Busy day on the CME disciplinary front - six different disciplinary notices today. The majority were regarding block trade timing misreporting and bad broker electronic audit trails.
There were two outliers - both dealing with automatic trade systems that were badly programmed and caused aberrant orders to be entered. In both cases, it appears that the issue was identified and improperly solved and redeployed. Finally, in both instances, the problem was fixed. The fines were $25K and $35K and in one case there was a 30-day suspension from trading for the trader who made the mistake.
The block trade notices fell in two categories - a broker reporting block trades with inaccurate times and not within the required time period or a trader failing to report within the required time period, reporting inaccurate trade details and pre-hedging in violation of exchange rules. In one case, the reporting party was a principal to the trades and was pre-trading in its own account prior to execution at a price that was to its benefit. In this case, the fine was $150K plus a $74K+ disgorgement.
The exchange has issued very specific rules as to what activity can be performed in anticipation of a block trade execution. These rules basically ban arbing the client order against the market prior to executing the block trade. The exchange has issued several disciplinary notices in this area in 2019. The number of notices in this area would indicate that block trade execution and reporting have been undergoing increased scrutiny since 2018 - companies should reexamine their training and guidance on block trades - both reporting and trading in relation to any bilateral block trade communications.
One of the broker block trade actions also covered disclosure of counterparty information regarding the trade. Exchange rules allow for disclosure of specific trade information only when authorized by the parties to the trade. The exchange noted the failure to properly supervise and train staff in this instance as well. The broker fines were $60 and $70K.
The final notice was a very large fine - $650K - to ADM Investor Services. In this instance, a client of ADMIS was using an improper method of offsetting omnibus account positions using FIFO accounting. It should be noted that this disciplinary notice does not cover the underlying entity's activities. However, notice should be taken that there are very specific allocation rules that must be followed in managing omnibus accounts. The CME noted - "As a result, inaccurate open interest data was published to the market". This, obviously, is "not a good thing".
Compounding the issue, ADMIS used customer provided information to report to the CME during the investigation - which information the CME ascertained to be incorrect. The CME cited the initial failure to keep accurate audit trails, the use of inaccurate client audit information, and the lack of supervision and training as actionable items. As noted, the fine was $650K.
The CME reinforces the simple rule - you are involved in US futures trades, you accept US jurisdiction
The CME issued a market regulation notice that reinforced the simple statement above that often is met with skepticism when DCM is teaching a training class. A trader in Singapore or London may question why it is important for them to be trained in US exchange rules and disciplinary scope. The perception is that as long as they know local rules they are OK. The answer is an emphatic NO. If you trade US futures markets you are subject to US exchange rules and, by agreeing to jurisdiction, CFTC rules. And the exchange rules and investigatory processes are different.
The CME market regulation advisory notice today was very specific in its purpose:
"The same or similar provision will be adopted by all U.S. designated contract markets (“DCMs”), and results from an industry-wide effort to ensure that DCMs have full jurisdiction over such entities where a commission or fee is charged in connection with a client’s trading activities in the applicable DCM’s markets."
There is a section of the CME Rules that is restated here even though it was adopted in 2012:
418. CONSENT TO EXCHANGE JURISDICTION Any Person initiating or executing a transaction on or subject to the Rules of the Exchange directly or through an intermediary, and any Person for whose benefit such a transaction has been initiated or executed, expressly consents to the jurisdiction of the Exchange and agrees to be bound by and comply with the Rules of the Exchange in relation to such transactions, including, but not limited to, rules requiring cooperation and participation in investigatory and disciplinary processes. Any futures commission merchant, introducing broker, associated person, or foreign Person performing a similar role that charges a commission or fee in connection with transactions on or subject to the Rules of the Exchange also expressly consent to the Exchange’s jurisdiction.
It is interesting that the exchange felt it important to reaffirm that anyone collecting any fee associated with a transaction, including foreign persons, and any person for whose benefit that trade was executed must agree to exchange jurisdiction.
DCM has always stressed that the exchange contract requires acceptance of US jurisdiction - this notice is reaffirming that any person receiving benefit from the execution of a trade on a US exchange - and DCM would caution this could be interpreted to include advisors receiving a fee based on the fact a trade was executed - is subject to and required to comply with the exchange jurisdiction and to assist in disciplinary inquiries.
This reinforces the need for all individuals and entities involved in access to US futures markets to understand the US rules and train appropriate staff in US market rules.
The complete notice is here
CFTC asks registered futures participants for response on cloud data breaches - should you be checking your risks? Update
The CFTC issued a revised notice on this activity this morning to CTAs, CPOs, IBs and RFEDs - there are two changes (underlined and in bold in the letter). They are:
The first clarifies who must respond by tomorrow. It states: "You are only required to submit an email confirmation if your cloud service providers have been affected by this attack". Anyone whose cloud provider was not hacked does not need to respond.
The second exempts CTAs and CPOs from the January 20 response requirement. It changes the first sentence to state: "In addition, only if you are a registered Introducing Broker or Retail Foreign Exchange Dealer, by January 20, 2020,"
This will reduce the burden on CTAs and CPOs in particular and anyone whose cloud provider was not hacked.
On Friday, January 3, the CFTC sent out two separate "Cyber Threat Alert" letters from Joshua Sterling, Director, Division of Swap Dealer and Intermediary Oversight - one to each "registered Commodity Pool Operator, Introducing Broker, Commodity Trading Advisor and/or Retail Foreign Exchange Dealer" and one to all "registered Swap Dealers or Futures Commission Merchants". In these, the CFTC references the Wall Street Journal article of December 30, 2019 reporting on the hacking of multiple cloud service providers. The CFTC notes it appears "the attackers may have gained access to the providers’ networks, allowing the hackers to freely and anonymously hop from client to client."
The letter requests that the entities:
"confirm no later than January 10, 2020 by email to DSIOAlerts@CFTC.Gov if your cloud service providers have been affected by this attack. If so, please include information regarding whether and when the provider(s) informed you about the attack and a summary of any steps you have taken to protect your systems and data in response this attack and your plans to notify market participants whose data may have been affected."
By January 20, these entities must confirm whether they have received any communications from, or are currently communicating with, an assortment of entities, from the service providers to customers, business partners or industry-related parties, regarding the hacking event.
The industry has been moving much more rapidly to cloud based services and support. Many of those systems may include significant individual or corporate sensitive data such as trading activity, positions or even banking information. These CFTC letters could indicate that registered entities may have a risk to these customers if their data is hacked in a cloud environment. If the government starts to assert a duty to counterparties for loss of hacked trading or other information, what is the risk for companies in this environment?
While cloud based solutions have significant advantages, do the providers offer the indemnifications or warranties needed to give assurance against these risks? Has your trading and compliance risk assessment covered these types of events? It may be time to expand your risk assessments and controls review to include your cloud providers.
A full copy of the CTA/CPO/IB/RFED letter is below:
U.S. COMMODITY FUTURES TRADING COMMISSION
Three Lafayette Centre 1155 21st Street, NW, Washington, DC 20581
Telephone: (202) 418-6700 Facsimile: (202) 418-5407
Division of Swap Dealer and Intermediary Oversight
Joshua B. Sterling Director
TO: CFTC Registrants
FROM: Joshua B. Sterling, Director Division of Swap Dealer and Intermediary Oversight
DATE: January 3, 2020
RE: Cyber Threat Alert
As registered participants in the markets the CFTC oversees, we recognize that you must react to unexpected events that potentially impact your legal and regulatory obligations. A December 30, 2019 Wall Street Journal article reports that approximately one dozen cloud service providers have been hacked. The reporting indicates that the attackers may have gained access to the providers’ networks, allowing the hackers to freely and anonymously hop from client to client.
We ask you to consider, in light of this reporting, your organization’s systems and data vulnerability.
If you are a registered Commodity Pool Operator, Introducing Broker, Commodity Trading Advisor and/or Retail Foreign Exchange Dealer, please confirm no later than January 10, 2020 by email to DSIOAlerts@CFTC.Gov if your cloud service providers have been affected by this attack. If so, please include information regarding whether and when the provider(s) informed you about the attack and a summary of any steps you have taken to protect your systems and data in response this attack and your plans to notify market participants whose data may have been affected.
In addition, by January 20, 2020, consistent with CFTC Staff Advisory 14-21 (interpreting CFTC Rule 160.30), please also advise whether you have received any communications from—or are currently communicating with—cloud service providers, customers, clients, counterparties, business partners, or industry-related parties regarding the WSJ-described attack or a related potential cyber event.
We recognize that your evaluation of the situation may evolve and we ask that you notify us promptly, updating us with follow on information as you proceed in your assessment.
If you have questions, please do not hesitate to contact DSIO staff: Amanda Olear, Deputy Director, (202) 418-5283 or AOlear@cftc.gov, Joe Sanguedolce, Deputy Director, (646) 746-9750 or JSanguedolce@cftc.gov, or Barry McCarty, Special Counsel, at (202) 418-6627 or CMcCarty@cftc.gov