NFA Compliance Rules 2-9 and 2-36: Members’ Use of Third-Party Service Providers
On March 24, 2021, the National Futures Association (“NFA”) issued a Notice to Members requiring each Member to adopt and implement a supervisory framework over its outsourced functions to mitigate outsourcing-related risks. The NFA’s adopted Interpretive Notice becomes effective on September 30, 2021. The NFA indicates that the supervisory framework must address the following:
- a) initial risk assessment;
- b) onboarding due diligence;
- c) ongoing monitoring;
- d) termination; and
- e) recordkeeping.
Primary areas of risk that Members should consider may include information security, regulatory and logistics. The NFA emphasizes that although some functions may be outsourced, it is ultimately the Member’s responsibility to comply with NFA and CFTC requirements. The NFA has also developed a supplement to the Self-Examination Questionnaire related to third-party service providers that may help Members understand these requirements.