AML and Cybersecurity: A Tale of Two Deadlines
Earlier this year the National Futures Association published Cybersecurity FAQs to provide guidance supplemental to its Interpretive Notice on information systems security. This statement in particular caught our attention:
“A Member will meet the annual requirement if it provides training at any time each calendar year.”
So technically, consecutive cybersecurity trainings could be anywhere from a few days apart to nearly two years apart!
Not so with Anti-Money Laundering training. This “annual” requirement is quite a bit tighter, requiring firms to “…provide training for all appropriate personnel at least every 12 months” according to NFA’s AML Interpretive Notice.
In practice, the majority of firms we service adhere to a 12-month cycle for both of these mandated trainings. In some circumstances, however, Cybersecurity training may be needed more often than annually. The information systems security Interpretive Notice specifies that training “…should be conducted for employees upon hiring and annually during their employment, but more frequently if circumstances warrant additional training.” Factors that may indicate more frequent training is needed include:
- An occurrence of an incident at the Member
- Significant or new risks identified in the Member’s risk assessment
- Substantive changes made to the Member’s ISSP
- Updates made to systems used by the Member
- A significant increase in the number of unauthorized attempts to breach a Member’s systems
- The public identification of a new threat
- The number of employees working in areas susceptible to cybersecurity risks
- Multiple business locations
To stay in compliance, firm administrators on our learning system can access reports showing the last training date for each employee. In addition, we send administrators periodic reports with suggested “next training” dates for AML, Cybersecurity and Futures Ethics training.