CFTC-Registered CPOs Need to Take Additional Action by April 1 as NFA Adopts CPO Internal Controls System Requirements

The National Futures Association (NFA) announced on January 31, 2019 that it had adopted an Interpretive Notice requiring each registered commodity pool operator that is an NFA Member (CPO Member) to implement an internal controls system. This Interpretive Notice will take effect on April 1, 2019. Along with the NFA’s recent amendments to its Information Systems Security Program (ISSP) requirements, registered CPOs now need to address two compliance program changes by April 1.

The NFA indicated that a CPO Member’s internal controls system must be designed to “deter fraudulent activity by employees, management, and third parties in order to address the safety of customer funds and provide reasonable assurance that a CPO’s commodity pool’s financial reports are reliable and that the Member is in compliance with all CFTC and NFA requirements.”

The Interpretive Notice acknowledges that certain CPO Members are subject to the requirements of other regulators, and that CPO Members’ processes and controls for compliance with such requirements “may satisfy” the NFA requirements.3 The Interpretive Notice also states that internal controls policies and procedures can be maintained in different documents so long as the documents can be made available to the NFA and CFTC upon request. Accordingly, CPO Members may be able to conclude that they do not need to take many, if any, additional steps to ensure compliance. However, CPO Members should review their practices, policies and procedures prior to April 1, 2019, to confirm whether and/or how they address the NFA requirements.

The Interpretive Notice includes guidance for CPO Members regarding designing and implementing an adequate system of internal controls, as well as the “minimum components” of such controls. Among other things, the Interpretive Notice states that: 

• The CPO Member must have a “strong control environment,” including having written policies and procedures that are “reasonably designed to ensure the CPO’s operations are in compliance with applicable NFA rules and CFTC regulations.” The policies and procedures should “fully explain the CPO’s internal controls framework, and describe the CPO’s supervisory system,” which should cover all employees (including firm management) and incorporate escalation procedures.  
• The CPO Member’s internal controls system should require the separation of duties, particularly for functions involving handling of pool funds, trade execution, custody of pool assets, financial records and risk management. According to the Interpretive Notice, such separation of duties should be designed to ensure that no single person is “in a position to carry out or conceal errors or fraud or have control over two phases of a transaction or operation…”  
• Each CPO Member should conduct a risk assessment to identify the areas in which the CPO Member’s most critical risks arise, and design internal controls (including written policies and procedures) to address such risks. While critical risk areas may vary across different firms, the NFA identified the following risk areas as generally applicable to most CPOs, and the Interpretive Notice provides certain guidance on control activities in these risk areas:   
  • Pool subscriptions, redemptions and transfers, including safeguarding of participant and pool assets;4   
  • Investment activities (including ongoing holding of investments) and valuation of pool investments;5 and   
  • Use of pool administrators and related CPO Member diligence and reconciliation activities.  
• The CPO Member must maintain records that “support the implementation and effectiveness” of its internal controls system. 

The Interpretive Notice also indicates that a CPO Member’s internal controls system should be supported by information technology controls under the firm’s ISSP.

While parts of the Interpretive Notice discuss the internal controls systems requirements as being applicable to CPO Members that “accept, hold and redeem customer funds,” other statements in the Interpretive Notice are phrased more broadly as applying to all CPO Members. This suggests that the NFA will expect all CPO Members to address these requirements. Also, the requirements likely will be considered as part of NFA exams of CPO Members following April 1, 2019.

The NFA will provide guidance regarding the requirements of the Interpretive Notice at upcoming NFA Member workshops in Chicago on February 25, 2019 and New York on February 27, 2019. Thereafter, we understand that materials from those workshops will be publicly available on the NFA’s website.

Footnotes

^{1) NFA adopts Interpretive Notice entitled NFA Compliance Rule 2-9: CPO Internal Controls System, NFA Notice to Members No. I-19-03 (Jan. 31, 2019). The NFA is the self-regulatory organization of the futures and swap trading industry.}

^{2) For further information regarding ISSPs and recent amendments to the NFA’s ISSP requirements, please refer to Dechert OnPoint, NFA Amends its Information System Security Program Requirements; CFTC-Registered CPOs and CTAs Need to Take Action by April 1.}

^{3) In addition to processes and controls for compliance with requirements of other regulators, many registered CPOs have already implemented policies and procedures for compliance with applicable NFA and CFTC requirements, and all CPO Members are required annually to engage in the NFA self-examination process. The NFA website states that the self-examination process is designed to aid CPO Members in recognizing potential problem areas, and alert CPO Members to procedures that need to be revised or strengthened.}

^{4) In connection with this risk area, the Interpretive Notice highlights (among other matters): controls addressing improper commingling of pool property with the property of another person (CFTC Regulation 4.20(c)); and the prohibition against loans from pools to CPOs and their affiliated entities (NFA Compliance Rule 2-45).}

^{5) In connection with this risk area, the Interpretive Notice identifies (among other matters): diligence of counterparties; diligence and monitoring of third-party depositories and other third-parties holding pool assets; and monitoring of pool liquidity.}