CFTC Proposes "Operational Resilience Framework" for FCMs and Swap Dealers
The CFTC proposed a rule to require that Futures Commission Merchants ("FCMs") and swap dealers establish and maintain an "operational resilience framework" ("ORF") focusing on three components: information and technology security, third-party relationships and disruptions to standard business operations.
The ORF, as proposed under new CFTC Rule 1.13, would require:
- a program addressing information and technology security to protect the confidentiality, integrity and accessibility of sensitive data;
- a mechanism for managing risks linked to third-party service providers, particularly those critical to the entity's operations (see the new Fact Sheet);
- the adoption of a comprehensive business continuity and disaster recovery ("BCDR") plan;
- the implementation of annual risk assessments; and
- the adoption of an incident response plan.
Under the proposed rule, covered entities would be required to promptly notify the CFTC of specific incidents and the activation of their BCDR plan within a 24-hour timeframe. The proposal also requires notification of affected customers and counterparties following incidents that could adversely impact their information, assets or positions.
Further, the proposed rule provides that covered entities may establish holding company consolidated programs or plans for their ORF. Reliance on third-party service providers is permissible, contingent upon the effective management of associated risks, with the covered entity retaining responsibility for regulatory obligations.
Comments on the proposal are due by March 2, 2024.