[This story previously appeared in Securities Regulation Daily.]
By R. Jason Howard, J.D.
CFTC Commissioner Sharon Y. Bowen spoke before the 17th Annual OpRisk North America on March 25th to discuss operational risk, an issue she described as being very near to her heart.
In her speech she laid out the major trends in operational risk that she believes the market currently faces and offered some thoughts on what needs to be done to address those risks. She also provided specific insights into a major CFTC rule, explaining how she views the CFTC's regulation governing the risk management practices of swap dealers and major swap participants.
Cybersecurity. Commissioner Bowen began the discussion on cybersecurity by first reminding the audience that “trading is effectively entirely electronic.” Even when two traders are booking a deal over the phone, it is being logged and finalized via electronic communications, she said. The result, she continued, is that financial actors have become storehouses for massive amounts of sensitive data, from information about trading strategies to clients’ social security numbers. Intuitively, the damage that could be done via a major cyberattack on an exchange, clearinghouse, Swap Execution Facility (SEF), or systemically important financial institution is almost incalculable.
At the end of the day, the Commissioner explained, regulators and the industry are allied in the fight to prevent and mitigate cyberattacks and have to work together. Because this threat is constantly changing and new entities are continually developing new strategies, she said, everyone needs to adopt a stance of constant improvement.
Technology. The trend of technology breaking was Commissioner Bowen’s second risk trend topic. As finance has become an industry that is really housed in cyberspace, she explained, there is a risk that these new technologies may not be fully understood by the people who are using them, particularly with regard to high frequency trading. An example she cited was the ‘flash crash’ of 2010, which was an accident; but, she continued, the risk of massive technological failure affecting clearinghouses is not going away. Therefore, she thinks that entities using, for instance, high frequency trading algorithms in the futures market should at least be required to inform the CFTC that they are using those technologies, just as other registrants often inform the CFTC when they are implementing major new technological changes. Doing so, she said, will help ensure that industry participants fully understand the tools they are using to trade.
For now, she explained, she wants to encourage consideration of the danger that technologies could fail or malfunction, and she suggests that this consideration be part of overall risk management. That includes getting a thorough grounding in how the technology works and getting the input of technical experts on the flaws in the technology presently being used.
Culture. Culture, the Commissioner explained, is a trend that has received a lot of attention lately. She has witnessed a significant number of settlements and alleged violations of the laws and regulations in just the last nine months, and all too often, she continued, those settlements and alleged violations involve large actors that have previously run afoul of the rules, endangering both the reputation of those actors and the trust that undergirds the larger financial system.
On this topic, the Commissioner encouraged all attending to do what they can both to assess their risks of having a bad culture and to improve their organization’s culture as fast as they can. Unlike cybersecurity, she stated, this is a problem that can be solved by each individual firm.
Lack of regulatory clarity. This was the fourth risk trend that Commissioner Bowen spoke about. This topic, she said, is typically discussed in the context of the risk that regulators will change previously finalized rules without giving sufficient notice to industry. But it also applies to situations where rules required by Congress remain unfinished for long periods of time and therefore in a state of flux, and to situations where a regulator relies too much on issuing guidance and no-action letters for previously finalized rules. On this point she said that she believes regulations should be changed, as much as possible, through the ordinary process of notice and comment, and that regulators should resist the temptation to craft a regulatory regime primarily through no-action letters.
Risk management policies. Here, Commissioner Bowen discussed the final rule the CFTC released a few years ago: the CFTC regulation requiring risk management programs for swap dealers and major swap participants, known as Section 23.600. The rule states that each swap dealer and major swap participant needs to establish and enforce a system of risk management policies associated with its swaps activities.
Commissioner Bowen explained that the written policy needs to be approved by the governing body of the swap dealer or major swap participant and it has to be provided to the Commission; the swap dealer or MSP also has to establish and maintain an independent risk management unit that will carry out the risk management program and it has to report directly to senior management; the program has to cover, among other things, a number of risk categories: market risks, credit risks, legal risks, and, of course, operational risk; and the program also must include a policy for identifying and taking into account the risks of new products before they are used in transactions.
List of risks not all-inclusive. Because CFTC Section 23.600 is a “dense regulation,” Commissioner Bowen explained that the list of risks to be considered is not all-inclusive and that the items swap participants must consider are not “check-the-box” exercises; rather, the rule states only the risks that must be included in the risk management programs. Plans that deal only with the explicit requirements, said Commissioner Bowen, should not be viewed as complete, and she went on to suggest that “systemic” risk would be an appropriate category to include.
Risk categories not all-inclusive. The Commissioner’s second point about Section 23.600 was that the risk categories themselves are not all-inclusive. For each category, she continued, the rule states that programs and policies to address a specific risk shall include two or three explicit risks, among other things. Her example concerned operational risk, where the CFTC has explicitly stated that a risk management program has to take into account secure, reliable, and independent operating systems, safeguards against deficiencies in operation and information systems, and reconciliation of all data in operating systems. This, the Commissioner believes, only begins to scratch the surface of operational risk.
Senior management involvement. Third, Commissioner Bowen said that the implementation and enforcement of the risk management plan is to be carried out by an independent unit that has direct access to senior management. Senior management, she continued, needs to really consider and engage with the process of creating and updating the risk management plan so that senior management has a vested interest in the success and usefulness of the risk management program.
Independent. The Commissioner’s fourth point was that the risk management unit needs to be truly independent. Ideally, she explained, each risk management program would have a majority of people in it who, when they arrive at the risk management unit, have no prior work experience in the company. Such distance, she continued, will help ensure that the unit looks at issues with fresh eyes and will reduce the risk that the risk management unit simply ratifies prior analyses without really considering the costs and benefits of doing so.
The Commissioner suggested that the plans be dynamic, and she encouraged the attendees to “seriously rethink everything about your overall risk management plans with some frequency.”
Operational risk critically important to finance. Commissioner Bowen reiterated her thoughts from earlier in the speech, saying that she thinks operational risk is a critically important part of finance. “It’s by considering operational risk in advance,” she explained, “that a smart company is able to be flexible in a tough market or weather a storm...and while there will always be black swan events that do come out of nowhere, the more companies take into account as many of their real risks as is possible, the better each individual company and our financial system generally will be able to withstand unforeseen events.”
Conclusion. Commissioner Bowen concluded by saying that major financial actors need to fully implement requirements regarding risk management programs, sufficient protections need to be in place to prevent against hacking and cyberattacks, and major financial institutions need to change their culture so that there are far fewer violations of our laws and regulations.