At the end of 2023, The Commodity Futures Trading Commission (“CFTC”) proposed an Operational Resilience Framework (“ORF”) aiming to mandate that Futures Commissions Merchants (“FCM”), Swap Dealers (“SD”), and Major Swap Participants (“MSP”) establish, document, implement, and maintain an ORF. The framework is designed to effectively manage risks related to information and technology security, third-party relationships, and emergencies or significant disruptions to normal business operations. The proposed framework consists of three essential components: an information and technology security program (“ISSP”), a third-party relationship program (“TPSP”), and a business continuity and disaster recovery (“BCDR”) plan. These components are reinforced by comprehensive requirements covering governance, training, testing, and recordkeeping. Additionally, the proposed rule would require specific notifications be given to the CFTC and customers.

This month, the National Futures Association (“NFA”) in turn has provided its comments on the CFTC’s proposed rulemaking for the ORF. The NFA recognizes the significance of risk management practices in the financial industry, particularly considering recent events such as the Covid-19 pandemic and cyber-attacks. However, NFA expressed concern that the CFTC’s current proposal may impose excessive burdens on FCMs and SDs. NFA recommends that the CFTC leverage the existing framework already enforced by NFA, which includes ISSP rules 2-9 and 2-49, NFA interpretive notice regarding 2-9 & 2-36 which addresses third-party service provider policies, and compliance rule 2-38 which requires all member firms to have a business continuity and disaster recovery plan. NFA’s argument is that much of what the CFTC is proposing in the ORF is redundant to what NFA members are already doing.

What Could This Mean for The Futures Industry?

Turnkey Trading Partners’ opinion is that whether the ORF proposal from the CFTC becomes an official rule or not, NFA member firms, especially SDs, MSPs, and FCM’s should be taking a good hard look at their current policies and updating them where necessary. If the NFA wants to convince the CFTC that their current framework is sufficient, and should not be subject to the CFTC ORF, there is a good chance these areas will be heavily tested in upcoming NFA audits. Turnkey predicted that NFA would immediately start testing the third-party service provider policies after releasing the respective TPSP interpretive notice on September 30, 2021. As forecasted, the NFA immediately started making a lack of a TPSP program a finding for anyone who was not adhering to this interp. Turnkey is now predicting that regardless of the CFTC mandate sticking or not, auditors will be heavily scrutinizing ISSP, BCDR, and TPSP policies and procedures and the accompanying testing that is required for each respective area. If in fact the ORF does stick, there could be increased training obligations such as “(i) cybersecurity awareness training for ALL personnel and (ii) role-specific training for personnel involved in establishing, documenting, implementing, and maintaining the ORF.”

Turnkey Trading Partners reviews policies and procedures for Swap Dealers, Futures Commissions Merchants, and Major Swap Participants regularly. If your firm has not reviewed and updated your policies in recent memory, contact us here. We would be happy to assist in getting your BCDR, TPSP, and ISSP up to snuff, making both the transition to an ORF framework less painful, while preparing your firm for its next NFA audit.