Unintended consequences of seemingly innocuous amendments to a CME Group rule regarding order entry into the Globex electronic matching system could impose an extremely difficult burden and increased potential liability on clearing members for the direct access clients they authorize. Moreover, while many firms struck by the WannaCry ransomware two weeks ago continued to struggle with recovering their encrypted data, the US Department of Homeland Security, the Securities and Exchange Commission and the UK Financial Conduct Authority issued useful guidance to help minimize the potential destructive impact of future malware attacks. Accordingly, the following matters are covered in this week’s edition of Bridging the Week:
There will be no publication of Bridging the Week on May 29 because of Memorial Day.
Compliance Weeds and My View: Unfortunately, seemingly innocuous amendments to a CME Group rule – 536.B.1 – could hang a Damoclean sword over clearing members for the direct access clients they authorize: an extremely difficult burden and increased potential liability. This does not appear to be the intent of the CME Group, but it appears to be a consequence.
Currently, under CME Group Rule 536.B.2, entities certified to access Globex directly must create “an audit trail” of each “message” (e.g., an order) entered into the electronic matching system. (Click here to access the elements of this audit trail.) Clearing members that authorize such access are responsible for “maintaining or causing to be maintained” the electronic audit trail for such systems for five years, although they may delegate such responsibility to clients that are also clearing members or equity member firms. (Click here to access CME Group Rule 536.B.2.)
Rule 536.B.2 goes on to explain that “Each such electronic audit trail must be complete and accurate for every electronic communication such system receives or generates,” and the audit trail must contain all required audit trail fields. However, Rule 536.B.1 solely requires Globex terminal operators to enter accurately in the first instance only certain, but not all mandatory audit trail fields.
CME Group’s rule amendments reflect a desire to harmonize Rules 536.B.1 and 536.B.2 to make clear that it expects terminal operators to enter all required audit trail information accurately in the first instance. This way, when the audit trail information is retained by a direct access client or its clearing member, the information should be correct and meaningful when it is reviewed at a later time for regulatory or other reasons. Conceptually, this makes sense.
However, because of the way the rule is currently constructed and proposed to be amended, clearing members would potentially guarantee such accuracy when they have no effective means to ensure such correctness. This makes no sense.
The version of Rule 536.B.1 in effect today already imposes a very challenging responsibility on clearing members – although CME Group has not applied the rule to date in an unreasonable fashion. The amendments to the rule, however, make a problematic rule worse – although there is no reason to expect anything but a continued reasonable approach by CME Group itself in applying the rule.
Notwithstanding, CME Group should make clear that it does not expect clearing members to guarantee the accuracy of all data in all mandatory audit trail fields entered by terminal operators to which they grant direct access. It could do this by amending Rule 536.B.1 or by clarifying its view in a Market Regulation Advisory Notice – perhaps by cross-referencing another CME Group rule – Rule 574. Pursuant to this provision, a clearing member might be held liable for a violation of an exchange's rules by a direct access client it authorizes, but solely if it “has actual or constructive knowledge of [the] violation ... and the clearing member fails to take appropriate action.” (Click here to access CME Group Rule 574 – see last paragraph. Click here to access CME Group MRAN RA1520-5, a logical MRAN to amend.) This provision, at least, establishes a standard that can be practically applied.
The SEC’s Office of Compliance Inspections and Examinations noted that, during recent examinations of 75 registered broker-dealers, investment advisers and investment companies, it observed that 5 percent of BDs and 26 percent of IAs and funds did not conduct periodic cyber-risk assessments. Moreover, 5 percent of BDs and 57 percent of IAs and funds did not conduct penetration tests and vulnerability scans on firm critical systems. OCIE encouraged registrants to review cybersecurity resources it has publicized (click here to access a sample) as well as those made available by the Financial Industry Regulatory Authority (click here to access). (Click here for further background on prior SEC and FINRA assessment of cybersecurity threats to regulated firms in the article “Industry Watchdogs Warn Brokers and Advisory Firms on Cybersecurity Threats” in the February 8, 2015 edition of Bridging the Week.)
FCA also provided links to helpful guidance to deal with the specific WannaCry ransomware (click here to access).
Helpful to Getting the Business Done: Last fall, Katten Muchin Rosenman attorneys published a very helpful guide to avoid and deal with ransomware attacks. (Click here to access the September 27, 2016 article “Is Your Business Prepared for the Ransomware Epidemic.”) The guide recommended that, among other precautions, firms should implement ongoing risk analysis, incident response and business continuity planning, regular backups, workforce training, technical safeguards, access controls, and third-party vendor management. Signing up for insurance should also be explored.
However, no matter how excellent the precautions taken by a firm, all employees must exercise common sense. As recommended by Homeland Security, employees must be trained not to open links in unsolicited or unrecognized emails.
The crooks are getting cleverer and cleverer too. Just last week I received a personal email that appeared to be from my best friend from high school (who now lives abroad), suggesting that I would enjoy opening a particular link. When I reviewed my “friend’s” email address, I noticed his name was there, as expected. However, when I looked behind his name, I saw an email address I did not recognize. After I wrote to my friend at a different email address, he confirmed to me that the earlier email was not from him. I knew then it was malware. I promptly deleted it. Had this been a firm computer, I would have first alerted our IT team.
These days, what looks like a duck, waddles like a duck, and sounds like a duck, may still not be a duck. We all must be vigilant!
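The check described above (the display name matches someone you know, but the address "behind" the name does not) is something a mail gateway or a helpdesk triage script can do automatically. The following is an added example, not code from the newsletter or from any of the agencies it cites: it parses the From header of a raw message, separates the display name from the actual address, compares the address with the one on file for that name, and also flags a Reply-To that silently routes answers to a third address. The address book, the two sample messages and the function names are constructed for illustration.

```python
# Added example (not from the newsletter): automate the "look behind the
# display name" check. Address book, samples and names are constructed.
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed address book: normalized display name -> addresses known for it.
ADDRESS_BOOK = {
    "alex rivera": {"alex.rivera@example.org"},
}

# Constructed sample: display name matches a contact, the address does not,
# and Reply-To points somewhere else again.
SAMPLE_SPOOFED = """\
From: Alex Rivera <alex.rivera@mail-example.net>
Reply-To: <alexr.hotdrop@example.net>
To: you@example.com
Subject: thought you'd enjoy this

Hey, have a look at this link, you'll like it.
"""

# Constructed sample: same contact, address matches the address book.
SAMPLE_LEGIT = """\
From: "Alex Rivera" <Alex.Rivera@example.org>
To: you@example.com
Subject: catching up

Long time no see.
"""


def normalize_name(name):
    """Lower-case and collapse whitespace so 'Alex  Rivera' == 'alex rivera'."""
    return " ".join(name.lower().split())


def split_from_header(raw_from):
    """Return (display_name, address) from a From header value.

    RFC 2047 encoded words (e.g. =?utf-8?q?...?=) are decoded first so that a
    name hidden behind encoding is still compared against the address book.
    """
    decoded = str(make_header(decode_header(raw_from)))
    name, addr = parseaddr(decoded)
    return name.strip(), addr.strip().lower()


def check_from_header(raw_message, address_book=ADDRESS_BOOK):
    """Classify the sender of a raw RFC 5322 message.

    Returns the parsed name and address, whether the display name is in the
    address book, a list of red-flag findings, and `suspicious`, which is
    True when any finding was raised. An unknown sender is not by itself a
    finding; it simply is not a trusted contact.
    """
    msg = message_from_string(raw_message)
    name, addr = split_from_header(msg.get("From", ""))
    findings = []

    known = address_book.get(normalize_name(name)) if name else None
    if not addr:
        findings.append("From header carries no parseable address")
    elif known is not None and addr not in known:
        findings.append(
            f"display name {name!r} matches a contact but address {addr!r} "
            f"is not on file (known: {sorted(known)})"
        )

    # Replies routed to a different address than the visible sender are a
    # classic phishing tell, even when the From address itself looks right.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.strip().lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to!r} differs from From address {addr!r}")

    return {
        "display_name": name,
        "address": addr,
        "name_in_book": known is not None,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        result = check_from_header(sample)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

The comparison is deliberately on the full address, not just the domain, because the anecdote above is exactly the case where the domain looks plausible and only the mailbox is wrong; a production deployment would replace the inline dictionary with the firm's directory and feed the findings to the IT team rather than to the user.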
Legal Weeds: Recently, the Commodity Futures Trading Commission commenced and settled two enforcement actions, sounding in the securities concept of insider trading, but relying on its own legal basis – the relatively new provision of law and CFTC rule that prohibits employment of a manipulative or deceptive device or contrivance in connection with futures or swaps trading. (Click here to access Commodity Exchange Act Section 6(c)(1), 7 US Code § 9(1), and here to access CFTC Rule 180.1.)
Most recently, in September 2016, the CFTC brought and settled charges against Jon Ruggles, a former trader for Delta Airlines, for trading accounts in his wife’s name based on his knowledge of trades he anticipated placing for his employer. The CFTC claimed that this constituted trading on illicitly misappropriated information – a type of prohibited insider trading.
To resolve the CFTC’s charges, Mr. Ruggles agreed to pay a fine of US $1.75 million; disgorge all trading profits on a specified schedule over 42 months; and never again trade on a market overseen by the CFTC. (Click here for additional information in the article “Ex-Airline Employee Sued by CFTC for Insider Trading of Futures Based on Misappropriated Information" in the October 2, 2016 edition of Bridging the Week.)
In its first action sounding in insider trading, the CFTC alleged in 2015 that Arya Motazedi, a gasoline trader for an unnamed large, publicly traded corporation, similarly misappropriated trading information of his employer for his own benefit. (Click here for information regarding the CFTC’s enforcement action against Mr. Motazedi in the article “CFTC Brings First Insider Trading-Type Enforcement Action Based on New Anti-Manipulation Authority” in the December 6, 2015 edition of Bridging the Week.)
The CFTC has used its manipulative or deceptive device or contrivance authority in a wide range of enforcement actions, from its first use in the JP Morgan “London Whale” episode to subsequent allegations of illegal off-exchange metals transactions, claims of more traditional manipulation of wheat, and allegations of spoofing and insider trading. The CFTC has made clear it sees its new authority “as a broad, catch-all provision reaching fraud in all its forms – that is, intentional or reckless conduct that deceives or defrauds market participants” and will use it whenever possible – including for allegations of trading on the basis of material nonpublic information obtained as a result of a breach of a duty of confidentiality, or through fraud or deception. (Click here to access the CFTC’s views on the reach of its authority under CFTC Rule 180.1 in the Federal Register adopting release for this provision.)
For further information:
After Victims Want to Cry Because of Attacks by WannaCry, Worldwide Regulators Issue Helpful Guidance About Ransomware:
Broker-Dealer CMBS Traders Charged with Lying to Customers to Increase Firm Profits:
Canadian Self-Regulator Proposes Changes to Customer Protection Regime:
CBOE Futures Exchange Issues Best Practices for Trading Privilege Holders:
CFTC Creates New FinTech Initiative – A Lab, Not a Sandbox:
FINRA Seeks Comments on Rules Governing Outside Business Activities and Private Securities Transactions:
Hedge Fund Icon Settles SEC Insider Trading Allegations:
Innocuous Changes in CME Group Globex Rule Could Inadvertently Increase Potential FCM Liability Bigly:
Love in the Office Between Unnamed US Attorney and Subordinate Criticized by Department of Justice Inspector General:
New Names Added to OFAC’s Specially Designated Nationals List:
NFA Proposes That Swap Dealers Be Permitted to Piggyback on Internal Credit Risk Models Reviewed by Prudential Regulators for CFTC Capital Rule Compliance:
Shanghai Clearing House CFTC Registration Relief Extended for Six Months:
The information in this article is for informational purposes only and is derived from sources believed to be reliable as of May 20, 2017. No representation or warranty is made regarding the accuracy of any statement or information in this article. Also, the information in this article is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The impact of the law for any particular situation depends on a variety of factors; therefore, readers of this article should not act upon any information in the article without seeking professional legal counsel. Katten Muchin Rosenman LLP may represent one or more entities mentioned in this article. Quotations attributable to speeches are from published remarks and may not reflect statements actually made.