MENU

CFTC RFC on AI

February 1, 2024 Uncategorized

On January 25, the Commodity Futures Trading Commission (CFTC) Divisions of Market Oversight, Clearing and Risk, Market Participants, and Data, and the Office of Technology Innovation issued a request for comment (RFC) seeking formation on the potential uses and risks of artificial intelligence (AI) in the markets regulated by the CFTC.

CFTC Chairman Rostin Behnam said, “The RFC complements the directives the Biden Administration established for the safe, secure and trustworthy development of artificial intelligence, and embodies good government. It prioritizes promoting responsible innovation and ensuring we understand current and potential AI use cases and the associated potential risks to our jurisdictional markets and the larger financial system. This allows us to better align our supervisory oversight and evaluate the need for future regulation, guidance, or other Commission action… This RFC will further support the CFTC as we strategically identify the highest priorities and return-on-investment projects with AI use cases internally to optimize our data-driven approach to policy, surveillance, and enforcement.”

Questions in the RFC were broken into two categories:

  1. AI Use in CFTC-Regulated Markets:
  • Scope
    • Is the definition of AI in [President Biden’s recent] Executive Order… appropriate for CFTC-regulated entities and markets? Would defining AI more broadly or adopting a more narrowly tailored definition of AI be necessary for guidance or proposed rules applied to CFTC-regulated markets?  Do market participants draw a line between trading based on AI and other automated trading currently in use?  If so, where is or should the line be drawn?  What criteria should be used to differentiate between AI and other forms of automated trading?
  • General Uses
    • A variety of enterprises, activities, and regulatory responsibilities of CFTC-regulated entities are shaped by software and data and, as such, may be impacted by the use of AI. Are there ways in which AI is currently being used by CFTC-regulated entities or by other persons for activities within the scope of the CFTC’s jurisdiction? Activities of interest include, but are not limited to, the following:
      • Trading – In addition to market intelligence, analytics, data processing, and risk evaluation, is AI being used to design strategies or make decisions related to specific trades (directional, hedging or speculative)? How much autonomy is given to AI to identify a trade and place it in the market, with or without human supervision? Is AI being used to mitigate human error in the trading process, or to otherwise “quality control” or validate trading? How does this differ from traditional trading algorithms? How often are AI-driven trading strategies updated? Is use of AI more prevalent for the trading of certain products or markets or by certain types of entities? If so, why? What are the measures for evaluating success when using AI?
      • Data Processing and Analytics – What data processing and analytic tasks have been supported by AI? To what extent do AI-driven analytics inform or supplant human action? Have training and use protocols been developed and/or applied in conjunction with the application of AI analytics? How is AI used to monitor for anomalies or issues with data quality? If analytical errors are discovered, what steps are taken to evaluate and cure those errors? What monitoring is in place to identify data processing errors made by an AI-based system?
      • Risk Management – Is AI used to monitor or evaluate margin, capital, risk tolerances, credit, or position limits? If so, please explain how AI is being used in risk management. In addition to monitoring, has AI been integrated into mechanisms to enforce compliance with margin, capital, or risk limits? Again, if yes, please explain how. Are AI programmers aware/taking steps to evaluate and mitigate harmful AI to AI interactions? In what other ways is AI being used as a part of risk management efforts?
      • Compliance – How is AI being used in compliance? Compliance is broadly interpreted here and includes, but is not limited to, know-your-customer (KYC customer validation), anti-money laundering, anti-fraud, trade documentation and regulatory reporting. Are CFTC-regulated entities using AI to comply with specific CFTC requirements, such as in the context of swap dealer business conduct standards? An additional and important subset of compliance is surveillance, which would include identifying market manipulation, including, but not limited to, spoofing, wash trades, and “marking-the-close” trading. For self-regulatory organizations (“SROs”), please explain any ways in which AI is being adopted as a part of surveillance and oversight of members.
      • Books and Records – CFTC-regulated entities are required to maintain in a readily producible fashion a variety of records, including trade histories, audio recordings, and digital communications. Is AI being used to organize, validate or search required records? Is AI being used to proactively search for risks in records and recordings? Alternatively, is AI being used to search for gaps in records or broken records for compliance or other purposes?
      • Systems Development – AI-based tools are being increasingly used by software developers to enhance productivity, particularly for manual and repetitive tasks. Is AI being used by software developers in CFTC-regulated markets to assist in the development of internal applications and services? Is AI being used to assist in quality assurance?
      • Cybersecurity and Resilience – How, if at all, is AI being used to assess the cyber vulnerabilities of systems or data? To the extent that firms have outsourced activities or data management to third party service providers, has AI been employed to evaluate the cybersecurity and resilience of these systems as well?
      • Customer Interactions – Potential uses for AI with respect to customer service could include chatbots and digital assistants, data mining for purposes of marketing or advice, and monitoring for risk. How is AI being used to communicate with existing and potential customers? Are customers informed when AI has been used to generate answers, advice, or other communications? Does AI serve as the basis for customer engagement or interactions? Do AIpowered chat bots provide a way to opt out and connect with a human? Are preprogrammed automated advisors being developed or used in CFTC-regulated markets? What feedback have customers provided regarding the quality of AIbased customer service interactions?
      • Potential Uses The above question considers active uses of AI in conjunction with a variety of activities. This question addresses the potential of AI.  Even if AI is not currently used or used widely to accomplish the activities described above, do you envision that firms or individuals will likely implement AI, including generative AI, to accomplish these activities in the near future.
    • AI and Geography
      • To the extent that AI is used, is AI application within a firm segmented based on the location of the facility or customer?
    • AI Roadblocks
      • Are there barriers or obstacles impeding the acquisition, application, or use of AI suitable for accomplishing the activities described in question 2? Are the barriers generic (cost, lack of sufficient pool of workers skilled in AI application, concerns about utility, etc.) or are they specific to any of the activities? How do these barriers vary across different types of firms? To what extent is regulatory clarity a concern or impediment to AI implementation?
    • AI and Third-Party Service Providers
      • To what extent are third-party service providers relied upon for the provision of AI services that support the uses described in question 2, above? To the extent that AI supports the activities described in question 2, which of them tend to be performed by in-house staff rather than third-party service providers, and why? Are AI technologies being developed within CFTC-regulated entities as proprietary technology? If not, are CFTC-regulated entities acquiring technologies from third-party service providers? What specific third-party AIbased software are participants in CFTC-regulated markets adopting? What challenges may CFTC-regulated entities face when attempting to manage, update, or deconstruct the decisions or analysis made by third-party created software or technology?
    • Governance of AI Uses
      • How are firms tracking the uses being made of AI, both by in-house operations and by third-party service providers relied upon by firms? How is accountability for AI use assigned? Is the use of AI audited for accuracy and safety? How frequently are AI systems updated?
    • Additional AI Uses
      • To the extent not already discussed, please identify any additional current or prospective uses of AI in CFTC-regulated markets or by CFTCregulated entities.
  1. AI Risks in CFTC- Regulated Markets
  • Governance
    • Have CFTC-regulated entities modified their governance structures to specifically address AI? If so, how? Do these changes include having designated senior management responsible for the oversight of the development, testing, deployment, monitoring, and controls of AI? Do structures appoint a human to be “in the loop” to prevent cascading failures driven by AI? Is any particular AI-specific risk management framework, such as that published by NIST, being used to guide such changes? In the event that the AI tool is procured or operated by a third-party, what additional challenges to governance have been identified, and are they capable of being fully addressed through in-house governance measures?
  • Cybersecurity
    • Do market participants identify AI as a source of cybersecurity vulnerability? Are there difficulties with or concerns over employing AI to probe, scan, or repair digital systems? How have market participants modified governance structures and risk management frameworks to account for cybersecurity and system safeguard risks driven by AI? Have firms implemented measures to defend against these threats? What obstacles have impeded the implementation of defenses to AI-based threats? What unique cybersecurity issues arise from the use of AI technologies created and licensed by third-parties?
  • Explainability and Transparency
    • How do CFTC-regulated entities manage the lack of explainability associated with some AI models? Are there certain AI applications where explainability is more of an issue or concern? Is lack of explainability more likely to be associated with AI procured from a third party? Does procurement of AI from a third party impact the ability to manage the lack of explainability? If SROs are using AI to oversee members, are there particular issues concerning explainability in the context of investigations and enforcement actions?
    • If firms are using AI models to determine obligations or requirements for other parties, such as margin requirements, are there AI-specific transparency issues? Describe any potential transparency concerns that may arise as a result of SROs adopting AI technologies as part of their market oversight responsibilities.
  • Data Quality
    • Does the initial or ongoing quality of data sets used by AI raise concerns? How have data processes changed to address different quality needs associated with AI? What controls are in place to ensure that the data used by AI is of sufficient quality and based on a sufficiently sized data set? Do controls differ depending upon whether the data is procured from a third party?
    • What procedures are being used to select the training data for AI systems used by CFTCregistered entities? What procedures are being used to clean and partition training data for AI systems used by CFTC-regulated entities?
  • Market Manipulation and Fraud
    • Bad actors are increasingly able to use AI to engage in more sophisticated forms of fraud and illegal conduct. Does the proliferation of AI present increased risks of manipulation, fraud, or other illicit activity in the markets overseen by the Commission? Why or why not? How have governance structures addressed this risk? What, if any, policies should be considered, in addition to existing rules, to address potential increases in illegal conduct as a result of the use of AI? Please also specifically comment on whether the adoption of AI may impede enforcement of antifraud and market manipulation regulations.
  • Concentration
    • Are components of AI models currently procured from a concentrated number of firms? If so, which types of provider markets are concentrated and to what extent? What risks exist if the key inputs to AI models are, or become, concentrated? Does the concentration of cloud providers result in concentrations of AI services? Do the features of certain AI systems cause vendor lock-in (i.e., certain cloud providers may provide certain AI skills only available on that cloud provider)?
  • Bias
    • What controls are currently used to ensure that the data used in AI is of sufficient quantity and quality to prevent unlawful discrimination and bias while also being sufficiently broad for a reliable application of AI? How are biases that are reflected in historical data identified and addressed? How are biases identified in the algorithms, and mitigated or removed to minimize biased outcomes? Are biases in stress test scenarios and risk management getting into risk management systems through use of AI?
    • Are the datasets used for developing AI sufficiently diverse and inclusive, and capable of recognizing a variety of languages and language uses, so that the engagement occurs in a non-discriminatory manner? Are the AI tools compliant with Sec. 508 of the Rehabilitation Act?
    • What uses of AI in CFTC-regulated markets present the greatest risk of bias?
  • Customer Protection
    • What controls and governance structures are currently used by CFTC-regulated entities to ensure that AI does not place their interests ahead of customer interests? Does the use of AI increase the risk of such conflict of interest? What are the areas of customer protection that will become increasingly more relevant with the wide-spread adoption of AI (e.g., disclosure, risk management)?
  • Privacy and Confidentially
    • Is the advancement of AI in CFTC-regulated markets resulting in greater risks to individual privacy rights? Why or why not? What steps are being taken to mitigate privacy and confidentiality risks? Are privacy-enhancing technologies35 currently being used?
    • What protections are CFTC-regulated entities adopting to ensure the confidentiality of proprietary data used in AI?
  • Third-Party Service Providers
    • Are there any risks specifically associated with using AI technologies created by third party providers? What efforts are users of third-party AI technology taking to understand and mitigate these risks? What due diligence procedures are in place to evaluate the risks posed by third-party providers prior to adopting third-party AI technologies?
    • What disclosures should be required regarding a firm’s use of third-party providers for AI services?
  • Risks to Competition
    • Does the use of AI and its potential to create large economies of scale present the potential to harm competition among market participants? Please specifically address any market functions that are at the greatest risk of seeing harm to competition through the increased adoption of AI.
  • Other Risks
    • Are there AI risks to CFTC-regulated markets that may arise now or in the future that are not addressed by the questions above?

 

 

Please let us know if you have any questions.

 

Best,

Edmund Perry

 

Delta Strategy Group

600 Pennsylvania Ave SE Ste 300

Washington, DC 20003

(205) 568-4150