On February 12, 2018, the Commodity Futures Trading Commission (CFTC) issued an order requiring AMP Global Clearing, a registered Futures Commission Merchant (FCM), to pay a civil penalty of $100,000 due to its failure to diligently supervise its IT provider in implementing AMP’s Information Systems Security Program. The order came after a third party was able to gain access to AMP customer records without authorization through a vulnerability in AMP’s network. The vulnerability had not been detected in three consecutive quarterly network risk assessments, despite the fact that security breaches resulting from similar vulnerabilities—including a number that occurred on network devices manufactured by the same manufacturer as AMP’s—had been reported in the media prior to the breach of AMP’s network.

The CFTC is a United States regulatory body responsible for overseeing participants in commodity futures markets, including commodities exchanges, clearing organizations, and FCMs. Any entity seeking to operate as an FCM must register with the CFTC, and in doing so the entity subjects itself to the CFTC’s enforcement authority. Among the regulations enforced by the CFTC are requirements to adopt and enforce procedures to secure personal information and the requirement to “diligently supervise” agents and third parties in implementing these procedures.

The CFTC has enforcement authority over a small subset of U.S. businesses, but its enforcement action is evidence of a continuing sea of change in how public authorities approach data protection. As AMP has undoubtedly learned, a company may not simply outsource data security obligations and therefore insulate themselves from liability. This principle is becoming a central tenet in data protection laws and regulations, including the European Union’s upcoming General Data Protection Regulation.

It is important for companies to understand which data protection laws they must follow, but it is equally important that these companies ensure that their agents and systems providers have undertaken to follow these laws as well. The growing consensus, as demonstrated by the CFTC’s order, is that taking an IT provider’s word for it is no longer sufficient.

The CFTC’s press release on its order may be read here.


Achieved Compliance – helping you navigate the complex world of data compliance.

Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information as to how we can help your organization be GDPR compliant please contact info@achievedcompliance.com.