Business Not as Usual – COVID 19: US Securities and Derivatives Industry Regulators Provide Relief and Guidance

Key Points

• This Katten Advisory focuses on the impact of the COVID-19 outbreak on regulatory compliance obligations of financial firms operating in the United States, with a focus on securities and derivatives industry matters.
• Key US regulatory bodies, including the Commodity Futures Trading Commission, the Securities and Exchange Commission, the National Futures Association and the Financial Industry Regulatory Authority, have issued guidance and/or specific relief in light of the COVID-19 pandemic, and many of these critical releases issued to date are summarized herein.
• This Advisory also includes, as appendices, a summary chart of illustrative business continuity plan (BCP) requirements applicable to certain derivatives and securities industry firms and a practical "checklist" that firms can use to assess and respond to issues during this challenging time.
• For further information and guidance around COVID-19, the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), and Johns Hopkins University & Medicine maintain robust websites of relevant information, which are being updated on an ongoing basis.¹

COVID-19 — Specific Guidance from Regulators

Multiple regulators have issued informational guidance and/or specific regulatory relief in response to the COVID-19 outbreak.²

To the extent there may be unique regulatory compliance challenges, firms are advised to discuss them in advance with relevant regulators and seek relief, if possible; in all cases, firms should ensure that all regulatory breaches or difficulties meeting regulatory standards are documented with as much specificity as possible.

In the sections that follow, we summarize each regulator's compliance guidance and/or relief issued to date to address this pandemic.

CFTC

On March 17, the Commodity Futures Trading Commission (CFTC) issued a series of no-action letters to provide certain CFTC-regulated entities and registrants with temporary regulatory relief from a targeted set of regulatory requirements.³

• The CFTC's Division of Swap Dealer and Intermediary Oversight (DSIO) issued a set of Staff Letters⁴ aimed at a broad range of market participants — including futures commission merchants (FCMs), introducing brokers (IBs), swap dealers (SDs), retail foreign exchange (forex) dealers, floor brokers, and members of designated contract markets (DCMs) and swap execution facilities (SEFs). These letters provide for temporary no-action relief from a number of CFTC regulatory requirements, as described below.
  1. Until June 30, 2020, DSIO will not recommend enforcement action against FCMs, IBs, SDs, retail forex dealers, floor brokers and members of DCMs and SEFs for failure to record the time and date on certain order records and trade information by time stamp or other timing device as required by CFTC rules if the personnel who are responsible for preparing such records are mandated by the firm's BCP to be absent from their normal offices, provided that the required records are created, are maintained, and include any required date and time to the nearest minute. This date and time entry could be manually entered.
  2. Until June 30, 2020, DSIO will not recommend enforcement action against FCMs, IBs, SDs, retail forex dealers, and floor brokers for failure to record the oral communications of personnel who would otherwise be required to use a recorded line pursuant to CFTC rules if such personnel are mandated by the firm's BCP to be absent from their normal offices, provided that a written record of the communication is maintained that identifies date, time, participants and subject matter, and that the firm takes "affirmative steps" to collect and maintain any written materials prepared by affected personnel in connection with such communications.
  3. Until June 30, 2020, DSIO will not recommend enforcement action against floor brokers who are not physically located in a pit or other place determined by a contract market, nor will floor brokers be subject to a requirement to register as an IB because of failure to so locate, if the floor broker is required by the DCM's BCP to be absent from such place.
  4. DSIO will not recommend enforcement action against FCMs and SDs who would otherwise be required to provide the CFTC with a copy of their Chief Compliance Officer (CCO) annual reports prior to September 1, 2020, provided that they submit such reports within 30 calendar days of their original due dates.
• The CFTC's Division of Market Oversight (DMO) issued a set of Staff Letters⁵ covering SEFs and DCMs. These letters provide for temporary no-action relief from certain audit trail-related requirements for SEFs and DCMs, as well as an extension of the deadline for submission of CCO annual compliance and certain financial reports for SEFs.
  1. Until June 30, 2020, DMO will not recommend enforcement action against any SEFs that cannot meet requirements around recording of voice communications, to the extent that voice trading personnel are outside their normal offices, provided that the SEF makes reasonable efforts to record in writing the time, date, parties and subject matter of unrecorded conversations, all transaction terms are captured in SEF systems, and orders (even if placed on unrecorded lines) are retained in the SEF's normal audit trail.
  2. Until June 30, 2020, DMO will not recommend enforcement action against DCMs that fail to comply with audit trail requirements, to the extent that those failings are a result of interactions with market participants who are relying on the DSIO Staff Letters described above, provided that the DCM requires such participants to comply with the applicable conditions of those DSIO Staff Letters and that orders entered by such participants are retained in the DCM's normal audit trail.
  3. DMO will not recommend enforcement action against any SEF or SEF CCO for failure to timely submit to the CFTC either an annual compliance report or a fourth quarter financial report (where either report would have been due prior to September 1, 2020), provided that such reports are submitted no later than 120 days after the end of the fiscal year for that SEF.

SEC

The Securities and Exchange Commission (SEC) has provided COVID-19 related conditional regulatory relief with respect to certain obligations of investment advisers and investment companies, and has issued no-action relief with respect to compliance with Consolidated Audit Trail-related obligations of national securities exchanges and securities brokerage firms.⁶

• With respect to federally registered investment advisers, the SEC has made available conditional relief from filing/delivery obligations for filings due on or before April 30, 2020 (which would include many advisers' annual Form ADV and Form PF filings) if a filer cannot meet a deadline due to the impact of COVID-19. This relief allows for an extension of the relevant filing deadline for up to 45 days from its original date but requires communication of the reasons for the requested relief to the SEC and/or clients.⁷
• The SEC has updated certain online FAQ pages to address certain issues that investment advisers are facing as a result of the COVID-19 pandemic. The SEC clarified that advisers do not need to add additional offices to their Form ADV filings to reflect temporary telework arrangements that are part of a firm's BCP.⁸ With respect to the so-called "custody rule" (SEC Rule 206(4)-2), the SEC indicated that, if a client mails or otherwise delivers assets to the adviser at one of its office locations, it would not consider an adviser to have received those assets until firm personnel can actually access deliveries at that location.⁹ In addition, an existing custody rule FAQ provides that SEC staff would not recommend enforcement action if a pooled investment vehicle's audited financial statements are distributed after the standard 120-day deadline if the adviser reasonably believed the statements would be distributed in a timely fashion, but were not so distributed "under certain unforeseeable circumstances."¹⁰
• Additionally, the SEC has granted the following conditional regulatory relief to registered investment companies and business development companies, provided that they have been adversely affected by COVID-19: relaxation of requirements around in-person voting by boards of directors; temporary extensions (up to 45 days) of deadlines for Form N-CEN and Form N-PORT filings, as well as due dates for semiannual and annual report and prospectus deliveries; and allowance for certain firms to call or redeem securities upon fewer than 30 days' notice (which notice is accomplished by filing Form N-23C-2).¹¹
• The SEC's Division of Trading and Markets (DTM) has provided the participants in the Consolidated Audit Trail (CAT) NMS Plan (i.e., the national securities exchanges and the Financial Industry Regulatory Authority (FINRA)) with no-action relief from enforcing their CAT compliance rules with regard to CAT implementation deadlines against members of such exchanges and against members of FINRA.¹² DTM indicates that its no-action relief applies through May 20, 2020, but could be extended.

NFA

On March 4, National Futures Association (NFA) issued a Notice to Members¹³ reflecting its understanding that, in developing contingency plans to deal with the impact of COVID-19, members may have "specific concerns" regarding their ability to comply fully with all CFTC and NFA requirements, particularly if some or all of their staff are unable to work from the firm's offices or backup facilities. According to the Notice, NFA and CFTC staff "intend to take a practical approach that will give [m]embers appropriate flexibility in implementing contingency plans needed to continue to conduct business" if regulatory relief is required. However, NFA encourages members to review their BCPs to ensure they address situations like COVID-19 and contain up-to-date information (e.g., current key persons and contact information). NFA also recommends that members consider providing employees with new or updated training on working from remote locations.¹⁴

On March 13, NFA provided relief from the requirement that all associated persons (APs) who are not located in a member's main office must work from a branch office that has been listed on the member's Form 7-R, which office must be supervised by a branch office manager. NFA stated that it will not pursue disciplinary action against a member that permits APs to work temporarily from locations not listed as branch offices and without branch managers, provided that the member implements alternative supervisory methods to adequately supervise the APs' activities and meet its recordkeeping requirements. Member firms should also ensure that these procedures are documented.¹⁵

On March 18, NFA issued another Notice to Members¹⁶ allowing for parallel temporary relief for its members in line with the regulatory relief granted in the no-action letters issued by the CFTC on March 17, as discussed above. NFA additionally provided relief to forex dealer members (FDMs) in the form of 30-day filing deadline extensions for FDMs' CCO annual reports, if such FDMs would otherwise have had CCO annual report filing due dates between March 31 and September 1, 2020.

FINRA

On March 9, FINRA issued a Regulatory Notice¹⁷ containing updated pandemic-related guidance and regulatory relief for its member firms. The Notice encourages member firms to review their BCPs to consider pandemic preparedness and contact their FINRA Risk Monitoring Analysts to discuss the possibility of implementing those BCPs if needed and any other issues with respect to pandemic-related disruptions of their businesses. The Notice provides a range of specific regulatory relief in various areas, including with respect to supervision and oversight of associated persons working in remote offices or via telework arrangements; however, FINRA made clear that it still expected member firms to establish and maintain a supervisory system reasonably designed to oversee each associated person working remotely. Other relief granted by FINRA relates to suspension of Form U4 requirements for temporary relocations of registered persons and Form BR filing requirements for new temporary office locations. However, if a member relocates personnel to a temporary location that is not currently registered as a branch office or identified as a regular non-branch location, the firm should provide written notification to its FINRA Risk Monitoring Analyst as soon as possible, and such notice should include at a minimum the office address, the names of each member firm involved, the names of registered personnel affected, a contact telephone number, and, if possible, the expected duration of the relocation. The Notice also grants certain extensions or late-fee waivers in connection with filings or qualifications. FINRA stated that it understands that members may require additional time to respond to open inquiries or investigations and to make upcoming filings, and members should contact FINRA staff to seek extensions where needed. The Notice further advises that if appropriately registered personnel are unavailable to service customers, firms should post notice on their websites to inform affected customers of the appropriate person to contact concerning execution of trades and access to funds and securities.

Additionally, FINRA has created coronavirus-related FAQs that will provide temporary relief to member firms from certain FINRA rules and requirements.¹⁸ To date, the FAQs grant member firms temporary relief from the requirement in FINRA Rule 1010(c) that all Form U4 filings must be manually signed, subject to certain conditions.

Business Continuity Requirements

Currently, most financial services companies operating in the United States are subject to requirements that they have comprehensive BCPs in place. With respect to requirements issued by securities and derivatives industry regulators, illustrative examples of these obligations are generally summarized in the comparison table set forth in Exhibit A. Note that firms must generally designate emergency contact persons and provide their information to applicable regulators; in light of the current situation, firms should be sure to promptly review and update any such information.

Employment, Cybersecurity, and Other Legal and Practical Considerations

Exhibit B to this Advisory includes a list of actions or assessments that firms should take in light of the COVID-19 outbreak. This list is not intended to be exhaustive, but rather a pragmatic guide toward high-value preparatory or responsive activities to which firms might choose to dedicate their resources under current circumstances. Many of the items in Exhibit B relate to considerations around employees' working from home, which is now being required by an ever-increasing number of financial services companies.

The most important measure companies and individuals can take during the current crisis is to be informed by facts. Knowledge of COVID-19 and its impact on the community is quickly evolving day by day, so the best practice that any firm can follow is to closely monitor communications from government sources - particularly the CDC and the WHO¹⁹ - for additional guidance and information.

EXHIBIT A – BCP Requirements Summary Chart

	CFTC (17 C.F.R. § 23.603)	SEC (17 C.F.R. § 270.38a-1; Inv. Mgmt. Guidance Update No. 2016-04)	NFA (Compliance Rule 2-38; Interpretative Notice No. 9052)	FINRA (Rule 4370)
Covered entities	Swap dealers (SDs) and major swap participants (MSPs)	Registered investment companies and business development companies20	NFA Members (i.e., futures commission merchants (FCMS), introducing brokers (IBs), commodity pool operators (CPOs), commodity trading advisors (CTAs) and retail forex dealers)	FINRA Members (i.e., securities broker-dealer firms)
Essential contents (as applicable)21           Essential contents (as applicable) (cont.)	(1) Identification of (a) documents, data, facilities, infrastructure, personnel and competencies essential to operations and obligations of the firm; (b) supervisory personnel responsible for implementing the BCP and emergency contacts; and (c) potential interruptions at third parties that are necessary to the operations of the firm and a plan to minimize the impact of such disruptions; (2) Communication plan for the following persons in the event of a disruption: counterparties; swap data repositories; execution facilities; trading facilities; clearing facilities; regulatory authorities; data, communications and infrastructure providers and other vendors; disaster recovery specialists and others essential to recovery of documentation and data, resumption of operations, and compliance with Commodity Exchange Act and CFTC rules; (3) Procedures for back-up facilities, infrastructure, staffing and other resources for the recovery of data and documentation and to resume operations as soon as reasonably possible (ordinarily, by the next business day); (4) Maintenance of back-up facilities, infrastructure and staffing arrangements in areas geographically separate from the firm's primary facilities, infrastructure and personnel (including contractual arrangements for use of facilities and infrastructure of third parties); and (5) Back-up or copying, with sufficient frequency and off-site storage, of documents and data essential to the operations and regulatory obligations of the firm.	(1) Covering the facilities, technology/systems, employees, and activities conducted by the firm's adviser and any affiliated entities, as well as dependencies on critical services provided by other third-party service providers; (2) Including a broad cross-section of employees from key functional areas across the fund complex typically including, but not limited to, senior management (including officers of the fund), technology, information security, operations, human resources, communications, legal, compliance, and risk management to assist in efforts to ensure continuity and resiliency when events occur; and (3) With respect to critical service providers: (i) understanding their backup processes and contingency plans, and how they interact with the firm's BCP; (ii) understanding how the providers monitor, detect and respond to security incidents, as well as having communication protocols to implement if needed with respect to providers; (iii) addressing how the BCPs of key providers might interact with each other and with the fund's BCP; and (iv) contemplating how a service provider disruption might impact the firm's business under various scenarios.	(1) Establishing back-up facilities, systems, and personnel that are located in one or more reasonably separate geographic areas from the Member's primary facilities, systems, and personnel (e.g., primary and back-up facilities should be located in different power grids and different telecommunication vendors should be used), which may include arrangements for the temporary use of facilities, systems, and personnel provided by third parties; (2) Backing up or copying essential documents and data (e.g., general ledger) on a periodic basis and storing the information off-site in either hard-copy or electronic format; (3) Considering the impact of business interruptions encountered by third parties and identifying ways to minimize that impact; and (4) Developing a communication plan to contact essential parties such as employees, customers, carrying brokers, vendors and disaster recovery specialists.	(1) Data back-up and recovery (hard copy and electronic); (2) All mission critical systems; (3) Financial and operational assessments; (4) Alternate communications between customers and the member; (5) Alternate communications between the member and its employees; (6) Alternate physical location of employees; (7) Critical business constituent, bank, and counter-party impact; (8) Regulatory reporting; (9) Communications with regulators; and (10) How the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
BCP review required?	Yes – annually	Yes – at a minimum annually	Yes – periodically	Yes – annually
Key contacts	Each SD and MSP must provide to the CFTC the name and contact information of two employees whom the CFTC can contact in the event of an emergency or other disruption. The individuals identified must be authorized to make key decisions on behalf of the SD or MSP and have knowledge of the firm's BCP.	Firms must designate Chief Compliance Officers (CCOs), and these individuals' contact information is regularly reported to the SEC and can presumably be used by the SEC in case of emergency.	Each FCM, SD, MSP and retail forex dealer must provide NFA with names and contact information for all key management employees (as identified by NFA) and the addresses for its primary and alternate disaster recovery sites. Each IB, CPO and CTA must provide NFA with an individual whom NFA can contact in the event of an emergency (with an additional backup contact if the member has more than one principal). Emergency contact persons must be authorized to make key decisions in the event of an emergency.	Member must report to FINRA prescribed emergency contact information for the member, including designation of two associated persons as emergency contact persons. At least one emergency contact person must be a member of senior management and a registered principal of the member. A member with only one associated person must designate as a second emergency contact person an individual, either registered with another firm or nonregistered, who has knowledge of the member's business operations.

EXHIBIT B – COVID-19 "Checklist"

Employee and cybersecurity related matters

• Establish and/or test emergency communication systems for employees.
• Communicate essential aspects of the firm's business continuity plan (BCP) to employees, particularly as may be amended in light of the COVID-19 pandemic, and ensure that all employees understand their roles and obligations pursuant to the BCP.
• Plan for long periods of working from home (WFH), understanding that employee-supervision requirements must be met and cybersecurity protections should be accorded particular importance.
  • Take all reasonable steps to ensure compliance with regulatory and supervisory obligations and firm policies. Document all regulatory-related decisions, in particular to the extent that full compliance cannot be achieved.
  • Document, in writing, practical and sufficiently specific procedures that should be followed while operating on a WFH basis. Consider in particular dealings with customers and counterparties and maintenance of confidentiality and data privacy, and include specific guidance on how required records (including records around trade orders) that are generated remotely should be retained and transmitted to the firm.
  • Issue clear guidance on employees' use of virtual private networks, secure Wi-Fi networks, two-factor authentication, and personal devices/accounts.
  • Implement means to train employees on and test compliance with WFH procedures.
  • Monitor usage of all major systems against capacity limitations, and anticipate how a capacity constraint would be addressed.
  • Inform all customer or third party contacts of the best methods by which to reach firm personnel.
  • To the extent possible, encourage supervisors to stay in close contact with all subordinates, preferably by video or telephone. Regularly schedule team "check-ins" can be helpful to boost morale and identify common issues with WFH systems.
  • Enhance cybersecurity surveillance and alert employees to the heightened risk of potential cyberattacks in the WFH environment. Employees should remain vigilant of potential phishing scams, exercise caution when handling emails, and report any suspicious communications.
• Implement reasonable business travel protocols, including restricting nonessential business travel and requiring a self-quarantine period for employees who have visited high-risk areas or are exhibiting symptoms of illness.
• Understand obligations to provide reasonable accommodation for disability and family/individual sick leave, while also respecting medical privacy, and wage payment obligations to employees who do not or cannot report to work. Monitor government sources for potential updates related to these issues.
• Ensure employee-related policies and procedures comply with applicable local, state and federal laws.
• Be cognizant of preventing unlawful discrimination in the workplace by not making determinations of risk based on race or ethnicity.

Customer relations, trading, financial risk and regulatory related matters

• Review contracts with customers and counterparties to ensure that compliance with all provisions can be maintained; take note of provisions that might be effected by the COVID-19 pandemic (e.g., force majeure, material breach, material adverse change/effect, investment/leverage restrictions, required notices).
• Consider whether any public/investor-facing disclosures or materials and/or materials submitted to applicable regulators or markets should be updated in light of developments related to COVID-19.
• Establish and/or test backup communication channels to connect with customers, counterparties and regulators.
• Consider proactively reaching out to all customers to keep them abreast of firm operations and provide them with emergency firm contacts.
• Ensure processes are in place to handle routine communications with customers and regulators.
• Review and update internal and external authorizations around trading, account access, and service-provider approvals.
• Closely monitor leverage and margin arrangements, and review any related documentation, especially with respect to covenants, conditions, and collateral requirements.
• Consider potential for margin calls; assess whether degrees of leverage and/or counterparty exposure are appropriate in light of market volatility.
• Conduct stress tests to identify any potential or nonobvious risks to firm liquidity.
• Be particularly cognizant of communication obligations with respect to any deterioration or worsening of the firm's financial condition.
• Keep apprised of new communications or guidance from governmental or regulatory bodies.

Service provider and insurance related matters

• Identify key service provider and other third-party relationships (e.g., with clearing firms, custodians, fund administrators, telecommunication services, outsourcing companies, mail services, utilities).
  • Establish and/or test backup lines of communications with these providers.
  • Create plains to address potential disruptions in service at these providers.
  • Review contracts with these providers to identify provisions that might be implicated by the COVID-19 outbreak (e.g., performance risk allocation, force majeure, material breach, material adverse change/effect, required notices).
  • Review provider's BCPs or contingency plans for potential interdependencies or weaknesses, and create a plan to address such shortcomings.
• Review commercial insurance policies for any potentially available coverage and any express exclusions/limits.
  • Assess notice and claim requirements under existing policies, especially relating to proof and quantification of loss, and have a plan in place to prepare and send such communications to insurers promptly.
  • Determine whether liability insurance policies might cover emergency actions taken by agents of the firm, and document decisions and justifications for actions in a manner that would support potential claims on these policies.

---