Member Regulatory Workshop February 25, 2019 | Chicago


Page 1

Member Regulatory Workshop
February 25, 2019 | Chicago

Page 2

Cybersecurity Regulatory Update

Page 3

Agenda

• Information Systems Security Program (ISSP) Interpretive Notice
• Filing a Cybersecurity Incident Notice
• Exam Observations and Cybersecurity Incidents
• Member Panel Discussion

Page 4

ISSP Interpretive Notice

ISSP Interpretive Notice 9070
• Amendments effective April 1, 2019
• Key changes to the Interpretive Notice:
  • Updated employee training requirement
  • Updated ISSP approval requirement
  • New requirement to notify NFA of certain cybersecurity incidents

Page 5

ISSP Interpretive Notice (cont.)

Cybersecurity Training
• Covered topics must be specified
• Must be conducted upon hiring and annually thereafter
• May be needed more frequently if circumstances warrant additional training

Page 6

ISSP Interpretive Notice (cont.)

ISSP Approval
• Member’s CEO
• Senior-level officer of the Member with primary responsibility for the ISSP (CTO or CISO)
• Senior official who is a listed Principal and has authority to supervise the Member’s ISSP execution

Page 7

Filing a Cybersecurity Incident Notice

A Cybersecurity Incident Notice must be filed when an incident related to commodity interest business:
• Results in a loss of customer or counterparty funds or Member’s capital, or
• Results in the firm notifying customers or counterparties of the incident pursuant to U.S. state or federal law

Pages 8 to 14

Filing a Cybersecurity Incident Notice (cont.)

Page 15

Next Steps

Notice to Members
• Additional details on the Notice Filing System
• Updated resources
  • Frequently-asked questions
  • Self-Examination Questionnaire
  • Regulatory Requirements Guide

Page 16

Examination Observations

Procedural Deficiencies
• ISSP not approved in writing
• Incomplete hardware and software inventory
• Internal and external threats not adequately identified
• Threats posed by third-party vendors not addressed
• Lack of incident response and recovery plan

Page 17

Examination Observations (cont.)

Training
• Not conducted in a timely manner
• Relevant personnel not included
• Applicable topics not included

ISSP Review
• Not reviewed annually or updated with lessons learned

Page 18

Known Incidents

Incident Types
• Ransomware
• Fraudulent requests to transfer funds
• Unauthorized access to sensitive information

Some events have led to enforcement actions.

Page 19

Incident Response

• Execute response and recovery plan
• Notify or engage counsel
• Consider hiring a third party to investigate
• Notify regulators, customers and counterparties, if applicable
• Reach out to law enforcement
• Notify bank if funds are involved

Page 20

Incident Response (cont.)

• Notify insurance company
• File a Suspicious Activity Report (SAR) if appropriate
• Update ISSP to incorporate lessons learned

Page 21

Contact NFA

Julio Reid | Cybersecurity Examination [email protected] | 212-513-6056
Valerie O’Malley | Director, [email protected] | 312-781-1290

Page 22

Cybersecurity Panel Discussion

Dale Spoljaric, Managing Director, Compliance, NFA
Michael Burke, Chief Executive Officer, HighGround Trading LLC
Jordan von Kluck, Chief Technology Officer, Tastyworks Inc.

Page 23

Compliance Regulatory Update

Page 24

Agenda

• Trends from Recent Examinations
• Recent NFA Initiatives
• CPO Internal Controls

Page 25

TRENDS FROM RECENT EXAMINATIONS

Page 26

Examination Areas of Focus

• Cybersecurity
• CPO Internal Controls
• Pool Financial Reporting
• Net Capital
• Promotional Material
• Disclosure
• Registration

Page 27

Common Examination Deficiencies

Net Capital
• Not maintaining current books and records
  • Monthly net capital computation
  • General ledger
• Improper classification of current vs. non-current assets
  • Secured receivables
  • Timely receipt (e.g. commissions received within 30 days)
• Liabilities not properly accrued

Page 28

Common Examination Deficiencies (cont.)

Pool Financial Reporting
• Income statement not itemized for non-exempt pools
• Report included only individual information rather than information for the pool in its entirety
• Reports not distributed to participants prior to 30-day deadline
• Incomplete or missing oath/affirmation
• Liabilities not properly accrued

Page 29

Common Examination Deficiencies (cont.)

CPO and CTA Financial Ratios
• Requirements
  • Report expenses and revenues for most recent 12 months
  • Report ratios for the CPO, not the pool
  • Use accrual accounting
  • Maintain supporting documentation

Page 30

Common Examination Deficiencies (cont.)

Registration: Unlisted Principals
• Who needs to be listed?
  • Owners who own 10% or more of the registrant, including individuals with an indirect ownership
  • Individuals with specific titles – directors, CCO, managing member
  • Individuals with a controlling influence

Page 31

Common Examination Deficiencies (cont.)

Orders and Bunched Orders
• Requirements
  • Daily supervision of bunched order allocations
  • Quarterly review of bunched order allocations – CTAs must conduct a quarterly review of accounts to ensure that bunched orders are allocated in a non-preferential manner
  • Maintaining pre-trade communications

Page 32

Other Common Deficiencies

Promotional Material
• Requirements
  • Balance discussion of opportunities for profits with risk of loss
  • Reasonable basis of fact for statements of opinion
  • Performance
    • Net of fees
    • Labeling

Page 33

Other Common Deficiencies (cont.)

Disclosure Documents
• Requirements
  • Fee disclosure
  • Break-even analysis
  • Trading program description

Page 34

Avoiding Common Deficiencies—Mind the Calendar

Potential Overdue Items
• Ethics training
• Self-examination checklist
• BC/DR testing; information systems security training; annual ISSP review
• Annual AML training; annual independent AML audit
• Annual branch office audits
• Financial statement filings

Page 35

Liquidation Statement Reminders

Pool Liquidation Statements
• Permanent cessation of trading – what date to use?
• Date of liquidation statement
• Net asset value at zero
• Unaudited statement
  • When acceptable
  • Required footnote regarding unwinding of pool and redemption process

Page 36

RECENT NFA INITIATIVES

Page 37

NFA Initiatives

• Review of NFA Rulebook
• Upcoming reviews – 2-45, GIB/Branch Office Supervision and Promotional Material
• Swap AP proficiency requirements
• ORS and BASIC system enhancements
• Promotional Material Filing System

Page 38

Contact NFA

Jennifer Sunu | Director, [email protected] | 312-781-1402
Maria McHenry | Associate Director, [email protected] | 312-781-1420
Kolade Agbaje-Williams | Manager, [email protected] | 312-781-1484
Kevin Justus | Manager, [email protected] | 312-781-1496

Page 39

CPO INTERNAL CONTROLS

Page 40

Agenda

• Background
• Requirements outlined in the Interpretive Notice
• Key controls in identified risk areas
• Use of administrators
• NFA’s exam process relating to internal controls

Page 41

Background

• Supervision at a CPO includes developing a framework that safeguards pool participant funds by protecting against mishandling and fraudulent activity by employees, management and third parties
• Effective internal controls minimize opportunities for mishandling and fraud

Page 42

Background (cont.)

• Created with the input of Member CPOs, the CPO Advisory Committee and CPO representatives on NFA's Board
• Obtained feedback from industry groups
• Approved by NFA's Board in November 2018
• Submitted to the CFTC in December 2018

Effective April 1, 2019

Page 43

Internal Controls Interpretive Notice

CPO Internal Control System
• Requires CPO Members to implement an internal controls framework
• Framework must be reasonably designed according to the size and complexity of the firm’s operations

Page 44

Internal Controls Interpretive Notice (cont.)

Policies and Procedures
• Written policies and procedures reasonably designed to ensure the CPO’s operations are in compliance with NFA Rules and CFTC Regulations
• Must include:
  • Written procedures that fully explain the CPO’s internal controls framework
  • Escalation policies relating to improper override of controls

Page 45

Internal Controls Interpretive Notice (cont.)

CPO Risk Assessment
• Identify the most critical risks that arise
• Periodically perform the assessment again to account for new risks that may arise

Page 46

Internal Controls Interpretive Notice (cont.)

Internal Controls
• Design and implement controls to address identified risks
• Monitor effectiveness of controls
• Adjust controls as necessary

Page 47

Key Controls – Separation of Duties

No single employee is in a position to carry out and conceal errors or fraud, or to have control over any two phases of a transaction or operation:
• Initiating
• Approving
• Recording
• Reconciling

Page 48

Key Controls – Separation of Duties (cont.)

• Duties assigned to different employees to allow for cross-checking of work performed in material areas
• Use automated controls to assist with separation of duties
• Functions relating to custody are separate from financial reporting functions
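As an added illustration of the automated control this slide recommends (example code, not NFA's or any Member's own), the following Python check applies the rule from the two separation-of-duties slides to a constructed set of transaction assignments: four named phases, no employee on two of them, and custody staff kept out of financial reporting phases. The employee names, transaction ids, and the treatment of recording and reconciling as the financial reporting phases are assumptions made for the example.

```python
"""Automated separation-of-duties check over transaction phase assignments.

Constructed example. It models the rule on the slides: no single employee may
control any two of the four phases of a transaction (initiating, approving,
recording, reconciling), and custody functions stay separate from financial
reporting functions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# The four transaction phases named on the slide, in order.
PHASES = ("initiating", "approving", "recording", "reconciling")

# Assumption for this example: recording and reconciling are the financial
# reporting phases that custody staff must not perform.
FINANCIAL_REPORTING_PHASES = frozenset({"recording", "reconciling"})


def check_transaction(tx_id: str, assignments: Dict[str, str]) -> List[str]:
    """Return SoD findings for one transaction.

    `assignments` maps each phase to the employee who performed it.
    """
    findings: List[str] = []
    # Every phase must be assigned; an unassigned phase cannot be evidenced.
    for phase in PHASES:
        if not assignments.get(phase):
            findings.append(f"{tx_id}: phase '{phase}' has no assigned employee")
    # Group the phases by employee and flag anyone holding two or more.
    by_employee: Dict[str, List[str]] = defaultdict(list)
    for phase in PHASES:
        employee = assignments.get(phase)
        if employee:
            by_employee[employee].append(phase)
    for employee, phases in sorted(by_employee.items()):
        if len(phases) >= 2:
            findings.append(
                f"{tx_id}: {employee} controls {len(phases)} phases ({', '.join(phases)})"
            )
    return findings


def check_custody_separation(
    tx_id: str, assignments: Dict[str, str], custody_staff: Iterable[str]
) -> List[str]:
    """Flag custody staff who also perform a financial reporting phase."""
    custody = set(custody_staff)
    findings: List[str] = []
    for phase in sorted(FINANCIAL_REPORTING_PHASES):
        employee = assignments.get(phase)
        if employee and employee in custody:
            findings.append(f"{tx_id}: custody staff member {employee} also performs {phase}")
    return findings


def run_checks(transactions: Dict[str, Dict[str, str]], custody_staff: Iterable[str]) -> List[str]:
    """Run both checks over every transaction and return all findings."""
    custody = set(custody_staff)
    findings: List[str] = []
    for tx_id, assignments in transactions.items():
        findings.extend(check_transaction(tx_id, assignments))
        findings.extend(check_custody_separation(tx_id, assignments, custody))
    return findings


# Constructed sample data: one clean redemption, one where two employees each
# hold two phases, and one with the reconciling phase never assigned.
SAMPLE_TRANSACTIONS = {
    "RED-001": {"initiating": "alice", "approving": "bob", "recording": "carol", "reconciling": "dave"},
    "RED-002": {"initiating": "alice", "approving": "alice", "recording": "carol", "reconciling": "carol"},
    "RED-003": {"initiating": "erin", "approving": "bob", "recording": "carol"},
}
SAMPLE_CUSTODY_STAFF = {"dave"}  # dave has custody duties and also reconciles RED-001

if __name__ == "__main__":
    for line in run_checks(SAMPLE_TRANSACTIONS, SAMPLE_CUSTODY_STAFF):
        print(line)
```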

Page 49

Key Controls – Risk Areas

Internal controls frameworks must address three risk areas:
• Pool subscriptions, redemptions and transfers
• Risk management and investment and valuation of pool funds
• Use of administrators

Page 50

Key Controls

• Review and approve general ledger and subsidiary ledger entries
• For automated recording of transactions, review and approve system mappings and changes
• Reconcile transactions between the pool's general ledger, banks and other depositories (e.g. carrying brokers, prime brokers)
• Approve new depository accounts; includes verifying that assets are held in accounts properly titled with the pool's name and are not commingled with the assets of any other person

Page 51

Key Controls – Subscriptions, Redemptions, Transfers

Authorization of redemptions includes verifying:
• Request made by customer
• Funds are available
• NAV was properly calculated
• Proper amount is released to the account owner

Page 52

Key Controls – Subscriptions, Redemptions, Transfers (cont.)

Authorization of transfer/disbursement includes verifying:
• Transaction does not violate NFA Compliance Rule 2-45 (prohibition on loans)
• Disbursement is allowable pursuant to the pool's DD/OM

Page 53

Key Controls – Risk Management

Due diligence on counterparties and depositories:
• Initial and ongoing due diligence
• Reputation
• Trading strategy
• Past performance
• Any regulatory actions

Page 54

Key Controls – Risk Management (cont.)

Ongoing monitoring
• Market risk
• Concentration risk
• Counterparty credit risk

Page 55

Key Controls – Risk Management (cont.)

Ongoing monitoring of pool liquidity; consider:
• Risk of reduction in funding by lending counterparties, including changes in margins and timing of variation margin calls
• Terms of participant redemption rights
• Changes in market liquidity conditions
• Conduct stress tests to determine the impact of volatility and market stress on pool liquidity

Page 56

Key Controls – Investments and Valuation

• Authorization of investment includes verifying the investment is consistent with the pool's strategy
• Verify that the investment is valued in accordance with the CPO's valuation policy

Page 57

Key Controls – Use of Administrators

Initial due diligence of administrator; consider:
• Reputation
• Industry expertise; tax expertise
• Timeliness of work
• Responsiveness/customer service
• Accuracy
• Cybersecurity

Page 58

Key Controls – Use of Administrators (cont.)

• Evidence of test of controls and security measures
• Maintain shadow books and reconcile with administrator
• Or, if no shadow books, reconcile transactions with banks and other third-party depositories and compare to administrator

Page 59

Internal Controls and NFA Exams

Questionnaires
• Used to obtain the firm’s description of its controls
• Provided prior to fieldwork
• See workshop materials for questionnaire

Page 60

Internal Controls and NFA Exams (cont.)

Components of an effectively designed control
• Competency and authority of personnel performing the controls
• Correlation of the control to the identified risk
• Consistent performance of the control
• Criteria for investigation or follow-up

Page 61

Internal Controls and NFA Exams (cont.)

Walkthroughs
• Inquiry of the person performing the control
• Observation of the control in action
• Inspection of documents

Page 62

Contact NFA

Patricia Cushing | Director, [email protected] or 312-781-1403
Ryan Ahlfeld | Manager II, [email protected] or 312-781-1591