In a post-FTX environment, several financial regulators are taking action to emphasize a policy of sound custody and disclosure practices and to better understand certain risks to protect customers in the event of an insolvency or similar proceeding. For example, back in January 2023, the New York Department of Financial Services announced that it had issued certain Guidance on Custodial Structures for Customer Protection in the Event of Insolvency in which it highlighted the significance of consumer protection upon insolvency or similar proceeding. And in February 2023, the Securities and Exchange Commission (“SEC”) proposed amendments to the Custody Rule under the Investment Advisers Act of 1940, which, among other changes, clarified aspects of the existing rule and expanded its application to a broader array of client assets managed by registered investment advisers.

This past month, the Commodity Futures Trading Commission (“CFTC”) acted to ensure proper risk management within the derivatives markets in relation to, among other things, digital assets, by issuing two separate releases: (1) a proposed rulemaking on potential amendments to certain Risk Management Program (“RMP”) requirements applicable to swap dealers (“SDs”), major swap participants (“MSPs”), and futures commission merchants (“FCMs”); and (2) an advisory letter reminding derivatives clearing organization (“DCO”) registrants and DCO applicants about compliance obligations when expanding the types of products cleared and services offered by DCOs, including those related to digital assets.  The CFTC stated that re-evaluating its risk management rules is necessary to keep pace with evolving markets that can give rise to new risks from emerging technologies such as digital assets and artificial intelligence.

As to the first item, the CFTC published an advanced notice of proposed rulemaking (“ANPRM”) requesting public comment on potential amendments under the Commodity Exchange Act governing RMP requirements of SDs, MSPs, and FCMs. The ANPRM covered multiple topics, but this blog post will only highlight proposals related to digital assets and related technologies.

In the years after adopting 17 C.F.R. 23.600 (establishing risk management requirements for SDs and MSPs) and 17 C.F.R.1.11 (establishing risk management requirements for FCMs that accept customer funds), among other rules, the CFTC stated that it received many questions and noticed inconsistencies and inefficiencies stemming from the RMPs. Specific areas of apparent confusion and inconsistency include the structure and governance of RMPs, the enumerated risks that RMPs monitor and manage, and the inefficiencies of the periodic risk exposure reporting. The ANPRM also stated that the CFTC observed “significant variance” among SDs’ and FCMs’ quarterly risk exposure reports [We note that currently there are no registered MSPs] as to how they define and report on the enumerated areas of risk (e.g., market risk, credit risk, liquidity risk, etc.), thus purportedly making it difficult for the CFTC to gain a clear understanding of how specific risk exposures are being monitored and managed by such entities over time. The ANPRM noted that since the adoption of the RMP Regulations, “some SDs and FCMs have engaged in novel product offerings, such as derivatives on certain digital assets, have increased their facilitation of electronic and automated trading, and have incorporated into their operations the use of recent technological developments, including cloud-based storage and computing, and possibly artificial intelligence and machine learning technologies.”  The ANPRM also pointed out that considering recent market disruptions, as well as the growth of digital assets, the CFTC is also seeking comment on “the risks posed by SDs’ and FCMs’ affiliates and related trading activity.” It also noted that while “technological risk” is identified in Regulation 1.11(e)(1)(i) as a type of risk that an FCM’s RMP must take into account, technological risk is not similarly included in Regulation 23.600(c)(1)(i) as an enumerated risk that a SD’s RMPs must address.

In all, the ANPRM requested comment on several questions, including:

• Should the CFTC amend Regulation 23.600(c)(1)(i) to add technological risk as a type of risk that SD’s RMPs must take into account?
• Should the CFTC consider different definitions of “technological risk” for SDs and FCMs?
• Should the CFTC consider providing examples of “information technology assets” to incorporate risks that may arise from the use of certain emerging technologies, such as artificial intelligence and machine learning technology, distributed ledger technologies (e.g., blockchains), digital asset and smart contract-related applications, and algorithmic and other model-based technology applications?

Moreover, according to the ANPRM, the existing risk management rules may not address many of the questions that arise from the use of digital assets to safeguard customer property. As the proposal stated, the CFTC considers the segregation of customer funds and safeguarding of counterparty collateral as cornerstones of the CFTC’s SD and FCM regulatory regimes, respectively. In the CFTC’s understanding, SDs and FCMs currently engage in limited activities with respect to digital assets and no FCM holds customer property in the form of virtual currencies or other digital assets such as stablecoins. Nevertheless, the ANPRM requested public comment on the following questions:

• To the extent that FCMs may consider engaging in virtual currency or digital asset activity in the future, would the current RMP Regulations for FCMs adequately and comprehensively require them to identify, monitor, and manage the risks associated with that activity, including custody with a third-party entity?
• Should the CFTC consider additional RMP requirements applicable to SDs and FCMs that are or may become involved in, or affiliated with, the provision of digital asset financial services or products (e.g., digital asset lending arrangements or derivatives)?

Following public comment on the ANPRM, the CFTC hopes to better understand the potential shortfalls with the current RPMs and address them through future regulatory amendment.

Another recent development from the CFTC concerning risk management involves an advisory letter released on May 30, 2023. The letter from the Division of Clearing and Risk (“DCR”) addresses all DCO registrants and applicants. According to the CFTC, in the last few years DCOs have expressed an increased interest in expansion of the types of products cleared and business lines, clearing models, and services offered. This letter serves as a reminder of the potential risks associated with the expansion of activities such as DCO clearing of digital assets.

In the advisory, DCR reiterates its dedication to remaining focused on risk management moving forward, placing emphasis on risks related to system safeguards, conflicts of interest, and physical settlement procedures and physical deliveries, particularly when expanding lines of business, changing business models, or offering new and novel products (including digital assets).  The advisory stated that digital assets can involve higher cyber and operational risks, which DCR will monitor to ensure compliance under applicable regulations. The advisory letter also noted that DCR, working with other relevant CFTC staff, will “emphasize reviews of physical settlement arrangements” for DCOs clearing contracts that may involve physical delivery of digital assets and examine whether DCOs have “adequately identified and managed risks and obligations associated with digital assets and whether DCO rules clearly state the obligations of the DCO, if any, with respect to physical deliveries involving digital assets.”

[View source.]