IOSCO Seeks Views on Business Continuity and Recovery Planning by Trading Venues and Intermediaries
The International Organization of Securities Commissions issued two consultation reports on business continuity and recovery planning, including cybersecurity issues—one aimed at market intermediaries and the other at trading venues. IOSCO proposes some baseline standards for both types of entities, as well as for regulators that oversee them.
Separately, the New York State Department of Financial Services issued an update on cybersecurity in the banking sector. It indicated that it will prod banks to improve their oversight of the cybersecurity efforts of their third-party vendors through adoption of new regulations.
Among the specific components IOSCO recommended intermediaries include in their BCPs were (1) an identification of critical business functions and systems, along with primary and backup staff; (2) an assessment of the major threats and impacts considering a wide range of causes (e.g., fire, floods, local protests, terrorism and cyber attacks); (3) steps necessary to ensure clients are able to access their funds and securities promptly in case of a major disruption; (4) identification of dependencies on third-party entities, including clearing and settlement entities; (5) documented procedures for internal and external communications, including with employees, clients, service providers, regulators and other stakeholders (e.g., media); (6) an assessment of funding access and liquidity during a material disruption; and (7) an appropriate governance framework for implementing a successful BCP after a material disruption, among other baseline elements.
In order to protect against cyber attacks, as well as other threats against data, systems and client privacy, IOSCO recommended that intermediaries have a defined security and information technology policy that describes appropriate controls to restrict access to physical assets and information. This policy should address frequent back-up and recovery of data. IOSCO also recommended that intermediaries use back-up data centers to maintain electronic and hard-copy data, and should address the use of firewalls, Internet security and third-party vendors.
IOSCO noted that, although most regulators have at least “some requirements” for intermediaries to maintain BCPs, “it appears there are relatively few jurisdictions that impose the kind of ‘requirements’ with respect to BCPs where failure of a firm to comply might subject it to penalties.” As a result, it urged regulators to formally require intermediaries (1) “to create and maintain a written business continuity plan identifying procedures related to an emergency or a significant business disruption and (2) to update the BCP to reflect material changes in operations or business as well as to assess at least annually whether any other changes are warranted.”
IOSCO made similar recommendations regarding trading venues and the oversight of such entities by regulators. IOSCO specifically recommended that regulators require all trading venues to implement and maintain processes to ensure the “resiliency, reliability and integrity (including security) of critical systems” and a formal BCP.
Comments on IOSCO’s recommendations are due by close of business, June 6, 2015.
Separately, the NYS Department of Financial Services issued a report that identified weaknesses in controls by banking organizations to ensure that their third-party service providers had appropriate cybersecurity measures. According to a survey of more than 150 banking organizations, the NYDFS found that, (1) approximately 33 percent of banking organizations did not require third-party service providers to notify them of information or other cybersecurity breaches; (2) fewer than 50 percent conducted any on-site assessment of their third-party vendors; (3) approximately 20 percent did not mandate third-party vendors to represent that they have minimum information security requirements; and (4) almost 50 percent did not mandate a warranty of the integrity of the third-party vendor’s data or products (e.g., that the data is free of viruses).
My View: It has been often said that there are only two types of financial services firms: those that have experienced cybersecurity breaches and addressed them, and those that have experienced cybersecurity breaches and did not know. Firms should evaluate their cybersecurity measures against objectives standards such as those published by the National Institute of Standards and Technology in February 2014 in its Framework for Improving Critical Infrastructure Cybersecurity. Both the Securities and Exchange Commission and the Financial Industry Regulatory Authority recently published insightful observations from their reviews of cybersecurity practices at securities industry firms—on both the buy and sell sides. FINRA also identified principles and effective practices firms should consider to address cybersecurity threats. These too should be reviewed.
Class Action Complaint Filed Against Kraft Foods and Mondelez Global for Alleged Manipulation Charged Previously by CFTC: A private litigant sued Kraft Foods Group, Inc. and Mondelez Global LLC last week, alleging many of the same claims of manipulation that the Commodity Futures Trading Commission charged against the two companies the prior week. The lawsuit, brought by Harry Ploss, as trustee for the Harry Ploss Trust DTD 8/16/1993, was filed as a class action complaint in a US federal court in New York. Among other things, the lawsuit claims that, during November and December 2011, the defendants manipulated the prices of December 2011 and March 2012 wheat futures contracts traded on the Chicago Board of Trade, as well as options on such contracts. Mr. Ploss claims that he was damaged by defendants’ trading because he liquidated his short December 2011 and long March 2012 wheat futures position at the same time “as Defendants’ opposite position reached its greatest size.” Mr. Ploss was previously among the so-called “Futures Plaintiffs” in a class action lawsuit alleging manipulation against Moore Capital Management and others related to physical and futures trading in platinum and palladium between October 2007 and June 2008. That action was filed on April 30, 2010, in a US federal court in New York, the day after the CFTC entered a settlement order involving many same basic allegations—in what the judge credited was “admirable alacrity.”
ICE Futures U.S. Settles Disciplinary Actions for Intra-Day Position Limit Violation and Open Position Reporting Errors: ICE Futures U.S. settled a disciplinary action against UBS Securities LLC last week, claiming the firm may have misreported open interest in the December 2014 cocoa futures contracts on trade dates November 12 and 13, 2014. Under IFUS rules, clearing members are obligated to report open positions and adjust previously reported positions (as necessary) in accordance with specific timeframes. To settle this matter, UBS agreed to pay a fine of US $20,000. Separately, Twin Eagle Resource Management, LLC consented to payment of a fine of US $7,500 for allegedly violating a spot month position limit in the July 2014 Henry LD1 futures contract intra-day on June 24, 2014. As part of its settlement, Twin Eagle also agreed to disgorge profits of US $154,180 related to the disputed positions.
Compliance Weeds: Under ICE Clear rules, clearing members must report by 7:30 p.m. ET each business day (or such other time as the exchange may direct) their open interest in all futures contracts. They are obligated to report any adjustments by 9 a.m. the next business day. ICE Futures U.S.’s rules also expressly provide that position limits must be complied with both on an end of day and intra-day basis. CME Group has similar rules regarding reporting open positions and compliance with position limits.
IMF Warns Even Plain Vanilla Investment Funds Add Systemic Risks: The International Monetary Fund has published a report claiming that even “plain vanilla,” non-systemically important investment funds, including “simple” mutual funds and exchange-traded funds that invest in bonds and equities, may pose financial stability risks. These risks principally arise, says the IMF, because, in particular, bond funds have recently grown a lot, and are increasingly investing in less liquid assets such as emerging market bonds and high-yield corporate debt. According to the IMF, “[t]his has increased the mismatch between the liquidity of funds’ assets and liabilities, because many funds allow investors to redeem on a daily basis.” IMF claims that large redemptions from these funds—possibly instigated by an external event—could have widespread market impact because banks may be “unable or unwilling to step in to provide liquidity in such a situation.” As a result, IMF calls for better supervision of what it terms “institution-level risks.” Currently, it says, the oversight of the investment fund industry centers on investor protection and disclosure. Instead, “[p]olicy makers and regulators should adopt a macroprudential approach to assess the impact of the industry as a whole on the stability of the financial system.” A few weeks ago, the Securities Industry and Financial Markets Association’s Asset Management Group and the Investment Adviser Association submitted a letter to the Financial Stability Oversight Council claiming that asset managers and their funds do not contribute to systemic risk. Indeed, said the letter, “[f]ar from being a source for creating or exacerbating systemic risk, the asset management industry engages in activities and performs functions that consistently moderate such risks.” Last year, the Securities and Exchange Commission adopted new rules related to the structure and operation of money market funds that, among other things, imposed enhanced diversification, disclosure and stress testing requirements.
Industry Advisory Group Advocates Best Practices to Avoid Disruptive Trading of US Government Debt Securities by Automated Traders: The Treasury Market Practices Group, a group of industry professionals that support the efficiency of US government securities markets, warned of risks to such markets posed by automated traders, and issued a white paper containing best practice recommendations for both trading venues and traders. Among other things, the TPMG recommended that traders should not engage in trading strategies that “compromise market integrity,” including “those that give a false impression of market price, depth, or liquidity.” The group suggested that such activity includes trading commonly known as “spoofing,” “painting the tape” and improper self-trading. The TPMG also recommended that traders (1) formally adopt and adhere to policies prohibiting manipulative trading strategies; (2) adhere to “a robust change control process” for developing, testing and rolling out new trading technologies and algorithms; and (3) be mindful of the impact of changes to their trading strategies on market liquidity if they constitute a material share of daily trading volume. The TPMG—sponsored by the Federal Reserve Bank of New York—consists of senior business managers and legal and compliance professionals from a range of financial institutions including securities dealers, banks, buy-side firms, market utilities and others.
Former NFL Cornerback and Others Thrown Penalty Flag by SEC in Connection With Alleged Ponzi Scheme: William Allen, a former cornerback for the New York Giants and Miami Dolphins National Football League football teams, and others were charged by the Securities and Exchange Commission with operating a Ponzi scheme that raised over US $31 million from investors. The SEC’s lawsuit, filed in a US federal court in Massachusetts, claimed that from July 2012 through February 2014 potential investors were promised profits from loans to specific professional athletes. However, not all money raised from investors for specific athletes was loaned to such persons, and in some cases investors were provided incorrect or misleading information about loans they funded, charged the Commission. A substantial portion of the money raised was used for personal purposes by two of the defendants, including Mr. Allen, claimed the SEC. The SEC seeks a court order to stop the alleged wrongful conduct by the defendants, disgorgement and penalties.
And even more briefly:
CPOs That Have Delegated Certain Responsibilities to Other Registered CPOs Now Mandated to Tell NFA Formally: In order to keep track of commodity pool operators that delegate certain of their responsibilities under a recently issued CFTC no-action letter, the National Futures Association will now require CPOs taking advantage of the relief to answer a specific question eliciting relevant information when they file their annual financial statement. Late last year, staff of the CFTC made self-executing and somewhat expanded previously granted relief from registration requirements to CPOs who delegated certain activities in connection with private investment funds.
SEC Seeks Comments on Cost Benefit of Rule Permitting Investment Companies to Post Margin Directly With FCMs, Not Third-Party Custodians: The Securities and Exchange Commission is seeking comment on cost-benefit aspects of its rule that authorizes investment companies to maintain assets (e.g., margin) with a futures commission merchant (as opposed to a third-party custodian) in connection with their commodity transactions. The relief is subject to the FCM complying with the customer funds segregation requirements of the Commodity Futures Trading Commission and obtaining an acknowledgement from the clearing organization where the FCM holds a fund’s assets, in accordance with CFTC requirements. The acknowledgement should state that the clearing organization also complies with CFTC customer funds segregation requirements, The relevant SEC Rule is 17f-6.
Compliance Weeds: Rule 17f-6 may be drafted inconsistently with the relevant CFTC rule. It requires that, for an FCM to cary the account of an investment company, it must obtain from a relevant clearing organization an acknowledgment “as required under rul[e] 1.20(a) … that such assets are held on behalf of the [FCM]’s customers in accordance with the provisions of the Commodity Exchange Act” (emphasis added). However, CFTC rule 1.20(a) expressly provides that “a written acknowledgment need not be obtained from a derivatives clearing organization that has adopted and submitted to the [CFTC] rules that provide for the segregation of futures customer funds in accordance with all relevant provisions of the Act and the rules and orders promulgated thereunder” (emphasis added). I wish these provisions tied in better, but they can be read consistently.
Doctors Without Borders: As I indicated last week, I am riding in the five-borough New York City bike tour on May 3, 2015, to help raise funds for Doctors without Borders—Médecins Sans Frontières. Doctors Without Borders consists of many selfless volunteers who place themselves in harm’s way worldwide, in some of the most unsafe places, to provide urgently needed medical care to all persons without regard to nationality, politics, religion or any other self-identifying characteristic. Thanks to the generosity of many readers of Bridging the Week, I already have met my minimum fundraising goals. But I would like to do much more. Please consider supporting me in my fundraising efforts for this very worthy charity.