The National Futures Association ("NFA") recently issued two notices to its members that establish effective dates for new regulatory and operational requirements which apply to registered commodity pool operators ("CPOs") and commodity trading advisors ("CTAs").
On April 13, 2021, NFA issued Notice I-21-15, which establishes June 30, 2021 as the effective date by which member CPOs, including those operating exempt pools, must begin to notify NFA when certain market or other events affect the ability of a pool to fulfill its obligations to pool participants or which may result in a pool's unplanned liquidation, pursuant to new NFA Compliance Rule 2-50 (the "CPO Adverse Event Reporting Requirement").1
On March 24, 2021, NFA issued Notice I-21-13, which establishes September 30, 2021 as the effective date by which members, including registered CPOs and CTAs, must have adopted and implemented a written supervisory framework that addresses key outsourcing-related risks in connection with their use of third-party service providers to fulfill their regulatory functions, pursuant to NFA Compliance Rules ("Supervision of Outsourcing Regulatory Functions").2
A. CPO Adverse Event Reporting Requirement
Beginning on June 30, 2021, member CPOs (including those operating pools pursuant to an exemption under rules adopted by the Commodity Futures Trading Commission ("CFTC") such as Rule 4.7 or 4.13(a)(3)) will be required to promptly notify NFA by no later than 5:00 PM (CT) on the next business day if any of the CPO's pools: (1) are unable to meet a margin call; (2) are unable to satisfy redemption requests in accordance with their subscription documents; (3) has halted redemptions and the halt on redemptions is not associated with pre-existing gates or lockups or a pre-planned cessation of operations; or (4) receives notice from a swap counterparty that such pool is in default.3 Similar to existing rules for futures commission merchants (each, an "FCM") and introducing brokers, the CPO Adverse Event Reporting Requirement is intended to assist NFA in readily identifying CPOs of pools that have been adversely impacted by a market or other event. To assist CPOs in complying with the new requirement, NFA has issued Interpretive Notice 9080, which provides some guidance regarding reportable and nonreportable events under NFA Compliance Rule 2-50 (CPO Notice Filing Requirements)4:
- Unable to Meet a Margin Call: A CPO is not required to notify NFA on the day a pool receives a margin call if the CPO reasonably expects to meet the margin call within the time period imposed by its FCM or broker by altering its portfolio or accessing other means to meet the margin call. However, once a CPO determines that one of its pools will be unable to meet a margin call, including in situations where the CPO disputes the amount or appropriateness of the margin call, the CPO must file the notice required by NFA Compliance Rule 2-50 within the required time period.5
- Unable to Satisfy Redemption Requests: A CPO is not required to notify NFA if it is unable to meet a redemption request on the day it receives the request provided that the CPO is able to do so in accordance with the pool's subscription agreement, including after giving effect to any applicable grace periods or other provisions impacting the timing of a redemption payment (e.g., payment-in-kind or side pocket arrangements). However, once a CPO determines that a pool will be unable to meet a redemption request within the terms of the subscription agreement, the CPO must file notice within the required time period, even if the applicable grace period has not yet expired.
- Halt on Redemptions: A CPO is not required to notify NFA where a pool's subscription agreement identifies pre-determined gates or lockups or where a CPO liquidates a pool in the ordinary course of business (not due to a market-related or other unexpected event) and redemptions are halted pending a final accounting. However, a CPO is required to notify NFA within the required time period when one of its pools unexpectedly halts redemptions, either temporarily or permanently, as a result of a market or other event that impacts the pool's ability to meet redemptions.
- Pool Declared in Default by Swap Counterparty: A CPO must notify NFA within the required time period once it is notified that a pool is in default to a swap counterparty if the CPO does not reasonably believe that the pool can cure the default within the previously agreed cure period, regardless of whether the pool is in negotiations with the swap counterparty to cure the default or whether the CPO disputes the default notice.
NFA has indicated that it will provide members with additional instructions regarding the form and manner of CPO adverse event reporting prior to June 30, 2021. Additionally, NFA has indicated that it will address the new compliance requirement during forthcoming educational programs.
B. Supervision of Outsourcing Regulatory Functions
Beginning on September 30, 2021, member CPOs and CTAs, among other categories of NFA members, must have adopted and implemented a written supervisory framework that addresses key outsourcing- related risks, including: (1) an initial risk assessment; (2) onboarding due diligence; (3) ongoing monitoring; (4) termination of the outsourcing relationship; and (5) recordkeeping, governing members' use of third-party service providers6 to fulfill their regulatory functions, pursuant to NFA rules, including NFA Compliance Rule 2-9 (Supervision). Rule 2-9(a) requires, among other things, member CPOs, CTAs and other NFA members to diligently supervise their employees and agents in the conduct of commodity interest activities for or on behalf of the member.7 NFA has recognized that members need flexibility to tailor supervisory frameworks to meet their specific circumstances and has issued Interpretive Notice 9079 to guide them as to the minimum requirements for such frameworks.8 In this regard, the written supervisory framework should address9:
- An Initial Risk Assessment: Prior to outsourcing a regulatory function10 to a third-party service provider, NFA members should consider the appropriateness of outsourcing such function and the attendant risks. An NFA member should not outsource a particular function unless it determines that the risks of doing so can be adequately managed. At a minimum, members' initial risk assessment should consider (A) information security risks (i.e., what sensitive information a third-party service provider may have access to and how that information can be protected), (B) regulatory risks (i.e., what are the impacts to the member, its customers or its counterparties if the third-party service provider fails to carry out the outsourced function), and (C) logistics (i.e., where the third-party service provider is located and whether it has the resources to meet its obligations to the member and provide it with access to records).
- Onboarding Due Diligence: Members' onboarding due diligence of third-party service providers should include an assessment of whether the provider is familiar with applicable NFA and CFTC rules. Additionally, where a third-party service provider will have access to sensitive information, members must conduct a heightened due diligence review of the provider's IT security (e.g., examination of data transmission and storage processes), financial stability (e.g., review of the provider's financials, audit/examination results, public filings and website and references), background of key employees, regulatory history (e.g., regulatory actions/lawsuits) and business continuity and disaster recovery plans, particularly regarding data availability and integrity. Members' relationship with third-party service providers should be documented in the form of a written contract that addresses the provider's use of subcontractors (if applicable) and contain, if possible, a requirement that the provider (A) comply with all applicable regulatory obligations, (B) immediately notify the member of any material failure to perform an outsourced regulatory function and (C) provide adequate notice of any termination of the outsourcing relationship and provide for adequate maintenance of member data upon and after termination.
- Ongoing Monitoring: Members must conduct ongoing monitoring of a third-party service provider to ensure that the provider is able to carry out the outsourced function and meet its contractual obligations. The ongoing review should be tailored in frequency and scope based on the criticality of, and risks associated with, the outsourced function and should involve an ongoing review of the outsourced function as well as a periodic, holistic review of the provider's business. Members' risk-based review should consider risks associated with becoming overly reliant on a particular third-party service provider and weigh the availability of alternatives such as competitor offerings and insourcing where applicable. Members should also consider the appropriate personnel to be involved in ongoing monitoring and have in place an escalation policy involving senior management or an internal committee. Risks related to contract renewals should be considered as part of members' ongoing monitoring obligations.
- Termination of the Outsourcing Relationship: In addition to the foregoing components of members' outsourcing supervisory framework, members should also make sure that third-party service providers to whom regulatory functions are outsourced no longer have access to sensitive information after the outsourcing contract is terminated.
- Recordkeeping: In order to demonstrate compliance, members that outsource regulatory functions to a third-party service provider must maintain records pursuant to NFA Compliance Rule 2-10 (Recordkeeping) and applicable CFTC requirements.11
Beginning in the third and fourth calendar quarters of 2021, NFA member CPOs and CTAs will be required to comply with these additional regulatory requirements which are intended to address certain market and operational risks. Affected firms should carefully review the relevant Interpretive Notices and, to the extent they have not done so already, develop and implement internal policies and procedures to ensure that they will be in compliance. In this regard, because many member CPOs and CTAs already have written supervisory frameworks governing their outsourcing of regulatory functions to third-party service providers, any necessary adjustments should likely be relatively minor.