Authored by: Samuel Gehebe
On March 24, 2021, the National Futures Association (NFA) released the Interpretive Notice establishing general requirements regarding members’ use of third-party providers. The Interpretive Notice is effective September 30, 2021 and discusses NFA Compliance Rules 2-9 and 2-36: Members’ Use of third party service providers.
NFA Members may fulfill their regulatory obligations by engaging a third-party service provider(s) or vendor(s) to perform certain functions that would otherwise be undertaken by the members to comply with NFA and Commodity Futures Trading Commission (CFTC) requirements. If an NFA member outsources a regulatory function, the member remains responsible for complying with NFA and/or CFTC requirements and may be subject to discipline if a third-party service provider’s performance causes the member to fail to comply with the NFA and/or CFTC requirements. An NFA member must have a written supervisory framework over its outsourcing function to mitigate the risks associated with outsourcing certain functions.
An NFA member using a third-party service provider(s) that performs functions to assist the member in fulfilling its regulatory obligations that address NFA and/or CFTC requirements must comply with the following general requirements set forth in the NFA’s Interpretive Notice.
An NFA member should determine whether a particular regulatory function is appropriate to outsource and evaluate the risk associated with outsourcing the function. The potential risks associated with outsourcing a function may vary. An NFA member should analyze and identify certain primary areas of risk including the following:
An NFA member should also consider other potential areas of risk applicable to its business and the regulatory function that is being outsourced.
An NFA member should perform due diligence on any prospective third-party service provider prior to entering a contractual outsourcing arrangement. This will allow the member to determine whether the service provider can successfully carry out the outsourced function in a manner designed to comply with NFA and/or CFTC requirements. This includes ensuring that the third-party service provider has sufficient regulatory experience, is aware of relevant NFA and CFTC requirements and has the operational capabilities to fully and accurately carry out the outsourced functions. For third-party service providers that obtain or have access to an NFA member’s critical and/or confidential data or that will support critical regulatory-related systems, the onboarding due diligence process should be more robust, and include assessing IT security, financial stability, background of key employees, regulatory history, and business continuity and contingency plans.
If the third-party service provider subcontracts any of the regulatory functions, the NFA member should request the identity of the subcontractor(s) and assess the risks associated with subcontracting these functions. The NFA member should require the third-party service provider to notify the NFA member of any change in a subcontractor and retain the ability to terminate the relationship if the third-party service provider makes any material changes involving the subcontractor that would have an adverse effect on the performance of the outsourced functions.
A written agreement between an NFA member and the third-party service provider should be executed that fully describes the scope of services being performed and addresses any guarantees and indemnifications, limitations of liability and payment terms. Each NFA member should review its relationship with the third-party service provider to ensure to the extent possible that contractual terms are appropriate and reflect the outsourcing relationship as intended. An NFA member should make a reasonable effort to ensure that the third-party service provider agrees to comply with all applicable regulatory requirements when entering a written agreement. There should also be a consideration as to the appropriate signor of the written agreement depending on the criticality and associated risk of the function being outsourced.
Ongoing monitoring of the third-party service provider’s ability to properly carry out the outsourced function(s) and meet its contractual obligations should be conducted by the NFA member. The monitoring should involve the ongoing review of a particular outsourced function to ensure that it is being performed appropriately. Holistic reviews of the third-party service provider’s performance, regulatory compliance, IT security, financial stability, business continuity and contingency plans, audits or examination results, websites, public filings, insurance coverage, and references should be performed periodically. An NFA member should require a third-party service provider to notify it of any material changes to the provider’s material systems or processes utilized to carry out the outsourced regulatory function. The frequency and scope of the ongoing monitoring reviews should be tailored depending on the criticality and associated risk of the outsourced function(s).
An NFA member should consider whether it has adequate resources and qualified personnel to perform ongoing monitoring. As a precaution, an NFA member should have a process of escalation to senior management when a third-party service provider fails to perform the outsourced function or its risk profile materially changes.
With regards to contract renewals, an NFA member should consider incorporating best practices.
The agreement with the third-party service provider should require that the provider give the NFA member sufficient notice prior to terminating its relationship. This is to ensure that the NFA member can maintain operational, regulatory or other capabilities supported by the third-party service provider. An NFA member must be able to meet all NFA and/or CFTC requirements after termination, including recordkeeping requirements.
An NFA member should also make a reasonable effort to ensure that a terminated third-party service provider no longer has access to confidential information and data about the NFA member, its customers and/or their counterparties. An NFA member should ensure that a terminated third-party service provider does not unnecessarily retain confidential information. In appropriate circumstances, confidential information and data should be returned to the NFA member and its customers and/or counterparties.
Records must be maintained pursuant to NFA Compliance Rules 2-10 and 2-49 by any NFA member that engages a third-party service provider to perform a function to meet a regulatory obligation pursuant to an NFA and/or CFTC requirement to demonstrate that the member has addressed areas described in the Interpretive Notice.
In conclusion, an NFA member should implement the requirements and consider the items in the NFA’s Interpretive Notice when considering outsourcing various functions to a third-party service provider.
Connect with Baker Tilly’s regulatory compliance specialists to discuss your specific needs and challenges.