Member Regulatory Workshop, February 25, 2019 | Chicago
Cybersecurity Regulatory Update
Agenda
• Information Systems Security Program (ISSP) Interpretive Notice
• Filing a Cybersecurity Incident Notice
• Exam Observations and Cybersecurity Incidents
• Member Panel Discussion
ISSP Interpretive Notice
ISSP Interpretive Notice 9070
• Amendments effective April 1, 2019
• Key changes to the Interpretive Notice:
  • Updated employee training requirement
  • Updated ISSP approval requirement
  • New requirement to notify NFA of certain cybersecurity incidents
ISSP Interpretive Notice (cont.)
Cybersecurity Training
• Covered topics must be specified
• Must be conducted upon hiring and annually thereafter
• May be needed more frequently if circumstances warrant additional training
ISSP Interpretive Notice (cont.)
ISSP Approval
• Member’s CEO
• Senior-level officer of the Member with primary responsibility for the ISSP (CTO or CISO)
• Senior official who is a listed Principal and has authority to supervise the Member’s ISSP execution
Filing a Cybersecurity Incident Notice
A Cybersecurity Incident Notice must be filed when an incident related to commodity interest business:
• Results in a loss of customer or counterparty funds or Member’s capital or
• Results in the firm notifying customers or counterparties of the incident pursuant to U.S. state or federal law
Filing a Cybersecurity Incident Notice (cont.)
Next Steps
Notice to Members
• Additional details on the Notice Filing System
• Updated resources
  • Frequently-asked questions
  • Self-Examination Questionnaire
  • Regulatory Requirements Guide
Examination Observations
Procedural Deficiencies
• ISSP not approved in writing
• Incomplete hardware and software inventory
• Internal and external threats not adequately identified
• Threats posed from third party vendors not addressed
• Lack of incident response and recovery plan
Examination Observations (cont.)
Training
• Not conducted timely
• Relevant personnel not included
• Applicable topics not included
ISSP Review
• Not reviewed annually or updated with lessons learned
Known Incidents
Incident Types
• Ransomware
• Fraudulent requests to transfer funds
• Unauthorized access to sensitive information
Some events have led to enforcement actions.
Incident Response
• Execute response and recovery plan
• Notify or engage counsel
• Consider hiring third party to investigate
• Notify regulators, customers and counterparties, if applicable
• Reach out to law enforcement
• Notify bank if funds are involved
Incident Response (cont.)
• Notify insurance company
• File Suspicious Activity Report (SAR) if appropriate
• Update ISSP to incorporate lessons learned
Contact NFA
Julio Reid | Cybersecurity Examination [email protected] | 212-513-6056
Valerie O’Malley | Director, [email protected] | 312-781-1290
Cybersecurity Panel Discussion
Dale Spoljaric, Managing Director, Compliance, NFA
Michael Burke, Chief Executive Officer, HighGround Trading LLC
Jordan von Kluck, Chief Technology Officer, Tastyworks Inc.
Compliance Regulatory Update
Agenda
• Trends from Recent Examinations
• Recent NFA Initiatives
• CPO Internal Controls
TRENDS FROM RECENT EXAMINATIONS
Examination Areas of Focus
• Cybersecurity
• CPO Internal Controls
• Pool Financial Reporting
• Net Capital
• Promotional Material
• Disclosure
• Registration
Common Examination Deficiencies
Net Capital
• Not maintaining current books and records
  • Monthly net capital computation
  • General ledger
• Improper classification of current vs. non-current assets
  • Secured receivables
  • Timely receipt (e.g. commissions received within 30 days)
• Liabilities not properly accrued
Common Examination Deficiencies (cont.)
Pool Financial Reporting
• Income statement not itemized for non-exempt pools
• Report included only individual information rather than information for the pool in its entirety
• Reports not distributed to participants prior to 30 day deadline
• Incomplete or missing oath/affirmation
• Liabilities not properly accrued
Common Examination Deficiencies (cont.)
CPO and CTA Financial Ratios
• Requirements
  • Report expenses and revenues for most recent 12 months
  • Report ratios for the CPO, not the pool
  • Use accrual accounting
  • Maintain supporting documentation
Common Examination Deficiencies (cont.)
Registration: Unlisted Principals
• Who needs to be listed?
  • Owners who own 10% or more of the registrant, including individuals with an indirect ownership
  • Individuals with specific titles – directors, CCO, managing member
  • Individuals with a controlling influence
Common Examination Deficiencies (cont.)
Orders and Bunched Orders
• Requirements
  • Daily supervision of bunched order allocations
  • Quarterly review of bunched order allocations – CTAs must conduct a quarterly review of accounts to ensure that bunched orders are allocated in a non-preferential manner
  • Maintaining pre-trade communications
Other Common Deficiencies
Promotional Material
• Requirements
  • Balance discussion of opportunities for profits with risk of loss
  • Reasonable basis of fact for statements of opinion
  • Performance
    • Net of fees
    • Labeling
Other Common Deficiencies (cont.)
Disclosure Documents
• Requirements
  • Fee disclosure
  • Break-even analysis
  • Trading program description
Avoiding Common Deficiencies—Mind the Calendar
Potential Overdue Items
• Ethics training
• Self-examination checklist
• BC/DR testing; information systems security training; annual ISSP review
• Annual AML training; annual independent AML audit
• Annual branch office audits
• Financial statement filings
Liquidation Statement Reminders
Pool Liquidation Statements
• Permanent cessation of trading – what date to use?
• Date of liquidation statement
• Net asset value at zero
• Unaudited statement
  • When acceptable
  • Required footnote regarding unwinding of pool and redemption process
RECENT NFA INITIATIVES
NFA Initiatives
• Review of NFA Rulebook
• Upcoming reviews – 2-45, GIB/Branch Office Supervision and Promotional Material
• Swap AP proficiency requirements
• ORS and BASIC system enhancements
• Promotional Material Filing System
Contact NFA
Jennifer Sunu | Director, [email protected] | 312-781-1402
Maria McHenry | Associate Director, [email protected] | 312-781-1420
Kolade Agbaje-Williams | Manager, [email protected] | 312-781-1484
Kevin Justus | Manager, [email protected] | 312-781-1496
CPO INTERNAL CONTROLS
Agenda
• Background
• Requirements outlined in the Interpretive Notice
• Key controls in identified risk areas
• Use of administrators
• NFA’s exam process relating to internal controls
Background
• Supervision at a CPO includes developing a framework that safeguards pool participant funds by protecting against mishandling and fraudulent activity by employees, management and third parties
• Effective internal controls minimize opportunities for mishandling and fraud
Background (cont.)
• Created with the input of Member CPOs, the CPO Advisory Committee and CPO representatives on NFA's Board
• Obtained feedback from industry groups
• Approved by NFA's Board in November 2018
• Submitted to the CFTC in December 2018
• Effective April 1, 2019
Internal Controls Interpretive Notice
CPO Internal Control System
• Requires CPO Members to implement internal controls framework
• Framework must be reasonably designed according to size and complexity of the firm’s operations
Internal Controls Interpretive Notice (cont.)
Policies and Procedures
• Written policies and procedures reasonably designed to ensure CPO’s operations are in compliance with NFA Rules and CFTC Regulations
• Must include:
  • Written procedures that fully explain the CPO’s internal controls framework
  • Escalation policies relating to improper override of controls
Internal Controls Interpretive Notice (cont.)
CPO Risk Assessment
• Identify the most critical risks that arise
• Periodically perform the assessment again to account for new risks that may arise
Internal Controls Interpretive Notice (cont.)
Internal Controls
• Design and implement controls to address identified risks
• Monitor effectiveness of controls
• Adjust controls as necessary
Key Controls – Separation of Duties
No single employee is in a position to carry out and conceal errors or fraud or to have control over any two phases of a transaction or operation
• Initiating
• Approving
• Recording
• Reconciling
Key Controls – Separation of Duties (cont.)
• Duties assigned to different employees to allow for cross-checking of work performed in material areas
• Use automated controls to assist with separation of duties
• Functions relating to custody are separate from financial reporting functions
Key Controls – Risk areas
Internal controls frameworks must address three risk areas:
• Pool subscriptions, redemptions and transfers
• Risk management and investment and valuation of pool funds
• Use of administrators
Key Controls
• Review and approve general ledger and subsidiary ledger entries
• For automated recording of transactions, review and approve system mappings and changes
• Reconcile transactions between the pool's general ledger, banks and other depositories (e.g. carrying brokers, prime brokers)
• Approve new depository accounts; includes verifying that assets are held in accounts properly titled with the pool's name and are not commingled with the assets of any other person
Key Controls – Subscriptions, Redemptions, Transfers
Authorization of redemptions includes verifying:
• Request made by customer
• Funds are available
• NAV was properly calculated
• Proper amount is released to the account owner
Key Controls – Subscriptions, Redemptions, Transfers (cont.)
Authorization of transfer/disbursement includes verifying:
• Transaction does not violate NFA Compliance Rule 2-45 (prohibition on loans)
• Disbursement is allowable pursuant to the pool's DD/OM
Key Controls – Risk Management
Due diligence on counterparties and depositories:
• Initial and ongoing due diligence
• Reputation
• Trading strategy
• Past performance
• Any regulatory actions
Key Controls – Risk Management (cont.)
Ongoing monitoring
• Market risk
• Concentration risk
• Counterparty credit risk
Key Controls – Risk Management (cont.)
Ongoing monitoring of pool liquidity; consider:
• Risk of reduction in funding by lending counterparties, including changes in margins and timing of variation margin calls
• Terms of participant redemption rights
• Changes in market liquidity conditions
• Conduct stress tests to determine the impact of volatility and market stress on pool liquidity
Key Controls – Investments and Valuation
• Authorization of investment includes verifying the investment is consistent with the pool's strategy
• Verify that the investment is valued in accordance with the CPO's valuation policy
Key Controls – Use of Administrators
Initial due diligence of administrator; consider:
• Reputation
• Industry expertise; tax expertise
• Timeliness of work
• Responsiveness/customer service
• Accuracy
• Cybersecurity
Key Controls – Use of Administrators (cont.)
• Evidence of test of controls and security measures
• Maintain shadow books and reconcile with administrator
• Or, if no shadow books, reconcile transactions with banks and other third party depositories and compare to administrator
Internal Controls and NFA Exams
Questionnaires
• Used to obtain the firm’s description of its controls
• Provide prior to fieldwork
• See workshop materials for questionnaire
Internal Controls and NFA Exams (cont.)
Components of an effectively designed control
• Competency and authority of personnel performing the controls
• Correlation of the control to the identified risk
• Consistent performance of the control
• Criteria for investigation or follow-up
Internal Controls and NFA Exams (cont.)
Walkthroughs
• Inquiry of the person performing the control
• Observation of the control in action
• Inspection of documents
Contact NFA
Patricia Cushing | Director, [email protected] or 312-781-1403
Ryan Ahlfeld | Manager II, [email protected] or 312-781-1591