[Federal Register Volume 88, Number 136 (Tuesday, July 18, 2023)]
[Proposed Rules]
[Pages 45826-45836]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-15056]



17 CFR Parts 1 and 23

RIN 3038-AE59

Risk Management Program Regulations for Swap Dealers, Major Swap 
Participants, and Futures Commission Merchants

AGENCY: Commodity Futures Trading Commission.

ACTION: Advance notice of proposed rulemaking; request for comments.


SUMMARY: The Commodity Futures Trading Commission (CFTC or Commission) 
is issuing this Advance Notice of Proposed Rulemaking (ANPRM or Notice) 
and seeking public comment regarding potential regulatory amendments 
under the Commodity Exchange Act governing the risk management programs 
of swap dealers, major swap participants, and futures commission 
merchants. In particular, the Commission is seeking information and 
public comment on several issues stemming from the adoption of certain 
risk management programs, including the governance and structure of 
such programs, the enumerated risks these programs must monitor and 
manage, and the specific risk considerations they must take into 
account; the Commission further seeks comment on how the related 
periodic risk reporting regime could be altered or improved. The 
Commission intends to use the information and comments received from 
this Notice to inform potential future agency action, such as a 
rulemaking, with respect to risk management.

DATES: Comments must be in writing and received by September 18, 2023.

ADDRESSES: You may submit comments, identified by RIN 3038-AE59, by any 
of the following methods:
     CFTC Comments Portal: https://comments.cftc.gov. Select 
the ``Submit Comments'' link for this rulemaking and follow the 
instructions on the Public Comment Form.
     Mail: Send to Christopher Kirkpatrick, Secretary of the 
Commission, Commodity Futures Trading Commission, Three Lafayette 
Centre, 1155 21st Street NW, Washington, DC 20581.
     Hand Delivery/Courier: Follow the same instruction as for 
Mail, above.

Please submit your comments using only one of these methods. 
Submissions through the CFTC Comments Portal are encouraged. All 
comments must be submitted in English, or if not,

[[Page 45827]]

accompanied by an English translation. Comments will be posted as 
received to https://comments.cftc.gov. You should submit only 
information that you wish to make available publicly. If you wish the 
Commission to consider information that you believe is exempt from 
disclosure under the Freedom of Information Act (FOIA), a petition for 
confidential treatment of the exempt information may be submitted 
according to the procedures established in section 145.9 of the 
Commission's regulations. The Commission reserves the right, but shall 
have no obligation, to review, prescreen, filter, redact, refuse, or 
remove any or all of your submission from https://comments.cftc.gov 
that it may deem to be inappropriate for publication, such as obscene 
language. All submissions that have been redacted or removed that 
contain comments on the merits of the rulemaking will be retained in 
the public comment file and will be considered as required under the 
Administrative Procedure Act (APA) and other applicable laws and may be 
accessible under the FOIA.

FOR FURTHER INFORMATION CONTACT: Amanda L. Olear, Director, 202-418-
5283, [email protected]; Pamela M. Geraghty, Deputy Director, 202-418-
5634, [email protected]; Fern Simmons, Associate Director, 202-418-
5901, [email protected]; or Elizabeth Groover, Special Counsel, 202-
418-5985, [email protected]; each in the Market Participants Division 
at the Commodity Futures Trading Commission, Three Lafayette Centre, 
1155 21st Street NW, Washington, DC 20581.


Table of Contents

I. Background
II. Questions and Request for Comment
    A. Risk Management Program Governance
    B. Enumerated Risks in the Risk Management Program Regulations
    C. Periodic Risk Exposure Reporting by Swap Dealers and Futures 
Commission Merchants
    D. Other Areas of Risk

I. Background

    Title VII of the Dodd-Frank Wall Street Reform and Consumer 
Protection Act \1\ (Dodd-Frank Act) amended the Commodity Exchange Act 
(CEA) \2\ to establish a comprehensive regulatory framework to reduce 
risk, increase transparency, and promote market integrity within the 
financial system by, among other things, providing for the registration 
and comprehensive regulation of swap dealers (SDs) \3\ and major swap 
participants (MSPs),\4\ and enhancing the rulemaking and enforcement 
authorities of the CFTC with respect to all registered entities and 
intermediaries subject to its oversight, including, among others, 
futures commission merchants (FCMs).\5\ Added by the Dodd-Frank Act, 
CEA section 4s(j) outlines the duties with which SDs must comply.\6\ 
Specifically, CEA section 4s(j)(2) requires SDs to establish robust and 
professional risk management systems adequate for managing the day-to-
day business of the registrant.\7\ CEA section 4s(j)(7) directs the 
Commission to prescribe rules governing the duties of SDs, including 
the duty to establish risk management procedures.\8\ In April 2012, the 
Commission adopted Regulation 23.600,\9\ which established requirements 
for the development, approval, implementation, and operation of SD risk 
management programs (RMPs).\10\

    \1\ See Dodd-Frank Act, Public Law 111-203, 124 Stat. 1376 
    \2\ 7 U.S.C. 1 et seq.
    \3\ An SD is an entity that holds itself out as a dealer in 
swaps; makes a market in swaps; regularly enters into swaps with 
counterparties as an ordinary course of business for its own 
account; or engages in any activity causing the entity to be 
commonly known in the trade as a dealer or market maker in swaps. 
See 7 U.S.C. 1a(49)(A); see also 17 CFR 1.3 (describing exceptions 
and limitations).
    \4\ An MSP is any person that is not an SD and maintains a 
substantial position in swaps for any of the major swap categories; 
whose outstanding swaps create substantial counterparty exposure 
that could have serious adverse effects on the financial stability 
of the United States banking system or financial markets; or is a 
financial entity that is highly leveraged relative to the amount of 
capital it holds and that is not subject to capital requirements 
established by an appropriate Federal banking agency and maintains a 
substantial position in outstanding swaps in any major swap 
category. See 7 U.S.C. 1a(33)(A); 17 CFR 1.3. There are currently no 
registered MSPs; the relevant regulatory requirements discussed in 
this ANPRM, however, apply to both SDs and MSPs. For ease of 
drafting, throughout this Notice, any reference to SDs should be 
construed to include both SDs and MSPs.
    \5\ An FCM is an entity that solicits or accepts orders to buy 
or sell futures contracts, options on futures, retail off-exchange 
forex contracts or swaps, and accepts money or other assets from 
customers to support such orders. See 7 U.S.C. 1a(28); 17 CFR 1.3.
    \6\ 7 U.S.C. 6s(j).
    \7\ 7 U.S.C. 6s(j)(2).
    \8\ 7 U.S.C. 6s(j)(7).
    \9\ 17 CFR 23.600.
    \10\ Swap Dealer and Major Swap Participant Recordkeeping, 
Reporting, and Duties Rules; Futures Commission Merchant and 
Introducing Broker Conflicts of Interest Rules; and Chief Compliance 
Officer Rules for Swap Dealers, Major Swap Participants, and Futures 
Commission Merchants, 77 FR 20128 (Apr. 3, 2012) (2012 SD Risk 
Management Final Rule). For additional background, see the related 
notice of proposed rulemaking: Regulations Establishing and 
Governing the Duties of Swap Dealers and Major Swap Participants, 75 
FR 71397 (Nov. 23, 2010).

    Following two FCM insolvencies involving the misuse of customer 
funds in 2011 and 2012, the Commission proposed and adopted a series of 
regulatory amendments designed to enhance the protection of customers 
and customer funds held by FCMs.\11\ The Commission adopted Regulation 
1.11 in 2013 to establish risk management requirements for those FCMs 
that accept customer funds. Regulation 1.11 is largely aligned with the 
SD risk management requirements in Regulation 23.600 (together with 
Regulation 1.11, the RMP Regulations).\12\ The Commission concluded at 
that time that it could mitigate the risks of misconduct and an FCM's 
failure to maintain required funds in segregation \13\ with more robust 
risk management systems and controls.\14\

    \11\ Enhancing Protections Afforded Customers and Customer Funds 
Held by Futures Commission Merchants and Derivatives Clearing 
Organizations, 77 FR 67866 (Nov. 14, 2012) (FCM Customer Protection 
Proposed Rule); Enhancing Protections Afforded Customers and 
Customer Funds Held by Futures Commission Merchants and Derivatives 
Clearing Organizations, 78 FR 68506 (Nov. 14, 2013) (FCM Customer 
Protection Final Rule).
    \12\ 17 CFR 1.11; FCM Customer Protection Final Rule.
    \13\ The statutory requirement for FCMs to segregate customer 
funds from their own funds is a fundamental cornerstone of customer 
protection. FCM Customer Protection Final Rule, 78 FR at 68506 
(``The protection of customers--and the safeguarding of money, 
securities or other property deposited by customers with an FCM--is 
a fundamental component of the Commission's disclosure and financial 
responsibility framework.'').
    \14\ Id. at 68509.

    The Commission is issuing this ANPRM for several reasons. After 
Regulation 23.600 was initially adopted in 2012, the Commission 
received a number of questions from SDs concerning compliance with 
these requirements, particularly those concerning governance (for 
example, questions regarding who is properly designated as ``senior 
management,'' as well as issues relating to the reporting lines within 
the risk management unit).\15\ The intervening decade of examination 
findings and ongoing requests for staff guidance from SDs with respect 
to Regulation 23.600 warrant consideration of the Commission's rules 
and additional public discourse on this topic.

    \15\ Some SDs expressed confusion to Commission staff regarding 
the reporting line requirements and the regulatory definitions of 
``governing body'' and ``senior management.''

    The Commission has further identified the enumerated areas of risk 
that RMPs are required to take into account, and the quarterly risk 
exposure reports (RERs), as other areas of potential confusion and 

[[Page 45828]]

in the RMP Regulations for SDs and FCMs. Commission staff has observed 
significant variance among SD and FCM RERs with respect to how they 
define and report on the enumerated areas of risk (e.g., market risk, 
credit risk, liquidity risk, etc.), making it difficult for the 
Commission to gain a clear understanding of how specific risk exposures 
are being monitored and managed by individual SDs and FCMs over time, 
as well as across SDs and FCMs during a specified time period. 
Furthermore, the Commission's implementation experiences and certain 
market events over the last decade indicate that it may be appropriate 
to consider whether to include additional enumerated areas of risk in 
the RMP Regulations.
    The Commission has observed inefficiencies with respect to the RER 
requirements in the RMP Regulations. Currently, Regulations 
23.600(c)(2) and 1.11(e)(2) \16\ prescribe neither the format of the 
RER nor its exact filing schedule.\17\ As a result, the Commission 
frequently receives RERs in inconsistent formats containing stale 
information, in some cases data that is at least 90 days out-of-date. 
Furthermore, a number of SDs have indicated that the quarterly RERs are 
not relied upon for their internal risk management purposes, but 
rather, they are created solely to comply with Regulation 23.600, 
indicating to the Commission that additional consideration of the RER 
requirement is warranted.

    \16\ 17 CFR 23.600(c)(2); 17 CFR 1.11(e)(2).
    \17\ The timeline for filing quarterly RERs with the Commission 
is tied to when such reports are given to SDs' and FCMs' senior 
management. Regulations 23.600(c)(2) and 1.11(e)(2) do not prescribe 
how soon after a quarter-end an SD or FCM must provide its RER to 
senior management or the format in which the SD or FCM must submit 
the information required in the RER to the Commission. Id.

    Finally, the Commission also reminds SDs and FCMs that their RMPs 
may require periodic updates to reflect and keep pace with 
technological innovations that have developed or evolved since the 
Commission first promulgated the RMP Regulations.\18\ The Commission is 
seeking information regarding any risk areas that may exist in the RMP 
Regulations that the Commission should consider with respect to notable 
product or technological developments.

    \18\ Since the adoption of the RMP Regulations, some SDs and 
FCMs have engaged in novel product offerings, such as derivatives on 
certain digital assets, have increased their facilitation of 
electronic and automated trading, and have incorporated into their 
operations the use of recent technological developments, including 
cloud-based storage and computing, and possibly artificial 
intelligence and machine learning technologies.

    Therefore, the Commission is issuing this Notice to seek industry 
and public comment on these aforementioned specific aspects of the 
existing RMP Regulations, as discussed further below.

II. Questions and Request for Comment

    In responding to each of the following questions, please provide a 
detailed response, including the rationale for such response, cost and 
benefit considerations, and relevant supporting information. The 
Commission encourages commenters to include the subsection title and 
the assigned number of the specific request for information in their 
submitted responses to facilitate the review of public comments by 
Commission staff.

A. Risk Management Program Governance

    Regulations 23.600(a) and (b) set out the parameters by which an SD 
must structure and govern its RMPs. Regulation 23.600(a) sets forth 
certain definitions, including ``business trading unit,'' \19\ 
``governing body,'' \20\ and ``senior management,'' \21\ whereas 
Regulation 23.600(b) requires an SD to memorialize its RMP through 
written policies and procedures, which the SD's governing body must 
approve.\22\ Regulation 23.600(b) further requires an SD to create a 
risk management unit (RMU) that: (1) is charged with carrying out the 
SD's RMP; (2) has sufficient authority, qualified personnel, and 
resources to carry out the RMP; (3) reports directly to senior 
management; and (4) is independent from the business trading unit.\23\

    \19\ ``Business trading unit'' is defined as, any department, 
division, group, or personnel of a swap dealer or major swap 
participant or any of its affiliates, whether or not identified as 
such, that performs, or personnel exercising direct supervisory 
authority over the performance of any pricing (excluding price 
verification for risk management purposes), trading, sales, 
marketing, advertising, solicitation, structuring, or brokerage 
activities on behalf of a registrant. 17 CFR 23.600(a)(2).
    \20\ ``Governing body'' is defined as, (1) A board of directors; 
(2) A body performing a function similar to a board of directors; 
(3) Any committee of a board or body; or (4) The chief executive 
officer of a registrant, or any such board, body, committee, or 
officer of a division of a registrant, provided that the 
registrant's swaps activities for which registration with the 
Commission is required are wholly contained in a separately 
identifiable division. 17 CFR 23.600(a)(4).
    \21\ ``Senior management'' is defined as, with respect to a 
registrant, any officer or officers specifically granted the 
authority and responsibility to fulfill the requirements of senior 
management by the registrant's governing body. 17 CFR 23.600(a)(6).
    \22\ 17 CFR 23.600(b).
    \23\ 17 CFR 23.600(b)(5).

    Similar to Regulation 23.600, Regulation 1.11 contains specific 
requirements with respect to the risk governance structure.\24\ 
Regulation 1.11(b) defines ``business unit,'' \25\ ``governing body,'' 
\26\ and ``senior management,'' \27\ while Regulation 1.11(c) requires 
the FCM to establish the RMP through written policies and procedures, 
which the FCM's governing body must approve.\28\ Regulation 1.11(d) 
requires that an FCM establish and maintain an RMU with sufficient 
authority; qualified personnel; and financial, operational, and other 
resources to carry out the RMP, that is independent from the business 
unit and reports directly to senior management.\29\

    \24\ 17 CFR 1.11.
    \25\ ``Business unit'' is defined as, any department, division, 
group, or personnel of a futures commission merchant or any of its 
affiliates, whether or not identified as such that: (i) Engages in 
soliciting or in accepting orders for the purchase or sale of any 
commodity interest and that, in or in connection with such 
solicitation or acceptance of orders, accepts any money, securities, 
or property (or extends credit in lieu thereof) to margin, 
guarantee, or secure any trades or contracts that result or may 
result therefrom; or (ii) Otherwise handles segregated funds, 
including managing, investing, and overseeing the custody of 
segregated funds, or any documentation in connection therewith, 
other than for risk management purposes; and (iii) Any personnel 
exercising direct supervisory authority of the performance of the 
activities described in paragraph (b)(1)(i) or (ii). 17 CFR 
    \26\ ``Governing body'' is defined as, the proprietor, if the 
futures commission merchant is a sole proprietorship; a general 
partner, if the futures commission merchant is a partnership; the 
board of directors if the futures commission merchant is a 
corporation; the chief executive officer, the chief financial 
officer, the manager, the managing member, or those members vested 
with the management authority if the futures commission merchant is 
a limited liability company or limited liability partnership. 17 CFR 
    \27\ ``Senior management'' is defined as, any officer or 
officers specifically granted the authority and responsibility to 
fulfill the requirements of senior management by the governing body. 
17 CFR 1.11(b)(5).
    \28\ 17 CFR 1.11(c).
    \29\ 17 CFR 1.11(d).

    The Commission seeks comment generally on the RMP structure and 
related governance requirements currently found in the RMP Regulations 
for SDs and FCMs. In addition, commenters should seek to address the 
following questions:
    1. Do the definitions of ``governing body'' in the RMP Regulations 
encompass the variety of business structures and entities used by SDs 
and FCMs?
    a. Should the Commission consider expanding the definition of 
``governing body'' in Regulation 23.600(a)(4) to include other officers 
in addition to an SD's CEO, or other bodies other than an SD's board of 
directors (or body performing a similar function)?
    b. Are there any other amendments to the ``governing body'' 
definition in

[[Page 45829]]

Regulation 23.600(a)(4) that the Commission should consider?
    c. Should similar amendments be considered for the ``governing 
body'' definition applicable to FCMs in Regulation 1.11(b)(3)?
    2. Should the Commission consider amending the definitions of 
``senior management'' in the RMP Regulations? Are there specific roles 
or functions within an SD or FCM that the Commission should consider 
including in the RMP Regulations' ``senior management'' definitions?
    3. Should the RMP Regulations specifically address or discuss 
reporting lines within an SD's or FCM's RMU?
    4. Should the Commission propose and adopt standards for the 
qualifications \30\ of certain RMU personnel (e.g., model validators)? 

    \30\ This could include, for example, prior risk management 
    \31\ Regulations 23.600(b)(5) and 1.11(d) require SDs and FCMs 
to establish and maintain RMUs with ``qualified personnel.'' 17 CFR 
23.600(b)(5); 17 CFR 1.11(d).

    5. Should the RMP Regulations further clarify RMU independence and/
or freedom from undue influence, other than the existing general 
requirement that the RMU be independent of the business unit or 
business trading unit? \32\

    \32\ See 17 CFR 23.600(b)(5). This concept relates to the fact 
that an RMU may be wholly ``independent'' from the business unit or 
business trading unit in terms of physical location and reporting 
lines, but that does not necessarily equate to freedom from undue 
influence. For example, during model validation activities, an SD's 
business trading unit, whose staff created the model, may try to 
improperly influence the RMU's model reviewer employees, who are 
undertaking an independent assessment of it.

    6. Are there other regulatory regimes the Commission should 
consider in a holistic review of the RMP Regulations? For instance, 
should the Commission consider harmonizing the RMP Regulations with the 
risk management regimes of prudential regulators? \33\

    \33\ See 7 U.S.C. 1a(39) (defining the term ``prudential 
regulator''). Non-U.S. SDs may also be subject to prudential 
supervision by regulatory authorities in their home jurisdiction.

    7. Are there other portions of the RMP Regulations concerning 
governance that are not addressed above that the Commission should 
consider changing? Please explain.

B. Enumerated Risks in the Risk Management Program Regulations

    The RMP Regulations specify certain enumerated risks that SDs' and 
FCMs' RMPs must consider. Specifically, Regulation 23.600(c)(1)(i) 
identifies specific areas of enumerated risk that an SD's RMP must take 
into account: market risk, credit risk, liquidity risk, foreign 
currency risk, legal risk, operational risk, and settlement risk.\34\ 
Though not identical, Regulation 1.11(e)(1)(i) similarly lists specific 
areas of enumerated risk that an FCM's RMP must take into account: 
market risk, credit risk, liquidity risk, foreign currency risk, legal 
risk, operational risk, settlement risk, segregation risk, 
technological risk, and capital risk.\35\

    \34\ 17 CFR 23.600(c)(1).
    \35\ 17 CFR 1.11(e)(1)(i).

    Regulation 23.600(c)(4) requires that an SD's RMP include, but not 
be limited to, policies and procedures necessary to monitor and manage 
all of the risks enumerated in Regulation 23.600(c)(1)(i), as well as 
requiring that the policies and procedures for each such risk take into 
account specific risk management considerations.\36\ In contrast, 
Regulation 1.11(e)(3) requires that an FCM's RMP include, but not be 
limited to, policies and procedures that monitor and manage segregation 
risk, operational risk, and capital risk, along with enumerating 
specific risk management considerations that are required to be 
included and/or addressed in the policies and procedures for these 
risks.\37\ Unlike Regulation 23.600(c)(4), Regulation 1.11(e)(3) does 
not explicitly require policies and procedures, or enumerate attendant 
specific risk considerations, for all of the types of risk that must be 
taken into account by an FCM's RMP pursuant to Regulation 
1.11(e)(1)(i), focusing instead on segregation, operational, and 
capital risks.

    \36\ 17 CFR 23.600(c)(4).
    \37\ 17 CFR 1.11(e)(3).

    The Commission requests comment on SDs' and FCMs' enumerated risks 
generally, including: (a) whether specific risk considerations that 
must be taken into account with respect to certain enumerated risks 
should be amended; (b) whether definitions should be added for each 
enumerated risk; and finally, (c) whether the Commission should 
enumerate and define any additional types of risk in the RMP 
Regulations. In particular:
    1. Should the Commission amend Regulation 1.11(e)(3) to require 
that FCMs' RMPs include, but not be limited to, policies and procedures 
necessary to monitor and manage all of the enumerated risks identified 
in Regulation 1.11(e)(1) that an FCM's RMP is required to take into 
account, not just segregation, operational, or capital risk (i.e., 
market risk, credit risk, liquidity risk, foreign currency risk, legal 
risk, settlement risk, and technological risk)? If so, should the 
Commission adopt specific risk management considerations for each 
enumerated risk, similar to those described in Regulation 23.600(c)(4)?
    2. Regulation 23.600(c)(4)(i) requires SDs to establish policies 
and procedures necessary to monitor and manage market risk.\38\ These 
policies and procedures must consider, among other things, ``timely and 
reliable valuation data derived from, or verified by, sources that are 
independent of the business trading unit, and if derived from pricing 
models, that the models have been independently validated by qualified, 
independent external or internal persons.'' \39\

    \38\ 17 CFR 23.600(c)(4)(i).
    \39\ 17 CFR 23.600(c)(4)(i)(B).

    a. Does this validation requirement in Regulation 
23.600(c)(4)(i)(B) warrant clarification?
    b. Should validation, as it is currently required in Regulation 
23.600(c)(4)(i)(B), align more closely with the validation of margin 
models discussed in Regulation 23.154(b)(5)? \40\

    \40\ 17 CFR 23.154(b)(5) (outlining the process and requirements 
for the control, oversight, and validation mechanisms for initial 
margin models).

    3. The policies and procedures mandated by Regulations 
23.600(c)(4)(i) and (ii) to monitor and manage market risk and credit 
risk must take into account, among other considerations, daily 
measurement of market exposure, including exposure due to unique 
product characteristics and volatility of prices, and daily measurement 
of overall credit exposure to comply with counterparty credit 
limits.\41\ To manage their risk exposures, SDs employ various 
financial risk management tools, including the exchange of initial 
margin for uncleared swaps. In that regard, the Commission has set 
forth minimum initial margin requirements for uncleared swaps,\42\ 
which can be calculated using either a standardized table or a 
proprietary risk-based model.\43\ An SD's risk exposures to certain 
products and underlying asset classes may, however, warrant the 
collection and posting of initial margin above the minimum regulatory 
requirements set forth in the standardized table. Should the Commission 
expand the specific risk management considerations listed in 
Regulations 23.600(c)(4)(i)-(ii) to add

[[Page 45830]]

that an SD's RMP policies and procedures designed to manage market risk 
and/or credit risk must also take into account whether the collection 
or posting of initial margin above the minimum regulatory requirements 
set forth in the standardized table is warranted?

    \41\ 17 CFR 23.600(c)(4)(i)-(ii).
    \42\ 17 CFR 23.150-161. In adopting the margin requirements for 
uncleared swaps, the Commission noted that the initial margin amount 
required under the rules is a minimum requirement. See Margin 
Requirements for Uncleared Swaps for Swap Dealers and Major Swap 
Participants, 81 FR 636, 649 (Jan. 6, 2016). This is consistent with 
CEA section 4s(e), which directed the Commission to prescribe by 
rule or regulation minimum margin requirements for non-bank SDs. See 
7 U.S.C. 6s(e)(2)(B).
    \43\ 17 CFR 23.154.

    4. The RMP Regulations enumerate, but do not define, the specific 
risks that SDs' and FCMs' RMPs must take into account. Should the 
Commission consider adding definitions for any or all of these 
enumerated risks? If so, should the enumerated risk definitions be 
identical for both SDs and FCMs?
    5. The Federal Reserve and Basel III define ``operational risk'' as 
the risk of loss resulting from inadequate or failed internal 
processes, people, and systems or from external events.\44\ Would 
adding a definition of ``operational risk'' to the RMP Regulations that 
is closely aligned with this definition increase clarity and/or 
efficiencies for SD and FCM risk management practices, or otherwise be 
helpful? Should the Commission consider identifying specific sub-types 
of operational risk for purposes of the SD and FCM RMP requirements?

    \44\ 12 CFR 217.101(b); Basel Committee on Banking Supervision, 
``Calculation of RWA for Operational Risk'' (Dec. 2019), available 
at https://www.bis.org/basel_framework/chapter/OPE/10.htm?inforce=20191215&published=20191215.

    6. Technological risk is identified in Regulation 1.11(e)(1)(i) as 
a type of risk that an FCM's RMP must take into account; however, 
technological risk is not similarly included in Regulation 
23.600(c)(1)(i) as an enumerated risk that an SD's RMP must address. 
Should the Commission amend Regulation 23.600(c)(1)(i) to add 
technological risk as a type of risk that SDs' RMPs must take into 
    a. Should technological risk, if added for SDs, be identified as a 
specific risk consideration within operational risk, as described by 
Regulation 23.600(c)(4)(vi), or should it be a standalone, 
independently enumerated area of risk?
    b. If technological risk is added as its own enumerated area of 
risk, what risk considerations should an SD's RMP policies and 
procedures address, as required by Regulation 23.600(c)(4)?
    c. Relatedly, although technological risk is included in the 
various types of risk that an FCM's RMP must take into account, no 
specific risk considerations for technological risk are further 
outlined in Regulation 1.11(e)(3).\45\ What, if any, specific risk 
considerations for technological risk should be added to Regulation 
1.11(e)(3)? Should the Commission categorize any additional specific 
risk considerations for technological risk as a subset of the existing 
``operational risk'' considerations in Regulation 1.11(e)(3)(ii), or 
should ``technological risk'' have its own independent category of 
specific risk considerations in Regulation 1.11(e)(3)?

    \45\ See 17 CFR 1.11(e)(1)(i); cf. 17 CFR 1.11(e)(3)(i)-(iii).

    d. Should the Commission define ``technological risk'' in the RMP 
Regulations? For example, Canada's Office of the Superintendent of 
Financial Institutions (OSFI) defines ``technology risk'' as ``the risk 
arising from the inadequacy, disruption, destruction, failure, damage 
from unauthorized access, modifications, or malicious use of 
information technology assets, people or processes that enable and 
support business needs and can result in financial loss and/or 
reputational damage.'' \46\ If the Commission were to add a definition 
of ``technological risk'' to the RMP Regulations, should it be 
identical or similar to that recently finalized by OSFI? \47\ If not, 
how should it otherwise be defined? Should the Commission consider 
different definitions of ``technological risk'' for SDs and FCMs? 
Should the Commission consider providing examples of ``information 
technology assets'' to incorporate risks that may arise from the use of 
certain emerging technologies, such as artificial intelligence and 
machine learning technology, distributed ledger technologies (e.g., 
blockchains), digital asset and smart contract-related applications, 
and algorithmic and other model-based technology applications?

    \46\ See OSFI Guideline B-13, Technology and Cyber Risk 
Management (July 2022), available at https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/b13.aspx. The final Guideline B-
13 will be effective as of January 1, 2024.
    \47\ The prudential regulators and the Securities and Exchange 
Commission (SEC) have not yet proposed or adopted definitions of 
``technological risk.'' Accordingly, Commission staff turned to non-
U.S. financial regulators for potential definitions of this term. 
Canada's OSFI recently finalized its definition of ``technology 
risk,'' following extensive engagement with industry and the public 
that included the September 2020 publication of its discussion paper 
and a consultation period from September to December 2020; the 
issuance of proposed guidance in November 2021; and further 
consultation on its proposed guidance from November 2021 to February 
2022. See OSFI Releases New Guideline for Technology and Cyber Risk, 
Balancing Innovation with Risk Management (July 13, 2022), available 
at https://www.osfi-bsif.gc.ca/Eng/osfi-bsif/med/Pages/b13-nr.aspx.

    7. Are there any other types of risk that the Commission should 
consider enumerating in the RMP Regulations as risks required to be 
monitored and managed by SDs' and FCMs' RMPs? Geopolitical risk? 
Environmental, social and governance (ESG) risk? Climate-related 
financial risk, including physical risk and transition risk such as the 
energy transition? Reputational risk? Funding risk? Collateral risk? 
Concentration risk? Model risk? Cybersecurity risk? Regulatory and 
compliance risk arising from conduct in foreign jurisdictions? 
Contagion risk?
    a. Should these potential new risks be defined in the RMP 
    b. With respect to each newly suggested enumerated risk, what, if 
any, specific risk considerations should an SD's or FCM's RMP policies 
and procedures be required to include?
    c. Are there international standards for risk management with which 
the Commission should consider aligning the RMP Regulations?

C. Periodic Risk Exposure Reporting by Swap Dealers and Futures 
Commission Merchants

    In accordance with Regulation 23.600(c)(2), an SD must provide to 
its senior management and governing body a quarterly RER containing 
specific information on the SD's risk exposures and the current state 
of its RMP; the RER shall also be provided to the SD's senior 
management and governing body immediately upon the detection of any 
material change in the risk exposure of the SD.\48\ SDs are required to 
furnish copies of all RERs to the Commission within five (5) business 
days of providing such RERs on a quarterly basis to their senior 
management.\49\ Likewise, Regulation 1.11(e)(2) has an identical RER 
requirement for FCMs.\50\

    \48\ 17 CFR 23.600(c)(2). SD RERs shall set forth the market, 
credit, liquidity, foreign currency, legal, operational, settlement, 
and any other applicable risk exposures of the SD; any recommended 
or completed changes to the RMP; the recommended time frame for 
implementing recommended changes; and the status of any incomplete 
implementation of previously recommended changes to the RMP. Id.
    \49\ 17 CFR 23.600(c)(2)(ii).
    \50\ 17 CFR 1.11(e)(2).

    This Notice seeks comment generally on how the current RER regime 
for SDs and FCMs could be improved, as well as specific responses to 
the questions listed below:
    1. At what frequency should the Commission require SDs and FCMs to 
furnish copies of their RERs to the Commission?
    2. Should the Commission consider changing the RER filing 
requirements to require filing with the Commission by a certain day 
(e.g., a week, month, or other specific timeframe after the quarter-
end), rather than tying the filing requirement to when the RER is 
furnished to senior management?
    3. Should the Commission consider harmonizing or aligning, in whole 
or in part, the RER content requirements in

[[Page 45831]]

the RMP Regulations with those of the National Futures Association 
(NFA)'s SD monthly risk data filings? \51\

    \51\ SDs must report certain metrics related to market and 
credit risk, including Value at Risk (VaR) for interest rates, 
credit, forex, equities, commodities, and total VaR; total stressed 
VaR; interest rate sensitivity by tenor bucket; credit spread 
sensitivity; forex market sensitivities; commodity market 
sensitivities; total swaps current exposure before collateral; total 
swaps current exposure net of collateral; total credit valuation 
adjustment or expected credit loss; and largest swaps counterparty 
current exposures. See NFA, Notice I-17-10: Monthly Risk Data 
Reporting Requirements for Swap Dealers (May 30, 2017), available at 

    a. If so, should the Commission consider any changes or additions 
to the data metrics currently collected by NFA as could be required in 
the RMP Regulations?
    b. For FCMs who are not currently required to file monthly risk 
data filings with NFA, were the Commission to adopt a monthly risk 
exposure reporting requirement, are there different risk data metrics 
for FCMs that it should consider including? If so, what are they?
    4. Are there additional SD or FCM-specific data metrics or risk 
management issues that the Commission should consider adding to the 
content requirements of the RER?
    5. Should the Commission consider prescribing the format of the 
RERs? For instance, should the Commission consider requiring the RER to 
be a template or form that SDs and FCMs fill out?
    6. In furtherance of the RER filing requirement, should the 
Commission consider allowing SDs and FCMs to furnish to the Commission 
the internal risk reporting they already create, maintain, and/or use 
for their risk management program?
    a. If so, how often should these reports be required to be filed 
with the Commission?
    b. If the Commission allowed an SD or FCM to provide the Commission 
with its own risk reporting, should the Commission prescribe certain 
minimum content and/or format requirements?
    7. Should the Commission consider prescribing the standard SDs and 
FCMs use when determining whether they have experienced a material 
change in risk exposure, pursuant to Regulations 23.600(c)(2)(i) and 
1.11(e)(2)(i)? Alternatively, should the Commission continue to allow 
SDs and FCMs to use their own internally-developed standards for 
determining when such a material change in risk exposure has occurred?
    8. Should the Commission clarify the requirements in Regulations 
23.600(c)(2)(i) and 1.11(e)(2)(i) that RERs shall be provided to the 
senior management and the governing body immediately upon detection of 
any material change in the risk exposure of the SD or FCM?
    9. Should the Commission consider setting a deadline for when an SD 
or FCM must notify the Commission of any material changes in risk 
exposure? If so, what should be the deadline?
    10. Should the Commission consider additional governance 
requirements in connection with the provision of the quarterly RER to 
the senior management and the governing body of a SD, or of an FCM, 
    11. Should the Commission require the RERs to report on risk at the 
registrant level, the enterprise level (in cases where the registrant 
is a subsidiary of, affiliated with, or guaranteed by a corporate 
family), or both? What data metrics are relevant for each level?
    12. Should the Commission require that RERs contain information 
related to any breach of risk tolerance limits described in Regulations 
23.600(c)(1)(i) and 1.11(e)(1)(i)? Alternatively, should the Commission 
require prompt notice, outside of the RER requirement, of any breaches 
of the risk tolerance limits that were approved by an SD's or FCM's 
senior management and governing body? Should there be a materiality 
standard for inclusion of breaches in RERs or requiring notice to the 
    13. Should the Commission require that RERs contain information 
related to material violations of the RMP policies or procedures 
required in Regulations 23.600(b)(1) and 1.11(c)(1)?
    14. Should the Commission require that RERs additionally discuss 
any known issues, defects, or gaps in the risk management controls that 
SDs and FCMs employ to monitor and manage the specific risk 
considerations under Regulations 23.600(c)(4) and 1.11(e)(3), as well 
as including a discussion of their progress toward mitigation and 

D. Other Areas of Risk

    Recent market, credit, operational, and geopolitical events have 
highlighted the critical importance of risk management and the need to 
periodically review risk management practices. Therefore, the 
Commission is interested in feedback and comment on other RMP-related 
topics, specifically: (1) the segregation of customer funds and 
safeguarding of counterparty collateral, and (2) risks posed by 
affiliates, lines of business, and other trading activity. The 
Commission continues to have confidence in its regulations governing 
the segregation of customer funds in traditional derivatives markets. 
The questions below are intended to assist the Commission in its 
ongoing evaluation of whether and how RMP regulations and practices at 
FCMs and SDs adequately and comprehensively address risks arising from 
new or evolving market structures, products, and registrants.
a. Potential Risks Related to the Segregation of Customer Funds and 
Safeguarding Counterparty Collateral
    The segregation of customer funds and safeguarding of counterparty 
collateral are cornerstones of the Commission's FCM and SD regulatory 
regimes, respectively. Currently, the existing RMP Regulations address 
the management of segregation risk and the safeguarding of counterparty 
collateral in different ways, given the differing business models 
between FCMs and SDs. Regulation 1.11(e)(3)(i) requires an FCM's RMP to 
include written policies and procedures reasonably designed to ensure 
segregated funds are separately accounted for and segregated or secured 
as belonging to customers.\52\ This requirement further lists several 
subjects that must, ``at a minimum,'' be addressed by an FCM's RMP 
policies and procedures, including the evaluation and monitoring 
process for approved depositories, the treatment of related residual 
interest, transfers, and withdrawals, and permissible investments.

    \52\ 17 CFR 1.11(e)(3)(i).

    Although Regulation 23.600(c)(6) of the SD RMP Regulations requires 
compliance with all capital and margin requirements, Regulation 23.600 
does not explicitly require an SD's RMP to include written policies and 
procedures to safeguard counterparty collateral. Rather, the Commission 
chose to adopt Regulations 23.701 through 23.703 for the purpose of 
establishing a separate framework for the elected segregation of assets 
held as collateral in uncleared swap transactions.\53\ Additionally, 
the Commission requires certain initial margin to be held through 
custodial arrangements in accordance with Regulation 23.157.\54\

    \53\ 17 CFR 23.701-23.703.
    \54\ 17 CFR 23.157.

    The Commission seeks comment generally on the risks attendant to 
the segregation of customer funds and the safeguarding of counterparty 
collateral. In addition, commenters should seek to address the 
following questions:
    1. Do the current RMP Regulations for FCMs adequately and 
comprehensively require them to identify, monitor, and

[[Page 45832]]

manage the risks associated with the segregation of customer funds and 
the protection of customer property? Are there other Commission 
regulations that address these risks for FCMs?
    2. Currently, the Commission understands that no FCM holds customer 
property in the form of virtual currencies or other digital assets such 
as stablecoins. To the extent that FCMs may consider engaging in this 
activity in the future, would the current RMP Regulations for FCMs 
adequately and comprehensively require them to identify, monitor, and 
manage the risks associated with that activity, including custody with 
a third-party entity?
    3. Do the current RMP Regulations for SDs adequately and 
comprehensively require them to identify, monitor, and manage all of 
the risks associated with the collection, posting, and custody of 
counterparty collateral and the protection of such assets? Are there 
any other risks that should be addressed by the RMP Regulations for SDs 
related to the collection, posting, and custody of counterparty 
    4. Do the Commission's RMP Regulations adequately address risks to 
customer funds or counterparty collateral that may be associated with 
SDs and FCMs that have multiple business lines and registrations? 
Although the Commission understands that SDs and FCMs currently engage 
in limited activities with respect to digital assets, should the 
Commission consider additional RMP requirements applicable to SDs and 
FCMs that are or may become involved in, or affiliated with, the 
provision of digital asset financial services or products (e.g., 
digital asset lending arrangements or derivatives)?
b. Potential Risks Posed by Affiliates, Lines of Business, and All 
Other Trading Activity
    In light of increasing market volatility and recent market 
disruptions, as well as the growth of digital asset markets, the 
Commission generally seeks comment on the risks posed by SDs' and FCMs' 
affiliates and related trading activity. Generally, the RMP Regulations 
require SD and FCM RMPs to take into account risks posed by affiliates 
and related trading activity. Specifically, Regulation 23.600(c)(1)(ii) 
requires an SD's RMP to take into account ``risks posed by affiliates'' 
with the RMP integrated into risk management functions at the 
``consolidated entity level.'' \55\ Similarly, Regulation 
1.11(e)(1)(ii) requires an FCM's RMP to take into account risks posed 
by affiliates, all lines of business of the FCM, and all other trading 
activity engaged in by the FCM.'' \56\

    \55\ 17 CFR 23.600(c)(1)(ii).
    \56\ 17 CFR 1.11(e)(1)(ii).

    Some SDs and FCMs are subject to regulatory requirements designed 
to mitigate certain risks arising from certain affiliate activities. 
For example, SDs and FCMs that are affiliates or subsidiaries of a 
banking entity may have to comply with certain restrictions and 
requirements on inter-affiliate activities. Further, those SDs and FCMs 
that are subject to the Volcker Rule, codified and implemented in part 
75 of the Commission's regulations, and incorporated into other 
requirements, such as Regulation 3.3, are subject to the Volcker Rule's 
risk management program and compliance program requirements.\57\

    \57\ 17 CFR part 75; 17 CFR 3.3.

    The Commission seeks comment generally on the requirements related 
to risks posed by affiliates and related trading activity found within 
the RMP Regulations for SDs and FCMs, including non-bank affiliated SDs 
or non-bank affiliated FCMs. In addition, commenters should seek to 
address the following questions:
    1. What risks do affiliates (including, but not limited to, parents 
and subsidiaries) pose to SDs and FCMs? Are there risks posed by an 
affiliate trading in physical commodity markets, trading in digital 
asset markets, or relying on affiliated parties to meet regulatory 
requirements or obligations? Are there contagion risks posed by the 
credit exposures of affiliates? Are there risks posed by other lines of 
business of an SD, or of an FCM, respectively, that are not adequately 
or comprehensively addressed by the Commission's regulations, 
including, as applicable, the Volcker Rule regulations found in 17 CFR 
part 75?
    2. Do the current RMP Regulations adequately and comprehensively 
address the risks associated with the activities of affiliates (whether 
such affiliates are unregulated, less regulated, or subject to 
alternative regulatory regimes), or of other lines of business, of an 
SD or of an FCM, respectively, that could affect SD or FCM operations? 
Alternatively, to what extent are the risks posed by affiliates 
discussed in this section adequately addressed through other regulatory 
requirements (for example, the Volcker Rule or other prudential 
regulations, or applicable non-U.S. laws, regulations, or standards)?
    3. Should the Commission further expand on how SD and FCM RMPs 
should address risks posed by affiliates in the RMP Regulations, 
including any specific risks? Should the Commission consider 
enumerating any specific risks posed by affiliates or related trading 
activities within the RMP Regulations, either as a separate enumerated 
risk, or as a subset of an existing enumerated area of risk (e.g., 
operational risk, credit risk, etc.)?

    Issued in Washington, DC, on July 12, 2023, by the Commission.
Robert Sidman,
Deputy Secretary of the Commission.

    Note:  The following appendices will not appear in the Code of 
Federal Regulations.

Appendices to Risk Management Program Regulations for Swap Dealers, 
Major Swap Participants, and Futures Commission Merchants--Voting 
Summary and Chairman's and Commissioners' Statements

Appendix 1--Voting Summary

    On this matter, Chairman Behnam and Commissioners Johnson, 
Goldsmith Romero, Mersinger, and Pham voted in the affirmative. No 
Commissioner voted in the negative.

Appendix 2--Statement of Chairman Rostin Behnam

    I appreciate all of the Market Participants Division staff's 
hard work on this proposal. I look forward to the public's 
thoughtful comments on the proposal to inform a potential future 
rulemaking or guidance for the Commission's risk management program 
regulations for swap dealers and futures commission merchants.

Appendix 3--Statement of Commissioner Christy Goldsmith Romero on 
Advance Notice of Proposed Rulemaking on Risk Management Program 

    Management of existing, evolving, and emerging risk is paramount 
to the financial stability of the United States and global markets. 
This is evidenced by the recent bank failures, followed by 
subsequent government action taken out of regulatory concern over 
possible contagion effect to other banks and broader economic 
spillover.\1\ Federal Reserve Board Vice Chair Michael Barr recently 
testified before the Senate at a hearing on the bank failures, ``the 
events of the last few weeks raise questions about evolving risks 
and what more can and should be done so that isolated banking 
problems do not

[[Page 45833]]

undermine confidence in healthy banks and threaten the stability of 
the banking system as a whole.'' \2\

    \1\ See Statement of Martin J. Gruenberg, Chairman Federal 
Deposit Insurance Corporation Chair on ``Recent Bank Failures and 
the Federal Regulatory Response'' before the Committee of Banking, 
Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) https://www.banking.senate.gov/imo/media/doc/Gruenberg%20Testimony%203-28-23.pdf; see also Hearing on Recent Bank Failures and the Federal 
Regulatory Response, United States Senate Committee on Banking, 
Housing, and Urban Affairs (Mar. 28, 2023) https://www.banking.senate.gov/hearings/recent-bank-failures-and-the-federal-regulatory-response.
    \2\ Statement of Michael S. Barr, Vice Chair for Supervision, 
Board of Governors of the Federal Reserve System before the 
Committee of Banking, Housing and Urban Affairs, U.S. Senate (Mar. 
28, 2023) https://www.banking.senate.gov/imo/media/doc/Barr%20Testimony%203-28-231.pdf.

    Sound risk management is particularly crucial for CFTC-
registered swap dealers, the majority of which are global 
systemically important banks on Wall Street (or their affiliates) or 
other prudentially-regulated banks. If there was any one issue at 
the center of the 2008 financial crisis, it was the failure of risk 
management by Wall Street. The Dodd-Frank Wall Street Reform and 
Consumer Protection Act required these dealers to establish and 
maintain risk management programs. The Commission implemented its 
risk management requirements for swap dealers in 2012. Then in 2013, 
the Commission required that brokers in the derivatives markets, 
known as futures commission merchants (``FCMs''), establish and 
maintain risk management programs after two brokers, MF Global and 
Peregrine Financial, misused customer funds and collapsed from a 
combination of hidden risks and fraud.\3\

    \3\ This dovetailed with Commission requirements that brokers 
segregate customer assets from company assets and house accounts.

    Re-evaluating our risk management rules is responsible and 
necessary to keep pace with evolving markets that can give rise to 
emerging risk. The last three years presented unprecedented risk. 
The pandemic, its lingering supply chain disruptions, Russia's war 
against Ukraine, climate disasters that proved to be the most-costly 
three years on record, a spike in ransomware and other cyber attacks 
(including on ION Markets and Colonial Pipeline), and increasing 
geo-political tensions involving the U.S. and China, have emerged as 
often interrelated areas of significant risk. Additionally, as 
Chairman of the Federal Deposit Insurance Corporation (``FDIC''), 
Martin Gruenberg testified before the Senate, ``the financial system 
continues to face significant downside risks from the effects of 
inflation, rising market interest rates, and continuing geopolitical 
uncertainties.'' \4\

    \4\ See Statement of Martin J. Gruenberg, Chairman Federal 
Deposit Insurance Corporation Chair on ``Recent Bank Failures and 
the Federal Regulatory Response'' before the Committee of Banking, 
Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) https://www.banking.senate.gov/imo/media/doc/Gruenberg%20Testimony%203-28-23.pdf.

    Evolving technologies like digital assets, artificial 
intelligence, and cloud services, also have emerged as areas that 
can carry significant risk.\5\ Vice Chair Barr testified before the 
Senate, ``recent events have shown that we must evolve our 
understanding of banking in light of changing technologies and 
emerging risks. To that end, we are analyzing what recent events 
have taught us about banking, customer behavior, social media, 
concentrated and novel business models, rapid growth, deposit runs, 
interest rate risk, and other factors, and we are considering the 
implications for how we should be regulating and supervising our 
financial institutions. And for how we think about financial 
stability.'' \6\

    \5\ See Commissioner Christy Goldsmith Romero, Opening Remarks 
at the Technology Advisory Committee on DeFi, Responsible Artificial 
Intelligence, Cloud Technology & Cyber Resilience (Mar. 22, 2023), 
https://www.cftc.gov/PressRoom/SpeechesTestimony/romerostatement032223; see also Department of Treasury, The 
Financial Services Sector's Adoption of Cloud Services (Feb. 8, 
2023), https://home.treasury.gov/news/press-releases/jy1252.
    \6\ See Statement of Michael S. Barr, Vice Chair for 
Supervision, Board of Governors of the Federal Reserve System before 
the Committee of Banking, Housing and Urban Affairs, U.S. Senate 
(Mar. 28, 2023) https://www.banking.senate.gov/imo/media/doc/Barr%20Testimony%203-28-231.pdf (adding that Silicon Valley Bank 
``failed to manage the risks of its liabilities. These liabilities 
were largely composed of deposits from venture capital firms and the 
tech sector, which were highly concentrated and could be 

    The Commission should ensure that our risk management frameworks 
for banks and brokers reflect and keep pace with the significant 
evolution of financial stability risk. It is equally important for 
the Commission to be forward-looking to ensure that our risk 
management frameworks capture future risk as it could evolve or 
emerge.\7\ The Commission is considering whether to enumerate 
specific areas of risk that banks and brokers would be required to 
address. This could include for example, geopolitical risk, 
cybersecurity risk, climate-related financial risk or contagion 

    \7\ Additionally, CFTC staff have observed significant variance 
in how swap dealers and brokers are defining and reporting on risk 
areas, making it difficult for CFTC staff to gain a clear 
understanding of how specific risk exposures are being monitored and 
managed. Furthermore, some swap dealers have indicated that they do 
not rely on the information in CFTC risk reporting for their 
internal risk management. Improving the efficacy of CFTC 
requirements for swap dealers' own risk management, along with the 
Commission's ability to monitor risk are worthwhile goals.

    The Commission seeks public comment in its reassessment of its 
risk management frameworks. I am particularly interested in comment 
on the following areas: (1) Technology Risk; (2) Cyber Risk; (3) 
Affiliate Risk; (4) Risk related to segregating customer funds and 
safeguarding counterparty collateral; and (5) Climate-Related 
Financial Risk.

Technology Risk

    Risk has emerged from the evolution of technology. Distributed 
ledger networks are being used or considered in certain markets; cloud 
data storage and computing has gone mainstream; and artificial 
intelligence hold the power to transform businesses. Many firms are 
also integrating, or are interested in integrating, digital assets into 
their businesses, or plan to do so. All of these emerging or evolving 
technologies carry risks.
    Digital assets carry risks--something that has become all too clear 
in the past year. Silvergate Bank, which recently failed, was almost 
exclusively known for providing services to digital asset firms.\8\ 
According to FDIC Chairman Gruenberg, ``Following the collapse of 
digital asset exchange FTX in November 2022, Silvergate Bank released a 
statement indicating that it had $11.9 billion in digital asset-related 
deposits, and that FTX represented less than 10 percent of total 
deposits in an effort to explain that its exposure to the digital asset 
exchange was limited. Nevertheless, in the fourth quarter of 2022, 
Silvergate Bank experienced an outflow of deposits from digital asset 
customers that, combined with the FTX deposits, resulted in a 68 
percent loss in deposits--from $11.9 billion in deposits to $3.8 
billion. That rapid loss of deposits caused Silvergate Bank to sell 
debt securities to cover deposit withdrawals, resulting in a net 
earnings loss of $1 billion. On March 1, 2023, Silvergate Bank 
announced it would be delaying issuance of its 2022 financial 
statements and indicated that recent events raised concerns about its 
ability to operate as a going concern, which resulted in a steep drop 
in Silvergate Bank's stock price. On March 8, 2023, Silvergate Bank 
announced that it would self-liquidate.'' \9\

    \8\ See Statement of Martin J. Gruenberg, Chairman Federal 
Deposit Insurance Corporation Chair on ``Recent Bank Failures and 
the Federal Regulatory Response'' before the Committee of Banking, 
Housing and Urban Affairs, U.S. Senate (Mar. 28, 2023) https://www.banking.senate.gov/imo/media/doc/Gruenberg%20Testimony%203-28-23.pdf.
    \9\ See Id.

    Chairman Gruenberg further testified, ``Like Silvergate Bank, 
Signature Bank had also focused a significant portion of its business 
model on the digital asset industry. . . . Silvergate Bank operated a 
similar platform that was also used by digital asset firms. . . . In 
the second and third quarters of 2022, Signature Bank, like Silvergate, 
experienced deposit withdrawals and a drop in its stock price as a 
consequence of disruptions in the digital asset market due to failures 
of several high profile digital asset companies.'' \10\

    \10\ See Id.

    These technological advancements, with their accompanying risks, 
necessitate the Commission revisiting our regulatory oversight, 
including our risk management requirements. This is similar to other 
regulators revisiting their oversight in this area. According to Vice 
Chair Barr, the Federal Reserve ``recently decided to establish a 
dedicated novel activity supervisory group, with a team of experts 
focused on risks of novel activities, which should help improve 
oversight of banks like SVB in the future.'' \11\

    \11\ Statement of Michael S. Barr, Vice Chair for Supervision, 
Board of Governors of the Federal Reserve System before the 
Committee of Banking, Housing and Urban Affairs, U.S. Senate (Mar. 
28, 2023) https://www.banking.senate.gov/imo/media/doc/Barr%20Testimony%203-28-231.pdf.


[[Page 45834]]

    I am interested in comments on how the Commission should amend its 
risk management requirements to ensure that risks from technology are 
adequately identified, monitored, assessed and managed. I am also 
interested in public comment on any gaps in our risk management 
regulations that the Commission should address regarding technology.

Cyber Risk

    I am interested in public comment about how the Commission should 
update its risk management frameworks to address the growing and 
increasingly sophisticated threat of cyber attacks. The White House's 
recent National Cybersecurity Strategy stated:

    Our rapidly evolving world demands a more intentional, more 
coordinated, and more well-resourced approach to cyber defense. We 
face a complex threat environment, with state and non-state actors 
developing and executing novel campaigns to threaten our interests. 
At the same time, next-generation technologies are reaching maturity 
at an accelerating pace, creating new pathways for innovation while 
increasing digital interdependencies.\12\

    \12\ The White House, Fact Sheet: Biden-Harris Administration 
Announces National Cybersecurity Strategy, (Mar. 2, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/.

    Global cyber criminals and state-sponsored efforts can create or 
leverage a serious disruption to markets.
    I am also interested in comment on how the Commission should 
address risk management related to third party service providers. As 
I said in a speech in November, ``Even if financial firms have 
strong cybersecurity systems, their cybersecurity is only as strong 
as their most vulnerable third-party service provider. The threat 
can compound where several firms use the same software or other 
provider.'' \13\ Subsequently in February, a third-party service 
provider ION Markets suffered a cyber attack that compromised a 
number of brokers in the derivatives market. Treasury Deputy 
Assistant Secretary Todd Conklin, a member of the CFTC Technology 
Advisory Committee (``TAC'') presented at a recent TAC meeting that 
ION was not considered by firms to be a critical vendor.\14\ Given 
the severe threat of cyber attacks, I am interested in commenters' 
views on whether the Commission should specifically enumerate cyber 
risk, specifically include risks associated with third-party service 
providers in risk management frameworks, or include other 
requirements to ensure that cyber risk is adequately and 
comprehensively identified, assessed, and managed.

    \13\ See Commissioner Christy Goldsmith Romero, U.S. Commodity 
Futures Trading Commission, Protecting Against Emerging Global 
Fintech Threats in Cyberspace and Cryptocurrencies (Nov. 30, 2022), 
Keynote Remarks of Commissioner Christy Goldsmith Romero at the 
Futures Industry Association, Asia Derivatives Conference, 
Singapore, https://www.cftc.gov/PressRoom/SpeechesTestimony/oparomero4.
    \14\ See Technology Advisory Committee meeting (Mar. 22, 2023) 
Commissioner Goldsmith Romero Announces Technology Advisory 
Committee Meeting Agenda That Includes Cybersecurity, Decentralized 
Finance, and Artificial Intelligence, https://www.cftc.gov/PressRoom/Events/opaeventtac032223.

Affiliate Risk

    I am interested in commenters views on the questions related to 
affiliate risks, especially those related to risks that unregulated 
affiliates can pose to regulated entities. Currently, the 
Commission's rules provide that the risk management frameworks of 
banks and brokers shall ``take into account'' risks posed by 
affiliates. Affiliate risks can take many forms--from counterparty 
credit risk to operational risks to many others. The questions posed 
in this ANPRM are designed to flesh out details about affiliate 
risks, and whether such risks are sufficiently identified and 
adequately managed.
    Understanding affiliate risks is critically important given 
lessons learned from the past and more recent events. For example, 
AIG Financial Products (``AIGFP'') is the poster child for how risk 
of a seemingly remote, unregulated affiliate could undermine the 
stability of a large, diversified financial institution. AIGFP's 
damage reached well beyond its affiliates. AIGFP was a source of 
contagion for other market participants, ultimately spreading risks 
across Wall Street, contributing to a global financial crisis and 
massive taxpayer bailout. Most recently, the abrupt collapse of FTX, 
with its alleged lack of separation between affiliates as found by 
new CEO John Ray, led to a bankruptcy with more than 130 affiliate 
debtors, tying up billions of dollars and more than one million 
customers and creditors. Although LedgerX, a CFTC-regulated FTX 
affiliate, is not a debtor in the bankruptcy, the debtors sold 
LedgerX as a result.
    Existing Commission rules require that banks' and brokers' risk 
management programs ``take into account'' risks related to lines of 
business. That could include, for example, digital asset markets. In 
January, before the bank failures, federal bank regulatory agencies 
issued a recent joint statement outlining numerous ``key risks'' 
associated with bank involvement in the crypto-asset sector.\15\ I 
am interested in public comment on those key risks as they may apply 
specifically to the CFTC's regulated banks and brokers. About half 
of all CFTC-registered swap dealers are subject to some form of 
oversight by the prudential regulators.

    \15\ Joint Statement on Crypto-Asset Risks to Banking 
Organizations, Board of Governors of the Federal Reserve System, the 
Federal Deposit Insurance Corporation, and the Office of the 
Comptroller of the Currency (Jan. 3, 2023), https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20230103a1.pdf.

    Many brokers have expressed an interest in becoming further 
involved in digital assets as well. Risks can arise from regulated 
trading in crypto derivatives. The unregulated spot markets carry 
additional risks as seen with the collapse of FTX, Terra Luna, 
Celsius and numerous others that have resulted in substantial 
losses. This is in addition to operational risks and risks 
associated with rampant fraud and illicit finance in some parts of 
the crypto markets.

Risk Related to the Segregation of Customer Property and 
Safeguarding Counterparty Collateral in the Digital Asset Space

    Digital assets raise a host of issues about safeguarding 
customer property that were not contemplated at the time of the 2013 
risk management rule or the Commission's customer protection rules 
for brokers to segregate customer assets from company assets. For 
example, brokers may explore holding customer property in the form 
of stablecoins or other digital assets that could result in unknown 
and unique risks. These brokers may be confronted by third-party 
custody and other risks that should be identified and managed. 
Physical delivery may also present risk, particularly given the 
proliferation of cyber hacks. Application of the Commission's 
segregation rules may also need to be updated based on future risks 
related to digital assets (even risks not contemplated by the 
Commission today). I look forward to commenters' responses in this 
    It is necessary for the CFTC to seek public comment on our risk 
management framework in this important area of emerging risk so that 
we keep pace with evolution in our markets and technology. We should 
not assume that our existing segregation rules and risk management 
framework comprehensively cover the evolving risks in the 
markets.\16\ The Commission does not have a window into certain 
unregulated spaces, such as with digital assets, which could obscure 
risks faced by CFTC-regulated banks or brokers. Integration of 
digital assets with banks and brokers, and the risks that could be 
posed, could continue to evolve.

    \16\ The same could be true of swap dealers related to 
safeguarding counterparty collateral.

Climate-Related Financial Risk

    Developments in the management of climate-related financial risk 
are an important example of the need for the Commission to adopt a 
framework that helps banks and brokers keep pace with such emerging 
risks. When the Climate-Related Market Risk Subcommittee of our 
Market Risk Advisory Committee released its report in September 
2020, it was a ``first-of-its-kind effort from a U.S. government 
entity.'' \17\ Since then, other U.S. financial regulators have not 
only echoed this acknowledgment,\18\ but have moved ahead to

[[Page 45835]]

define the risk management framework that banks and other regulated 
entities must adopt for addressing physical and transition risks 
posed by climate change.\19\ Banks and brokers need frameworks that 
let them adapt to both the increasingly dire projections by climate 
scientists about the scope of physical impacts,\20\ and to the 
massive economic impetus to a transition to a lower carbon 
environment created via Congressional passage of the Inflation 
Reduction Act, the Bipartisan Infrastructure Law, and the CHIPS and 
Science Act.

    \17\ CFTC, CFTC's Climate-Related Market Risk Subcommittee 
Releases Report (Sept. 9, 2020), https://www.cftc.gov/PressRoom/PressReleases/8234-20.
    \18\ See Financial Stability Oversight Council, Financial 
Stability Oversight Council Identifies Climate Change as an Emerging 
and Increasing Threat to Financial Stability (October 21, 2021) 
    \19\ See, e.g., Federal Deposit Insurance Corporation, FIL-13-
2022, Request for Comment on Statement of Principles for Climate-
Related Financial Risk Management for Large Financial Institutions 
(March 30, 2022), https://www.fdic.gov/news/financial-institution-letters/2022/fil22013.html.
    \20\ Intergovernmental Panel on Climate Change, Climate Change 
2022: Impacts, Adaptation and Vulnerability (2022), https://www.ipcc.ch/report/ar6/wg2/chapter/summary-for-policymakers/.

    In just three years, climate-related financial risk management 
has gone from novelty to necessity. We should develop a framework 
that helps banks and brokers remain resilient to risks like this 
one, which will continue to develop for years to come. I have been 
advocating for the Commission to enhance its understanding of how 
market participants are managing climate-related financial risk.\21\ 
To that end, over the past year, I have been working with the 
National Futures Association (``NFA'') on a recently completed 
special project to assess how some of its members are identifying 
and managing climate-related financial risk. NFA learned that some 
of its members, particularly those already subject to oversight by 
U.S. and foreign banking regulators, are taking steps to manage both 
physical and transition risks. I look forward to hearing from 
commenters on how best to adapt our framework to incorporate these 
kinds of emerging risks.

    \21\ See Commissioner Christy Goldsmith Romero, U.S. Commodity 
Futures Trading Commission, Promoting Market Resilience (Sept. 28, 
2022), Statement of Commissioner Christy Goldsmith Romero before the 
Market Risk Advisory Committee, https://www.cftc.gov/PressRoom/SpeechesTestimony/romerostatement092822; Statement of CFTC 
Commissioner Christy Goldsmith Romero In Support of the Commission's 
Request for Information on Climate-Related Financial Risk (June 2, 
2022), https://www.cftc.gov/PressRoom/SpeechesTestimony/romerostatement060222.


    Sound risk management by banks (and other dealers) and brokers 
at the center of the U.S. derivatives markets is critical to 
financial stability. The stakes are high. These financial 
institutions and others take and carry significant risks that could 
impact financial stability. They are on the front lines of our 
financial markets, directly engaging with customers or 
counterparties. Customers have billions of dollars entrusted to 
these institutions. Market participants depend on liquidity, 
clearing and other critical functions performed by these 
    The Commission must fulfill its own responsibility to ensure 
that risk management programs at these institutions address the full 
scope of risks to customers, firms and markets, including keeping 
pace with evolving and emerging risk. We may never know how many 
catastrophes were avoided as a result of sound risk management 
programs, but we have seen what can happen when risks are not well 

Appendix 4--Statement of Commissioner Caroline D. Pham

    I support the Advance Notice of Proposed Rulemaking (ANPRM) 
seeking public comment on potential amendments to the Risk 
Management Program (RMP) requirements in CFTC rules 23.600 and 1.11 
\1\ (collectively, RMP Rules) applicable to swap dealers and futures 
commission merchants (FCMs), respectively. I believe in continuous 
improvement for not only our market participants, but for the 
Commission and its regulations too.

    \1\ See 17 CFR 23.600 and 1.11.

    I would like to thank the staff of the Market Participants 
Division for working closely with me on this ANPRM, and making 
revisions in response to my concerns, in particular Amanda Olear, 
Pamela Geraghty, Fern Simmons, Elizabeth Groover, and Samantha 
Ostrom. I also appreciate the opportunity to work collaboratively 
with the Chairman and my fellow Commissioners.
    It is critical that the public has the opportunity to provide 
input on any potential amendment or expansion of RMP requirements 
that is informed by actual experience from risk management officers, 
other control functions, and practitioners who have implemented and 
complied with the RMP Rules for the past 10 years, oftentimes within 
a broader enterprise-wide risk management program pursuant to other 
requirements from other regulators.
    Because the CFTC's rules are often only one part of much broader 
risk governance frameworks for financial institutions, the 
Commission must ensure that it has the full picture before coming to 
conclusions to ensure that our rules not only address any potential 
regulatory gaps or changes in risk profiles, but also avoids issuing 
rules that are conflicting, duplicative, or unworkable with other 
regulatory regimes.
    For example, the CFTC currently has 106 provisionally registered 
swap dealers.\2\ Of these 106 entities, both U.S. and non-U.S., all 
but a handful are also registered with and supervised by another 
agency or authority, such as a prudential, functional, or market 
regulator. Most of these swap dealers are subject to three or more 
regulatory regimes.

    \2\ See CFTC provisionally registered swap dealers, as of 
January 30, 2023, available at https://www.cftc.gov/LawRegulation/DoddFrankAct/registerswapdealer.html.

    Therefore, it is imperative that the Commission and the staff 
consider how the CFTC's RMP Rules work in practice together with the 
rules of other regulators, whether foreign or domestic. This key 
point is easily apparent in looking at the CFTC's substituted 
compliance regime for non-U.S. swap dealers, where the Commission 
has expressly found that non-U.S. swap dealers in certain 
jurisdictions are subject to comparable and comprehensive 
regulation, and therefore permits such non-U.S. swap dealers to 
``substitute'' compliance with home jurisdiction risk management 
regulations to satisfy CFTC rule 23.600.\3\

    \3\ On December 27, 2013, the Commission issued comparability 
determinations for certain entity-level requirements, including risk 
management, for the following jurisdictions: European Union; Canada; 
Switzerland; Japan; Hong Kong; and Australia. See Comparability 
Determinations for Substituted Compliance Purposes, available at 
(July 11, 2023).

    Issuing an ANPRM can be beneficial to initiate an open process 
to request information and stimulate dialogue with the public. As 
stated in the preamble, ``After Regulation 23.600 was initially 
adopted in 2012, the Commission received a number of questions from 
[swap dealers] concerning compliance with these requirements, 
particularly those concerning governance . . . . The intervening 
decade of examination findings and ongoing requests for staff 
guidance from [swap dealers] with respect to Regulation 23.600 
warrant consideration of the Commission's rules and additional 
public discourse on this topic.'' The preamble also states, 
``Furthermore, a number of [swap dealers] have indicated that the 
quarterly [risk exposure reports] are not relied upon for their 
internal risk management purposes, but rather, they are created 
solely to comply with Regulation 23.600, indicating to the 
Commission that additional consideration of the [risk exposure 
report] requirement is warranted.''
    I commend the Commission and staff for seeking to address areas 
of potential confusion, inconsistency, and inefficiencies in the RMP 
Rules. Risk management must be more than an exercise in paperwork. 
And lack of regulatory clarity can actually inhibit compliance 
simply because our registrants are unsure of supervisory 
expectations and are unclear as to what to implement. That is why I 
am focused as a Commissioner on providing clear rules and guidance 
to facilitate compliance with the Commission's regulations. I also 
support using this opportunity to improve our RMP Rules and I 
encourage commenters to explore how the RMP Rules could be aligned 
with other risk governance and risk management frameworks, such as 
prudential requirements for banking organizations, in order to more 
effectively and efficiently address risks.
    Regarding potential risks related to the segregation of customer 
funds and safeguarding counterparty collateral, I will note that the 
CFTC's existing rules are the gold standard for customer protection 
around the world. Further, our existing rules also address potential 
risks posed by affiliates, lines of business, and all other trading 
activity. While much attention has been paid to widespread fraud and 
failures of risk management in the cryptocurrency sector, it bears 
reminding that a so-called crypto exchange is a very different type 
of organization and business model from a highly regulated financial 
institution. The public should take care to avoid conflating these 
completely different entities--it is at least as wholly unlike one 
another as a domesticated housecat and a wild tiger. I look forward 
to comments on these two other areas of risk.

[[Page 45836]]

    Nonetheless, neither the Commission nor our registrants should 
be complacent. I reiterate this statement in the preamble: ``[T]he 
Commission also reminds [swap dealers] and FCMs that their RMPs may 
require periodic updates to reflect and keep pace with technological 
innovations that have developed or evolved since the Commission 
first promulgated the RMP Regulations.'' The benefit of a 
principles-based regulatory framework is that it can more quickly 
anticipate and adapt to changes in risk profiles or the operating 
environment. I believe our rules must be broad and flexible enough 
to be forward-looking and evergreen, because it is simply not 
possible to prescribe every last requirement for the unknown future. 
Accordingly, swap dealers and FCMs must be vigilant and address new 
and emerging risks in their RMPs through various risk stripes as 
appropriate--whether from changing market conditions, technological 
developments, geopolitical concerns, or any other event.
    I welcome input from commenters to inform the Commission and the 
staff regarding the application of the RMP Rules to swap dealers and 
FCMs, especially those entities that are part of a banking 
organization, and to describe in a detailed manner the policies, 
procedures, processes, systems, controls, testing, and audits that 
are part of an RMP, and associated governance requirements. In this 
way, it will be more clearly apparent to the Commission and staff 
that the vast majority of swap dealers and FCMs are part of 
enterprise-wide risk management programs that the industry spends 
billions of dollars on each year, with thousands of personnel across 
the three lines of defense. In addition, the CFTC's stringent RMP 
governance provisions ensure management accountability and 
responsibility, and the RMP Rules prescribe various requirements for 
swap dealers to address market risk, credit risk, liquidity risk, 
foreign currency risk, legal risk, operational risk, and settlement 
risk,\4\ and for FCMs to address market risk, credit risk, liquidity 
risk, foreign currency risk, legal risk, operational risk, 
settlement risk, segregation risk, technological risk, and capital 

    \4\ 17 CFR 23.600(c)(1).
    \5\ 17 CFR 1.11(e)(1)(i).

    Of course, financial institutions can still have lapses in risk 
management and weaknesses in their control environment. This is 
evident in the high-profile news stories of the past few years. But 
the appropriate response is for regulators, including the CFTC and 
National Futures Association (NFA), to increase focus and resources 
on compliance examinations to ensure that swap dealers and FCMs are 
complying with the rules we already have--not piling on more rules 
that ultimately do not enhance sound risk management and governance, 
and further dilute limited resources, time, and attention.\6\ In 
instances of especially egregious or prolonged deficiencies, 
material weakness, or misconduct by management, then enforcement 
actions may be appropriate, and the Commission should not shy away 
from this step.

    \6\ See Opening Statement of Commissioner Caroline D. Pham 
before the CFTC Technology Advisory Committee, March 22, 2023, 
available at https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement032223.

[FR Doc. 2023-15056 Filed 7-17-23; 8:45 am]