9060 - COMPLIANCE RULE 2-36(e): SUPERVISION OF THE USE OF ELECTRONIC TRADING SYSTEMS
(Board of Directors, November 16, 2006; effective July 1, 2007; revised October 15, 2007; December 17, 2007; June 1, 2009; October 18, 2010; October 1, 2011; November 15, 2011; and September 19, 2016.)
NFA Compliance Rule 2-36(e) places a continuing responsibility on every Forex Dealer Member (FDM) to diligently supervise its employees and agents in all aspects of its forex activities, and Compliance Rule 2-39 applies this same requirement to Members who solicit, introduce, or manage forex customer accounts. These rules are broadly written to provide Members with flexibility in developing procedures tailored to meet their particular needs, so NFA uses interpretive notices to provide more specific guidance.1
Although the Board of Directors firmly believes that supervisory standards do not change with the medium used, technology may affect how those standards are applied. The forex markets are highly automated, with virtually all trading done on electronic platforms. Most orders are also placed electronically, usually entered directly with the platform via the Internet. Therefore, in order to fulfill their supervisory responsibilities, Members must adopt and enforce written procedures to address the security, capacity, credit and risk-management controls, and records provided by the firm's electronic trading systems.2 This includes electronic trading platforms, order-routing systems incorporated into electronic trading platforms, and separate order-routing systems (AORSs).3 For an electronic trading platform, the procedures must also address the integrity of the trades placed on it.
NFA recognizes that Members who solicit or manage accounts may not have control over the electronic platform where the customer places its trades. Nonetheless, if these Members are dealing with a counterparty that is not an FDM, they have a supervisory responsibility to conduct a reasonable investigation regarding security, capacity, credit and risk-management, records, and integrity of trades on the platform prior to entering into a relationship with that counterparty and periodically thereafter. Therefore, while they are not subject to the more specific requirements of this Notice, they should adopt written procedures addressing the steps they will take to investigate the platform and how they will respond if they have reason to believe that the platform does not meet the general standards set out after each major heading.4
The specific requirements of this Notice do, however, apply to any FDM that uses another entity's trading platform through a "white-labeling" arrangement.5 If the entity providing the platform (the white labeler) is also an FDM, the FDM using the platform (the sponsor) may rely on the white labeler to comply with most of these requirements. The sponsor must, however, adopt and enforce written procedures to:
- Provide required notifications and disclosures to customers;
- Maintain records; and
- Respond to situations where it has reason to believe the white labeler is not complying with the Notice.
If the white labeler is not an FDM, the sponsor and the white labeler may agree by contract that the white labeler will comply with the Notice, but the sponsor FDM will still be liable if the requirements are not met.6
Each FDM must notify NFA of the trading platform it uses including the identity of the platform's owner and developer (if different than the owner) and whether the platform is proprietary, used under a white-labeling arrangement, or leased from a third-party under other terms. The FDM must also notify NFA when it changes its trading platform, adds a new trading platform, or drops a trading platform.
Each FDM must also maintain a copy of the procedures required by this Notice and provide a copy to NFA upon its request. The procedures must assign the responsibility for complying with this Notice to individuals who are under the ultimate supervision of an Associated Person who is also a listed principal.
Members must also ensure that any promotional or other material they distribute or endorse regarding the electronic trading system, or the services (e.g., capacity) or the quality of services (e.g., performance level) they provide with respect to that system, accurately and completely discuss the system’s functions and operation. Using material that misrepresents the electronic system, or the Member’s services or quality of service, constitutes a violation of NFA Compliance Rules 2-36(b) and 2-39(a).
Given the differences in NFA Members' size, complexity of operations, and business activities, they must have some flexibility in determining what constitutes "diligent supervision" for their firms. NFA's policy is to leave the exact form of supervision up to each Member, thereby providing the Member with flexibility to design procedures tailored to its own situation. It is also NFA's policy to set general standards rather than to require specific technology. Therefore, other procedures besides the ones described in this Interpretive Notice may comply with the general standards for supervisory responsibilities imposed by Compliance Rules 2-36 and 2-39.
General Standard. Members who handle customer orders must adopt and enforce written procedures reasonably designed to protect the reliability and confidentiality of customer orders and account information. The procedures must also assign responsibility for overseeing the process to one or more individuals who understand how it works and who are capable of evaluating whether the process complies with the firm's procedures.
Authentication. Electronic trading systems, or other systems the customer must go through to access electronic trading systems, should authenticate the user. Authentication can be accomplished through a number of methods, including:
- Authentication tokens, such as SecurID cards; or
- Digital certificates.
Encryption. The system should use encryption or equivalent protections for all authentication and for any order or account information that is transmitted over a public network (including the Internet), a semi-private network, or a virtual private network. If more appropriate and effective security procedures are developed or identified, the use of those procedures would comply with this standard.
Firewalls. Firewalls or equivalent protections should be used with public networks, semi-private networks, and virtual private networks. The system should log the activities that pass through a firewall, and the log should be reviewed regularly for abnormal activity. If more appropriate and effective security procedures are developed or identified, the use of those procedures would comply with this standard.
Authorization. Although it is the customer's responsibility to ensure that only authorized individuals have access to the electronic trading system using the customer's facilities and authentication devices (e.g., passwords), the Member's procedures should, as appropriate, provide customers with a means to notify the Member that particular individuals are no longer authorized or to request that authentication devices be disabled. Customers should be informed about the notification process.7
Administration. The Member should adopt and enforce written procedures assigning the responsibility for overseeing the security of the electronic trading system to appropriate supervisory personnel. The procedures should also provide that appropriate personnel keep up with new developments, monitor the effectiveness of the system's security, and respond to any breaches. Additionally, the procedures should provide for updating the system as needed to maintain the appropriate level of security.
General Standard. Members who handle customer orders must adopt and enforce written procedures reasonably designed to maintain adequate personnel and facilities for the timely and efficient delivery of customer orders and reporting of executions. Members who operate trading platforms must adopt and enforce written procedures reasonably designed to maintain adequate personnel and facilities for the timely and efficient execution of customer orders. The procedures must also be reasonably designed to handle customer complaints about order delivery, execution (if applicable), and reporting and to handle those complaints in a timely manner.
Capacity Reviews. The Member should adopt and enforce written procedures to regularly evaluate the capacity of each electronic trading system and to increase capacity when needed. The procedures should also provide that each system will be subjected to an initial stress test. Such test may be conducted through simulation or other available means. Capacity reviews should be conducted whenever major changes are made to the system or the Member projects a significant increase in volume and should occur at least annually.
The Member should monitor both capacity (how much volume the system can handle before it is adversely impacted or shuts down) and performance (how much volume the system can handle before response time materially increases), and should assess the electronic trading system's capacity and performance levels based on the major strains imposed on the system. The Member should establish acceptable capacity and performance levels for each of its electronic trading systems. The Member's procedures should be reasonably designed to provide adequate capacity to meet estimated peak volume needs based on past experience, present demands, and projected demands.
The procedures should also provide for the Member to follow up on customer complaints about access problems, system slowdowns, system outages, or other problems that may be related to capacity.8 The Member should identify the cause of any problem and take action to prevent it from re-occurring.
Disaster Recovery and Redundancies. The Member should have contingency plans reasonably designed to service customers if either the system goes down or activity exceeds reasonably expected peak volume needs. The Member should use redundant systems or be able to quickly convert to other systems if the need arises. These backup systems can include facilities for accepting orders by telephone.
When operational difficulties occur, including but not limited to a system outage or disruption or delay in execution time, the Member should provide prompt and effective notification to any customers affected by the operational difficulties. Notification can be made by a number of methods, including:
- a message on the Member's web site;
- e-mails or instant messages;
- a recorded telephone message for customers on hold; and/or
- a recorded telephone message on a line dedicated to providing system bulletins to existing customers.
An FDM must notify NFA as soon as reasonably possible, but no more than 24 hours, after operational difficulties occur. The notice should include the date, time, length, and cause of the outage or disruption; what the FDM did to remedy the situation in the short term; what steps the FDM will take to guard against future occurrences; the number of customers affected; and any actions the FDM took to adjust customer trades or accounts.
Advance Disclosure. The Member should disclose, in advance, the factors that could reasonably be expected to materially affect the system's performance (e.g., periods of stress) and the means available for contacting the Member during a system outage or slow-down. This disclosure should be provided to each customer at the time the customer opens an account using a method reasonably calculated to ensure that the customer becomes aware of it.9 The disclosure should also be prominently displayed on the Member's web site. The Member should also educate customers on alternative ways to enter orders when the system goes down or reaches an unacceptable performance level. This disclosure must be made in a manner designed to provide this information to current customers before problems occur, such as through the account agreement or a notice on the Member's website.
Credit and Risk-Management Controls
General Standard. Members who handle customer orders must adopt and enforce written procedures reasonably designed to prevent customers from entering into trades that create undue financial risks for the Member or the Member's other customers.10 Regardless of its business model - dealer or straight through processor - a Member must also have policies and procedures in place to monitor its own proprietary trading, including open positions, and the impact those positions and any potential market movement or adjustments may have on the Member’s ability to meet its capital requirement.
Account Controls. An electronic trading system should be designed to allow the Member to set limits for each customer based on the amount of equity in the account or the currency, quantity, and type of order, and the Member should utilize these controls. The system should automatically block any orders that exceed the pre-set limits.11
If the trading platform automatically liquidates positions, the FDM should set the liquidation levels high enough so that the positions will be closed out at prices that will prevent the account from going into a deficit position under all but the most extraordinary market conditions.12 The FDM's platform must automatically liquidate positions, and it must set its liquidation levels to comply with this requirement, if its customer agreement or promotional material states or implies that customers cannot lose more than they invest.
An electronic trading platform that does not automatically liquidate positions should generate an immediate alert when an account is in danger of going into a deficit position. Firm personnel should monitor those alerts throughout the day and take action when necessary.
System Controls. An electronic trading system should also be designed to identify trading anomalies or patterns that indicate a system malfunction, especially a malfunction that could result in undue risk to the FDM.
General Standard. Members who handle orders must adopt and enforce written procedures reasonably designed to record and maintain essential information regarding customer orders and account activity, including the information required by CFTC Regulation 5.18(b)(4).
Profit and Loss Reports. Electronic trading platforms should be able to produce, upon request, a report showing monthly and yearly realized and unrealized profits and losses by customer. The report should be sortable by the person soliciting, introducing, or managing the account.
The system should generate year-end reports for each customer showing the realized profits and losses incurred during the calendar year and the unrealized profits and losses on open positions. The FDM must distribute these reports to customers by January 31st.13
Reporting to NFA
General Standard. Each FDM must submit to NFA any reports or information required by NFA.
Daily Trade Records. Each FDM must file a daily electronic report of trades with NFA in accordance with NFA Compliance Rule 2-48. The report must contain the following data, and any other data required by NFA:
- All order transaction records on a daily basis;
- A list of executed trades on a daily basis;
- A list of all money managers on the first day of reporting, with any changes being reported daily;
- A list of all price adjustments made by the FDM on a daily basis; and
- A list of any unusual events, such as a system outage or "fast market" on a daily basis as applicable.
Management should review this report to ensure that it is providing NFA with full and complete information and review all transactions, exceptions and unusual events for suspicious or unjustifiable activity.
Assessment Fee Reports. Electronic trading platforms should generate month-end assessment fee reports for each FDM using the platform. The report should summarize the number of forex transactions executed during the month and the size of those transactions.14
Retention. Members must maintain this information for five years from the date created, and it must be readily accessible during the first two years, in accordance with CFTC Regulation 1.31. These records must be open to inspection by NFA, and copies must be provided to NFA upon request.
General Standard. FDMs must adopt and enforce written procedures reasonably designed to ensure the integrity of trades placed on their trading platforms.
Pricing. Trading platforms must be designed to provide bids and offers that are reasonably related to current market prices and conditions. For example, bids and offers should increase as prices increase, and spreads should remain relatively constant unless the market is volatile.15 Furthermore, if an FDM advertises a particular spread (e.g., 1 pip) for certain currency pairs or provides for a particular spread in its customer agreement, the system should be designed to provide that spread.16
Slippage. An electronic trading platform should be designed to ensure that any slippage is based on real market conditions. For example, slippage should be less frequent in stable currencies than in volatile ones, and prices should move in customers' favor as often as they move against them.
Settlement. An electronic trading platform should be designed to calculate uniform settlement prices. An FDM must have written procedures describing how settlement prices will be set using objective criteria.
Rollovers. If an electronic trading platform automatically rolls over open positions, the trading platform should be designed to ensure that the rollover complies with the terms disclosed in the customer agreement, including those provisions dictating how the rollover price is determined. Forex Dealer Members should adopt and enforce a written policy detailing the procedures they follow to calculate rollover or interest charges and payments. The policy must include the factors that are considered as well as the names of any sources for these factors. The Member should document the underlying factors reviewed in completing the calculation, including any related transactions entered into by the Forex Dealer Member, so it can be replicated.
Periodic Reviews and Annual Certification
Members should conduct periodic reviews (at least annually, but more frequently if the circumstances warrant a more frequent review) of any electronic trading system they utilize. This review should be designed to:
- Assess the security of the electronic trading system;
- Assess the reliability of the electronic trading system’s credit and risk-management controls;
- Ensure that the electronic trading system maintains required data and is capable of generating the reports required by this Notice;
- Ensure that the electronic system protects the integrity of the trades placed on it and executes customer forex orders in a fair manner.
The Member must prepare a report of the periodic review, noting the scope of the review, any findings and corrective action, and maintain a copy of the review in accordance with CFTC Regulation 1.31. The results of this review should be reported to the firm’s senior management, including the FDM’s Chief Compliance Officer, and any follow up should be recorded and signed by senior management.
An FDM must also have a qualified outside party conduct an independent annual review of any electronic trading platform it uses within twelve months after the FDM begins trading on that platform or within twelve months after the firm becomes an FDM, whichever is later.17 Thereafter, an independent review must be conducted at least annually, and a qualified outside party must conduct the review every other year. The remaining annual reviews and any additional reviews (which should be performed when needed) may be conducted by either an independent internal audit department or a qualified outside party. For pure order-routing systems, the required reviews may be conducted by an independent internal audit department or a qualified outside party and must be done at least annually.
The reviews should audit the system for compliance with the requirements in this Notice. The results should be documented and reported to the firm's senior management or to an internal audit committee or department. The Member should follow up to ensure that any deficiencies are addressed and corrected. The FDM should document the corrective action taken and a member of the firm's senior management should sign off on that report. The FDM should retain this report in accordance with CFTC Regulation 1.31.
Each FDM - including each FDM that provides a trading platform to its customers through a white-labeling arrangement - must certify annually that the requirements in this Notice have been met and that the written procedures required by this Notice are up-to-date. The certification must be signed by a principal who is also a registered AP and must be filed with NFA. In completing this certification the AP/principal should review the results of the periodic reviews and any corrective action taken.
Members who solicit or introduce forex customers or manage forex customer accounts must provide annual certifications if they use an electronic trading platform offered by a counterparty that is not an FDM or if they provide or endorse a separate AORS. The certification must be signed by a principal who is also a registered AP and must be filed with NFA. The certification may, however, be limited to the applicable requirements.
1 For purposes of this Notice, the term "Forex Dealer Member" has the same meaning as in Bylaw 306, the term "forex" has the same meaning as in Bylaw 1507(b), and the term "customer" has the same meaning as in Compliance Rule 2-36(i).
2 The written procedures do not, however, have to contain technical specifications or duplicate procedures that are documented elsewhere.
3 A trading platform executes a customer's trade by assigning the other side of the trade to a counterparty. An order-routing system transmits orders to a trading platform (or to another system or individual). In most instances, the same trading system will perform both functions. NFA understands that separate systems are extremely rare in the forex markets. Nonetheless, since most of the same principles apply, these separate systems are included in this Notice.
4 If the Member provides or endorses a separate AORS, however, the Member is responsible for meeting all of the applicable requirements in connection with that system.
5 White labeling refers to the practice of leasing the right to place the lessee's name on and market another firm's trading platform as its own and then passing the trades through to the lessor. In the typical white labeling arrangement, the lessee's customers do not have a contractual relationship with, and in fact may be unaware of, the firm that owns and operates the platform. For regulatory purposes, the lessee is the counterparty to the customer's trades and the corresponding transactions with the lessor are separate transactions between the lessee and the lessor to hedge the lessee's customer obligations.
6 As a practical matter, NFA will not take disciplinary action unless the sponsor knew or should have known that the white labeler was not meeting its contractual obligation to comply with this Notice or the sponsor failed to exercise due diligence when establishing and maintaining the relationship with the white labeler.
7 For purposes of this notice, the term "customer" includes CTAs entering orders for forex customers except when referring to credit-worthiness and ability to accept risk. In those instances, the term "customer" is limited to the owner of the account.
8 For example, lack of capacity might result in excessive slippage or an order not being filled.
9 A Member could, for example, provide the disclosure in a separate e-mail to an address provided by the customer. Burying the disclosure in the account opening documents is not sufficient.
10 A Member should assess each individual customer's ability to accept risk as part of the Member's obligation to know its customers. (See NFA Interpretive Notice entitled "Forex Transactions," NFA Manual, paragraph 9053).
11 An AORS used to access an electronic trading platform need not include pre-execution and post-execution controls if the Member providing or sponsoring the AORS has determined, after a reasonable investigation, that the trading platform complies with those requirements and that the Member who controls the trading platform effectively utilizes its controls.
12 If the FDM unconditionally guarantees customers against deficits it should, of course, take any loss that occurs beyond the amount of equity in the account even when the deficit occurs because of those extraordinary market conditions. Misrepresenting the potential for customer losses is a violation of NFA Compliance Rule 2-36(b) or 2-39(a).
13 FDMs can use Form 1099-B to satisfy this requirement.
14 The report should exclude transactions by eligible contract participants as that term is defined in Section 1a(18) of the CEA.
15 Management should approve each fill outside the price range displayed by the system when a market order was placed and should document the reason for the fill price.
16 If the FDM's customer agreement provides for exceptions in volatile or illiquid markets and those exceptions are prominently disclosed, the system may be programmed to be consistent with the agreement's terms.
17 For purposes of this Notice, "qualified outside party" means an unaffiliated individual or entity that, through experience or training, understands complex IT systems and is able to test the firm's systems for compliance with the requirements in the Notice.