Proposed § 23.602 was intended to implement section 4s(h)(1)(B) of the CEA, which requires each SD and MSP to conform with Commission regulations related to diligent supervision of the business of the SD and MSP. The proposed regulations required SDs and MSPs to establish a system to supervise all activities relating to its business performed by its partners, members, officers, employees, and agents, that such system be reasonably designed to achieve compliance with the CEA and Commission regulations, that such system designate a person with authority to carry out the
supervisory responsibilities of the SD or MSP, and that all such supervisors meet qualification standards that the Commission finds necessary or appropriate.
The Working Group recommended that the Commission not require designation of a single individual with responsibility for supervision, but should allow for designation of a reporting line and that designated supervisors should be permitted to delegate
supervisory authority. The Working Group also recommended that SDs and MSPs be given discretion to determine supervisor qualifications, rather than meet “qualification standards as the Commission finds necessary or appropriate.”
MFA recommended that the Commission clarify that the rules do not impose any new (a) fiduciary obligations or duties (i.e., duties beyond those to which participants in the futures and derivatives markets would otherwise be subject to by agreement or by operation of common law), or (b) supervisory duties on market participants. MFA argued that proposed § 23.602 (Diligent Supervision) is similar to the NFA’s supervision rule for FCMs (Compliance Rule 2-9), and MFA is concerned that § 23.602 may impose fiduciary and supervisory obligations on registrants similar to those that the NFA imposes on FCMs with respect to third parties.
In response to The Working Group’s first comment, the Commission is revising the proposed rule to require “at least one person” rather than “a person” be designated with authority to carry out supervisory responsibilities, which should permit SDs and MSPs more flexibility in designing and implementing the required supervisory system. With respect to the remaining comments of The Working Group, the Commission believes that full accountability for compliance with the CEA and Commission regulations is best served by requiring designation of individuals with supervisory responsibility and that reporting line responsibility is not adequate.
With respect to MFA’s comments, the Commission observes that the rule relates generally to the supervision necessary to achieve compliance with the CEA and
Commission regulations by the registrant. Many of the specific activities to be
supervised are subject to the CEA and other Commission rules that are outside the scope of this rulemaking. The Commission does not intend that § 23.602 impose a fiduciary duty on SDs or MSPs beyond that which would otherwise exist.
Other than the foregoing, the Commission has adopted the rule as proposed. J. Business Continuity and Disaster Recovery - § 23.603
Proposed § 23.603 required SDs and MSPs to establish a business continuity and disaster recovery plan that includes procedures for and the maintenance of back-up facilities, systems, infrastructure, personnel, and other resources to achieve the timely recovery of data and documentation and to resume operations generally within the next business day. The proposed regulations also required SDs and MSPs to have their business continuity and disaster recovery plan tested annually by qualified, independent internal audit personnel or a qualified third party audit service.
Tellefsen and Company, L.L.C. (Tellefsen) commented that most, if not all, of potential SDs have the technology and network infrastructure in place to achieve a next day recovery time objective. However, Tellefsen recommended that the Commission carefully evaluate the business continuity management capabilities of MSPs before establishing a hard date by which these metrics must be in place, as the Commission may have greatly underestimated the time and scope of work for firms to develop, implement and test their business continuity management capabilities (Tellefsen estimates 68-200 person days). The Working Group also argued that the Commission should not require
next business day recovery for non-systemically important SDs or MSPs, but should only require recovery “reasonably promptly.”
The Working Group argued that the Commission should not require staffing of back-up facilities to avoid the burden of requiring two persons for the same job. The Working Group also recommended that the Commission should not require annual testing of the business continuity and disaster recovery plan by independent auditors because independent audits would be too costly.
SIFMA recommended that the Commission clarify that an SD’s or MSP’s business continuity and disaster recovery plan may be part of a consolidated plan established for the various entities in a holding company group if they share common personnel, premises, resources, systems, and infrastructure. SIFMA also recommended that the Commission permit SDs and MSPs subject to the business continuity and disaster recovery requirements of a prudential regulator, or other regulator determined to be comparable by the Commission, to comply with § 23.603 on a substituted compliance basis.
The Commission believes that Tellefsen’s concerns regarding the ability of MSPs to comply with the required recovery period will be addressed through the phased
implementation of the rule, discussed below.
In response to The Working Group’s comment regarding staffing of back-up facilities, the Commission is modifying the proposed rule to clarify that, so long as prompt recovery is reasonably ensured, SDs and MSPs may provide for alternative staffing of back-up facilities as required under the circumstances. The Commission also agrees with the Working Group that annual testing may be performed by qualified
internal personnel and is modifying the proposed rule accordingly. However, the Commission believes that independent audits are required to ensure that business
continuity and disaster recovery plans remain in compliance with the rule, but that annual audits would be unnecessary and unduly burdensome and costly. Therefore, the
Commission is revising the proposed rule to require independent audits only every three years.
The Commission believes that all SDs and MSPs may be critically important to the proper functioning of the swaps market. SDs are critical participants in the swap market and MSPs may, by definition, have exposures that could have serious adverse effects on the financial stability of the United States. Therefore, the Commission
continues to believe that a one business day recovery period is the necessary objective for SDs’ and MSPs’ business continuity and disaster recovery plans. Accordingly, the Commission is not modifying the final rule in this respect.
In response to SIFMA’s comments, the Commission confirms that so long as a consolidated business continuity and disaster recovery plan established for the various entities in a holding company group that includes an SD or MSP, or any such plan that is required by a prudential regulator of the SD or MSP, meets the requirements of the rule, such SD or MSP would be in compliance with the Commission’s rule. The Commission believes that this result is contemplated by the rule as proposed and so is not modifying the rule in this respect.
K. General Information: Availability for Disclosure and Inspection - § 23.606