The National Futures Association (NFA) announced on January 31, 2019 that it had adopted an Interpretive Notice requiring each registered commodity pool operator that is an NFA Member (CPO Member) to implement an internal controls system. This Interpretive Notice will take effect on April 1, 2019. Along with the NFA’s recent amendments to its Information Systems Security Program (ISSP) requirements, registered CPOs now need to address two compliance program changes by April 1.
The NFA indicated that a CPO Member’s internal controls system must be designed to “deter fraudulent activity by employees, management, and third parties in order to address the safety of customer funds and provide reasonable assurance that a CPO’s commodity pool’s financial reports are reliable and that the Member is in compliance with all CFTC and NFA requirements.”
The Interpretive Notice acknowledges that certain CPO Members are subject to the requirements of other regulators, and that CPO Members’ processes and controls for compliance with such requirements “may satisfy” the NFA requirements. The Interpretive Notice also states that internal controls policies and procedures can be maintained in different documents so long as the documents can be made available to the NFA and CFTC upon request. Accordingly, CPO Members may be able to conclude that they do not need to take many, if any, additional steps to ensure compliance. However, CPO Members should review their practices, policies and procedures prior to April 1, 2019, to confirm whether and/or how they address the NFA requirements.
The Interpretive Notice includes guidance for CPO Members regarding designing and implementing an adequate system of internal controls, as well as the “minimum components” of such controls. Among other things, the Interpretive Notice states that:
- The CPO Member must have a “strong control environment,” including having written policies and procedures that are “reasonably designed to ensure the CPO’s operations are in compliance with applicable NFA rules and CFTC regulations.” The policies and procedures should “fully explain the CPO’s internal controls framework, and describe the CPO’s supervisory system,” which should cover all employees (including firm management) and incorporate escalation procedures.
- The CPO Member’s internal controls system should require the separation of duties, particularly for functions involving handling of pool funds, trade execution, custody of pool assets, financial records and risk management. According to the Interpretive Notice, such separation of duties should be designed to ensure that no single person is “in a position to carry out or conceal errors or fraud or have control over two phases of a transaction or operation…”
- Each CPO Member should conduct a risk assessment to identify the areas in which the CPO Member’s most critical risks arise, and design internal controls (including written policies and procedures) to address such risks. While critical risk areas may vary across different firms, the NFA identified the following risk areas as generally applicable to most CPOs, and the Interpretive Notice provides certain guidance on control activities in these risk areas:
- Pool subscriptions, redemptions and transfers, including safeguarding of participant and pool assets;
- Investment activities (including ongoing holding of investments) and valuation of pool investments; and
- Use of pool administrators and related CPO Member diligence and reconciliation activities.
- The CPO Member must maintain records that “support the implementation and effectiveness” of its internal controls system.
The Interpretive Notice also indicates that a CPO Member’s internal controls system should be supported by information technology controls under the firm’s ISSP.
While parts of the Interpretive Notice discuss the internal controls systems requirements as being applicable to CPO Members that “accept, hold and redeem customer funds,” other statements in the Interpretive Notice are phrased more broadly as applying to all CPO Members. This suggests that the NFA will expect all CPO Members to address these requirements. Also, the requirements likely will be considered as part of NFA exams of CPO Members following April 1, 2019.
The NFA will provide guidance regarding the requirements of the Interpretive Notice at upcoming NFA Member workshops in Chicago on February 25, 2019 and New York on February 27, 2019. Thereafter, we understand that materials from those workshops will be publicly available on the NFA’s website.