The CFTC’s Pledge
The CFTC is committed to enforcing laws, rules, and regulations within the derivatives markets it oversees to help ensure that firms and individuals operating in such markets provide legally required privacy rights to their consumers and customers, and that they properly safeguard personal information to protect individuals and the integrity and stability of the markets.
Gramm-Leach-Bliley Act (GLBA) Privacy Protections and Security Safeguards
The CFTC’s GLBA rules (17 C.F.R. §160) require covered financial institutions to implement privacy and security programs designed to give notice to consumers, offer choice in some instances, and ensure the protection of nonpublic personal information.
The Commission’s rules require covered financial institutions to provide notice to customers about data processing, data protection, and data sharing practices. Additionally, consumers have the right to “opt out” of having their personal information shared with nonaffiliated third parties.
Regarding security safeguards, covered financial institutions must employ effective physical and electronic safeguards to protect nonpublic customer information. The CFTC further recommends that its covered entities notify their potentially affected customers, former customers, vendors, and potentially impacted third parties, such as clearing firms, should a suspected or actual data breach occur.
To assist covered entities in meeting GLBA requirements, the CFTC has issued a staff advisory for covered entities that contains recommended best practices for mitigating certain risks to customer information. The CFTC recommends, among other best practices, that registrants assess existing privacy and security risks; design and implement controls to minimize such risks; regularly test privacy and security controls; report at least annually to their board on these issues; and implement an incident response program that includes notifying the Commission and individuals whose information was or may be misused in certain situations.
Although not a GLBA rule, the CFTC Business Affiliate Marketing rule (17 C.F.R. §162) requires institutions to provide consumers with the opportunity to block certain CFTC-regulated entities from soliciting the consumer based on certain financial information, such as transaction information. Additionally, CFTC-regulated entities that possess or maintain consumer report information in connection with their business activities must develop and implement written policies and procedures for the proper disposal of such information. Examples of reasonable disposal measures include shredding papers and destroying or erasing electronic media.
Detecting “Red Flags”
The CFTC’s “red flags” rule (17 C.F.R. §162) requires financial institutions and creditors to develop and implement a written identity theft prevention program designed to detect, thwart, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The program should include policies and procedures designed to: detect and identify red flags, for example, a suspicious change of address; respond to the red flags to prevent and mitigate identity theft; regularly review and update the program to reflect changes in risks to customers and changes in business operations; require approval by the board of directors or an appropriate committee; and ensure employee training. The rule includes guidelines to assist entities as they formulate and maintain their programs.
System Safeguards to Protect Market Integrity
The CFTC’s commitment to protecting privacy and safeguarding information regarding U.S. financial markets in a time of rapid technological change includes efforts to maintain the integrity and soundness of the derivatives markets. The American economy depends upon the availability of dependable and secure markets, which assumes the protection of personal and market information. For example, the CFTC has adopted “core principles” for Designated Contract Markets (“DCMs”), Swap Execution Facilities (“SEFs”) and Swap Data Repositories (“SDRs”) requiring them to notify the CFTC promptly of all cybersecurity incidents that actually or potentially jeopardize security of information, including incidents involving data loss. The Commission also issued regulations that require futures commission merchants (“FCMs”) and swap dealers (“SDs”) to develop risk management policies and procedures that address risks related to, among others, systems, data and technology, which would cover areas such as anti-money laundering, identity theft, unauthorized access, and cybersecurity (17 C.F.R. §§ 1, 3, 23).
Have Any Privacy Questions?
Contact the Privacy Office
By Mail: Commodity Futures Trading Commission
Attn. Privacy Office
1155 21st St., N.W.
Washington, D.C. 20581
By Email: Privacy@cftc.gov