Alaric Compliance Alert: NFA CPO Members: Compliance and Cyber Security Program Changes to Go into Effect on April 1, 2019
In January 2019, the National Futures Association (NFA) issued two Interpretive Notices which go into effect on April 1, 2019. These Notices relate to the cyber security and compliance programs of NFA CPO Members.
In the January 7, 2019 Notice to Members I-19-01, NFA Amends Interpretive Notice Regarding Information Systems Security Programs: Cybersecurity [1], the NFA amended its Interpretive Notice on Information Systems Security Program (ISSP) requirements. The amendments clarify common Member questions about training obligations and ISSP approval, and add a narrowly drawn notification requirement: Members must notify the NFA of cybersecurity incidents related to their commodity interest activities. The amendments take effect on April 1, 2019.
The January 31, 2019 Notice to Members I-19-03, NFA Adopts Interpretive Notice Entitled NFA Compliance Rule 2-9: CPO Internal Controls System [2], requires commodity pool operators (CPOs) to implement an internal controls framework that protects customer funds and provides reasonable assurance that the books and records of the CPO's commodity pools are accurate and reliable and that the CPO complies with all CFTC and NFA requirements. The Interpretive Notice takes effect on April 1, 2019, and includes guidance on designing and implementing an appropriate control system. Each CPO should assess its areas of risk and implement controls that deter fraud by employees, including management, and by third parties, so that customer funds are protected, the books and records of the CPO's pool(s) are current and accurate, the pools' financial reports are reliable, and the Member remains in compliance with all CFTC and NFA requirements.
Some of the key components of an internal control system outlined in the Interpretive Notice include:
- A risk assessment that identifies the CPO's most critical risks. Risks vary among CPOs, but the Interpretive Notice names three that are commonly identified: pool subscriptions, redemptions and transfers; risk management, investment and valuation of pool funds; and the use of administrators. The assessment should include recommendations for the design and implementation of policies, procedures and internal controls that mitigate these and any other risks identified during the review.
- Adoption and implementation of written policies and procedures reasonably designed to ensure that the CPO's operations comply with applicable NFA rules and CFTC regulations.
- Written policies and procedures that explain the CPO's internal controls system in detail, including its supervisory system and its books and records. The CPO must maintain books and records sufficient to demonstrate that the controls system has been implemented and is effective.
- Controls that maintain a separation of duties wherever possible, so that no single employee is in a position to carry out or conceal errors or fraud, or to control any two phases of a transaction or operation.
- Strong information technology controls operating within the firm’s Information Systems Security Program (ISSP) to support the internal controls system.
- Establishment and implementation of a governance framework that enables the firm to identify and manage information security risks and to adopt and enforce a written ISSP, appropriate to its circumstances, that secures customer data and access to the firm's electronic systems.
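The separation-of-duties control above is the one item in this list that maps directly onto a mechanical check: no single person may act in more than one phase of a transaction, and every attempt, accepted or rejected, must leave a record that the books and records can later evidence. The following Python is an added illustration written for this alert; it is not NFA guidance, not the text of the Interpretive Notice, and not Alaric's or any vendor's code. The three phases (initiate, approve, release), the transaction fields, the user names and the sample redemptions are all assumed for the example.

```python
"""Dual-control (separation of duties) enforcement for a pool transaction.

Added illustration only. The phase names, Transaction fields, user ids and
sample transactions below are assumed for the example, not taken from the
NFA Interpretive Notice.
"""
from dataclasses import dataclass, field

# Assumed transaction lifecycle; each phase must be performed by a different person.
PHASES = ("initiate", "approve", "release")


class SeparationOfDutiesError(Exception):
    """Raised when one person would control two phases of the same transaction."""


@dataclass
class Transaction:
    txn_id: str
    kind: str            # e.g. "redemption", "subscription", "transfer" (assumed)
    amount: float
    actors: dict = field(default_factory=dict)  # phase -> user id that performed it
    log: list = field(default_factory=list)     # append-only audit trail of attempts

    def next_phase(self):
        """Return the first phase not yet performed, or None when complete."""
        for phase in PHASES:
            if phase not in self.actors:
                return phase
        return None


def perform(txn, phase, user):
    """Record `user` performing `phase` of `txn`.

    Refuses out-of-order phases, and refuses any user who has already acted in
    another phase of the same transaction (the two-phase rule), logging the
    rejection so the attempt itself is evidenced in the books and records.
    """
    expected = txn.next_phase()
    if phase != expected:
        raise ValueError(f"{txn.txn_id}: expected phase {expected!r}, got {phase!r}")
    prior = [p for p, u in txn.actors.items() if u == user]
    if prior:
        txn.log.append(("REJECTED", phase, user, f"already performed {prior}"))
        raise SeparationOfDutiesError(
            f"{txn.txn_id}: {user} already performed {prior}; cannot also {phase}")
    txn.actors[phase] = user
    txn.log.append(("OK", phase, user, ""))
    return txn


def is_complete(txn):
    return txn.next_phase() is None


def run_demo():
    """Constructed sample: one properly dual-controlled redemption, one where
    the initiator tries to approve their own transaction."""
    ok = Transaction("R-1001", "redemption", 250_000.0)
    perform(ok, "initiate", "alice")
    perform(ok, "approve", "bob")
    perform(ok, "release", "carol")

    bad = Transaction("R-1002", "redemption", 900_000.0)
    perform(bad, "initiate", "alice")
    try:
        perform(bad, "approve", "alice")   # same person, second phase: refused
        violated = False
    except SeparationOfDutiesError:
        violated = True
    # (completed cleanly?, self-approval blocked?, audit entries on the bad txn)
    return is_complete(ok), violated, len(bad.log)


if __name__ == "__main__":
    print(run_demo())
```

The check is on the full history of the transaction, not just the previous phase, so an initiator who waits for a colleague to approve and then tries to release the funds is refused as well. The rejected attempt is written to the same audit trail as accepted actions, which is what lets the firm later demonstrate that the control operated, not merely that it existed.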
The January 31, 2019 Interpretive Notice acknowledges that some CPO Members are already subject to the requirements of other regulatory bodies. Such a CPO should, before April 1, 2019, review its existing policies, procedures, controls and compliance activities to determine whether they satisfy the NFA requirements described in the Notice.
For further guidance on these subjects, please refer to the Interpretive Notices included in the Footnotes and the NFA.Futures.org website.
Is your firm ready for a regulatory examination?
It is likely that the requirements outlined in these two Interpretive Notices will be included in NFA Exams after April 1. With over 275 years of cumulative financial services compliance expertise, we have managed over 100 regulatory examinations while serving as chief compliance officers. Leveraging this experience, our team of former regulators, lawyers, and in-house chief compliance officers can help your firm be audit-ready. Call Alaric today to learn more about our compliance services at 1-888-243-2448 or firstname.lastname@example.org.
[1] January 7, 2019 Notice to Members I-19-01: NFA Amends Interpretive Notice Regarding Information Systems Security Programs: Cybersecurity. https://www.nfa.futures.org/news/newsNotice.asp?ArticleID=5085
[2] January 31, 2019 Notice to Members I-19-03: NFA Adopts Interpretive Notice Entitled NFA Compliance Rule 2-9: CPO Internal Controls System. https://www.nfa.futures.org/news/newsNotice.asp?ArticleID=5088