National Futures Association Adopts Interpretive Notices Regarding Internal Controls and Cybersecurity
SRZ Private Funds Regulatory Update
August 2019
The National Futures Association (“NFA”) recently adopted two interpretive notices, effective April 1, 2019, that, respectively, impose additional obligations regarding formal supervision of key financial functions (“The Internal Controls Notice”),[1] and expand and clarify past guidance on addressing cybersecurity risks (“The Cybersecurity Amendments”).[2] Both affect all private fund managers that are NFA members, and require the attention of senior administrative personnel.
- The Internal Controls Notice. NFA Compliance Rule 2-9 imposes a general requirement for NFA members to “diligently supervise” their personnel. The Internal Controls Notice is intended to supplement Rule 2-9 and provide CPOs with guidance on the design of an adequate financial controls system as well as to set forth certain “minimum components” of such a system. The Notice emphasizes the importance of a strong internal controls environment, including the active participation of senior management in establishing the integrity of the internal controls system and separation of duties (i.e., no single employee should be in a position to both carry out and conceal errors or fraud or have control over any two phases of a transaction or operation covered by the NFA’s interpretive notice). Prescribed controls measures for key risk areas, such as investment activity, financial transactions and use of administrators, are also identified. For instance, controls should include verification of proper account custody, periodic reconciliation of ledgers, step-by-step confirmation of the redemption process and verified compliance with Rule 2-45; third-party administrators should be subject to appropriate diligence (including auditors’ reports) to confirm performance and capability. In terms of the specificity of its requirements, the Internal Controls Notice breaks new ground for the NFA.
- The Cybersecurity Amendments. The NFA’s 2016 cybersecurity interpretive notice prescribed that members create a written framework of supervisory practices to address unauthorized access risks and established general requirements relating to such programs. Building upon this guidance, The Cybersecurity Amendments clarify who has authority to approve an information systems security program or “ISSP,” strengthen employee information security training requirements (which must now occur at least annually after training at hiring), mandate familiarity with other applicable data privacy regulatory regimes, and, perhaps most notably, create a new, “narrowly drawn,” cybersecurity breach notification requirement for NFA members triggered by loss of member, customer or counterparty funds, or notice being delivered to customers or counterparties under state or federal law.
This article appeared in the August 2019 edition of the SRZ Private Funds Regulatory Update.
[1] See NFA Interpretive Notice I-19-03, NFA adopts Interpretive Notice entitled NFA Compliance Rule 2-9: CPO Internal Controls System (Jan. 31, 2019), available here.
[2] See NFA Interpretive Notice I-19-01, NFA Amends Interpretive Notice Regarding Information Systems Security Programs—Cybersecurity (Jan. 7, 2019), available here.
This communication is issued by Schulte Roth & Zabel LLP and Schulte Roth & Zabel International LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2019 Schulte Roth & Zabel LLP and Schulte Roth & Zabel International LLP.