Statement of Commissioner Kristin N. Johnson Calling for the CFTC to Initiate A Rulemaking Process for CFTC-Registered DCOs Engaged in Crypto or Digital Asset Clearing Activities
May 30, 2023
Today, the Division of Clearing and Risk (DCR) of the Commodity Futures Trading Commission (CFTC or Commission) issued a Staff Advisory on Review of Risks Associated with Expansion of DCO Clearing of Digital Assets (Staff Advisory). The Staff Advisory acknowledges the introduction of innovative changes including novel financial products and platforms and new market participants operating in our regulated markets in recent years. The Staff Advisory further acknowledges that careful evaluation may reveal heightened risks associated with certain clearing activities, particularly clearing activities in digital assets or cryptocurrency markets.
Begin A Rulemaking Process
While I support the Staff Advisory, the rationale for such a notice indicates the increasingly urgent need for the Commission to initiate a formal rulemaking process that invites a comprehensive evaluation of “heightened” risks associated with certain crypto clearing activities, ensures parallel customer protections apply across our markets for similar clearing activities, and proposes appropriate measures to mitigate unique as well as traditional risks. Specifically, proposed rules should address:
- Conflicts of interest arising from vertical integration of activities and functions;
- Custody and client asset protection;
- Operational and technological risk, specifically cyber-risks; and
- Market manipulation and fraud.
During my time in service at the Commission, I have repeatedly raised these very concerns when applauding enforcement actions and advocating for rulemakings, including, for example, the recent DCO Governance rulemaking. Across these discussions as well as based on concerns presented at the Commission’s Roundtable on Non-Intermediation, [1] there is strong consensus and adequate grounds to begin a rulemaking process and consider ensuring parallel regulations govern the diverse market structures adopted in DCO markets.
Same Activity. Same Risks. Same Regulation.
In internal and public remarks, I have repeatedly called for the Commission to begin a rulemaking process to ensure that the same customer protection, risk management, and market stability measures embedded in our regulation for intermediated DCOs apply to all DCOs.[2] Part 39 of our regulations includes specific customer and market integrity protections for certain—but not all—clearing activities.
As the Staff Advisory indicates, we observe increased registration activity for crypto-commodity derivatives clearing and note that several proposed models adopt a non-intermediated market structure. Unless we introduce parallel regulation, these crypto-commodity derivatives clearing models may not be subject to the most rigorous regulatory standards. It is also imperative to note that these models may solicit or market products to retail or individual investors.
In other words, we may be exposing the most vulnerable investors—investors entering our markets with hard-earned cash from a long day’s work—to platforms with the higher risk management exposures and lower customer protections.
Based on the history of market structure in DCO markets, and the absence of significant retail or individual investor activity in particular, our regulations must be refined to sufficiently ensure parallel application and a single, robust regulatory framework designed to prevent misuse or misappropriation of customers’ funds, abuse of customers resulting from the absence of effective conflicts of interest policies, and excessive risk taking that may disrupt market stability and undermine market integrity. We must apply one set of rules across the board. Same activity. Same risks. Same regulation.
An Advanced Notice of Proposed Rulemaking (ANPRM)
Following this staff advisory, I propose that the Commission initiate an Advanced Notice of Proposed Rulemaking on Crypto or Digital Commodity DCO Clearing Activities. This approach acknowledges the innovative features of novel crypto-commodity derivative products and the platforms that clear and settle these transactions and addresses potential heightened risks described in the Staff Advisory. Such an approach would enable the Commission to engage in a comprehensive review of the new or potential risks that arise from clearing activities in the crypto-markets and formulate a proposed rule that effectively responds to the identified concerns.
In thinking of the ANPRM process, one may recall the initiatives adopted to gather information and develop a regulatory framework for implementing Title VII of the Dodd-Frank Act. Beginning with an Advance Notice of Proposed Rulemaking may enable a multi-faceted and highly-collaborative process that includes diverse stakeholders influencing regulation through Requests for Information, formal Roundtables, and the development of Guidance from the Commission ahead of drafting formal regulations.
To be exceptionally clear, a rulemaking limited to ensuring parallel protections for the crypto-clearing activities outlined in the Staff Advisory is expressly within the Commission’s existing authority. Market participants operating as DCOs, designated contract markets, swap execution facilities, and registered derivatives intermediaries are subject to the Commission’s jurisdiction.
The Staff Advisory keenly focuses on entities that are registered or seek to register with the CFTC to offer derivatives clearing services. In other words, by their own indications in submitted applications, these entities are consenting to the CFTC’s jurisdiction and employing a market structure predominantly adopted in commodity derivatives markets.
As I have noted on a number of recent occasions, persistent volatility, inflationary pressures, and other challenging macroeconomic conditions have challenged our markets significantly since the onset of the COVID-19 pandemic. Our markets have demonstrated resilience and, at least in part, this effective resilience is the result of careful, well-calibrated regulation designed to enable our markets and market participants to respond to remarkable market conditions. One could conclude that our preparation through rulemaking and enforcement has fostered markets that are orderly, transparent, and fair. We should apply these lessons to every asset class permitted within our markets.
As noted above, proposed rules may address a number of areas where the Commission has refined regulations in intermediated DCO markets over the last several years including conflicts of interest; segregation of customer funds and treatment of customer assets; operational and technological risk, specifically cyber-risks; and market manipulation and fraud.
The LedgerX Order
The Commission has previously signaled a need to address the lack of parallelism in the context of certain DCO clearing activities involving crypto or digital assets. In 2017, LedgerX submitted an application to register as a DCO. The LedgerX order of registration outlines several of the key initiatives that an ANPRM might address.[3] These carefully crafted conditions offer guidance on the issues that merit the Commission’s focus in the context of the clearing activities referenced in the Staff Advisory.
These conditions were necessary because no current statutory language nor regulatory text expressly imposes relevant obligations on certain DCOs. The conditions, therefore, provide a possible framework for customized regulatory requirements to be considered in an ANPRM.
Ensuring Cyber Resilience
Finally, an ANPRM may propose an approach for introducing risk management and cyber resilience in the markets for novel products and platforms. In addition to the investor protection and market integrity concerns that will inform an ANPRM, we must carefully focus on the system safeguards that promote cyber resilience within the markets for novel market structures and products.
Section 5b(c)(2) of the Commodity Exchange Act (CEA), as amended by the Dodd-Frank Wall Street Reform and Consumer Protection Act[4] sets out eighteen core principles (DCO Core Principles).[5] In 2011, the Commission promulgated Regulation 39.10(a) which requires DCOs to comply with each of the DCO Core Principles as well as “any requirement that the Commission may impose by rule or regulation pursuant to section 8a(5) of the Act[.]”[6] Part 39 of the Commission’s regulations implements the DCO Core Principles which seek “… to strengthen the risk management practices of DCOs, and to promote financial integrity for swaps and futures markets.”[7]
In 2016, the Commission adopted regulation 39.18 titled “System Safeguards”[8] which implements Core Principle I and specifies the requisite elements for system safeguards as well as risk analysis and oversight plans for operations and monitoring of automated systems.[9] At that time, the Commission acted in response to increased frequency in cyber threats and the necessity to enhance cybersecurity requirements and testing for DCOs.[10] In the adopting release, the Commission cites to the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) as a central source for best practices in cybersecurity and surveillance.[11] The NIST Framework advocates “for testing of cybersecurity response and recovery plans and cybersecurity detection processes and procedures.”[12]
Over the last decade, the Commission has consulted and considered additional international standards on cybersecurity which establish best practices including the Principles for Financial Market Infrastructure (PFMI) issued by the Committee on Payments and Market Infrastructure (CPMI) and the International Organization of Securities Commissions (IOSCO).[13] The PFMI is a key standard in the international community that is considered “essential to strengthening and preserving financial stability.”[14] Under the PFMI, CPMI and ISOCO issued the Guidance on Cyber Resilience for Financial Market Infrastructures which advocates for cyber risk awareness and regular evaluation and improvement of cyber resilience for financial market entities.[15]
The Commission’s focus on cybersecurity over the last few years was recently validated by the January cybersecurity event at ION Cleared Derivatives. ION provides trading, clearing, analytics, treasury, and risk management services for capital markets and futures and derivatives markets. [16] Many market participants rely on services agreements with ION for back-office trade processing and settlement of exchange-traded derivatives.[17] The January cyberattack disrupted not only ION’s operations but also the operations of other market participants, triggering a ripple effect across markets. The cyber-incident halted deal matching, required affected parties to rely on manual (old school) trade processing, and caused delays in reconciliation and information sharing and reporting, among other challenges.[18]
During the March 2023 Market Risk Advisory Committee meeting, we examined the threat of cyberattacks on market participants and critical third-party resources that facilitate clearing and settlement of market transactions.[19] As new market participants enter our markets, it is imperative that their systems safeguards establish parallel protection for their customers. This may be especially important where interoperability and reliance on critical third-party service providers play a key role in their operational integrity.
While the CFTC has long implemented and enforced cyber risk regulation, the ION cyber incident demonstrates that operational resilience and system safeguards must be continuously re-evaluated to keep up with changes in our financial market infrastructure and ever-evolving technology. As our market infrastructure becomes increasingly dependent on digital technologies, it is of the utmost importance that individual firm cyber defenses keep pace with evolving threats. In addition, we must seek to enhance cybersecurity across the network of firms, large and small, that facilitate trade execution, clearing, and settlement in our markets.
Conclusion
I urge the Commission to initiate a rulemaking process to explore the unique challenges of introducing customer protections in non-intermediated crypto-markets, particularly those seeking to engage in marketing of leveraged, retail-focused derivatives products. Now is the time to act to further protect customers and customer funds.
[1] CFTC Announces Staff Roundtable Discussion on Non-intermediation, May 25, 2022, https://www.cftc.gov/PressRoom/Events/opaeventstaffroundtable052522.
[2] See, e.g., Keynote Address of Commissioner Kristin Johnson at Digital Assets @ Duke Conference, Duke’s Pratt School of Engineering and Duke Financial Economics Center: Mitigating Crypto-Crises: Applying Lessons Learned in Governance, Risk Management, and Compliance, Jan. 26, 2023, https://www.cftc.gov/PressRoom/SpeechesTestimony/opajohnson2; Statement of Commissioner Kristin N. Johnson Regarding CFTC Consent Order of $2.8 Million in Restitution for Virtual Currency Fraud: A Call to Action: Let’s Use Our Existing Authority to Stop Crypto-Fraud, Dec. 1, 2022, https://www.cftc.gov/PressRoom/SpeechesTestimony/johnsonstatement120122.
[3] LedgerX DCO Order of Registration – Conditions
(1) Cleared Products. LedgerX is permitted to clear, in its capacity as a DCO, fully collateralized digital currency swaps, subject to the requirements of Commission Regulation 39.5(a). A contract cleared by LedgerX will be considered fully collateralized if LedgerX holds, at all times, funds sufficient to cover the maximum possible loss a counterparty could incur upon liquidation or expiration of the contract, in the form of the required payment.
(2) Treatment of Funds. Funds held in the Cleared Swap Proprietary Accounts shall be considered member property, as that term is defined in the Bankruptcy Code. LedgerX shall at all times maintain funds of its clearing members separate and distinct from its own funds.
(3) Digital Currency Audit. LedgerX shall engage an independent certified public accountant to audit LedgerX's digital currency balances and issue an opinion on the accounting treatment of digital currency held by LedgerX as of three months after LedgerX begins clearing operations, and on an annual basis thereafter.
(4) Compliance with the Act and Commission Regulations. LedgerX shall comply, and shall demonstrate compliance as requested by the Commission, with applicable provisions of the Act, including the core principles set forth in Section 5b of the Act (“Core Principles”), and Commission regulations, as may be amended or adopted from time to time. LedgerX shall fulfill each of the representations it has made to the Commission relating to compliance with the Core Principles and Commission regulations.
(5) Self-Regulatory Function. LedgerX shall ensure the performance of all self-regulatory functions required of it as a registered DCO under the Act and Commission regulations, including, without limitation: monitoring and enforcing clearing member compliance with LedgerX admission and continuing eligibility standards; and enforcing clearing member compliance with the terms of all other LedgerX rules, regulations, and procedures.
(6) New Regulations. Should the Commission promulgate or amend a regulation addressing or otherwise affecting any aspect of this Order, then such regulation will apply and supersede the applicable term(s) in this Order.
(7) Reservation of Rights. This Order is based upon the representations made and supporting material provided to the Commission by LedgerX. In the event of any changes to or omissions in the material facts or circumstances pursuant to which this Order is issued, or for any reason in its own discretion, the Commission may condition, modify, suspend, terminate, or otherwise restrict the terms of this Order, as appropriate and as permitted by law, on its own motion.
LedgerX, LLC Order of Registration as a DCO, July 24, 2017, https://www.cftc.gov/media/4556/ledgerxllcamendeddcoorder9-2-2020/download.
[4] “Section 725(c) of the Dodd-Frank Act amended Section 5b(c)(2) of the CEA, which sets forth core principles with which a DCO must comply in order to be registered and to maintain registration as a DCO.” Derivatives Clearing Organization General Provisions and Core Principles, 76 Fed. Reg. 69,334, 69,430 (Nov. 8, 2011).
[5] Section 5b(c)(2)(D) of the CEA, 7 U.S.C. §7a-1(c)(2).
[6] 17 C.F.R. § 39.10(a) (2011).
[7] 76 Fed. Reg. at 69,335.
[8] 17 C.F.R. § 39.18(2016).
[9] System Safeguards Testing Requirements for Derivatives Clearing Organizations, 81 Fed. Reg. 64,321, 64,322 (Sept. 19, 2016).
[10] Id. at 64,322.
[11] Id.
[12] Id.
[13] Principles for Financial Market Infrastructures, Bank for International Settlements, Apr. 16, 2012, available at https://www.bis.org/cpmi/info_pfmi.htm.
[14] Id.
[15] Guidance of cyber resilience for financial market infrastructures, Bank for International Settlements, Jun. 29, 2016, available at https://www.bis.org/cpmi/publ/d146.htm.
[16] See Opening Statement of Commissioner Kristin N. Johnson Before the Market Risk Advisory Committee Meeting, Mar. 8, 2023, https://www.cftc.gov/PressRoom/SpeechesTestimony/johnsonstatement030823.
[17] Id.
[18] Id.
[19] Market Risk Advisory Committee Meeting, Mar. 8, 2023, https://www.cftc.gov/PressRoom/Events/opaeventmrac020823.
-CFTC-