
Opening Statement of Commissioner Kristin N. Johnson Regarding the Open Commission Meeting on December 13, 2023

December 13, 2023

Good morning. Thank you, Mr. Chairman.

It is a pleasure to welcome everyone joining us for this monumental meeting today. We will consider two proposed rules that represent the Commission taking invaluable steps toward addressing the most pressing issues in our markets—issues that are at the frontier of an undeniable transformation in global financial markets.  We will also consider an application for registration of a derivatives clearing organization interested in enabling digital asset trading in our markets. This application immediately illustrates the urgent need for swift, decisive action and a clear direction of travel from the Commission on evolving market structures enabling the trading of crypto or any novel asset class as well as traditional derivatives products.

Stated more technically, today we will consider a proposed rule on the Operational Resilience Framework for Futures Commission Merchants, Swap Dealers, and Major Swap Participants; a proposed rule on the Protection of Clearing Member Funds Held by Derivatives Clearing Organizations; and the amended application of Bitnomial Clearinghouse, LLC for Registration as a Derivatives Clearing Organization (DCO).

Developing Risks in Our Markets

The efforts we will undertake this morning are focused on addressing emerging threats in the context of evolving market structure.  The rules and application before the Commission today allow us to consider two burgeoning risks in our markets.  These are risks that I have spent my entire career advocating for the CFTC and other regulators to address, as a lawyer in private practice, as in-house counsel, as an academic, and exceptionally vocally as a Commissioner.

The Market Participants Division will propose new rules to develop and update existing operational resilience regulations.  The amendments seek to ensure that covered entities must identify, monitor, manage, and assess risks posed by their use of critical third parties to handle all manner of their covered business activities, as diverse as margin processing, risk management, human resources, and information technology.  Firms’ cybersecurity is not solely measured by efforts to protect their own facilities from cyber threats, but also by their ability to prepare for inevitable cyber-disruptions that impact critical contractors and subcontractors.

A decade ago, as an academic, I became part of a small group of international legal and cybersecurity experts focused on developing regulation to address cyber threats that present a risk to governments, businesses (including the financial services sector of our economy), and every other form of educational, religious, or philanthropic institution that may be a target for cyberattacks.  We studied the applicability of internationally recognized standards, including the National Institute of Standards and Technology (NIST) cybersecurity framework, and reporting and assessments to monitor and mitigate the risks of cyberattacks using systems like System and Organization Controls (SOC) defined by the American Institute of Certified Public Accountants (AICPA).

My work and expertise focused almost exclusively on the possibility of a coordinated national security-oriented Distributed Denial-of-Service (DDoS) attack on financial market infrastructure—the type of catastrophic disruption that might target domestic exchanges, clearinghouses, and large financial institutions, particularly banking firms—leading to a cessation in asset transfers and a deep interruption of the operational mechanics of the global financial system.

Allow me to make two observations about the proposed rule now and offer additional detail on the second observation later.

First, for the last few weeks I have spoken publicly on the potential for voluntary carbon markets to have a positive impact on climate change.  Some markets are global. Addressing risks in these markets may yield benefits for citizens, governments, and businesses in every corner of the world.

In this context, similarly, some sinister efforts to undermine the success of institutions at the heart of global financial markets may ultimately have the opposite impact on citizens around the world.

Considering, for example, the cyberattack on ION in January of this year, I note that a Dublin-based firm that is not a CFTC registrant experienced a ransomware attack that impacted businesses around the world.  As we begin to address cyber threats against critical third parties, we must acknowledge that the nature of our market structure is evolving, and our regulations must adapt with it.  We must begin to consider the importance of third parties both small (like ION) and large (like Google, Microsoft, and AWS) that provide critical links in the back offices, in clearing and settlement, or in transaction data storage in derivatives markets.

Second, we cannot be backward looking as we try to move into the future of financial markets.  We may have adopted siloed regulation in the last century, but market risks today quickly transcend the boundaries drafted as text in our statute and regulations. Cyber threats are indifferent to our thinking about market structure, and thus taking a siloed approach to regulation may stymie the effectiveness of the very regulation that we adopt.  We live in a world where networked connectivity enables transactions but also threats to transfer systems that can quickly transcend territorial boundaries.

Cyber threats do not discriminate among the assets traded on a platform nor are they concerned with the type of businesses—swap execution facilities, futures commission merchants (FCMs), exchanges, or DCOs—that facilitate transfers or custody assets.  Seeking fast cash (ransomware) or to protest our responses to sensitive geopolitical conflicts around the world, cyber attackers from someplace on the other side of the world, relying on internet capabilities and a few quick clicks on a keyboard, may all at once disrupt the businesses of every type of derivatives organization in our markets.

I share all this to simply highlight that the proposed operational resilience rule does not apply to DCOs and certain other entities comprising the derivatives markets infrastructure.  I strongly believe that it should. We need comprehensive whole-of-government and whole-of-market solutions to address cyber threats that heed no traditional marketplace dividing lines.

The Financial Stability Oversight Council (FSOC), whose annual reports outline potential emerging threats and vulnerabilities, most recently noted the dangers to the financial system presented by underexamined cybersecurity at DCOs:

A grave cybersecurity incident could potentially threaten the stability of the U.S. financial system through at least three channels: (1) disrupting key institutions with few or no substitutes, such as central banks, exchanges, payment clearing and settlement systems, or other critical service providers; (2) compromising the integrity of data that is critical to the stable functioning of financial firms and the system; and (3) causing a loss of confidence among a broad set of market participants.[1]

FSOC continued: “Maintaining and improving the cybersecurity resilience of the financial sector requires continuous assessment of cyber vulnerabilities and close cooperation across firms and governments within the U.S. and internationally.”[2]

Because I believe that we need to aim for comprehensive reform, I also offer suggestions on issues that would be ripe for comment regarding the second proposed rule on DCO member property. A quick word about each proposed rule.

Proposed Rule and Request for Comments on Operational Resilience Framework for Futures Commission Merchants, Swap Dealers, and Major Swap Participants

The Market Participants Division (MPD) has put before the Commission a holistic and thoughtful proposed rulemaking aimed at directing FCMs, swap dealers, and major swap participants (collectively, the “covered entities”) on required steps for improving their operational resilience through the use of concrete action plans covering business continuity and disaster planning, cybersecurity, and third-party risk.  I want to commend MPD on this Herculean effort.

The proposed rulemaking sets out three major pillars of its operational resilience framework: (1) information and technology security (i.e., cybersecurity); (2) management of risks presented by relationships with mission-critical third-party service providers; and (3) a business continuity and disaster recovery plan.  The rulemaking layers on top of those pillars corporate governance reforms intended to emphasize that any operational resilience framework needs to be assessed at the most senior levels of the covered entities’ organizational structure, and obligating the entities to develop firm risk appetites and tolerance limits.  And the rule is bolstered by robust review, testing, training, and notification requirements, including requirements for notifying the Commission should an anticipated (or unanticipated) risk materialize.

I fully support this proposal.  That said, the potential eventual finalization of this rule will highlight a gap between the operational resilience requirements placed on the covered entities, and the requirements on other Commission registrants, particularly DCOs.  The stability of DCOs is critical to the proper functioning of our markets—quite literally some of them are considered “systemically important”—and the risks that the operational resilience rulemaking is intended to mitigate apply just as equally to them.  Yet the system safeguards rules currently in place for DCOs are nearing eight years old, and they do not consider the increasingly important risks posed to our registered entities by mission-critical third-party service providers.  As more and more of DCOs’ operations are shifted to outsourcing contracts, attention needs to be paid to the commensurate shifting of risks.  We must consider parallel regulations for them.  I am hopeful that ongoing consideration of the role of DCOs and their risk exposures will prompt similar Commission action in the future.

Proposed Rule and Request for Comments on Protection of Clearing Member Funds Held by Derivatives Clearing Organizations

Next, the Commission will consider a proposed rulemaking to protect clearing member funds or property held by a DCO.  The Division of Clearing and Risk has worked closely with my office to bring this proposal forward and I commend them for their hard work.

The proposed rules: (1) require clearing member property be segregated from a DCO’s own funds and be acknowledged as separate in writing; (2) require clearing member property to be treated as belonging to the clearing member while permitting the use of it as part of the DCO’s default waterfall, consistent with the DCO’s rules and agreements with clearing members; (3) permit the commingling of clearing member property in a single omnibus account for convenience; (4) permit the investment of clearing member property pursuant to CFTC Regulation 1.25; and (5) require the daily reconciliation of balances owed to customers and clearing members against the amount actually held in segregation.

Customer protection has been at the forefront of my agenda during my tenure as a Commissioner and this proposed rule will continue to give teeth to my mission to champion the customer in our markets.  I look forward to carefully considering the comments we receive to further sharpen our approach to promoting fairness and customer confidence.

DCO Registration Application of Bitnomial Clearinghouse, LLC

Finally, the Commission will be considering the application of Bitnomial Clearinghouse, LLC (Bitnomial) for registration as a DCO pursuant to Section 5b of the Commodity Exchange Act and part 39 of the Commission’s regulations.

DCOs play an increasingly important role in the financial markets, and the clearing market structure has evolved from a traditional clearing model, where the exchange and DCOs were the only affiliated entities, to a substantially more vertically integrated clearing model, where the exchange, DCO, and an FCM are affiliated entities.  Without appropriate guardrails, vertical integration can cause financial instability, prejudice customers, stifle competition, and undermine the proper functioning of our derivatives market.

Bitnomial, an exchange, and an FCM are all affiliated entities.  The Commission must determine whether Bitnomial has complied with existing statutory and regulatory requirements to register as a DCO.  But the Commission must also immediately launch a rulemaking process to develop and adopt rules that are sufficiently tailored to address the increased risks of affiliations and vertical integration in the clearing ecosystem so that we no longer consider the issue solely on an ad hoc basis.

Vertical integration may pose a significant risk to and problem for our financial system.  These risks and problems merit the Commission launching a rulemaking process that would advance precise regulatory text and clearly articulated regulatory expectations to facilitate compliance; a careful analysis regarding the scope of the CEA; the implementation of limitations or conditions; and the consideration of effective oversight by the CFTC.

For each of the two rulemakings, I strongly encourage public response to our requests for comment during the review period, and I look forward to a thoughtful discussion with my fellow commissioners today.

I want to express my gratitude to the Division of Clearing and Risk and the Market Participants Division for their efforts to introduce the proposed rules and application that we will consider.  I also want to thank my Chief Counsel Tamika Bent, and Senior Counsels Peter Janowski and Julia Welch for their assistance in preparing for today’s meeting.


[1] Financial Stability Oversight Council, 2022 Annual Report, at 11 (Dec. 16, 2022), https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf.

[2] Id.

-CFTC-