Statement of CFTC Commissioner Christy Goldsmith Romero Regarding Cboe Clear Digital, LLC’s Expanded Clearing of Digital Asset Futures
June 05, 2023
I support Cboe Clear Digital, LLC’s (“Cboe”) amended order of registration (“Order”), which authorizes Cboe to expand its clearing of futures contracts on crypto assets, while staying within the traditional U.S. futures intermediated market structure. The Order is accompanied by prudent risk-mitigation measures implemented by Cboe to complement policies and practices meeting DCO regulatory requirements. As the regulated digital asset derivatives market evolves, the Commission has a critical role to play in ensuring that any risks associated with that evolution are appropriately addressed by customer protections, guardrails and safeguards. The Commission should assess the risk that flows from any application, determine if that risk can be adequately mitigated, and require risk-mitigation measures.
In my review of the Cboe application, I requested additional measures for critical risk-mitigation, and only with those measures am I able to support the application. I appreciate the staff and Cboe constructively engaging with my office to accommodate my changes to the Order and Cboe’s rulebook, policies, and practices to strengthen cybersecurity and promote market integrity. I also appreciate the staff working with me to create the newly released Division of Clearing and Risk (“DCR”) Advisory on “Review of Risks Associated with Expansion of DCO Clearing of Digital Assets.”[1] This advisory sets forth an approach to our supervision of a number of heightened risks related to the expansion of the regulated digital assets market—which I have called for multiple times this past year.[2] The staff will be able to monitor, supervise, and step in should the risks associated with Cboe’s expanded registration Order cause concern of potential harm to customers and/or markets.
I. Cboe’s futures contracts will continue to be listed, traded, and cleared within the traditional derivatives markets structure and CFTC regulatory framework, limiting certain risks.
Under Cboe’s application, Cboe will operate squarely within the parameters of the traditional broker-intermediated market structure and regulatory framework that has proven effective for decades in protecting customers, clearinghouses, and markets from risks.[3] Under this market structure, regulated brokers who are clearing members will manage and bear risks related to the clearing houses, and interact with customers, providing critical customer protections (including customer bankruptcy priority) and promoting financial stability. This market structure performed well through multiple stress events, including Russia’s war against Ukraine, the pandemic, and the 2008 financial crisis.
Cboe’s application stands in stark contrast to FTX’s application for a bespoke disintermediated direct-to customer market structure. The proposed FTX model was never adopted by the Commission, but it put at risk customers’ bankruptcy priority, other customer protections, and financial stability. In October, while FTX’s application was pending, I gave a speech saying:
The CFTC should continue to use its existing authority, following a “same risk, same regulatory outcome” approach. This starts with establishing the basic foundation of customer protections and guardrails that investors and customers are familiar with, and expect from other regulated financial products and markets. Crypto companies seeking to come within the CFTC-regulated derivatives markets should expect the application of our existing regulatory framework because it has a proven record of reducing financial stability risk. As companies seek bespoke treatment, I will be guided in my decisions by the twin pillars of financial stability and customer protection, in particular for retail investors. Crypto companies set up for an unregulated environment will need to change to look more like a regulated entity. On balance, regulators must be careful in allowing bespoke treatment that could increase financial stability risks—risks that are well in check with our existing framework.[4]
Cboe’s application also differs from other registrants and applicants that have proposed bespoke market structures that could introduce financial stability risk and other risks.
Cboe does not seek bespoke regulation that differs from the time and stress-tested traditional market structure. CBOE’s amended Order provides fair competition, without opening the door to novel and complex risks that could flow from an untested market structure.[5]
Additionally, Cboe’s clearinghouse itself has been registered with the Commission since 2019, and its parent company Cboe has more than fifty years of experience operating exchanges across regulated futures, options, foreign exchange, and equities exchanges.[6] This experience can further serve to limit risk with the financial and human capital, as well as risk management expertise, that Cboe has in executing the responsibilities associated with regulated trading and clearing in other asset classes.
Finally, in connection with seeking the expanded authority under the Order, Cboe has agreed to hold itself to a higher financial-resources standard than the law requires.[7] This recognizes the heightened risks associated with clearing in a nascent marketplace, like crypto, and acts to limit risk.
II. Strengthened customer protections, cybersecurity and clearing-system safeguards and guardrails.
The customer protections, cybersecurity, and clearing-system safeguards and guardrails of the futures markets will be strengthened by four significant measures that my office advanced.
Staff Advisory on Supervision of Heightened Risk
First, last week, the staff issued an advisory warning of certain heightened risks associated with the expansion of clearing into the digital-asset space—a supervisory action that I have advocated for this past year, and worked closely with the staff to release.[8] That advisory is a critical step in implementing heightened supervision of crypto exchanges and clearinghouses where there is heightened risk.
The advisory makes clear that the Commission has existing authorities it can use to supervise areas of heightened risk. It identifies cyber resilience and systems safeguards, conflicts of interest, and physical settlement risks as key areas in which the staff intends to emphasize its general supervisory authority, application review authority, and examination authority.[9] The comprehensive oversight approach reflected in the advisory will continue to be critical in monitoring markets and supervising risks for those regulated entities where we have approved applications, such as CBOE. It will also be critical as the Commission considers other applications to expand clearing into digital assets or for new registered entities.
Strengthened Cybersecurity Related to Cboe
Second, because Cboe wished to expand to physically delivered crypto using an unaffiliated, experienced third-party custody provider, and out of my concern for the high rate of cyber hacks in crypto, Cboe worked with my office to strengthen a key cybersecurity and operational risk protection both for itself and third parties. In February, soon after the cyber attack on ION Markets, I gave a speech on strengthening cyber resilience, saying, “One of the lessons learned from last week is that a firm’s cybersecurity is only as strong as its most vulnerable third-party service provider . . . . Firms owe it to their clients—and I would say the markets—to have ongoing communications and other due diligence with third-party service providers to understand their cybersecurity controls and any weaknesses that could put the firm at risk. One path firms can consider is to request regular updated Systems and Operational Controls 2 (“SOC 2”) audits and opinions that the third party service provider has met, and better yet, exceeded, standards.”[10]
CBOE has agreed to annual SOC 2 audits, giving it regular reports and findings with respect to the design and effectiveness of Cboe’s own financial and operational controls. These audits will serve as a useful oversight tool both for Cboe and the Commission and are a best practice to reduce cyber and operational risk. Commission staff will receive the reports and benefit from information and findings therein due to conditions that have been memorialized in the Order at my request. Cboe has submitted a representation letter to the Commission at my request that it will continue to engage these audits on an annual basis. In the letter, Cboe stated its belief that annual SOC 1 and SOC 2 reports constitute best practices.
Strengthened Cybersecurity Related to Third Parties
Cboe also worked with my office to strengthen cybersecurity by amending its vendor management framework to improve third-party risk management of custodians and wallet providers. Under the revised framework, Cboe will require all “high risk” third-party services involved in custodial or wallet services to provide their own SOC 2 Type II reports to the clearinghouse on a regular schedule.
This third-party cyber risk control will provide Cboe with an independent view of the controls environment at key custodians and wallet third-party providers involved in its digital assets businesses. Key to this important due diligence requirement, of course, is the definition of “high risk,” which Cboe defines to include a broad array of disruptions to Cboe’s ability to deliver services or satisfy compliance or regulatory obligations. It also includes all services with unsupervised access to, or hosting, highly confidential information.
This control comes as a lesson learned from the ION Markets attack. In a discussion of the lessons learned from the ION Markets attack in the Technology Advisory Committee (“TAC”) that I sponsor, TAC member and Deputy Assistant Secretary of the Treasury, Todd Conklin, who leads Treasury’s cyber portfolio and worked on the ION Markets attack, presented the lessons learned from the attack.[11] DAS Conklin said, “You have this potential sprawling impact zone for a firm that, we found later, many institutions didn’t even classify necessarily as a ‘critical’ third-party vendor. Right? So many firms who onboarded ION didn’t use the highest-level scrutiny that they use for their most critical third-party vendors.” The Commission should pay close attention to these definitional issues across all registrants.
Market Integrity Safeguards
Finally, Cboe worked with my office to change its rulebook to protect the integrity of derivatives markets. Cboe agreed, in particular, to amend Rule 301(f) of its rulebook relating to General Eligibility Requirements of Clearing Members to disqualify any applicant for clearing membership if it, any affiliate, or any associated principal is subject to statutory disqualification(s) under section 8a(2) of the Commodity Exchange Act.[12] In other words, Cboe will not admit any clearing firm that has been found to have violated a provision of law identified by Congress as significant enough to prohibit a firm—without a hearing—from engaging in a CFTC-regulated business.
These four measures collectively protect customers, the clearing system, and markets.
III. Conclusion
I have been vocal about the benefits of bringing appropriate crypto activities into the regulated space in order to protect customers, but in a way that supports oversight, accountability, transparency, and risk management (among many other public interests). I also have been vocal about my concerns with respect to firms seeking bespoke regulation that has not been tested for risks. Too often in recent years, crypto firms have sought to take a business model or market structure that exists in an unregulated environment and port it over to the regulated environment. The CFTC does not have a window into the risks associated with models or structures in an unregulated environment. Cboe has not done that, instead operating within the parameters of the traditional futures market structure and regulatory framework. It has constructively engaged with the staff and my office to address concerns related to risk, and implement risk-mitigating measures. For these reasons, along with the staff advisory that recognizes our existing authorities in a supervisory framework for continued monitoring and supervision of heightened risk that could harm customers and markets, I approve.
[1] See Division of Clearing and Risk, U.S. Commodity Futures Trading Commission, Review of Risks Associated with Expansion of DCO Clearing of Digital Assets, CFTC Letter No. 23-07, Advisories (May 30, 2023), CFTC’s Division of Clearing and Risk Issues Staff Advisory on the Risks Associated with Expansion of Derivatives Clearing Organization Clearing of Digital Assets | CFTC.
[2] See CFTC Commissioner Christy Goldsmith Romero, Protecting Against Emerging Global Fintech Threats in Cyberspace and Cryptocurrencies (Nov. 30, 2022), Keynote Remarks of Commissioner Christy Goldsmith Romero at the Futures Industry Association, Asia Derivatives Conference, Singapore | CFTC (“Today, I am calling publicly for the first time for the CFTC to invoke heightened supervision of crypto exchanges—something I have called for internally within the CFTC for months. It is well within our existing authority for derivatives exchanges. At a minimum, heightened supervision would include frequent examinations, and heightened focus on cybersecurity, conflicts of interest, and a safety and soundness financial review. Despite my multiple requests, the CFTC has not implemented heightened supervision. My proposal should take on urgency in light of recent events.”); See CFTC Commissioner Christy Goldsmith Romero, Crypto’s Crisis of Trust: Lessons Learned from FTX’s Collapse (Jan. 18, 2023), Keynote Address by Commissioner Christy Goldsmith Romero at The Wharton School and the University of Pennsylvania Carey Law School | CFTC (“On November 30, 2022 publicly, and internally for months prior, I proposed that the CFTC conduct heightened supervision of CFTC-registered crypto exchanges . . . .”).
[3] In more technical terms, Cboe’s futures contracts will be listed, traded, and cleared within the traditional broker intermediated clearing model. This means that Cboe’s clearing members will be registered and regulated by the Commission and the National Futures Association (a self-regulatory organization) as futures commission merchants (“FCMs”).
[4] See CFTC Commissioner Christy Goldsmith Romero, Financial Stability Risks of Crypto Assets, (Oct. 26, 2022) Remarks of CFTC Commissioner Christy Goldsmith Romero before the International Swaps and Derivatives Association’s Crypto Forum 2022, New York | CFTC.
[5] 7 U.S.C. § 5(b) (The Commission’s mission includes promoting “fair competition among boards of trade, other markets and market participants.”)
[6] See E. Tilly, Ed Tilly on Cboe's Milestone Anniversary (Apr. 26, 2023).
[7] The Commodity Exchange Act and CFTC requirements require each DCO to have financial resources that, in essence, would enable the DCO to meet its obligations in the event that the largest clearing member defaults. This is called the “Cover 1” standard. Cboe has agreed to go beyond that standard and take a conservative approach to financial resources, adopting a Cover 2 standard otherwise required for systemically important clearinghouses (which Cboe Clear Digital, LLC is not).
[8] See fn. 1 and fn. 2 above.
[9] Id.
[10] See CFTC Commissioner Christy Goldsmith Romero, Adjusting the Sails for Cyber and Climate Resilience, (Feb. 10, 2023) Keynote Address by Commissioner Christy Goldsmith Romero at FIA & SIFMA Asset Management Derivatives Forum | CFTC.
[11] See Treasury Deputy Assistant Secretary Todd Conklin, Technology Advisory Committee, U.S. Commodity Futures Trading Commission, at 2:58:45 (Mar. 22, 2023), TAC Meeting Agenda That Includes Cybersecurity, Decentralized Finance, and Artificial Intelligence - YouTube.
[12] The provisions of sections 8a(2)–8a(4) of the Commodity Exchange Act set forth a system of statutory disqualifications pursuant to which the Commission may find an applicant or registrant unfit for registration and vest the Commission with wide discretion to deny, condition, suspend, restrict or revoke the registration of any person subject to one or more of the identified disqualifications. 7 U.S.C. §§ 12a(2). CEA section 8a(2) lists the offenses for which the Commission may upon notice, but without a hearing and pursuant to such rules, regulations or orders as the Commission may adopt, refuse to register, to register conditionally, or to suspend or place restrictions upon the registration of, any person, and for which the Commission may revoke the registration of any person with such a hearing as may be appropriate. 7 U.S.C. § 12a(2).
-CFTC-