NFA to Require Asset Manager Members to Adopt Written Supervisory Framework for Third-Party Service Providers – Action Required
On March 24, 2021, the National Futures Association (“NFA”) issued a notice to members announcing the effective date of recently adopted Interpretive Notice 9079 - NFA Compliance Rules 2-9 and 2-36: Members’ Use of Third-Party Service Providers (the “Notice”). Effective September 30, 2021, NFA members, including registered commodity pool operators and commodity trading advisors (collectively, “firms”) who outsource to a third-party service provider or vendor (a “third-party service provider”) functions necessary for compliance with NFA and/or Commodity Futures Trading Commission (“CFTC”) requirements (“regulatory functions”) must adopt and implement a written supervisory framework for their outsourcing activity to mitigate associated risks. Firms are reminded that even if they outsource regulatory functions, they remain responsible for complying with all NFA and/or CFTC requirements, and are therefore subject to discipline if the third-party service provider fails to perform.
While the written supervisory framework should be tailored to each firm’s specific needs and business, it should address, at a minimum: (i) an initial risk assessment, (ii) onboarding due diligence, (iii) ongoing monitoring, (iv) termination of the service provider relationship and (v) recordkeeping, each of which is discussed in greater depth below. The supervisory framework does not, however, have to address each of these areas in isolation, provided that the issues and risks associated with each area are addressed when initiating and managing outsourcing relationships.
A firm that is part of a larger holding company structure that has a dedicated procurement or vendor management department responsible for onboarding and maintaining third-party service provider relationships for the firm may meet its obligations under the Notice through such department, as long as that department addresses the areas described in the Notice with respect to the firm.
To help firms better understand their obligations under the Notice, the NFA is developing a supplement to the NFA Self-Examination Questionnaire and will address the Notice in forthcoming educational programs.
Initial Risk Assessment
Before outsourcing a regulatory function to a third-party service provider, firms should consider whether that particular regulatory function is appropriate to outsource and evaluate the risks associated with outsourcing it. A firm should not outsource a particular function unless it determines that the firm can adequately manage the risks associated with such outsourcing.
The NFA expects firms to identify and analyze the following primary areas:
- Information Security — The type of confidential, personally identifying or otherwise valuable information a third-party service provider may obtain or have access to and the measures it puts in place to protect that information;
- Regulatory — The impact to the firm, its customers and its counterparties if the third-party service provider fails to carry out the function properly; and
- Logistics — The location of the service provider and whether it has the resources to meet its contractual obligations and provide the firm with access to required records.
In addition, firms should consider other potential areas of risk applicable to their business and the regulatory functions being outsourced.
Onboarding Due Diligence
A firm should conduct the due diligence necessary to determine, with appropriate certainty, that a prospective service provider will be able to perform the outsourced function in compliance with applicable regulations. Firms should consider whether a third-party service provider has the requisite knowledge, experience and operational capabilities to perform the outsourced regulatory functions. The amount of due diligence necessary depends on the risks involved and the firm’s business needs. Heightened due diligence is required if the service provider will support the firm’s critical regulated systems or have access to, or otherwise obtain, critical or confidential data. Firms should also determine whether a third-party service provider will subcontract any of the outsourced functions and, if so, consider what additional diligence will be required.
To mitigate the risk of non-performance or disagreements regarding the scope of services performed, the NFA expects firms to enter into written agreements with third-party service providers. While a firm’s ability to negotiate the terms of an outsourcing agreement may be limited, it should ensure, to the extent possible, that the contract is appropriate and reflects the outsourcing relationship as intended.
Ongoing Monitoring
Each firm should monitor its service providers’ ability to perform outsourced functions and meet their contractual obligations through ongoing monitoring and periodic holistic reviews of the services provided. The scope and frequency of such reviews should be tailored to the criticality of, and risk associated with, the outsourced function. In addition, each firm should consider, in light of its business and the nature of the functions outsourced, whether it has devoted adequate resources and qualified personnel to monitoring third-party service providers.
Furthermore, a firm should (i) require third-party service providers to provide notice if there are any material changes in how the provider performs the outsourced function, (ii) evaluate the risk associated with becoming overly reliant on a particular service provider and consider alternatives that could serve as “exit strategies,” (iii) assess the risk of any proposed changes to its third-party service provider contracts and (iv) develop a procedure to escalate performance failures or material changes in a service provider’s risk profile to senior management.
Termination
Firms remain responsible for complying with all CFTC and NFA requirements, including recordkeeping requirements, following the termination of a relationship with a third-party service provider. Consequently, firms should determine whether their outsourcing agreements provide for sufficient notice prior to termination to allow for the safekeeping of records and develop a plan to protect confidential information upon the termination of an outsourcing relationship.
Recordkeeping
The NFA expects each firm to maintain records demonstrating that it has addressed the areas described in the Notice.
Please contact Leigh R. Fraser, Jeremy A. Liabo, Katherine J. Forrester-Quek or the Ropes & Gray attorney who usually advises you for further information, or with any questions you may have.