.[12]
Global cyber criminals and state-sponsored efforts can create or leverage a serious disruption to markets.
I am also interested in comment on how the Commission should address risk management related to third party service providers. As I said in a speech in November, “Even if financial firms have strong cybersecurity systems, their cybersecurity is only as strong as their most vulnerable third-party service provider. The threat can compound where several firms use the same software or other provider.”[13] Subsequently in February, a third-party service provider ION Markets suffered a cyber attack that compromised a number of brokers in the derivatives market. Treasury Deputy Assistant Secretary Todd Conklin, a member of the CFTC Technology Advisory Committee (“TAC”) presented at a recent TAC meeting that ION was not considered by firms to be a critical vendor.[14] Given the severe threat of cyber attacks, I am interested in commenters’ views on whether the Commission should specifically enumerate cyber risk, specifically include risks associated with third-party service providers in risk management frameworks, or include other requirements to ensure that cyber risk is adequately and comprehensively identified, assessed, and managed.
Affiliate Risk
I am interested in commenters views on the questions related to affiliate risks, especially those related to risks that unregulated affiliates can pose to regulated entities. Currently, the Commission’s rules provide that the risk management frameworks of banks and brokers shall “take into account” risks posed by affiliates. Affiliate risks can take many forms—from counterparty credit risk to operational risks to many others. The questions posed in this ANPRM are designed to flesh out details about affiliate risks, and whether such risks are sufficiently identified and adequately managed.
Understanding affiliate risks is critically important given lessons learned from the past and more recent events. For example, AIG Financial Products (“AIGFP”) is the poster child for how risk of a seemingly remote, unregulated affiliate could undermine the stability of a large, diversified financial institution. AIGFP’s damage reached well beyond its affiliates. AIGFP was a source of contagion for other market participants, ultimately spreading risks across Wall Street, contributing to a global financial crisis and massive taxpayer bailout. Most recently, the abrupt collapse of FTX, with its alleged lack of separation between affiliates as found by new CEO John Ray, led to a bankruptcy with more than 130 affiliate debtors, tying up billions of dollars and more than one million customers and creditors. Although LedgerX, a CFTC-regulated FTX affiliate, is not a debtor in the bankruptcy, the debtors sold LedgerX as a result.
Existing Commission rules require that banks’ and brokers’ risk management programs “take into account” risks related to lines of business. That could include, for example, digital asset markets. In January, before the bank failures, federal bank regulatory agencies issued a recent joint statement outlining numerous “key risks” associated with bank involvement in the crypto-asset sector.[15] I am interested in public comment on those key risks as they may apply specifically to the CFTC’s regulated banks and brokers. About half of all CFTC-registered swap dealers are subject to some form of oversight by the prudential regulators.
Many brokers have expressed an interest in becoming further involved in digital assets as well. Risks can arise from regulated trading in crypto derivatives. The unregulated spot markets carry additional risks as seen with the collapse of FTX, Terra Luna, Celsius and numerous others that have resulted in substantial losses. This is in addition to operational risks and risks associated with rampant fraud and illicit finance in some parts of the crypto markets.
Risk Related to the Segregation of Customer Property and Safeguarding Counterparty Collateral in the Digital Asset Space
Digital assets raise a host of issues about safeguarding customer property that were not contemplated at the time of the 2013 risk management rule or the Commission’s customer protection rules for brokers to segregate customer assets from company assets. For example, brokers may explore holding customer property in the form of stablecoins or other digital assets that could result in unknown and unique risks. These brokers may be confronted by third-party custody and other risks that should be identified and managed. Physical delivery may also present risk, particularly given the proliferation of cyber hacks. Application of the Commission’s segregation rules may also need to be updated based on future risks related to digital assets (even risks not contemplated by the Commission today). I look forward to commenters’ responses in this area.
It is necessary for the CFTC to seek public comment on our risk management framework in this important area of emerging risk so that we keep pace with evolution in our markets and technology. We should not assume that our existing segregation rules and risk management framework comprehensively cover the evolving risks in the markets.[16] The Commission does not have a window into certain unregulated spaces, such as with digital assets, which could obscure risks faced by CFTC-regulated banks or brokers. Integration of digital assets with banks and brokers, and the risks that could be posed, could continue to evolve.
Climate-Related Financial Risk
Developments in the management of climate-related financial risk are an important example of the need for the Commission to adopt a framework that helps banks and brokers keep pace with such emerging risks. When the Climate-Related Market Risk Subcommittee of our Market Risk Advisory Committee released its report in September 2020, it was a “first-of-its-kind effort from a U.S. government entity.”[17] Since then, other U.S. financial regulators have not only echoed this acknowledgment,[18] but have moved ahead to define the risk management framework that banks and other regulated entities must adopt for addressing physical and transition risks posed by climate change.[19] Banks and brokers need frameworks that let them adapt to both the increasingly dire projections by climate scientists about the scope of physical impacts,[20] and to the massive economic impetus to a transition to a lower carbon environment created via Congressional passage of the Inflation Reduction Act, the Bipartisan Infrastructure Law, and the CHIPS and Science Act.
In just three years, climate-related financial risk management has gone from novelty to necessity. We should develop a framework that helps banks and brokers remain resilient to risks like this one, which will continue to develop for years to come. I have been advocating for the Commission to enhance its understanding of how market participants are managing climate-related financial risk.[21] To that end, over the past year, I have been working with the National Futures Association (“NFA”) on a recently completed special project to assess how some of its members are identifying and managing climate-related financial risk. NFA learned that some of its members, particularly those already subject to oversight by U.S. and foreign banking regulators, are taking steps to manage both physical and transition risks. I look forward to hearing from commenters on how best to adapt our framework to incorporate these kinds of emerging risks.
Conclusion
Sound risk management by banks (and other dealers) and brokers at the center of the U.S. derivatives markets is critical to financial stability. The stakes are high. These financial institutions and others take and carry significant risks that could impact financial stability. They are on the front lines of our financial markets, directly engaging with customers or counterparties. Customers have billions of dollars entrusted to these institutions. Market participants depend on liquidity, clearing and other critical functions performed by these institutions.
The Commission must fulfill its own responsibility to ensure that risk management programs at these institutions address the full scope of risks to customers, firms and markets, including keeping pace with evolving and emerging risk. We may never know how many catastrophes were avoided as a result of sound risk management programs, but we have seen what can happen when risks are not well managed.
[1] See Statement of Martin J. Gruenberg, Chairman Federal Deposit Insurance Corporation Chair on “Recent Bank Failures and the Federal Regulatory Response” before the Committee of Banking, Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) Gruenberg Testimony 3-28-23.pdf (senate.gov); see also Hearing on Recent Bank Failures and the Federal Regulatory Response, United States Senate Committee on Banking, Housing, and Urban Affairs (Mar. 28, 2023) https://www.banking.senate.gov/hearings/recent-bank-failures-and-the-federal-regulatory-response.
[2] See Statement of Michael S. Barr, Vice Chair for Supervision, Board of Governors of the Federal Reserve System before the Committee of Banking, Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) Barr Testimony 3-28-231.pdf.
[3] This dovetailed with Commission requirements that brokers segregate customer assets from company assets and house accounts.
[4] See Statement of Martin J. Gruenberg, Chairman Federal Deposit Insurance Corporation Chair on “Recent Bank Failures and the Federal Regulatory Response” before the Committee of Banking, Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) Gruenberg Testimony 3-28-23.pdf (senate.gov).
[5] See Commissioner Christy Goldsmith Romero, Opening Remarks at the Technology Advisory Committee on DeFi, Responsible Artificial Intelligence, Cloud Technology & Cyber Resilience (Mar. 22, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/romerostatement032223; see also Department of Treasury, The Financial Services Sector’s Adoption of Cloud Services (Feb. 8, 2023), https://home.treasury.gov/news/press-releases/jy1252.
[6] See Statement of Michael S. Barr, Vice Chair for Supervision, Board of Governors of the Federal Reserve System before the Committee of Banking, Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) Barr Testimony 3-28-231.pdf (adding that Silicon Valley Bank “failed to manage the risks of its liabilities. These liabilities were largely composed of deposits from venture capital firms and the tech sector, which were highly concentrated and could be volatile.”)
[7] Additionally, CFTC staff have observed significant variance in how swap dealers and brokers are defining and reporting on risk areas, making it difficult for CFTC staff to gain a clear understanding of how specific risk exposures are being monitored and managed. Furthermore, some swap dealers have indicated that they do not rely on the information in CFTC risk reporting for their internal risk management. Improving the efficacy of CFTC requirements for swap dealers’ own risk management, along with the Commission’s ability to monitor risk are worthwhile goals.
[8] See Statement of Martin J. Gruenberg, Chairman Federal Deposit Insurance Corporation Chair on “Recent Bank Failures and the Federal Regulatory Response” before the Committee of Banking, Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) Gruenberg Testimony 3-28-23.pdf (senate.gov).
[9] See Id.
[10] See Id.
[11] Statement of Michael S. Barr, Vice Chair for Supervision, Board of Governors of the Federal Reserve System before the Committee of Banking, Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) Barr Testimony 3-28-231.pdf.
[12] The White House, Fact Sheet: Biden-Harris Administration Announces National Cybersecurity Strategy, (Mar. 2, 2023), FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy | The White House.
[13] See Commissioner Christy Goldsmith Romero, U.S. Commodity Futures Trading Commission, Protecting Against Emerging Global Fintech Threats in Cyberspace and Cryptocurrencies (Nov. 30, 2022), Keynote Remarks of Commissioner Christy Goldsmith Romero at the Futures Industry Association, Asia Derivatives Conference, Singapore | CFTC.
[14] See Technology Advisory Committee meeting (Mar. 22, 2023) Commissioner Goldsmith Romero Announces Technology Advisory Committee Meeting Agenda That Includes Cybersecurity, Decentralized Finance, and Artificial Intelligence | CFTC.
[15] Joint Statement on Crypto-Asset Risks to Banking Organizations, Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (Jan. 3, 2023), https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20230103a1.pdf.
[16] The same could be true of swap dealers related to safeguarding counterparty collateral.
[17] CFTC, CFTC’s Climate-Related Market Risk Subcommittee Releases Report (Sept. 9, 2020), https://www.cftc.gov/PressRoom/PressReleases/8234-20.
[18] See Financial Stability Oversight Council, Financial Stability Oversight Council Identifies Climate Change as an Emerging and Increasing Threat to Financial Stability (October 21, 2021) https://home.treasury.gov/news/press-releases/jy0426.
[19] See, e.g., Federal Deposit Insurance Corporation, FIL-13-2022, Request for Comment on Statement of Principles for Climate-Related Financial Risk Management for Large Financial Institutions (March 30, 2022), https://www.fdic.gov/news/financial-institution-letters/2022/fil22013.html.
[20] Intergovernmental Panel on Climate Change, Climate Change 2022: Impacts, Adaptation and Vulnerability (2022), https://www.ipcc.ch/report/ar6/wg2/chapter/summary-for-policymakers/.
[21] See Commissioner Christy Goldsmith Romero, U.S. Commodity Futures Trading Commission, Promoting Market Resilience (Sept. 28, 2022), Statement of Commissioner Christy Goldsmith Romero before the Market Risk Advisory Committee | CFTC; Statement of CFTC Commissioner Christy Goldsmith Romero In Support of the Commission’s Request for Information on Climate-Related Financial Risk (June 2, 2022), https://www.cftc.gov/PressRoom/SpeechesTestimony/romerostatement060222.
-CFTC-