NFA Institutes New Requirements for CPO Internal Controls Systems

Chelsea Ellis | Best Practices, Market Rules & Responsibilities, Operations


Effective April 1, 2019, every National Futures Association (“NFA”) member commodity pool operator (“CPO”) that handles customer funds must implement an internal controls system (“ICS”) that “is designed to deter fraudulent activity by employees, management, and third parties” to ensure that each Member CPO properly safeguards customer funds, provides accurate and timely financial reports, and fully complies with CFTC and NFA requirements regarding the handling of customer funds. See NFA Interpretive Notice 9074 (the “Notice”). The requirement that each Member CPO implement an ICS is based on already existing NFA Rule 2-9 mandating that each NFA Member diligently supervise its employees and agents.

What constitutes an adequate ICS?

The NFA understands that each Member CPO will implement a different ICS depending on its size, operations, and activities. However, the NFA provided some minimum components that each Member CPO must implement.

First, each Member CPO must have written compliance procedures to ensure that the CPO’s operations are in compliance with NFA rules and CFTC regulations.  These written compliance procedures must fully explain the CPO’s internal controls framework and describe the CPO’s supervisory system. Each Member CPO should also have an escalation policy that describes the procedure for an employee to report to senior management if the employee suspects that the internal controls systems are not being followed. The escalation policy is also required to include guidance on whether certain conduct should be reported to the CFTC.

The Notice also identifies three key areas CPOs must focus on in order to maintain a strong control environment – separation of duties, risk assessment, and recordkeeping.

Separation of Duties

The Notice emphasizes that imposing a separation of duties policy is essential in ensuring that each CPO has an adequate ICS. More specifically, the NFA recommends that duties should be assigned to different employees in a way that guarantees that there is routine cross-checking or automated checking of work in material areas. In relation to commodity pool assets, the Notice states that functions relating to the custody of such assets should be separated from financial reporting functions (e.g., record keeping and accounting for the assets). Lastly, regarding pool funds, a single person should not be responsible for initiating a transaction, approving the transaction, recording the transaction, and reconciling the account to third-party documentation and information.

Risk Assessment

The NFA identifies three specific risk assessment areas that CPOs should focus on when conducting their own risk assessment.  

The first risk area discussed is pool subscriptions, redemptions, and transfers. The Notice lists the following as examples of appropriate control procedures that a CPO should adopt as part of its ICS:

  • verification that pool investments are held in correctly titled accounts and not improperly commingled with other individuals’ assets;
  • periodic reconciliation of transactions between the pool’s ledger and third-party depositories;
  • assessment and authorization of redemptions; and
  • confirmation that transactions involving commodity pool funds do not violate NFA’s prohibition of loans to CPOs and affiliates.

The next risk assessment area the Notice discusses is risk management and investment and valuation of pool funds. The following are examples of appropriate control procedures:

  • approval of investments in agreement with the commodity pool’s strategy;
  • verification that investments are valued according to the CPO’s valuation policies;
  • continuous due diligence of third-party depositaries and counterparties;
  • constant monitoring of risks regarding investments held at third parties; and 
  • ongoing monitoring of pool liquidity.

The last area of risk assessment discussed pertains to the use of administrators. The following are examples of appropriate control procedures:

  • continuous monitoring and due diligence of the administrator;
  • obtaining evidence that the administrator’s controls were tested by auditors of the administrator or an independent specialist; and
  • maintenance of independent financial records to reconcile against the administrator’s records or, if the CPO does not prepare shadow books, periodic reconciliation of internal records with records of banks, brokers and other third parties.


Recordkeeping

In addition and in accordance with NFA Rule 2-10, a CPO must maintain records that support the implementation and effectiveness of its ICS.


NFA requires that the above changes for CPOs’ internal controls procedures be properly implemented by April 1, 2019. With this deadline fast approaching, Ziliak Law can help CPOs understand and comply with NFA’s new requirements.