Showing posts with label CYBERSECURITY. Show all posts

Thursday, March 12, 2015

CFTC CHAIRMAN MASSAD'S ADDRESS TO FUTURES INDUSTRY ASSOCIATION BOCA CONFERENCE

FROM:  U.S. COMMODITY FUTURES TRADING COMMISSION
Keynote Address of Chairman Timothy G. Massad before the Futures Industry Association Boca Conference
March 11, 2015
As Prepared For Delivery

Thank you for inviting me today, and I thank Walt for that kind introduction. It is a pleasure to be here. This is my first time to the International FIA Conference here, an event that I have heard a lot about. And, of course, with the winter we have been having in Washington, being here is a real treat.

Let me begin by acknowledging the work that the Futures Industry Association and its members do. Your commitment to improving the industry, and your participation in the work of the Commission, is very important.

I want to also acknowledge and thank the CFTC staff. What this agency has accomplished, not only since my arrival, but well before that, is a credit to their hard work. We have an incredibly dedicated and talented team. I also thank my fellow commissioners for their efforts, particularly their willingness to work constructively together. We may not always agree, but I believe all of us are working in good faith to carry out the CFTC’s responsibilities.

Everyone here appreciates the importance of the derivatives markets. They enable businesses of all types to manage risk, and in so doing, are engines of economic growth. The success of these markets depends on many factors, and a key one is having a strong and sensible regulatory framework.

We knew that before the global financial crisis, but the crisis certainly drove that lesson home. The absence of regulation allowed the build-up of excessive risk in the over-the-counter swaps market. That risk intensified the crisis and the damage it caused. We must never forget the true costs of the crisis: millions of jobs lost, homes foreclosed and dreams shattered.

As a result of the financial crisis our country took action to address those risks. We are implementing a new regulatory framework for swaps, one that mandates central clearing and brings greater transparency, reporting and oversight. The CFTC’s responsibility today is to regulate the derivatives markets in a manner that not only prevents the build-up of excessive risk, but also creates a foundation on which the derivatives markets can continue to thrive and work for the many businesses that rely on them.

So today I would like first to review briefly some of the things we have done recently, and some of the things we will be doing in the months ahead. And then I want to discuss a key aspect of that new framework, which is the role of clearinghouses. In particular, I want to discuss the issue of clearinghouse resiliency, because this is an issue that has been a priority for us and has received increased public attention lately.

Current Priorities

We have been very busy since two of my fellow commissioners and I took office last summer. Our agenda today reflects several priorities.

First, the agency has largely finished an intensive rule-writing phase to create the new regulatory framework for swaps. We are now focused on implementation of that framework. One of our priorities has therefore been to focus on fine-tuning our rules, in particular to make sure that the commercial businesses, consistent with the Congressional mandate, that depend on these markets to hedge risk can continue to use the markets effectively. We have made a number of changes to address concerns of commercial end-users. This has included amending our rules to enable publicly-owned utilities to continue to be able to hedge their risks effectively in the energy swaps market. We have proposed revisions regarding the posting of residual interest which is related to the posting of collateral with clearing members. We have proposed exemptions for commercial end-users from certain recordkeeping requirements and clarifications to give the market greater certainty with regard to the treatment of contracts with embedded volumetric optionality.

In addition, the Commission staff has taken action to make sure that end-users can use the Congressional exemption regarding clearing and swap trading, including when they enter into swaps through a treasury affiliate. The staff also recently granted relief from the real-time reporting requirements for certain less liquid, long-dated swap contracts, recognizing that immediate reporting can sometimes undermine a company’s ability to hedge.

We have also extended relief with respect to the treatment of package trades on swap execution facilities to avoid unnecessary disruptions in the marketplace. There may be additional measures, such as today we are looking at trade option reporting rules and the rules on trading of swaps on swap execution facilities.

Finishing the Dodd Frank Rules. We are also working to finish the few remaining rules mandated by Congress, including our proposed rule on margin for uncleared swaps. This rule plays a key role in the new regulatory framework, because uncleared transactions will always be an important part of the market. Certain products will not be suitable for central clearing because of their lack of sufficient liquidity or other risk characteristics. In these cases, margin will continue to be a significant tool to mitigate the risk of default from those transactions and, therefore, the potential risk to the financial system as a whole.

We are currently working with the bank regulators to finalize these proposed rules. These rules exempt commercial end-users from the margin requirements, consistent with Congressional intent. I am hopeful that we can finalize these rules by the summer.

We are also working on the rules on position limits and capital for swap dealers.

Cross-Border Harmonization. We are also focused on addressing cross border issues related to the new framework. We have had productive discussions with the Europeans to facilitate their recognition of U.S. based clearinghouses, and I would hope that we could reach agreement soon. Another important area for cross-border harmonization is the proposed rule I just mentioned, concerning margin for uncleared swaps. We have been working with our counterparts in Europe and Japan, and I am hopeful that our respective final rules will be substantially similar, even though they are not likely to be identical.

Data. We have also made enhancing our ability to use market data effectively a key priority. We continue to focus on data harmonization, including by helping to lead the international work in this area. We are also looking at clarifications to our own rules to improve data collection and usage. We have a lot of work to do in the area of data generally, but we have come a long way since 2008, when we knew very little about the swaps market. Today, there is real time price and volume information and we have much better insight into participant activity.

New Challenges and Risks. We are also looking at new challenges and risks in our markets. We have been very focused on the increased use of automated trading strategies, for example, and their impact on the derivatives markets. We issued a concept release last year and we received a lot of very useful input. We are also keenly focused on cybersecurity, which is perhaps the single most important new risk to market integrity and financial stability. We have incorporated cyber concerns into our core principles and made it a priority in our examinations. Our challenge is to leverage our limited resources as effectively as possible. Many major financial institutions are spending far more on cybersecurity than our entire budget. We do not have, for example, the resources to do independent testing. So one of the things we are looking at is whether the private companies that run the core infrastructure under our jurisdiction – the major exchanges and clearinghouses for example – are doing adequate testing themselves of their cyber protections. We are holding a public staff roundtable to discuss this issue next week.

Enforcement and Compliance. We also remain committed to a robust surveillance and enforcement program to prevent fraud and manipulation. We have held some of the world’s largest banks accountable for attempting to manipulate key benchmarks. We have brought successful cases against those who would attempt to manipulate our markets through sophisticated spoofing strategies. And we have also stopped crooks trying to defraud seniors through precious metal scams and Ponzi schemes. In all these efforts, our goal is to make sure that the markets we oversee operate with fairness for all participants regardless of their size or sophistication.

Ensuring the Strength and Stability of Clearinghouses in the New Regulatory Framework

Let me turn now to discuss clearinghouses. In just about every speech I have given since taking office, I have talked about our progress in implementing the mandate to clear standardized swaps. In our markets, the percentage of swaps cleared has increased from 15% in December 2007 to about 75% today. At the same time, I have talked about the importance of clearinghouse stability and oversight. As we make clearinghouses even more important in the global financial system, we must pay attention to the risks that they can pose.

Lately, there has been increased discussion of this, with many views put forward in papers and speeches, on issues like clearinghouse resiliency, recovery, and resolution. Questions are being asked in particular about the adequacy of recovery plans, about whether clearinghouses have enough capital or “skin in the game,” and whether the potential liability of clearing members is properly sized or capped. This is a good and healthy debate. Today, I would like to discuss how we at the CFTC think about some of these issues. Let me do so by first talking about the work that has taken place in this area, both by us and internationally, then discuss the need to look at issues in context, and then discuss the work that lies ahead.

First, a great deal of work has already taken place to consider these issues, here and internationally. The CFTC has had a regulatory framework in place to oversee clearinghouses since well before the passage of Dodd-Frank. Dodd-Frank amended the agency’s core principles for clearinghouses, with the goal of reducing risk, increasing transparency, and promoting market integrity within the financial system. In 2011, the agency adopted detailed regulations to implement the revised core principles. These regulations provide a regulatory framework designed to strengthen the risk management practices of DCOs, promote financial integrity for swaps and futures markets, and enhance legal certainty for DCOs, clearing members, and market participants.

In 2013, we also supplemented these regulations by adopting additional requirements for systemically important clearinghouses. Thus, our clearinghouse regulations are now consistent with the Principles for Financial Market Infrastructures, or PFMIs, published in 2012 by CPMI-IOSCO.

The work of CPMI-IOSCO with respect to clearinghouses has been an important international effort, and the CFTC has played an active role. The PFMIs set comprehensive principles and key considerations for the design and operation of financial market infrastructures, including clearinghouses, to enhance their safety and efficiency, to limit systemic risk, and to foster transparency and financial stability. This same group also published a Disclosure Framework and Assessment Methodology and last month published quantitative disclosure standards, to further increase transparency of clearinghouses.

The Basel Committee on Banking Supervision has provided strong incentives for clearinghouses to meet these standards, because bank exposures to such “qualifying CCPs” are subject to capital treatment that is significantly more favorable than that afforded to exposures to clearinghouses that do not meet these standards. CPMI-IOSCO has also undertaken a rigorous process to assess the completeness of the regulatory framework in several jurisdictions. The Financial Stability Board has also contributed through the publication of the Key Attributes of Effective Resolution Regimes, which includes an annex on financial market infrastructures.

Writing standards that clearinghouses must follow, however, is of course not enough. That is why the CFTC also engages in extensive oversight activities. Our program includes daily risk surveillance, analysis of margin models, stress testing, back testing, and in-depth compliance examinations. We engage in ongoing review of clearinghouse rules and practices, and we review what products should be mandated for clearing. We require a variety of periodic reporting including some on a daily basis as well as event-specific reporting.

In addition to supervision of clearinghouses, we look at risk at the clearing member and large trader levels. We conduct daily stress tests to identify traders who pose risks to clearing members and clearing members who pose risks to clearinghouses. We require clearinghouses to oversee the risk management policies and practices of their members. We require FCMs, whether clearing members or not, to meet risk management and minimum capital standards. And we have a rigorous compliance examination process.

There is also public transparency on these matters. You can go to our website and see each FCM’s net capital requirement and the amounts of adjusted capital and customer segregated assets they hold.

This oversight and reporting framework is intended to enable us to take proactive measures to promote the financial integrity of the clearing process.

So as we engage in this public discussion about clearinghouse risk, we should always remember to look at the full picture – that is, to look at all the regulatory policies, the clearinghouse practices, the oversight, and the sum of activities that contribute to rigorous risk mitigation. We should not focus on one particular issue without considering how it connects to other issues.

An example of the importance of looking at the full picture is when we consider issues pertaining to risk mitigation through the collection of initial margin. Although there are many aspects to consider, there has been some focus on one issue in particular, which is the liquidation period – that is, whether a clearinghouse should assume a 1 day, 2 day, 5 day, or other minimum time horizon for its ability to liquidate a particular product. This is an important issue. Indeed, our regulations require that the time period must be appropriate based on the characteristics of a particular product or portfolio. But the minimum liquidation period is only one of the many issues that affect how much initial margin is posted with the clearinghouse.

The amount of margin a clearinghouse holds will also depend on whether clearing members post margin on a gross or net basis. “Net” means a clearing member can net customers’ positions to the extent they offset one another, which reduces the amount of margin that must be sent to the clearinghouse for the overall portfolio. By contrast, “gross” posting means the clearing member must post for each customer, without any offsets across customers, which means the clearinghouse receives more – in many cases, much more – collateral than under net posting.

A further difference in regulatory regimes is whether the clearing member is even obligated to collect a minimum amount of margin from each customer, sufficient to cover that customer’s position, or whether the clearing member can negotiate different deals with different customers. Our rules, for example, require that the clearinghouse must require each clearing member to collect from each customer, more than 100% of the clearinghouse’s initial margin requirements with respect to each product and swap portfolio.

Another example of the importance of context is with regard to the issue of whether clearinghouses have enough capital or “skin in the game.” There has obviously been a lot of public and regulatory attention in the last few years on how much capital banks should hold. When it comes to clearinghouses, it’s important to remember that there are significant differences between the business models of clearinghouses and banks, and therefore, in the role that capital plays. A banking institution needs capital to offset losses that may arise frequently. Those losses can be as varied as the many lines of businesses in which a bank engages.

By contrast, when people talk about a clearinghouse drawing on its capital, they are usually talking about a very unusual event: there has been a default of a clearing member, and the resources of the defaulter held by the clearinghouse – both initial margin and default fund contribution – are not enough to cover the loss. The clearinghouse has sought to transfer the defaulting member’s positions to one or more other clearing members, and the success of that auction has affected the size of the loss. The clearinghouse is now looking at covering that loss through the waterfall of resources available to it for recovery – that is, the clearinghouse’s capital, the other clearing members’ prefunded contributions to the default fund, and potential assessments on clearing members.

This would be a very serious event. Historically, however, the use of other clearing members’ resources to meet a default is exceedingly rare worldwide. To my knowledge, it has never happened here in the United States.

That does not mean we should not think about it or plan for it. Post financial crisis, we are and should be doing many things to increase the resiliency of our financial system in the event of unusual situations. The issue of capital needs to be considered in the context of a clearinghouse’s overall financial resources. That is, what are the resources to deal with a loss if initial margin is not adequate? Under CFTC requirements, each of our systemically important clearinghouses must maintain sufficient financial resources to meet its financial obligations to its clearing members notwithstanding the default by the two clearing members creating the largest combined loss to the clearinghouse in extreme but plausible market conditions – the standard known as “Cover 2.” These requirements are consistent with the PFMIs.

To meet these requirements, a clearinghouse may use initial margin payments, its own capital dedicated to this purpose, and default fund contributions. The allocation or the balance between these financial resources may vary, such that the more margin paid up front, the less default fund contributions the clearinghouse will collect and vice versa.

I should note that a clearinghouse faces risks outside of a default by a member, and we are looking at those as well. These can include operational or technological issues, such as the cybersecurity concerns I noted earlier. And we separately require clearinghouses to have capital, or other resources acceptable to us, to cover operating costs for one year. This capital is not fungible with the Cover 2 resources.

We are currently considering the issues pertaining to the resources available to deal with a default in the context of reviewing clearinghouse recovery plans. We are trying to make sure that these plans are “viable” – that is, that they are designed to maximize the probability of a successful clearinghouse recovery, while mitigating the risk that recovery actions could result in contagion to other parts of the financial system. And we will be holding a public staff roundtable on these issues next week – unless Washington gets another snowstorm. The agenda will include discussion of what tools a clearinghouse may use in these situations.

Let me suggest a few questions that may be useful to think about in considering clearinghouse capital in this context: first, is capital primarily about alignment of incentives – that is, alignment of incentives between the clearinghouse and its clearing members – rather than the quantitative increase to the waterfall? In an era when the equity of clearinghouses is held by persons other than the clearing members, this may be particularly important. As the CPMI-IOSCO Recovery Report notes, “[e]xposing owners to losses … provides appropriate incentives for them to ensure that the [clearinghouse] is properly risk-managed.”

Second, when we think about capital in the context of recovery plans, should we also think about issues of governance and process? That is, whose interests should be taken into account when a clearinghouse designs its recovery plan and when a clearinghouse faces a default? If the waterfall of resources is not sufficient to cover a default, then how does the clearinghouse decide what happens next, and who should participate in or have input into that decision? How do we ensure there is adequate time for that decision-making process to take place?

In outlining the things the CFTC has done and is doing, as well as the international work that has taken place, let me note a couple of caveats. While I believe the agency has developed very good policies and practices, there is more we should be doing, particularly with respect to the frequency of examinations. Unfortunately, we are limited by our resources. In addition, to state the obvious, no matter how good the regulatory framework, no regulator can ever guarantee that there won’t be problems.

Finally, I want to underscore that this work is ongoing, and there are many aspects of these issues that I have not touched on today given time limitations. We will be continuing to look at the full range of issues pertaining to clearinghouse risk, resiliency, recovery, and resolution. We will also be participating in further international work on these issues. I note that CPMI-IOSCO will be continuing to look at stress testing – are clearinghouse stress testing programs adequate and should we develop standards, for example – and they will also be looking at recovery issues, and we will be helping to lead that process. I also expect the FSB’s Resolution Steering Group to look further at the resolution issues, and we will work with our colleagues on that as well. While no one wants to get to resolution, it is important that we explore how this would be done as well, without a government bailout and without creating contagion. This is very useful, and it reflects the very good international dialogue that has taken place already in this area. In addition, this work can help us balance the multiple regulatory objectives that come into play in considering these issues, so that regulators with different responsibilities do not work at cross purposes.

As we engage in this work, and as the public discussion about clearinghouse resilience continues, I would just encourage all of us to keep in mind the full picture. We should always take a comprehensive approach to these issues, one that is based on a clear understanding of risk, that enhances transparency and market integrity, and that is backed up by rigorous, ongoing oversight. Effective risk mitigation and resiliency require a broad range of policies and procedures.

Central clearing is fundamental to the health and vibrancy of our markets. We must make sure that clearing firms, as well as clearinghouses, can continue to operate successfully. It is only in this way that the businesses which depend on these markets can continue to use them effectively.

Conclusion

That brings me back to where I started, which is the importance of these markets to the many businesses that rely on them, and to our economy generally. All of you who participate in these markets understand that. And that is what guides us at the Commission. I know I speak for all the Commissioners in saying it is a privilege for us to work on these issues of importance to these markets and our economy. I look forward to working with you to make sure these markets continue to thrive in the years ahead.

Thank you for inviting me.

Last Updated: March 11, 2015

Thursday, March 27, 2014

SEC CHAIR WHITE'S OPENING STATEMENT AT ROUNDTABLE MEETING ON CYBERSECURITY

FROM:  U.S. SECURITIES AND EXCHANGE COMMISSION 
PUBLIC STATEMENT
Opening Statement at SEC Roundtable on Cybersecurity
SEC Chair Mary Jo White
March 26, 2014

Good morning.  Welcome to today’s roundtable on cybersecurity.

Cybersecurity threats come from many sources: criminal and hired hackers, terrorists, state-sponsored intruders, and even misguided computer experts to see what they are able to penetrate.

Cyber threats also pose non-discriminating risks across our economy to all of our critical infrastructures, our financial markets, banks, intellectual property, and, as recent events have emphasized, the private data of the American consumer.

This is a global threat.  Cyber threats are of extraordinary and long-term seriousness.  They are first on the Division of Intelligence’s list of global threats, even surpassing terrorism. And Jim Comey, director of the FBI, has testified that resources devoted to cyber-based threats are expected “to eclipse” resources devoted to terrorism.[1]

What emerges from this arresting view of the cybersecurity landscape is that the public and private sectors must be riveted, in lockstep, in addressing these threats.

The President’s 2013 Cybersecurity Executive Order and the Cybersecurity Framework issued in 2014 by the National Institute of Standards and Technology are reflective of the compelling need for stronger partnerships between the government and the private sector.

The SEC’s formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information.  But it is incumbent on every government agency to be informed on the full range of cybersecurity risks and actively engage to combat those risks in our respective spheres of responsibility.

This roundtable is one aspect of the SEC’s efforts to better inform ourselves, the marketplace, our fellow agencies, and the private sector as to what the risks are and how best to combat them.

As you know, we at the SEC have been focused on cybersecurity-related issues for some time.  In connection with public company disclosures, in October 2011, our  Division of Corporation Finance issued guidance on existing disclosure obligations related to cybersecurity risks and incidents to assist public companies in framing disclosures of cybersecurity issues.  That guidance makes clear that material information regarding cybersecurity risks and cyber incidents is required to be disclosed.

Since we issued that guidance, our staff has continued to study the important and challenging issues that cybersecurity presents to public companies, market participants, and investors, including the intersection of our investor-focused disclosure requirements and the types of information those with national security responsibility need in order to better protect our critical infrastructure.  I am looking forward to hearing the views on this.

Cybersecurity for SROs and large alternative trading systems also is a very important area of focus for our staff.  Part of this focus involves the Commission’s proposed rule on Regulation Systems, Compliance and Integrity, which would require an entity covered by the rule to test its automated systems for vulnerabilities, test its business continuity and disaster recovery plans, notify the Commission of cyber intrusions, and recover its clearing and trading operations within specified time frames.  I expect the Commission to move ahead with Regulation SCI this year.

We also have focused on cybersecurity risk issues for registered investment advisers, broker-dealers, and funds, including, for example, data protection and identity theft vulnerabilities.

In this area, the Commission last year adopted Regulation S-ID, which requires certain regulated financial institutions and creditors to adopt and implement identity theft programs.[2]  Regulation S-ID builds upon the SEC’s existing rules for protecting customer data, in particular Regulation S-P.[3]

I want to thank all of our panelists for participating today and sharing their views on these critical issues.  There is no better way to proceed than by assembling the right people in the same room to discuss and share information, points of view, and best practices.

Each panel consists of a very impressive group of professionals who bring a great deal of expertise and a range of relevant perspectives.

In addition to our panelists, we are joined today by many others who are here in person or watching online. And, of course, we welcome your views as well.  We have set up a comment file on our website for the public to submit views on cybersecurity issues or respond to the questions addressed and the views expressed by our panelists. And I especially look forward to hearing the public’s ideas and input.  Your views are important to us. We and the others here today will benefit immensely from hearing them as we study these issues.

Thank you and enjoy the roundtable.


[1] Homeland Threats and Agency Responses, The Honorable James B. Comey, Jr., Statement of the Federal Bureau of Investigation Before the Committee on Homeland Security and Governmental Affairs, United States Senate (November 14, 2013).

[2] See Identity Theft Red Flags Rules, Release No. 34-69359 (April 10, 2013), available at http://www.sec.gov/rules/final/2013/34-69359.pdf.

[3] See Final Rule: Privacy of Consumer Financial Information (Regulation S-P) (November 13, 2000), available at http://www.sec.gov/rules/final/34-42974.htm.