Much needs to be tied up at the end of the year but unfortunately time speeds up. So before this interesting year wraps, I’d like to shine the spotlight on two guidances — a brand new one from the CFTC and an older one from the New York state government that got little coverage the first time around.
New CFTC Guidance for CCO Reports
The CFTC’s Division of Swap Dealer and Intermediary Oversight (DSIO) has just released guidance for chief compliance officers (CCOs) of futures commission merchants (FCMs), swap dealers and major swap participants (registrants) on complying with the requirement to prepare an annual report on the state of the registrant’s compliance program under CFTC Regulation 3.3(e), officials say.
The regulation “specifically requires a CCO to prepare an annual report covering the most recently completed fiscal year of the registrant and provide the report to the registrant’s board of directors or senior officer,” CFTC officials say. CCOs must also provide an annual report to the CFTC. In general, Regulation 3.3(e) requires the report to contain “certain enumerated areas of discussion.”
In a related action, the DSIO issued time-limited, no-action relief to “certain registrants concerning the timing of the filing of the CCO annual report,” officials say. Regulation 3.3(f) requires the CCO annual report to be furnished to the CFTC within 60 days after the end of the registrant’s fiscal year.
“In light of the timing of publication of the staff advisory, the no-action relief grants registrants that have a fiscal year ending on or before January 31, 2015 an additional 30 days to furnish the Commission with their annual reports,” according to CFTC officials.
“If a registrant is still unable to comply with the requirement to furnish the annual report at the end of the 90-day period, it may furnish the report to the commission no later than 120 days after the end of its fiscal year, provided that, no later than 90 days after the end of its fiscal year, the registrant informs the division of any material non-compliance events that occurred during the fiscal year that is the subject of the annual report,” officials say.
NY DFS Letter about Cyber-Security Tests
Speaking of guidances, earlier this month, Benjamin M. Lawsky, superintendent of financial services, issued a letter to all banks regulated by the New York State Department of Financial Services (DFS). The letter points out the issues and factors that will be part of “new targeted, DFS cyber-security preparedness assessments,” officials say.
DFS officials will examine banks and their protocols for preventing cyber breaches and penetration; corporate governance for cyber-security; defenses against breaches, including multi-factor authentication; the security of their third-party vendors; and several other issues.
“The new cyber-security assessments will become regular, ongoing parts of all DFS bank examinations moving forward,” say DFS officials. “Taking this step will help encourage stronger cyber-security practices at banks since regulatory examination ratings can have significant impacts on the operations of financial institutions, including their ability to enter new business lines or make acquisitions.”
Targeted cyber-security tests “will help encourage a laser-like focus on this issue by both banks and regulators,” Lawsky says. “Cyber hacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers. It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks.”
The Lawsky letter signals the start of the new cyber-security testing process, which will cover the following questions and subjects:
- Cyber-security management issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
- Information security testing and monitoring, including penetration testing;
- Incident detection and response processes, including monitoring;
- Training of information security professionals;
- Management of third-party service providers;
- Integration of information security into business continuity and disaster recovery policies and procedures; and
- Cyber security insurance coverage and other third-party protections.
Farewell 2014!
As 2014 winds down, FTF News and Financial Technologies Forum (FTF) will be slowing down a bit during the holiday season.
On the news side this week, we will be running a review of the top stories for the year. Depending upon the news that breaks, we’ll be posting intermittently after Christmas Day as this has been an eventful year that shows no signs of slowing down.
FTF will have a skeleton crew in place during the interregnum and we will be back at it on January 5, 2015.
Whatever holidays you celebrate (and even if you don’t), we wish you a peaceful and much-deserved break from the action.