On September 12, 2023, Turnkey Trading Partners President Susan Osmanski was a panelist at the National Introducing Brokers Association (“NIBA”) Compliance Officers Group conference. The event was held in Chicago to cover industry compliance trends and regulatory audit hot topics. The panel was established to address persistent inquiries from conference attendees regarding the nuanced implications of third-party service provider policies (“TPSP”), due diligence, and overall compliance. Turnkey was a pioneer and remains a recognized leader in this area. We have been writing about National Futures Association (“NFA”) obligations related to TPSP policies since NFA made them mandatory in 2021. Turnkey is thankful to NIBA for including us on the panel and believes that Susan Osmanski was uniquely positioned to provide authoritative insights on this subject matter.

History of Third-Party Supervisory Policies

In late 2021, the National Futures Association (“NFA”) introduced a significant regulatory development through an Interpretive Notice titled “NFA Compliance Rules 2-9 and 2-36: Members’ Use of Third-Party Service Providers.” This Interpretive Notice mandated that NFA Member firms that outsource regulatory functions adopt and implement a comprehensive supervisory framework to mitigate risks associated with outsourcing.

As a renowned third-party service provider to the derivatives industry, Turnkey is directly affected by this notice and has been working diligently with our clients on Third-Party Service Provider policies and procedures for over two years. Our team has carefully considered its implications, striving to provide objective guidance. While certain aspects of the notice may pose challenges, NFA’s intention is clear: registrants and member firms have always been responsible for regulatory functions and record-keeping obligations, whether outsourced or not. Notice 9079 merely lays out NFA’s expectations and reinforces the principle that outsourcing does not absolve firms of responsibility.

To assist NFA Members, the Interpretive Notice specifies the essential areas that must be covered within the supervisory framework and offers guidance on the specific activities that each Member should undertake in these areas. These areas include:

  1. Initial risk assessment: NFA’s notice does not prohibit outsourcing but applies to third-party vendors assisting in fulfilling NFA and/or CFTC regulatory obligations. To determine this, firms should conduct an initial risk assessment, considering: Information Security, Regulations, and Logistics.
  2. Onboarding due diligence: After an initial risk assessment has been performed, firms must then engage in further due diligence of third-party service providers. The type and amount of due diligence performed should be commensurate with the risks associated with the activity being outsourced.
  3. Ongoing monitoring: Firms should conduct ongoing monitoring of a Third-Party Service Provider’s ability to properly carry out an outsourced function. This review must be completed using a risk-based approach. Turnkey recommends all vendors be evaluated at least annually. Some vendors that are critical to company operations may need to be evaluated more frequently. Generally, firms should rely on the initial risk assessment of an outsourced function to determine how critical a third-party service provider is to company operations and how often a review should be completed.
  4. Termination: Firms should develop proper “off-boarding” procedures for the termination of a third-party vendor. This should include securing any shared materials.
  5. Recordkeeping: NFA’s intention is not misplaced. Ultimately, CFTC registrants and NFA member firms have always been responsible for all regulatory functions and record keeping obligations. This fact has been true whether these functions were outsourced to third parties or not. Notice 9079 simply lays out the framework for NFA’s expectations in this area. It also serves as a reminder that registrants cannot simply outsource record keeping or critical functions to wash their hands of malfeasance.

Panel Highlights

  • It is crucial to note that NFA emphasizes that irrespective of outsourcing arrangements, Members remain ultimately responsible for adhering to NFA and CFTC requirements.
  • NFA expects firms to regularly review TPSP vendors and evaluations over time. During exams over the past two years, NFA staff has been requesting evidence of such reviews.
  • It is not uncommon for NFA to consider firm responses to the questions included within its TPSP supplement to the Self-Examination Questionnaire.
  • NFA has begun evaluating vendor agreements and reconciling those agreements against the obligations for consideration included within the TPSP Interpretive Notice. It has been observed that vendor agreements which do not include all elements mentioned within the TPSP can become a topic of conversation during exams.
  • NFA’s Interpretive Notice does not prohibit outsourcing, but establishes expectations. Vendors required to be considered under a firm’s TPSP only include those who assist a firm in meeting a commodity interest regulatory obligation. The most common TPSP functions are related to record retention, ISSP and technology outsourcing obligations, and accounting.

Turnkey, an award-winning compliance consulting and accounting firm, encourages firms to prioritize compliance with these requirements. Non-compliance can have consequences, as NFA has been testing in this area during examinations. The TPSP obligation encompasses various critical areas, and Turnkey is well-equipped to assist firms in meeting these obligations.

If you have any questions or concerns about complying with these regulatory obligations, or would like to connect with Susan Osmanski or anyone else on the Turnkey team, please do not hesitate to contact Turnkey at (312) 324-0040 or through our website.