NFA Institutes New Operational Requirements for Members; Registered CPOs and CTAs Need to Take Action in Q3 and Q4 2021

In the United States, the National Futures Association is making changes to its rules for commodity interest trading which will affect any entity, in or outside the United States, that operates as a registered commodity pool operator or commodity trading advisor.

Under new NFA Compliance Rule 2-50, as of June 30, 2021, registered CPOs will be required to file a notice with the NFA when a market or other significant adverse event affects a commodity pool’s ability to fulfil its financial obligations to commodity pool participants (adverse event notice filings requirement).¹ With regard to this requirement, registered CPOs will need to implement procedures to ensure they are reporting the appropriate adverse events to the NFA in a timely fashion.

As of September 30, 2021, each registered CPO and CTA that outsources any of their regulatory functions will be required to adopt and implement a written supervisory framework over the outsourced function, in order to mitigate outsourcing-related risks (member outsourcing to third parties requirement). Although many registered CPOs and CTAs already will have in place the type of supervisory programs for third-party service providers that are required under this requirement, because of requirements applicable to them as registered investment advisers under the Investment Advisers Act of 1940, the NFA nevertheless will require those NFA members to review their current policies and procedures and make any modifications necessary to meet the requirements of the NFA’s Interpretive Notice on the subject.² Registered CPOs and CTAs also will need to include a review of their supervisory frameworks for third-party service providers as part of their next annual NFA self-examination process, and the NFA has amended the annual self-examination questionnaire to facilitate this review and help members understand the requirement.³

NFA Requirement Regarding Registered CPO Adverse Event Notice Filings

Under new NFA Compliance Rule 2-50, registered CPOs will be required to notify the NFA by no later than 5pm CT on the next business day following any of the following four adverse events affecting a commodity pool operated by the CPO:

·       The commodity pool is unable to meet margin call(s);

·       The commodity pool is unable to satisfy redemption requests in accordance with its subscription agreements;

·       The commodity pool has halted redemptions and the halt on redemptions is not associated with pre-existing gates or lockups, or a pre-planned cessation of operations; or

·       The CPO receives a notice from a swap counterparty that the commodity pool is in default.

Some of these events already are subject to CPO reporting on CFTC Form CPO-PQR/NFA Form PQR and in annual pool financial reports; however the NFA is instituting this new reporting regime in order to receive that information on a more timely basis. Registered CPOs that operate pools for which they nevertheless have a registration exemption also need to be aware that the adverse event notice filings requirement applies to commodity pools operated by a CPO in its exempt capacity (which pool-level information would not be reported to the CFTC/NFA on CFTC Form CPO-PQR/NFA Form PQR or in annual pool financial reports).⁴

Not every occurrence of one of the above events will subject the CPO to reporting to the NFA. The NFA Interpretive Notice accompanying the new rule explains that the reporting requirement focuses on instances where a commodity pool is truly in financial trouble and has exhausted grace periods and other means to meet its financial obligations. For example, if a commodity pool cannot meet a margin call on the day of the call, but reasonably believes it will meet the margin call within the period set forth in its trading agreement or other arrangement with its futures commission merchant or broker, that event is not reportable. However, the event can become reportable thereafter if the margin call cannot be met within the prescribed time period. With regard to swap counterparty declarations of default, all categories of declarations of default are reportable; however, applicable cure periods and other self-help is available before the event becomes reportable. For example, if a default is related to a margin call, the reporting requirement would apply only where the margin call results in a deficit that the CPO reasonably believes the commodity pool will not be able to address or cover by adding further funds, after giving effect to whatever cure periods are available. Aside from a margin call event of default, other events of default under standard ISDA swap trading documentation that would be reportable may include: breaches of agreement; misrepresentations; defaults under a “Specified Transaction”; cross-defaults; bankruptcy; and “mergers without assumption.”

Registered CPOs will want to review the NFA Interpretive Notice to ensure that they have procedures to address the reportable adverse financial events, but also not to over-report.

NFA Requirement Regarding Registered CPO and CTA Written Supervisory Framework for Third Parties Performing Regulatory Functions

Many CFTC registrants that are NFA members outsource certain of their regulatory obligations to third-party service providers and vendors, to perform functions that otherwise would be undertaken by the member firm in order to comply with CFTC or NFA requirements. In recognition of this market practice, the NFA is instituting a requirement under NFA Compliance Rule 2-9 that NFA members must have a written supervisory framework to address the oversight of third-party service providers used to meet the respective members’ regulatory obligations, noting that NFA members remain responsible for the regulatory obligations that third parties assist in fulfilling.

As with other supervisory requirements the NFA recently has instituted (e.g., the Information Security Systems Procedures requirements and CPO Internal Controls Requirements), the NFA is leaving it up to individual NFA members to craft supervisory controls that meet the needs of their businesses. However, the NFA is establishing certain minimum parameters around these supervision procedures. In addition, the NFA recognizes that some NFA members may hire and supervise third-party service providers on an enterprise-wide or holding company level. The NFA has indicated that an NFA member’s third-party service provider relationships may be addressed at those levels, but, importantly, will continue to require that the areas of supervision discussed below be addressed in that process.

The following are the minimum areas that an NFA member’s written supervisory framework must address:

·       An initial risk assessment;

·       Onboarding due diligence;

·       Ongoing monitoring;

·       Termination; and

·       Recordkeeping.

Initial Risk Assessment. The initial risk assessment must address three primary areas of concern, in addition to any other areas of risk the NFA member identifies: information security (what sensitive information a third party might have and how the third party would safeguard the information); regulatory risk (the impact on the NFA member, its investors/clients and counterparties of the third party failing to carry out its assigned function properly); and logistics (the implications of the location of the third party for the provision of services and access to records). If an NFA member determines that it cannot adequately manage the risks of outsourcing a particular regulatory function, it should not move ahead with outsourcing such function.

Onboarding Due Diligence. The NFA member must determine whether the third-party service provider will be able to carry out its outsourced function successfully in accordance with CFTC and NFA requirements. Part of this due diligence would involve determining that the service provider is familiar with the applicable CFTC/NFA requirements. Where a third-party service provider will have access to or obtain critical and/or confidential data, the NFA member needs to conduct a heightened level of due diligence into the third-party’s: IT security; financial stability background of key employees; regulatory action and lawsuit history; and business continuity and disaster recovery plans. The NFA member also needs to be aware of any subcontracting arrangements, and assess, to the extent possible, any risks the subcontracting relationship creates.

The NFA member also should have a written agreement that governs its relationship with the third-party service provider, which agreement, to the extent the NFA member is able to negotiate: requires the third-party service provider to comply with all applicable regulatory obligations; requires the third-party service provider to notify the NFA member immediately of any material failure to perform an outsourced regulatory function; and provides for how data will be managed after the termination of the relationship. The agreement also needs to provide adequate notice of termination to the NFA member, and the NFA member needs to make sure it will still be able to meet its regulatory obligations after termination of the relationship.

Ongoing Monitoring. The NFA member must conduct ongoing risk-based monitoring of the third-party service provider, addressing both the outsourced regulatory functions and the third-party service provider’s business overall. The frequency and scope of the reviews would be based on the type of service the entity is providing and how critical that service is for the NFA member. NFA members should also consider who are the appropriate personnel to conduct the reviews and have an escalation policy to involve senior management, or an internal committee, in the event of a significant issue with a third-party service provider. The risk implications involved in contract renewals also would be a part of the ongoing due diligence process.

Termination. In addition to the guideposts outlined above addressing termination of an agreement with a third-party service provider, the NFA member needs to make a reasonable effort to ensure that if the third-party had access to confidential information, it no longer does post-termination.

Recordkeeping. Any NFA member that engages a third-party service provider as described in this OnPoint must maintain records pursuant to NFA Compliance Rules 2-10 and 2-49, in order to demonstrate that the member has addressed the supervisory framework requirements. In addition, registered CPOs are reminded that if they use third parties as record-keepers, they must file an electronic notice with the NFA and must obtain a representation letter from the third party, which letter is filed with the notice.⁵ Registered CTAs that use third parties are record keepers must file notice with the CFTC staff to that effect, but no representation letter from the third party is necessary.⁶

Footnotes

1) NFA Compliance Rule 2-50: CPO Notice Filing Requirements, NFA Interpretive Notice No. 9080 (Feb. 18, 2021, effective June 30, 2021). 

2) NFA Compliance Rules 2-9 and 2-36: Members’ Use of Third-Party Service Providers, NFA Interpretive Notice No. 9079 (Feb. 18, 2021). 

3) Effective Date for Interpretive Notice Regarding Members’ Use of Third-Party Service Providers, NFA Notice to Members No. I-21-13 (Mar. 24, 2021). 

4) Proposed NFA Compliance Rule 2-50 and Related Interpretive Notice entitled NFA Compliance Rule 2-50: CPO Notice Filing Requirements, NFA Submission Letter to the CFTC (Mar. 5, 2021). 

5) CFTC Rule 4.7(b)(6); CFTC Rule 4.23(c).

6) CFTC No-Action Letter No. 17-24 (April 20, 2017).