CFTC Technology Advisory Committee Meeting

Commodity Futures Trading Commission

Technology Advisory Committee Meeting

Thursday, October 3, 2019

Key Topics & Takeaways

  • CFTC Approach to Technology: Chairman Tarbert stated that the best way to strike a balance between innovation and market integrity is through a principles-based approach to regulation that allows flexibility but maintains fundamental regulatory mandates.
  • Distributed Ledger Technology: Hoffman noted that technology changes rapidly, and so regulators should not regulate DLT technology itself but rather its outcomes and impacts on individuals.
  • Financial Services Sector Cybersecurity Profile: Magri noted that the Securities and Exchange Commission, Office of the Comptroller of the Currency, Federal Reserve, the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions have issued statements of support for the FSSCC, and requested that the CFTC do the same.

Presenters

  • Gary DeWaal, Special Counsel, Chair, Financial Markets and Regulatory, Katten Muchin Rosenman LLP
  • Lee Schneider, General Counsel, block.one
  • Chris Brummer, Professor and Director, Institute of International Economic Law, Georgetown University Law Center
  • Brad Levy, CEO MarkitSERV, IHS Markit
  • Shawnna Hoffman, IBM Global Cognitive Legal Leader
  • Yesha Yadav, Professor of Law, Vanderbilt Law School
  • Alicia Crighton, Managing Director, Goldman Sachs
  • Mayur Kapani, Chief Technology Officer, ICE
  • Tim McHenry, Vice President, Information Systems, NFA
  • Josh Magri, Senior Vice President and Counsel for Regulation & Developing Technology, Bank Policy Institute
  • Jason Harrell, Executive Director and Head of Business and Government Cybersecurity Partnerships, DTCC

Opening Remarks

Brian Quintenz, Commissioner; Sponsor of the Technology Advisory Committee

Quintenz introduced the topics to be presented and discussed by the Commodity Futures Trading Commission’s (CFTC) Technology Advisory Committee (TAC). He commented that stablecoins have the potential to function as a viable and liquid medium of exchange, and that policymakers should approach them consistently with other products that have similar characteristics. He also said distributed ledger technology (DLT) “holds great promise” in that it can help to safeguard individuals’ privacy, promote data integrity and ensure confidentiality, and he suggested that the CFTC could explore how DLT could play a role in its record retention requirements.

Heath Tarbert, Chairman

In his opening remarks, Tarbert said the TAC has a vital role to play as the CFTC regulates markets at the cutting edge of technological innovation, and the CFTC does not always have the same technological expertise as the entities it regulates. He said the CFTC needs insights from industry to ensure its rules protect market integrity while fostering innovation. Tarbert stated that the best way to strike a balance between innovation and market integrity is through a principles-based approach to regulation that allows flexibility but maintains fundamental regulatory mandates.

Dan Berkovitz, Commissioner

Berkovitz commented that technology can also be used to make regulatory compliance more efficient, suggesting that automation could improve consistency and reduce errors and the need for human input, which can then lead to savings on fines, legal fees and other such costs. He said the CFTC should play a role in helping providers build such solutions, and that the CFTC should be mindful of the role of technology in its own approach to regulation.

Panel One: Virtual Currencies Subcommittee Presentations

A review of the different natures and characteristics of stablecoins and the potential implications for regulation

Lee Schneider, General Counsel, block.one, explained that stablecoins are digital representations of value designed to be stable against the value of a referent asset or assets, which can be physical assets like gold or more intangible assets such as fiat currencies or securities. He said understanding how stablecoins are treated gets more difficult with intangible assets or baskets of assets, but that stablecoin developers are trying to mimic ideas already out in the world while adding the use of blockchain and encryption to make them more transparent, auditable and safer.

Gary DeWaal, Special Counsel, Chair, Financial Markets and Regulatory, Katten Muchin Rosenman LLP, called the legal analysis of the regulation of stablecoins fascinating, explaining that there are different kinds of stablecoins based on a “continuum” of referent assets. He said stablecoins can be backed by a single asset, such as a currency, which allows transactions to take place on the blockchain with something of perceived stable value. He offered that a stablecoin based on the U.S. Dollar, for instance, would arguably not be a security. However, he continued that stablecoins backed by multiple instruments determined by a manager might be considered a security based on the Howey Test.

DeWaal stressed that stablecoins and virtual currencies raise a variety of regulatory issues for many types of regulators, such as the Bank Secrecy Act or anti-money laundering based on payments regimes. While he said he would not recommend it himself, stablecoins could even fall under the broad definition of a swap under the Commodity Exchange Act. DeWaal noted that the Swiss Financial Market Supervisory Authority has published guidance on stablecoins with the principle that products posing the same risks should be subject to the same rules. He said the market is “far away” from regulatory certainty and that there could be a “turf war” between regulators.

A presentation on the various cryptocurrency custodial relationships and custodial options

Chris Brummer, Professor and Director, Institute of International Economic Law, Georgetown University Law Center, presented on cryptocurrency and digital asset custodial relationships, noting that these pose unique cybersecurity and governance challenges and that there is no “magic solution” to navigating the tradeoffs between different custodial solutions. He explained three models for custody: 1) self-custody, which risks exposing customers as the weakest links in cybersecurity and stymies liquidity but also enables a decentralized architecture with lower paydays for cyber criminals; 2) exchange-based wallets, which improve cybersecurity but also offer a more attractive target for criminals and present dangers such as commingling of customer assets or market manipulation; and 3) third-party non-exchange custodians that can provide better cybersecurity than retail custodians but still pose liquidity challenges from different infrastructures.

Brummer stated that there is a wide variety of potential custodians, including broker-dealers, banks and trust companies, investment advisers, futures commission merchants, derivatives clearing organizations, foreign depositories and others. However, he said few large players have entered the digital asset custody space to date, likely due to the inherent riskiness of assets, lack of familiarity with digital assets, questionable robustness of cybersecurity/technology, and regulatory compliance or litigation risk.

Brummer said a disclosure regime for custodians is needed, and that it should cover: cybersecurity practices and limitations, operational risks, conflicts of interest, balance sheet and capitalization, forking practices, and insurance coverage.

Panel Two: Distributed Ledger Technology and Market Infrastructure Subcommittee Presentation

A presentation on data privacy, and the applications of distributed ledger technology in derivatives markets for custody and collateral management

Brad Levy, CEO MarkitSERV, IHS Markit, outlined the work of the DLT and Market Infrastructure Subcommittee as it has reviewed the applications of DLT beyond cryptocurrencies. He said a particular focus has been on the technology’s benefits for privacy.

Yesha Yadav, Professor of Law, Vanderbilt Law School, discussed the importance of keeping data safe, calling it a singularly lucrative target for hackers worldwide. She said DLT has the potential to offer privacy solutions as it can be tailored to suit different information ecosystems and can be adapted and permissioned so only certain users can access networks. She also explained how DLT can help with custody, pointing out that DLT networks can securely verify user identities, verify trades and automate signals to custodians and warehouses.

Shawnna Hoffman, IBM Global Cognitive Legal Leader, explained how DLT enables efficient and storage of documents and that it can create encrypted and immutable digital records through hashing algorithms that cannot be reverse engineered.

Hoffman noted that technology changes rapidly, and so regulators should not regulate the technology itself but rather its outcomes and impacts on individuals. She offered four questions for the CFTC to consider regarding DLT:

    1. Do DLT-based information verification standards meet various legal standards for data privacy and security in derivatives?
    2. For interoperability, will markets demand just a handful of encryption standards?
    3. How should innovation in encryption take place, where a handful of standards support financial markets?
    4. Should the CFTC lead international standard-setting in relation to data privacy and DLT?

Panel Three: Automated and Modern Trading Markets Subcommittee Presentation

A presentation on best practices for managing risks associated with automated trading systems and related market implications, highlighting FIA’s best practices and risk controls currently employed on the ICE trading platform

Alicia Crighton, Managing Director, Goldman Sachs, gave a presentation on the Futures Industry Association’s (FIA) best practices for managing risks associated with electronic and automated trading. Crighton noted that FIA engaged with futures exchanges, market participants and international regulators in order to develop best practices intended to mitigate the risks of electronic trading in response to growth in exchange volumes and various market events. She outlined the principles of FIA’s best practices, including pre- and post-trade risk controls, emphasizing that risk controls should be principles-based rather than a prescriptive set of requirements. Prescriptive requirements, according to Crighton, can become obsolete as markets and their participants evolve, and overall are challenging to implement.

Crighton then presented trends and themes identified in related FIA market surveys on the development of best practices over time. She explained that FIA conducted multiple surveys between 2010 and 2018, finding, among other things, that there has been a substantial increase in the implementation of market integrity controls since 2010 and that there has been generally positive feedback to industry initiatives and responsiveness to identify and self-solve industry risks. On continuing development, Crighton noted that FIA has identified four themes among industry responses to risks: 1) automated access to risk controls; 2) more granular pre-trade risk controls; 3) potential new limits; and 4) certification and testing.

Mayur Kapani, Chief Technology Officer, ICE, presented on how ICE thinks about risk across all its futures exchanges, and where the institution thinks the future is going. Kapani outlined ICE’s risk controls philosophy, namely that the controls are jurisdictionally agnostic, preventative rather than reactive, real-time managed, and granular at different levels of aggregation. Following the discussion of ICE’s risk control philosophy, Kapani walked through controls at different levels, including market controls, clearing member-managed controls and trading firm managed controls. He then discussed detection and mitigation tools in place, or currently being developed, such as kill switches, FIX APIs, and breach alerts.

Question & Answer

Brad Levy, IHS Markit, asked whether there are evolving initiatives or issues, in terms of future tech, that may look like a future problem ICE would need to address. Kapani answered that they conduct predictive analyses based on historical data at different levels, and that combined with diligent market supervision ICE will be able to handle evolving issues.

Supurna VedBrat, Blackrock, shared concerns about the unanticipated sharing of information and asked whether ICE shares information about an end user’s portfolio beyond a particular customer’s FCM relationship in the event of a breach. Kapani responded that portfolio information is not available in a general form, and it is only available to the participant and their particular FCM. Kapani noted that it would be a major cyber incident if a firm had multiple FCMs and there was any sharing of the portfolio information across the FCMs.

John Lothian, John J. Lothian Co. Inc., and VedBrat both asked about a recent significant move in the Bitcoin futures market. Lothian asked Kapani to walk through how ICE’s risk management tools worked in such an illiquid market. Kapani responded that although the Bitcoin market is an illiquid market, ICE didn’t see sudden jumps that would trigger circuit breakers, and because the Bitcoin futures market is a newer market, price collars and limits were set appropriately for participants and all tools worked as designed. VedBrat asked whether the Bitcoin futures market had its own default fund, noting that if there are clients who made a decision to avoid such a risky marketplace there shouldn’t be any indirect or unintentional exposure. Kapani responded that there is an initial $35 million at the outset of a separate waterfall structure, and that in addition to that contribution, ICE holds separate insurance for those contracts. He noted that they structured the Bitcoin futures default fund to ensure there is no indirect or unintentional exposure to non-participating clients.

Quintenz then stated that despite there being no new regulations, there has been advancement in addressing risk. He noted that the presentations have shown the industry has been all over the new types of risk due to both a strong business and ecosystem interest in addressing these risks at the exchange level, clearing member level, and firm level. Quintenz complimented the actions firms have taken and said he is interested in learning more about the data gathered by FIA.

Panel Four: Cybersecurity Subcommittee Presentations

A presentation on the Financial Services Sector Cybersecurity Profile

Tim McHenry, Vice President, Information Systems, NFA, presented on the Financial Services Sector Cybersecurity Profile (FSSCC) and noted that the purpose of the presentation was to recommend the CFTC join other regulators in issuing a statement of support for the profile.

Josh Magri, Senior Vice President and Counsel for Regulation & Developing Technology, Bank Policy Institute, began by providing a graphical depiction of the reconciliation process, and noted that the FSSCC is made up of two components: 1) scaling through an impact questionnaire; and 2) architecture, diagnostic statements, and example regulations. On scaling through an impact questionnaire, he noted that there was a need to scale the profile for both small and large firms, and that they looked at guidance pieces new and old in evaluating how each might affect the whole economy if impacted by a cyber attack. Magri explained that the questionnaire aimed at assessing the institutions’ impact on global, national and local economies. Further, he walked through the process of how the profile digested numerous regulations and created a diagnostic statement that would be compliant with each overlapping regulation. Magri offered examiner training to the regulators that would find such training useful. He concluded the presentation by noting that other regulators such as the Securities and Exchange Commission, Office of the Comptroller of the Currency, Federal Reserve, the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions have issued statements of support, and requested that the CFTC do the same.

A presentation on the current approach to vendor risk management, the challenges of that approach, and possible alternatives to consider

Jason Harrell, Executive Director and Head of Business and Government Cybersecurity Partnerships, DTCC, presented on the current approach to vendor risk management, challenges to the approach, and a new approach that is intended to create an equitable risk balance between the financial institutions and the third-party vendor. Harrell emphasized that the sophistication, frequency and scale of cyber attacks against the financial services sector have moved resiliency to the top of the risk management agenda. Harrell noted that several supervisors, such as the Bank of England, Financial Conduct Authority, Prudential Regulation Authority, Monetary Authority of Singapore, and Australian Securities and Investments Commission, have begun to communicate with the sector on resiliency through supervisory documents. The documents, according to Harrell’s presentation, require a service-centric approach to providing products and services, and require firms and their supervisors to ensure resiliency through vendors.

Harrell then outlined the challenges to the current vendor management approach, including risk visibility/questionnaire fatigue, compliance across multiple firms’ policies and standards, intellectual property protection, and contractual leverage. To solve these challenges Harrell recommended requiring vendors that engage in business with the financial services sector to be certified or accredited against a recognized industry standard where the requirements and frequency of the certification are dependent on the size of the vendor and the level of risk that is inherent to the financial marketplace. He stated that this might serve to reduce questionnaire fatigue, harmonize the requirements of multiple firms, simplify contractual language relative to cybersecurity, and provide a greater level of resiliency assurance than the current vendor management model.

Question & Answer

Richard Gorelick, DRW Holdings, LLC, asked Magri what the longer-term goal was relating to the CFTC and whether new rules and regulations would be required in this space. Magri responded that they are currently asking for the CFTC to issue a supportive statement, but in the alternative, they would like to have a conversation or public comment period with some reference to the profile, and work through the traditional processes that map regulations going forward.
