Friday, November 07, 2014

Chairman Massad Identifies Focus on Cybersecurity, Cross-Border Issues

[This story previously appeared in Securities Regulation Daily.]

By Lene Powell, J.D.
In remarks at a futures industry conference, CFTC Chairman Massad discussed progress on key G-20 derivatives reform commitments and highlighted areas the CFTC looks at in system safeguards examinations regarding cybersecurity and business continuity disaster recovery. Also, Commissioner Sharon Bowen talked about her priorities for the CFTC as it works to prevent future financial crises, including finalizing rules on margin for uncleared swaps and position limits.
Cross-border progress. Chairman Massad pointed to progress on four key commitments agreed to by the leaders of the G-20 nations and embodied in the Dodd-Frank Act. First, there is increased oversight of major market players, with 106 swap dealers and two major swap participants provisionally registered and subject to strong risk management practices. Second, clearing is now required for most interest rate and credit default swaps. An estimated 16% of outstanding transactions were cleared in December 2007, while about 74% were cleared in September 2014. There is also a significant move to transparent trading of standardized transactions on regulated platforms, with 22 swap execution facilities (SEFs) registered and two more registrations pending. Volume on SEFs continues to rise. Swap data reporting is a work in progress, but the public now has much more information regarding the swaps marketplace, allowing more competition and better oversight.
Although there is concern about possible inefficiencies due to differences in derivatives regulatory regimes across different jurisdictions, it’s important to have perspective, said Chairman Massad. The rules for securities offerings are not the same in all G-20 nations, and rules for securing bank loans aren’t even the same in the 50 states. There will be differences in derivatives reform among the G-20 nations. The CFTC wrote its rules faster than other jurisdictions, and while it made many substituted compliance determinations last December and expects to make more, you can’t make those determinations until the other jurisdictions have passed their laws and written their rules.
The CFTC cross-border guidance issued last November 14 relating to when a foreign swap dealer that engages in certain conduct in the United States is subject to U.S. transaction requirements will expire at the end of the year. Staff has recommended extending the relief for the time being. In addition, the CFTC is continuing to work on cross-border harmonization of clearinghouse regulation. Chairman Massad is pleased that the European Commission has decided to postpone imposing higher capital charges on banks clearing through U.S.-based central counterparties, since it was the threat of higher capital charges that was going to fragment the market, not dual registration of clearinghouses.
Cybersecurity. The need to strengthen the security and resilience of our financial markets is clear, said the chairman. The CFTC has modernized its Core Principles and updated its regulations in recent years to address cyber and information security. 
Clearinghouses, exchanges, and other market infrastructure entities are required to have the following: (1) a program of risk analysis and oversight to identify and minimize sources of cyber and operational risk; (2) automated systems that are reliable, secure, and have adequate scalable capacity; (3) emergency procedures, backup facilities, and a business continuity-disaster recovery plan; and (4) regular, objective, independent testing to verify that the system safeguards program is sufficient to fulfill its regulatory responsibilities.
Key areas that the CFTC looks at in exams include:
  • Governance. Are the board and top management paying sufficient attention to cybersecurity and taking appropriate steps? Does the board have the expertise, and does it devote the time, to do so? Is it setting the right tone as to the importance of these issues?

  • Resources. Is the entity devoting sufficient resources and capabilities to monitor and control cyber-related risks across all levels of the organization? 

  • Policies and procedures. Are adequate plans and policies in place to address information security, physical security, system operations, and other critical areas? Is the regulated entity actually following its plans and policies? Is it considering how plans and policies may need to be amended from time to time in light of technological, market or other security developments? 

  • Vigilance and responsiveness to identified weaknesses and problems. If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem, but also examine the root causes of the deficiency?

The chairman said that limited CFTC resources have constrained its ability to conduct compliance exams in this area.

Commissioner Bowen priorities. In her first address as CFTC commissioner, Sharon Bowen shared her priorities for the agency. She noted that the CFTC has entered the post-financial crisis world, with all sitting commissioners confirmed after the fall of Lehman Brothers and the passage of the Dodd-Frank Act. Her biggest fear, always at the back of her mind, is that the agency won’t do enough to prevent a future crisis. The CFTC needs to act in such a way that the 2008 financial crisis is regarded as an extraordinary break from typical financial stability, not the first in a series of crises.
In identifying and managing risk, the CFTC must allow financial actors to take reasonable risks, to allow firms to take a chance on an idea, even if it might mean the end of the firm if it fails, said Commissioner Bowen. However, there must be protections, including position limits, margin requirements, and well-run clearinghouses, to make sure that one company’s risky bet doesn’t throw the entire system into chaos. The CFTC proposed a rule for margin requirements for uncleared swaps in September, and she looks forward to reviewing the many comments received and finalizing the rule in the “near future.”
A rule regarding position limits was finalized in 2011, vacated by the D.C. district court in 2012, and re-proposed in 2013. The comment period on the re-proposed rule was reopened this summer and staff is reviewing comments. The rule seeks to fix the issues flagged by the court, and Bowen hopes it can be finalized in a way that realizes congressional intent in mandating position limits and also maintains companies’ ability to manage their commercial risks. At this point these rules have been discussed for years now, and it is time for the Commission to make the decisions it needs to make to get the rules finalized, she said.