Joint Statement of CFTC Commissioner Caroline D. Pham and SEC Commissioner Mark T. Uyeda: Memorandum of Understanding Between the SEC and the CFTC Regarding the Use of Form PF Data
February 08, 2024
The U.S. Securities and Exchange Commission (“SEC”) and the U.S. Commodity Futures Trading Commission (“CFTC”) have entered into a memorandum of understanding (“MOU”), under which the SEC will grant the CFTC unrestricted access to all data submitted by all Form PF filers.[1] Because the MOU contains a number of deficiencies, we dissent.
Form PF was adopted jointly by the SEC and the CFTC in 2011[2] pursuant to the Dodd-Frank Act.[3] The joint adoption is reflective of the fact that some SEC-registered investment advisers also are required to register with the CFTC as commodity pool operators (“CPOs”) or commodity trading advisors (“CTAs”).[4]
Both agencies recognize that “Form PF elicits non-public information about private funds and their trading strategies, the public disclosure of which could adversely affect the funds and their investors.”[5] While the Dodd-Frank Act provides that Form PF is filed with the SEC alone,[6] the Act also requires the SEC to share Form PF data with the Financial Stability Oversight Council (“FSOC”) for systemic risk purposes.[7]
A Form PF filing contains highly sensitive proprietary information about a specific advisory firm, inadvertent public disclosure of which could create significant harm to that firm and its clients. By law, there are confidentiality protections for Form PF data, except that the SEC may share the data with another Federal agency upon a request from that agency “for purposes within the scope of its jurisdiction.”[8]
We object to the MOU for three reasons: (1) it is not necessary for the CFTC to be provided Form PF data for non-CFTC registrants; (2) broader distribution of all Form PF data increases its vulnerability to cybersecurity threats; and (3) the MOU’s provisions for handling of confidential Form PF data are inadequate given the sensitivity of that information.
1) The CFTC Does not Have a “Need to Know”
In contrast to the assurances made when Form PF was adopted in 2011, the MOU will provide the CFTC with access to all Form PF data, which is beyond the scope of the CFTC’s jurisdiction or need. Providing Form PF data on SEC-only registrants ignores basic data protection principles.[9]
We are unclear as to why the CFTC needs access to all Form PF data to accomplish its mission. In fact, much of the Form PF data appears to be outside the scope of the CFTC’s jurisdiction. Filers that are registered only with the SEC have no regulatory nexus to the CFTC.[10] Further, while Sections 1 and 2 of Form PF were jointly adopted by the SEC and CFTC, Form PF consists of seven sections, the latter five of which were adopted by the SEC in its sole capacity.[11]
As the SEC explained in 2011, “the policy judgments implicit in the information required to be reported on Form PF reflect FSOC’s role as the primary user of the reported information for the purpose of monitoring systemic risk. The SEC would not necessarily have required the same scope of reporting if the information reported on Form PF were intended solely for the SEC’s use.”[12] In other words, the adopting release for Form PF admits that FSOC is intended to be the primary user of Form PF data.
In 2011, the SEC and CFTC acknowledged the Dodd-Frank Act’s requirement that Form PF data may only be shared with other Federal agencies for purposes within the scope of their jurisdiction.[13] The SEC represented that its “staff is working to design controls and systems for the use and handling of Form PF data in a manner that reflects the sensitivity of this data and is consistent with the confidentiality protections established in the Dodd-Frank Act.”[14] In this regard, the SEC stated that its “staff is studying whether multiple access levels can be established so that SEC employees are allowed only as much access as is reasonably needed in connection with their duties.”[15]
Far from limiting access to persons who reasonably need it in connection with their duties, the MOU furnishes Form PF data to a separate agency for purposes that cannot plausibly be claimed to be necessary for that agency to carry out its duties. By exposing the entire universe of Form PF data to a Federal agency that has not demonstrated a “need to know,” the SEC is increasing the risk of that information being misused. This violates the SEC’s duty to maintain the confidentiality of the information under the Dodd-Frank Act.
2) Recent Cybersecurity Incidents
Cybersecurity risks represent an ongoing threat to Federal government agencies. Recently, the SEC’s X.com account was hacked,[16] which resulted in the SEC’s official account issuing an unauthorized tweet regarding bitcoin exchange-traded products.[17] According to the SEC’s website, multi-factor authentication had previously been enabled on the account, but was disabled at the SEC staff’s request, and “remained disabled until staff reenabled it after the account was compromised on January 9[, 2024].”[18]
In years prior, the SEC’s Electronic Data Gathering, Analysis, and Retrieval (“EDGAR”) system was compromised.[19] The SEC later alleged that certain of the hackers accessed test filings that contained material nonpublic information and traded based on that information.[20]
Further, for almost a decade, the CFTC Office of the Inspector General (“OIG”) has raised concerns about the agency’s cybersecurity and information technology capabilities. Nearly every OIG “Assessment of the Most Serious Management and Performance Challenges Facing the [CFTC]” since 2015 has identified management and performance challenges in the areas of cybersecurity, information technology, or data protection.[21]
The ability of Federal agencies such as the SEC and CFTC to securely maintain confidential information is being constantly challenged. With respect to Form PF, this concern is amplified because the sensitivity of the information has only increased since the form was first adopted. In 2011, the SEC and CFTC stated that “[c]ertain aspects of the Form PF reporting requirements . . . help to mitigate the potential risk of inadvertent or improper disclosure,” such as extended filing deadlines that “generally contain less current, and therefore less sensitive, data.”[22]
But that is no longer the case. Since 2011, the SEC has amended Form PF to require certain large hedge fund advisers to file current reports as soon as practicable, but no later than 72 hours after, a triggering event.[23] The amendments also require all private equity fund advisers to submit quarterly reports regarding certain types of triggering events within 60 days of each fiscal quarter end.[24]
Thus, the information submitted on Form PF is more current and sensitive than in 2011. The 2011 justification relied on the staleness of Form PF data as a mitigating factor for possible improper disclosure. That justification is no longer valid.
The increased sensitivity of Form PF data, combined with the continuing challenges to government agencies in securing their own databases and accounts, makes it imprudent to expose the SEC-only Form PF data to the CFTC.
3) Inadequate Provisions for Handling Confidential Form PF Data
Before sharing any Form PF data, there should be sufficient due diligence to ensure that the receiving party has adequate systems and procedures to protect that data. However, the MOU simply requires an initial certification and assurance about the receiving party’s protocols and security standards.[25] This falls far short of what the SEC would expect of its own regulated entities.
The SEC recently proposed a rule regarding the use of third-party service providers by investment advisers.[26] The SEC also proposed a rule on cybersecurity risk management for investment advisers and funds.[27] That rule would require investment advisers and funds to consider the cybersecurity risks resulting from their reliance on third-party service providers that receive, maintain, or process adviser or fund information, or are otherwise permitted to access their information systems and any information residing therein.[28]
Similarly, the CFTC recently proposed an operational resilience rule that includes managing information technology risks, as well as risks relating to third-party relationships, for its registrants.[29] Notably, the CFTC’s proposal included a separate annex of nearly 15 pages setting forth prescriptive requirements for third-party relationship management.[30]
It is unclear whether the cursory assessment of protocols and security standards under the MOU – which relies on certifications and assurances alone – would satisfy the standards that the SEC and CFTC propose to impose on their own regulated entities with respect to protecting information shared with third parties.
While the CFTC is not a “service provider” in the context of this MOU, the principles in the SEC’s proposed rules are clear: before disseminating any confidential information to third parties, there should be adequate due diligence to ensure that such information will not be compromised.
The MOU could have provided for verification of the adequacy of the protocols and security standards, both initially and on an ongoing basis. The MOU also could have imposed an obligation to provide ongoing certifications and assurances. Instead, the MOU risks the security of the information by failing to institute appropriate checks to identify material weaknesses prior to sharing the sensitive information contained in Form PF reports and to monitor weaknesses that may develop over time.[31]
More troublingly, the MOU potentially permits the receiving party to share Form PF data with other Federal agencies or self-regulatory organizations.[32] Under such circumstances, Form PF data would be part of a regulatory daisy chain. It is unclear whether the SEC, as the primary party responsible for safeguarding Form PF data, would ever look through to underlying recipients to assess whether and to what extent the Form PF data is being properly used and secured.
Conclusion
Form PF contains sensitive information that the SEC committed to protecting when the form was first adopted, as required by law. Today, the SEC and CFTC embark on an information-sharing arrangement that lacks limitations on scope. Compounding the problem is a lack of appropriate security protocols. For that reason, we are unable to support this MOU.
[1] See Memorandum of Understanding Between the SEC and the CFTC Regarding the Use of Form PF Data (Feb. 8, 2024), available at https://www.sec.gov/files/mou-sec-cftc-form-pf.pdf.
[2] See Reporting by Investment Advisers to Private Funds and Certain Commodity Pool Operators and Commodity Trading Advisors on Form PF, Advisers Act Release No. 3308 (Oct. 31, 2011) [76 FR 71128 (Nov. 16, 2011)] (“2011 Adopting Release”), available at https://www.govinfo.gov/content/pkg/FR-2011-11-16/pdf/2011-28549.pdf.
[3] See 15 U.S.C. 80b–4(b); 15 U.S.C. 80b–11(e).
[4] The CFTC requires such dually-registered CPOs and CTAs to file Form PF with the SEC, but also makes clear that those dual registrants will be deemed to have filed Form PF with the CFTC for purposes of any enforcement action the CFTC might bring regarding any false or misleading statement of material fact in Form PF. See 17 CFR § 4.27(d).
[5] See 2011 Adopting Release, supra note 2, at 71155.
[6] See 15 U.S.C. 80b–4(b)(5).
[7] See 15 U.S.C. 80b–4(b)(7).
[8] See 15 U.S.C. 80b–4(b)(8).
[9] For example, the MOU provides that incidents involving Form PF data will be reported in accordance with the Federal Incident Notification Guidelines promulgated by the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (“CISA”). Yet CISA’s website indicates that – with respect to information stored on its own system – CISA limits access to information “to the extent necessary to accomplish [its] mission.” See Website Privacy Policy, Cybersecurity & Infrastructure Security Agency, available at https://www.cisa.gov/privacy-policy.
[10] Form PF must be filed both by SEC-registered investment advisers and CFTC-registered CPOs and CTAs that also are SEC-registered investment advisers. See General Instruction 1 to Form PF, available at https://www.sec.gov/files/formpf.pdf.
[11] See 2011 Adopting Release, supra note 2, at footnote 3.
[12] Id. at 71129 (emphasis added).
[13] Id. at 71156. Misleadingly, the 2011 Adopting Release states that “[t]he Dodd-Frank Act contemplates that Form PF data may also be shared with other Federal departments or agencies or with self-regulatory organizations, in addition to the CFTC and FSOC, for purposes within the scope of their jurisdiction.” (Emphasis added.) Id. However, the Dodd-Frank Act only expressly provides that information will be filed with the SEC and made available to FSOC. There is no statutory provision that requires the CFTC to receive Form PF data. Rather, the CFTC is permitted to receive Form PF data only to the same extent as any other Federal agency pursuant to Section 204(b)(8) of the Advisers Act. See 15 U.S.C. 80b–4(b)(8).
[14] See 2011 Adopting Release, supra note 2, at 71156.
[15] Id.
[16] See Statement on Unauthorized Access to the SEC’s @SECGOV X.com Account, Chair Gary Gensler (Jan. 12, 2024), available at https://www.sec.gov/news/statement/gensler-x-account.
[17] See SEC probing fake post on its X account, bitcoin ETFs not yet approved, Reuters (Jan. 10, 2024), available at https://www.reuters.com/technology/us-sec-has-not-approved-bitcoin-etfs-social-media-account-compromised-2024-01-09/.
[18] See SECGov X Account, U.S. Securities and Exchange Commission (Last Modified Jan. 24, 2024), available at https://www.sec.gov/secgov-x-account.
[19] See Statement on EDGAR Hacking Enforcement Action, Chairman Jay Clayton (Jan. 15, 2019), available at https://www.sec.gov/news/public-statement/statement-clayton-011519.
[20] Id.
[21] The 2019 OIG Assessment cited a 2019 OIG review of a data governance program for trade data, which found one database application did not comply with federal requirements for securing confidential information. See CFTC OIG, Review of CFTC’s Data Governance Program: Integrated Surveillance System, Report Number: 18-AU-07 (May 7, 2019), available at https://www.cftc.gov/About/OfficeoftheInspectorGeneral/index.htm.
The CFTC maintains all CFTC OIG reports, including Annual Assessments, at https://www.cftc.gov/About/OfficeoftheInspectorGeneral/index.htm.
[22] See 2011 Adopting Release, supra note 2, at 71156.
[23] See Amendments to Form PF to Require Current Reporting for Large Hedge Fund Advisers and Amend Reporting Requirements for Large Private Equity Fund Advisers, Advisers Act Release No. 6297 (May 3, 2023) [88 FR 38146 (June 12, 2023)], available at https://www.govinfo.gov/content/pkg/FR-2023-06-12/pdf/2023-09775.pdf.
[24] Id.
[25] See Paragraphs 5.(I) and 17 of the Memorandum of Understanding Between the SEC and the CFTC, supra note 1.
[26] The rule would require advisers to conduct due diligence prior to engaging a service provider, as well as periodic monitoring of the performance of the service provider. See Outsourcing by Investment Advisers, Advisers Act Release No. 6176 (Oct. 26, 2022) [87 FR 68816 (Nov. 16, 2022)], available at https://www.govinfo.gov/content/pkg/FR-2022-11-16/pdf/2022-23694.pdf.
[27] See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Securities Act Release No. 11028 (Feb. 9, 2022), [87 FR 13524 (Mar. 9, 2022)], available at https://www.govinfo.gov/content/pkg/FR-2022-03-09/pdf/2022-03145.pdf.
[28] Id. at 13551. The adopting release for this rule notes that “Other Commission rules also require advisers to consider cybersecurity. For example…advisers subject to Regulation S–P are required to, among other things, adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. In addition, advisers subject to Regulation S–ID must develop and implement a written identity theft program.” Id. at 13581. (Internal citations omitted.)
[29] See Operational Resilience Framework for Futures Commission Merchants, Swap Dealers, and Major Swap Participants, 89 FR 4706 (Jan. 24, 2024), available at https://www.federalregister.gov/documents/2024/01/24/2023-28745/operational-resilience-framework-for-futures-commission-merchants-swap-dealers-and-major-swap.
[30] See id. For swap dealers and major swap participants, “Appendix A to Subpart J of Part 23— Guidance on Third-Party Relationship Programs” applies. The Commission proposed the same requirements for futures commission merchants in “Appendix A to Part 1—Guidance on Third-Party Relationship Programs.” See also Statement of Commissioner Caroline D. Pham on Operational Resilience Proposal for Swap Dealers and Futures Commission Merchants (Dec. 18, 2023), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement121823b.
[31] We note that the SEC makes Form PF data available to FSOC through the Office of Financial Research (“OFR”) and to the Federal Reserve Board, subject to agreements regarding appropriate use of and extensive confidentiality protections for Form PF. See Annual Staff Report Relating to the Use of Form PF Data, U.S. Securities and Exchange Commission (Dec. 9, 2022), at 1, available at https://www.sec.gov/files/2022-pf-report-congress.pdf.
[32] Accordingly, the CFTC – upon receipt of Form PF information – could further forward that information to other entities, like the National Futures Association (NFA), a self-regulatory organization, or the Chicago Mercantile Exchange (CME), a designated self-regulatory organization. See, e.g., CME Group, Joint Audit Committee, available at https://www.cmegroup.com/clearing/financial-and-regulatory-surveillance/joint-audit-committee.html for background on their examination and financial review responsibilities.
-CFTC-