9074 - NFA COMPLIANCE RULE 2-9: CPO INTERNAL CONTROLS SYSTEM
[Board of Directors, November 15, 2018; effective April 1, 2019]
NFA Compliance Rule 2-9 places a continuing responsibility on every Member to diligently supervise its employees and agents in all aspects of their commodity interest activities. For those Members that have control over customer funds, these supervisory obligations include developing a framework that deters errors and fraudulent activity by employees, management and third parties in order to safeguard customer funds, produces financial reports that are timely, accurate and reliable and maintains full compliance with all regulatory requirements addressing the control of those funds. Since an adequate internal controls system is the foundation for building that framework, NFA's Board of Directors (Board) believes that it is essential for CPO Members, which handle customer funds, to have an adequate system of internal controls in order to meet their supervisory obligations under Compliance Rule 2-9. Therefore, the Board has determined that each CPO Member must implement an internal controls system that is designed to deter fraudulent activity by employees, management, and third parties in order to address the safety of customer funds and provide reasonable assurance that a CPO's commodity pool's financial reports are reliable and that the Member is in compliance with all CFTC and NFA requirements.
NFA recognizes that, given the differences in the size and complexity of the operations of CPO Members, including the number of persons employed by the CPO, there must be some degree of flexibility in determining what constitutes an adequate internal controls system. NFA also recognizes that some CPO Members are subject to related requirements of other regulators and have designed processes and controls in accordance with those requirements. Compliance with those requirements by a CPO Member, and in some instances the CPO's pool and/or service provider, may satisfy a CPO Member's supervisory obligations under Compliance Rule 2-9 to have an adequate system of internal controls. The purpose of this Notice is to provide CPO Members with guidance on designing and implementing an adequate internal controls system and the minimum components that must be included. Each CPO Member, however, must conduct its own review to identify any other areas that should be included in the CPO's internal controls system based on the CPO's size, operations and activities.
INTERNAL CONTROLS SYSTEM
In order to implement an adequate internal controls system, the CPO must have a strong control environment. As a starting point, the CPO must adopt and implement written policies and procedures reasonably designed to ensure the CPO's operations are in compliance with applicable NFA rules and CFTC regulations. Additionally, management must demonstrate its commitment to integrity and ethical values and emphasize the importance of establishing and following the internal controls.[1] The CPO should also have written policies and procedures that fully explain the CPO's internal controls framework, and describe the CPO's supervisory system, which should be reasonably designed to ensure that the policies and procedures are diligently followed by all employees. No employee, including senior management, should inappropriately circumvent the firm's internal controls system. Each firm should have an escalation policy in place for employees to report to the CPO's senior management if they believe individuals have attempted to improperly override the CPO's internal controls system in any respect. The firm's escalation procedures should also address whether and when a matter should be reported to the firm's regulator.
In developing and implementing the particular controls, the CPO should conduct a risk assessment to see where its most critical risks arise, and then design and implement controls to address those risks. This is not a one-time assessment and should be completed periodically to take into account new risks that may arise especially with any changes in the firm's business or operations. Moreover, the CPO should monitor the effectiveness of implemented controls to ensure that the controls function properly and make adjustments where necessary.
There is one internal controls procedure that is widely accepted as a key control activity regardless of the risk area—and that is separation of duties.
Separation of Duties
A CPO's internal controls system should require, when possible, appropriate segregation of duties designed to ensure that no single employee is in a position to carry out and conceal errors or fraud or have control over any two phases of a transaction or operation that are covered by this Interpretive Notice. To the extent possible, persons who perform the day-to-day functions in areas involving the handling of pool funds, trade execution activities, financial records and risk management should be different from the persons who supervise those functions. In those instances where supervisors also handle day-to-day functions, one of the CPO's principals or other appropriate supervisory person should periodically review the supervisor's work in material areas.
Generally, in order to ensure proper segregation of duties, whenever possible, the CPO should require that:
Duties are assigned to different employees in a manner, or there are appropriate automated controls, that ensure that there is regular cross-checking of the work performed in material areas;
Operational functions relating to the custody of pool assets should be separated from financial reporting functions such as recordkeeping/accounting for the assets; and
In the pool funds area (e.g., subscriptions, transfers and redemptions), no one person should be responsible for initiating a transaction, approving the transaction, recording the transaction and reconciling the account to third party documentation and information.
Although each CPO Member should conduct its own risk assessment, there are a number of risk areas that are generally applicable to the business operations of most CPOs. Set forth below is a discussion of those risk areas and control activities that would form the basis of an adequate internal control system.
A. Pool Subscriptions, Redemptions and Transfers
A strong internal controls system should be designed to provide reasonable assurance that the CPO is continually in compliance with the requirements related to pool subscriptions, redemptions and pool transfers and has appropriate controls in place to safeguard participant and pool assets. Among other things, these controls should include:
Verification that pool investments are held in accounts properly titled with the pool's name and are not commingled with the assets of any other person (this is also an appropriate control for risk management and investment and valuation of pool funds);
Reconciliation (on a periodic basis) of transactions between the pool's general ledger, banks and other third party depositories (this is also an appropriate control for risk management and investment and valuation of pool funds);
Authorization of redemptions, including verification that the request is made by a participant, adequate funds are available, the proper Net Asset Value has been calculated (e.g., fee calculations and profit and loss allocations) and the proper amount of funds is released, and timely payment is made to a pool participant or authorized third party; and
Verification that transactions involving pool funds do not violate NFA Compliance Rule 2-45, Prohibition of Loans by Commodity Pools to CPOs and Affiliated Entities.
B. Risk Management and Investment and Valuation of Pool Funds
The investment activity carried out by the firm and the pools it operates is also a high-risk area. The CPO should have a risk management program that emphasizes the importance of the firm's business principals or trading principals playing a direct and primary role in assessing and monitoring the risks posed by their particular areas. Important control activities include:
Approval of investments to ensure that each type of investment is authorized and is consistent with the pool's strategy;
Verification that the CPO values investments in accordance with the CPO's valuation policies;
Ongoing due diligence of counterparties and other third party depositories that includes reviewing the depository's or counterparty's reputation, trading strategy, past performance and any actions taken by regulators;
Ongoing monitoring of the risks associated with investments held at third parties utilized by the pool(s) including market risk and credit risk; and
Ongoing monitoring of pool liquidity to ensure the pool is able to satisfy redemption requests, margin calls and other financial obligations.
C. Use of Administrators
CPOs often use a third-party administrator to facilitate the preparation of pool financial records and account statements or assist in certain areas, including subscription and redemption processing, valuation, reconciling and reporting balances, or issuance of pool account statements. In those situations, an adequate internal controls system would include controls designed to ensure that the CPO performs adequate due diligence related to the use of the administrator. Among other things, these controls should include:
Initial and ongoing due diligence on the administrator;[2] and
Obtaining evidence of a test of controls and security measures conducted at the administrator by an internal audit department or independent specialist.[3]
The CPO should also consider whether its own independent financial records (i.e., shadow books) are necessary as a control to ensure that the CPO's records and financial statements are in agreement with those of the administrator's records and financial statements. If the CPO does not prepare shadow books, it should consider periodic reconciliation of its internal records with the records of banks, carrying brokers and other third parties.
In addition to establishing an internal controls system and developing written policies and procedures that fully describe it,[4] each CPO must maintain records that support the implementation and effectiveness of its internal controls system in accordance with NFA Compliance Rule 2-10.
NFA recognizes that the particulars of a CPO's internal controls system will vary based on the Member's size and complexity of operations. There is no one-size-fits-all internal controls system, and processes that differ from those described above can be used to develop an adequate internal controls system. In designing and implementing an internal controls system, however, each CPO should assess its areas of risk and implement controls that deter fraudulent activity by employees, including management, and third parties in order to address the safety of customer funds and provide reasonable assurance that the books and records of a CPO's commodity pool(s) are current and accurate so that the pool's financial reports are reliable and that the Member is in compliance with all CFTC and NFA requirements.
[1] The internal controls system should be supported by strong information technology controls operating within the firm's Information Systems Security Program (ISSP). NFA Interpretive Notice 9070 – NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs requires all NFA Members to establish and implement a governance framework that supports the firm in identifying and managing information security risks and to adopt and enforce a written ISSP, appropriate to its circumstances, to secure customer data and access to the firm's electronic systems.
[2] Initial due diligence of an administrator may include the consideration of several factors including the administrator's costs, reputation, expertise, timeliness of work and attention to detail, responsiveness, work history with the firm or senior members of the firm, technological tools, income tax expertise and cybersecurity system. A CPO's ongoing due diligence may include regular communications with the administrator and other processes and procedures that provide some assurance that the CPO continues to be comfortable with the administrator, its services and personnel.
[3] For example, the administrator may engage an independent third party to conduct a System and Organization Controls examination under the Statement on Standards for Attestation Engagements for service organizations issued by the American Institute of Certified Public Accountants or a similar examination under the Assurance Reports on Controls at a Service Organization standard issued by the International Auditing and Assurance Standards Board.
[4] The internal controls policies and procedures may be documented in a single document or in documents maintained throughout a Member's various departmental areas so long as the internal controls policies and procedures can be made available upon appropriate requests by NFA and the CFTC.