Member Regulatory Workshop

February 27, 2019 | New York

Swap Dealer Regulatory Update

Agenda

• Update on SD Examinations
• Themes from Recent SD Examinations
• Upcoming SD Examinations

UPDATE ON SD EXAMINATIONS

Exam Approach

• Firm prioritization based on risk assessments of qualitative and quantitative factors such as:
  • Past exam experience
  • Self-reported matters
  • Market events
  • Regulatory events
  • Risk data
  • Swap valuation disputes

Exam Scope

Exam scope is tailored to each firm based on their individual risk profiles.


Update on Examinations

• Hybrid examination approach
• Engagement with foreign regulators on non-U.S. exams

THEMES FROM RECENT SD EXAMINATIONS

Rule Areas

Rule areas with more findings:
• Segregation - CFTC 23.701 - 23.704
• Reports to Swap Data Repositories - CFTC 23.204 - 23.205
• Business Conduct Standards - CFTC 23.401 - 23.451

Segregation

CFTC 23.701: Notification of right to segregation
• Provide notifications to counterparties of their right to segregate initial margin for uncleared swaps instead of posting such margin directly with the firm.

CFTC 23.704: Requirements for non-segregated margin
• Report to each counterparty that does not choose to require segregation on whether the firm’s back office procedures were not in compliance with the counterparty agreement.

Segregation - Findings

More frequently observed:
• Failure to send notice of right to segregate initial margin to counterparties
• Not sending quarterly reports on whether back office procedures of the SD are in compliance with agreements

Swap Data Reporting

CFTC 23.204 and 23.205: Off-facility transactions
• Report transactions real-time to SDR as soon as technologically practicable (ASATP)
• Report creation data ASATP but no later than the timeframe established for the asset class
• Report continuation data within established timeframes

Swap Data Reporting - Findings

More frequently observed:
• Failure to report trades or required data
• Inaccurate reporting
• Late reporting or not reporting ASATP
• Inadequate monitoring of errors and omissions

Business Conduct Standards

CFTC 23.402: General provisions
• Requires SD to design policies and procedures to obtain the essential facts of a counterparty and to monitor compliance with rules

CFTC 23.431: Disclosures of material information
• Requires SD to disclose material information concerning the swap to the counterparty
  • General disclosures, pre-trade mid-market mark, daily mark, etc.

Business Conduct Standards - Findings

More frequently observed:
• Failure to obtain documentation on essential facts of a counterparty
• Failure to provide adequate disclosures
  • General disclosures, pre-trade mid-market mark and daily mark

U.S. Persons

Non-U.S. Swap Dealers:
• For certain rules, must comply with CFTC regulations only when transacting with U.S. Persons, Guaranteed Affiliates and Conduit Affiliates
• Incorrect identification of a counterparty’s status prior to transacting has led to noncompliance with regulations
• Cross Border Representation Letter can be used to verify U.S. Person, Guaranteed Affiliate and Conduit Affiliate status of counterparty

Trader Incidents

CFTC 23.410: Prohibition on fraud, manipulation, and other abusive practices

• Unlawful for an SD to engage in any act, practice, or course of business that is fraudulent, deceptive, or manipulative


Trader Incidents (cont.)

CFTC 23.600: Risk management program for swap dealers
• SD shall establish and maintain a system to supervise, and shall diligently supervise, all activities relating to its business performed by its partners, members, officers, employees, and agents
• SD must establish means to detect unauthorized trading activities or any other violation of policies and procedures

Trader Incidents - Findings

Disclosure:
• NFA may request as a part of routine examination a list of trader incidents related to swap dealing activities
• Some firms have reported trader incidents in quarterly risk exposure reports and CCO annual reports
• Firms should self report trader incidents to NFA, especially those that lead to termination of employee
• Public news

Trader Incidents - Findings (cont.)

NFA’s review of trader incidents:
• Determine nature and extent of the incident
• Firm’s handling of incident
• Control failures
• Remediation

Trader Incidents - Findings (cont.)

Unauthorized internal trading:
• Trader books trades to another trader’s book to increase P&L
• Not detected over a period of time
• Small P&L impact per trade but large accumulation over time

Trader Incidents - Findings (cont.)

Means of detecting unauthorized internal trading activities include:

• P&L review
• Cancel and corrects

Trader Incidents - Findings (cont.)

Additional monitoring implemented post-incident of unauthorized trading:

• Online process to review and affirm inter-book trades
• Daily inter-book trade report with look-back 1 to multiple days
• Review of inter-book trades to confirm that trades are equal and offsetting

UPCOMING SD EXAMINATIONS

Exam Scope

Rule areas that may be in scope for the next 12 months include:
• Business conduct standards
• Margin
• Segregation
• Business continuity and disaster recovery
• Cybersecurity
• Risk management (new product approval, liquidity risk and settlement risk)

Contact NFA

Shuna Awong | 212-513-6057 or sawong@nfa.futures.org

Sudhir Jain | 212-513-6080 or sjain@nfa.futures.org

Tammy Wong | 212-513-6061 or twong@nfa.futures.org

Joe Zangri | 212-346-5632 or jzangri@nfa.futures.org

RECENT NFA UPDATES

NFA Swaps Proficiency Requirements

• Background
• Timing
• Content
• Rulemaking

Other Initiatives

ORS system enhancements to registration change process and enhanced system security
• Improved navigation
• Increased efficiency

BASIC system rebuild
• Enhanced search
• Improved navigation
• Updated look and feel

NFA Enforcement Activity

Complaints

• Focus on past misconduct
• Typically issued after a full investigation
• Intended to punish wrongdoing and impose remedial undertakings
• Issued by NFA’s Business Conduct Committee (BCC)

Complaints (cont.)

[Chart: complaints issued by year, 2014 to 2018]

Decisions

• Fines of up to $250,000 per violation
• Suspensions from NFA membership
• Expulsions from NFA membership
• Remedial measures

Decisions (cont.)

[Chart: decisions issued by year, 2014 to 2018]

Fines

[Chart: fines issued by year, 2014 to 2018]

Contact NFA

Cindy Cain Ioannacci | 312-781-1490 or ccain@nfa.futures.org

Cybersecurity Regulatory Update

Agenda

• Information Systems Security Program (ISSP) Interpretive Notice
• Filing a Cybersecurity Incident Notice
• Exam Observations and Cybersecurity Incidents
• Member Panel Discussion

ISSP Interpretive Notice

ISSP Interpretive Notice 9070
• Amendments effective April 1, 2019
• Key changes to the Interpretive Notice:
  • Updated employee training requirement
  • Updated ISSP approval requirement
  • New requirement to notify NFA of certain cybersecurity incidents

ISSP Interpretive Notice (cont.)

Cybersecurity Training
• Covered topics must be specified
• Must be conducted upon hiring and annually thereafter
• May be needed more frequently if circumstances warrant additional training

ISSP Interpretive Notice (cont.)

ISSP Approval
• Member’s CEO
• Senior-level officer of the Member with primary responsibility for the ISSP (CTO or CISO)
• Senior official who is a listed Principal and has authority to supervise the Member’s ISSP execution

Filing a Cybersecurity Incident Notice

A Cybersecurity Incident Notice must be filed when an incident related to commodity interest business:

• Results in a loss of customer or counterparty funds or Member’s capital or

• Results in the firm notifying customers or counterparties of the incident pursuant to U.S. state or federal law



Next Steps

Notice to Members
• Additional details on the Notice Filing System
• Updated resources
  • Frequently-asked questions
  • Self-Examination Questionnaire
  • Regulatory Requirements Guide

Examination Observations

Procedural Deficiencies
• ISSP not approved in writing
• Incomplete hardware and software inventory
• Internal and external threats not adequately identified
• Threats posed from third party vendors not addressed
• Lack of incident response and recovery plan

Examination Observations (cont.)

Training
• Not conducted timely
• Relevant personnel not included
• Applicable topics not included

ISSP Review
• Not reviewed annually or updated with lessons learned

Known Incidents

Incident Types
• Ransomware
• Fraudulent requests to transfer funds
• Unauthorized access to sensitive information

Some events have led to enforcement actions.

Incident Response

• Execute response and recovery plan
• Notify or engage counsel
• Consider hiring third party to investigate
• Notify regulators, customers and counterparties, if applicable
• Reach out to law enforcement
• Notify bank if funds are involved

Incident Response (cont.)

• Notify insurance company
• File Suspicious Activity Report (SAR) if appropriate
• Update ISSP to incorporate lessons learned

Contact NFA

Julio Reid | Cybersecurity Examination Manager
jreid@nfa.futures.org or 212-513-6056

Lou Berardocco | Senior Manager, Compliance
lberardocco@nfa.futures.org or 212-513-6030

Sudhir Jain | Director, OTC Derivatives
sjain@nfa.futures.org or 212-513-6080

Cybersecurity Panel Discussion

Dale Spoljaric, Managing Director, Compliance, NFA

David Pollok, General Counsel, Lighthouse Investment Partners LLC

Karl Schimmeck, Global Head of Vulnerability Management, Morgan Stanley

Compliance Regulatory Update

Agenda

• Trends from Recent Examinations
• Recent NFA Initiatives
• CPO Internal Controls

TRENDS FROM RECENT EXAMINATIONS

Examination Areas of Focus

• Cybersecurity
• CPO Internal Controls
• Pool Financial Reporting
• Net Capital
• Promotional Material
• Disclosure
• Registration

Common Examination Deficiencies

Net Capital
• Not maintaining current books and records
  • Monthly net capital computation
  • General ledger
• Improper classification of current vs. non-current assets
  • Secured receivables
  • Timely receipt (e.g. commissions received within 30 days)
• Liabilities not properly accrued

Common Examination Deficiencies (cont.)

Pool Financial Reporting
• Income statement not itemized for non-exempt pools
• Report included only individual information rather than information for the pool in its entirety
• Reports not distributed to participants prior to 30 day deadline
• Incomplete or missing oath/affirmation
• Liabilities not properly accrued

Common Examination Deficiencies (cont.)

CPO and CTA Financial Ratios
• Requirements
  • Report expenses and revenues for most recent 12 months
  • Report ratios for the CPO, not the pool
  • Use accrual accounting
  • Maintain supporting documentation

Common Examination Deficiencies (cont.)

Registration: Unlisted Principals
• Who needs to be listed?
  • Owners who own 10% or more of the registrant including individuals with an indirect ownership
  • Individuals with specific titles – directors, CCO, managing member
  • Individuals with a controlling influence

Common Examination Deficiencies (cont.)

Orders and Bunched Orders
• Requirements
  • Daily supervision of bunched order allocations
  • Quarterly review of bunched order allocations – CTAs must conduct a quarterly review of accounts to ensure that bunched orders are allocated in a non-preferential manner
  • Maintaining pre-trade communications

Other Common Deficiencies

Promotional Material
• Requirements
  • Balance discussion of opportunities for profits with risk of loss
  • Reasonable basis of fact for statements of opinion
  • Performance
    • Net of fees
    • Labeling

Other Common Deficiencies (cont.)

Disclosure Documents
• Requirements
  • Fee disclosure
  • Break-even analysis
  • Trading program description

Avoiding Common Deficiencies—Mind the Calendar

Potential Overdue Items
• Ethics training
• Self-examination checklist
• BC/DR testing; information systems security training; annual ISSP review
• Annual AML training; annual independent AML audit
• Annual branch office audits
• Financial statement filings

Liquidation Statement Reminders

Pool Liquidation Statements
• Permanent cessation of trading – what date to use?
• Date of liquidation statement
• Net asset value at zero
• Unaudited statement
  • When acceptable
  • Required footnote regarding unwinding of pool and redemption process

RECENT NFA INITIATIVES

NFA Initiatives

• Review of NFA Rulebook
• Upcoming reviews – 2-45, GIB/Branch Office Supervision and Promotional Material
• Swap AP proficiency requirements
• ORS and BASIC system enhancements
• Promotional Material Filing System

Contact NFA

Dawn Grossmith | Manager II, Compliance
dgrossmith@nfa.futures.org or 212-513-6012

Arthur Kenigstain | Manager, Compliance
akenigstain@nfa.futures.org or 212-513-6015

Jonathan Flanagan | Manager, Compliance
jflanagan@nfa.futures.org or 212-513-6033

CPO INTERNAL CONTROLS

Agenda

• Background
• Requirements outlined in the Interpretive Notice
• Key controls in identified risk areas
• Use of administrators
• NFA’s exam process relating to internal controls

Background

• Supervision at a CPO includes developing a framework that safeguards pool participant funds by protecting against mishandling and fraudulent activity by employees, management and third parties

• Effective internal controls minimize opportunities for mishandling and fraud


Background (cont.)

• Created with the input of Member CPOs, the CPO Advisory Committee and CPO representatives on NFA's Board

• Obtained feedback from industry groups
• Approved by NFA's Board in November 2018
• Submitted to the CFTC in December 2018

Effective April 1, 2019

Internal Controls Interpretive Notice

CPO Internal Control System
• Requires CPO Members to implement internal controls framework
• Framework must be reasonably designed according to size and complexity of the firm’s operations

Internal Controls Interpretive Notice (cont.)

Policies and Procedures
• Written policies and procedures reasonably designed to ensure CPO’s operations are in compliance with NFA Rules and CFTC Regulations
• Must include:
  • Written procedures that fully explain the CPO’s internal controls framework
  • Escalation policies relating to improper override of controls

Internal Controls Interpretive Notice (cont.)

CPO Risk Assessment
• Identify the most critical risks that arise
• Periodically perform the assessment again to account for new risks that may arise

Internal Controls Interpretive Notice (cont.)

Internal Controls
• Design and implement controls to address identified risks
• Monitor effectiveness of controls
• Adjust controls as necessary

Key Controls – Separation of Duties

No single employee is in a position to carry out and conceal errors or fraud or to have control over any two phases of a transaction or operation

• Initiating
• Approving
• Recording
• Reconciling

Key Controls – Separation of Duties (cont.)

• Duties assigned to different employees to allow for cross-checking of work performed in material areas

• Use automated controls to assist with separation of duties

• Functions relating to custody are separate from financial reporting functions


Key Controls – Risk areas

Internal controls frameworks must address three risk areas:

• Pool subscriptions, redemptions and transfers
• Risk management and investment and valuation of pool funds
• Use of administrators

Key Controls

• Review and approve general ledger and subsidiary ledger entries
• For automated recording of transactions, review and approve system mappings and changes
• Reconcile transactions between the pool's general ledger, banks and other depositories (e.g. carrying brokers, prime brokers)
• Approve new depository accounts; includes verifying that assets are held in accounts properly titled with the pool's name and are not commingled with the assets of any other person

Key Controls – Subscriptions, Redemptions, Transfers

Authorization of redemptions includes verifying:
• Request made by customer
• Funds are available
• NAV was properly calculated
• Proper amount is released to the account owner

Key Controls – Subscriptions, Redemptions, Transfers (cont.)

Authorization of transfer/disbursement includes verifying:
• Transaction does not violate NFA Compliance Rule 2-45 (prohibition on loans)
• Disbursement is allowable pursuant to the pool's DD/OM

Key Controls – Risk Management

Due diligence on counterparties and depositories:
• Initial and ongoing due diligence
• Reputation
• Trading strategy
• Past performance
• Any regulatory actions

Key Controls – Risk Management (cont.)

Ongoing monitoring
• Market risk
• Concentration risk
• Counterparty credit risk

Key Controls – Risk Management (cont.)

Ongoing monitoring of pool liquidity; consider:
• Risk of reduction in funding by lending counterparties including changes in margins and timing of variation margin calls
• Terms of participant redemption rights
• Changes in market liquidity conditions
• Conduct stress tests to determine the impact of volatility and market stress on pool liquidity

Key Controls – Investments and Valuation

• Authorization of investment includes verifying the investment is consistent with the pool's strategy

• Verify that the investment is valued in accordance with the CPO's valuation policy


Key Controls – Use of Administrators

Initial due diligence of administrator, consider:
• Reputation
• Industry expertise; tax expertise
• Timeliness of work
• Responsiveness/customer service
• Accuracy
• Cybersecurity

Key Controls – Use of Administrators (cont.)

• Evidence of test of controls and security measures
• Maintain shadow books and reconcile with administrator
• Or, if no shadow books, reconcile transactions with banks and other third party depositories and compare to administrator

Internal Controls and NFA Exams

Questionnaires
• Used to obtain the firm’s description of its controls
• Provide prior to fieldwork
• See workshop materials for questionnaire

Internal Controls and NFA Exams (cont.)

Components of an effectively designed control
• Competency and authority of personnel performing the controls
• Correlation of the control to the identified risk
• Consistent performance of the control
• Criteria for investigation or follow-up

Internal Controls and NFA Exams (cont.)

Walkthroughs
• Inquiry of the person performing the control
• Observation of the control in action
• Inspection of documents

Contact NFA

Patricia Cushing | Director, Compliance
pcushing@nfa.futures.org or 312-781-1403

Ryan Ahlfeld | Manager II, Compliance
rahlfeld@nfa.futures.org or 312-781-1591
