By: Turnkey Trading Partners

In February, NFA adopted an Interpretive Notice entitled “NFA Compliance Rules 2-9 and 2-36: Members’ Use of Third-Party Service Providers” which will become effective September 30, 2021. This notice is the first time NFA has publicly laid out its expectations for how member firms outsource certain company functions. It is important to recognize that NFA has not prohibited any registrant or member firm from outsourcing any function. Rather, it has set standards for what it believes a reasonable approach to outsourcing risk should and could look like.

The notice identifies the following primary areas which, as of September 30, 2021, should be addressed within the supervisory policies of a CFTC registrant and NFA member firm:

  • Initial risk assessment;
  • On-boarding due diligence;
  • Ongoing monitoring;
  • Termination; and
  • Record-keeping.

As an award-winning, third-party service provider to the derivatives industry, this notice impacts Turnkey directly. Our staff has considered this notice in detail, and has tried to place bias aside while doing so. Although certain elements of notice 9079 are onerous, NFA’s intention is not misplaced. Ultimately, CFTC registrants and NFA member firms have always been responsible for all regulatory functions and record-keeping obligations. This has been true whether these functions were outsourced to third parties or not. Notice 9079 simply lays out the framework for NFA’s expectations in this area. It also serves as a reminder that registrants cannot simply outsource record keeping or critical functions to wash their hands of malfeasance.

Initial Risk Assessment

NFA’s notice does not restrict firms from outsourcing functions. It also applies only to third-party vendors that perform activities which assist a firm in fulfilling its NFA and/or CFTC regulatory obligations. To determine which vendors fall within that scope, firms first need to conduct an initial risk assessment of their third-party vendors. This review should consider the following areas:

  • Information Security – The type of confidential, personally identifying information or other valuable information the provider may obtain or have access to.
  • Regulatory – The impact to the firm, customers, and counterparties if the service provider fails to carry out the outsourced function(s) properly.
  • Logistics – The geographic location and delivery capabilities of the service provider. Does the third-party firm have the resources and capabilities to meet its contractual obligations?

If an area of risk is discovered which cannot be adequately controlled or remedied, firms should undertake a risk-based approach in considering whether a particular function should be outsourced or completed internally.

On-boarding Due Diligence

After an initial risk assessment has been performed, firms must then engage in further due diligence of third-party service providers. The type and amount of due diligence performed should be commensurate with the risks associated with the activity being outsourced.

Registrants at a minimum should ask the following questions when performing on-boarding due diligence:

  • Competency – does the third-party service provider have sufficient industry knowledge of CFTC regulations and NFA rules to properly deliver the outsourced function?
  • Experience – does the third-party service provider have enough relevant industry experience to be relied upon for the function?
  • Reliability – does the third-party service provider have the operational capacity and track record to provide the function accurately and sufficiently?
  • Access to Data – vendors that have access to critical or confidential data should be more heavily scrutinized. Activities NFA lists for consideration in this area include, but are not necessarily limited to, vendors that handle customer funds, keep required records, maintain critical regulatory-related or technology systems, or are necessary to file proper industry-required reports.
  • Stability – how stable is the vendor offering the third-party service? In this area NFA states that the service provider’s history with IT security, data transmission, storage, financial stability, background of key employees, regulatory history, legal history, and business continuity or disaster recovery plans might be considered.
  • Subcontracting – firms should investigate whether the third-party provider subcontracts any of the regulatory functions that the member outsources to yet another third-party firm. If so, the identity of the subcontractors should be provided, and if possible, registrants should evaluate the subcontractors involved in the outsourced function. Third-party firms that utilize subcontractors should be required, if possible, to notify members of material changes and allow for relationships to be terminated if such changes may have an adverse effect on the performance of the outsourced function.

Written Agreement

Third-party service terms are required to be documented in writing. Agreements should fully describe the scope of services being performed. Agreements should also address any guarantees and/or indemnifications, limitations to liability, and payment terms which may be in place. Significant agreements may also need to be signed by a firm principal. NFA has not, and cannot, require firms to include specific provisions within agreements. Members, however, are expected to review agreement terms and determine, to the extent possible, that they are appropriate and reflect the outsourcing arrangement as intended. Similarly, agreements should also address, as applicable, the process for data management at the termination of the service relationship.

Ongoing Monitoring

Firms should conduct ongoing monitoring of a third-party service provider’s ability to properly carry out an outsourced function. This review must be completed using a risk-based approach. Turnkey recommends all vendors be evaluated at least annually. Some vendors that are critical to company operations may need to be evaluated more frequently.

Generally, firms should rely on the initial risk assessment of an outsourced function to determine how critical a third-party service provider is to company operations and how often a review should be completed.

When conducting a review, the following areas should be considered:

  • Accuracy and regulatory competency of reports generated
  • Financial stability
  • Business continuity and contingency performance
  • Audit or other examination results
  • Public filings, legal claims, and general reputation
  • Insurance coverage and liability matters
  • IT security and track record
  • Availability of alternative vendors and “exit” risks

As part of this process registrants should also consider whether or not staff with sufficient and appropriate knowledge of the outsourced function are involved in evaluating the third-party service provider. Firms should consider whether or not review functions should be performed by senior team members or lower ranking employees. A process of escalation should also be in place to ensure that senior management is made aware of any material concerns which may arise with a third-party service provider during the course of business or when under a review.

Lastly, as part of the ongoing monitoring process, registrants should consider incorporating best practices relating to contractual renewals. Firms should consider proposed changes or updates to agreements at renewal against the firm’s initial risk assessment of the vendor.

Termination

NFA recommends that service agreements with third-party vendors include a sufficient notice period prior to a vendor terminating its relationship with a member firm. Firms must be able to meet all NFA and CFTC requirements, including record-keeping requirements, after the termination of a service provider relationship. NFA rules 2-10 and 2-49 should be evaluated and considered in this area. Similarly, firms should attempt to verify that any electronic access which may have been granted to a service provider has been terminated at the end of an agreement.

Conclusion

NFA’s newest interpretive notice DOES NOT eliminate a firm’s ability to outsource functions. It does, however, put in place a framework of NFA expectations for doing so. Turnkey is an award-winning compliance consulting and accounting firm within this space. We have years of industry experience and highly competent staff. Firms seeking guidance with respect to how they might comply with NFA notice 9079 are encouraged to contact Turnkey for support.

About Turnkey

Since our inception nearly 15 years ago, Turnkey has assisted hundreds if not thousands of firms. It would be our privilege to assist your firm in meeting your ongoing CFTC and NFA obligations. Please contact a Turnkey Trading Partners representative today with any questions you may have. We can be reached via phone by calling (312) 324-0040. If you’d prefer to contact us by email, you may reach us using the address info@turnkeytradingpartners.com.