Statement of CFTC Commissioner Dawn D. Stump Announcing Further Progress in the CFTC’s Data Protection Initiative
November 21, 2019
I am pleased to provide another update to the Data Protection Initiative that I announced in March. Data is critical to our markets and our regulatory mission. At the same time, the CFTC must be mindful of cyber threats and its data risk profile. The creation of a Data Catalogue to document all the data the CFTC captures provides the agency with a view into all of the information ingested from the markets we regulate. This exercise afforded me the opportunity to examine each data stream and corresponding use-cases. Based on the current frequency of use and the regulatory value of the data, I have identified data that I feel is ripe for streamlining.
I believe that we should:
- Codify the no-action relief applicable to Ownership and Control Reports (OCR) required by Parts 17, 18 and 20 of the Commission’s Regulations and explore whether certain forms and/or questions need further modifications or removal.
- Evaluate whether the Commission should continue to require the reporting of physical commodity swaps both to Swap Data Repositories (SDRs) via Part 45 and directly to the agency per Part 20. If SDR data enables the Commission to effectively oversee commodity swaps markets, then we should explore the sunset of duplicative Part 20 Large Trader Reporting for Physical Commodity Swaps.
- Amend Form CPO-PQR to remove certain schedules and questions while focusing only on data points that the CFTC and National Futures Association (NFA) currently use and have been deemed to be valuable over time. This could include reverting to the original Form-PQR version previously collected by the NFA while adding an extremely limited number of questions that have proven utility. Separately, I want to applaud the joint work of Commissioners Peirce and Quintenz in coordinating across our respective agencies in refining Form PF for the purposes of systemic risk review. I thank them both for their work on the CFTC-SEC harmonization efforts.
- Examine whether to continue the Cotton-On-Call Report.
- Consider the breadth of the CFTC’s upcoming swap data reporting regulations and limit the collection to the Critical Data Elements published by CPMI and IOSCO while only augmenting the collection with additional data elements that are required to accomplish our core mission and have a demonstrable and regularly recurring use-case.
- Explore ways in which the CFTC can better leverage cash-market reporting provided to exchanges in order to avoid duplicative filings, such as on Form 204.
These identified data streams are required to be reported under a myriad of regulations relating to various Divisions within the CFTC and represent both legacy and recently expanded authorities of the agency. The CFTC must constantly evaluate its approach to data and develop a meaningful policy adapted to ever-evolving threats and advances in data security. I hope to implement consistent data protection procedures across the many functions required to carry out our mission that will benefit the agency and market participants. I look forward to engaging with market participants to discuss any other applicable data streams in need of review.
As the CFTC continues its commitment to robust data protection measures, I also am able to convey that recent progress has been achieved concerning the security of the agency’s data. An audit from the Office of the Inspector General regarding information technology management and security issued multiple recommendations. The CFTC addressed all of these recommendation and they were recently closed.
In addition to specific data refinements, the CFTC should review the structure of the agency’s data organization, create a data business plan, and develop a long-term strategy to generate internal operational efficiencies and become a 21st century, data-driven regulator.
I want to thank the staff of all the Divisions and Offices across the entire CFTC for their assistance, as many parts of the agency are involved in this project and data protection is truly everyone’s responsibility. The specter of data breaches requires the CFTC to remain vigilant and ensure that we have both a culture, and policies and procedures, that are conducive to data protection. I look forward to continuing to work with staff and market participants, as appropriate, to implement the remaining steps of the Data Protection Initiative.
 See Statement of CFTC Commissioner Dawn D. Stump Announcing Important Progress in the CFTC’s Data Protection Initiative (July 12, 2019), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/stumpstatement071219.
 See Statement of CFTC Commissioner Dawn D. Stump on Data Protection Initiative (March 1, 2019), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/stumpstatement030119.
 See Committee on Payments and Market Infrastructures and Board of the International Organization of Securities Commissions, Technical Guidance, Harmonisation of Critical OTC Derivatives Data Elements (Other than UTI and UPI) (April 9, 2018), available at https://www.bis.org/cpmi/publ/d175.htm.
 See Review of CFTC’s Data Governance Program: Integrated Surveillance System, Report Number 18-AU-07 (OIG May 7, 2019), available in “Other Audits” at https://www.cftc.gov/About/OfficeoftheInspectorGeneral/index.htm.