The CME issued a market regulation notice that reinforced the simple statement above that often is met with skepticism when DCM is teaching a training class. A trader in Singapore or London may question why it is important for them to be trained in US exchange rules and disciplinary scope. The perception is that as long as they know local rules they are OK. The answer is an emphatic NO.  If you trade US futures markets you are subject to US exchange rules and, by agreeing to jurisdiction, CFTC rules. And the exchange rules and investigatory processes are different.
The CME market regulation advisory notice today was very specific in its purpose:
"The same or similar provision will be adopted by all U.S. designated contract markets (“DCMs”), and results from an industry-wide effort to ensure that DCMs have full jurisdiction over such entities where a commission or fee is charged in connection with a client’s trading activities in the applicable DCM’s markets.1
There is a section of the CME Rules that is restated here even though it was adopted in 2012:
418. CONSENT TO EXCHANGE JURISDICTION Any Person initiating or executing a transaction on or subject to the Rules of the Exchange directly or through an intermediary, and any Person for whose benefit such a transaction has been initiated or executed, expressly consents to the jurisdiction of the Exchange and agrees to be bound by and comply with the Rules of the Exchange in relation to such transactions, including, but not limited to, rules requiring cooperation and participation in investigatory and disciplinary processes. Any futures commission merchant, introducing broker, associated person, or foreign Person performing a similar role that charges a commission or fee in connection with transactions on or subject to the Rules of the Exchange also expressly consent to the Exchange’s jurisdiction.
It is interesting that the exchange has felt it important that they are reaffirming that anyone collecting any fee, including foreign persons, associated with a transaction and any person for whose benefit that trade was executed must agree to exchange jurisdiction.
DCM has always stressed that the exchange contract requires acceptance of US jurisdiction - this notice is reaffirming that any person receiving benefit from the execution of a trade on a US exchange - and DCM would caution this could be interpreted to include advisors receiving a fee based on the fact a trade was executed - is subject to and required to comply with the exchange jurisdiction and to assist in disciplinary inquiries.
This reinforces the need of all individuals and entities  involved in access to US futures markets should understand the US rules and train appropriate staff in US market rules.
​The complete notice is here

UPDATE:

The CFTC issued a revised notice in this activity this morning to CTAs, CPOs, IBs and RFEDs - there are two changes (underlined and in bold in the letter). They are:

The first clarifies who must respond by tomorrow. It states: "You are only required to submit an email confirmation if your cloud service providers have been affected by this attack". Anyone whose cloud provider was not hacked does not need to respond.

The second exempts CTAs and CPOs from the January 20 response requirement. It changes the first sentence of the state: In addition, only if you are a registered Introducing Broker or Retail Foreign Exchange Dealer, by January 20, 2020, "

This will reduce the burden on CTAs and CPOs in particular and anyone whose cloud provider was not hacked.

Friday, January 3, the CFTC sent two separate "Cyber Threat Alert" letters out from Joshua Sterling, Director, Division of Swap Dealer and Intermediary Oversight - one to all "registered Commodity Pool Operator, Introducing Broker, Commodity Trading Advisor and/or Retail Foreign Exchange Dealer"s and one to all"registered Swap Dealers or Futures Commission Merchants". In this, the CFTC references the Wall Street Journal article of December 30, 2019 reporting on the hacking of multiple cloud services providers being hacked. The CFTC notes it appears "the attackers may have gained access to the providers’ networks, allowing the hackers to freely and anonymously hop from client to client."
The letter requests that the entities:

"confirm no later than January 10, 2020 by email to DSIOAlerts@CFTC.Gov  if your cloud service providers have been affected by this attack. If so, please include information regarding whether and when the provider(s) informed you about the attack and a summary of any steps you have taken to protect your systems and data in response this attack and your plans to notify market participants whose data may have been affected. "

By January 20, these entities must confirm whether they have had any communications from or in current communication with an assortment of entities from the service providers to customers, business partners or industry-related parties regarding the hacking event.

The industry has been moving much more rapidly to cloud based services and support. Many of those systems may include significant individual or corporate sensitive data such as trading activity, positions or even banking information. These CFTC letters could indicate that registered entities may have a risk to these customers if their data is hacked in a cloud environment. If the government starts to assert a duty to counterparties for loss of hacked trading or other information, what is the risk for companies in this environment? 

While cloud based solutions have significant advantages, do the providers provide the indemnifications or warranties to provide assurance for these risks?  Has your trading and compliance risk assessment covered these types of events? It may be time to expand your risk assessments and controls review to include your cloud providers.

A full copy of the CTA/CPO/IB/RFED letter is below:

U.S. COMMODITY FUTURES TRADING COMMISSION
Three Lafayette Centre 1155 21st Street, NW, Washington, DC 20581
Telephone: (202) 418-6700 Facsimile: (202) 418-5407


Division of Swap Dealer and Intermediary Oversight 
  Joshua B. Sterling Director 
​
TO:  CFTC Registrants 
 
FROM:  Joshua B. Sterling, Director   Division of Swap Dealer and Intermediary Oversight 
 
DATE:  January 3, 2020 
 
RE:  Cyber Threat Alert 
 
As registered participants in the markets the CFTC oversees, we recognize that you must react to unexpected events that potentially impact your legal and regulatory obligations. A December 30, 2019 Wall Street Journal article reports that approximately one dozen cloud service providers have been hacked. The reporting indicates that the attackers may have gained access to the providers’ networks, allowing the hackers to freely and anonymously hop from client to client.  
 
We ask you to consider, in light of this reporting, your organization’s systems and data vulnerability.  
 
If you are a registered Commodity Pool Operator, Introducing Broker, Commodity Trading Advisor and/or Retail Foreign Exchange Dealer, please confirm no later than January 10, 2020 by email to DSIOAlerts@CFTC.Gov  if your cloud service providers have been affected by this attack. If so, please include information regarding whether and when the provider(s) informed you about the attack and a summary of any steps you have taken to protect your systems and data in response this attack and your plans to notify market participants whose data may have been affected.  
 
In addition, by January 20, 2020, consistent with CFTC Staff Advisory 14-21 (interpreting CFTC Rule 160.30), please also advise whether you have received any communications from—or are currently communicating with—cloud service providers, customers, clients, counterparties, business partners, or industry-related parties regarding the WSJ-described attack or a related potential cyber event.   
 
We recognize that your evaluation of the situation may evolve and we ask that you notify us promptly, updating us with follow on information as you proceed in your assessment.  
 
If you have questions, please do not hesitate to contact DSIO staff: Amanda Olear, Deputy Director, (202) 418-5283 or AOlear@cftc.gov, Joe Sanguedolce, Deputy Director, (646) 746-9750 or JSanguedolce@cftc.gov, or Barry McCarty, Special Counsel, at (202) 418-6627 or CMcCarty@cftc.gov 
 
 

DCM has posted a number of disciplinary actions regarding Tag 50 - the Globex Operator ID data field on a CME message. The CME issued a Market Advisory Notice today that adds Tag 1028 - the "automated or manual indicator" to that high priority list. What is this Tag?

In the notice, the CME spells it out simply:

"Manual order entry refers to orders that are submitted to CME Globex by an individual directly entering the order into a front-end system, typically via keyboard, mouse or touch screen, and which is routed in its entirety to the match engine at the time of submission"
"Automated order entry refers to orders that are generated and/or routed without human intervention. This includes any order generated by a computer system as well as orders that are routed using functionality that manages order submission through automated means (i.e. execution algorithm)."

The industry has commonly referred to "algo trading" as something where there is a complex system developing trading orders. This Market Advisory would expand that definition of automated to, in DCM's opinion, to include a analysis system in an OMS (order management system) that, under identified conditions, enters a trade on behalf of the trader. This could also mean a spreadsheet system that has a link to drop a trade into the OMS. The advisory specifically indicates that "orders generated by automated means, including via automated spreading functionality, must be properly identified with the value “N” in Tag 1028." (the "N" tag indicates an automated order - manual orders are a "Y" value)
This begins to make sense to us here at DCM. There has been a significant number of electronic audit trail summary fines for broker/dealers failing to maintain a complete and accurate audit trail of customer orders. It is not stated that this advisory follows on that set of reviews but a major point raised in the advisory regarding proper inclusion of the Tag 1028 information:

"This has been a required data element on CME iLink interface order submissions since June 2011 and is now being added as a regulatory requirement. "
​
It should be noted there was a prior advisory - MRAN RA1210-5 (cited in this advisory) that indicated this was a required field but did not include the "regulatory requirement" language. That order was issued September 20, 2012.

This indicates that the CME may begin considering the failure to include or inaccurate listing of the Tag 1028 value on a Globex order in a similar manner as it considers an improper Tag 50 value or usage - which had been seen to carry high 5 digit fines and suspension of trading privileges on CME. This escalates the importance of getting Tag 1028 information correct.
DCM and firms it works with have the ability to help companies review their Tag 1028 information and their internal order generation, assess if there are gaps in their controls, and revise those controls.
Please contact us if you would like to discuss this or other regulatory issues.

The full CME advisory notice is here 

The ICE US Futures issued an advisory notice on December 9 to specify " in broad terms, the key elements of a satisfactory program of supervision". While only 2 pages, there a several very important points stressed in the document:

First, ICE wants to " remind market participants that the adoption of written supervisory policies, alone, is not sufficient to discharge a firm’s supervisory duty under Rule 4.01(a)".  One of the specific points they address to that is to "periodically train its employees/agents regarding Exchange Rules and Rule changes". DCM has been advising clients that a single annual training may not be considered adequate supervision, especially if it a general overview rather than addressing key changes and provisions of exchange rules. Similarly, this would suggest that exchange specific or at least exchange comparative (i.e., differences in CME, ICE US, and ICE Europe rules) training is advisable.
Second, ICE stresses size of firm and level of exchange activity are a determinant in "appropriate", They indicate "while regular manual review and monitoring of an employee’s trading activity may be perfectly sufficient for a proprietary trading firm with 5 traders, a larger proprietary firm with 50 traders may require an automated solution to effectively review and monitor employee activity." This is one of the rare times when the potential requirement of an automated system may be applied to a firm. DCM would also caution that ICE refers to "the nature and size of Exchange activity" elsewhere in the advisory without mention of number of traders. A firm with very active traders may reach the supervisory threshold for greater resources without needing to have 50 traders.

DCM has been a tad strident on the issue of failure to supervise - ICE Futures may have made our point for us.

​The full two page notice is here

The CME just fined a trader $25K and suspended trading privileges for 25 days after the the fine is paid. I frequently talk to clients about the importance the exchanges (and the CFTC) place on proper use of the trader log in (referred by the CME as Tag50 to reflect where in the order and transaction message the trader ID appears. One of the points i raise is that the trade oversight mechanisms start from the Tag50 and the deal with aggregated data from there.
In this case, the CME emphasized that point. 
 
         "Yang’s conduct impeded the Exchange’s ability to further investigate potentially violative messaging activity by one or more individuals who utilized Yang’s Tag 50"

The actions were not undertaken by the trader but the use of the Tag50 made an investigation harder. The trader paid a significant penalty and a suspension. This should be a caution to all firms and traders that you are responsible for any mistake someone else makes using your id - just don't lend it out. The order is here

I hope everyone has a great Thanksgiving (if in the US).

.Readers of this blog, our clients, and people who have been at a DCM seminar presentation in the past may recall DCM's distinction between trade compliance and market compliance. We use trade compliance to refer to oversight of transactional activities - bid, offer, execution and the related issues like disruptive trading - while we use market compliance to refer to oversight of other areas of the regulatory rules that frequently deal with market transparency - such as block trade reporting and Tag 50 log ins. Frequently, disciplinary actions under the market compliance rules are accompanied by smaller fines and possibly a short suspension (especially in the case of improper use of Tag 50s).
But every once in a while, the market is reminded that market transparency and accuracy is just as important to the exchanges under market compliance as it is under trade compliance. Today the ICE issued a disciplinary notice for Merrill Lynch International that entailed a $200K fine. The notice is here. 
The notice indicates that the firm had failed to report block trades within the 15 minute reporting window " at various times" of a 4 month period. They also were alleged to have misreported the time of execution of the block trade (which can be a concern - the individual may know the reporting time and attempt to fudge the execution time to cover their failure to report). They also cited that a broker must - for every trade or with by some other standing direction - have explicit direction that a trade may be executed as a block.
Finally, since there appear to be failures in what one might expect to be standard control processes for a brokerage firm, a failure to supervise violation was also referenced.
This is a fairly significant fine for a market compliance issue but it is by no means the largest. It does, however, serve as abundant caution that it is not just trade compliance that can bring significant impacts from the exchange disciplinary process.

One of the areas DCM has addressed multiple times this year (and last year) is the exchanges increasing trend towards imposing "failure to supervise" fines on the companies where traders have improper behavior. Mitsubishi  RTM (the metals trading side - not the oil side) was just fined $250,000 for "failure to supervise". The disciplinary notice had a couple items that you don't always see but that we stress in our review of training programs:
1. The company "failed to properly train one of its traders, a secondee (“Trader A”), who had no prior trading experience, before placing Trader A into a temporary trading rotation to trade futures on NYMEX".

• Companies should always have a structured and rigorous "movers and joiners" training program;
• The program should cover traders, compliance oversight staff, and operations staff in mid and back office

​2. New staff should always have strict structures around permissible trading activity. Trade limits and controls should be strictly enforced. The CME noted something I haven't seen before:
"ailed to provide sufficient training specific to trading CME Group markets, or CME Group trading rules, including disruptive trading, to Trader A. As a result, Trader A attempted to trade through experimentation, resulting in executing disruptive trades that violated Exchange rules."

• "trade through experimentation" is such a wonderful phrase; it may explain much of my trading career

​3. The CME made a significant statement of the responsibility chain:
"The Panel concluded that, pursuant to Exchange Rule 433, (it) was strictly liable for the acts of its employee whose conduct the Panel concluded violated Exchange Rule 575.A."

• the language is frequently associated with liability but the "strictly liable" is a particular emphasis here

​
The trading appears to have been basic spoofing or disruptive trading but the fine indicates the exchange's displeasure with the lack of training. This should be a blueprint for new shops entering US markets or expanding organizations.

​The CME notice is here

The CME issued an $800K fine to a Chicago trading firm for entering orders "mislead..; other market participants with respect to market liquidity, for the purpose and with the effect of artificially decreasing market volatility and the number of other market participants." Note, the violation is for misleading perceptions of liquidity. The CME also noted "In doing so, the (individual) accumulated resting order quantities so large that they would have violated his clearing firm’s risk limits had they been filled, and on several occasions he acquired positions so large they did violate those risk limits." So, not only did the individual mislead the market, the individual mislead the firm.
This is an important distinction. A simple way to consider the difference between risk and compliance oversight arises from this distinction. DCM always stresses in compliance training or in seminars we conduct that there is a simple but profound difference that should be followed:

• Risk Management = Activities to assure that a firm does not have a misconception of the risks associated with its activities in the marketplace

• Compliance = The requirement by external regulators that a firm’s activities in the marketplace do not create a misconception for other market participants of their risk of participation in the market

In this case, the CME found a violation of both those precepts. The CME also indicated that:
"The Panel further found that Hard Eight lacked adequate risk and compliance controls. Despite other members of the firm knowing the partner’s trading activity and that the partner’s trading repeatedly caused the firm to post maintenance margin, the firm failed to diligently supervise the partner and allowed the violative trading to continue."
So, the trader was violating your internal controls and you did not examine the activities - you get an $800K fine for "failure to supervise" and also the underlying violations.
By the way, the trader got a $200K fine and a nine month suspension from CME markets - so the company got a 4 times fine for failing to control the trader. A nice round $1 million in total. The company disciplinary notice is here and the individual's notice is here 

The CME issued a disciplinary notice to an energy firm for failing to submit block trades with accurate execution times. There are very specific - and short - times for filing block trade reports regardless of whether they are principal to principal or brokered. In this case, the exchange indicated the failure was "multiple block trades in Crude Oil futures to the Exchange with inaccurate execution times. Additionally, the Panel also found that Syntex failed to properly advise and train its employees as to relevant Exchange rules and Market Regulation Advisory Notices (“MRANs”) in a manner sufficient to ensure compliance with Exchange block trade reporting requirements." The fine was $40K. The notice is here.
So we, have two issues - improper reports and failure to supervise. This can be solved in one of two ways:
First, many firms, including some of the largest global energy firms, have adopted a policy of only executing block trades via a broker. When executed through a broker, the block trade reporting obligation falls to the broker - removing the issue for the company. Please remember that the trader entering the order with the broker must designate it is to be executed via a block trade - either by a global instruction that any trade of block size must be executed as a block or by specific instruction that the individual trade must be executed via a block.
Second, companies do perform training - at least annually - for staff who are authorized to perform block trades on a principal to principal basis. DCM has created and performed training of this type for clients. The major points covered are the requirements for a block trade, the mechanics of a block trade, the timing requirements by product, and the exchange portal for block trade filings. Both ICE and CME have electronic portals for filings and the form is standardized.
There really is no reason to have this type of notice and fine if you follow one of these two paths.

The CME issued a disciplinary notice today for a $1.25 Million fine for an individual. The individual was a broker at a firm who entered trades for customer accounts without a power of attorney. As the notice indicates, the customers may have made verbal authorizations for small orders but the individual blew through the risk limits and, in some cases, the financial capabilities of the customers. The total losses exceeded $10 Million, which the brokerage firm repaid (but imagine the mess of sorting that out with your brokerage firm). If any of those customers was confirming their trading on a daily basis, this would not have happened. This is the epitome of the classic "buy and forget" trading strategy - that is how many entities implement "buy and hold".
The trader was fined $1.25 million and barred for life from the exchange or from entering orders on behalf of a customer. The notice is here .
This happens - believe me. DCM staff have been in a situation where a client entered trades after discussions with DCM but did not check their broker statement. DCM was in transit overseas that day and the next. When the statement came in, the order had been doubled. Neither the client or the IB (or so they said) had tapes. The client believed the IB and billed DCM for the loss. We paid rather than go through the costs.
The simple fact is every account should be verified EVERY day before the next day opening of the market. Larger firms should confirm trades in near real time - just because you think that what you asked for is going on doesn't mean it is. Every phone order should be read back in confirmation of the trade. If your traders are not requiring read backs of fills on phone orders - make them. Any phoned in order that is not read back by the broker should be subject to cancellation. Simple risk measures can avoid a major amount of pain.