On February 12th, 2024 NFA distributed a notice to its members under bulletin I-24-03. Within the notice NFA covered several topics. Perhaps the most noteworthy of them was a discussion about common industry deficiencies. NFA went on to describe several regulatory obligations related to common deficiencies noted during recent NFA examinations of Member Futures Commission Merchants (FCM), Introducing Brokers (IB), Commodity Trading Advisors (CTA), and Commodity Pool Operators (CPO). Turnkey found this information interesting as we support tens of NFA member firms through NFA exams each year. This article covers the topics included by NFA in the notice to members. It also provides insight into what the Turnkey team is seeing and experiencing in customer NFA reviews so far in 2024.

 

NFA Comment: Self-Examination Questionnaire: NFA Members must annually review their operations using NFA’s Self-Examination Questionnaire. This Questionnaire is designed to aid Members in recognizing potential problem areas and to alert them to procedures that need to be revised or strengthened. A common deficiency in this area includes failing to review the Questionnaire on an annual basis. NFA encounters firms with deficient policies and procedures, indicating an inadequate review of the Self-Examination Questionnaire. Thorough Questionnaire completion and review ensures firms are alerted to deficient policies and procedures that should be updated to comply with NFA Rules.

Turnkey Comment: Turnkey fully agrees with NFA’s assessment. This is a common deficiency for member firms. The NFA Self-Exam checklist is a wonderful resource to assist firms in ensuring they are in compliance. In Turnkey’s opinion it is one of, if not the best, tools NFA makes available to members to evaluate their compliance. Turnkey customers often confuse the NFA Self-Exam checklist with NFA’s similarly named “Annual Questionnaire”. It is a very common mistake for firms to believe that they have completed a Self-Exam when in fact they have only filed the annual questionnaire within the NFA online registration system – Do not make this mistake! These are two unique obligations and both must be done annually.  Another reason the self-examination questionnaire is not completed is that it is very lengthy. Please be advised that for most firms many of the items included within the questionnaire may not be applicable.  NFA expects members to review each question (including applicable appendices) on the self-exam questionnaire. They expect firms to document this process and to produce any notes or comments generated during the evaluation when they conduct routine regulatory examinations. If you have questions about your obligations in this area feel free to contact Turnkey today to learn more about industry best practices.

 

NFA Comment Supervision: FCM, FDMs and IBs Members must have written supervisory policies and procedures to address the manner, frequency and results of monitoring written and oral communications. Such supervision includes, when required¹, maintaining a record of all oral and written communications provided or received concerning quotes, solicitations, bids, offers, instructions, trading and prices that lead to the execution of a transaction in a commodity interest and related cash or forward transaction, whether communicated by telephone, voicemail, facsimile, instant messaging, chat rooms, electronic mail, mobile device or other digital or electronic media. Common deficiencies in this area include firms not maintaining all required communications, failing to identify brokers using unapproved and unrecorded communication methods and permitting unregistered individuals to act as associated persons. 

Turnkey Comment:  Turnkey has been warning the industry about this area of deficiency for more than a year. As registrants have allowed staff to work remotely supervision has become a major emphasis for both the CFTC and NFA. Turnkey generally agrees with what NFA has published in this area.  The biggest area of concern is that NFA, at least to Turnkey’s knowledge, has not yet published clear guidance about its expectations for communication review scope selection. NFA also has not published clear guidance about its expectations for how members can police the use of personal devices. It seems that having a policy, with signed attestations from staff, banning the use of personal communication devices is often not enough.  While it is clear, and far from debatable, is that NFA expects member firms to diligently supervise all electronic communications. What is not clear is how to ultimately satisfy NFA in this area without improved published guidance. For most firms this area of concern should be at the top of the list in 2024.

 

NFA Comment Digital Assets: Members engaging in activities related to digital assets or digital asset derivatives must comply with the customer disclosure requirements established in NFA’s Interpretive Notice 9073.

Turnkey Comment: Nothing to disagree with here. Firm’s engaging in digital asset activities should review and consider all applicable NFA rules and guidance including notice 9073. Turnkey is not sure however how many members this actually will apply to. Even in 2024 a limited number of firms do any meaningful business in this area.

 

NFA Comment Third Party Service Providers: Members that outsource regulatory functions must adopt and implement a written supervisory framework over outsourced functions to mitigate outsourcing-related risks pursuant to Interpretive Notice 9079. The supervisory framework must address activities the firm will undertake with respect to initial risk assessment, onboarding due diligence, ongoing monitoring, termination and recordkeeping. Appendix E of the Self-Examination Questionnaire includes several questions to help Members understand these requirements. Firms must also maintain records demonstrating that they have addressed the items outlined in the Interpretive Notice and are following their procedures.

Turnkey Comment: Turnkey was one of the first firms in the industry to write about this obligation in April of 2021. Since that time, we have written or reviewed over two-hundred-member firm Third Party Service Provider (TPSP) policies. Starting in September of 2022, NFA began asking member firm’s for evidence of annual TPSP reviews. They also began asking for documentary evidence of how vendors had been evaluated for ongoing monitoring obligations. Turnkey has observed that firms are generally good at onboarding and offboarding vendors. Where firms have run into trouble is with ongoing monitoring and documentation of TPSP reviews. Thus far in 2024 Turnkey has seen NFA test Third Party Service Provider policies in every audit we have supported. If you have not updated your TPSP or your vendor due diligence documentation recently now would be a good time to do so. If you require assistance with this process or are unsure of how to proceed, please contact Turnkey today.

 

NFA Comment Cybersecurity: FCM, FDM and IB Members must adopt a written information systems security program (ISSP) pursuant to Interpretive Notice 9070 to address the risk of unauthorized access to or attack of their information technology systems and to respond appropriately should unauthorized attacks occur. Members are also required to notify NFA of certain cybersecurity incidents related to their commodity interest activities via NFA’s Cyber Notice Filing System. One common deficiency in this area is failure to provide cybersecurity training to employees upon hiring and annually thereafter.  Members that fail to establish and implement an ISSP may be subject to disciplinary action.

Turnkey Comment:  In general Turnkey’s view is that it is relatively uncommon for a firm in 2024 to not have in place a written information system security program (ISSP). The obligation to have an ISSP has been in place since for nearly a decade. At this point the vast majority of registrants simply do not have this issue. Turnkey would however agree that many firms have an ISSP in place that is deficient. It is relatively common for firms to engage with a third-party technology provider (see TPSP above) that provides a generic cyber security program. Such programs, while well intentioned and likely strong from a technical perspective, do not often consider CFTC or NFA compliance obligations. Firms who have just recently registered and that have not been through an NFA exam may be in for a rude awakening in this regard. If this is you, feel free to contact Turnkey today to discuss.

As it pertains to NFA’s comments about training this is in fact true. Many firms do not have adequate broker onboarding and removal policies. They often do not properly train all staff on cyber security matters within a reasonable time frame. Turnkey has also experienced that firms often forget about the obligation to annually provide cybersecurity training. This is one reason that we developed Turnkey Training. Turnkey is one of the largest vendors in this area and can help to ensure all required industry training is completed in a timely fashion. To learn more about our training solutions please contact us today.

 

NFA Comment Financial Reporting: FCM, FDM and IB Members must periodically file financial reports. Each financial report filed late will be subject to a fee of $1,000 for each business day it is late. Firms that fail to file financial reports in a timely manner may be subject to disciplinary action.

NFA Comment Subordinated Loan Agreements: FCMs and IBs that are also SEC registered broker-dealers are required to submit SLAs and any corresponding amendments to NFA when they are submitted to the firm’s designated examining authority (i.e., FINRA), pursuant to CFTC Regulation 1.17.

Turnkey Comment For Both Items Above: Most accounting deficiencies can be eliminated by retaining a competent book keeper with CFTC and NFA industry experience. Usually when accounting deficiencies occur it is due to internal staff not being aware of unique industry obligations or deadlines. It is also common for CPAs that have no commodity industry experience to prepare books in a manner which is not compliant. Certain entries that may be best for tax, business structure, or other common purposes may not be appropriate in light of CFTC registration and NFA membership obligations. To avoid shortcomings with accounting it is always best to ensure internal staff are experienced in this area. If no such internal staff exist then a third-party accounting firm, such as Turnkey, should be considered.

 

NFA Comment Ongoing Updates: On an ongoing basis, each NFA Member must update its Annual Questionnaire in the event of a material change to its operations. For example, if a Member begins doing business or begins soliciting for digital asset or micro contract products, the Member must immediately update its Annual Questionnaire. Doing so ensures that NFA’s BASIC system displays correct information about the firm’s business activities and ensures the firm receives all applicable notices relating to its reporting requirements in a timely manner.

Turnkey Comment: This is indeed a common deficiency. Many firms are not aware that the annual questionnaire (not the self-exam checklist; see above) drives many NFA system functions. Responses from member’s are used within the back office at NFA to determine if, and when financial statement reporting obligations occur. Responses also determine the type of business firms are doing and help NFA to set both its audit schedules as well as its enforcement priorities. The NFA online registration system alerts firms to update this information at least once per year. The information should however be updated any time a material change to company business occurs. If you have questions about what constitutes as something material, or if you are concerned your information may be out of date feel free to contact us today.