New Outsourced Compliance Guidance – Implications for CFTC-Registered Private Fund Managers

Akin Gump Strauss Hauer & Feld LLP

Key Point

  • As of September 30, 2021, private fund managers registered with the CFTC as CPOs or CTAs will be required, under new NFA guidance, to supervise certain third-parties performing regulatory functions.
  • Effective September 30, 2021, private fund managers that are registered with the Commodity Futures Trading Commission (either as commodity pool operators or commodity trading advisors) and are National Futures Association members will be required, under a new NFA interpretive notice,1 to demonstrate that they are effectively supervising third-parties that perform regulatory functions.

While a registered private fund manager is already required, under NFA Compliance Rule 2-9(a), to “diligently supervise its employees and agents in the conduct of their commodity interest activities,” the new interpretive notice expressly states that the manager “may be subject to discipline” if a third party’s acts or omissions cause compliance failures by the manager.

“To mitigate the risks associated with outsourcing,” the new interpretive release requires that a registered private fund manager “must have a written supervisory framework over its outsourcing function.” The NFA identified five areas to include in such a framework, and published a related list of questions to address in the Self-Examination Questionnaire.2

Initial Risk Assessment

The interpretive notice states that registered private fund managers should determine which regulatory functions are appropriate to outsource and evaluate any associated risks, and warns that “unless a Member determines that it may adequately manage the risks associated with outsourcing a particular function, a Member generally should not move forward with outsourcing the function.”

The primary areas of risk flagged in the interpretive notice include: (i) the type of confidential, personally identifying or other valuable information the service provider may have access to and the steps it takes to safeguard such information; (ii) the impact of any potential compliance failures by the service provider; and (iii) whether the service provider has the necessary resources to meet its contractual obligations and provide access to all required records.

Onboarding Due Diligence

Once a Member has established which regulatory functions are appropriate to outsource, the Member should perform due diligence to ensure any potential third-party service provider (i) is aware of relevant rules and regulations; (ii) has sufficient experience; and (iii) has the necessary operational capabilities. Due diligence should be heightened for third-party service providers who may obtain or have access to confidential data.

Key areas to consider include IT security, financial stability, background of key employees, regulatory history, business continuity and contingency plans. The NFA suggests a written agreement with a third-party service provider outlining the scope of services and addressing any additional terms, including whether the service provider uses subcontractors for any function and establishing a termination right if material changes are made with respect to the use of subcontractors.

Ongoing Monitoring

Under the interpretive notice, registered private fund managers, should establish both an ongoing review of particular functions and a periodic holistic review of performance. In addition, they should require notification of any material changes to operations, systems or processes, and establish escalation to senior management in the event of a third-party service provider’s failure to perform its duties or change in risk profile (e.g., in the event of a regulatory fine or business failure).

Termination

Sufficient notice from third-party service providers should be required prior to termination, and the manager should be able to obtain all manager and client records and to ensure former service providers return and no longer have access to confidential information.

Recordkeeping Relating to Third-Party Service Providers

Covered fund managers must maintain appropriate records pursuant to NFA Compliance Rules 2-10 and 2-49 to demonstrate compliance with the interpretive notice.

Impact on CPO/CTA Members’ Use of Third-Party Service

While the new interpretative notice did not specifically target any particular categories of service providers, many private fund managers engage third-parties for their administration, compliance and finance functions, all of which may fall within the interpretative notice’s scope of concern. As the trend of outsourcing non-investment functions continues, registered managers should ensure that their supervisory efforts increase accordingly. The timing of effective date of the interpretive notice (the end of Q3) suggests that the NFA expects this effort to be highlighted in the 2021 annual self-assessment. 

1 The Interpretive Notice can be found here.

2 A comprehensive list of questions a Member may use to formulate its written framework to address the Interpretive Notice’s requirements can be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising

Written by:

Akin Gump Strauss Hauer & Feld LLP
Contact
more
less

Akin Gump Strauss Hauer & Feld LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.