The 5 Part 38 Core Principles That Kill DCM Applications
The statute says 180 days. Katten's advisory says "often north of two years." That's the gap that ends most DCM applications. Not a denial letter. Attrition. Staff asks follow-up questions, the applicant misses a funding round, the CEO quits, and the whole thing goes dormant.
I've been reading DCM filings and CFTC public comment letters for the last six months. The pattern is boring in a useful way. Applications don't fail across 23 Core Principles evenly. They stall on the same five, over and over, in predictable places. If you're preparing a filing, knowing where to expect the wall matters more than memorizing all 23.
This is the regulation itself, not the tools you buy around it. I wrote about the tools a while back. This is the upstream piece: what 17 CFR Part 38 actually demands, which clauses chew up the most staff cycles, and what "materially complete" looks like on the Core Principles that trip people up.
Why applications stall, not fail
Before the five, the context. Read 17 CFR § 38.3 once and you'll see the statutory clock is basically a suggestion. The 180-day review period doesn't start until your application is "materially complete." The Director of the Division of Market Oversight is delegated authority under § 38.3(c)(1) to notify you the application is incomplete and stay the clock.
That's the mechanism. You file. Staff reviews. Staff says your exhibits are thin somewhere. Clock stops. You respond. Clock restarts. Repeat.
Kalshi spent roughly two years to designation. Polymarket didn't bother. They paid about $112 million in July 2025 to acquire QCEX and inherit an existing DCM license. Crypto.com's Derivatives North America took a different route: they were already registered, and they amended their DCM license in September 2025 to add margined derivatives. Each of these paths tells you something. The de novo path is long enough that $112M in acquisition premium is a reasonable alternative for anyone with the capital.
Applications and inquiries to register as a DCM increased noticeably through 2025, according to Katten's January 2026 advisory. The CFTC itself issued an Enforcement Division advisory on prediction markets in February 2026 and launched an Advance Notice of Proposed Rulemaking that closes for comment on April 30, 2026. The regulatory floor is moving.
Here are the five Core Principles where most of the back-and-forth happens.
1. Core Principle 4 — Prevention of Market Disruption
Text at 17 CFR § 38.250. The statutory language is 48 words: the board of trade shall have the capacity and responsibility to prevent manipulation, price distortion, and disruptions of the delivery or cash-settlement process. Then § 38.251 expands that into seven specific obligations a DCM must demonstrate. Real-time monitoring. Trade reconstruction. Pre-trade risk controls on all electronic orders. Prompt notification to Commission staff of significant market disruptions.
This is where CFTC staff push hardest, and the reasons are structural. Core Principle 4 is the one the Commission itself uses to evaluate whether you deserve the license. They read your surveillance methodology, your real-time monitoring program, your large-trader reporting setup under § 38.254, and your physical-delivery or cash-settlement monitoring under §§ 38.252 and 38.253. Each one is a separate narrative in Form DCM Exhibit M.
Common place it falls apart: applicants submit generic surveillance policy language that doesn't reflect the actual market structure they're proposing to operate. If you're listing event contracts or prediction markets, "we will monitor for spoofing" isn't enough. Staff wants to see the specific alerts, the thresholds, the escalation workflow, and the evidence that your automated surveillance system can process the volume you're forecasting within 24 hours of the trading day ending. That last one is a hard requirement under § 38.156.
The Enforcement Division's February 2026 advisory made this explicit: DCMs have an independent duty under the Act to maintain audit trails, conduct surveillance, and enforce rules against prohibited practices. Kalshi's own disciplinary docket from 2025 shows what that looks like in practice. A $2,246.36 penalty against a political candidate who traded on his own candidacy. A $20,397.58 penalty against a YouTube editor who traded on material non-public information about content he helped produce. Small numbers. Real enforcement, on a live DCM, with documented investigation reports.
If your application's Core Principle 4 exhibit reads like a policy binder instead of an operating plan, expect a multi-round dialogue with staff.
2. Core Principle 2 — Compliance with Rules
Text at 17 CFR § 38.150. This is the umbrella. Access requirements, abusive trading practices, capacity to detect and investigate violations, compliance staff and resources, automated trade surveillance, real-time monitoring, investigation timeliness (§ 38.158(b): no more than 12 months absent mitigating factors), sanctions. Eleven separate regulations under Subpart C.
Core Principle 2 is where the Chief Regulatory Officer problem lives. CFTC staff expects qualified personnel in key roles at the time of filing, not placeholder job descriptions. That's the Katten advisory's phrase, and it tracks what I see in filings. "We will hire a CRO before launch" doesn't cut it. Staff wants the name, the resume, the reporting line, and the compliance staffing model with headcount tied to forecast volume under § 38.155(b).
§ 38.152 is the specific-prohibitions section. Front-running, wash trading, pre-arranged trading, fraudulent trading, money passes, spoofing. Your rulebook needs to prohibit every item on this list, and your surveillance needs to detect each one. When CFTC staff send rulebook comments during review, the most common requests I've seen referenced are variations on "amend Rule X.Y to reference § 38.Z." Not philosophical disagreements, just missing cross-references.
One more trap: § 38.154 lets you use a third-party regulatory service provider, but § 38.154(c) reserves exclusive authority for the DCM over trade cancellation decisions, disciplinary charges, and access denials for disciplinary reasons. Applicants sometimes structure their contracts with NFA or another regulatory service provider in a way that implicitly delegates those decisions. That structure needs to be rewritten before the application is materially complete.
3. Core Principle 20 — System Safeguards
Text at 17 CFR § 38.1050. Subpart U runs to about 3,600 words. It's the longest section in Part 38 by word count, and it's where technology applicants get stuck.
Seven categories of risk analysis and oversight are required under § 38.1051(a): enterprise risk management, information security, business continuity and disaster recovery, capacity and performance planning, systems operations, systems development and QA, and physical security. Each one has to be addressed with evidence. Your vulnerability testing, external penetration testing, internal penetration testing, controls testing, security incident response plan testing, and enterprise technology risk assessment all have to be documented, with frequencies justified by a risk analysis.
For a covered DCM (one with 5% or more of combined annual trading volume), the frequencies are hard-coded: quarterly vulnerability testing, annual external pen testing by independent contractors, annual internal pen testing, key controls testing by independent contractors every three years, annual security incident response plan testing, annual enterprise technology risk assessment. You don't get to a covered-DCM threshold for years, but staff still wants to see the framework from day one.
Two things staff pushes back on consistently. First, the business continuity and disaster recovery plan under § 38.1051(c) is supposed to enable resumption of trading and clearing "during the next business day following the disruption." Applicants often submit BCP documentation that doesn't actually specify recovery time objectives or demonstrate synchronized testing with the clearing organization they're using.
Second, § 38.1051(e) requires notification to Commission staff of cyber security incidents "that actually or potentially jeopardize automated system operation." That's a narrow definition. Staff wants the incident definition, the classification thresholds, and the communication protocol. Vague language like "we will notify the Commission of significant incidents" gets flagged.
This is one of the Core Principles where having actual infrastructure beats having good policy documents. If you can't demonstrate that you've already done a penetration test against your own production-equivalent environment, staff knows.
4. Core Principle 21 — Financial Resources
Text at 17 CFR § 38.1100. Short and brutal. The board of trade shall have adequate financial, operational, and managerial resources. Adequate means the value of financial resources exceeds one year of operating costs, calculated on a rolling basis.
§ 38.1101 adds the operational detail. Financial resources include the DCM's own capital under U.S. GAAP and any other resource the Commission finds acceptable. The 12-month operating cost calculation has to be projected quarterly. "Haircuts" must be applied to reflect market and credit risk. And here's the sleeper: § 38.1101(e) requires unencumbered, liquid financial assets equal to at least six months' operating costs. Cash and highly liquid securities.
A committed line of credit can supplement the liquid portion, but not replace it. An applicant burning $2M a month (reasonable for a modest exchange) needs about $24M in total resources and $12M of that strictly liquid. Plus $1-3M on legal counsel for the application itself, plus $200-500K a year for surveillance technology, plus compliance staffing, plus technology build-out.
This is the Core Principle where the CFO's pro forma collides with the regulator's math. Applicants sometimes count ungranted options or unfunded capital commitments as financial resources. They aren't, under § 38.1101(b). Staff audits the balance sheet against the rolling 12-month projection, asks for the methodology documentation under § 38.1101(f)(3)(i), and compares to the supporting agreements under § 38.1101(f)(3)(iii).
If you filed a DCM application with less than 12 months of runway on the books, the Core Principle 21 exhibit is where staff will spend time.
5. Core Principle 18 — Recordkeeping
Text at 17 CFR § 38.950. Underrated, undercooked, and the reason some applicants end up in an 18-month back-and-forth that reads like a data-engineering project.
A DCM must keep records of all activities relating to its business, in a form capable of being produced promptly, in the format the Commission requires under § 1.31. That sounds simple. It isn't. When you combine it with Core Principle 20's audit trail requirements under § 38.552 (every order, every modification, every cancellation, every fill, timestamped with enough precision to reconstruct sequences), you end up with a data retention and retrieval problem that exchanges often haven't actually solved when they file.
Staff will ask you to demonstrate trade reconstruction. Specifically, under § 38.256, you must have the ability to comprehensively and accurately reconstruct all trading on your trading facility, in a form, manner, and time acceptable to the Commission. That's not a policy statement. That's a technical capability test. If your database schema, your order management system, and your audit log architecture can't satisfy it, you're rebuilding production infrastructure while the 180-day clock isn't even running.
What "materially complete" actually means
This is the phrase that matters more than any other in § 38.3. An application is not materially complete unless the applicant has submitted, at a minimum, the exhibits required in Form DCM. Form DCM is in Appendix A of Part 38. 30+ exhibits labeled A through Z+, covering the organizational chart, the rulebook, system safeguards documentation, the financial statements, and everything between.
Material completeness is binary. A placeholder for a penetration test report is not a penetration test report. A description of surveillance methodology is not a surveillance methodology. A draft rulebook marked "to be finalized" is not a rulebook.
This is why the timeline slips. Applicants file with incomplete exhibits, staff stays the clock, applicants revise, staff stays the clock again, and the 180 days never actually start. I've seen references to applications sitting for 18 months without the 180-day clock ever running. That's not the Commission being slow. That's the application never reaching material completeness.
The unglamorous fix
Most of the work on a DCM application is document-to-regulation mapping. Does every paragraph of § 38.151 through § 38.160 have corresponding language in your rulebook or your Compliance Manual? Does every category of risk analysis in § 38.1051(a) have a documented program and a testing cadence? Does your financial resources calculation actually apply GAAP and haircuts?
Answering those questions by hand is how you end up at $800/hour for outside counsel and a 26-month timeline instead of a 14-month one.
We built a workspace at RegFo that runs this mapping. Upload your rulebook and compliance manual, the system reads every paragraph against the full text of 17 CFR Part 38 (all 23 Core Principles, every subpart, every section) and tells you which obligations are missing cross-references, which are thin, and which don't exist in your documents at all. Not keyword matching. Actual semantic checking of whether your Rule 5.17 on abusive trading satisfies what § 38.152 requires, not just whether it mentions the right words.
We started doing this for biotech IND submissions against FDA and ICH. See how we check preclinical studies and common IND deficiencies for the pharma version. The CFTC version runs on the same engine. Different regulator, same structure: take a company's actual documents, check them against hundreds of specific regulatory obligations, and show exactly what's missing and where.
If you're in the middle of a DCM filing, the most useful thing you can do is stop debating Core Principles in conference rooms and start checking your documents against the CFR sections directly. Every gap you close before submission is one fewer round of comments once staff has the application in hand.
Further reading
- 17 CFR Part 38 full text: read it once, cover to cover
- Form DCM (Appendix A to Part 38): the exhibit list itself
- CFTC Enforcement Advisory on Prediction Markets (February 2026): the most recent statement on DCM surveillance expectations
- Our tools comparison: Eventus, Ascent, NICE Actimize, and four more
- Part 38 library: the full regulation, structured by Core Principle, with every section indexed