NFA approved the adoption of a new interpretive notice to Compliance Rules 2-9 ("Supervision") and 2-36 ("Requirements for Forex Transactions") that requires CFTC-registered firms that outsource regulatory obligations to implement a written supervisory framework governing the outsourcing arrangements.

NFA stated that firms should tailor their written supervisory frameworks to their specific business activities, and should address the following areas:

  • Initial Risk Assessment. A firm should determine the appropriateness of outsourcing a particular regulatory function, including the third-party provider's security with regard to confidential, personally identifying information, the provider's location and the impact on customers if the third party fails to carry out its responsibilities;
  • Onboarding Due Diligence. A firm should perform due diligence on any prospective third-party provider before entering into a contractual outsourcing arrangement, and, where relevant, should assess the provider's IT security, financial stability, key employees, regulatory history and business continuity plans. Additionally, firms should inquire about whether the provider intends to use subcontractors to carry out the outsourced functions;
  • Written Agreement. A firm should enter into a written outsourcing agreement that requires the third-party service provider to comply with applicable regulatory requirements, including production of documents, and to notify the firm of any material failure to perform the regulatory function;
  • Ongoing Monitoring. A firm should (i) engage in risk-based reviews, (ii) have in place a process of escalation to senior management if a provider fails to perform its responsibilities, and (iii) incorporate best practices related to contractual renewals;
  • Termination. A firm should have sufficient notice to ensure that it can maintain regulatory capabilities if a third-party provider terminates the outsourcing agreement. Additionally, a firm should make a "reasonable effort" to ensure that the provider no longer has access to confidential information after the termination; and
  • Recordkeeping. Firms must maintain records pursuant to NFA Compliance Rules 2-10 ("Recordkeeping") and 2-24 ("Qualification Testing of Associated Persons") to demonstrate their compliance with this interpretive notice.

The interpretive notice will go into effect 10 days after submission to the CFTC, assuming there is no CFTC objection.

Commentary - Conor Almquist

NFA's proposed interpretive notice regarding outsourcing would establish what seems to be a very reasonable minimum set of requirements applicable when outsourcing functions to third-party service providers.

Particularly notable is NFA's flexibility regarding due diligence, which recognizes that the level of due diligence should be commensurate with the risk associated with the regulatory function, with heightened emphasis for critical systems and confidential data. While it is a good reminder that firms should ensure that service providers are aware of applicable NFA and CFTC rules and regulations and have sufficient regulatory experience to perform the outsourced functions, it is particularly critical for firms to remember that ultimate responsibility for any outsourced functions remains with the firm, and any failure to perform by the vendor may result in the firm being subject to discipline.
