
NFA Proposes Interpretive Notice Addressing CPO Internal Controls

Date: 3 January 2019
U.S. Investment Management Alert
By: Cary J. Meer, Lawrence B. Patent, Zachary A. Mason


By letter dated December 10, 2018, the National Futures Association (“NFA”), the self-regulatory organization for the U.S. derivatives industry, submitted to the U.S. Commodity Futures Trading Commission (“CFTC” or “Commission”) a proposed interpretive notice, entitled “NFA Compliance Rule 2-9: CPO Internal Controls Systems” (the “Interpretive Notice”), which provides commodity pool operators (“CPOs”) with guidance on designing and implementing an internal controls system. The Interpretive Notice requires each CPO member to implement an internal controls system designed to ensure the CPO’s operations are in compliance with applicable NFA rules and CFTC regulations, provide reasonable assurance that the books and records of the CPO’s commodity pools are reliable, and protect customer funds. The Interpretive Notice also emphasizes the importance of conducting risk assessments to identify critical risk areas and develop an internal controls system that addresses those risks. The Interpretive Notice is not yet effective, but we expect that it will become effective, substantially as proposed, in early 2019. [1]

The Interpretive Notice acknowledges that internal controls systems may differ based upon the CPO’s operations. However, it also specifies that each system should incorporate certain key components, including:

  1. separation of duties;
  2. compliance with requirements related to pool subscriptions, redemptions, and transfers;
  3. an emphasis on risk management and investment and valuation of pool funds;
  4. adequate due diligence related to the use of administrators; and
  5. a strong information technology controls system.

In addition, the NFA recognizes that CPO members may be subject to related requirements of other regulators, such as the U.S. Securities and Exchange Commission (“SEC”), and may already have an internal controls system in place, either alone or in conjunction with their service providers, that may satisfy the NFA requirements. Nevertheless, CPO members should review the Interpretive Notice to ensure that any existing system is in compliance with the requirements set forth by the NFA.

Internal Controls System: Policies and Procedures

NFA Compliance Rule 2-9 (“Rule 2-9”) requires that each NFA member supervise its employees and agents in the conduct of their commodity futures activities. [2] Pursuant to the Interpretive Notice, the NFA has determined that each CPO member must adopt and implement an adequate internal controls system to ensure that the CPO is satisfying its supervisory obligations under Rule 2-9.

As a starting point, the Interpretive Notice explains that a CPO must implement written policies and procedures reasonably designed to ensure the CPO’s operations are in compliance with relevant NFA rules and CFTC regulations. The written policies and procedures should also fully explain the framework of the internal controls system and describe the CPO’s supervisory system. These policies and procedures may be contained in a single document or multiple documents, as long as they can be made available upon request by the NFA or the CFTC.

In the event an employee believes an individual is in violation of any aspect of the CPO’s internal controls system, the policies and procedures should have an escalation policy in place that (1) allows employees to report such an incident to the CPO’s senior management, and (2) addresses whether and when the incident will be reported to the firm’s regulator. The Interpretive Notice also requires that a CPO’s management demonstrate its commitment to ethical values and emphasize the importance of complying with the internal controls system. In addition, a CPO must maintain records that support the implementation and effectiveness of its internal controls system in accordance with NFA Compliance Rule 2-10.

Although the Interpretive Notice recognizes that CPO members should be afforded a certain amount of flexibility in developing an appropriate internal controls system, it also identifies certain critical risk areas of any system, as outlined below.

Separation of Duties

The Interpretive Notice identifies separation of duties as a critical component of any system. The Interpretive Notice states that an internal controls system should, when possible, ensure that no employee is in a position to carry out or conceal errors or fraud, or to exercise control over two phases of a transaction or operation. Employees performing day-to-day functions related to the handling of pool funds, trade execution activities, financial records, or risk management should, to the extent possible, be different from the persons who supervise those functions. If a supervisor handles any such functions, a CPO principal or other supervisory person should review the supervisor’s work.

According to the Interpretive Notice, to ensure proper separation of duties, each CPO member should require that:

  1. Duties be assigned to different employees in a manner, or there be appropriate automated controls, to ensure regular cross-checking of work;
  2. Operational functions relating to the custody of pool assets be separate from financial reporting functions, such as recordkeeping and accounting for assets; and
  3. With respect to pool interests (e.g., subscriptions, transfers, and redemptions), no one person be responsible for initiating a transaction, approving a transaction, recording the transaction, and reconciling the account to third-party documentation and information.

Pool Subscriptions, Redemptions, and Transfers

The Interpretive Notice also states that an internal controls system should be designed to provide reasonable assurance that the CPO is in compliance at all times with the requirements related to pool subscriptions, redemptions, and transfers. Such controls should include:

  1. Verification that pool investments are held in accounts properly titled with the pool’s name and are not commingled with the assets of any other person;
  2. Reconciliation (on a periodic basis) of transactions between the pool’s general ledger, banks, and other third-party depositories;
  3. Authorization of redemptions, including verification that the request is made by a participant, adequate funds are available, the proper net asset value has been calculated, and timely payment is made to a pool participant or authorized third party; and
  4. Verification that transactions involving pool funds do not violate NFA Compliance Rule 2-45, which prohibits loans by pools to CPOs and affiliated entities.

Risk Management and Investment and Valuation of Pool Funds

The Interpretive Notice also identifies the investment activities carried out by a CPO and its pools as a high-risk area. Therefore, the Interpretive Notice suggests important controls with respect to risk management and investment and valuation of pool funds, including:

  1. Approval of investments to ensure that each type of investment is authorized and consistent with the pool’s strategy;
  2. Verification that the investments are valued in accordance with the CPO’s valuation policies;
  3. Ongoing due diligence of counterparties and other third-party depositories, including review of the depository’s or counterparty’s reputation, trading strategy, and past performance, and any actions taken by regulators;
  4. Ongoing monitoring of the risks associated with investments held at third parties, including market risk and credit risk; and
  5. Ongoing monitoring of pool liquidity to ensure the pool is able to satisfy redemption requests, margin calls, and other financial obligations. [3]

Use of Administrators

In addition, the Interpretive Notice recognizes that CPOs often utilize third-party administrators to facilitate their operations. Accordingly, the Interpretive Notice provides that a CPO should implement an internal controls system designed to ensure that the CPO performs adequate due diligence related to such an administrator. Those controls should include:

  1. Initial due diligence of the administrator, including consideration of the administrator’s costs, reputation, expertise, timeliness of work and attention to detail, responsiveness, work history with the firm or senior members of the firm, technological tools, income tax expertise, and cybersecurity system;
  2. Ongoing due diligence of the administrator, including regular communications with the administrator, and other processes and procedures that provide assurance that the CPO continues to be comfortable with the administrator, its services, and its personnel; and
  3. Obtaining evidence of a test of controls and security measures conducted at the administrator by an internal audit department or independent specialist. 

The Interpretive Notice also notes that a CPO should consider whether its financial records (i.e., shadow books) are necessary as a control to ensure that its records are in agreement with the administrator’s records.

Information Technology Controls

The Interpretive Notice further provides that a CPO must have a strong information controls system that operates within the firm’s information systems security program (“ISSP”) and adequately supports the firm’s internal controls system. Pursuant to NFA Interpretive Notice 9070, entitled “NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs” (“Notice 9070”), which was initially effective on March 1, 2016, a CPO must undertake substantial cybersecurity program reviews, including risk assessments, the review of compliance policies and procedures and incident-response protocols, and the review of technical systems and safeguards and vendor relationships. Notice 9070 also requires CPOs to develop and implement a written ISSP reasonably designed to provide cybersecurity safeguards that are tailored to the characteristics of the individual firm. The NFA recently proposed amendments to Notice 9070 that, among other things, would (a) require training of personnel on at least an annual basis, and (b) specifically require notice to the NFA if a cybersecurity incident results in (1) loss of customer or counterparty funds; (2) loss of a CPO’s capital; or (3) notice to customers or counterparties under federal or state law. [4]

Risk Assessments

Finally, in developing and implementing an internal controls system, the Interpretive Notice notes that CPOs should conduct periodic risk assessments to evaluate and address the firm’s critical risks. Such periodic assessments should also consider any new risks that may arise, particularly with any changes in a CPO’s business or operations. A CPO should also monitor the effectiveness of its system and make adjustments when necessary.


The Interpretive Notice sets forth guidance on designing and implementing an adequate internal controls system to ensure compliance with Rule 2-9, and also sets forth minimum components that must be included in a CPO’s internal controls system. CPOs, including those with existing internal controls systems and who may also be subject to regulation by other regulatory bodies such as the SEC, should review the Interpretive Notice and evaluate whether any policies or procedures need to be revised to ensure compliance with the Interpretive Notice. In addition, it is important to conduct periodic risk assessments of internal controls and information technology controls in order to evaluate the adequacy of such controls and make any necessary adjustments. 


[1] The Interpretive Notice is available by clicking here. The NFA invoked the “ten-day” provision under Section 17(j) of the Commodity Exchange Act, which means that the Interpretive Notice could become effective ten days after receipt by the CFTC unless the CFTC notifies the NFA that the CFTC has determined to review the Interpretive Notice. However, consistent with standard NFA practice, the NFA will likely wait to receive a response from the CFTC staff that the Commission is not taking review before the Interpretive Notice becomes effective, which is expected to occur in early 2019.

[2] CFTC Regulation 166.3 also requires such supervision.

[3] The Interpretive Notice also notes that controls (1) and (2) under “Pool Subscriptions, Redemptions and Transfers,” as described above, would also be appropriate controls for risk management and investment and valuation of pool funds.

[4] The proposed amendments, submitted by letter dated December 4, 2018, are available by clicking here.

Cary J. Meer
Washington DC

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.
