2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000 | 1999 | 1998 | 1997 | 1996|
Email This to a Friend
April 25, 2002
Ms. Jean A. Webb
Re: Request of the National Futures Association for Approval of Interpretive Notice to NFA Compliance Rule 2-9: Supervision of the Use of Automated Order-Routing Systems (67 Fed. Reg. 14701 (Mar. 27, 2002))
Dear Ms. Webb:
Automated order-routing systems (AORSs) are becoming more and more common and are gradually replacing personal telephone contact as a means of entering orders for futures contracts. Although these simply provide different ways to enter an order and are governed by longstanding regulatory standards, the technology that is used affects the manner in which firms comply with those standards. As AORSs become more prevalent, it becomes increasingly important for NFA Members to understand how to adopt controls that apply pre-existing regulatory standards to these systems.
AORSs provide a valuable service to customers and can improve execution time and quality. However, they can also increase the possibility that a customer's order information will be altered or appropriated without the customer's permission, that a customer's order will be lost in the pipeline if the system becomes overloaded, or that a customer will enter trades that the firm has not authorized the customer to make. As the General Accounting Office has noted:
NFA's proposed interpretive notice on AORSs is designed to provide Members with guidance on their supervisory responsibility to include appropriate controls in the AORSs they offer to their customers. The interpretive notice was the culmination of a long process that included a wide-ranging review of AORS standards and regulatory requirements and sought and incorporated substantial input from all segments of the futures industry.
The interpretive notice adopted by NFA's Board of Directors recognizes that Members have a supervisory responsibility to process orders in a reliable and timely manner and to impose credit and risk-management controls on trading done by any particular customer. The notice also recognizes that supervisory standards do not change with the medium used but that how those standards are applied may be affected by technology. Therefore, the interpretive notice embraces a flexible approach to AORSs that provides meaningful guidance to Members without mandating specific technology.
This comment letter begins by describing the comprehensive process that NFA went through in developing the interpretive notice. It then describes the comments received by NFA as a result of its request for membership comment and the resulting changes to the notice. Finally, it discusses NFA's reasons for adopting the interpretive notice in its current form.
The Special Committee was composed of representatives from six FCMs (ranging from large broker-dealer/FCMs to a smaller, futures-only firm), six exchanges, two end users (CPO/CTAs), two third-party vendors, and one clearing organization. This broad range of viewpoints was a tremendous asset to the Special Committee in developing the interpretive guidance, and the proposed interpretive notice represents the consensus view of these diverse individuals. A list of the Special Committee members is attached as Exhibit A.
The Special Committee met eight times between November 14, 2000 and December 11, 2001. During that time, it reviewed approximately twenty studies, proposals, advisories, and similar documents issued by eight separate organizations, (including the SEC, the CFTC, the GAO, and IOSCO); sought input from NFA's FCM, IB, and CPO/CTA Advisory Committees and from the Futures Industry Association (FIA), the Managed Funds Association (MFA), and the National Introducing Brokers Association (NIBA); and published the proposed interpretive notice for membership comment. The interpretive notice went through seven drafts, including several major revisions based on comments received from the industry at different points during the process.
The Special Committee's initial draft of the interpretive notice affirmed the basic supervisory standards that apply to all order-routing processes regardless of the medium used. The draft then described the best practices used in the industry for orders routed through AORSs and stated that using those practices would provide Members with a safe harbor for meeting the basic standards. When the draft was circulated, some members of FIA's Law and Compliance Division objected to the best practices/safe harbor approach. In particular, the Law and Compliance members felt that best practices should be developed by industry organizations rather than regulators. They were also concerned that characterizing elements of the draft notice as "best practices" or a "safe harbor" could lead to unintended uses by third parties in civil litigation. Finally, they objected to the level of detail contained in the draft interpretive notice.
As a result of these concerns, the Special Committee redrafted the notice without the references to best practices and safe harbors and with less detail. The Special Committee then sought comments on the revised draft from FIA, MFA, NIBA, and NFA's FCM, IB, and CPO/CTA Advisory Committees.
NIBA was the only industry trade association to file comments with the Special Committee, although representatives of FIA did participate in the FCM Advisory Committee's discussion. A copy of NIBA's Comment Letter is attached as Exhibit B. NIBA generally supported the interpretive notice, as did the IB and CPO/CTA Advisory Committees. The FCM Advisory Committee, on the other hand, was concerned that NFA might be establishing standards that would be costly to comply with and could be used against Members in litigation. They felt that NFA was getting ahead of the curve and should take a more cautious approach. In fact, the FCM Advisory Committee questioned whether NFA should be doing anything at all in this area. A copy of a memorandum to the Special Committee describing the Advisory Committees' comments is attached as Exhibit C.
After considering these comments, the Special Committee revised the interpretive notice to eliminate more of the details regarding technology and — at the direction of NFA's Executive Committee — put the revised notice out for membership comment. Notice to Members I-01-15, issued August 31, 2001, is attached as Exhibit D. Although comments were originally due on September 28, 2001, that deadline was subsequently extended to November 15, 2001. The Special Committee also again asked NFA's Advisory Committees to review and comment on the revised language. The comments NFA received are described in the next section of this letter.
After the comment period closed, the Special Committee reviewed the comments received and made additional changes to the interpretive notice. The revised notice was then sent to the Executive Committee and the Board of Directors. This final version of the notice was adopted by the Board on February 21, 2002 and submitted to the CFTC on March 1, 2002.
Summary of the Comments and the Resulting Changes
In contrast to the other commenters, the FCM Advisory Committee did not believe that NFA should issue any interpretive guidance on the use of AORSs. According to the FCM Advisory Committee:
As discussed below, the Special Committee did not agree that the interpretive notice was unnecessary or that the general approach was too prescriptive. It did, however, agree with a number of the specific comments that were made and revised the interpretive notice accordingly. In particular, the Special Committee:
After some introductory language, the interpretive notice contains three sections that deal with security, capacity, and credit and risk-management controls. Each section of the interpretive notice begins with a general standard that applies to all orders regardless of the manner of entry. Although these general standards have not been explicitly spelled out in earlier guidance issued by NFA, they are nothing new. They are intuitive standards that are — and have always been — implicit in NFA Compliance Rule 2-9.
Each of the three sections then goes on to give more practical guidance on how the general standard applies to orders entered through an AORS. This guidance does not impose new requirements but merely clarifies how existing requirements apply to those orders. For example, the section on security states that the AORS should authenticate the user and goes on to give some examples of possible authentication methods. Although the authentication methods that are listed are specific to electronic systems, the duty to authenticate the user has always existed - it goes without saying that a Member should not accept a telephone order without reason to believe that the person placing the order is who he says he is.
The FCM Advisory Committee commented that decisions regarding AORSs should be a matter of business judgment, not regulation. The Special Committee and the Board are mindful of this concern and do not mean to substitute their business judgment for that of individual Members. The interpretive notice provides Members with flexibility to design procedures tailored to their own circumstances and to take advantage of changes in technology. On the other hand, the Special Committee and the Board believe that the use of AORSs is an appropriate area for regulatory guidance and that the requirements in the interpretive notice are necessary to protect customers and other users of the futures markets.
The requirements in the interpretive notice were carefully crafted to ensure that they do not impose unnecessary burdens on Members. In fact, the Special Committee was very responsive to concerns from smaller entities. For example, NFA received several comments that it would be too expensive for small entities to either maintain an independent internal audit department or hire a qualified outside party to test the system. As a result, the interpretive notice was revised to allow these firms to use "other appropriate means" for conducting periodic security testing and capacity reviews.
Some of the comments stated that the interpretive notice is too specific. The Special Committee addressed these concerns where appropriate, and each draft of the interpretive notice became less detailed and more generic. However, the Special Committee believes that making it any more generic than it currently is would make it so general as to be meaningless, and the Board agrees with this assessment.
The FCM Advisory Committee also commented that the guidance issued in the securities industry does not impose these regulatory obligations on securities firms, and the FCM Advisory Committee did not believe that NFA should be a leader in this area. The Special Committee and the Board do not agree. NFA would not be a responsible regulator if it waited to address a need until someone else addressed it first or until a crisis occurred. The Special Committee and the Board believe that a need exists and that NFA should address that need.
As a practical matter, NFA's interpretive notice does not contain anything new. In regard to system security, the banking regulators impose similar requirements,2 and the CFTC recently adopted Regulation 160.30, which, while less detailed, applies the same general standard.3 In regard to capacity, the provisions in the interpretive notice were generally modeled after several SEC releases.4 Although NFA may be the first regulator to issue guidance on applying credit and risk-management controls to AORSs, the obligation to guard against systemic risk is as old as the CFTC — or perhaps as old as the markets themselves.
NFA did not write the interpretive notice in a vacuum. The members of the Special Committee came from divergent segments of the futures industry; the Special Committee specifically sought input from the three trade associations that represent futures intermediaries and from NFA's Advisory Committees, which represent those same constituencies; and NFA put the interpretive notice out for Member comment. The Special Committee considered all of the comments it received from these groups and made a number of significant changes to the interpretive notice in response to those comments. The Special Committee could not, however, please everyone and still remain faithful to NFA's responsibilities as a regulator.
The Federal Register release states that "NFA has also revised the required annual self-examination to include the WebTrustSM/TM Self-Assessment Questionnaire. . . ." Although this statement is true, NFA would like to clarify the effect of incorporating that document into NFA's self-examination requirement. NFA's interpretive notice on Compliance Rule 2-9: Self-Audit Questionnaires (NFA Manual, ¶9020) requires NFA Members to annually review their operations using a questionnaire developed by NFA and to attest in writing that the Member has reviewed its current procedures and they appear to be adequate to meet the Member's supervisory responsibilities. The Member does not have to actually fill out the self-examination questionnarie, nor is it required to keep any documentation other than the written attestation. Furthermore, the Member does not have to review any sections of the questionnaire that do not apply to the Member's business. Therefore, incorporating the WebTrustSM/TM Self-Assessment Questionnaire into the self-examination does not require Members to actually fill out the questionnaire or to review any portions of it that are not applicable to the Member's business.5
As noted above, the interpretive notice does not impose new requirements but merely clarifies existing ones. Nonetheless, NFA realizes that some Members may not have understood these requirements and may not currently comply with them. We will work with Members to bring them into compliance and will not take disciplinary action against any Member that comes into compliance within a reasonable time.
NFA also recognizes that some Members have outstanding agreements with third-party vendors that may not comply with the standards in the interpretive notice. NFA does not expect Members to breach their existing agreements. NFA does, however, expect Members to work with their third-party vendors to conform to those standards. Members should also avoid entering into subsequent agreements that do not comply.
NFA has worked closely with the industry throughout this entire process and will continue to do so. We will be happy to answer any questions and respond to any concerns that are raised by the comment letters.
If you have any questions or need any additional information, please contact Kathryn Camp, Associate General Counsel. She can be reached by telephone at 312-781-1393 or by e-mail at email@example.com.
Very truly yours,
Thomas W. Sexton
cc: Chairman James E. Newsome
1General Accounting Office, Commodity Exchange Act: Issues Related to the Regulation of Electronic Trading Systems, pgs. 12-13 (May 2000).
2See, e.g., FFIEC Guidance on Authentication, SR 01-20 (Federal Reserve, Aug. 15, 2001); Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Recision of Year 2000 Standards for Safety and Soundness, 66 Fed. Reg. 8615 (Feb. 1, 2001) (not medium-specific); Uniform Rating System for Information Technology, 64 Fed. Reg. 3109 (Jan. 20, 1999); Technology Risk Management, OCC 98-3 (OCC, 1998); Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations, SR 98-9 (Federal Reserve, Apr. 20, 1998).
3Privacy of Consumer Financial Information, 66 Fed. Reg. 21235 (Apr. 27, 2001). The SEC has adopted similar regulations. Privacy of Consumer Financial Information, Regulation S-P, 65 Fed. Reg. 40333 (June 29, 2000).
4Policy Statement: Automated Systems of Self-Regulatory Organizations (II) (SEC, May 9, 1991); Policy Statement: Automated Systems of Self-Regulatory Organizations (SEC, Nov. 16, 1989); Staff Legal Bulletin No. 8 (SEC, Sept. 9, 1998) (discussing capacity requirements for broker-dealers and stating in fn. 10 that broker-dealers should use the two automation policies as guidelines). Although the automation policies state that they are guidance to be adopted on a voluntary basis, the SEC appears to have applied those policies as requirements for the development of new systems. See, e.g., Order Approving Proposed Rule Change by the Pacific Exchange, Inc., as Amended, and Notice of Filing and Order Granting Accelerated Approval to Amendment Nos. 4 and 5 Concerning the Establishment of the Archipelago Exchange as the Equities Trading Facility of PCX Equities, Inc., 66 Fed. Reg. 55225, 55230 (Nov. 1, 2001) ("The PCX would also be required to comply with the Commission's Automation Review Policy....").
5Some of the questions in the WebTrustSM/TM Self-Assessment Questionnaire go beyond the standards described in the interpretive notice on AORSs. Those questions may be useful to Members in evaluating their procedures for supervising AORSs, but they are not intended to impose any additional requirements.