At Turnkey Trading Partners, we often observe that in matters of compliance, some of the most straightforward tasks are frequently overlooked. We also understand that staying compliant while running a business is not easy. With that in mind, we wanted to share some practical information about annual attestations that we believe almost every National Futures Association (“NFA”) member firm (Futures Commission Merchants, Introducing Brokers, Commodity Trading Advisors, Commodity Pool Operators) will find useful and be able to implement with little effort.

Frequency of Policy Reviews

Every Member firm is required to maintain a variety of written policies and procedures. A firm should update these documents when and if material changes in policies or procedures occur. Further, revised policies or procedures should be distributed to all APs and relevant firm personnel, and management should ensure that everyone understands the changes. Many firms, particularly small firms, rarely have any changes to operations or policies. While this may be true, all policies and procedures should be reviewed periodically to ensure they are still valid, and to assess whether any updates need to be made. All firm policies and procedures should be reviewed at least annually, and perhaps more frequently depending on risk. A firm principal, authorized supervisor, or other appropriate individual should sign an attestation that the policy has been reviewed, and the attestations should be retained in the firm’s permanent records.

What Attestations Are Required?

One of the first questions we often get when advising clients on their record-keeping obligations is, “what attestations do we actually need?” Here is a comprehensive list of attestations that should be made annually and kept on file:

  • Policies and Procedures/Operations/Compliance Manual (including Supervision and Recordkeeping)
  • Business Continuity & Disaster Recovery Plan (“BCDR”) Testing
  • Anti-Money Laundering (“AML”) Program
  • NFA Self-Examination Questionnaire
  • Information Systems Security Program (“ISSP”)
  • Third-Party Service Provider Program (“TPSP”)

Who Must Sign Off?

After gaining an understanding of the attestations that need to be executed, the obvious second question is, “who needs to sign these attestations?” The answer depends on the size and structure of the firm. Typically, a firm Principal who is in a supervisory role and a member of management will sign the various procedure attestations. However, it may be appropriate for members of management who are responsible for certain areas to complete the review and attestation related to certain written policies. For instance, the person named as AML Compliance Officer should sign for the AML Program.

What Should An Attestation Say?

Now that we know which attestations to sign and who needs to sign them, the third question is, “what does the typical policy attestation look like?” To make this simple we will provide an example below. Please keep in mind that this attestation can be reworked to attest to each respective policy.


Information Systems Security Program (“ISSP”) Attestation

As a Firm Principal and appropriate supervisor, I have reviewed and evaluated [FIRM NAME]’s Information Systems Security Program (“ISSP”). On this date, the firm’s Information Systems Security Program was reviewed, tested, and determined to be adequate for the operations of [FIRM NAME]. I have approved the Information Systems Security Program as reasonably designed to enable our firm to meet its obligations to protect customer personal identifying information.

All attestations must have a signature and date on them to meet the expectations of regulators. Usually under the signature line the title or role of the person signing is also included.

When Do Staff Members Need To Sign?

When reviewing and updating policies, another important factor is distributing any written policy and procedure updates to APs and appropriate staff. One should consider whether a signed acknowledgement from APs and staff is appropriate. As a rule of thumb, if there are material changes to written policies, the firm should obtain written acknowledgements from appropriate personnel. You can create a template for each respective policy acknowledgement needed and send it to every AP and applicable staff member.

This leads to the final question we often receive, especially at larger firms with many APs: “what is the easiest way to get all of the APs to sign these?” There are two simple ways to obtain acknowledgements from your team.

  • Put the acknowledgement at the end of the written policy document that is distributed to APs and applicable personnel. Email it to them with instructions to review the policy change, then print, sign, and scan the acknowledgement and email it back to you.
  • If you utilize an e-sign product (Dropbox Sign, Docusign, etc.) for contract execution, create a template in the program and send it for signatures to the appropriate people. This way both parties will receive a PDF copy and the signatures will be verified. Retain the PDF version of the executed acknowledgements in firm records.

Still Confused?

We hope this helps relieve some of the guesswork many firms seem to face when it comes to policy and procedure attestations. If you have any further questions, want to learn more, or would like to see how Turnkey Trading Partners can help your firm, please let us know by filling out our contact form and one of our team members will be in touch with you within 24 hours.