I thank Commissioner Christy Goldsmith Romero and am pleased to support her sponsorship of the CFTC’s Technology Advisory Committee (TAC).  I would like to also thank the TAC’s Designated Federal Officer (DFO), Anthony Biagioli, and Alternate Designated Federal Officer (ADFO), Lauren Bennett, and other CFTC staff for their work preparing today’s meeting.  I welcome each of the TAC members as you explore timely issues regarding responsible artificial intelligence (AI), decentralized finance (DeFi), and cyber resilience.  Thank you, Commissioner Goldsmith Romero, for your leadership.

Recently, I have specifically addressed AI and other technological advancements that may impact financial markets.[1]  Across the industry, risk professionals have a critical role in safeguarding our markets.  I discussed the importance of utilizing existing risk governance frameworks and risk management disciplines to identify, measure, monitor, and control emerging risks and new technologies.  For example, operational risk management includes technology risk, cyber risk, and third-party risk.  Model risk management is key for AI risk governance.  Businesses must also consider strategic risk and compliance risk in light of technological developments.  I recently stated that our registrants must be vigilant and address new and emerging risks through various risk stripes as appropriate—whether from changing market conditions, technological developments, geopolitical concerns, or any other event.[2]

At the last TAC meeting, I remarked on the many years of work by policymakers such as the Financial Stability Board (FSB), the Basel Committee on Banking Supervision (BCBS), the International Organization of Securities Commissions (IOSCO), and other regulatory authorities around the world to implement laws, regulations, and standards for operational resilience.[3]  Regulated entities, including the vast majority of our swap dealers (and futures commission merchants (FCMs)) that are banking organizations, have implemented comprehensive, enterprise-wide operational resilience programs.  Operational resilience, as noted by U.S. prudential regulators in 2020, encompasses governance, operational risk management, business continuity management, third-party risk management, scenario analysis, secure and resilient information system management, surveillance and reporting, and cyber risk management.[4]

As you can see, cyber risk (or cyber resilience) is only one component of an operational resilience program.  It is my view that the CFTC’s approach to cyber risk or third-party risk should appropriately recognize that these risks are within the discipline of operational risk, and all of these risks are part of—but not the same as—an operational resilience program.

I look forward to hearing from Kevin Greenfield, Deputy Comptroller for Operational Risk Policy at the Office of the Comptroller of the Currency (OCC), on the recent interagency guidance on third-party risk management.[5]  Many of our swap dealers are OCC-chartered national banks, and it is essential that the CFTC understands the prudential regulation of banking organizations.  I appreciate Commissioner Goldsmith Romero’s engagement with our fellow U.S. regulators on these issues.

The insights and perspectives shared through the TAC’s work will help to shape the CFTC’s approach to new and emerging technologies.  My thanks again to Commissioner Goldsmith Romero, the TAC members, and speakers for your time and commitment to fostering responsible innovation within our markets.