Turnkey periodically shares common audit deficiencies observed in National Futures Association (“NFA”) exams. Typically supporting 10 to 15 audits simultaneously, we gain insight into the areas NFA emphasizes most. We most recently wrote on this topic in July of 2024. You can review our article from last summer here: Common NFA Audit Deficiencies Summer 2024 Edition.

At the end of each calendar year NFA typically produces a similar publication as a notice to members. This publication is compiled, presumably, by NFA going over all exam findings for the calendar year and presenting those most frequently cited by their audit teams. NFA published it’s 2024 update in this are during February of 2025. NFA’s publication of this information was provided three separate alerts one covering Swap Dealers (“SD”), another covering Futures Commission Merchants (“FCM”), Forex Dealer Members (“FDM”), and Introducing brokers (“IB”), and finally one covering Commodity Pool Operators (“CPO”), and Commodity Trading Advisors (“CTA”).

Turnkey has summarized what we believe to be the highlights from these notices. The topics featured below also echo what Turnkey has observed with our clients during routine regulatory exams. Turnkey can further confirm that NFA’s views in these areas are consistent with current examination areas of emphasis. All registrants should carefully consider their policies and procedures in these areas for 2025.

Member and Self-Exam Questionnaire Confusion

Anyone who has been in the commodity interest industry for any length of time will tell you that NFA’s technology systems are terrible. Unfortunately, during 2024 NFA made an even bigger mess of these systems. During the year they updated rules on who can access these systems and put regulations around which employees can submit certain reports. They further complicated member responsibilities by moving previously public information about exemptions into private online registration system dashboards. NFA’s technology department put the icing on the cake by trying to link the Annual Member Questionnaire to other NFA reporting systems. This in Turnkey’s experience has been an absolute disaster.  The reason for this common deficiency in our view is the result of NFA’s tinkering with its systems.

The annual member questionnaire must be filed by all NFA members at least once per year or as material business changes occur. This filing is made by logging into the online registration system. The responses on this filing drive many of NFA’s other reporting functionalities.  Calls for CPO PQRs or CTA PRs on a quarterly basis are driven by this filing. Firm activity status in BASIC is driven by this filing. How NFA staff reviews information about members and assesses risk is driven by this filing. NFA has become utterly dependent upon the results of this submission to govern how it plans and targets firms for audit. It is no question then that they have strongly been enforcing how and when this questionnaire is filed. If managed incorrectly by a firm NFA is flying blind due to how they have recently architected their systems for a higher level of risk automation.

NFA also has another obligation for members called the “Self-Examination Questionnaire”. This must be completed once annually and is not the same thing as the Member Questionnaire from above. Turnkey has suggested NFA change the name of one of these obligations many times. If NFA were to do this it would make things much clearer to members. Our requests unfortunately continue to fall on deaf ears. Rather than rename one of the questionnaire’s NFA seems to have doubled down and pushes on with examination pressure in this area for accurate and timely completion of both documents. If you have not recently updated your Member Questionnaire or completed your Self-Exam Questionnaire you should do so expediently.  Beware however, NFA has also changed how its search function works on its website making it nearly impossible to find anything. The search is now segmented so that queries only look for information in specific areas. You must choose when searching between All, News and Notices, Electronic Filing Systems, User Guides, Workshops, Webinars, Publications & Alerts, and FAQs. In Turnkey’s experience “All” does not return “All” results in many instances. You may click here, to download the most recent self-exam questionnaire to complete and keep on file at your firm

Third-Party Service Providers

Starting in September of 2021, registrants were required to implement policies and procedures related to Third Party Service Provider (“TPSP”) outsourcing under NFA Interpretive Notice 9079. NFA has been observing member firms failing to implement policies which include a full consideration of vendor initial risk assessments, onboarding due diligence, ongoing monitoring, termination and recordkeeping. Here again NFA has been woefully vague in setting clear expectations in this area. Turnkey has found examination teams are also inconsistent in their application of NFA’s expectations. NFA tried to resolve confusion by publishing Appendix E of the Self-Examination Questionnaire. Unfortunately, though, as noted by NFA and written about above, NFA has made this appendix difficult for members to find, access, and understand. Practically speaking, what Turnkey has observed NFA focused on is the following. 1) Firms are not doing an annual review of the TPSP and having an AP/Principal sign off on that review at least every 365 days. 2) firms are not keeping historical documentation of reviews completed on qualifying TPSP vendors. NFA expects documentary support of how evaluations were done and when they were done. 3) Even though many vendors will not negotiate contract terms, NFA has occasionally been taking the position that members must attempt to negotiate termination clauses and notice periods. While this may not always be possible, members should be aware of this expectation as it has not clearly been communicated by NFA and is not being evenly applied across exams as of today.

Cybersecurity

Cybersecurity obligations have been in place for member firms for many years. In most instances firms have in place adequate policies and procedures for information system security programs (“ISSP”), staff are being trained in this area, and safe guards have been implemented. NFA recently has taken the position that cybersecurity training is mandatory for any individual that access a company device or technology system. Turnkey agrees with NFA’s view in this area. It makes sense and is practical that any user of company systems may pose a cyber threat. Many firms mistakenly believe that training should only be provided to APs and Principals and that simply is not the case.  NFA also is now taking the position that training must be provided to people before they access company networks. Practically speaking this means training should be taken at the “time of hire”. Many firms have policies that call for training to occur for example within the first sixty to ninety days of employment with the firm – this isn’t good enough anymore. Turnkey recommends firms develop a staff onboarding and offboarding process whereby all training is administered at the date of hire. For assistance with training obligations and an onboarding and offboarding policy contact Turnkey today. We provide all training resources and do this for many of our customers to make life seamless when adding or removing team members.

Firms should also be aware that NFA is now requiring firms to include a section in the policies on “lessons learned” after a breach. Audit teams quite literally look for the term “lessons learned” and expect a description of what a member firm will do if a breach occurs. NFA wants to see a thought-out plan of how changes to company policy will be implemented and communicated post breach. If you do not have this consideration in your ISSP you likely will be cited during your next review.

Supervision, Electronic Record Keeping, and Communications

Turnkey has been hammering on this area of concern for over two years. It is by far, in our opinion, the riskiest and most challenging area covered during NFA examinations today for member firms. NFA has unfairly adopted a zero-tolerance policy in this area. Members working with Turnkey have demonstrated strong supervisory policies, strong controls, and consistent communication review programs in many instances. Even firms with robust policies and processes pay the price if NFA identifies any communication that was not captured, recorded, or supervised. NFA exam teams often request thousands of emails, calls, texts, and messenger communications during today’s reviews. They expect these to be readily available and produced in a timely fashion. Turnkey believes NFA is using software and a form of AI search to consider this content. Exam teams have an uncanny ability to find the proverbial “needle in the haystack” when it comes to a missing communication thread.

Turnkey also learned that NFA is not done in this area and sees it as an enforcement priority for 2025. NFA will be imminently releasing an Interpretive Notice about electronic communications, record keeping and supervision obligations. Turnkey has reviewed a draft of this notice and unfortunately things are only going to become more challenging going forward after its release. If your firm has not invested heavily in this area, has not put in place strong penalties for non-compliance with company policy, or does not have a regular review process for trade reconstruction and communication supervision it’s time to get very serious in this area. If your firm has not implemented training for electronic communication best practices this is required and will be considered by NFA going forward. Please be sure to review Turnkey’s various publications on this topic for more insight. If you need further assistance in this area or would like to discuss purchasing Electronic Communications Training materials please contact Turnkey today.

Still Confused?

If you have any further questions, want to learn more, or would like to see how Turnkey Trading Partners can help your firm, please let us know by filling out our contact form and one of our team members will be in touch with you within 24 hours.