Notices to Members


Notice I-01-15

August 31, 2001

Request for Comments on Proposed Interpretive Notice Regarding Automated Order-Routing Systems

The Board of Directors has asked the Special Committee to Review Technology to develop standards relating to security, capacity, and controls for automated order-routing systems (AORSs) that route orders through an FCM. The Board also directed the Special Committee to find a middle ground between one-size-fits-all requirements that mandate specific technology and guidelines that are so general as to be meaningless. After studying the issue, the Special Committee determined that the best way to address AORS issues is through interpretive guidance to Members on their supervisory responsibilities over orders entered through those systems.

The Special Committee is composed of representatives from all areas of the industry involved in order-routing, including FCMs, exchanges, end users, and third party vendors. The Committee also sought input from industry trade organizations and NFA's FCM, IB, and CPO/CTA Advisory Committees. The resulting broad range of viewpoints has been a tremendous asset to the Special Committee in drafting the interpretive notice. The Committee drew on the experience of other industries, particularly the securities industry, by reviewing releases, studies, standards, and reports issued by the Securities and Exchange Commission, the General Accounting Office, the International Organization of Securities Commissions, and AICPA/CICA, among others.[1]

The use of, and standards for, AORSs is an important issue that has generated healthy discussion from divergent viewpoints. Therefore, the Executive Committee has asked the Special Committee to publish the draft interpretive notice for comment.

Summary of the Interpretive Notice

The attached draft interpretive notice recognizes that Members have a supervisory responsibility to process orders in a reliable and timely manner and to impose credit and risk-management controls on trading done by any particular customer. The notice also recognizes that supervisory standards do not change with the medium used but that how those standards are applied may be affected by technology. Therefore, as the Board directed, the notice tries to achieve a middle ground between one-size-fits-all requirements that mandate specific technology and guidelines that are so general as to be meaningless.

The notice requires Members to have supervisory procedures but does not specify what those procedures must be, thereby providing each Member with the flexibility to design procedures that are tailored to the Member's own situation. The Special Committee also recognizes that not even the best procedures can prevent every breach of security, ensure that the system never becomes overloaded, or eliminate every financial risk to the firm or its other customers. Therefore, the notice only requires Members to adopt procedures reasonably designed to accomplish these ends.

Regarding security, the draft interpretive notice states that Members who accept orders must adopt and enforce written procedures reasonably designed to protect the reliability and confidentiality of orders and account information at all points during the order-routing process. To that end, the notice states that Members should have procedures addressing authentication of users, encryption of information, firewalls, authorization of users, periodic testing of the AORS's security systems, and who will administer system security.

On the subject of capacity, the draft interpretive notice provides that Members who accept orders must adopt and enforce written procedures reasonably designed to maintain adequate personnel and facilities for the timely and efficient delivery of customer orders and reporting of executions. In this regard, the procedures should cover capacity reviews, disaster recovery and redundancies, and advance disclosure to customers of both potential systems problems and alternative procedures for customers to use if problems occur.

In connection with credit and risk-management controls, the draft interpretive notice states that Members who accept orders must adopt and enforce written procedures reasonably designed to prevent customers from entering into trades that create undue financial risks for the Member or the Member's other customers. In particular, the procedures should address pre-execution and post-execution controls and how to determine which controls apply to a particular customer, fat-finger protections, special considerations for authorizing use of direct access systems, and on-going review of the controls imposed.

Request for Comment

The Special Committee welcomes comments on all aspects of the draft interpretive notice. The Committee specifically requests comments on the following.

  1. Does an NFA Member have a supervisory responsibility over orders entered through an AORS that is within the Member's control? Are there existing standards of sufficient clarity to inform Members what is expected of them when supervising these orders? If so, please identify those standards.

  2. Has the Special Committee taken the right approach by drafting an interpretive notice on Members' supervisory responsibilities? Should NFA adopt a rule instead?

  3. As written, the draft interpretive notice specifies particular matters that Members should address in their supervisory procedures while providing Members with flexibility in how they address those matters. Should the interpretive notice go farther and identify best practices used in the industry? If so, should it provide a safe harbor for Members who use the best practices listed in the notice?

  4. Does the interpretive notice contain the right amount of detail? Is it too specific? Not specific enough?

  5. As written, the draft interpretive notice applies to any AORS the Member has control over. One of the issues the Special Committee struggled with is when a Member has control over an AORS. The Committee requests comments on when an AORS is within a Member's control, including examples and factors to consider.

  6. Is the description of the available technology accurate? Would any of the technological functions mentioned in the interpretive notice be too costly? Ineffective? Are there other functions that should be included?

Comments should be sent to Kathryn Camp, Associate General Counsel, and should be received by September 28, 2001. Comments can be filed by e-mail at kcamp@nfa.futures.org, by facsimile at 312-781-1523, or by mail at National Futures Association, 200 West Madison St., Suite 1600, Chicago, Illinois 60606. Questions can be directed to Kathryn at the above e-mail address or by telephone at 312-781-1393.

DRAFT

COMPLIANCE RULE 2-9: SUPERVISION OF THE USE OF AUTOMATED ORDER-ROUTING SYSTEMS

INTERPRETIVE NOTICE

NFA Compliance Rule 2-9 places a continuing responsibility on every Member to diligently supervise its employees and agents in all aspects of their futures activities. The rule is broadly written to provide Members with flexibility in developing procedures tailored to meet their particular needs. On certain issues, however, NFA has issued Interpretive Notices to provide more specific guidance on acceptable standards for supervisory procedures.

Currently, information technology is changing nearly every aspect of how Members conduct business, including how customer orders are transmitted. The Board of Directors firmly believes that supervisory standards do not change with the medium used. How those standards are applied, however, may be affected by technology. Therefore, in order to fulfill their supervisory responsibilities, Members must adopt and enforce written procedures to examine the security, capacity, and credit and risk-management controls provided by the firm's automated order-routing systems (AORSs).

NFA recognizes that, given the differences in the size, complexity of operations, and make-up of the customers serviced by NFA Members, there must be some degree of flexibility in determining what constitutes "diligent supervision" for each firm. It is NFA's policy to leave the exact form of supervision up to the Member, thereby providing the Member with flexibility to design procedures that are tailored to the Member's own situation. It is also NFA's policy to set general standards rather than to require specific technology. Therefore, other procedures besides the ones described in this Interpretive Notice may comply with the general standards for supervisory responsibilities imposed by Compliance Rule 2-9.

This Interpretive Notice applies to any AORS that is within a Member's control, including an AORS that is provided to the Member by an independent service vendor. While a Member is not, of course, responsible for an AORS chosen by the customer and outside of the Member's control (such as direct access systems provided by exchanges), the Member is nevertheless responsible for adopting procedures reasonably expected to address the trading, clearing, and other risks attendant to its customer relationship.[2]

Security

General Standard. Members who accept orders must adopt and enforce written procedures reasonably designed to protect the reliability and confidentiality of orders and account information at all points during the order-routing process. The procedures must also assign responsibility for overseeing the process to one or more individuals who understand how it works and who are capable of evaluating whether the process complies with the firm's procedures.

Authentication. The AORS should authenticate the user. Authentication can be accomplished through a number of methods, including, but not limited to, the following:

  • Passwords;

  • Authentication tokens, such as SecurID cards; or

  • Digital certificates.

Encryption. The system should use encryption for all authentication and for any order or account information that is transmitted over a public network, a semi-private network, or a virtual private network. Encryption is less important for a private network that uses dedicated lines and is controlled by the Member (although it can still be a valuable protection).

Firewalls. Firewalls should be used with public networks, semi-private networks, and virtual private networks. A warning should be generated if a firewall is breached.

Authorization. The Member should periodically check each customer to verify that the individuals authorized by the customer to access the AORS are still authorized to do so and to discover whether any passwords (or other forms of authentication) should be disabled.
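The periodic authorization check described above, as an added example that is not part of the draft notice and not NFA's or any vendor's code: it reconciles the individuals each customer has authorized in writing against the credentials actually enabled on the AORS, and lists the credentials a supervisor should disable (user no longer authorized, customer unknown, credential never used, or credential idle past a threshold). Customers, user names, dates and the 90-day idle threshold are all constructed for illustration.

```python
"""Periodic review of who may enter orders through an AORS.

Added example; not NFA's or any vendor's code.  Reconciles the individuals
each customer has authorized in writing against the credentials active on
the system and lists those that should be disabled.  Customers, users,
dates and the idle threshold are constructed; field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Credential:
    user_id: str
    customer: str
    last_login: Optional[date]   # None means the credential has never been used


# Constructed: what each customer has told the Member in writing.
CUSTOMER_AUTHORIZATIONS: Dict[str, Set[str]] = {
    "ACCT-1001": {"alice", "bob"},
    "ACCT-1002": {"carol", "frank"},
}

# Constructed: credentials currently enabled on the AORS.
ACTIVE_CREDENTIALS: List[Credential] = [
    Credential("alice", "ACCT-1001", date(2001, 8, 20)),   # in use, authorized
    Credential("bob", "ACCT-1001", date(2001, 2, 1)),      # authorized but idle
    Credential("dave", "ACCT-1001", date(2001, 8, 25)),    # active, but not on customer's list
    Credential("carol", "ACCT-1002", None),                # issued, never used
    Credential("erin", "ACCT-1003", date(2001, 8, 30)),    # customer has no authorization on file
]

REVIEW_DATE = date(2001, 8, 31)   # constructed "today" for the review


def review_authorizations(authorizations: Dict[str, Set[str]],
                          credentials: List[Credential],
                          today: date,
                          max_idle_days: int = 90) -> Dict[str, str]:
    """Return {user_id: reason} for each credential that should be disabled."""
    to_disable: Dict[str, str] = {}
    for cred in credentials:
        allowed = authorizations.get(cred.customer)
        if allowed is None:
            to_disable[cred.user_id] = "no authorization on file for customer"
        elif cred.user_id not in allowed:
            to_disable[cred.user_id] = "not on the customer's authorized list"
        elif cred.last_login is None:
            to_disable[cred.user_id] = "issued but never used"
        elif (today - cred.last_login).days > max_idle_days:
            to_disable[cred.user_id] = f"idle for more than {max_idle_days} days"
    return to_disable


def unprovisioned_users(authorizations: Dict[str, Set[str]],
                        credentials: List[Credential]) -> List[str]:
    """Authorized individuals with no active credential: follow up, but nothing to disable."""
    active = {(c.customer, c.user_id) for c in credentials}
    return sorted(
        f"{cust}:{user}"
        for cust, users in authorizations.items()
        for user in users
        if (cust, user) not in active
    )


def run_review() -> Dict[str, str]:
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_authorizations(CUSTOMER_AUTHORIZATIONS, ACTIVE_CREDENTIALS, REVIEW_DATE)


if __name__ == "__main__":
    for user, reason in sorted(run_review().items()):
        print(f"disable {user}: {reason}")
    for entry in unprovisioned_users(CUSTOMER_AUTHORIZATIONS, ACTIVE_CREDENTIALS):
        print(f"authorized but no credential: {entry}")
```

The review compares two independent sources (the customer's written authorization and the system's own credential store) rather than trusting either alone, which is what catches the account that was provisioned for a customer who has no authorization on file at all. The same logic applies to tokens or certificates; only the "last used" field changes.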

Periodic Testing. The Member should conduct periodic testing of the security of the AORS using either an independent, internal audit department or a qualified outside party.

Administration. The Member should adopt and enforce written procedures assigning the responsibility for overseeing the security of the AORS to an appropriate supervisor who is familiar by experience or training with computer systems and computer security. The procedures should also provide that appropriate personnel keep up with new developments, monitor the effectiveness of the system's security and respond to any breaches, and update the system as needed so that the AORS maintains a high level of security.

Capacity

General Standard. Members who accept orders must adopt and enforce written procedures reasonably designed to maintain adequate personnel and facilities for the timely and efficient delivery of customer orders and reporting of executions. The procedures must also be reasonably designed to handle customer complaints about order delivery and reporting in a timely manner.

Members may not misrepresent the services they provide or the quality of those services. If a Member represents that it maintains a particular capacity or performance level, it must take the measures necessary to achieve that level.[3]

Capacity Reviews. The Member should adopt and enforce written procedures to regularly evaluate the capacity of the AORS and to increase capacity when needed. The procedures should also provide that the system will be subjected to periodic stress tests by either an independent, internal audit department or a qualified outside party.

The Member should monitor both capacity (how much volume the system can handle before it is adversely impacted or shuts down) and performance (how much volume the system can handle before response time increases), and should assess the AORS's capacity and performance levels based on the major strains imposed on the system. The Member should establish acceptable capacity and performance levels based on its customers' needs and expectations. The Member's procedures should be reasonably designed to provide adequate capacity to meet estimated peak volume needs based on past experience, present demands, and projected demands.

The procedures should also provide for the Member to follow up on customer complaints about access problems, system slowdowns, or system outages. This follow-up should include identifying the cause of the problem, taking action to correct it, and evaluating ways to prevent it from recurring.

Disaster Recovery and Redundancies. The Member should use redundant systems or be able to quickly convert to other systems if the need arises. The Member should also have contingency plans reasonably designed to service customers if the system goes down.

When operational difficulties occur, the Member should provide immediate and effective notification to customers. Notification can be made by a number of methods, including, but not limited to, the following:

  • a message on the Member's web site;

  • e-mails or instant messages; and/or

  • a recorded telephone message for customers on hold.

Advance Disclosure. The Member should disclose, in advance, the factors that could reasonably be expected to affect the system's performance (e.g., periods of stress). The Member should also educate customers on alternative ways to enter orders when the system goes down or reaches an unacceptable performance level. This disclosure may be made in the account agreement, on the Member's web site, or in any other manner designed to provide this information to current customers before problems occur.

Credit and Risk-Management Controls

General Standard. Members who accept orders must adopt and enforce written procedures reasonably designed to prevent customers from entering into trades that create undue financial risks for the Member or the Member's other customers.[4]

Pre-Execution Controls. An AORS should allow the Member to set limits for each customer based on commodity, quantity, and type of order (e.g., new positions versus liquidating orders) or based on margin requirements. It should allow the Member to impose limits pre-execution and to automatically block any orders that exceed those limits.

The Member does not have to impose pre-execution controls on all customers, however. The Member should review the customer's sophistication, credit-worthiness, objectives, and trading practices when determining whether to impose controls pre-execution or post-execution and deciding what levels to use when setting limits.

Post-Execution Controls. For customers subject to post-execution controls, the system should give the Member the ability to monitor trading promptly and should generate alerts when limits are exceeded. The system should also allow the Member to block subsequent orders, either in their entirety or by kind (e.g., to block orders that create a new position or increase an existing position but not orders that liquidate some or all of an existing position).

"Fat-Finger" Protections. The system should contain protections against "fat-finger" errors. For example, some systems use a "two-click" approach that requires a customer to confirm the order before it is entered. When deciding whether to require a particular customer to use "fat-finger" protections, the Member should again consider the customer's sophistication, credit-worthiness, objectives, and trading practices.

Direct Access Systems. When authorizing (qualifying a customer for) use of a direct access system that does not allow the Member to monitor trading promptly, the Member should utilize available pre-execution controls to set pre-execution limits for each customer, regardless of the nature of the customer. Where the limits are set should be based on the customer's sophistication, credit-worthiness, objectives, and trading practices. Members should also consider any other relevant information when deciding whether to authorize a customer to use a direct access system.

Review. Members should use AORSs in conjunction with their credit-review/risk-management systems and should evaluate the controls imposed on each customer as part of their regular credit and risk-control procedures.
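The controls described in the preceding paragraphs (pre-execution limits by commodity, quantity and order type; post-execution alerts with blocking of new or increasing orders; and a two-click confirmation), as one added example that is not part of the draft notice and not NFA's or any vendor's code. It classifies each order as liquidating or position-creating from the customer's current net position, blocks pre-execution customers before the order leaves the system, and for post-execution customers lets the order through but raises an alert and switches the account to liquidation-only until a supervisor reviews it. Limits are expressed in contracts rather than margin, every accepted order is treated as if it filled immediately, and the two customers and their limits are constructed.

```python
"""Pre- and post-execution credit controls for an AORS.

Added example; not NFA's or any vendor's code.  Limits are in contracts
rather than margin, accepted orders are treated as filled at once, and the
customers, commodities and limits are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Side(Enum):
    BUY = 1
    SELL = -1


@dataclass
class Order:
    customer: str
    commodity: str
    side: Side
    quantity: int
    confirmed: bool = False          # True once the user completed the second click


@dataclass
class CustomerLimits:
    mode: str                        # "pre": block before execution; "post": alert afterwards
    max_order_qty: Dict[str, int]    # commodity -> largest single order allowed
    max_position: Dict[str, int]     # commodity -> largest net position allowed
    fat_finger_confirm: bool = True  # require two-click confirmation
    liquidation_only: bool = False   # set after a post-execution breach


def is_liquidating(position: int, order: Order) -> bool:
    """An order liquidates if it is opposite to the current net position and
    does not flip it; anything else creates or increases a position."""
    return position * order.side.value < 0 and order.quantity <= abs(position)


@dataclass
class RiskEngine:
    limits: Dict[str, CustomerLimits]
    positions: Dict[Tuple[str, str], int] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def check(self, order: Order) -> str:
        """Apply the customer's controls; return "accepted" or the block reason."""
        lim = self.limits[order.customer]
        key = (order.customer, order.commodity)
        pos = self.positions.get(key, 0)
        liquidating = is_liquidating(pos, order)
        new_pos = pos + order.side.value * order.quantity
        pos_limit = lim.max_position.get(order.commodity, 0)

        if lim.fat_finger_confirm and not order.confirmed:
            return "confirmation required"
        if lim.liquidation_only and not liquidating:
            return "blocked: liquidating orders only until supervisor review"
        if lim.mode == "pre":
            if order.quantity > lim.max_order_qty.get(order.commodity, 0):
                return "blocked: order size exceeds limit"
            if not liquidating and abs(new_pos) > pos_limit:
                return "blocked: position limit exceeded"

        self.positions[key] = new_pos    # simplification: treat the order as filled
        if lim.mode == "post" and abs(new_pos) > pos_limit:
            self.alerts.append(f"{order.customer} {order.commodity} net {new_pos} exceeds {pos_limit}")
            lim.liquidation_only = True  # block new/increasing orders; a supervisor lifts this
        return "accepted"


def build_demo_engine() -> RiskEngine:
    """Constructed customers: one under pre-execution controls with two-click
    confirmation, one sophisticated account monitored post-execution."""
    return RiskEngine(limits={
        "ACCT-1001": CustomerLimits("pre", {"CL": 10}, {"CL": 25}),
        "ACCT-1002": CustomerLimits("post", {"CL": 100}, {"CL": 50}, fat_finger_confirm=False),
    })


def run_demo(engine: RiskEngine) -> List[str]:
    """Feed a constructed order sequence through the engine; return each outcome."""
    orders = [
        Order("ACCT-1001", "CL", Side.BUY, 5),                    # no second click
        Order("ACCT-1001", "CL", Side.BUY, 5, confirmed=True),    # net +5
        Order("ACCT-1001", "CL", Side.BUY, 15, confirmed=True),   # too large for one order
        Order("ACCT-1001", "CL", Side.BUY, 10, confirmed=True),   # net +15
        Order("ACCT-1001", "CL", Side.BUY, 10, confirmed=True),   # net +25, at the limit
        Order("ACCT-1001", "CL", Side.BUY, 5, confirmed=True),    # would be +30
        Order("ACCT-1001", "CL", Side.SELL, 10, confirmed=True),  # liquidating, net +15
        Order("ACCT-1002", "CL", Side.BUY, 60),                   # post: accepted, alert fires
        Order("ACCT-1002", "CL", Side.BUY, 1),                    # blocked until review
        Order("ACCT-1002", "CL", Side.SELL, 20),                  # liquidating, allowed
    ]
    return [engine.check(o) for o in orders]


if __name__ == "__main__":
    eng = build_demo_engine()
    for outcome in run_demo(eng):
        print(outcome)
    print(eng.alerts)
```

The order-type check is the part worth getting right: a sell against a long position is only liquidating while it does not exceed the position, so a "liquidation-only" block cannot be used to flip into a new short. Whether a given customer belongs in "pre" or "post" mode is the judgement the notice leaves to the Member's credit review; the engine only enforces the answer.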

* * *

NFA's Self-Examination Questionnaire has been revised to include the WebTrust(SM/TM) Self-Assessment Questionnaire for Availability that was developed (and copyrighted) by AICPA/CICA. Members will be required to review the AICPA/CICA questionnaire as part of their annual self-examination.[5]

NFA Compliance Rule 2-9 requires NFA Members to meet the standards for security, capacity, and credit and risk-management controls that are set out in this Interpretive Notice. It is NFA's policy to leave the exact form of supervision up to the Member, thereby providing the Member with flexibility to design procedures that are tailored to the Member's own situation.


[1] AICPA/CICA is the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants.

[2] An AORS may also be outside an IB Member's control if it is provided by the FCM.

[3] Misrepresenting capacity or performance levels or other material information regarding a Member's order-routing system is a violation of NFA Compliance Rule 2-29.

[4] NFA Compliance Rule 2-30 also requires Members to consider an individual customer's ability to accept risk.

[5] See Interpretive Notice on Compliance Rule 2-9: Self-Audit Questionnaires, NFA Manual, 9020.