Recent proposed guidance from the National Futures Association (“NFA”), (NFA Compliance Rule 2-9: CPO Internal Controls Systems (“Interpretive Notice”)1), cites safety of customer funds, reliability of financial reports and compliance with all Commodity Futures Trading Commission (“CFTC”) and NFA requirements as the key considerations for commodity pool operators (“CPOs”) in the design and implementation of their internal controls systems. Not all CPOs are created equal. The size and complexity of their operations can vary greatly and as such, NFA recognizes that this is not a “one-size-fits-all” proposition. Further, CPOs often work with third-party service providers and in doing so, rely to some degree on their controls systems, while still retaining the ultimate responsibility for fulfilling their regulatory obligations. Regardless of their operational structure, all CPOs have a continuing obligation under NFA Compliance Rule 2-9 (“Rule 2-9”) to diligently supervise their employees and agents in the conduct of commodity futures activities.2 To this end, the recent Interpretive Notice from NFA, which is expected to become effective early 2019, provides CPOs with guidance on the design and implementation of adequate internal controls systems as well as specifying certain key components that must be included.
In order to fulfill their supervisory obligations under Rule 2-9, CPOs must operate within a framework that safeguards customer funds through systems that are designed to (1) deter fraudulent activities by employees, management and third parties, (2) produce timely, accurate and reliable financial reports, and (3) ensure compliance with all applicable regulatory requirements. Implementation of an adequate internal controls system is the cornerstone of this framework. To achieve an effective system, the CPO must:
- Have a comprehensive understanding of the environment in which the CPO operates and all applicable NFA rules and CFTC regulations to which it is subject.
- Perform a risk assessment to identify areas of critical risk or vulnerability within the CPO’s operations including information security risks. Update the assessment on a periodic basis or in view of material changes to the CPOs operations, service providers, or other developments.
- Develop written policies and implement related procedures designed to ensure regulatory compliance and mitigate identified risks. This should include the development and adoption of strong controls in the area of information technology under an Information Systems Security Program (“ISSP”) as required by NFA Interpretive Notice 9070 – NFA Compliance Rules 2-9, 2-36 & 2-49: Information Systems Security Programs, which was recently amended with the new provisions coming into effect April 1, 2019.3
- Communicate and fully explain the controls system and related procedures to all employees and third-party service providers to ensure their understanding, emphasize the importance that all procedures be diligently followed, and provide procedures for escalation if non-compliance is suspected.
- Perform ongoing monitoring of adherence to procedures and the effectiveness of the controls, making improvements as necessary.
Key components that NFA proposes must be part of every CPO’s internal controls system are as follows:
1. Separation of Duties
CPOs are required to build into their internal controls systems segregation of duties sufficient to ensure that no single person (including employees, management & third parties) is in a position to carry out and conceal fraud or errors or to have control over more than one phase of a transaction or operation. NFA specifically identified functions involving the “handling of pool funds, trade execution activities, financial records and risk management” as key in this regard. In general, the performance of day to day functions in these areas should be supervised by someone other than the person performing those activities. In instances where this may not be possible, a principal of the CPO or other appropriate supervisory personnel should review the work of the supervisor performing those day to day functions.
NFA cites the following requirements:
- Cross-checking – any work performed in material areas of operation should be assigned amongst employees such that it facilitates cross-checking on a regular basis. Automated controls may also be implemented to achieve or support similar results.
- Custody vs Recordkeeping – employees involved in operation functions related to the custody of pool assets should be separate from employees involved in the financial reporting process for those same assets.
- Cash Control – no single person in pool funds operations should be authorized to initiate, approve and record/reconcile transactions involving the receipt of pool subscriptions, payment of pool redemptions, or transfer of any pool funds.
2. Risk Assessment
CPOs are required to perform a risk assessment to identify areas of critical risk in their operations. Controls should then be designed and implemented to mitigate identified risks. NFA identified the following three specific risks areas and related control activities that should be addressed by every CPO:
Pool subscriptions, redemptions and transfers
In designing its internal controls system, CPOs must implement policies and procedures that support its ongoing compliance with all regulatory requirements related to pool subscriptions, redemptions and transfers as well as ensuring the safeguarding of participant and pool assets. Controls must address:
- Verification that pool assets are held in accounts titled in the legal name of the pool and are not held in commingled accounts
- Periodic reconciliation of transactions between the pool’s books and records, brokers, banks, etc.
- Proper authorization and timely and proper payment of any verified redemption request.
- Verification that no transaction involving pool funds violates NFA Compliance Rule 2-45, Prohibition of Loans by Commodity Pools to CPOs and Affiliated Entities.4
Risk Management and Investment and Valuation of Pool Funds
The investment activity of each CPO and its pool operation activities represent high-risk areas which should be monitored by firm principals, trading and/or risk personnel through a robust risk management program. Control should be designed in this area to address:
- Only authorized investments, consistent with the pool’s strategy/offering documents, are traded.
- Investment valuation policies are implemented and followed consistently.
- Ongoing counterparty due diligence is conducted on all material service providers.
- Ongoing monitoring of both credit and market risks related to investments and pool custodians.
- Ongoing monitoring of pool liquidity to ensure the pool can readily satisfy its obligations including margin calls and redemption requests.
Use of administrators
The use of third-party administrators by CPOs to facilitate fund operations including recordkeeping, valuation, transfer agency, investor reporting, etc. does not alleviate the CPOs compliance obligations in these areas. CPOs are required to perform ongoing oversight and due diligence of their administrators and accordingly, controls should be designed to address:
- Performance of initial and ongoing due diligence of the administrator.
- Confirmation that the administrator has undergone, and continues to have performed on a regular, periodic basis a test of controls either by an internal audit department or by an independent qualified provider, and receipt of reports evidencing such testing.
The Interpretive Notice also recommends that the CPO consider the use of shadow accounting as a control to ensure that they agree with the pool’s official books and records kept by the administrator.
3. Recordkeeping
Notwithstanding all of the foregoing, remember that documentation is key and required by NFA in accordance with NFA Compliance Rule 2-10.5 Documentation should support the CPO’s ongoing oversight of implemented procedures and the effectiveness of the internal controls system and be readily available for review upon request from NFA.
[1] https://www.nfa.futures.org/news/PDF/CFTC/Interp-Notc-CR-2-9-CPO-Internal-Controls-System.pdf
[2] https://www.nfa.futures.org/rulebook/rules.aspx?Section=4&RuleID=RULE%202-9
[3] https://www.nfa.futures.org/rulebook/rules.aspx?Section=9&RuleID=9070
[4] https://www.nfa.futures.org/rulebook/rules.aspx?RuleID=RULE%202-45&Section=4
[5] https://www.nfa.futures.org/rulebook/rules.aspx?RuleID=RULE%202-10&Section=4