Remarks of CFTC Commissioner Sharon Y. Bowen before the 17th Annual OpRisk North America
March 25, 2015
Thank you for that wonderful introduction. I’m honored to speak today to a group that is grounded in an issue that is very near to my heart: operational risk. When I was a corporate lawyer here in New York, I was immersed in operational risk issues every time I worked on an M&A deal. For every deal, the parties and their counsels had to consider many different scenarios. From the possibility that the parties’ data systems might not easily interface, that the two companies had incompatible systems to administer retirement and benefit plans, or that operations outside of the U.S. had different regulatory oversight and restrictions – everything had to be thoroughly vetted prior to finalizing the deal.
The reason we had to do all this advance legwork is something that you all are familiar with – a deal has to make economic sense even if things don’t go as fully expected. And let’s be honest – they never truly go as fully expected. Sometimes a major supplier to one of the parties goes bankrupt for idiosyncratic reasons, forcing a rapid change in the supply chain. Maybe a strike occurs that cuts off access to a particular material that one of the parties relies on. A local election in a market unconnected to the parties’ business goes unexpectedly, triggering a broader crisis of confidence that ripples back to the parties’ core markets. Or a party’s database or its website could simply crash for several hours or days, greatly reducing business and causing significant consumer complaints.
Even worse, there could be a major negative shock to a party’s business. For instance, one of the core analytic models that a bank has relied on could be found to have a significant flaw and force a restructuring of the entire business strategy. A financial entity could face a number of lawsuits, from private actors as well as regulators, necessitating a reworking of the culture of the entity. Or, to reference something that we’re all becoming only too familiar with, hackers could compromise the data systems of a party, endangering personal, private data and causing a crisis of lost confidence in the company among the press, industry, and the general public.
These last few examples aren’t really hypotheticals – we’ve seen numerous examples of them in just the last few years. Some of the most significant events in business, from hacking to shifting the culture at firms in a better direction, are occurring in the operational risk space. In fact, I’m fairly confident all of you are only too familiar with the strife that a major film studio experienced after it was hacked last year. Dealing with these issues is certainly a challenge, but it also represents an opportunity. People who are operational risk experts, like all of you, have the chance to help address some of these significant issues and hopefully even devise some strategies to make these problems much easier to handle in the future.
Of course, as a Commissioner at the CFTC, I’m not an unbiased actor. I’m focused on these issues because I believe operational risks can easily flow to the core of our markets. So, in today’s speech, I will lay out the major trends in operational risks that I believe the market is facing at present. Then, I will provide you with some thoughts on what we need to do to address them. Also, in an effort to provide all of you with some specific insights into a major CFTC rule, I’ll explain how I view our new regulation governing the risk management practices of swap dealers and major swap participants.
Cybersecurity
The first risk is one that you all know only too well because it’s been in the news basically non-stop for months: cybersecurity. As you all know, trading is effectively entirely electronic. Most orders occur electronically, and even when two traders are booking a deal over the phone, it is being logged and finalized via electronic communications. The result is that financial actors have become storehouses for massive amounts of data, much of it incredibly sensitive. From information about trading strategies to client’s social security numbers, the damage that could be done via a major cyberattack on an exchange, clearinghouse, Swap Execution Facility (SEF), or systemically important financial institution is almost incalculable.
Before going further, it’s worth defining the world of cybersecurity threats. At base, there are really two kinds: thieves and vandals. Thieves are simply trying to make money via sensitive information, either by trading off of it or selling it to others. While their methods seem to be getting more sophisticated, this kind of cyberthreat isn’t new. Vandals, on the other hand, are simply trying to damage a system to cause pain, such as leaking information to try and change a corporate policy or by debilitating an information system with the aim of causing a market crash. This threat, which appears to now come from both private persons and even hostile governments, isn’t something we’re really accustomed to dealing with.
All major financial actors need to be ready to deal with both thieves and vandals. That means they need to have absolute top of the line cybersecurity that guards against destructive attacks as well as the theft of data, and they need to be constantly trying to improve on that level. Cybercrime is not static – thieves and vandals are constantly innovating. Therefore, our defenses need to be dynamic. That means resources need to be allocated, year in and year out, to updating defenses and crafting new strategies to prevent the loss of key data.
It also means that, in this instance, standardization is not necessarily our friend. If we at the CFTC establish one simple standard of data security and get everybody else to follow it, that just means we’ve created a blueprint for all our registrants to be hacked. While we need some baseline protections, we need to rely on each member of the industry to craft unique, sufficiently strong cybersecurity regimes. In that regard, we need a two-tiered structure, one that establishes a clear floor for everyone to obey and then mandates that each company add on additional protections, with the largest firms and those with the greatest risk having the most additional security protections. In the case of the largest firms, that probably requires hiring a dedicated team of people with extensive coding and hacking expertise to address innovations in cyber threats and a chief of information security who reports directly to the CEO or the board.
While the threats may be the greatest for the largest firms, this is not an issue that smaller firms can avoid addressing. While a small futures commodity merchant or swap trader might not think of themselves as a target, thieves obviously won’t go after just the biggest fish; they’ll try to infiltrate the systems of smaller firms too. And they will do so in the form of a virus, worm, or “phishing.” And vandals, especially if they’re employed by a foreign government, could go after a smaller firm as part of a broader attack on our financial system. We’re collectively only as strong as our weakest link, and so we need a high baseline level of protection for everyone, and we need to make sure that all registrants have crafted an effective cybersecurity plan.
I have some concerns that we’re not there yet in the financial industry. I found the Sony hack experience especially disturbing partly because that company’s information systems, while flawed, were not shockingly weak. The company had an information security czar from 2011 through 2014 who had been Deputy Undersecretary of Homeland Security.1 It also had already taken steps to improve its data security after a hack in 2011. If, despite that, Sony was this vulnerable, I worry that some financial actors who have far fewer protections may not be sufficiently protected from cyberthreats at present.
In the same regard, I worry that our registrants won’t inform us of a hack the moment it occurs. There’s nothing you can do during a cyberattack that is more important than to inform your regulators, particularly if the attack is coming from a foreign government. And not knowing the source of the attack, which often takes days or weeks to identify, makes prompt notification even more important. By delaying that notification, you increase the risk that the attack has catastrophic consequences for your firm and the rest of the system.
At the end of the day, regulators and the industry are allied in the fight to prevent and mitigate cyberattacks. We have to be working together. Because this threat is constantly changing and new entities are continually developing new strategies, we all need to adopt a stance of constant improvement. No security system, firewall, or protocol will ever be flawless for very long. Instead, the moment you release a new protection into the system, you need to start developing its replacement, just as software companies do. The Commission and other regulators are not exempt from this commitment – we also need to be trying to come up with the next security regulation within minutes of finalizing the last one. The Commission recently held a public roundtable where we received input from registered entities, market participants and organizations, and other government agencies that have developed best practices and standards for cybersecurity. The discussion focused on the need to test system safeguards, risk assessment practices, vulnerability and business continuity, and disaster recovery. While I think we can make great strides to reduce our exposure to cyberattacks in a very short time frame of years or even months, this is not a problem we can ever cure, and I encourage you to approach these cybersecurity risks through that prism.
Technology
My second risk trend is also technology related – specifically, it’s the trend of technology breaking. As I said earlier, the markets have become almost completely electronic. Many of the technologies that comprise commerce are easily understood, such as e-mail, virtual private networks, and databases. Much of the trading technology itself is more esoteric, such as client-matching software within networks, software that interfaces between two exchanges, SEFs, and even high-frequency trading algorithms. Now, none of these innovations is inherently bad – many of them are logical extensions of previous technologies like client-matching software. Yet, as finance has become an industry that is really housed in cyberspace, there is a risk that these new technologies may not fully be understood by the people who are using them, particularly with regard to high frequency trading.2 This isn’t a hypothetical fear – there have been numerous examples of algorithms in particular malfunctioning in both the equities and futures markets, including during the 2010 Flash Crash, 3 and the majority of these events appear to have been accidents. I am grateful that, so far, there has not been a notable example of a massive technological failure affecting clearinghouses.
But this is not a risk that is going away. Instead, I am concerned that similar events will continue unless there is a countervailing pressure to encourage companies to better quality control and monitor their algorithms. I am not saying that this is grounds for the CFTC or other regulators to specifically approve the use of new technologies as we used to approve products for sale on futures exchanges. I do think entities that are using, for instance, high frequency trading algorithms in the futures market should at least be required to inform the CFTC that they are using those technologies, just as other registrants often inform the CFTC if they are implementing major new technological changes.
Doing so will help ensure that industry participants fully understand the tools that they are using to trade. The existence of that kind of disclosure would also make it easier for us to unwind similar malfunctions in the market and make it easier for us to see who is trying to use algorithms to manipulate the markets.
For now, though, I primarily want to encourage you to consider the dangers that your technologies could fail or malfunction to be part of your overall risk management. That includes getting a fulsome grounding in how the technology works and getting the input of your technical experts on the flaws in your present technology. Hopefully, you are already doing this, and if you are, I congratulate you. If you are not, engaging in this kind of risk analysis will allow you to better anticipate a major risk and, hopefully, allow you to fix or replace any risky technology before it causes a major problem, rather than after a system has failed.
Culture
The third risk trend is something that has received a lot of attention in finance recently: culture. As a Commissioner at the CFTC, I’ve seen a significant number of settlements and alleged violations of our laws and regulations in just the last nine months. Too many times, these settlements and alleged violations are coming from large actors who have previously run afoul of the rules, endangering the reputation of those actors and the trust that undergirds the larger financial system. In fact, in one 2011 poll, 67% of Americans said that most people on Wall Street would be willing to break the law if they believed they could make a lot of money and get away with it. While that number should be surprising, what’s even more shocking is that even in 1999, at the peak of the dot-com bubble, 60% of Americans took the same view.4 We have a culture problem in finance, full stop, and it’s getting to the point of endangering firm’s profits and our system’s sustainability and stability.
I agree that we need to improve the culture in finance, but it’s not just that we need to disincentivize people from going against the rules. I think we also need to improve the culture of communication within financial firms. In a world as complex and convoluted as finance, it is easy to make mistakes. Maybe an analyst fails to consider a particular possibility while developing a model. Perhaps a coder makes a mistake while designing an algorithm and accidentally includes a line of code that will cause the algorithm to put in a sell order in natural gas at 1000 times the usual size given a rare move in the price. Or someone analyzing a potential purchase could overlook a key appendix.
The point is mistakes happen. Culture is how those mistakes get addressed. Every company needs to make it easy to fix or mitigate those mistakes, and that requires a culture where information about mistakes easily travels from the bottom to the top and vice versa. I’ve seen numerous examples where a person at a desk learns about a problem and, rather than report it to his superiors, sits on the information. As a result, the problem is often not fully fixed and the entire company pays a price. By the same token, messages from the top need to filter down to the bottom that following the rules is not negotiable or something to do when they make economic sense. Too often, it seems that message has been insufficiently strong in some large firms to make it all the way down to the rank and file. The average business school graduate will change jobs many times during her career. That means that this message must constantly and consistently become part of the DNA of the organization.
One thing I learned in my career is that when something is the responsibility of everybody on a team, too often nobody actually focuses on it. The same is true of culture. If there isn’t a dedicated person in the company trying to improve the culture – both through communication and making it clear that the rules need to be constantly followed – the culture won’t broadly improve.
Each organization should have codes of conduct, rules of ethics, and conflicts of interest that are clear. And a mandatory condition of continued employment for each employee should be that he annually certifies that he has abided by such standards. Failure to adhere to this standard, absent significant extenuating circumstances, should result in termination of employment.
Each supervisor and division head should also be responsible for ensuring that those who report to them have received sufficient training, have fully understood the rules, and will abide by those rules. Those supervisors and division heads must then provide written certifications to that effect to senior management. On the basis of those documents, the CEO should provide certifications to that effect to the Board of Directors, shareholders, and regulators.
If, subsequently, it emerges that ethical problems continued in significant fashion or major problems were not relayed up or down the chain, the designated certifier could face sanction. If a company has a number of violations, the sanctions for future violations would inherently have to be more severe to discourage recidivism, and it is possible that more than one person at the company among senior management would also be on the hook.
The CFTC is mandated by Dodd-Frank to release binding rules on governance, and I will endeavor to ensure that those rules are strong. In the meantime, I would encourage all of you to do what you can both to assess your risks of having a bad culture and to improve your organization’s culture as fast as you can. Unlike cybersecurity, this is a problem that can be solved by each individual firm.
Lack of Regulatory Clarity
The fourth risk trend is something that I am uniquely positioned to both discuss and talk about: a lack of regulatory clarity. This is a topic that is typically talked about in the context of the risk that regulators will change previously finalized rules without giving sufficient notice to industry. Yet, it also applies to situation where rules required by Congress remain unfinished for long periods of time and therefore in a state of flux. Additionally, it also applies to situations where a regulator relies too much on issuing guidance and no-actions letters for previously finalized rules. I believe that, as much as possible, we should change our regulations via the ordinary process of notice and comment and resist the temptation to craft a regulatory regime primarily through no-action letters.
While the CFTC has largely completed its required Dodd-Frank rulemakings, we still have a few rules left on the docket, including margin, governance and position limits. It is my sincere belief that we can finalize all three this year. I see no reason why these rules need to remain in flux when the calendar turns over to 2016, and I think failing to finalize them this year will exacerbate uncertainty that harms both industry and the overall market.
Risk Management Policies
Regulatory clarity also requires that the industry understand what regulators meant when they released particular rules. With that goal in mind, I wanted to give you my thoughts on a final rule the CFTC released a few years ago: our regulation requiring risk management programs for swap dealers and major swap participants, known as Section 23.600. Now, I suspect you’re all experts on this rule, so you know that this rule states that each swap dealer and major swap participant needs to establish and enforce a system of risk management policies associated with its swaps activities.5 This written policy needs to be approved by the governing body of the swap dealer or major swap participant and it has to be provided to the Commission.6 The swap dealer or MSP also has to establish and maintain an independent risk management unit that will carry out the risk management program and it has to report directly to senior management.7 The program has to cover, among other things, a number of risk categories: market risks, credit risks, legal risks, and, of course, operational risk.8 The program also must include a policy for identifying and taking into account the risks of new products before they are used in transactions.9
1. List of Risks Not All-Inclusive
As I’m sure you all have been told by your legal advisers or have seen first-hand, this is a dense regulation. There are a few points I want to flag though. First, the list of risks that risk management programs have to consider is not all-inclusive. It explicitly states that the risk management program of each swap dealer and major swap participant, and I quote, “shall include, but not be limited to” several categories of risk, such as market risk, credit risk, operational risk, et cetera.10 This is not a check-the-box exercise. Instead, that means we have stated the risks that you absolutely must include but you should not regard your risk management plan as complete if you only deal with the risk categories listed explicitly. For instance, I think any risk management plan should probably include at least one other category: systemic risk, which may be regarded as the risk of your products to financial crises and major geopolitical disruptions, among other things. While I wish we’d explicitly included systemic risk in the regulation, I believe it is required given the goals and text of the regulation.
2. Risk Categories Not All-Inclusive
Second, the risk categories themselves are similarly not all-inclusive. In the case of each category, the rule states that programs and policies to address a specific risk shall include two or three explicit risks, quote, “among other things.”11 In the case of operational risk, we explicitly stated that a risk management program has to take into account secure, reliable, and independent operating systems, safeguards against deficiencies in operation and information systems, and reconciliation of all data in operating systems. Yet, I think these three topics only begin to scratch at the surface of operational risk. As I’ve already said, another operational risk that needs to be considered is the danger of inadequate training or communication failures within the organization. I would specifically urge you not to think, by addressing the three explicit operational risks, that you have sufficiently considered the operational risks to your organization. Instead, I recommend that you use these three explicit operational risks as a starting point to help you to identify additional operational risks that do not fall within these three topics.
On the subject of the safeguards referenced in the operational risks to consider, I want to make one additional point. The rule requires your risk management plans to take into account, quote, “safeguards to detect, identify, and promptly correct deficiencies in operating and information systems.”12 I do not think that this requirement can be satisfied with either a list of principles that staff will use to address deficiencies or a listing of the technology you have in place. Instead, you can only address this list with both. You need to lay out the specific technology that you use to find and fix these problems and how staff will use these systems. Only with that kind of information will it be clear to both your employees and the Commission how these technological deficiencies will be addressed.
3. Senior Management Involvement
Third, on the subject of senior management, it is not enough to simply show the plan to the governing body and have them unthinkingly sign it. The regulation is designed to create risk management programs that are really substantively considered by the senior management of a swap dealer or major swap participant. That is why we made sure that the implementation and enforcement of the risk management plan is to be carried out by an independent unit that has direct access to senior management. Senior management therefore needs to really consider and engage with the process of creating and updating the risk management plan. At the end of the day, senior management needs to have a vested interest in the success and usefulness of the risk management program, and I hope that we can make this point more clear when we finalize our governance rules.
4. Independent
Fourth, the risk management unit needs to truly be independent. Ideally, each risk management program would have a majority of people in it who, when they arrive at the risk management unit, have no prior work experience in the company. That kind of distance from the company will help ensure that the unit looks at issues with fresh eyes and reduce the risk that the risk management unit simply ratifies prior analyses without really considering the costs and benefits of doing so. Of course, there is no numerical requirement that you have a majority of “new” employees in the unit. I would however, at least urge you to hire some people without company experience to serve in the unit. Not only does hiring such people make it more clear that the unit is truly independent to us, but it also helps ensure that you are getting unbiased analysis from the unit. Additionally, allowing the unit to truly be independent should help with the implementation of policies to encourage employees to report violations of the risk management plan to senior management, a requirement under subsection c(7) of the regulation.13
Finally, these plans should be dynamic. While I’m not saying that you should create a new risk management plan each year from scratch, I would encourage you to seriously rethink everything about your overall risk management plans with some frequency. This includes doing aggressive testing to see that the rest of the organization is carrying out the plan and that your technological safeguards and firewalls continue to be able to withstand new threats. This may seem like a tall request, but the truth is that the world itself is dynamic and change is constant. These plans are fundamentally designed to protect you and your clients, as well as the market and the general public, and you’ll be better off if you’re aggressively trying to catch all the notable risks that your business faces. After all, in finance especially, an ounce of prevention is better than a pound of cure.
Operational Risk Critically Important to Finance
Well, I think I’ve now exhausted everyone’s patience on the subject of Section 23.600. Before concluding, I want to return to what I said at the beginning of this speech – I think operational risk is a critically important part of finance. It’s by considering operational risk in advance that a smart company is able to be flexible in a tough market or weather a storm. Ultimately, the future of our industry is an unknown commodity and regulators and investors all have to be ready. And while there will always be black swan events that do come out of nowhere, the more companies take into account as many of their real risks as is possible, the better each individual company and our financial system generally will be able to withstand unforeseen events.
Conclusion
In that regard, I’m focused on these issues because they are important to me as a regulator, as someone experienced in the financial sector, and as a member of the public. As a regulator, I believe that our confidence in the financial system depends on its ability to withstand future potential financial crises, and that means major financial actors need to fully implement requirements regarding risk management programs. As someone experienced in the financial sector, I believe that our confidence in the financial system depends on its ability to properly function, and that requires sufficient protections in place in financial entities against hacking and cyberattacks. And as a member of the public, I believe that our confidence in the financial system depends on the public trusting that the financial laws and regulations are being followed, and that means changing the culture at major financial institutions so that there are far fewer violations of our laws and regulations. Thank you, and I welcome your questions.
1 Elizabeth Weise, “Chief Information Security Officers Hard to Find – and Harder to Keep,” USA Today, Dec. 3, 2014, available at http://www.usatoday.com/story/tech/2014/12/02/sony-hack-attack-chief-information-security-officer-philip-reitinger/19776929/
2 Markets Media, “Futures Markets Warm to Algos,” Nov. 10, 2014, available at http://marketsmedia.com/futures-markets-embrace-algorithmic-trading/
3 Ronald D. Orol, “SEC, CFTC Blame Algorithm for ‘Flash Crash’,” MarketWatch, Oct. 1, 2010, available at http://www.marketwatch.com/story/sec-cftc-blame-algorithm-for-flash-crash-2010-10-01-1246290
4 The Harris Poll, “Massive 6-to-1 Majority Favors Tougher Regulation of Wall Street, “ May 20, 2011, available at http://www.harrisinteractive.com/vault/HI-Harris-Poll-Wall-Street-2011-05-20.pdf
5 Swap Dealer and Major Swap Participant Recordkeeping, Reporting, and Duties Rules; Futures Commission Merchant and Introducing Broker Conflicts of Interest Rules; and Chief Compliance Officer Rules for Swap Dealers, Major Swap Participants, and Futures Commission Merchants, 77 Fed. Reg. 20128, 20205 (Apr. 3, 2012) (adding 17 C.F.R. § 23.600), available at http://www.gpo.gov/fdsys/pkg/FR-2012-04-03/pdf/2012-5317.pdf
6 Id.
7 Id. at 20205-06
8 Id. at 20206-07
9 Id. at 20206
10 Id.
11 Id.
12 Id. at 20207
13 Id.
Last Updated: March 25, 2015
Posts
