CFTC Issues Guidance on Customer Data Security | Practical Law

The CFTC issued guidance on customer data privacy and security safeguards for FCMs, CPOs, CTAs, introducing brokers, retail foreign exchange dealers, swap dealers and MSPs.

CFTC Issues Guidance on Customer Data Security

Practical Law Legal Update 1-560-2806 (Approx. 4 pages)

by Practical Law Finance
Published on 12 Mar 2014, USA (National/Federal)
On February 26, 2014, the CFTC's Division of Swap Dealer and Intermediary Oversight issued a staff advisory providing guidance on data privacy and security safeguards for:
The guidance outlines steps designed to ensure that these entities develop, implement and maintain an appropriate written information security and privacy program as required by Title V of the Gramm-Leach-Bliley Act (GLBA) and 17 C.F.R. Part 160 of the CFTC's regulations on protection of customer records and information. Under these regulations, which set out the CFTC's required administrative, technical and physical safeguards for customer records and information at these entities, these firms must:
  • Designate a specific employee who is responsible for:
    • overseeing customer data privacy and security management;
    • developing organizational plans for implementing the required controls; and
    • designating employees to coordinate, implement and regularly assess the effectiveness of the program.
  • Identify, in writing, all reasonably foreseeable internal and external risks to security, confidentiality and integrity of personal customer information and all systems used for processing customer personal information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information or systems.
  • Establish procedures and controls designed to assess and mitigate these risks before implementing new or material changes to internal systems.
  • Design and implement safeguards to control the identified risks and maintain a written record of such safeguard designs.
  • Train staff to implement the program and provide regular refresher training.
  • Regularly test or otherwise monitor these controls, systems, policies and procedures included in the firm's customer data protection safeguards, and maintain written records of the effectiveness of the controls, including the effectiveness of:
    • access controls on personal information;
    • appropriate encryption of electronic information in storage and transit;
    • controls to detect, prevent and respond to incidents of unauthorized access to or use of personal information; and
    • employee training and supervision relating to the program.
  • At least once every two years, arrange for an independent party to test and monitor the controls, systems, policies and procedures included in the firm's customer data protection safeguards, and maintain written records of the effectiveness of the controls.
  • Oversee service providers who have access to customer records and information and document that the entity is:
    • taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards; and
    • contractually requiring service providers to implement and maintain appropriate safeguards.
  • Regularly evaluate and adjust the customer data protection program in light of:
    • the results of the risk assessment process;
    • relevant changes in technology and business processes;
    • any material changes to operations or business arrangements; and
    • any other circumstances that the entity knows or reasonably believes may have a material impact on the program.
  • Design and implement policies and procedures for responding to incidents involving unauthorized access, disclosure or use of personal customer information, including policies and procedures designed to:
    • assess the incident and maintain records of the systems and information involved;
    • take further steps to contain the incident and prevent future breaches;
    • promptly investigate to determine the likelihood that personal information has or will be misused; and
    • notify individuals whose information was or may be misused and notify the CFTC regarding possible risks.
  • Provide annual assessments of the program to the entity's board of directors.
The CFTC's recommendations are consistent with guidelines and regulations issued by other federal financial regulators, and the CFTC expects that these requirements will expand as the focus on protecting the privacy of customers and protecting the security and confidentiality of nonpublic personal customer information under Title V of GLBA continues.