Today, the Division of Clearing and Risk (DCR) of the Commodity Futures Trading Commission (CFTC or Commission) issued a Staff Advisory on Review of Risks Associated with Expansion of DCO Clearing of Digital Assets (Staff Advisory).  The Staff Advisory acknowledges the introduction of innovative changes including novel financial products and platforms and new market participants operating in our regulated markets in recent years.  The Staff Advisory further acknowledges that careful evaluation may reveal heightened risks associated with certain clearing activities, particularly clearing activities in digital assets or cryptocurrency markets.

Begin A Rulemaking Process

While I support the Staff Advisory, the rationale for such a notice indicates the increasingly urgent need for the Commission to initiate a formal rulemaking process that invites a comprehensive evaluation of “heightened” risks associated with certain crypto clearing activities, ensures parallel customer protections apply across our markets for similar clearing activities, and proposes appropriate measures to mitigate unique as well as traditional risks. Specifically, proposed rules should address:

• Conflicts of interest arising from vertical integration of activities and functions;
• Custody and client asset protection;
• Operational and technological risk, specifically cyber-risks; and
• Market manipulation and fraud.

During my time in service at the Commission, I have repeatedly raised these very concerns when applauding enforcement actions and advocating for rulemakings, including, for example, the recent DCO Governance rulemaking.  Across these discussions as well as based on concerns presented at the Commission’s Roundtable on Non-Intermediation, [1] there is strong consensus and adequate grounds to begin a rulemaking process and consider ensuring parallel regulations govern the diverse market structures adopted in DCO markets.

Same Activity. Same Risks. Same Regulation.

In internal and public remarks, I have repeatedly called for the Commission to begin a rulemaking process to ensure that the same customer protection, risk management, and market stability measures embedded in our regulation for intermediated DCOs apply to all DCOs.[2] Part 39 of our regulations includes specific customer and market integrity protections for certain—but not all—clearing activities.

As the Staff Advisory indicates, we observe increased registration activity for crypto-commodity derivatives clearing and note that several proposed models adopt a non-intermediated market structure. Unless we introduce parallel regulation, these crypto-commodity derivatives clearing models may not be subject to the most rigorous regulatory standards. It is also imperative to note that these models may solicit or market products to retail or individual investors.

In other words, we may be exposing the most vulnerable investors—investors entering our markets with hard-earned cash from a long day’s work—to platforms with the higher risk management exposures and lower customer protections.

Based on the history of market structure in DCO markets, and the absence of significant retail or individual investor activity in particular, our regulations must be refined to sufficiently ensure parallel application and a single, robust regulatory framework designed to prevent misuse or misappropriation of customers’ funds, abuse of customers resulting from the absence of effective conflicts of interest policies, and excessive risk taking that may disrupt market stability and undermine market integrity. We must apply one set of rules across the board. Same activity. Same risks. Same regulation.

An Advanced Notice of Proposed Rulemaking (ANPRM)

Following this staff advisory, I propose that the Commission initiate an Advanced Notice of Proposed Rulemaking on Crypto or Digital Commodity DCO Clearing Activities.  This approach acknowledges the innovative features of novel crypto-commodity derivative products and the platforms that clear and settle these transactions and addresses potential heightened risks described in the Staff Advisory.  Such an approach would enable the Commission to engage in a comprehensive review of the new or potential risks that arise from clearing activities in the crypto-markets and formulate a proposed rule that effectively responds to the identified concerns.

In thinking of the ANPRM process, one may recall the initiatives adopted to gather information and develop a regulatory framework for implementing Title VII of the Dodd-Frank Act.  Beginning with an Advance Notice of Proposed Rulemaking may enable a multi-faceted and highly-collaborative process that includes diverse stakeholders influencing regulation through Requests for Information, formal Roundtables, and the development of Guidance from the Commission ahead of drafting formal regulations.

To be exceptionally clear, a rulemaking limited to ensuring parallel protections for the crypto-clearing activities outlined in the Staff Advisory is expressly within the Commission’s existing authority.  Market participants operating as DCOs, designated contract markets, swap execution facilities, and registered derivatives intermediaries are subject to the Commission’s jurisdiction.

The Staff Advisory keenly focuses on entities that are registered or seek to register with the CFTC to offer derivatives clearing services.  In other words, by their own indications in submitted applications, these entities are consenting to the CFTC’s jurisdiction and employing a market structure predominantly adopted in commodity derivatives markets.

As I have noted on a number of recent occasions, persistent volatility, inflationary pressures, and other challenging macroeconomic conditions have challenged our markets significantly since the onset of the COVID-19 pandemic.  Our markets have demonstrated resilience and, at least in part, this effective resilience is the result of careful, well-calibrated regulation designed to enable our markets and market participants to respond to remarkable market conditions.  One could conclude that our preparation through rulemaking and enforcement has fostered markets that are orderly, transparent, and fair. We should apply these lessons to every asset class permitted within our markets.

As noted above, proposed rules may address a number of areas where the Commission has refined regulations in intermediated DCO markets over the last several years including conflicts of interest; segregation of customer funds and treatment of customer assets; operational and technological risk, specifically cyber-risks; and market manipulation and fraud.

The LedgerX Order

The Commission has previously signaled a need to address the lack of parallelism in the context of certain DCO clearing activities involving crypto or digital assets. In 2017, LedgerX submitted an application to register as a DCO. The LedgerX order of registration outlines several of the key initiatives that an ANPRM might address.[3] These carefully crafted conditions offer guidance on the issues that merit the Commission’s focus in the context of the clearing activities referenced in the Staff Advisory.

These conditions were necessary because no current statutory language nor regulatory text expressly imposes relevant obligations on certain DCOs. The conditions, therefore, provide a possible framework for customized regulatory requirements to be considered in an ANPRM.

Ensuring Cyber Resilience

Finally, an ANPRM may propose an approach for introducing risk management and cyber resilience in the markets for novel products and platforms.  In addition to the investor protection and market integrity concerns that will inform an ANPRM, we must carefully focus on the system safeguards that promote cyber resilience within the markets for novel market structures and products.

Section 5b(c)(2) of the Commodity Exchange Act (CEA), as amended by the Dodd-Frank Wall Street Reform and Consumer Protection Act[4] sets out eighteen core principles (DCO Core Principles).[5]  In 2011, the Commission promulgated Regulation 39.10(a) which requires DCOs to comply with each of the DCO Core Principles as well as “any requirement that the Commission may impose by rule or regulation pursuant to section 8a(5) of the Act[.]”[6] Part 39 of the Commission’s regulations implements the DCO Core Principles which seek “… to strengthen the risk management practices of DCOs, and to promote financial integrity for swaps and futures markets.”[7]

In 2016, the Commission adopted regulation 39.18 titled “System Safeguards”[8] which implements Core Principle I and specifies the requisite elements for system safeguards as well as risk analysis and oversight plans for operations and monitoring of automated systems.[9]  At that time, the Commission acted in response to increased frequency in cyber threats and the necessity to enhance cybersecurity requirements and testing for DCOs.[10]  In the adopting release, the Commission cites to the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) as a central source for best practices in cybersecurity and surveillance.[11]  The NIST Framework advocates “for testing of cybersecurity response and recovery plans and cybersecurity detection processes and procedures.”[12]

Over the last decade, the Commission has consulted and considered additional international standards on cybersecurity which establish best practices including the Principles for Financial Market Infrastructure (PFMI) issued by the Committee on Payments and Market Infrastructure (CPMI) and the International Organization of Securities Commissions (IOSCO).[13]  The PFMI is a key standard in the international community that is considered “essential to strengthening and preserving financial stability.”[14]  Under the PFMI, CPMI and ISOCO issued the Guidance on Cyber Resilience for Financial Market Infrastructures which advocates for cyber risk awareness and regular evaluation and improvement of cyber resilience for financial market entities.[15]

The Commission’s focus on cybersecurity over the last few years was recently validated by the January cybersecurity event at ION Cleared Derivatives.  ION provides trading, clearing, analytics, treasury, and risk management services for capital markets and futures and derivatives markets. [16]  Many market participants rely on services agreements with ION for back-office trade processing and settlement of exchange-traded derivatives.[17]  The January cyberattack disrupted not only ION’s operations but also the operations of other market participants, triggering a ripple effect across markets.  The cyber-incident halted deal matching, required affected parties to rely on manual (old school) trade processing, and caused delays in reconciliation and information sharing and reporting, among other challenges.[18]

During the March 2023 Market Risk Advisory Committee meeting, we examined the threat of cyberattacks on market participants and critical third-party resources that facilitate clearing and settlement of market transactions.[19]  As new market participants enter our markets, it is imperative that their systems safeguards establish parallel protection for their customers. This may be especially important where interoperability and reliance on critical third-party service providers play a key role in their operational integrity.

While the CFTC has long implemented and enforced cyber risk regulation, the ION cyber incident demonstrates that operational resilience and system safeguards must be continuously re-evaluated to keep up with changes in our financial market infrastructure and ever-evolving technology.  As our market infrastructure becomes increasingly dependent on digital technologies, it is of the utmost importance that individual firm cyber defenses keep pace with evolving threats.  In addition, we must seek to enhance cybersecurity across the network of firms, large and small, that facilitate trade execution, clearing, and settlement in our markets.

Conclusion

I urge the Commission to initiate a rulemaking process to explore the unique challenges of introducing customer protections in non-intermediated crypto-markets, particularly those seeking to engage in marketing of leveraged, retail-focused derivatives products. Now is the time to act to further protect customers and customer funds.