DCM Fined for Risk Assessment and Trade Reporting Violations

A designated contracts market ("DCM") settled CFTC charges for failing to establish a risk analysis program designed to minimize operational risk related to cybersecurity and cyber resiliency.

In the Order, the CFTC found that the DCM failed to conduct adequate information security testing and develop enterprise technology risk assessments, both of which were part of a larger failure to establish a comprehensive risk management program. Additionally, the DCM failed to report certain options and swaps transactions to a swap data repository, in violation of the CFTC's reporting requirements. The DCM also falsely represented to the CFTC that it was complying with all necessary reporting requirements and would continue to do so, despite knowing such data was not being reported.

As a result, the CFTC determined that the DCM violated CEA Section 2(a)(13)(G) ("Jurisdiction of Commission; liability of principal for act of agent; Commodity Futures Trading Commission; transaction in interstate commerce"), Section 5(d)(20) ("Designation of boards of trade as contract markets") and Section 6(c)(2) ("Application for designation as contract market or derivatives transaction execution facility; time; suspension or revocation of designation; hearing; review by court of appeals").

Additionally, the DCM violated CFTC Rule 16.02 ("Daily trade and supporting data reports"), Rule 38.1050 ("Core Principle 20"), multiple provisions of Rule 38.1051 ("System Safeguards - General Requirements"), Rules 43.3(a)(1)-(2) ("Method and timing for real-time public reporting") and Rule 45.3 ("Swap data reporting: Creation data").

To settle the charges, the DCM agreed to (i) cease and desist, (ii) pay a civil monetary penalty of $6,500,000 and (iii) initiate undertakings to improve compliance.