- Each Commodity Pool Operator (CPO) Member must develop a framework and implement an internal controls system that deters errors and fraudulent activity by employees, management, and third parties in order to safeguard customer funds.
- This framework should also provide reasonable assurance to participants that the financial reports for a CPO’s commodity pool are reliable.
- Since the size and complexity of the operations of CPO Members varies, a degree of flexibility is given in determining what constitutes an adequate internal controls system.
- This notice offers guidance on designing and implementing an adequate internal controls system and the minimum components to be included per NFA.
Internal Controls System
- The CPO must adopt and implement written policies and procedures reasonably designed to ensure the CPO's operations are in compliance with applicable NFA rules and Commodity Futures Trading Commission (“CFTC”) regulations.
- The CPO must maintain written policies and procedures that fully explain the CPO's internal controls framework, and describe the CPO's supervisory system, which should be reasonably designed to ensure that the policies and procedures are diligently followed by all employees.
- The policy should also include language regarding escalation steps for employees to report to the CPO's senior management if they believe individuals have attempted to improperly override the CPO's internal controls system in any respect. The firm's escalation procedures should also address whether and when a matter should be reported to the firm's regulator.
- Management must demonstrate its commitment to integrity and ethical values and emphasize the importance of establishing and following the internal controls.
Separation of Duties
- A CPO's internal controls system should require, when possible, appropriate separation of duties to ensure that no single employee can carry out and conceal errors or fraud or have control over any two phases of a transaction or operation that are covered by this Interpretive Notice.
- Persons who perform the day-to-day functions in areas involving the handling of pool funds, trade execution activities, financial records and risk management should be different from the persons who supervise those functions.
- In those instances where supervisors also handle day-to-day functions, one of the CPO's principals or another appropriate supervisory person should periodically review the supervisor's work in material areas.
- To ensure proper separation of duties, whenever possible, the CPO should require that:
- Duties are assigned to different employees in a manner, or there are appropriate automated controls, to ensure that there is regular cross-checking of the work performed in material areas;
- Operational functions relating to the custody of pool assets should be separated from financial reporting functions such as recordkeeping/accounting for the assets; and
- In the pool funds area (e.g., subscriptions, transfers and redemptions), no one person should be responsible for initiating a transaction, approving the transaction, recording the transaction and reconciling the account to third party documentation and information.
- Risk Assessment: Below includes more details on the risk areas and control activities that would form the basis for an adequate internal control system:
A. Pool Subscriptions, Redemptions and Transfers: A strong internal controls system should provide reasonable assurance that the CPO is continually in compliance with the requirements related to pool subscriptions, redemptions and pool transfers and has appropriate controls in place to safeguard participant and pool assets. Among other things, these controls should include:
- Verification that pool investments are held in accounts properly titled with the pool's name and are not commingled with the assets of any other person (this is also an appropriate control for risk management and investment and valuation of pools funds);
- Reconciliation (on a periodic basis) of transactions between the pool's general ledger, banks and other third-party depositories (this is also an appropriate control for risk management and investment and valuation of pools funds);
- Authorization of redemptions, including verification that the request is made by a participant, adequate funds are available, the proper Net Asset Value has been calculated (e.g., fee calculations and profit and loss allocations) and amount of funds is released, and timely payment is made to a pool participant or authorized third party; and
- Verification that transactions involving pool funds do not violate NFA Compliance Rule 2-45, Prohibition of Loans by Commodity Pools to CPOs and Affiliated Entities.
B. Risk Management and Investment and Valuation of Pool Funds: The investment activity carried out by the firm and the pools it operates is also a high-risk area. The CPO’s risk management program should emphasize the importance of the firm's business principals or trading principals playing a direct and primary role in assessing and monitoring the risks posed by their particular areas.
- Important control activities include:
- Approval of investments to ensure that each type of investment is authorized and consistent with the pool's strategy;
- Verification that the CPO values investments in accordance with the CPO's valuation policies;
- Ongoing due diligence of counterparties and other third-party depositories through the review of the depository's or counterparty's reputation, trading strategy, past performance and any actions taken by regulators;
- Ongoing monitoring of the risks associated with investments held at third parties utilized by the pool(s), including market risk and credit risk; and
- Ongoing monitoring of pool liquidity to ensure the pool is able to satisfy redemption requests, margin calls and other financial obligations.
C. Use of Administrators: If the CPO uses a third-party administrator, an internal controls system should ensure that the CPO performs adequate due diligence related to the use of the administrator. Among other things, these controls should include:
- Initial and ongoing due diligence on the administrator;
- Obtaining evidence of a test of controls and security measures conducted at the administrator by an internal audit department or independent specialist;
- Consideration of whether the CPO’s independent financial records (i.e., shadow books) are necessary as a control to ensure that their records and financial statements are in agreement with those of the administrator's records and financial statements. If the CPO does not prepare shadow books, it should consider periodic reconciliation of its internal records with the records of banks, carrying brokers and other third parties