Alert March 11, 2014

CFTC Staff Issues Best Practices for Customer Information Safeguards

The CFTC’s Division of Swap Dealer and Intermediary Oversight issued a Staff Advisory outlining recommended best practices for covered financial institutions to comply with Title V of the Gramm-Leach-Bliley Act of 1999 (“Title V”), which requires financial institutions to respect the privacy of their customers and protect the security and confidentiality of nonpublic personal information, and Part 160 of the CFTC’s regulations, which help implement Title V.  The best practices in the Staff Advisory are designed to be consistent with those adopted by the federal banking agencies and the FTC and those proposed by the SEC.  The recommendations apply to futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, major swap participants and swap dealers that are subject to the Part 160 regulations (“covered entities”).

The Staff Advisory recommends that each covered entity adopt a written information security and privacy program tailored to its specific business that, at a minimum, includes the following basic elements, which are discussed in greater detail in the Staff Advisory:  (1) designation of a specific employee with privacy and security management oversight responsibilities and of employee(s) to implement and assess the program; (2) identification of all reasonably foreseeable internal and external risks to the confidentiality of customer personal information; (3) implementation of safeguards to control the identified risks; (4) staff training to implement the program; (5) regularly testing of the program with independent testing every two years; (6) oversight of third party service providers with access to customer records and information; (7) regular evaluation and adjustment of the program in light of specified factors; (8) response procedures for incidents of unauthorized access; and (9) an annual assessment of the program provided to the covered entity’s board of directors.  The Staff Advisory concludes with a statement that the best practices are issued “with the expectation that the Division [of Swap Dealer and Intermediary Oversight] will enhance its audit and review standards as it continues to focus more resources on [Gramm-Leach-Bliley Act] Title V compliance” and a citation to a 2009 settlement in which a foreign currency broker was sanctioned for placing confidential personal consumer information of approximately 13,000 customers and prospective customers on a personal website that was accessible on the Internet for at least a year.