US regulator looks to build operational resilience in swaps market

The US Commodity Futures Trading Commission (CFTC) intends to replace risk management rules that futures commission merchants, swap dealers, and major swap participants have had to comply with for more than a decade, with a new operational resilience framework.

The CFTC’s proposed framework is open to consultation until 2 March 2024. It features three central components that address IT security risk, risk when engaging third-party providers, and business continuity and disaster recovery planning. Further rules address governance, staff training, the review and testing of disaster recovery plans and record-keeping.

Proposed notification duties include a requirement to notify the regulator within 24 hours of any incident that adversely impacts, or is reasonably likely to adversely impact, information and technology security, their ability to continue business activities, or the assets or positions of a customer or counterparty.

The regulator intends to build some flexibility into the new framework, proposing that the operational resilience standards each swaps entity will be required to meet would be considered with reference to what is “appropriate and proportionate to the nature, size, scope, complexity and risk profile of its business activities”.

The CFTC said: “As the use of technology and associated third-party service providers has expanded within the financial sector, so too have the sources of operational risk facing covered entities, notably the potential for technological failures and cyberattacks. The Commission preliminarily believes that requirements for covered entities directed at promoting sound practices for managing these risks, as well as the risk of other potential physical disruptions to operations (e.g., power outages, natural disasters, pandemics), and for mitigating their potential impact would not only strengthen individual covered entity operational resilience, but reduce risk to the US financial system as a whole and help protect derivatives customers and counterparties.”

The CFTC developed its proposed new framework with reference to international standards pertinent to operational resilience drawn up by bodies such as the Basel Committee on Banking Supervision (BCBS) and the International Organization of Securities Commissions (IOSCO). Those standards have influenced operational resilience rules already being implemented in UK financial services and those set to take effect under the EU’s Digital Operational Resilience Act (DORA) next year too.

Luke Scanlon, an expert in financial services and technology contracts at Pinsent Masons, said that there are similarities between what is proposed under the CFTC’s new regime and the requirements in the UK and EU. This provides some swaps entities that operate globally with potential scope to extend existing compliance programmes to the US market, he said.

“There has been a move in recent years in both the UK and EU to develop compatible regulatory frameworks that draw together requirements around matters such as ICT , cyber, operational, and third-party risk that were previously addressed in separate rulebooks and guidance,” Scanlon said. “Concepts at the heart of the UK financial regulators’ operational resilience regime, and within DORA too, are reflected in the CFTC’s proposals.”

“For example, US swaps entities look set to face a requirement to establish and document, risk appetite and risk tolerance limits in respect of information and technology security, third-party relationships, and emergencies or other significant disruptions to the continuity of normal business operations, with a view to avoid them engaging in ‘activities that would present risks beyond those they can comfortably manage’. The entities will be expected to have underlying monitoring metrics in place to ensure they operate within their set limits. These requirements are similar to what firms regulated in UK financial services have to have in place in respect of ‘important’ business services they operate. US swaps entities that are part of groups that have entities operating in the UK market may be able to adapt the existing policies and procedures pertaining to the UK regime,” he said.

Within the CFTC’s plans to stiffen up the management of third-party risk are specific proposals applicable to swap entities when engaging ‘critical third-party service providers’. The regulator has proposed to define such providers as “a third-party service provider, the disruption of whose performance would be reasonably likely to either significantly disrupt a covered entity’s businesses operations or significantly and adversely impact the covered entity’s counterparties or customers”.

Swaps entities would be expected to undertake “heightened due diligence” prior to engaging critical third-party service providers compared to when they intend to engage other third-parties – the CFTC said it would expect swaps entities to “expand the type and sources of information they rely on, the rigor and scrutiny they apply  in reviewing the information to identify potential risks, and the level of confidence in their assessment of the third-party service provider’s ability to perform”.

The CFTC recommended that swaps entities consult audit reports, system and organisational controls (SOC) reports, financial statements, public filings, incident response plans, and business continuity plans, among other documents. It further advised that they consider what the information says about the would-be providers’ financial position, reputation, expertise and qualifications, information security and risk management practices, and history of compliance and disruptions, among other factors.

Swaps entities would be expected, though not obliged, to enter into written agreements with critical third-party service providers, under the CFTC’s proposed rules. The CFTC said the agreements should “support [swaps entities’] ability to mitigate, manage, and monitor the risks associated with the relationship, as identified through their initial pre-selection and due diligence activities”.  The regulator recommended that a series of provisions are built into the agreements – including rights of audit, requirements around timely notification of incidents or material changes to services, conditions around use of sub-contractors and termination rights.

Swaps entities would also face ongoing monitoring requirements in respect of their critical third-party service provider arrangements.