September 18, 2023 Submitted Electronically

Mr. Christopher Kirkpatrick
Secretary
U.S. Commodity Futures Trading Commission
Three Lafayette Centre
1155 21st St., N.W.
Washington, DC 20581

Re: ANPRM on potential amendments to the Risk Management Program (CFTC Regulations 23.600 and 1.11)

Dear Mr. Kirkpatrick:

The International Swaps and Derivatives Association, Inc. (“ISDA”)1 and the Securities Industry and Financial Markets Association (“SIFMA”)2 (collectively, the “Associations”) appreciate the opportunity to submit these comments on the Commodity Futures Trading Commission’s (“CFTC or Commission”) advanced notice of proposed rulemaking (“ANPRM”) on potential amendments to the Risk Management Program (“RMP”).

We appreciate the Commission’s willingness to revisit rules that were implemented more than a decade ago to ensure that they keep pace with evolving industry standards and practices. However, when it comes to the risk management program, the Associations do not support making any amendments to the existing rules. The current framework contains the necessary requirements for swap dealers (“SDs”) to manage and minimize risk and, at the same time, establishes the appropriate level of transparency that allows the CFTC to fully understand how each SD manages its risks. In fact, since these rules were adopted in 2012, to our knowledge, there have been no major deficiencies with SD’s risk management programs that would warrant any regulatory shifts.

Moreover, we believe that the current rules provide a clear and consistent framework for SDs to develop their respective risk management programs, while allowing sufficient flexibility to tailor such programs to an individual firm’s risk tolerance. We are concerned that the trajectory of the questioning in the ANPRM signals the Commission’s intention to introduce a more prescriptive risk management framework. As explained in more detail below, we do not believe that such an approach would further the Commission’s goals of ensuring that SDs have comprehensive and effective risk management programs.

Nonetheless, should the Commission decide to make amendments to its existing framework, we ask that the CFTC maintain the status quo for existing substituted compliance orders (i.e., Canada, Japan, the United Kingdom, EU, Switzerland, Hong King, and Australia) by automatically extending the applicability of such orders without requiring an additional level of review. Below we provide specific answers to the Commission’s questions as they relate to SDs.3

CFTC Questions & the Associations’ Answers

I. Governance and Structure

1. Do the definitions of “governing body” in the RMP Regulations encompass the variety of business structures and entities used by SDs and FCMs?

• Should the Commission consider expanding the definition of “governing body”in Regulation 23.600(a)(4) to include other officers in addition to an SD’s CEO, or other bodies other than an SD’s board of directors (or body performing a similar function)?
• Are there any other amendments to the “governing body” definition in Regulation 23.600(a)(4) that the Commission should consider?
• Should similar amendments be considered for the “governing body” definition applicable to FCMs in Regulation 1.11(b)(3)?

2. Should the Commission consider amending the definitions of “senior management” in the RMP Regulations? Are there specific roles or functions within an SD or FCM that the Commission should consider including in the RMP Regulations’ “senior management” definitions?

In response to Questions 1(a)-(c) and 2, the Associations do not support changes to the definitions of governing body or senior management under §23.600. The current definitions appropriately provide flexibility in order to account for the differences in business structures and functions that exist across SDs. Such flexibility is also important because it enables firms to identify personnel within the firm that have the appropriate level of seniority in order to obtain the required senior approvals.

With respect to the definition of “senior management” in particular, the RMP regulations state that senior management should be comprised of those granted with the appropriate authority and responsibility to carry out the duties of senior management. We believe that it is appropriate to leave it to the firm’s discretion to identify qualified employees to form part of the SD’s senior management, rather than prescribe specific roles or functions that must comprise senior management.

3. Should the RMP Regulations specifically address or discuss reporting lines within an SD’s or FCM’s RMU?

No, the RMP regulations should not specifically address or discuss reporting lines within an SD’s risk management unit (“RMU”). The RMP regulations provide sufficient guidance to SDs on how to create, structure, and manage their respective risk management programs. The rules also clearly establish reporting lines by requiring the RMU to have “sufficient authority” and “report directly to senior management.” Moreover, the current regulations sufficiently safeguard against potential conflicts of interest between the RMU and business trading unit.4

Introducing additional requirements that mandate even more specific reporting lines will only serve to make the rules more complex and prescriptive and will eliminate the flexibility for SDs to structure their RMU in a way that allows such personnel to efficiently monitor and address excessive risks that are particular to the SD’s business structure. Additionally, preserving this level of flexibility is important given the differences in business structures and functions that exist across SDs. The Commission has not identified shortfalls with existing governance structures of SD risk management programs and has therefore not set forth a compelling reason to modify a risk management regime that already achieves the Commission’s goals.

4. Should the Commission propose and adopt standards for the qualifications of certain RMU personnel (e.g., model validators)?

No, the Commission should not adopt standards for the qualification of RMU personnel. The key to risk management is understanding the specific vulnerabilities that are particular to a business and creating specific mechanisms to address those risks. The risks and approaches to address risk will (and should) vary from firm to firm. The same logic applies to risk management personnel, and thus, a “one-size-fitsall” approach would not be appropriate. SDs need the flexibility to hire personnel within their RMU’s that are best positioned to manage the risks of their particular business. Moreover, the rules already require that the SD employ “qualified personnel” with “sufficient authority” to the RMU.5 This standard is sufficient to ensure that the SD’s risk personnel are able to carry out the functions of the risk management program.

It is also important to note that any prescriptive standards that the CFTC might consider could become quickly outdated as risk management standards are dynamic and evolve over time in order to keep pace with financial innovation.

5. Should the RMP Regulations further clarify RMU independence and/or freedom from undue influence, other than the existing general requirement that the RMU be independent of the business unit or business trading unit?

As noted above, the Associations believe that the current regulations sufficiently safeguard against potential conflicts of interest between the RMU and business trading unit. Both §23.600(b)(5) and (d) clearly establish that the RMU should operate independently from the business trading unit and that there should be separation between the personnel of each unit.

6. Are there other regulatory regimes the Commission should consider in a holistic review of the RMP Regulations? For instance, should the Commission consider harmonizing the RMP Regulations with the risk management regimes of prudential regulators?

If a US Swap Entity is subject to entity-level risk management supervision by a prudential regulator, then the Commission should permit substituted compliance with such supervision and regulation for §23.600 (like the CFTC permits non-US Swap Entities to comply with their home country regulations that are deemed comparable to §23.600).

SDs that are banks are already subject to comprehensive risk management supervision and regulation by the Prudential Regulators, including with respect to their swaps activities.6 Deference to the Prudential Regulators in relation to risk management regulation of these SDs would not present a gap in U.S. regulatory oversight. Instead, allowing for substituted compliance with comparable U.S. financial regulations would reduce the cost and complexity of compliance, promote more efficient use of Commission and NFA resources, and align risk management requirements with existing capital frameworks for US SDs, where such deference is already established by CFTC capital rules. Indeed, under the CEA, the Prudential Regulators are responsible for establishing capital requirements for SDs that are banks.7 Similar alignment with Prudential risk management standards would not obviate the requirement that these SDs continue to provide risk management reporting to the Commission and the NFA, thus allowing for efficient Commission oversight of these SDs.

7. Are there other portions of the RMP Regulations concerning governance that are not addressed above that the Commission should consider changing? Please explain.

Under §23.600(c), SDs are required to establish risk tolerance limits as part of their risk management program. These limits are required to be reviewed and approved quarterly by senior management, and then annually by the governing body. The Associations believe that risk tolerance limits are required to be reviewed and approved too frequently. Most firms’ risk committees and governing bodies set and approve risk tolerance limits on an annual basis, with interim adjustments made by an independent risk function when needed. Conducting reviews quarterly does not add value as such intervals provide an insufficient amount of time for an SD’s RMU personnel to conduct a meaningful and time-intensive analysis of risks and their potential impacts. In most cases, these reviews do not result in any meaningful changes to the annually set risk tolerance limits. In short, the frequency of these reviews has become an increased administrative burden—compromising the robustness of each review and diverting attention away from more strategic risk management activities.

In addition, the governing body should not be required to approve the limits, they should just be informed of the set limits. Requiring the governing body to “approve” the risk tolerance limits results in duplicative obligations for governing body members to oversee matters that have already been considered by the senior management, as well as other governance committees or forums within an SD’s broader organization.8 If anything, this requirement introduces unclear lines of accountability and authority.

1 Since 1985, ISDA has worked to make the global derivatives markets safer and more efficient. Today, ISDA has over 1,000 member institutions from 79 countries. These members comprise a broad range of derivatives market participants, including corporations, investment managers, government and supranational entities, insurance companies, energy and commodities firms, and international and regional banks. In addition to market participants, members also include key components of the derivatives market infrastructure, such as exchanges, intermediaries, clearing houses and repositories, as well as law firms, accounting firms and other service providers. Information about ISDA and its activities is available on the Association’s website: www.isda.org.

2 The Securities Industry and Financial Markets Association is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). For more information, visit http://www.sifma.org.

3 With respect to the risk management program requirements applicable to FCMs, the Associations defer to and support the comments submitted by the Futures Industry Association (“FIA”). As a general matter, we agree with the FIA that the Commission’s current requirements surrounding RMPs are sufficiently robust and provide the appropriate level of flexibility that is necessary to account for firms’ differing business structures and risk exposures.

4 Both §23.600(b)(5) and (d) clearly establish that the RMU should operate independently from the business trading unit and that there should be separation between the personnel of each unit.

5 §23.600(b)(5).

6 See, e.g., OCC, Comptroller’s Handbook, Risk Management of Financial Derivatives (Jan. 1997) at: https://www.occ.treas.gov/publications/publications-by-type/comptrollers-handbook/risk-mgmtfinancialderivatives/pub-ch-risk-mgmt-financial-derivatives.pdf.

7 See CEA § 4s(e).

8 Prudential regulations with respect to governance require policies to be approved by the applicable committees. These committees are ultimately delegated their authority by the Board of Directors. See, for example, the FDIC’s Supervisory Guidance for Model Risk Management, which provides as follows: “Model risk governance is provided