The CFTC protects privacy and safeguards personal information according to United States law and international norms. The CFTC is committed to enforcing laws, rules, and regulations within the derivatives markets it oversees to help ensure that firms and individuals operating in such markets provide legally required privacy rights to consumers and their customers, and that they properly safeguard personal information to protect individuals and the integrity and stability of the markets.
The CFTC protects the privacy of all individuals about whom it holds personal information in accordance with the U.S. Privacy Act of 1974. Also, although the Privacy Act does not cover non-U.S. persons, the CFTC extends the Act’s protections to all individuals regardless of nationality. (Note: As a matter of Federal law, only individuals covered by the Privacy Act have the right to judicial redress.) The CFTC also uses the internationally recognized Fair Information Practice Principles (“FIPPs”) as a policy framework for its privacy and security program to enhance protections.
The CFTC works to ensure transparency about its policies and practices related to the handling of personally identifiable information (PII). It provides privacy notices for specific personal information collections and notifies the public generally about the information it holds within its Privacy Act covered systems of records.
The CFTC also publishes privacy policies on its websites, explaining what information is being collected, for what purpose, how the information is used and may be disclosed, and how long it will be retained. In addition, the CFTC publishes privacy impact assessments. These provide the same type of information to the public but add discussion of technologies being used to collect, process, and transfer information. They also describe the privacy and security risks that have been assessed and minimized in implementing a new or change to technology.
In addition to these notices, the CFTC ensures there is legal authority to collect information, minimizes collection to information necessary to carry out the specified CFTC purposes, assesses the nature and purpose for PII to be collected, offers choice about uses of information when appropriate, and provides access and correction rights and redress, with certain Privacy Act exceptions. (Note: Only individuals covered by the Privacy Act – US citizens or legal permanent residents – have the right to judicial redress.)
Moreover, the CFTC implements administrative, technical, and physical controls to protect information, following U.S. Federal information security law and internationally recognized security standards. Security measures within the CFTC include restrictions on computer access to authorized individuals, required use of strong passwords that are frequently changed, use of encryption for certain data types and transfers, and regular review of security procedures and best practices to enhance security. In addition, during the design stage of proposed technologies or significant new data collection, the CFTC’s Privacy Office evaluates proposed Commission activity for potential privacy impacts and works with other CFTC staff to mitigate privacy impacts, consistent with internationally recognized “privacy by design” principles.
The CFTC’s GLBA rules require covered financial institutions to implement privacy and security programs designed to give notice to consumers, offer choice in some instances, and also to ensure protection of nonpublic personal information.
The Commission’s rules require covered institutions to provide notice to customers about data processing, data protection and data sharing practices. Additionally, consumers have the right to “opt out” of having their personal information shared with nonaffiliated third parties.
Regarding security safeguards, covered entities must employ effective physical and electronic safeguards to protect nonpublic customer information. The CFTC further recommends that its covered entities notify their potentially affected customers, former customers, vendors, and potentially impacted third parties such as clearing firms should a suspected or actual data breach occur.
To assist covered entities in meeting GLBA requirements, the CFTC has issued a staff advisory for covered entities that contains recommended best practices for mitigating certain risks to customer information. The CFTC recommends, among other best practices, that registrants assess existing privacy and security risks; design and implement controls to minimize such risks; regularly test privacy and security controls; report at least annually to their board on these issues; and implement an incident response program that includes notifying the Commission and individuals whose information was or may be misused in certain situations.
As an example of CFTC’s enforcement of GLBA rules, in 2009 the CFTC sanctioned a foreign currency broker for violating rules designed to protect the confidential personal information of consumers and to prevent disclosure to third parties. One of the broker’s information technology employees placed files containing the confidential personal consumer information of approximately 13,000 customers and prospective customers on a personal website that was accessible on the Internet for at least a year. This security breach was possible because, at the time the employee uploaded the information, the broker did not have policies or procedures sufficient to protect confidential consumer information. The CFTC privacy and security safeguards rules are designed to decrease the number and impact of incidents like these.
Although not a GLBA rule, an additional rule, the CFTC Business Affiliate Marketing rule, requires institutions to offer more choice – it provides consumers with the opportunity to block certain CFTC-regulated entities from soliciting the consumer based on certain financial information, such as transaction information.
Additionally, CFTC-regulated entities that possess or maintain consumer report information in connection with their business activities must develop and implement written policies and procedures for the proper disposal of such information. Examples of reasonable disposal measures include shredding papers and destroying or erasing electronic media.
The CFTC’s “red flags” rule requires financial institutions and creditors to develop and implement a written identity theft prevention program designed to detect, thwart, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The program should include policies and procedures designed to: detect and identify red flags, for example, a suspicious change of address; respond to the red flags to prevent and mitigate identity theft; regularly review and update the program to reflect changes in risks to customers and changes in business operations; require approval by the board of directors or an appropriate committee; and ensure employee training. The rule includes guidelines to assist entities as they formulate and maintain their programs.
The CFTC’s commitment to protecting privacy and safeguarding information regarding U.S. financial markets in a time of rapid technological change includes efforts to maintain the integrity and soundness of the derivatives markets. The American economy depends upon the availability of dependable and secure markets, which assumes the protection of personal and market information. For example, the CFTC has adopted “core principles” for Designated Contract Markets (“DCMs”), Swap Execution Facilities (“SEFs”) and Swap Data Repositories (“SDRs”) requiring them to notify the CFTC promptly of all cybersecurity incidents that actually or potentially jeopardize security of information, including incidents involving data loss. The Commission also issued regulations that require futures commission merchants (“FCMs”) and swap dealers (“SDs”) to develop risk management policies and procedures that address risks related to, among others, systems, data and technology, which would cover areas such as anti-money laundering, identity theft, unauthorized access, and cybersecurity.
The CFTC is also seeking public comment on system safeguards to respond to the transition to automated trading and require appropriate risk controls for FCMs, SDs and major swap participants (“MSPs”). The potential safeguards would address the need for risk analysis and oversight programs which would cover six categories of risk analysis and oversight and follow generally accepted standards with respect to the development, operation, reliability, security, and capacity of automated systems.
Contact the Privacy Office:
CFTC Privacy Office
Office of the Executive Director
1155 21st St., N.W.
Washington, D.C. 20581
By email: firstname.lastname@example.org