Effective April 1, 2019, National Futures Association (NFA) members that are commodity pool operators (CPOs) will be required to implement internal controls systems designed to (i) protect customer funds, (ii) maintain accurate books and records and (iii) assure compliance with all requirements of NFA and the Commodity Futures Trading Commission (CFTC). The new internal controls requirements are set forth in Interpretive Notice 9074 (Interpretive Notice), which NFA released on January 31, 2019 in a notice to members. These requirements are a component of each NFA member’s broader obligation under NFA Compliance Rule 2-9 to diligently supervise its employees and agents in their commodity futures activities on behalf of the member.
In the Interpretive Notice, NFA acknowledges that the standards for assessing the adequacy of a CPO’s internal control system may vary according to the size and complexity of the member’s operations. NFA also recognizes that certain CPOs may be subject to similar requirements of other regulators, compliance with which may satisfy the CPO’s obligations under the Interpretive Notice. However, NFA sets forth a series of key components that must be incorporated into the CPO’s internal control system.
Required Components of Internal Control Framework
To implement an adequate system of internal controls, a CPO must have a strong control environment. The Interpretive Notice sets forth the following guidelines for cultivating a strong control environment:
- Each CPO must establish and implement written policies and procedures that are reasonably designed to ensure that its operations comply with applicable NFA rules and CFTC regulations.
- Management of the CPO must demonstrate its commitment to ethics and the importance of implementing and following internal controls, including strong information technology controls within the CPO’s information systems security program.
- Each CPO should have written policies and procedures in place that describe the CPO’s internal controls framework and supervisory system. The supervisory system should be reasonably designed to ensure that employees are diligently following the written policies and procedures. The CPO should also have an escalation policy in place for employees to report to senior management in cases where they suspect the internal controls systems are being improperly overridden. The escalation policy should include guidance on whether and when certain matters should be reported to the appropriate regulator.
- Each CPO should periodically monitor the effectiveness of its internal controls to ensure that they are properly functioning and adjust the design and implementation of those controls that do not function properly.
The Interpretive Notice specifically identifies two key components of the control environment —separation of duties and risk assessment — that are required for a CPO’s internal control system to be deemed adequate under NFA’s guidance.
Separation of Duties
Separation of duties, wherever possible, is essential to implementing an adequate internal controls system. The Interpretive Notice sets forth the following recommendations for ensuring proper separation of duties:
- Duties should be assigned to different employees in such a manner that there is routine cross-checking or automated checking of work in material areas.
- Operational functions related to custody of commodity pool assets should be segregated from financial reporting functions.
- No single person should have authority to initiate a transaction, approve the transaction, record the transaction and reconcile the account to third-party information
Risk Assessment
Each CPO should regularly conduct risk assessments specifically tailored to its size, operations and activities. However, the Interpretive Notice sets forth three risk areas that generally apply to the operations of most CPOs, along with a nonexhaustive list of control procedures related to such risk areas that would support an adequate internal control system:
- Commodity pool subscriptions, redemptions and transfers. Examples of appropriate control procedures include:
- verification that pool investments are held in properly titled accounts and not improperly commingled
- periodic reconciliation of transactions between the pool’s records and third-party records
- evaluation and approval of redemptions (including verification of the source of the redemption request, calculation of net asset value, redemption amount and timely payment)
- verification that transactions involving commodity pool funds do not violate NFA prohibitions against loans to CPOs and affiliates
- Risk management and investment and valuation of commodity pool funds. Examples of appropriate control procedures include:
- approval of investments in accordance with the commodity pool’s strategy and risk management guidelines
- verification that investments are valued in accordance with the CPO’s valuation policies
- ongoing due diligence of third-party depositaries and counterparties
- monitoring of risks related to investments held at third parties
- routine monitoring of pool liquidity
- Use of administrators. Examples of appropriate control procedures include:
- due diligence and ongoing monitoring of the administrator
- obtaining documentation related to test of controls and security measures performed by auditors of the administrator
- maintenance of independent financial records (i.e., “shadow books”) to reconcile against the administrator’s records or, if shadow books are not maintained, periodic reconciliation of internal records against records of banks, brokers and other third parties
Recordkeeping Requirement
Each CPO is also required to maintain records that demonstrate the implementation and effectiveness of the CPO’s internal controls system in compliance with NFA Compliance Rule 2-10.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.