Member Regulatory Workshop
February 27, 2019 | New York
Swap Dealer Regulatory Update
Agenda
• Update on SD Examinations
• Themes from Recent SD Examinations
• Upcoming SD Examinations
UPDATE ON SD EXAMINATIONS
Exam Approach
• Firm prioritization based on risk assessments of qualitative and quantitative factors such as:
  • Past exam experience
  • Self-reported matters
  • Market events
  • Regulatory events
  • Risk data
  • Swap valuation disputes
Exam Scope
Exam scope is tailored to each firm based on its individual risk profile.
Update on Examinations
• Hybrid examination approach
• Engagement with foreign regulators on non-U.S. exams
THEMES FROM RECENT SD EXAMINATIONS
Rule Areas
Rule areas with more findings:
• Segregation - CFTC 23.701 - 23.704
• Reports to Swap Data Repositories - CFTC 23.204 - 23.205
• Business Conduct Standards - CFTC 23.401 - 23.451
Segregation
CFTC 23.701: Notification of right to segregation
• Provide notifications to counterparties of their right to segregate initial margin for uncleared swaps instead of posting such margin directly with the firm.
CFTC 23.704: Requirements for non-segregated margin
• Report to each counterparty that does not choose to require segregation on whether the firm’s back office procedures were not in compliance with the counterparty agreement.
Segregation - Findings
More frequently observed:
• Failure to send notice of right to segregate initial margin to counterparties
• Not sending quarterly reports on whether back office procedures of the SD are in compliance with agreements
Swap Data Reporting
CFTC 23.204 and 23.205: Off-facility transactions
• Report transactions real-time to SDR as soon as technologically practicable (ASATP)
• Report creation data ASATP but no later than the timeframe established for the asset class
• Report continuation data within established timeframes
Swap Data Reporting - Findings
More frequently observed:
• Failure to report trades or required data
• Inaccurate reporting
• Late reporting or not reporting ASATP
• Inadequate monitoring of errors and omissions
Business Conduct Standards
CFTC 23.402: General provisions
• Requires SD to design policies and procedures to obtain the essential facts of a counterparty and to monitor compliance with rules
CFTC 23.431: Disclosures of material information
• Requires SD to disclose material information concerning the swap to the counterparty
  • General disclosures, pre-trade mid-market mark, daily mark, etc.
Business Conduct Standards - Findings
More frequently observed:
• Failure to obtain documentation on essential facts of a counterparty
• Failure to provide adequate disclosures
  • General disclosures, pre-trade mid-market mark and daily mark
U.S. Persons
Non-U.S. Swap Dealers:
• For certain rules, must comply with CFTC regulations only when transacting with U.S. Persons, Guaranteed Affiliates and Conduit Affiliates
• Incorrect identification of a counterparty’s status prior to transacting has led to noncompliance with regulations
• Cross Border Representation Letter can be used to verify U.S. Person, Guaranteed Affiliate and Conduit Affiliate status of counterparty
Trader Incidents
CFTC 23.410: Prohibition on fraud, manipulation, and other abusive practices
• Unlawful for an SD to engage in any act, practice, or course of business that is fraudulent, deceptive, or manipulative
Trader Incidents (cont.)
CFTC 23.600: Risk management program for swap dealers
• SD shall establish and maintain a system to supervise, and shall diligently supervise, all activities relating to its business performed by its partners, members, officers, employees, and agents
• SD must establish means to detect unauthorized trading activities or any other violation of policies and procedures
Trader Incidents - Findings
Disclosure:
• NFA may request, as part of a routine examination, a list of trader incidents related to swap dealing activities
• Some firms have reported trader incidents in quarterly risk exposure reports and CCO annual reports
• Firms should self-report trader incidents to NFA, especially those that lead to termination of an employee
• Public news
Trader Incidents - Findings (cont.)
NFA’s review of trader incidents:
• Determine nature and extent of the incident
• Firm’s handling of incident
• Control failures
• Remediation
Trader Incidents - Findings (cont.)
Unauthorized internal trading:
• Trader books trades to another trader’s book to increase P&L
• Not detected over a period of time
• Small P&L impact per trade but large accumulation over time
Trader Incidents - Findings (cont.)
Means of detecting unauthorized internal trading activities include:
• P&L review
• Cancel and corrects
Trader Incidents - Findings (cont.)
Additional monitoring implemented post-incident of unauthorized trading:
• Online process to review and affirm inter-book trades
• Daily inter-book trade report with a look-back of 1 to multiple days
• Review of inter-book trades to confirm that trades are equal and offsetting
UPCOMING SD EXAMINATIONS
Exam Scope
Rule areas that may be in scope for the next 12 months include:
• Business conduct standards
• Margin
• Segregation
• Business continuity and disaster recovery
• Cybersecurity
• Risk management (new product approval, liquidity risk and settlement risk)
Contact NFA
Shuna Awong | 212-513-6057 or [email protected]
Sudhir Jain | 212-513-6080 or [email protected]
Tammy Wong | 212-513-6061 or [email protected]
Zangri | 212-346-5632 or [email protected]
RECENT NFA UPDATES
NFA Swaps Proficiency Requirements
• Background
• Timing
• Content
• Rulemaking
Other Initiatives
ORS system enhancements to registration change process and enhanced system security
• Improved navigation
• Increased efficiency
BASIC system rebuild
• Enhanced search
• Improved navigation
• Updated look and feel
NFA Enforcement Activity
Complaints
• Focus on past misconduct
• Typically issued after a full investigation
• Intended to punish wrongdoing and impose remedial undertakings
• Issued by NFA’s Business Conduct Committee (BCC)
Complaints (cont.)
[Bar chart: complaints issued by year, 2014-2018]
Decisions
• Fines of up to $250,000 per violation
• Suspensions from NFA membership
• Expulsions from NFA membership
• Remedial measures
Decisions (cont.)
[Bar chart: decisions issued by year, 2014-2018]
Fines
[Bar chart: fines issued by year, 2014-2018; vertical axis from $0 to $3,000,000]
Cybersecurity Regulatory Update
Agenda
• Information Systems Security Program (ISSP) Interpretive Notice
• Filing a Cybersecurity Incident Notice
• Exam Observations and Cybersecurity Incidents
• Member Panel Discussion
ISSP Interpretive Notice
ISSP Interpretive Notice 9070
• Amendments effective April 1, 2019
• Key changes to the Interpretive Notice:
  • Updated employee training requirement
  • Updated ISSP approval requirement
  • New requirement to notify NFA of certain cybersecurity incidents
ISSP Interpretive Notice (cont.)
Cybersecurity Training
• Covered topics must be specified
• Must be conducted upon hiring and annually thereafter
• May be needed more frequently if circumstances warrant additional training
ISSP Interpretive Notice (cont.)
ISSP Approval
• Member’s CEO
• Senior-level officer of the Member with primary responsibility for the ISSP (CTO or CISO)
• Senior official who is a listed Principal and has authority to supervise the Member’s ISSP execution
Filing a Cybersecurity Incident Notice
A Cybersecurity Incident Notice must be filed when an incident related to commodity interest business:
• Results in a loss of customer or counterparty funds or Member’s capital or
• Results in the firm notifying customers or counterparties of the incident pursuant to U.S. state or federal law
Next Steps
Notice to Members
• Additional details on the Notice Filing System
• Updated resources
  • Frequently-asked questions
  • Self-Examination Questionnaire
  • Regulatory Requirements Guide
Examination Observations
Procedural Deficiencies
• ISSP not approved in writing
• Incomplete hardware and software inventory
• Internal and external threats not adequately identified
• Threats posed from third party vendors not addressed
• Lack of incident response and recovery plan
Examination Observations (cont.)
Training
• Not conducted timely
• Relevant personnel not included
• Applicable topics not included
ISSP Review
• Not reviewed annually or updated with lessons learned
Known Incidents
Incident Types
• Ransomware
• Fraudulent requests to transfer funds
• Unauthorized access to sensitive information
Some events have led to enforcement actions.
Incident Response
• Execute response and recovery plan
• Notify or engage counsel
• Consider hiring third party to investigate
• Notify regulators, customers and counterparties, if applicable
• Reach out to law enforcement
• Notify bank if funds are involved
Incident Response (cont.)
• Notify insurance company
• File Suspicious Activity Report (SAR) if appropriate
• Update ISSP to incorporate lessons learned
Contact NFA
Julio Reid | Cybersecurity Examination [email protected] or 212-513-6056
Lou Berardocco | Senior Manager, [email protected] or 212-513-6030
Sudhir Jain | Director, OTC [email protected] or 212-513-6080
Cybersecurity Panel Discussion
Dale Spoljaric | Managing Director, Compliance, NFA
David Pollok | General Counsel, Lighthouse Investment Partners LLC
Karl Schimmeck | Global Head of Vulnerability Management, Morgan Stanley
Compliance Regulatory Update
Agenda
• Trends from Recent Examinations
• Recent NFA Initiatives
• CPO Internal Controls
TRENDS FROM RECENT EXAMINATIONS
Examination Areas of Focus
• Cybersecurity
• CPO Internal Controls
• Pool Financial Reporting
• Net Capital
• Promotional Material
• Disclosure
• Registration
Common Examination Deficiencies
Net Capital
• Not maintaining current books and records
  • Monthly net capital computation
  • General ledger
• Improper classification of current vs. non-current assets
  • Secured receivables
  • Timely receipt (e.g. commissions received within 30 days)
• Liabilities not properly accrued
Common Examination Deficiencies (cont.)
Pool Financial Reporting
• Income statement not itemized for non-exempt pools
• Report included only individual information rather than information for the pool in its entirety
• Reports not distributed to participants prior to 30 day deadline
• Incomplete or missing oath/affirmation
• Liabilities not properly accrued
Common Examination Deficiencies (cont.)
CPO and CTA Financial Ratios
• Requirements
  • Report expenses and revenues for most recent 12 months
  • Report ratios for the CPO, not the pool
  • Use accrual accounting
  • Maintain supporting documentation
Common Examination Deficiencies (cont.)
Registration: Unlisted Principals
• Who needs to be listed?
  • Owners who own 10% or more of the registrant including individuals with an indirect ownership
  • Individuals with specific titles – directors, CCO, managing member
  • Individuals with a controlling influence
Common Examination Deficiencies (cont.)
Orders and Bunched Orders
• Requirements
  • Daily supervision of bunched order allocations
  • Quarterly review of bunched order allocations – CTAs must conduct a quarterly review of accounts to ensure that bunched orders are allocated in a non-preferential manner
  • Maintaining pre-trade communications
Other Common Deficiencies
Promotional Material
• Requirements
  • Balance discussion of opportunities for profits with risk of loss
  • Reasonable basis of fact for statements of opinion
  • Performance
    • Net of fees
    • Labeling
Other Common Deficiencies (cont.)
Disclosure Documents
• Requirements
  • Fee disclosure
  • Break-even analysis
  • Trading program description
Avoiding Common Deficiencies—Mind the Calendar
Potential Overdue Items
• Ethics training
• Self-examination checklist
• BC/DR testing; information systems security training; annual ISSP review
• Annual AML training; annual independent AML audit
• Annual branch office audits
• Financial statement filings
Liquidation Statement Reminders
Pool Liquidation Statements
• Permanent cessation of trading – what date to use?
• Date of liquidation statement
• Net asset value at zero
• Unaudited statement
  • When acceptable
  • Required footnote regarding unwinding of pool and redemption process
RECENT NFA INITIATIVES
NFA Initiatives
• Review of NFA Rulebook
• Upcoming reviews – 2-45, GIB/Branch Office Supervision and Promotional Material
• Swap AP proficiency requirements
• ORS and BASIC system enhancements
• Promotional Material Filing System
Contact NFA
Dawn Grossmith | Manager II, [email protected] or 212-513-6012
Arthur Kenigstain | Manager, [email protected] or 212-513-6015
Jonathan Flanagan | Manager, [email protected] or 212-513-6033
CPO INTERNAL CONTROLS
Agenda
• Background
• Requirements outlined in the Interpretive Notice
• Key controls in identified risk areas
• Use of administrators
• NFA’s exam process relating to internal controls
Background
• Supervision at a CPO includes developing a framework that safeguards pool participant funds by protecting against mishandling and fraudulent activity by employees, management and third parties
• Effective internal controls minimize opportunities for mishandling and fraud
Background (cont.)
• Created with the input of Member CPOs, the CPO Advisory Committee and CPO representatives on NFA's Board
• Obtained feedback from industry groups
• Approved by NFA's Board in November 2018
• Submitted to the CFTC in December 2018
Effective April 1, 2019
Internal Controls Interpretive Notice
CPO Internal Control System
• Requires CPO Members to implement internal controls framework
• Framework must be reasonably designed according to size and complexity of the firm’s operations
Internal Controls Interpretive Notice (cont.)
Policies and Procedures
• Written policies and procedures reasonably designed to ensure CPO’s operations are in compliance with NFA Rules and CFTC Regulations
• Must include:
  • Written procedures that fully explain the CPO’s internal controls framework
  • Escalation policies relating to improper override of controls
Internal Controls Interpretive Notice (cont.)
CPO Risk Assessment
• Identify the most critical risks that arise
• Periodically perform the assessment again to account for new risks that may arise
Internal Controls Interpretive Notice (cont.)
Internal Controls
• Design and implement controls to address identified risks
• Monitor effectiveness of controls
• Adjust controls as necessary
Key Controls – Separation of Duties
No single employee is in a position to carry out and conceal errors or fraud or to have control over any two phases of a transaction or operation
• Initiating
• Approving
• Recording
• Reconciling
Key Controls – Separation of Duties (cont.)
• Duties assigned to different employees to allow for cross-checking of work performed in material areas
• Use automated controls to assist with separation of duties
• Functions relating to custody are separate from financial reporting functions
Key Controls – Risk areas
Internal controls frameworks must address three risk areas:
• Pool subscriptions, redemptions and transfers
• Risk management and investment and valuation of pool funds
• Use of administrators
Key Controls
• Review and approve general ledger and subsidiary ledger entries
• For automated recording of transactions, review and approve system mappings and changes
• Reconcile transactions between the pool's general ledger, banks and other depositories (e.g. carrying brokers, prime brokers)
• Approve new depository accounts; includes verifying that assets are held in accounts properly titled with the pool's name and are not commingled with the assets of any other person
Key Controls – Subscriptions, Redemptions, Transfers
Authorization of redemptions includes verifying:
• Request made by customer
• Funds are available
• NAV was properly calculated
• Proper amount is released to the account owner
Key Controls – Subscriptions, Redemptions, Transfers (cont.)
Authorization of transfer/disbursement includes verifying:
• Transaction does not violate NFA Compliance Rule 2-45 (prohibition on loans)
• Disbursement is allowable pursuant to the pool's DD/OM
Key Controls – Risk Management
Due diligence on counterparties and depositories:
• Initial and ongoing due diligence
• Reputation
• Trading strategy
• Past performance
• Any regulatory actions
Key Controls – Risk Management (cont.)
Ongoing monitoring
• Market risk
• Concentration risk
• Counterparty credit risk
Key Controls – Risk Management (cont.)
Ongoing monitoring of pool liquidity; consider:
• Risk of reduction in funding by lending counterparties including changes in margins and timing of variation margin calls
• Terms of participant redemption rights
• Changes in market liquidity conditions
• Conduct stress tests to determine the impact of volatility and market stress on pool liquidity
Key Controls – Investments and Valuation
• Authorization of investment includes verifying the investment is consistent with the pool's strategy
• Verify that the investment is valued in accordance with the CPO's valuation policy
Key Controls – Use of Administrators
Initial due diligence of administrator, consider:
• Reputation
• Industry expertise; tax expertise
• Timeliness of work
• Responsiveness/customer service
• Accuracy
• Cybersecurity
Key Controls – Use of Administrators (cont.)
• Evidence of test of controls and security measures
• Maintain shadow books and reconcile with administrator
• Or, if no shadow books, reconcile transactions with banks and other third party depositories and compare to administrator
Internal Controls and NFA Exams
Questionnaires
• Used to obtain the firm’s description of its controls
• Provide prior to fieldwork
• See workshop materials for questionnaire
Internal Controls and NFA Exams (cont.)
Components of an effectively designed control
• Competency and authority of personnel performing the controls
• Correlation of the control to the identified risk
• Consistent performance of the control
• Criteria for investigation or follow-up
Internal Controls and NFA Exams (cont.)
Walkthroughs
• Inquiry of the person performing the control
• Observation of the control in action
• Inspection of documents
Contact NFA
Patricia Cushing | Director, [email protected] or 312-781-1403
Ryan Ahlfeld | Manager II, [email protected] or 312-781-1591