New Internal Control Requirements for CPOs

Earlier this month, the NFA issued Interpretive Notice 9074 (the “Notice”) in relation to NFA Compliance Rule 2-9 for CPOs. The Notice pertains to CPOs with control over customer funds and addresses how firms should manage employees and supervise third parties in order to meet the supervisory obligations under the Compliance Rule.

The NFA recognizes the fact that firms vary in size and structure and often report to multiple regulators. A firm’s internal control systems created for another primary regulator may be sufficient to meet the NFA requirements as well. The Notice describes the minimum components of an effective internal control environment. It states that a CPO’s internal controls must include the following:

  • Written policies and procedures that completely describe the internal control framework
  • An escalation policy for employees to follow, including when to report information to regulators
  • A written risk assessment that is updated periodically to account for new risks and changes to operations
  • A separation of duties to allow for cross-checking of functions either manually or via automation
  • Operations surrounding the custody of pool assets should be separate and apart from other financial reporting functions
  • For pool transactions, no one person should be responsible for the entire process, from initiation to reconciling the transaction
  • Safeguarding assets should include:
    • Ensuring accounts are properly titled and not commingled
    • Reconciling transactions between the general ledger, banks, and other third parties as appropriate
    • Verifying redemption requests to ensure proper ID of customers, verification of funds, and review of NAV calcs
    • Verify that CPO transactions do not violate Rule 2-45, Prohibitions on Loans by pools to CPOs and affiliates
  • Business principals and/or trading principals should have a primary role monitoring certain risks, such as:
    • Approval of investments
    • Verification of portfolio values
    • Due diligence of counterparties or other third parties
    • Ongoing monitoring of risks posed by third parties
    • Ongoing monitoring of pool liquidity
  • Third party administrators must be supervised and monitored, including:
    • Initial and ongoing due diligence of the administrator
    • Obtaining evidence of its testing controls and data security measures from the administrator
  • Recordkeeping for the internal controls system must be in accordance with NFA Rule 2-10

Most SEC registered investment advisory firms that are also CPOs will already satisfy the requirements of this Notice, as long as its processes are adequately documented. However, a poorly documented compliance program will fall short of both SEC Rule 206(4)-7 as well as NFA Rule 2-9.

This Notice serves as a reminder that firms should update written policies and procedures regularly to account for changes in business operations and the associated risks presented by those operations.

The new requirements above become effective for NFA member firms on April 1, 2019.

View NFA Notice 9074, “NFA Compliance Rule 2-9: CPO Internal Controls System”