Statement of Commissioner Kristin N. Johnson in Support of Reporting and Information Requirements for Derivatives Clearing Organizations
July 26, 2023
Today, the Commission considers several amendments to Part 39 regulations. In January of 2020, the Commission amended a number of the provisions in Part 39 to enhance certain risk management and reporting obligations and clarify the meaning of certain provisions including registration and reporting requirements.[1] Last November, the Commission considered a proposed rulemaking seeking to further update certain Part 39 regulations to reflect developments in risk management. I support the Commission’s consideration of these amendments designed to improve derivatives clearing organizations’ (DCO) risk management practices and clarify reporting requirements set out in Part 39.
The Dodd-Frank Wall Street Reform and Consumer Protection Act set out to implement reforms to mitigate systemic risk and promote transparency and stability.[2] DCOs play a significant role in mitigating risk and facilitating stability in our markets by providing essential clearing and settlement market infrastructure. Clearinghouses enhance visibility, introduce and enforce uniform contractual obligations, and establish standards for critical risk management tools such as initial and variation margin. They facilitate dispute resolution among counterparties, ensure the maintenance of necessary liquidity reserves, introduce important operating systems and cyber-risk management measures, and implement governance measures that mitigate conflicts of interest and monitor systems safeguards.[3]
In light of the role of DCOs in our markets, we must provide a framework that not only supports market stability but is functional and can be practically integrated. The implementation of the proposed final amendments to existing regulations will address gaps in reporting data to the Commission.
Cyber security
We live in a digital age, and our dependence on technology, digital operational infrastructure systems, and software is increasingly undeniable. The security and integrity of cyber systems is important for the effective functioning of individual firms. Interconnectedness in financial markets creates the possibility that a cyber-threat that impacts certain actors in our markets may also impact the safety and soundness of counterparties or customers. In some instances, these cyber events will lead to more significant disruption, impeding clearing and settlement of transactions or impacting price discovery. Just a few months ago, ION, a significant service provider in global derivatives markets, experienced a cybersecurity event that triggered concerning effects across derivatives markets. The ION cybersecurity event underscores the importance of cyber security monitoring, prevention, and reporting.
Under DCO Core Principle I, DCOs must “establish and maintain a program of risk analysis and oversight to identify and minimize sources of operational risk through the development of appropriate controls and procedures…”[4] In accord with this Core Principle, the Commission adopted Regulation 39.18(g) requiring DCOs to promptly notify the Division of Clearing and Risk (DCR) of any cyber security event or targeted threat that materially impairs, or creates a significant likelihood of material impairment of automated system operation, reliability, security, or capacity.[5]
In November of 2022, DCR proposed amendments to 39.18(g) recommending improvements to certain cyber-event reporting requirements. The proposed amendment would have eliminated the materiality threshold, which would have required DCOs to report all such events regardless of magnitude.[6] The amendment would have increased reporting of DCO cyber events and automated system impairments, including impairments concerning third-party provided services.
While I appreciate the Commission’s careful response to public comments received regarding proposed amendments to 39.18(g), it is important to balance thoughtful consideration of cyber regulation with the emergent need for action. Our markets cannot afford to wait for continued attacks or delayed action over a significant period of time. The potential disruption that may be created by cyber-events requires a timely response.
As market participants integrate, adopt, and partner with significant technology firms and adopt software and technology that facilitates the technical operations for their businesses, it is imperative that our regulation focus on monitoring, reporting, transparency and the development of cyber recovery and resilience programs.
Four months ago, the Market Risk Advisory Committee (MRAC) that I sponsor held a meeting in this room. The director of national cybersecurity at the White House’s Office of the National Cyber Director and others joined a thoughtful dialogue focused on preventing or mitigating the threat of cyber events and cyber security threats. In addition to valuable dialogue during the MRAC meeting, my staff and I traveled to the White House executive offices to meet with the Office of the National Cyber Director. Our discussions and dialogue continue.
DCR is correctly focused on refining and updating 39.18(g). There is a clear need for immediate and careful study of the cyber-risk issues that present for DCOs. To this end, an MRAC subcommittee focused on technical and operational resilience will begin to examine several of the issues raised in the proposed amendment and comment letters. Hopefully, our collective efforts will enhance cyber resilience of the registrants in our markets as well as the critical third- and fourth-party service providers that registrants may depend on.
Segregation of Customer Funds
DCO Core Principle F and requires DCOs to establish standards and procedures for protecting and ensuring the safety of clearing member and customer funds. In addition, Core Principle F requires DCOs to establish standards and procedures that are designed to protect and to ensure the safety of funds and assets held in custody, to hold such funds and assets in a way designed to minimize risk, and to limit investment of such funds and assets to instruments with minimal credit, market, and liquidity risks. The DCO risk mitigation function is imperative for the segregation and safekeeping of clearing member and customer funds and assets.
Today, DCR proposes amendments that seek to close a gap with respect to DCO regulations that govern segregation of customer assets.
While there are robust regulations governing segregation of customer funds by futures commission merchants (FCMs),[7] those same protections may not reach all DCO customers. In some instances, the divergence in our rules is based on the history and structure of the markets for certain assets and products. As innovative financial products and market structures proliferate, we must be mindful of the consequences of the lack of parallelism in our customer protection regulations.
I support the Commission’s adoption of the proposed amendments that enhance customer protections, namely segregation of customer funds, treatment of customer funds, and the introduction of financial resource requirements for certain DCOs.
Liquidity Reserves
The amendments today also include updates addressing liquidity-related transparency. When market participants fail to manage liquidity risk effectively, enterprise risk management failures may occur and, depending on the size and significance of the market participants experiencing risk management failures, the effects may trigger disruption across global financial markets.
The transparency amendments proposed today, enhance reporting requirements for credit and liquidity facilities. Specifically, § 39.19(c)(4)(xv) will require DCOs report within one business day after becoming aware of any material issues or concerns regarding the performance, stability, liquidity, or financial resources of any credit facility funding arrangement, liquidity funding arrangement, custodian bank, or settlement bank used by the DCO or approved for use by the DCO’s clearing members. These amendments will improve the Commission’s risk surveillance of DCOs and clearing members. Prudent risk management - the management of liquidity needs, in particular, is critical to DCO resilience. I support the amendments to enhance transparency. Each adds value to the Core Principles we uphold and our mandate to the protect customers and preserve the integrity of the financial markets that we regulate.
I want to thank the staff of DCR – Eileen Donovan, August Imholtz, Gavin Young, and Parisa Nouri – for their diligent and thoughtful work on these amendments.
[1] Derivatives Clearing Organization General Provisions and Core Principles, 85 FR 4800 (Jan. 27, 2020), https://www.federalregister.gov/documents/2020/01/27/2020-01065/derivatives-clearing-organization-general-provisions-and-core-principles.
[2] Dodd-Frank Wall Street Reform and Consumer Protection Act, No. 111-203, 124 Stat. 1376 (2010).
[3] Statement of Commissioner Kristin N. Johnson in Support of Notice of Proposed Amendments to Reporting and Information Requirements for Derivatives Clearing Organizations, Kristin N. Johnson (Nov. 10, 2022), https://www.cftc.gov/PressRoom/SpeechesTestimony/johnsonstatement060723d.
[4] 7 U.S.C. § 7a-1(c)(2)(I)(i).
[5] 17 C.F.R. §39.18(g)
[6] Reporting and Information Requirements for Derivatives Clearing Organizations, 87 Fed. Reg. 76,698, 76,700 (Dec. 15, 2022), https://www.cftc.gov/sites/default/files/2022/12/2022-26849a.pdf.
[7] Section 4d(a)(2) of the CEA requires each FCM to segregate from its own assets all money, securities, and other property deposited by futures customers to margin, secure, or guarantee futures contracts and options on futures contracts traded on designated contract markets. 7 U.S.C. § 6d(a)(2). In addition, Section 4d(a)(2) of the CEA requires an FCM to treat and deal with futures customer funds as belonging to the futures customer, and prohibits an FCM from using the funds deposited by a futures customer to margin or extend credit to any person other than the futures customer that deposited the funds. 7 U.S.C. § 6d(a)(2).
-CFTC-