The Commodity Futures Trading Commission (CFTC or Commission) is establishing a new Insider Risk Program, the records of which are included in a new Privacy Act system of record...
The Commodity Futures Trading Commission (CFTC or Commission) is establishing a new Insider Risk Program, the records of which are included in a new Privacy Act system of records, CFTC-59, Insider Risk Program Records (CFTC-59), published concurrently in this
Federal Register
. The Commission proposes here to update its regulations to exempt CFTC-59 from certain provisions of the Privacy Act in accordance with the requirements of the Privacy Act and the guidance contained in Office of Management and Budget (OMB) Circular A-108,
Federal Agency Responsibilities for Review, Reporting, and Publication Under the Privacy Act
(OMB A-108) in order to maintain the integrity of insider risk investigations and to keep confidential the identity of confidential sources. If the Commission adopts this proposal, the records in CFTC-59 will be exempt from those provisions of the Privacy Act pertaining to an individual's right to access and request amendment of their records.
DATES:
Please submit comments on or before June 5, 2026.
ADDRESSES:
You may submit comments identified as pertaining to “Privacy Act Exemption—CFTC-59” by any of the following methods:
1. Under Refine Documents Results—check the box to “Only show documents open for comment”
2. Under Agency—select “See More” and check the box for “Commodity Futures Trading Commission,” then press the Apply button;
3. Identify this proposal in the list of CFTC documents open for comment, press the “Comment” button to open the submission form, and follow the instructions on the form.
Alternatively, if you are viewing this proposal on
www.federalregister.gov,
click the “Submit A Public Comment” button at the top of the page to open the comment form. Follow the instructions on the form to submit your comment to
Regulations.gov.
Mail:
Send to—Christopher Kirkpatrick, Secretary of the Commission, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.
Hand Delivery/Courier:
Address to—CFTC Comment Submission, Attn: Christopher Kirkpatrick, Secretary of the Commission, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.
Please submit your comments using only one of these methods. To avoid possible delays with mail or in-person deliveries, submissions through
Regulations.gov
are encouraged.
All comments must be submitted in English or, if not, accompanied by an English translation. Do not include in your comment text or attachments any personal identifying information or business information that you do not want published online. Comments (regardless of submission method) will be published without review for, and without removal of, any personal identifying information or information your business may consider confidential.
If you wish to submit confidential information for the Commission's consideration, please contact the CFTC personnel listed in this Notice under
FOR FURTHER INFORMATION CONTACT
before making any submission. Please also carefully review the Commission's procedures in 17 CFR 145.9 for requesting confidential treatment under the Freedom of Information Act (FOIA) of information submitted to the Commission.
The CFTC reserves the right, but shall have no obligation, to review, pre-screen, filter, or redact all or any part of your comment submission. The CFTC also reserves the right, without further notification, to refuse to publish or to remove from public view all or any part of your submission to the extent it contains content inappropriate for publication in a comment file, such as—without limitation—obscene language, threats of violence, solicitations for commercial sales or illegal activity, or obvious spam. If a submission that is refused for or withdrawn from publication because of inappropriate content also contains comments on the merits of this proposal, such submission will be retained in the record for the matter and will be considered as required under the Administrative Procedure Act and other applicable laws, and may be accessible under the FOIA.
FOR FURTHER INFORMATION CONTACT:
Kellie Cosgrove Riley, Chief Privacy Officer,
privacy@cftc.gov,
202-418-5610, Office of the General Counsel, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.
SUPPLEMENTARY INFORMATION:
I. Background
A. The Privacy Act
The Privacy Act of 1974 [1]
establishes a code of fair information practice principles that govern Federal agencies' collection, maintenance, use, and dissemination of an individual's personal information. The Privacy Act applies to information that is maintained in a “system of records,” defined as a group of any records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.[2]
In addition to establishing a code of fair information practice principles, the Privacy Act restricts disclosure of records containing personal information that an agency maintains.[3]
The Privacy Act also grants individuals an increased right of access to records maintained about themselves as well as the right to request amendment of those records upon a showing that they are not accurate, relevant, timely, or complete.[4]
( printed page 24378)
B. Privacy Act Exemptions
The Privacy Act permits agencies, where certain requirements are met and subject to limitations set forth in the Privacy Act, to specifically exempt systems of records from certain provisions of the Privacy Act, mainly pertaining to an individual's right to access and request amendment of their records.[5]
In order to claim an exemption, however, the agency must engage in a rulemaking process pursuant to the APA [6]
and make clear to the public why particular exemptions are being invoked.[7]
Part 146 of the Commission's regulations,[8]
entitled “Records Maintained on Individuals,” contains the rules of the Commission implementing the Privacy Act. Commission regulation § 146.12 [9]
(the Privacy Act regulation) currently asserts exemptions for certain of the Commission's systems of records that contain records relating to the Commission's investigatory mission and personal security obligations. The Commission proposes to amend Commission regulation § 146.12 to add new subsection (h) identifying CFTC-59 as a system of records for which the Commission would assert an exemption and to specify the rationale for the exemption in compliance with subsection (k) of the Privacy Act [10]
and the corresponding guidance in OMB Circular A-108.[11]
OMB A-108, issued in 2016, provides that, at a minimum, an agency's Privacy Act exemption regulations should include the specific name of any systems of records that will be exempt pursuant to the regulations, the specific provisions of the Privacy Act from which the system of records will be exempt and the reasons therefor, and an explanation of why the exemption is necessary and appropriate.[12]
C. CFTC-59
The Commission is publishing a new Privacy Act system of records, CFTC-59, Insider Risk Program Records (CFTC-59), concurrent with this notice of proposed rulemaking and is proposing here to exempt CFTC-59 from certain provisions of the Privacy Act. CFTC-59 contains records related to the Commission's Insider Risk Program investigations. An Insider is any person who has or had authorized access to or knowledge of the CFTC's resources, including employees, facilities, information, equipment, networks, and systems. An Insider Risk is a risk that an insider will use their authorized access, wittingly or unwittingly, to harm the security of organizational operations and assets, individuals, other organizations, or the Nation. Records in CFTC-59 are collected to detect, deter, and mitigate the unauthorized disclosure of information by an insider and to protect individuals, facilities, information, equipment, networks, and systems from insider risks. The Commission is proposing to exempt this system of records from certain provisions of the Privacy Act because the records are compiled to investigate actual or potential insider risks. As such, the records must be protected from disclosure to maintain the integrity of the investigative process and not provide to any individual an opportunity to access records and compromise that process, such as through the destruction of evidence, interference with witnesses, or otherwise. In addition, the Commission is proposing to exempt this system of records to keep confidential the identity of sources who provided information to the Commission during the course of investigations under an express promise that their identities would remain confidential. If an individual can access the identities of confidential sources, those sources may be unwilling to provide information that the Commission needs for its insider risk investigative activities. Specifically, the Commission is proposing to exempt CFTC-59, pursuant to subsection (k)(2) of the Privacy Act [13]
and subject to the requirements and limitations set forth therein, from the following provisions of the Privacy Act: 5 U.S.C. 552a (c)(3); (d)(1), (2), (3), and (4); (e)(1); (e)(4)(G), (H), and (I); and (f).
Request for Comment
The Commission requests comment on the justification for and scope of the proposed CFTC-59 exemptions.
II. Related Matters
A. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA) requires federal agencies to consider whether the rules they propose will have a significant economic impact on a substantial number of small entities and, if so, to provide a regulatory flexibility analysis regarding the economic impact on those entities.[14]
The proposed regulations, issued under the Privacy Act, exempt a system of records maintained by the Commission from certain provisions of the Privacy Act, primarily those provisions related to an individual's right to access and seek amendment of those records. Individuals are defined in the Privacy Act as United States citizens or aliens lawfully admitted to the United States for permanent residence.[15]
Small entities, as defined in the RFA, are not individuals under the Privacy Act and are not provided rights thereunder; therefore, small entities are outside the scope of the proposed regulations. Accordingly, the Chairman, on behalf of the Commission, hereby certifies pursuant to 5 U.S.C. 605(b), that this proposed rule will not have a significant economic impact on a substantial number of small entities.
B. Paperwork Reduction Act
The Paperwork Reduction Act (“PRA”) imposes certain requirements on federal agencies in connection with their conducting or sponsoring any collection of information.[16]
The Commission may not conduct or sponsor, and a respondent is not required to respond to, a request for collection of information unless the information collection request displays a currently valid control number issued by OMB. This proposed rule does not contain a “collection of information,” as defined in the PRA. Accordingly, the requirements imposed by the PRA are not applicable to this proposed rule.
C. Cost-Benefit Considerations
Section 15(a) of the Commodity Exchange Act (CEA) provides that, before promulgating a regulation under the CEA or issuing an order, the Commission shall consider the costs and benefits of the action of the Commission.[17]
Section 15(a) further specifies that the costs and benefits shall be evaluated in light of five broad areas of market and public concern: (1) protection of market participants and the public; (2) efficiency, competitiveness, and financial integrity of the futures markets; (3) price discovery; (4) sound risk management practices; and (5) other public interest considerations.[18]
The proposed rule is being promulgated under the Privacy Act and pertains to the rights of
( printed page 24379)
individuals with respect to records the Commission maintains about them. The proposed rules are not being promulgated under the CEA. Therefore, the Commission preliminarily finds that the considerations enumerated in Section 15(a)(2) of the CEA are not applicable here.
Request for Comment
The Commission requests comment on whether its preliminary finding is correct.
D. Antitrust Considerations
Section 15(b) of the CEA requires the Commission to “take into consideration the public interest to be protected by the antitrust laws and endeavor to take the least anticompetitive means of achieving the purposes of this Act, in issuing any order or adopting any Commission rule or regulation (including any exemption under section 4(c) or 4c(b)), or in requiring or approving any bylaw, rule, or regulation of a contract market or registered futures association established pursuant to section 17 of this Act.” [19]
The Commission believes that the public interest to be protected by the antitrust laws is generally to protect competition. The Commission has considered the proposed rule to determine whether it is anticompetitive and has preliminarily identified no anticompetitive effects.
Because the Commission has preliminarily determined that the proposed rule is not anticompetitive and has no anticompetitive effects, the Commission has not identified any less anticompetitive means of achieving the purposes of the Act.
Request for Comment
The Commission requests comment on whether the proposed rule is anticompetitive and, if it is, what the anticompetitive effects are and whether there are less anticompetitive means of achieving the relevant purposes of the Act that would otherwise be served by adopting the proposed rule. The Commission also requests comment on whether the proposed rule implicates any other specific public interest to be protected by the antitrust laws.
For the reasons stated in the preamble, the Commodity Futures Trading Commission proposes to amend Part 146 of Title 17, of the Code of Federal Regulations, as follows:
PART 146—RECORDS MAINTAINED ON INDIVIDUALS [AMENDED]
1. The authority cited for Part 146 continues to read as follows:
(h)
CFTC-59 Insider Risk Program Records.
The system of records identified as CFTC-59, Insider Risk Program Records, contains records collected to detect, deter, and mitigate the unauthorized disclosure of information by CFTC staff, including employees and contractors, and to protect individuals, facilities, information, equipment, networks, and systems from insider risks. These risks can include damage caused through espionage, terrorism, or unauthorized disclosure of privileged information or through the loss or degradation of Commission resources or capabilities. Pursuant to 5 U.S.C. 552a(k)(2) and subject to the requirements and limitations set forth therein, the Commission is exempting this system of records from the following provisions of the Privacy Act: 5 U.S.C. 552a(c)(3); (d)(1), (2), (3), and (4); (e)(1); (e)(4)(G), (H), and (I); and (f), and from the following corresponding sections of these rules: 146.3; 146.5; 146.6(d); 146.11(a)(7), (8), and (9); and 146.7(a). Exemptions from these particular subsections of the Privacy Act are justified for the following reasons:
(1) From section (c)(3) (Accounting of Certain Disclosures), because release of the accounting of certain disclosures could alert the subject of an investigation to the existence and extent of that investigation and reveal the investigative interests of the Commission and the recipient entity. Release of such information to the subject of an investigation could reasonably be anticipated to impede and interfere with the Commission's efforts to identify and investigate unlawful activities.
(2) From section (d)(1), (2), (3), and (4) (Access and Amendment), because individual access to these records could alert the subject of an investigation to the existence and extent of that investigation and reveal the investigative interests of the Commission and others. Providing a subject with access to these records could impair the effectiveness of the Commission's investigations and could significantly impede the investigation by providing the opportunity for the subject to destroy documentary evidence, improperly influence witnesses and confidential sources, fabricate testimony, and engage in other activities that could compromise the investigation. Allowing the subject of the investigation to amend records in this system of records could likewise interfere with ongoing law enforcement proceedings and impose an impossible administrative burden by requiring law enforcement investigations to be continuously reinvestigated.
(3) From section (e)(1) (Relevancy and Necessity of Information), because in the course of investigations, the significance of certain information may not be clear or the information may not be strictly relevant or necessary to a specific investigation; but, effective investigations require the retention of all information that may aid in the investigation or aid in establishing patterns of activity and provide investigative leads.
(4) From section (e)(4)(G), (H), and(I) (Agency Requirements) and (f) (Agency Rules), because the Commission is not required to establish requirements, rules, or procedures related to access and amendment of records in a system of records that is exempt from the individual access and amendment provisions in subsection (d) of the Privacy Act.
* * * * *
Issued in Washington, DC, on May 4, 2026, by the Commission.
Robert Sidman,
Deputy Secretary of the Commission.
Note:
The following appendix will not appear in the Code of Federal Regulations.
Privacy Act Regulations—Commission Voting Summary
On this matter, Chairman Selig voted in the affirmative. No Commissioner voted in the negative.