Out-Law / Your Daily Need-To-Know

Out-Law News 4 min. read

US regulator looks to build operational resilience in swaps market

New York skyline sunrise SEO

Photo by Gary Hershorn/Getty Images

Comprehensive new rules aimed at ensuring businesses in the US swaps market are resilient to cyber, operational, and third-party risk have been proposed by a US regulator.

The US Commodity Futures Trading Commission (CFTC) intends to replace risk management rules that futures commission merchants, swap dealers, and major swap participants have had to comply with for more than a decade, with a new operational resilience framework.

The CFTC’s proposed framework is open to consultation until 2 March 2024. It features three central components that address IT security risk, risk when engaging third-party providers, and business continuity and disaster recovery planning. Further rules address governance, staff training, the review and testing of disaster recovery plans and record-keeping.

Proposed notification duties include a requirement to notify the regulator within 24 hours of any incident that adversely impacts, or is reasonably likely to adversely impact, information and technology security, their ability to continue business activities, or the assets or positions of a customer or counterparty.

There are similarities between what is proposed under the CFTC’s new regime and the requirements in the UK and EU. This provides some swaps entities that operate globally with potential scope to extend existing compliance programmes to the US market

The regulator intends to build some flexibility into the new framework, proposing that the operational resilience standards each swaps entity will be required to meet would be considered with reference to what is “appropriate and proportionate to the nature, size, scope, complexity and risk profile of its business activities”.

The CFTC said: “As the use of technology and associated third-party service providers has expanded within the financial sector, so too have the sources of operational risk facing covered entities, notably the potential for technological failures and cyberattacks. The Commission preliminarily believes that requirements for covered entities directed at promoting sound practices for managing these risks, as well as the risk of other potential physical disruptions to operations (e.g., power outages, natural disasters, pandemics), and for mitigating their potential impact would not only strengthen individual covered entity operational resilience, but reduce risk to the US financial system as a whole and help protect derivatives customers and counterparties.”

The CFTC developed its proposed new framework with reference to international standards pertinent to operational resilience drawn up by bodies such as the Basel Committee on Banking Supervision (BCBS) and the International Organization of Securities Commissions (IOSCO). Those standards have influenced operational resilience rules already being implemented in UK financial services and those set to take effect under the EU’s Digital Operational Resilience Act (DORA) next year too.

Scanlon Luke

Luke Scanlon

Head of Fintech Propositions

US swaps entities that are part of groups that have entities operating in the UK market may be able to adapt the existing policies and procedures pertaining to the UK regime

Luke Scanlon, an expert in financial services and technology contracts at Pinsent Masons, said that there are similarities between what is proposed under the CFTC’s new regime and the requirements in the UK and EU. This provides some swaps entities that operate globally with potential scope to extend existing compliance programmes to the US market, he said.

“There has been a move in recent years in both the UK and EU to develop compatible regulatory frameworks that draw together requirements around matters such as ICT , cyber, operational, and third-party risk that were previously addressed in separate rulebooks and guidance,” Scanlon said. “Concepts at the heart of the UK financial regulators’ operational resilience regime, and within DORA too, are reflected in the CFTC’s proposals.”

“For example, US swaps entities look set to face a requirement to establish and document, risk appetite and risk tolerance limits in respect of information and technology security, third-party relationships, and emergencies or other significant disruptions to the continuity of normal business operations, with a view to avoid them engaging in ‘activities that would present risks beyond those they can comfortably manage’. The entities will be expected to have underlying monitoring metrics in place to ensure they operate within their set limits. These requirements are similar to what firms regulated in UK financial services have to have in place in respect of ‘important’ business services they operate. US swaps entities that are part of groups that have entities operating in the UK market may be able to adapt the existing policies and procedures pertaining to the UK regime,” he said.

2014888_Cyturion Pullout image 700 x 420px

Pinsent Masons' Cyturion is a one-stop-shop tool that helps Business prepare for and respond to cyber iincidents

Scanlon added that swaps entities will want to consider the practicalities of compliance when considering the CFTC’s proposals – and ensure they provide feedback to the regulator on where the draft new framework might be improved – including in relation to incident notification.

“It is notable that the definition of incidents in the context of reporting extends to all that adversely impact information and technology security,” Scanlon said. “This stands in contrast to DORA which limits reportable incidents to those that are ‘major’ in the sense that they have a ‘high’ adverse impact. This is likely a matter that will be addressed during the consultation period.”

Within the CFTC’s plans to stiffen up the management of third-party risk are specific proposals applicable to swap entities when engaging ‘critical third-party service providers’. The regulator has proposed to define such providers as “a third-party service provider, the disruption of whose performance would be reasonably likely to either significantly disrupt a covered entity’s businesses operations or significantly and adversely impact the covered entity’s counterparties or customers”.

Swaps entities would be expected to undertake “heightened due diligence” prior to engaging critical third-party service providers compared to when they intend to engage other third-parties – the CFTC said it would expect swaps entities to “expand the type and sources of information they rely on, the rigor and scrutiny they apply  in reviewing the information to identify potential risks, and the level of confidence in their assessment of the third-party service provider’s ability to perform”.

The CFTC recommended that swaps entities consult audit reports, system and organisational controls (SOC) reports, financial statements, public filings, incident response plans, and business continuity plans, among other documents. It further advised that they consider what the information says about the would-be providers’ financial position, reputation, expertise and qualifications, information security and risk management practices, and history of compliance and disruptions, among other factors.

Swaps entities would be expected, though not obliged, to enter into written agreements with critical third-party service providers, under the CFTC’s proposed rules. The CFTC said the agreements should “support [swaps entities’] ability to mitigate, manage, and monitor the risks associated with the relationship, as identified through their initial pre-selection and due diligence activities”.  The regulator recommended that a series of provisions are built into the agreements – including rights of audit, requirements around timely notification of incidents or material changes to services, conditions around use of sub-contractors and termination rights.

Swaps entities would also face ongoing monitoring requirements in respect of their critical third-party service provider arrangements.

CFTC commissioner Caroline Pham said the regulator is open to input from stakeholders on its proposed new framework. In a statement, she highlighted issues such as core definitions, the plans in respect of third party risk management, and the proposed approach to risk appetite and risk tolerance limits, as among those the CFTC would welcome comment on.

The CFTC has outlined specific issues it seeks comment on throughout its consultation paper too. One of those issues relates its proposed requirements around business continuity and

disaster recovery planning, and how prescriptive the regulator should be about imposing recovery time objectives.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.