Interpretive Notices

9069 - NFA COMPLIANCE RULE 2-36: RISK MANAGEMENT PROGRAM FOR FOREX DEALER MEMBERS

INTERPRETIVE NOTICE

Each NFA Member Futures Commission Merchant (FCM) is required under NFA Compliance Rule 2-26 (incorporating CFTC Regulation 1.11) to establish, maintain and enforce a system of risk management policies and procedures designed to monitor and manage the risks associated with its activities as an FCM (known as a Risk Management Program). Each NFA Member Swap Dealer (SD) and Major Swap Participant (MSP) is subject to similar requirements under NFA Compliance Rule 2-49 (incorporating CFTC Regulation 23.600) and must have a Risk Management Program with respect to monitoring and managing the risks associated with its swap dealing activities.

NFA's Board of Directors (Board) believes that each NFA Forex Dealer Member (FDM) should be subject to Risk Management Program requirements with respect to monitoring and managing its forex activities.¹ Therefore, the Board is amending NFA Compliance Rule 2-36 to specifically require FDMs to establish, maintain and enforce a Risk Management Program designed to monitor and manage the risks associated with their forex activities.² The purpose of this interpretive notice is to provide guidance relating to the FDM Risk Management Program requirements.

Written Risk Management Program

Each FDM must establish, maintain, and enforce a Risk Management Program designed to monitor and manage the risks associated with its forex activities. Each FDM must adopt written policies and procedures that describe its Risk Management Program, and those policies and procedures along with any material changes thereto must be approved in writing by the firm's governing body.³ The Risk Management Program must also include procedures for the timely distribution of the written Risk Management Program to relevant supervisory personnel. The FDM must maintain records of the persons to whom the Risk Management Program is distributed, along with the date of distribution. The FDM must also submit a copy of the Risk Management Program to NFA and/or the CFTC upon request.

Risk Management Unit

Each FDM must establish and maintain a risk management unit. This unit must have sufficient authority; qualified personnel; and financial, operational and other resources to carry out the firm's Risk Management Program. The risk management unit must report directly to the firm's senior management⁴ and be independent from those employees involved (including in a supervisory capacity) in pricing, trading, sales, marketing, advertising, and solicitation activities of the FDM (collectively business trading unit).

Elements of the Risk Management Program

At a minimum, the Risk Management Program must include policies and procedures to monitor and manage the following risks:

a. Market Risk shall take into account, among other things, for all counterparties (i.e., ECP and Non-ECP) the daily measurement of market exposure, volatility of prices, basis and correlation risks, leverage, sensitivity of option positions (if applicable), and position concentration to comply with market risk tolerance limits; timely and reliable valuation data derived from, or verified by, sources that are independent of the business trading unit; and periodic reconciliation of profits and losses resulting from valuations with the general ledger.

b. Credit Risk shall take into account, among other things, for all counterparties the daily measurement of overall credit exposure to comply with forex counterparty credit limits; monitoring and reporting violations of counterparty customer credit limits performed by persons independent of the business trading unit; the firm's process for monitoring and adjusting security deposit requirements imposed upon all counterparty customers; and regular valuation of collateral (including appropriate haircuts) used to cover credit exposures and safeguarding of collateral.

c. Liquidity Risk shall take into account, among other things, the daily measurement of liquidity needs, risks presented by prime brokers and/or liquidity providers, and, if applicable, procedures for liquidating all non-cash collateral in a timely manner and without significant effect on price and application of appropriate collateral haircuts that accurately reflect market and credit risk.

d. Foreign Currency Risk shall take into account, among other things, the daily measurement of the amount of capital exposed to fluctuations in the value of foreign currency to comply with applicable limits and the establishment of safeguards against adverse currency fluctuations.

e. Legal Risk shall take into account, among other things, the determination that any transaction and netting arrangements entered into have a sound legal basis, account opening documents are properly completed and adequate risk disclosure provided, and an evaluation of what impact any potential litigation may have upon firm capital.

f. Operational Risk shall take into account, among other things, secure and reliable operating and information systems with adequate, scalable capacity and independence from the business trading unit; safeguards to detect, identify and promptly correct deficiencies in the operating and information systems; automated financial and risk management controls reasonably designed to prevent the placing of erroneous trades, including those that exceed pre-set capital, credit or volume thresholds; and reconciliation of all data and information in operating and information systems.

g. Counterparty Risk shall take into account, among other things, all risks including but not limited to, settlement risks, pricing risks associated with offsetting the FDM's forex positions with counterparties, including different prime brokers, banks and other FDMs.

h. Liabilities to Retail Forex Customers Risk shall take into account, among other things, the process to ensure that the FDM has sufficient assets to cover the amount owed to retail forex customers on a daily basis. This process must include:

• a separation of duties among individuals responsible for advising customers on trading activities, approving or overseeing customer cash receipts and disbursements and recordkeeping and reporting financial transactions;
• a method for ensuring the firm is accurately computing its liability to retail forex customers and accurately monitoring and valuing the funds used to cover the liability to retail forex customers;
• a method for evaluating on a continued basis the depositories used to hold funds used to cover the amount owed to retail forex customers including ensuring that the depositories meet specified criteria relating to the depository's capitalization, creditworthiness, operational reliability and access to liquidity, as well as the requirements of CFTC Regulation 5.8 and NFA Financial Requirements Section 14;
• a method for assessing the appropriateness of specific investments of funds used to cover the liability to retail forex customers in permitted investments under CFTC Regulation 1.25; and
• the timely recording of all transactions, including transactions impacting retail forex customers' accounts, in the FDM's books and records.

i. Technological Risk shall take into account, among other things, the process to identify and guard against all risks relating to technology including but not limited to the risks associated with both proprietary and third party trading platforms, the security of proprietary and third party platforms, technology changes and the firm's business continuity plan.

j. Capital Risk shall take into account, among other things, that the FDM has sufficient capital to be in compliance with the Commodity Exchange Act and its regulations and NFA Financial Requirements, as well as having sufficient capital and liquidity to meet the reasonably foreseeable needs of the FDM.

k. Any Other Applicable Risks.

Risk Tolerance Limits

The Risk Management Program must also set risk tolerance limits for each of the elements described above and discuss the underlying methodology used in setting these limits, as well as any policies and procedures governing exceptions to these limits and detecting and reporting to appropriate management. These risk tolerance limits must be reviewed and approved quarterly by the firm's senior management and annually by the firm's governing body. The FDM must maintain a copy of these approvals.

Additionally, the Risk Management Program must include policies and procedures for detecting breaches of risk tolerance limits set by the FDM and alerting supervisors within the risk management unit and senior management, as appropriate.

Stress Testing

As part of the Risk Management Program, the FDM must conduct stress tests under extreme but plausible conditions of all positions in the proprietary account and in each counterparty account (both retail customers and ECPs) at least on a semi-monthly basis.

Affiliate Risk

The Risk Management Program must also consider all risks posed by the FDM's affiliates, including the risks affiliates pose when the FDM functions as the primary risk manager and/or liquidity provider for affiliates, the FDM's other business lines and any other trading activity engaged in by the FDM.

Periodic Risk Exposure Reports

Each FDM's risk management unit must provide to senior management and its governing body quarterly written risk exposure reports, which set forth all applicable risk exposures of the FDM, breaches of any established risk limits, any recommended or completed changes to the Risk Management Program, the recommended time frame for implementing the recommended changes; and the status of any incomplete implementation of previously recommended changes to the Risk Management Program.

Each FDM must also provide senior management and the governing body with interim risk exposure reports immediately at any time the FDM detects a material change in the risk exposure of the FDM. An FDM must provide to NFA a copy of all quarterly and interim risk exposure reports provided to its senior management and governing body within 5 business days of providing the report to the FDM's senior management and governing body.

Supervision of the Risk Management Program

The FDM must have a supervisory system in place to ensure that the Risk Management Program is being diligently followed by all appropriate personnel.

Review and Testing

The FDM must ensure that the Risk Management Program is reviewed and tested at least annually or upon any material change in the FDM's business that is reasonably likely to alter the FDM's risk profile by qualified internal audit staff that are independent of the business trading unit, or by a qualified third party audit service, which reports to FDM staff that are independent of the business trading unit. The review must include an analysis of adherence to, and the effectiveness of, the risk management policies and procedures, and any recommendations for modifications to the Risk Management Program. The results of the review must be reported to and reviewed by senior management and the FDM's governing body.

The FDM must document all internal and external reviews and testing of the Risk Management Program including the date of the review or test; the results; any identified deficiencies; the corrective action taken; and the date the corrective action was taken.

Recordkeeping

An FDM shall maintain copies of all written policies and procedures, changes thereto, and approvals required in this notice pursuant to NFA Compliance Rule 2-10 for the period required under CFTC Regulation 1.31.

¹ The FDM Risk Management Program requirements are drawn from similar requirements set forth in CFTC Regulations 1.11 and 23.600. In light of the counterparty nature of forex transactions and the fact that FDMs accept customer funds, the Board believes it appropriate to apply certain requirements set forth in CFTC Regulations 1.11 and 23.600.

²RFEDs that are also registered as an FCM and/or SD may have one risk management program that addresses all the risks associated with the activities of each registration category.

³Governing body means (a) board of directors; (b) a body performing a function similar to a board of directors; or (c) any committee of a board or body.

⁴Senior management means, any officer or officers specifically granted the authority and responsibility to fulfill the requirements of senior management by the governing body.