Dodd-Frank and risk management program reviews


An interview with the regulatory compliance team at RSM US LLP on a timely topic: Dodd-Frank and risk management program reviews. The team recently completed a swap dealer risk management program review and has some unique insights from the so-called "front lines" on the topic.

What are some of your takeaways from the process of conducting a risk management program review of a swap dealer?

Dodd-Frank introduced the concept of program reviews for certain market participants such as swap dealers (SDs) and major swap participants (MSPs) under CFTC Reg. 23.600, as well as futures commission merchants (FCMs) under CFTC Reg. 1.11. 

Must a third party conduct these annual reviews?

The regulations do not require that a third party conduct the annual review and testing, but if a qualified third party is not used, then the testing shall be performed by "qualified internal audit staff members that are independent."

When does the annual review clock start ticking?

The clock starts ticking based on the end of an entity’s fiscal year. CFTC Regulation 3.3(f)(2) requires that all FCMs, SDs and MSPs file their annual report no later than 60 days after the end of their fiscal year.

What is involved in an annual review?

A review of the risk management program would include an assessment to determine whether policies and procedures are reasonable and consistent with CFTC regulations, as well as whether the firm is adhering to those policies and procedures. Areas under review for an SD/MSP would include market risk, credit risk, liquidity risk, foreign currency risk, legal risk, operational risk and settlement risk. FCMs have similar areas that are required to be reviewed, including segregation, technology risk and capital.

Does the CFTC receive copies of the risk management program reviews?

The regulations do not require distribution of these reviews to the Commission. However, the initial written policies that consist of the firm’s risk management program are required to be furnished to the Commission. While the market participant does not need to provide a copy of the risk management program reviews to the CFTC, the report is subject to the Commission’s document retention rules under CFTC Regulation 1.31 (generally, five years). Thus, it is important to retain documentation of these reviews as the Commission may request market participants to demonstrate such reviews were being performed timely. 

Does anyone else receive the results of the risk management program review?

Yes, it must be distributed to the firm’s chief compliance officer, senior management and the governing body for the SD, MSP or FCM.

Do you have any final tips or suggestions?

Initially, we would caution market participants to ensure that the reviewer is independent under the rules or a qualified third party should be engaged to perform such reviews.

Also, be advised that a well-designed testing program will involve an understanding of the business units, robust procedures to address the relevant regulations and business needs, and most importantly, frequent communication with key stakeholders to avoid surprises. Key individuals who oversee the risk areas identified in the regulations must be interviewed. Further, many documents – electronic and paper – must be reviewed, analyzed and properly cataloged. Then, a report of the key findings must be drafted and reviewed with key personnel. Lastly, any finding that demonstrates a lack of compliance should be remediated as soon as possible. That is generally how the process progresses.