Ask the NFA

Written by NIBA

As your industry advocate, the NIBA provides many services that help your business stay in compliance with NFA regulations. "Ask the NFA" is how you can ask questions about those regulations and compliance requirements without having to call NFA directly.

Just email us at nfacomments@theniba.com and we will get the answers for you. Please keep in mind the purpose of this contact is to keep the lines of communication between NFA and NIBA members open, not to fix any specific individual concerns.

This month's questions were selected from those submitted by NIBA members. The answers were supplied by NFA staff.

I am a registered Associated Person for an Introducing Broker. We provide broker assisted execution services to our customers. Of my responsibilities, one is to enter customer orders into any number of the electronic trade execution platforms our firm uses. I have my own unique log-in credentials for each of the electronic trade execution platforms we use. I will be taking an extended vacation next month. May I share my log-on credentials with a co-worker, also an AP at the IB I work at, to service my customer accounts while I’m out of the office? What are the NFA rules or CFTC regulations that govern the use and sharing of platform user I.D.’s and passwords?

Member firms should not permit the APs involved to share passwords or log-in credentials. CFTC and NFA customer order recordkeeping requirements are grounded in the principles of robust internal controls, auditability and transparency. An AP using the log-in credentials of another AP to place customer orders signals a weak internal control environment at the Introducing Broker, possibly resulting in violations of NFA Compliance Rule 2-9.

Password sharing generally is a very serious system security issue. These types of employee behaviors expose a firm to a number of cybersecurity and data protection risks.

NFA recommends that the Introducing Broker configure the “covering” AP’s electronic trade execution platform access to allow for the placement of orders for the vacationing AP’s customers. Doing so will ensure accurate customer order records, dependable audit trails, and preserve the integrity of each AP’s log-in credentials. If the Introducing Broker’s security protocol permits, the “covering” AP’s platform access to the vacationing AP’s customer accounts should be disabled. 

I’m a newly registered CTA that offers different trading programs to my clients. What is the technical definition of a "trading program?" Do I have disclosure requirements for each separate program? 

CFTC Regulation 4.10(g) provides the technical definition of a “trading program” and states:

“Trading Program refers to the program pursuant to which a person (1) directs a client’s commodity interest account, or (2) guides the client’s commodity interest trading by means of a systematic program that recommends specific transactions.”

It is important for each CTA to understand what constitutes a “trading program,” as there are disclosure and recordkeeping requirements for each “trading program” offered. For example, for each program a CTA offers there is a disclosure document delivery requirement (CFTC Regulation 4.31 and 4.34), a recordkeeping requirement (CFTC Regulation 4.33) and performance disclosure requirement (CFTC Regulation 4.35), among all the other CTA rules and regulations. 

Recently, NFA staff has indicated it will work closely with the industry to ensure that cyber security programs required by the new Interpretive Notice are implemented practically, effectively and in accordance with generally accepted cyber security best practices. Further, I’ve heard that NFA does not intend to use the new cyber security Interpretive Notice as an enforcement tool – at least initially. Is this true?

Yes. In creating the new Interpretive Notice, NFA sought to establish minimum information system security program requirements whereby Members take necessary steps to protect the industry’s data and electronic systems. 

The CFTC recently approved NFA's Interpretive Notice and it will become effective on March 1, 2016. The Interpretive Notice applies to all membership categories--futures commission merchants, swap dealers, major swap participants, introducing brokers, forex dealer members, commodity pool operators and commodity trading advisors. A copy of the Interpretive Notice can be found here.

The Interpretive Notice adopts a principles-based risk approach to allow Member firms some degree of flexibility in determining what constitutes "diligent supervision," given the differences in Members' size and complexity of operations, the make-up of customers and counterparties serviced by Members, and the extent of Members' interconnectedness. NFA recognizes that a one-size-fits-all approach will not work for the application of these requirements. However, the Interpretive Notice does require each Member to adopt and enforce an information systems security program appropriate to its circumstances.

NFA recognizes that some Members will already have information systems security procedures while others will need to devote a significant amount of time and resources to meet their obligations. Therefore, NFA believes that it may need to provide additional, more detailed guidance to Members including smaller IBs, CPOs and CTAs so that these firms may satisfy their obligations pursuant to the Interpretive Notice. Given that this framework is a significant new requirement for Members, NFA intends to develop an incremental, risk-based examination approach regarding the Interpretive Notice’s requirements and we will initially work with the Member firms to assist them in developing their procedures.