Ms. Jean A. Webb
Commodity Futures Trading Commission
Three Lafayette Centre
1155 21st Street, N.W.
Washington, D.C. 20581
Re: Request of the National Futures Association for Approval of Interpretive Notice to NFA Compliance Rule 2-9: Supervision of the Use of Automated Order-Routing Systems (67 Fed. Reg. 14701 (Mar. 27, 2002))
Dear Ms. Webb:
Automated order-routing systems (AORSs) are becoming more and more common and are gradually replacing personal telephone contact as a means of entering orders for futures contracts. Although these simply provide different ways to enter an order and are governed by longstanding regulatory standards, the technology that is used affects the manner in which firms comply with those standards. As AORSs become more prevalent, it becomes increasingly important for NFA Members to understand how to adopt controls that apply pre-existing regulatory standards to these systems.
AORSs provide a valuable service to customers and can improve execution time and quality. However, they can also increase the possibility that a customer's order information will be altered or appropriated without the customer's permission, that a customer's order will be lost in the pipeline if the system becomes overloaded, or that a customer will enter trades that the firm has not authorized the customer to make. As the General Accounting Office has noted:
- With proper controls, AORS used to transmit customer orders can further regulatory objectives by enhancing customer protection, market integrity, and financial integrity, as well as provide other benefits to futures market participants. However, without proper controls, such AORS can raise customer protection and other regulatory concerns related to inadequate system capacity and security and increased opportunities for unauthorized trading.[1]
NFA's proposed interpretive notice on AORSs is designed to provide Members with guidance on their supervisory responsibility to include appropriate controls in the AORSs they offer to their customers. The interpretive notice was the culmination of a long process that included a wide-ranging review of AORS standards and regulatory requirements and sought and incorporated substantial input from all segments of the futures industry.
The interpretive notice adopted by NFA's Board of Directors recognizes that Members have a supervisory responsibility to process orders in a reliable and timely manner and to impose credit and risk-management controls on trading done by any particular customer. The notice also recognizes that supervisory standards do not change with the medium used but that how those standards are applied may be affected by technology. Therefore, the interpretive notice embraces a flexible approach to AORSs that provides meaningful guidance to Members without mandating specific technology.
This comment letter begins by describing the comprehensive process that NFA went through in developing the interpretive notice. It then describes the comments received by NFA as a result of its request for membership comment and the resulting changes to the notice. Finally, it discusses NFA's reasons for adopting the interpretive notice in its current form.
In November 2000 the Board of Directors — responding to a letter from then CFTC Chairman Rainer — asked NFA's Special Committee to Review Technology to develop standards relating to security, capacity, and controls for automated order-routing systems (AORSs) that route orders through an FCM. The Board also directed the Special Committee to find a middle ground between one-size-fits-all requirements that mandate specific technology and guidelines that are so general as to be meaningless.
The Special Committee was composed of representatives from six FCMs (ranging from large broker-dealer/FCMs to a smaller, futures-only firm), six exchanges, two end users (CPO/CTAs), two third-party vendors, and one clearing organization. This broad range of viewpoints was a tremendous asset to the Special Committee in developing the interpretive guidance, and the proposed interpretive notice represents the consensus view of these diverse individuals. A list of the Special Committee members is attached as Exhibit A.
The Special Committee met eight times between November 14, 2000 and December 11, 2001. During that time, it reviewed approximately twenty studies, proposals, advisories, and similar documents issued by eight separate organizations (including the SEC, the CFTC, the GAO, and IOSCO); sought input from NFA's FCM, IB, and CPO/CTA Advisory Committees and from the Futures Industry Association (FIA), the Managed Funds Association (MFA), and the National Introducing Brokers Association (NIBA); and published the proposed interpretive notice for membership comment. The interpretive notice went through seven drafts, including several major revisions based on comments received from the industry at different points during the process.
The Special Committee's initial draft of the interpretive notice affirmed the basic supervisory standards that apply to all order-routing processes regardless of the medium used. The draft then described the best practices used in the industry for orders routed through AORSs and stated that using those practices would provide Members with a safe harbor for meeting the basic standards. When the draft was circulated, some members of FIA's Law and Compliance Division objected to the best practices/safe harbor approach. In particular, the Law and Compliance members felt that best practices should be developed by industry organizations rather than regulators. They were also concerned that characterizing elements of the draft notice as "best practices" or a "safe harbor" could lead to unintended uses by third parties in civil litigation. Finally, they objected to the level of detail contained in the draft interpretive notice.
As a result of these concerns, the Special Committee redrafted the notice without the references to best practices and safe harbors and with less detail. The Special Committee then sought comments on the revised draft from FIA, MFA, NIBA, and NFA's FCM, IB, and CPO/CTA Advisory Committees.
NIBA was the only industry trade association to file comments with the Special Committee, although representatives of FIA did participate in the FCM Advisory Committee's discussion. A copy of NIBA's Comment Letter is attached as Exhibit B. NIBA generally supported the interpretive notice, as did the IB and CPO/CTA Advisory Committees. The FCM Advisory Committee, on the other hand, was concerned that NFA might be establishing standards that would be costly to comply with and could be used against Members in litigation. They felt that NFA was getting ahead of the curve and should take a more cautious approach. In fact, the FCM Advisory Committee questioned whether NFA should be doing anything at all in this area. A copy of a memorandum to the Special Committee describing the Advisory Committees' comments is attached as Exhibit C.
After considering these comments, the Special Committee revised the interpretive notice to eliminate more of the details regarding technology and — at the direction of NFA's Executive Committee — put the revised notice out for membership comment. Notice to Members I-01-15, issued August 31, 2001, is attached as Exhibit D. Although comments were originally due on September 28, 2001, that deadline was subsequently extended to November 15, 2001. The Special Committee also again asked NFA's Advisory Committees to review and comment on the revised language. The comments NFA received are described in the next section of this letter.
After the comment period closed, the Special Committee reviewed the comments received and made additional changes to the interpretive notice. The revised notice was then sent to the Executive Committee and the Board of Directors. This final version of the notice was adopted by the Board on February 21, 2002 and submitted to the CFTC on March 1, 2002.
Summary of the Comments and the Resulting Changes
NFA received nine comment letters in response to its request for membership comment. The FCM, IB, and CPO/CTA Advisory Committees also provided comments. Copies of the comments are attached as Exhibit E. In general:
- All of the commenters except the FCM Advisory Committee supported NFA's efforts to provide guidance to Members on their supervisory responsibilities for orders entered through an automated order-routing system (AORS);
- Several of the commenters questioned the specific approach taken by the proposed interpretive notice, which they characterized as being overly prescriptive rather than simply providing guidance; and
- Some commenters believed that NFA should not mandate that the supervisory procedures be in writing. Some commenters also felt that it is unnecessary to have procedures covering protections that are already written into an automated system.
In contrast to the other commenters, the FCM Advisory Committee did not believe that NFA should issue any interpretive guidance on the use of AORSs. According to the FCM Advisory Committee:
- Members already have all the guidance they need so the notice is unnecessary;
- The notice imposes obligations that are not present for orders entered over the telephone; and
- Decisions regarding AORSs should be a matter of business judgment, not regulation. The members of the FCM Advisory Committee believe that the guidance issued in the securities industry does not impose the same regulatory obligations on firms, and they do not believe that NFA should be a leader in this area.
As discussed below, the Special Committee did not agree that the interpretive notice was unnecessary or that the general approach was too prescriptive. It did, however, agree with a number of the specific comments that were made and revised the interpretive notice accordingly. In particular, the Special Committee:
- Added language to the introduction stating that certain of the procedures in the notice may not be needed when only firm personnel can enter orders into the system;
- Clarified that encryption and firewalls can be replaced with more appropriate and effective security procedures as they are developed or identified;
- Eliminated a statement that Members should periodically check with each customer to verify that the individuals who are authorized to access the AORS are still authorized to do so and to discover whether any passwords should be disabled, replacing it with a statement that Members should, as appropriate, provide customers with a means to notify the Member when individuals are no longer authorized or passwords should be disabled;
- Clarified that the term "customer" includes CTAs except when referring to credit-worthiness and ability to accept risk;
- Revised two sections of the notice to allow Members to use any appropriate means for conducting periodic security testing and capacity reviews;
- Revised the section on administration to clarify that the responsibility for the security of the AORS lies with the firm and not a single individual;
- Revised the section on disaster recovery and redundancies to note that backup systems can include facilities for accepting orders by telephone or reliance on third-party brokers or clearing firms;
- Added a footnote stating that pre-execution controls do not have to be built into a system that will only be used by customers subject to post-execution controls;
- Eliminated a separate section on "fat-finger" protections and replaced it with a footnote stating that fat-finger protections are part of pre-execution controls;
- Clarified that the ability to monitor trades post-execution can be provided by either the AORS or other risk-management systems; and
- Added a footnote to clarify that the written procedures do not have to contain technical specifications or duplicate procedures that are documented elsewhere.
The Special Committee and the Board believe that the industry needs guidance and it is appropriate for NFA to issue it. The Special Committee and the Board also believe that the standards must be clear enough to provide meaningful guidance to Members and to ensure that firms can be audited for compliance. The interpretive notice provides that guidance by clarifying existing requirements.
After some introductory language, the interpretive notice contains three sections that deal with security, capacity, and credit and risk-management controls. Each section of the interpretive notice begins with a general standard that applies to all orders regardless of the manner of entry. Although these general standards have not been explicitly spelled out in earlier guidance issued by NFA, they are nothing new. They are intuitive standards that are — and have always been — implicit in NFA Compliance Rule 2-9.
Each of the three sections then goes on to give more practical guidance on how the general standard applies to orders entered through an AORS. This guidance does not impose new requirements but merely clarifies how existing requirements apply to those orders. For example, the section on security states that the AORS should authenticate the user and goes on to give some examples of possible authentication methods. Although the authentication methods that are listed are specific to electronic systems, the duty to authenticate the user has always existed - it goes without saying that a Member should not accept a telephone order without reason to believe that the person placing the order is who he says he is.
The FCM Advisory Committee commented that decisions regarding AORSs should be a matter of business judgment, not regulation. The Special Committee and the Board are mindful of this concern and do not mean to substitute their business judgment for that of individual Members. The interpretive notice provides Members with flexibility to design procedures tailored to their own circumstances and to take advantage of changes in technology. On the other hand, the Special Committee and the Board believe that the use of AORSs is an appropriate area for regulatory guidance and that the requirements in the interpretive notice are necessary to protect customers and other users of the futures markets.
The requirements in the interpretive notice were carefully crafted to ensure that they do not impose unnecessary burdens on Members. In fact, the Special Committee was very responsive to concerns from smaller entities. For example, NFA received several comments that it would be too expensive for small entities to either maintain an independent internal audit department or hire a qualified outside party to test the system. As a result, the interpretive notice was revised to allow these firms to use "other appropriate means" for conducting periodic security testing and capacity reviews.
Some of the comments stated that the interpretive notice is too specific. The Special Committee addressed these concerns where appropriate, and each draft of the interpretive notice became less detailed and more generic. However, the Special Committee believes that making it any more generic than it currently is would make it so general as to be meaningless, and the Board agrees with this assessment.
The FCM Advisory Committee also commented that the guidance issued in the securities industry does not impose these regulatory obligations on securities firms, and the FCM Advisory Committee did not believe that NFA should be a leader in this area. The Special Committee and the Board do not agree. NFA would not be a responsible regulator if it waited to address a need until someone else addressed it first or until a crisis occurred. The Special Committee and the Board believe that a need exists and that NFA should address that need.
As a practical matter, NFA's interpretive notice does not contain anything new. In regard to system security, the banking regulators impose similar requirements,[2] and the CFTC recently adopted Regulation 160.30, which, while less detailed, applies the same general standard.[3] In regard to capacity, the provisions in the interpretive notice were generally modeled after several SEC releases.[4] Although NFA may be the first regulator to issue guidance on applying credit and risk-management controls to AORSs, the obligation to guard against systemic risk is as old as the CFTC — or perhaps as old as the markets themselves.
NFA did not write the interpretive notice in a vacuum. The members of the Special Committee came from divergent segments of the futures industry; the Special Committee specifically sought input from the three trade associations that represent futures intermediaries and from NFA's Advisory Committees, which represent those same constituencies; and NFA put the interpretive notice out for Member comment. The Special Committee considered all of the comments it received from these groups and made a number of significant changes to the interpretive notice in response to those comments. The Special Committee could not, however, please everyone and still remain faithful to NFA's responsibilities as a regulator.
The Federal Register release states that "NFA has also revised the required annual self-examination to include the WebTrust℠/™ Self-Assessment Questionnaire. . . ." Although this statement is true, NFA would like to clarify the effect of incorporating that document into NFA's self-examination requirement. NFA's interpretive notice on Compliance Rule 2-9: Self-Audit Questionnaires (NFA Manual, ¶9020) requires NFA Members to annually review their operations using a questionnaire developed by NFA and to attest in writing that the Member has reviewed its current procedures and they appear to be adequate to meet the Member's supervisory responsibilities. The Member does not have to actually fill out the self-examination questionnaire, nor is it required to keep any documentation other than the written attestation. Furthermore, the Member does not have to review any sections of the questionnaire that do not apply to the Member's business. Therefore, incorporating the WebTrust℠/™ Self-Assessment Questionnaire into the self-examination does not require Members to actually fill out the questionnaire or to review any portions of it that are not applicable to the Member's business.[5]
As noted above, the interpretive notice does not impose new requirements but merely clarifies existing ones. Nonetheless, NFA realizes that some Members may not have understood these requirements and may not currently comply with them. We will work with Members to bring them into compliance and will not take disciplinary action against any Member that comes into compliance within a reasonable time.
NFA also recognizes that some Members have outstanding agreements with third-party vendors that may not comply with the standards in the interpretive notice. NFA does not expect Members to breach their existing agreements. NFA does, however, expect Members to work with their third-party vendors to conform to those standards. Members should also avoid entering into subsequent agreements that do not comply.
NFA has worked closely with the industry throughout this entire process and will continue to do so. We will be happy to answer any questions and respond to any concerns that are raised by the comment letters.
If you have any questions or need any additional information, please contact Kathryn Camp, Associate General Counsel. She can be reached by telephone at 312-781-1393 or by e-mail at firstname.lastname@example.org.
Very truly yours,
Thomas W. Sexton
Vice President and General Counsel
cc: Chairman James E. Newsome
Commissioner Barbara Pedersen Holum
Commissioner Thomas J. Erickson
Lawrence B. Patent, Esq.
Christopher W. Cummings, Esq.
[1] General Accounting Office, Commodity Exchange Act: Issues Related to the Regulation of Electronic Trading Systems, pgs. 12-13 (May 2000).
[2] See, e.g., FFIEC Guidance on Authentication, SR 01-20 (Federal Reserve, Aug. 15, 2001); Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness, 66 Fed. Reg. 8615 (Feb. 1, 2001) (not medium-specific); Uniform Rating System for Information Technology, 64 Fed. Reg. 3109 (Jan. 20, 1999); Technology Risk Management, OCC 98-3 (OCC, 1998); Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations, SR 98-9 (Federal Reserve, Apr. 20, 1998).
[3] Privacy of Consumer Financial Information, 66 Fed. Reg. 21235 (Apr. 27, 2001). The SEC has adopted similar regulations. Privacy of Consumer Financial Information, Regulation S-P, 65 Fed. Reg. 40333 (June 29, 2000).
[4] Policy Statement: Automated Systems of Self-Regulatory Organizations (II) (SEC, May 9, 1991); Policy Statement: Automated Systems of Self-Regulatory Organizations (SEC, Nov. 16, 1989); Staff Legal Bulletin No. 8 (SEC, Sept. 9, 1998) (discussing capacity requirements for broker-dealers and stating in fn. 10 that broker-dealers should use the two automation policies as guidelines). Although the automation policies state that they are guidance to be adopted on a voluntary basis, the SEC appears to have applied those policies as requirements for the development of new systems. See, e.g., Order Approving Proposed Rule Change by the Pacific Exchange, Inc., as Amended, and Notice of Filing and Order Granting Accelerated Approval to Amendment Nos. 4 and 5 Concerning the Establishment of the Archipelago Exchange as the Equities Trading Facility of PCX Equities, Inc., 66 Fed. Reg. 55225, 55230 (Nov. 1, 2001) ("The PCX would also be required to comply with the Commission's Automation Review Policy....").
[5] Some of the questions in the WebTrust℠/™ Self-Assessment Questionnaire go beyond the standards described in the interpretive notice on AORSs. Those questions may be useful to Members in evaluating their procedures for supervising AORSs, but they are not intended to impose any additional requirements.