9046 - COMPLIANCE RULE 2-9: SUPERVISION OF THE USE OF AUTOMATED ORDER-ROUTING SYSTEMS
(Board of Directors, June 21, 2002; revised December 12, 2006)
NFA Compliance Rule 2-9 places a continuing responsibility on every Member to diligently supervise its employees and agents in all aspects of their futures activities. The rule is broadly written to provide Members with flexibility in developing procedures tailored to meet their particular needs. On certain issues, however, NFA has issued Interpretive Notices to provide more specific guidance on acceptable standards for supervisory procedures.
Currently, information technology is changing nearly every aspect of how Members conduct business, including how customer orders are transmitted. The Board of Directors firmly believes that supervisory standards do not change with the medium used. How those standards are applied, however, may be affected by technology. Therefore, in order to fulfill their supervisory responsibilities, Members must adopt and enforce written procedures to examine the security, capacity, and credit and risk-management controls provided by the firm's automated order-routing systems (AORSs).1
NFA recognizes that, given the differences in the size, complexity of operations, and make-up of the customers serviced by NFA Members, there must be some degree of flexibility in determining what constitutes "diligent supervision" for each firm. It is NFA's policy to leave the exact form of supervision up to the Member, thereby providing the member with flexibility to design procedures that are tailored to the Member's own situation. It is also NFA's policy to set general standards rather than to require specific technology. Therefore, other procedures besides the ones described in this Interpretive Notice may comply with the general standards for supervisory responsibilities imposed by Compliance Rule 2-9.
The procedures discussed in this Interpretive Notice assume that customers have access to the AORS without human intervention. Systems used by Members to transmit customer orders from the firm to the exchange vary significantly, and certain of the procedures discussed in this Notice may not be needed when only firm personnel can enter orders into the system.
This Interpretive Notice applies to AORSs that are within a Member's control, including AORSs that are provided to the Member by an application service provider or an independent software vendor. While a Member is not, of course, responsible for an AORS chosen by the customer and outside of the Member's control - such as direct access systems provided by exchanges - the Member is nevertheless responsible for adopting procedures reasonably expected to address the trading, clearing, and other risks attendant to its customer relationship.2
Security
General Standard. Members who accept orders must adopt and enforce written procedures reasonably designed to protect the reliability and confidentiality of customer orders and account information at all points during the order-routing process. The procedures must also assign responsibility for overseeing the process to one or more individuals who understand how it works and who are capable of evaluating whether the process complies with the firm's procedures.
Authentication. The AORS, or other systems the customer must go through to access the AORS, should authenticate the user. Authentication can be accomplished through a number of methods, including, but not limited to, the following:
- Authentication tokens, such as SecurID cards; or
- Digital certificates.
Encryption. The system should use encryption or equivalent protections for all authentication and for any order or account information that is transmitted over a public network, a semi-private network, or a virtual private network.3 Encryption is less important for a private network that uses dedicated lines and is controlled by the Member (although it can still be a valuable protection). If more appropriate and effective security procedures are developed or identified, the use of those procedures would comply with this standard.
Firewalls. Firewalls or equivalent protections should be used with public networks, semi-private networks, and virtual private networks. The system should log the activities that pass through a firewall, and the log should be reviewed regularly for abnormal activity. If more appropriate and effective security procedures are developed or identified, the use of those procedures would comply with this standard.
Authorization. Although it is the customer's responsibility to ensure that only authorized individuals access the AORS using the customer's facilities and authentication devices (e.g., passwords), the Member's procedures should, as appropriate, provide customers with a means to notify the Member that particular individuals are no longer authorized or to request that authentication devices be disabled. Customers should be informed about the notification process.4
Periodic Testing. The Member should conduct and evidence periodic, reasonable reviews designed to assess the security of the AORS using an independent internal audit department, a qualified outside party, or other appropriate means.
Administration. The Member should adopt and enforce written procedures assigning the responsibility for overseeing the security of the AORS to appropriate supervisory personnel. The procedures should also provide that appropriate personnel keep up with new developments, monitor the effectiveness of the system's security, and respond to any breaches, and that the firm update the system as needed so that the AORS maintains the appropriate level of security.
Capacity
General Standard. Members who accept orders must adopt and enforce written procedures reasonably designed to maintain adequate personnel and facilities for the timely and efficient delivery of customer orders and reporting of executions. The procedures must also be reasonably designed to handle customer complaints about order delivery and reporting in a timely manner.
Members may not misrepresent the services they provide or the quality of those services. If a Member represents that it maintains a particular capacity or performance level, it must take the measures necessary to achieve that level.5
The Member should adopt and enforce written procedures to regularly evaluate the capacity of the AORS and to increase capacity when needed. The procedures should also provide that the system will be subjected to an initial stress test. Such a test may be conducted through simulation or other available means. Thereafter, the system should be subject to periodic reviews by an independent internal audit department, a qualified outside party, or other appropriate means.
The Member should monitor both capacity (how much volume the system can handle before it is adversely impacted or shuts down) and performance (how much volume the system can handle before response time materially increases), and should assess the AORS's capacity and performance levels based on the major strains imposed on the system. The Member should establish acceptable capacity and performance levels for its AORS. The Member's procedures should be reasonably designed to provide adequate capacity to meet estimated peak volume needs based on past experience, present demands, and projected demands.
The procedures should also provide for the Member to follow up on customer complaints about access problems, system slowdowns, or system outages. This follow-up should include identifying the cause of the problem, if any, taking action to correct it, and/or evaluating ways to prevent it from recurring.
Disaster Recovery and Redundancies. The Member should have contingency plans reasonably designed to service customers if either the system goes down or activity exceeds reasonably expected peak volume needs. The Member should use redundant systems or be able to quickly convert to other systems if the need arises. These backup systems can include facilities for accepting orders by telephone or reliance on third-party brokers or clearing firms.
When operational difficulties occur, the Member should provide prompt and effective notification to customers affected by the operational difficulties. Notification can be made by a number of methods, including, but not limited to, the following:
- a message on the Member's web site;
- e-mails or instant messages;
- a recorded telephone message for customers on hold; and/or
- a recorded telephone message on a line dedicated to providing information to AORS customers.
Advance Disclosure. The Member should disclose, in advance, the factors that could reasonably be expected to affect materially the system's performance (e.g., periods of stress). The Member should also educate customers on alternative ways to enter orders when the system goes down or reaches an unacceptable performance level. This disclosure may be made in the account agreement, on the Member's web site, or in any other manner designed to provide this information to current customers before problems occur.
Credit and Risk-Management Controls
General Standard. Members who accept orders must adopt and enforce written procedures reasonably designed to prevent customers from entering into trades that create undue financial risks for the Member or the Member's other customers.6
Pre-Execution Controls.7 An AORS should allow the Member to set limits for each customer based on commodity, quantity, and type of order or based on margin requirements. It should allow the Member to impose limits pre-execution and to automatically block any orders that exceed those limits.8
The Member does not have to impose pre-execution controls on all customers, however. The Member should review the customer's sophistication, credit-worthiness, objectives, and trading practices and strategies when determining whether to impose controls pre-execution or post-execution and deciding what levels to use when setting limits.
Post-Execution Controls. For customers subject to post-execution controls, the Member should have the ability to monitor trading promptly.9 This ability can be provided by the AORS or through other risk-management systems. The AORS should generate alerts when limits are exceeded through that system. The system should also allow the Member to block subsequent orders, either in their entirety or by kind (e.g., to block orders that create a new position or increase an existing position but not orders that liquidate some or all of an existing position).
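The pre- and post-execution controls described above, as an added example that is not part of this Notice or of any NFA system: a constructed Python model in which the Member sets per-customer limits by commodity, quantity, order type and margin requirement, automatically blocks breaching orders in pre-execution mode, and in post-execution mode lets the order through but records an alert and can then block further orders either entirely or only those that would create or increase a position. All names, limit fields and sample figures are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Constructed per-customer limit set; the field names are this example's own.
@dataclass
class Limits:
    max_order_qty: int          # per-order size cap ("fat-finger" protection)
    max_position: dict          # commodity -> largest absolute position allowed
    allowed_types: frozenset    # order types this customer may use
    margin_per_lot: dict        # commodity -> margin requirement per lot
    available_margin: float     # margin the customer has on deposit

@dataclass
class Account:
    limits: Limits
    mode: str                   # "pre": reject breaches; "post": execute, then alert
    positions: dict = field(default_factory=dict)
    block: str = "none"         # "none", "increases" (liquidations still allowed) or "all"
    alerts: list = field(default_factory=list)

def breaches(acct, commodity, new_pos, qty, order_type):
    """Return the limit categories an order would breach (empty list = within limits)."""
    lim, out = acct.limits, []
    if order_type not in lim.allowed_types:
        out.append("order type")
    if qty > lim.max_order_qty:
        out.append("order size")
    if abs(new_pos) > lim.max_position.get(commodity, 0):
        out.append("position")
    if abs(new_pos) * lim.margin_per_lot.get(commodity, 0) > lim.available_margin:
        out.append("margin")
    return out

def liquidates(pos, new_pos):
    """True only if the order reduces an existing position without flipping its side."""
    return pos != 0 and pos * new_pos >= 0 and abs(new_pos) < abs(pos)

def route(acct, commodity, side, qty, order_type):
    """Apply the account's controls to one order; return (accepted, reasons)."""
    pos = acct.positions.get(commodity, 0)
    new_pos = pos + (qty if side == "BUY" else -qty)
    # Member-imposed block: everything, or only orders that create/increase a position
    if acct.block == "all" or (acct.block == "increases" and not liquidates(pos, new_pos)):
        return False, ["blocked by Member"]
    found = breaches(acct, commodity, new_pos, qty, order_type)
    if found and acct.mode == "pre":
        return False, found     # pre-execution: the order is blocked automatically
    acct.positions[commodity] = new_pos
    if found:                   # post-execution: order went through, so raise an alert
        acct.alerts.append((commodity, side, qty, found))
    return True, found
```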
Direct Access Systems. When authorizing (qualifying a customer for) use of a direct access system that does not allow the Member to monitor trading promptly, the Member should utilize pre-execution controls, if available, to set pre-execution limits for each customer, regardless of the nature of the customer.10 The levels at which the limits are set should be based on the customer's sophistication, credit-worthiness, objectives, and trading practices. Members should also consider any other relevant information when deciding whether to authorize a customer to use a direct access system.
Review. Members should use AORSs in conjunction with their credit-review/risk-management systems and should evaluate the controls imposed on each customer as part of their regular credit and risk-control procedures.
* * *
NFA Compliance Rule 2-9 requires NFA Members to meet the standards for security, capacity, and credit and risk-management controls that are set out in this Interpretive Notice. It is NFA's policy to leave the exact form of supervision up to the Member, thereby providing the Member with flexibility to design procedures that are tailored to the Member's own situation.
1 The written procedures do not, however, have to contain technical specifications or duplicate procedures that are documented elsewhere.
2 An AORS may also be outside an IB Member's control if it is provided by the FCM.
3 This notice only applies to AORSs. It does not, for example, require Members to encrypt account information provided to customers electronically under CFTC Rule 1.33(g).
4 For purposes of this notice, the term "customer" includes CTAs except when referring to credit-worthiness and ability to accept risk. In those instances, the term "customer" is limited to the owner of the account.
5 Misrepresenting capacity or performance levels or other material information regarding a Member's order-routing system is a violation of NFA Compliance Rule 2-29.
6 NFA Compliance Rule 2-30 also requires Members to consider an individual customer's ability to accept risk.
7 Pre-execution controls include both credit and "fat-finger" protections.
8 The ability to impose pre-execution controls does not, however, have to be built into a system that will only be used by customers subject to post-execution controls.
9 "Promptly" means as soon as practical under the circumstances. Obviously, Members can review trades of customers who engage in simple strategies on only one market much more quickly than they can review trades of customers who execute complex strategies on multiple markets. In the latter case, a Member may not have all of the relevant information until the end of the day.
10 Customers may have a choice of direct access systems, some of which are better suited to their trading needs than others. While this interpretation does not dictate which system the customer uses, the Member should have the ability to either set pre-execution controls or monitor trading promptly.