June 5, 2023

CFTC Requests Comments on Changes to Risk Management Programs for Swap Dealers and Futures Commission Merchants

On June 1, 2023, the Commodity Futures Trading Commission (“CFTC”) issued an advance notice of proposed rulemaking that requests public comment about potential changes to the rules that govern swap dealer and futures commission merchant risk management programs.[1]  The advance notice does not propose amendments to required risk management programs at this time, but rather sets forth questions that are designed to inform the CFTC in advance of proposing modifications.  We provide the full list of the CFTC’s questions in Appendix A.  The public can submit comments for up to 60 days after the advance notice is published in the Federal Register.  Accordingly, we project that comments will be due sometime in August 2023.  The expectation is that the CFTC will consider these public comments in a future proposed rulemaking on this topic.

The CFTC issued this advance notice in order to begin to address a number of concerns.  First, the CFTC seeks to provide swap dealers and futures commission merchants (“FCMs”) with further direction concerning the applicability of the risk management rules, given the apparent confusion among firms about what constitutes compliance.  Second, the CFTC seeks to improve the usefulness of firms’ quarterly risk exposure reports.  The CFTC has observed inconsistencies and inefficiencies in the processes through which firms submit the reports, which has diminished their value to the CFTC.  Finally, the advance notice indicates that the CFTC believes that the risk management program rules should be updated to reflect technological and product developments that have occurred since these rules were first promulgated in 2012.

The advance notice requests public comment related to five different aspects of the risk management programs of swap dealers and FCMs.  For each of those topics, we provide a brief background of the existing rules and a summary of the CFTC’s related questions.

  1. Risk Management Program Governance

CFTC rules currently require swap dealers and FCMs to develop a risk management program and memorialize the program in written policies and procedures.[2]  In addition, swap dealers and FCMs must create a risk management unit that is independent of the firm’s business unit and is tasked with implementing the firm’s risk management program.  The risk management unit must report to the firm’s senior management, and the firm’s governing body must approve the written procedures.

The advance notice seeks comment on the structure of the risk management program and the related governance requirements.  Commenters are asked to provide feedback on the current definitions of the terms “governing body” and “senior management.”  Separately, the CFTC seeks feedback on imposing qualification standards for risk management unit personnel, and on providing clarification as to the degree of independence that the risk management function must have from the business.  The CFTC also asks whether the rules should address reporting lines within a firm’s risk management unit.  Commenters are also asked to identify any other regulatory regimes that the CFTC should consider in an effort to harmonize its risk management rules with similar regulations that may be imposed on swap dealers and FCMs in other jurisdictions.

  2. Enumerated Risks

The CFTC’s current rules enumerate categories of risks that a firm’s risk management program must address.  Although the rules for swap dealers and FCMs are not identical, each addresses some of the same categories of risks, specifically:  market risk, credit risk, liquidity risk, foreign currency risk, legal risk, operational risk, and settlement risk.  In addition, FCMs must consider segregation risk, technological risk, and capital risk.  An FCM and swap dealer must address enumerated risks through the firm’s risk management program.  However, the swap dealer rules require a firm’s policies and procedures to address specific considerations for each category of risk, whereas the FCM rules require policies and procedures to address only segregation, operational, and capital risks.

The advance notice asks whether the CFTC should add definitions for each of the current enumerated risks, and if so, whether the definitions should be harmonized among swap dealer and FCM requirements, and with requirements of other regulators.  The CFTC also asks whether FCMs should be required to create policies and procedures that specifically address each of the enumerated risks, as opposed to only addressing segregation, operational, and capital risks.  Separately, the CFTC asks whether swap dealers should need to consider technological risk, and if so, how that risk should be incorporated into the rules.  Relatedly, commenters are asked whether the CFTC should consider enumerating any other types of risks—such as geopolitical risk and climate-related financial risk, to name a few.  The CFTC also seeks comment on technical aspects of the rules that currently require swap dealers to address market and credit risk.

  3. Periodic Risk Exposure Reporting

Current CFTC rules require swap dealers and FCMs to provide their senior management and governing bodies with risk exposure reports that contain specific information about the firm’s risk exposure and the state of its risk management program.  Firms must provide the risk exposure reports on a quarterly basis, as well as in the event of any material change to the firm’s risk exposure.  After a firm provides a risk exposure report to its leadership, it must also furnish a copy to the CFTC within five business days.

In the advance notice, commenters are asked whether the CFTC should amend the rules addressing the content, timing, and format of the risk exposure reports.  The CFTC asks whether risk exposure reports should contain information related to known issues with risk management controls, breaches of risk tolerance limits, and/or material violations of risk management policies or procedures.  The CFTC also asks whether the content of risk exposure reports should be harmonized with the National Futures Association’s monthly swap dealer risk data filings.  Commenters are asked to provide feedback on the frequency with which risk exposure reports should be submitted to the CFTC, and whether the CFTC should prescribe format requirements.  Commenters are also asked whether risk exposure reports should be reported at the registrant level or the enterprise level.  The CFTC also asks whether it should prescribe a standard for determining if a firm has experienced a material change in risk exposure, and what the timeline should be for a firm to notify its leadership and the CFTC of the material change.

  4. Segregation of Customer Funds and Safeguarding Counterparty Collateral

The CFTC’s current rules address the management of segregation risk and the safeguarding of counterparty collateral.  An FCM is required to have written policies and procedures in its risk management program to ensure segregation of customer funds.  A swap dealer is not explicitly required to include written policies and procedures in its risk management program to safeguard counterparty collateral, although other CFTC rules require swap dealers to establish a framework to segregate uncleared swap collateral where the counterparty elects segregation.

In the advance notice, commenters are asked whether the current FCM rules adequately address the risks associated with segregation of customer funds, and whether the current swap dealer rules adequately address the risks associated with handling counterparty collateral.  The CFTC also asks whether the current rules adequately address risks to customer funds or counterparty collateral that may be associated with swap dealers and FCMs that have multiple business lines and registrations.  The CFTC also asks whether the current rules adequately address FCMs’ handling of digital assets, and whether the CFTC should consider further rules to address swap dealer or FCM involvement in digital asset financial services, such as digital asset lending.

  5. Potential Risks Posed by Affiliates, Lines of Business, and All Other Trading Activity

Current CFTC rules require a swap dealer’s risk management program to take into account risks posed by affiliates.  Similarly, an FCM’s risk management program must consider risks posed by affiliates, all business lines, and all other trading activity of the FCM.  Some swap dealers and FCMs are subject to regulatory requirements designed to mitigate certain affiliate risks.  For example, swap dealers and FCMs that are affiliates or subsidiaries of a banking entity may have to comply with certain restrictions and requirements on inter-affiliate activities.  In addition, swap dealers and FCMs that are subject to the Volcker Rule are subject to additional risk management and compliance requirements.

Commenters are asked to describe the risks that affiliates pose to swap dealers and FCMs—including, for example, risks from trading in physical commodity markets or digital asset markets—and whether such risks are adequately addressed by the CFTC’s current rules or the rules of other regulators and regimes.  Relatedly, the CFTC seeks comment on whether it should expand risk management program requirements to address affiliate risks, and if so, whether this should be a separate enumerated risk.

  6. Conclusion

The advance notice presents an opportunity to shape the future of the CFTC’s regulatory regime with respect to risk management programs.  Registrants should carefully consider the benefits and burdens of potentially more prescriptive rules.  Because different categories of registrants incur materially different risks and conduct varied business activities, any potential new rules should provide registrants with sufficient flexibility to manage the different risks associated with their particular business activities.  Comments will likely be due in August, so firms would be well-served by beginning to consider the CFTC’s questions and their responses now.  Please feel free to contact any of the authors, the team listed at the end of this client alert, or the Willkie attorney with whom you regularly work.

 

Appendix A:

Full List of Questions from the CFTC’s Advance Notice of Proposed Rulemaking

Risk Management Program Governance

The Commission seeks comment generally on the risk management program structure and related governance requirements currently found in the risk management program regulations for swap dealers and FCMs. In addition, commenters should seek to address the following questions:

  1. Do the definitions of “governing body” in the risk management program regulations encompass the variety of business structures and entities used by swap dealers and FCMs?
  2. Should the Commission consider expanding the definition of “governing body” in Regulation 23.600(a)(4) to include other officers in addition to a swap dealer’s CEO, or other bodies other than a swap dealer’s board of directors (or body performing a similar function)?
  3. Are there any other amendments to the “governing body” definition in Regulation 23.600(a)(4) that the Commission should consider?
  4. Should similar amendments be considered for the “governing body” definition applicable to FCMs in Regulation 1.11(b)(3)?
  5. Should the Commission consider amending the definitions of “senior management” in the risk management program regulations? Are there specific roles or functions within a swap dealer or FCM that the Commission should consider including in the risk management program regulations’ “senior management” definitions?
  6. Should the risk management program regulations specifically address or discuss reporting lines within a swap dealer’s or FCM’s risk management unit?
  7. Should the Commission propose and adopt standards for the qualifications[3] of certain risk management unit personnel (e.g., model validators)?[4]
  8. Should the risk management program regulations further clarify risk management unit independence and/or freedom from undue influence, other than the existing general requirement that the risk management unit be independent of the business unit or business trading unit?[5]
  9. Are there other regulatory regimes the Commission should consider in a holistic review of the risk management program regulations? For instance, should the Commission consider harmonizing the risk management program regulations with the risk management regimes of prudential regulators?[6]
  10. Are there other portions of the risk management program regulations concerning governance that are not addressed above that the Commission should consider changing? Please explain.

 

Enumerated Risks in the Risk Management Program Regulations

The Commission requests comment on swap dealers’ and FCMs’ enumerated risks generally, including: (a) whether specific risk considerations that must be taken into account with respect to certain enumerated risks should be amended; (b) whether definitions should be added for each enumerated risk; and finally, (c) whether the Commission should enumerate and define any additional types of risk in the risk management program regulations. In particular:

  1. Should the Commission amend Regulation 1.11(e)(3) to require that FCMs’ risk management programs include, but not be limited to, policies and procedures necessary to monitor and manage all of the enumerated risks identified in Regulation 1.11(e)(1) that an FCM’s risk management program is required to take into account, not just segregation, operational, or capital risk (i.e., market risk, credit risk, liquidity risk, foreign currency risk, legal risk, settlement risk, and technological risk)? If so, should the Commission adopt specific risk management considerations for each enumerated risk, similar to those described in Regulation 23.600(c)(4)?
  2. Regulation 23.600(c)(4)(i) requires swap dealers to establish policies and procedures necessary to monitor and manage market risk.[7] These policies and procedures must consider, among other things, “timely and reliable valuation data derived from, or verified by, sources that are independent of the business trading unit, and if derived from pricing models, that the models have been independently validated by qualified, independent external or internal persons.”[8]
  3. Does this validation requirement in Regulation 23.600(c)(4)(i)(B) warrant clarification?
  4. Should validation, as it is currently required in Regulation 23.600(c)(4)(i)(B), align more closely with the validation of margin models discussed in Regulation 23.154(b)(5)?[9]
  5. The policies and procedures mandated by Regulations 23.600(c)(4)(i) and (ii) to monitor and manage market risk and credit risk must take into account, among other considerations, “daily measurement of market exposure, including exposure due to unique product characteristics [and] volatility of prices,” and “daily measurement of overall credit exposure to comply with counterparty credit limits.”[10] To manage their risk exposures, swap dealers employ various financial risk management tools, including the exchange of initial margin for uncleared swaps. In that regard, the Commission has set forth minimum initial margin requirements for uncleared swaps,[11] which can be calculated using either a standardized table or a proprietary risk-based model.[12]  A swap dealer’s risk exposures to certain products and underlying asset classes may, however, warrant the collection and posting of initial margin above the minimum regulatory requirements set forth in the standardized table. Should the Commission expand the specific risk management considerations listed in Regulations 23.600(c)(4)(i)-(ii) to add that a swap dealer’s risk management program policies and procedures designed to manage market risk and/or credit risk must also take into account whether the collection or posting of initial margin above the minimum regulatory requirements set forth in the standardized table is warranted?
  6. The risk management program regulations enumerate, but do not define, the specific risks that swap dealers’ and FCMs’ risk management programs must take into account. Should the Commission consider adding definitions for any or all of these enumerated risks? If so, should the enumerated risk definitions be identical for both swap dealers and FCMs?
  7. The Federal Reserve and Basel III define “operational risk” as “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.”[13] Would adding a definition of “operational risk” to the risk management program regulations that is closely aligned with this definition increase clarity and/or efficiencies for swap dealer and FCM risk management practices, or otherwise be helpful? Should the Commission consider identifying specific sub-types of operational risk for purposes of the swap dealer and FCM risk management program requirements?
  8. Technological risk is identified in Regulation 1.11(e)(1)(i) as a type of risk that an FCM’s risk management program must take into account; however, technological risk is not similarly included in Regulation 23.600(c)(1)(i) as an enumerated risk that a swap dealer’s risk management program must address. Should the Commission amend Regulation 23.600(c)(1)(i) to add technological risk as a type of risk that swap dealers’ risk management programs must take into account?
  9. Should technological risk, if added for swap dealers, be identified as a specific risk consideration within operational risk, as described by Regulation 23.600(c)(4)(vi), or should it be a standalone, independently enumerated area of risk?
  10. If technological risk is added as its own enumerated area of risk, what risk considerations should a swap dealer’s risk management program policies and procedures address, as required by Regulation 23.600(c)(4)?
  11. Relatedly, although technological risk is included in the various types of risk that an FCM’s risk management program must take into account, no specific risk considerations for technological risk are further outlined in Regulation 1.11(e)(3).[14] What, if any, specific risk considerations for technological risk should be added to Regulation 1.11(e)(3)?  Should the Commission categorize any additional specific risk considerations for technological risk as a subset of the existing “operational risk” considerations in Regulation 1.11(e)(3)(ii), or should “technological risk” have its own independent category of specific risk considerations in Regulation 1.11(e)(3)?
  12. Should the Commission define “technological risk” in the risk management program regulations? For example, Canada’s Office of the Superintendent of Financial Institutions (“OSFI”) defines “technology risk” as “the risk arising from the inadequacy, disruption, destruction, failure, damage from unauthorized access, modifications, or malicious use of information technology assets, people or processes that enable and support business needs and can result in financial loss and/or reputational damage.”[15] If the Commission were to add a definition of “technological risk” to the risk management program regulations, should it be identical or similar to that recently finalized by OSFI?[16]  If not, how should it otherwise be defined? Should the Commission consider different definitions of “technological risk” for swap dealers and FCMs? Should the Commission consider providing examples of “information technology assets” to incorporate risks that may arise from the use of certain emerging technologies, such as artificial intelligence and machine learning technology, distributed ledger technologies (e.g., blockchains), digital asset and smart contract-related applications, and algorithmic and other model-based technology applications?
  13. Are there any other types of risk that the Commission should consider enumerating in the risk management program regulations as risks required to be monitored and managed by swap dealers’ and FCMs’ risk management programs? Geopolitical risk? Environmental, social and governance (“ESG”) risk? Climate-related financial risk, including physical risk and transition risk such as the energy transition? Reputational risk? Funding risk? Collateral risk? Concentration risk? Model risk? Cybersecurity risk? Regulatory and compliance risk arising from conduct in foreign jurisdictions? Contagion risk?
  14. Should these potential new risks be defined in the risk management program regulations?
  15. With respect to each newly suggested enumerated risk, what, if any, specific risk considerations should a swap dealer’s or FCM’s risk management program policies and procedures be required to include?
  16. Are there international standards for risk management with which the Commission should consider aligning the risk management program regulations?

 

Periodic Risk Exposure Reporting by Swap Dealers and Futures Commission Merchants

This Notice seeks comment generally on how the current risk exposure report regime for swap dealers and FCMs could be improved, as well as specific responses to the questions listed below:

  1. At what frequency should the Commission require swap dealers and FCMs to furnish copies of their risk exposure reports to the Commission?
  2. Should the Commission consider changing the risk exposure report filing requirements to require filing with the Commission by a certain day (e.g., a week, month, or other specific timeframe after the quarter-end), rather than tying the filing requirement to when the risk exposure report is furnished to senior management?
  3. Should the Commission consider harmonizing or aligning, in whole or in part, the risk exposure report content requirements in the risk management program regulations with those of the National Futures Association (“NFA”)’s swap dealer monthly risk data filings?[17]
  4. If so, should the Commission consider any changes or additions to the data metrics currently collected by NFA as could be required in the risk management program regulations?
  5. For FCMs who are not currently required to file monthly risk data filings with NFA, were the Commission to adopt a monthly risk exposure reporting requirement, are there different risk data metrics for FCMs that it should consider including? If so, what are they?
  6. Are there additional swap dealer or FCM-specific data metrics or risk management issues that the Commission should consider adding to the content requirements of the risk exposure report?
  7. Should the Commission consider prescribing the format of the risk exposure reports? For instance, should the Commission consider requiring the risk exposure report to be a template or form that swap dealers and FCMs fill out?
  8. In furtherance of the risk exposure report filing requirement, should the Commission consider allowing swap dealers and FCMs to furnish to the Commission the internal risk reporting they already create, maintain, and/or use for their risk management program?
  9. If so, how often should these reports be required to be filed with the Commission?
  10. If the Commission allowed a swap dealer or FCM to provide the Commission with its own risk reporting, should the Commission prescribe certain minimum content and/or format requirements?
  11. Should the Commission consider prescribing the standard swap dealers and FCMs use when determining whether they have experienced a material change in risk exposure, pursuant to Regulations 23.600(c)(2)(i) and 1.11(e)(2)(i)? Alternatively, should the Commission continue to allow swap dealers and FCMs to use their own internally-developed standards for determining when such a material change in risk exposure has occurred?
  12. Should the Commission clarify the requirements in Regulations 23.600(c)(2)(i) and 1.11(e)(2)(i) that risk exposure reports “shall be provided to the senior management and the governing body immediately upon detection of any material change in the risk exposure” of the swap dealer or FCM?
  13. Should the Commission consider setting a deadline for when a swap dealer or FCM must notify the Commission of any material changes in risk exposure? If so, what should be the deadline?
  14. Should the Commission consider additional governance requirements in connection with the provision of the quarterly risk exposure report to the senior management and the governing body of a swap dealer, or of an FCM, respectively?
  15. Should the Commission require the risk exposure reports to report on risk at the registrant level, the enterprise level (in cases where the registrant is a subsidiary of, affiliated with, or guaranteed by a corporate family), or both? What data metrics are relevant for each level?
  16. Should the Commission require that risk exposure reports contain information related to any breach of risk tolerance limits described in Regulations 23.600(c)(1)(i) and 1.11(e)(1)(i)? Alternatively, should the Commission require prompt notice, outside of the risk exposure report requirement, of any breaches of the risk tolerance limits that were approved by a swap dealer’s or FCM’s senior management and governing body? Should there be a materiality standard for inclusion of breaches in risk exposure reports or requiring notice to the Commission?
  17. Should the Commission require that risk exposure reports contain information related to material violations of the risk management program policies or procedures required in Regulations 23.600(b)(1) and 1.11(c)(1)?
  18. Should the Commission require that risk exposure reports additionally discuss any known issues, defects, or gaps in the risk management controls that swap dealers and FCMs employ to monitor and manage the specific risk considerations under Regulations 23.600(c)(4) and 1.11(e)(3), as well as including a discussion of their progress toward mitigation and remediation?

 

Potential Risks Related to the Segregation of Customer Funds and Safeguarding Counterparty Collateral

The Commission seeks comment generally on the risks attendant to the segregation of customer funds and the safeguarding of counterparty collateral. In addition, commenters should seek to address the following questions:

  1. Do the current risk management program regulations for FCMs adequately and comprehensively require them to identify, monitor, and manage the risks associated with the segregation of customer funds and the protection of customer property? Are there other Commission regulations that address these risks for FCMs?
  2. Currently, the Commission understands that no FCM holds customer property in the form of virtual currencies or other digital assets such as stablecoins. To the extent that FCMs may consider engaging in this activity in the future, would the current risk management program regulations for FCMs adequately and comprehensively require them to identify, monitor, and manage the risks associated with that activity, including custody with a third-party entity?
  3. Do the current risk management program regulations for swap dealers adequately and comprehensively require them to identify, monitor, and manage all of the risks associated with the collection, posting, and custody of counterparty collateral and the protection of such assets? Are there any other risks that should be addressed by the risk management program regulations for swap dealers related to the collection, posting, and custody of counterparty collateral?
  4. Do the Commission’s risk management program regulations adequately address risks to customer funds or counterparty collateral that may be associated with swap dealers and FCMs that have multiple business lines and registrations? Although the Commission understands that swap dealers and FCMs currently engage in limited activities with respect to digital assets, should the Commission consider additional risk management program requirements applicable to swap dealers and FCMs that are or may become involved in, or affiliated with, the provision of digital asset financial services or products (e.g., digital asset lending arrangements or derivatives)?

 

Potential Risks Posed by Affiliates, Lines of Business, and All Other Trading Activity

The Commission seeks comment generally on the requirements related to risks posed by affiliates and related trading activity found within the risk management program regulations for swap dealers and FCMs, including non-bank affiliated swap dealers or non-bank affiliated FCMs. In addition, commenters should seek to address the following questions:

  1. What risks do affiliates (including, but not limited to, parents and subsidiaries) pose to swap dealers and FCMs? Are there risks posed by an affiliate trading in physical commodity markets, trading in digital asset markets, or relying on affiliated parties to meet regulatory requirements or obligations? Are there contagion risks posed by the credit exposures of affiliates? Are there risks posed by other lines of business of a swap dealer, or of an FCM, respectively, that are not adequately or comprehensively addressed by the Commission’s regulations, including, as applicable, the Volcker Rule regulations found in 17 CFR part 75?
  2. Do the current risk management program regulations adequately and comprehensively address the risks associated with the activities of affiliates (whether such affiliates are unregulated, less regulated, or subject to alternative regulatory regimes), or of other lines of business, of a swap dealer or of an FCM, respectively, that could affect swap dealer or FCM operations? Alternatively, to what extent are the risks posed by affiliates discussed in this section adequately addressed through other regulatory requirements (for example, the Volcker Rule or other prudential regulations, or applicable non-U.S. laws, regulations, or standards)?
  3. Should the Commission further expand on how swap dealer and FCM risk management programs should address risks posed by affiliates in the risk management program regulations, including any specific risks? Should the Commission consider enumerating any specific risks posed by affiliates or related trading activities within the risk management program regulations, either as a separate enumerated risk, or as a subset of an existing enumerated area of risk (e.g., operational risk, credit risk, etc.)?

 



[1]       Commodity Futures Trading Commission.  Risk Management Program Regulations for Swap Dealers, Major Swap Participants, and Futures Commission Merchants (June 1, 2023), available here.

[2]       The rules governing swap dealers are at 17 C.F.R. § 23.600.  The rules governing FCMs are at 17 C.F.R. § 1.11.

[3]       This could include, for example, prior risk management experience.

[4]       Regulations 23.600(b)(5) and 1.11(d) require swap dealers and FCMs to establish and maintain risk management units with “qualified personnel.” 17 CFR 23.600(b)(5); 17 CFR 1.11(d).

[5]       See 17 CFR 23.600(b)(5). This concept relates to the fact that a risk management unit may be wholly “independent” from the business unit or business trading unit in terms of physical location and reporting lines, but that does not necessarily equate to freedom from undue influence. For example, during model validation activities, a swap dealer’s business trading unit, whose staff created the model, may try to improperly influence the risk management unit’s model reviewer employees, who are undertaking an independent assessment of it.

[6]       See 7 U.S.C. 1a(39) (defining the term “prudential regulator”). Non-U.S. swap dealers may also be subject to prudential supervision by regulatory authorities in their home jurisdiction.

[7]       17 CFR 23.600(c)(4)(i).

[8]       17 CFR 23.600(c)(4)(i)(B).

[9]       17 CFR 23.154(b)(5) (outlining the process and requirements for the control, oversight, and validation mechanisms for initial margin models).

[10]     17 CFR 23.600(c)(4)(i)-(ii).

[11]     17 CFR 23.150-161. In adopting the margin requirements for uncleared swaps, the Commission noted that the initial margin amount required under the rules is a minimum requirement. See Margin Requirements for Uncleared Swaps for Swap Dealers and Major Swap Participants, 81 FR 636, 649 (Jan. 6, 2016). This is consistent with CEA section 4s(e), which directed the Commission to prescribe by rule or regulation minimum margin requirements for non-bank swap dealers. See 7 U.S.C. 6s(e)(2)(B).

[12]     17 CFR 23.154.

[13]     12 CFR 217.101(b); Basel Committee on Banking Supervision, “Calculation of RWA for Operational Risk” (Dec. 2019), available at https://www.bis.org/basel_framework/chapter/OPE/10.htm?inforce=20191215&published=20191215.

[14]     See 17 CFR 1.11(e)(1)(i); cf. 17 CFR 1.11(e)(3)(i)-(iii).

[15]     See OSFI Guideline B-13, Technology and Cyber Risk Management (July 2022), available at https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/b13.aspx.  The final Guideline B-13 will be effective as of January 1, 2024.

[16]     The prudential regulators and the Securities and Exchange Commission (“SEC”) have not yet proposed or adopted definitions of “technological risk.” Accordingly, Commission staff turned to non-U.S. financial regulators for potential definitions of this term. Canada’s OSFI recently finalized its definition of “technology risk,” following extensive engagement with industry and the public that included the September 2020 publication of its discussion paper and a consultation period from September to December 2020; the issuance of proposed guidance in November 2021; and further consultation on its proposed guidance from November 2021 to February 2022. See OSFI Releases New Guideline for Technology and Cyber Risk, Balancing Innovation with Risk Management (July 13, 2022), available at https://www.osfi-bsif.gc.ca/Eng/osfi-bsif/med/Pages/b13-nr.aspx.

[17]     Swap dealers must report certain metrics related to market and credit risk, including Value at Risk (VaR) for interest rates, credit, forex, equities, commodities, and total VaR; total stressed VaR; interest rate sensitivity by tenor bucket; credit spread sensitivity; forex market sensitivities; commodity market sensitivities; total swaps current exposure before collateral; total swaps current exposure net of collateral; total credit valuation adjustment or expected credit loss; and largest swaps counterparty current exposures. See NFA, Notice I-17-10: Monthly Risk Data Reporting Requirements for Swap Dealers (May 30, 2017), available at https://www.nfa.futures.org/news/newsNotice.asp?ArticleID=4817.