Proposed Interpretive Notice:
By letter dated December 4, 2018, the National Futures Association (“NFA”) submitted to the Commodity Futures Trading Commission (“CFTC”) proposed amendments to its interpretive notice NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (the “Amendments”). Shortly afterward, on December 10, 2018, NFA submitted to the CFTC a proposed interpretive notice entitled NFA Compliance Rule 2-9: CPO Internal Controls Systems (the “Interpretive Notice”). Together, the Amendments and the Interpretive Notice would impose certain new requirements and provide clarification for NFA members in relation to their information systems security programs (“ISSPs”), as well as new requirements for CPO members to establish internal controls systems designed to deter fraudulent activity. The Amendments will become effective on April 1, 2019. The Interpretive Notice is also expected to become effective on April 1, 2019.
- Notification Requirement: Most significantly for commodity pool operator (“CPO”) and commodity trading advisor (“CTA”) NFA members, the Amendments impose a new requirement that a member firm notify NFA of cybersecurity incidents related to its commodity interest business that result in (1) any loss of customer or counterparty funds, (2) any loss of the member firm’s own capital, or (3) the member notifying its customers or counterparties of the incident pursuant to state or federal law. In notifying NFA, the member must provide a written summary of the incident with the relevant details. If the member provides a notice to customers or counterparties, however, the member may provide a copy of that notice to NFA in lieu of a written summary. Further, if substantially identical notices regarding the same incident are provided to multiple parties (e.g., to all affected customers in a breach of personally identifiable information), the member need only provide NFA with a copy of one such notice as an example.
- Training: NFA currently requires members to provide training to employees upon hiring and periodically during their employment. The Amendments require training of employees upon hiring, at least annually thereafter, and more frequently if circumstances warrant. In addition, the Amendments require that members identify the specific topical areas covered in the member’s training program.
- Approval of ISSP: NFA currently requires that a member’s ISSP be approved, in writing, by the member’s chief executive officer, chief technology officer, or other “executive level official.” To provide greater clarity, NFA has deleted the term “executive level official” and replaced it with the phrase “senior level officer with primary responsibility for information system security…or other senior official who is a listed principal and has the authority to supervise the [m]ember’s execution of its ISSP.” The Amendments also clarify the approval process for a member that meets its obligations through participation in a consolidated entity ISSP where the member is part of a broader organization.
The Interpretive Notice
Pursuant to the Interpretive Notice, each NFA member CPO would be required to implement an internal controls system designed to deter fraudulent activity by employees, management, and third parties, in order to address the safety of customer funds and provide reasonable assurance that the CPO’s commodity pool financial reports are reliable and that the CPO is in compliance with applicable CFTC and NFA requirements.
While the Interpretive Notice acknowledges that internal controls systems will vary according to the size and complexity of a CPO’s operations, the Interpretive Notice provides guidance on designing and implementing an adequate internal controls system and the minimum components that must be included. Key components addressed in the Interpretive Notice include:
- Separation of Duties;
- Risk Assessment, including the following areas:
  - Pool Subscriptions, Redemptions and Transfers;
  - Risk Management and Investment and Valuation of Pool Funds;
  - Use of Administrators; and
The Amendments and the Interpretive Notice establish certain new compliance requirements for NFA member CPOs and CTAs with respect to their ISSPs and internal controls systems, as applicable. That said, many NFA members likely already have ISSPs and internal controls systems in place that adequately address most aspects of these requirements. Accordingly, NFA member CPOs and CTAs should carefully review their existing policies and procedures to ensure that they will be compliant with these new requirements when they become effective, and evaluate whether any updates are necessary or appropriate.