CFTC Issues Notice of Proposed Rulemaking in Connection with Risk Management Program Regulations for SDs, MSPs and FCMs

June 16, 2023

The Commodity Futures Trading Commission (the “Commission” or the ”CFTC”), on May 31, 2023 published an Advance Notice of Proposed Rulemaking (“ANPRM”)1, seeking public comment in connection with potential amendments to the regulations under the Commodity Exchange Act (“CEA”) relating to the risk management program (“RMP”) requirements for swap dealers (“SDs”), major swap participants (“MSPs”)2 and futures commission merchants (“FCMs”) registered with the Commission.

I.  Overview of the Questions and Request for Comment

a.  Risk Management Program Governance

Regulation 23.6003 sets forth the RMP requirements for SDs while Regulation 1.11 sets forth the RMP requirements for FCMs (the “RMP Regulations”). The ANPRM indicates that the Commission is generally seeking feedback on the RMP structure and related governance requirements for SDs and FCMs, as well as to reduce ambiguity in the RMP Regulations by further clarifying or delineating certain terms. Specifically, the rulemaking is expected to address the regulatory definitions of “governing body” and “senior management,” reporting line requirements and qualified personnel under the RMP Regulations.

Significantly, the Commission has also requested comment as to whether it should alternatively consider “other regulatory regimes” pursuant to a “holistic review” of the RMP Regulations – for example, by “harmonizing the RMP Regulations with the risk management regimes” of the prudential regulators (i.e., the Board of Governors of the Federal Reserve System (the “Fed”), the Office of the Comptroller of the Currency, the Farm Credit Administration, or the Federal Housing Finance Agency, as applicable to an individual SD or FCM). This could result in significant operational efficiencies for registrants if adopted.

Additionally, the Commission has indicated that it is considering expanding the definitions of “governing body” under the RMP Regulations to include additional persons who might be necessary to encompass the variety of business structures and entities used by SDs and FCMs. Were the Commission to do so, this could subject new persons to the requirements relating to approving RMPs, risk tolerance limits, new products and trading policies, and reviewing risk exposure reports (“RERs”) and the annual RMP results. Additionally, expanded definitions of “governing body” could have the indirect effect of sweeping additional persons into the related definitions of “senior management” under the RMP Regulations. To that end, the Commission is also considering amending the definitions of “senior management” to delineate specific roles or functions.

The RMP Regulations may also specifically address reporting lines within risk management units (“RMUs”). Currently, SDs’ and FCMs’ RMUs are required to report directly to senior management and be independent from the business units. However, that general requirement creates ambiguity as to what constitutes a reporting line or independence from undue influence, which the Commission seeks to clarify.[i]

b.  Enumerated Risks in the Risk Management Program Regulations

With respect to the quarterly RERs that SDs and FCMs are required to file, the ANPRM states that the “Commission staff has observed significant variances” between how SDs and FCMs define and report on risk, “making it difficult for the Commission to gain a clear understanding of how specific risk exposures are being monitored and managed.”

Such variation is due in part to the different requirements for setting policies and procedures and taking into account risk management considerations between SDs and FCMs. The RMP Regulations enumerate (i) market risk, (ii) credit risk, (iii) liquidity risk, (iv) foreign currency risk, (v) legal risk, (vi) operational risk and (vii) settlement risk as specific areas for SDs’ and FCMs’ RMPs to take into account, while FCMs’ RMPs must additionally take into account (viii) segregation risk, (ix) technological risk and (x) capital risk. The Commission has requested comment as to whether to require SDs to take into account technological risk as well.

The Commission has also indicated that it is considering amending Regulation 1.11(e)(3) to, first, require FCMs’ RMPs to create policies and procedures to address every enumerated area of risk that FCMs are required to take into account, and, second, adopt specific risk management considerations for each such risk. This would create a significant operational burden for FCMs, but would largely harmonize the requirement for FCMs with the similar requirements for SDs under Regulation 23.600.

All such enumerated risks are currently undefined in the CEA; the Commission is considering defining such risks, and is seeking comment on whether the definitions for each should be identical for both SDs and FCMs. For the definitions of “operational risk” and “technological risk,” the Commission has floated the possibility of borrowing the definitions from the Fed and Basel III, and Canada’s Office of the Superintendent of Financial Institutions, respectively. Such definition of technological risk would encompass artificial intelligence, machine learning, crypto asset and distributed ledger technology, and smart contracts, among other things.

With respect to “market risk,” the Commission is considering clarifying the requirement that models be independently validated under Regulation 23.600(c)(4)(i)(B) or, alternatively, aligning the requirement with the validation of margin models under Regulation 23.154(b)(5). Such alignment could result in more granular and onerous validation requirements for SDs, including a requirement that the validation process be completely independent from the business unit from start to finish. Currently, the validation process only requires that the valuation data must be derived from or verified by sources independent from the business unit.

Additionally, Regulation 23.154(b)(5) requires that an SD promptly notify the Commission of any “material problems” with an initial margin model. If this requirement were exported to SD market risk modeling, that would create significant compliance burdens and additional oversight for SDs. The Commission is also considering requiring SDs’ RMP market risk and/or credit risk policies and procedures to explicitly take into account whether the collection or posting of initial margin above the minimum regulatory requirements set forth in Regulation 23.154 is warranted. While many SDs already take into account such consideration in practice, the implementation of a specific requirement to do so could result in a significant amount of additional margin being required from counterparties.

Finally, in consideration of “certain market events over the last decade,” the Commission may propose the inclusion of additional enumerated areas of risk in the RMP Regulations. Such areas could include geopolitical risk, environmental, social and governance risk, climate-related financial risk, including physical risk and transition risk such as the energy transition, reputational risk, funding risk, collateral risk, concentration risk, model risk, cybersecurity risk, regulatory and compliance risk and contagion risk. Given that climate-related risk was subject to a CFTC Request for Information published on June 2, 2022,4 it is likely that climate-associated risks will comprise part of the risk areas in the RMP Regulations.

c.  Periodic Risk Exposure Reporting by SDs and FCMs

Currently, SDs and FCMs are required to provide RERs to their respective “senior management” and “governing body” quarterly, and also “immediately upon the detection of any material change in the risk exposure” of the entity. Additionally, the same RERs must be provided to the Commission within five (5) business days of being provided to senior management on a quarterly basis. The Commission is considering incorporating a deadline for when SDs and FCMs must report to it a material change in risk exposure, and whether it should amend the frequency with which RERs must be furnished to the Commission, or require RERs be filed on a fixed day rather than tying the deadline to delivery to senior management. Additionally, the Commission requests comment as to whether it should impose additional governance requirements prescribing how a SD/FCM provides its RERs to its senior management and governing body.

With respect to the format, content and scope of RERs, the Commission seeks comment as to (1) whether it should prescribe a format for RERs, and/or align or harmonize, wholly or partly, RER content requirements with the National Futures Association (“NFA”)’s SD monthly risk data filings, (2) whether any such risk data should be excluded or whether any additional information should be reported in the RER and (3) whether RERs should report on risk at the registrant level, enterprise level or both. Currently, an entity is required to report in each RER the risk exposures enumerated in Section B above, any recommended or completed changes to the entity’s RMP, along with any incomplete implementation of previously recommended changes to the RMP. On the other hand, the NFA’s monthly risk data filings require metrics such as Value at Risk (“VaR”) for interest rates, credit, FX, equities, commodities and total VaR, total stressed VaR, swaps exposures before and net of collateral and largest swaps counterparty exposures, among other specific requirements.5 Moreover, these NFA filings are currently only required for SDs, thus the Commission requests comment as to whether it should include different risk data metrics for FCMs, or any additional metrics for SDs. The Commission also is considering whether RERs should contain information pertaining to violations of an entity’s RMP or breaches of the risk tolerance limits prescribed either in the RMP Regulations or by the entity’s senior management or governing body, and whether a materiality standard for such violations or breaches should be included.

Finally, the Commission is considering allowing SDs and FCMs to furnish the internal risk reporting they already use in their RMPs in satisfaction of the RER filing requirement, and if so, requests comment as to how often such reports should be furnished to the Commission and whether it should prescribe the content and format of such reports.

d.  Other Areas of Risk

In light of recent market, credit, operational and geopolitical events, the Commission is also considering whether to impose upon SDs and FCMs additional requirements designed to address any related potential fallout, particularly aimed at, first, the segregation of customer funds and counterparty collateral and, second, risks relating to an SD’s and FCM’s affiliates, lines of business and other trading activity (i.e., contagion risk).

With respect to segregation of customer funds and counterparty collateral, RMPs are currently required to “ensure segregated funds are separately accounted for and segregated or secured as belonging to customers.” The Commission is considering whether its RMP Regulations are comprehensive enough with respect to (i) SDs identifying, monitoring and managing risks associated with collecting, posting and holding counterparty collateral and (ii) FCMs’ risk management of segregation of customer funds. Additionally, the Commission is considering whether the RMP Regulations adequately address risks where SDs and FCMs have multiple business lines and registrations. Following the trend of other regulatory activity, the Commission also seeks comment with respect to the risks associated with digital asset lending, derivatives and custody.6

With respect to contagion risks for SDs and FCMs, the Commission is looking into whether there are any inadequacies in the current RMP Regulations’ and the Volcker Rule’s coverage of risks associated with inter-affiliate exposure to credit risk and reliance on affiliates to meet regulatory requirements. Also, the Commission requests guidance with respect to specific risks posed by affiliates of SDs and FCMs, as well as comments addressing the risks associated with an SD’s and FCM’s affiliates or lines of business that could affect its operations.

II.  Summary

Participants may provide comment on any of the RMP Regulations concerning RMP governance, enumerated risk areas, the current RER regime for SDs and FCMs, the risks attendant to the segregation of customer funds and the safeguarding of counterparty collateral and the requirements related to risks posed by affiliates and related trading activity.

The following areas of concern will likely be addressed: (1) whether any of the FCMs or SDs in the past have experienced any negative impact on their business operations or were a subject to a CFTC, SRO or other regulatory enforcement action as a result of the risks noted in the ANPRM or whether the ANPRM may qualify as a solution in search of a problem; (2) whether the final product should be more principles-based and less prescriptive, considering that the language of the final regulations will be the standard against which FCMs and SDs will be specifically held against; (3) whether greater focus should be given to business continuity and disaster recovery concerns that should be designed specifically to address the likely and realistic risks that the FCMs and SDs may face as well as the CFTC and the SROs (e.g., to avoid the need for the CFTC and the NFA issuing tens of no action letters in response to the business disruption caused by the COVID pandemic in 2020 and 2021); and (4) a detailed cost benefit analysis to assess whether the time and effort that the FCMs and SDs would spend on implementing final RMP regulations would be commensurate with the benefits of the revised guidance. 

The Commission must receive comments in writing within 60 days of the ANPRM’s publication in the Federal Register, which as of the date of this Alert, has not yet occurred.


1   Commission RIN 3038-AE59 (May 31, 2023), available at

2   The regulatory requirements relevant to SDs herein apply to both SDs and MSPs; however, as there are currently no MSPs registered with the Commission, we have referred to such requirements only in the context of SDs.

3   Unless otherwise noted, all references to “Regulations” herein are references to CFTC Regulations under the CEA.

4   See Request for Information on Climate-Related Financial Risk, 87 FR 34856 (June 8, 2022), available at

5   See NFA, Notice I-17-10: Monthly Risk Data Reporting Requirements for Swap Dealers (May 30, 2017), available at

6   Many of the risks related to digital assets are already subject to disclosure requirements under NFA’s recently promulgated Rule 2-51. See NFA, Rule 2-51 “Requirements for Members and Associates Engaged in Activities Involving Digital Asset Commodities,” available at


[i]    In CFTC Staff Letter No. 14-158, the Commission approved no-action relief for an SD bank who wanted to establish a reporting line of it Chief Compliance Officer to the SD’s governing body in accordance with Regulation 23.600, rather than its board of directors or senior officer in accordance with Regulation 3.3. See CFTC Letter No. 14-158 (Nov. 25, 2014), available at