By: Turnkey Trading Partners

On May 12, 2021, President Joe Biden signed an executive order requiring improvement of US Cybersecurity. Among other things, Biden’s order required that all Federal agencies in possession of private identifying information (“PII”) implement and mandate multi-factor authentication (“MFA”) for users of systems where this data is stored and accessible. Under this order the Commodity Futures Trading Commission (“CFTC”) was implicated. Since the CFTC outsources many functions to the National Futures Association (“NFA”), NFA was forced to also comply.

What does this mean?

Briefly, for those who are unfamiliar, MFA is a security mechanism used to protect digital accounts and information from unauthorized access. It requires users to provide two or more forms of identification before granting access to an account or system. NFA will be implementing an MFA system in accordance with the Biden executive order on behalf of the CFTC.

NFA’s new system offers three options for secure authentication:

1) Email – Upon entering a username and password for an NFA system, a user will request a code to be sent to their valid email address. The email will be sent by Microsoft on behalf of the NFA and will contain a unique six-digit passcode. That code must be copied back into the NFA system in order to gain access. Please be sure to allow the email address to pass through your spam filters, as this will be the address that sends your unique passcode.

2) Telephone Delivery (Two Options)

a. Text / SMS – A time-based one-time (TOTP) passcode will be sent via text message to the phone number associated with the user’s NFA ORS profile.

b. Voice Call – A member can choose to have a code sent via a verbal message to a land line or cell phone.

3) Authentication app – NFA is allowing members to utilize two external authentication applications; one offered by Google the other from Microsoft. To learn more about external authentication options follow this link.

What do I Need to Do?

Unfortunately, Turnkey does not have high hopes for the rollout.  NFA’s technology systems are notoriously bad and are the brunt of industry jokes and frustration. During the informational meeting, NFA emphasized that the authentication method a firm would like to use – Phone, Text, Email, or Authentication Application must be selected and set up within NFA’s existing security manager system. IT IS CRITICAL users update their Phone number, email, and other pertinent details in the security manager portal as soon as possible. This information will be used to rollout MFA.

How Long Do I Have?

Unfortunately, not long. Please also be advised that NFA’s rollout is scheduled to occur during the peak filing period for both CTA and CPO quarterly reports.  Please be mindful of the following dates to ensure access to ORS remains available to your firm.

MFA by registrant category

Futures Commission Merchants (FCM): May 1, 2023

Retail Foreign Exchange Dealer (RFED): May 1, 2023

Swap Dealer (SD): May 7, 2023

Introducing Brokers (IIB and GIB): May 14, 2023

Commodity Pool Operator (CPO): June 4, 2023

Commodity Trading Advisors (CTA): June 4, 2023

Conclusion – Do Not Procrastinate!

It is very important that firms review security manager profile information as soon as possible. Turnkey truly wishes NFA the best of luck with its MFA roll out. We would like nothing more than to see the transition go smoothly. Unfortunately, though, we are pessimistic about how this change may impact the industry over the next several months. Being intimately familiar with NFA systems and member behavior we’re confident NFA’s help and support desks will be flooded with calls. Over the next several filing periods it will be important for member firms not to procrastinate when making filings or adjustments to ORS. There is a very high probability for kinks or bugs in NFA’s new process. Member firms should allow time for any potential technological problems which may arise while NFA works out the kinks of its new processes.