CFTC Commissioner Bowen Discusses Operational Risks

CFTC Commissioner Sharon Y. Bowen spoke at the 17th Annual OpRisk North America conference. Her remarks concerned operational risks in the market and what stakeholders can do to address those risks. She also addressed the risk management policy requirements of CFTC Rule 23.600.

Commissioner Bowen identified cybersecurity as an operational risk that her audience knew "only too well." She explained that, since trading has become electronic, financial firms now store massive amounts of data, which makes them targets for hackers. She stated that two primary types of actors are involved in cybersecurity threats: (i) thieves, who try to make money by stealing, trading or selling sensitive information to others; and (ii) vandals, who try to damage the system, perhaps by leaking information in an attempt to change corporate policy.

Commissioner Bowen advocated a dynamic and flexible two-tier structure that "establishes a clear floor for everyone to obey and then mandates that each company add on additional protections." Commissioner Bowen also expressed concern that certain firms have not reported breaches in cybersecurity immediately, and stated that a high level of baseline protection is needed to ensure that all stakeholders have an effective cybersecurity plan.

Commissioner Bowen touched briefly on technology as an operational risk, and mentioned incidents in which trading algorithms malfunctioned, causing market crashes and massive technological failures that impacted clearinghouses. She encouraged firms to include technological failures as part of their overall risk management plans.

Additionally, Commissioner Bowen explained that a large number of operational risks are human. They are driven both by regulatory ambiguity and by a risk-taking culture in the financial industry. She stated that in order to improve the culture in the financial industry, the CFTC must disincentivize people from breaking the rules and encourage firms to improve the flow of information in internal communications. Commissioner Bowen also explained that regulatory uncertainty is a product of the CFTC's reliance on "issuing guidance and no-actions letters for previously finalized rules." She said that the CFTC should instead rely on the "ordinary" notice and comment process.

Lastly, Commissioner Bowen discussed the risk management policy requirements in CFTC Rule 23.600. She explained that risk management programs are not a "check-the-box exercise," and that the lists of risks and risk categories mentioned in the rule are not all-inclusive. She encouraged firms to address "systemic risk" comprehensively in their programs. She also stated that senior management should have a "vested interest" in creating and implementing a useful risk management plan. She recommended that firms rethink their overall risk management plans with "some frequency."

See: Commissioner Bowen's Remarks.
See also: CFTC Rule 23.601 ("Risk Management Program for Swap Dealers and Major Swap Participants").
