SEF Settles Charges for Failing to Timely Provide Records and for System Safeguards Failures
Commentary by Joe Hughes
A swap execution facility settled CFTC charges for failing to (i) maintain adequate system safeguards and (ii) promptly provide records to the Division of Market Oversight during a routine systems safeguards examination.
In the Order, the CFTC outlined that between May 2018 and December 2023, the SEF, among other things, failed to: (i) adequately brief its Board of Directors with reports detailing the results of certain business continuity disaster recovery plan, technical risk and penetration testing and assessments; (ii) conduct adequate periodic testing and oversight of its business continuity disaster recovery plan; and (iii) have an adequate enterprise risk management program due to failure to finalize certain policies addressing operational and third-party risk.
The CFTC further found that during a routine system safeguards exam conducted by the Division of Market Oversight, the SEF failed to promptly provide requested documentation and information, despite being granted multiple extensions.
The CFTC determined that the company violated CEA Sections 5h(f)(14) and 5h(f)(10)(A)(ii) ("Swap execution facilities"), as well as CFTC Regulations 1.31(d) ("Regulatory records; retention and production"), 37.5(a) ("Core Principle 5-Ability to obtain information"), 37.1000(a)(2) ("Core Principle 10-Recordkeeping and reporting"), 37.1400 ("Core Principle 14-System safeguards") and 37.1401 ("Requirements").
To resolve the charges, the SEF agreed to (i) cease and desist from further violations of the statutory provisions and regulatory requirements referenced; (ii) pay a civil monetary penalty of $875,000; and (iii) implement remedial measures to strengthen its system safeguards and reporting processes.
In a dissenting statement, Commissioner Caroline D. Pham argued that the CFTC is moving away from its longstanding, principles-based, regulatory approach by bringing four enforcement actions that establish a new prescriptive framework for SEFs and futures exchanges. She voiced concerns about the CFTC's decision to charge alleged violations of SEF Core Principle 14, which focuses on system safeguard obligations related to operational risks. Commissioner Pham emphasized that deficiencies in systems and processes should not be equated with a failure to implement a program, noting that SEF Core Principle 1 grants SEFs reasonable discretion in how they implement the Core Principles. She also criticized the CFTC for pursuing these enforcement actions without providing fair notice to the public, as they were rooted in SEF examinations. She urged that any shift in the interpretation of Core Principles should be subject to a public notice-and-comment process.
Commentary
Despite Commissioner Pham's dissent, it is unlikely in the near-term that any public notice-and-comment period will be forthcoming on the CFTC's "more narrow approach to the Core Principles" suggested by its recent swap market enforcement actions. Indeed, this Order demonstrates the need for swap market participants to adhere closely to the "procedural" aspects of the rules to meet their regulatory obligations. At no point did the CFTC suggest that the SEF in question experienced any breach or compromise of its systems. Instead, the SEF allegedly failed to, among other things, adequately "brief its Board," "periodically" test its system, and maintain sufficient "written policies"—allegations that go primarily to the SEF's internal procedures.
SEF participants who trade on these exchanges should also be mindful of their own responsibilities to adequately safeguard their systems and protect the confidentiality of User IDs and SEF data.