Splitting the difference: SEC vs NFA exams

Claudia Ranieri and Susan Lynskey of Alaric Compliance Services examine the gap between the Securities and Exchange Commission and National Futures Association’s requirements.

Some private fund managers may need to register with the Commodity Futures Trading Commission. That means another layer of regulation on top of the Securities and Exchange Commission’s requirements – and the two do not always align.

Claudia Ranieri, Alaric Compliance Services

All CFTC registrants must join the National Futures Association, its self-regulatory organization, and managers must understand how its requirements differ in order to have a successful review.

1. Number of examinations

The SEC confirmed in its 2017 Agency Financial Report that it examined 15 percent of registrants in 2017, a 50 percent increase from three years ago. The NFA, on the other hand, endeavors to review all registrants within the first two to three years after registration, which makes it all the more important for firms to familiarize themselves with the areas examiners will scrutinize.

2. Hypothetical performance

Investment advisors registered with both organizations are subject to the advertisements and promotional materials regulations contained in the Advisers Act, some SEC no-action letters, NFA Compliance Rule 2-29 and CFTC Rule 4.41.

Susan Lynskey, Alaric Compliance Services

The NFA is more restrictive on the use of hypothetical performance representations, and what may meet SEC standards may not meet its requirements. During a recent exam, a registrant was required to remove all information about hypothetical performance, even though it was acceptable by SEC standards.

3. The health of the registrant

NFA examiners may spend as much as 25 percent of their time evaluating the viability of a registrant in an effort to protect investors. Registrants should be prepared to show they are not carrying excessive debt to keep the entity viable in various performance scenarios. Regulators will assess a firm’s asset-to-liability ratios on its financial statements and quarterly reporting, among other things.

4. Senior sign-off for the cybersecurity plan

NFA examiners will also devote a large portion of their visit to assessing a firm’s information systems security plans (ISSP). Compliance officers should maintain detailed records of when and why their cybersecurity plans may change over time, and senior executives should approve all plans and plan changes in writing. NFA requires members to maintain a written cybersecurity program, regularly assess the security and risks related to that program, deploy protective measures against those risks, provide relevant employee training and assess third-party vendor risk. The SEC has yet to release ISSP ‘mandates’ per se, but has issued guidance in the form of investor alerts and investor bulletins to help market participants protect themselves against cyber threats.

Several SEC and NFA focus areas are aligned, including the requirements to diligently supervise employees and maintain appropriate books and records.

The SEC requires advisors to effectively supervise employees, including practices surrounding hiring, oversight, and management of conflicts of interest, complaint handling and reporting. Likewise, CFTC Supervision Rule 2-9 requires registrants to diligently supervise employees and agents of the member firm. Monitoring activities include establishing, implementing and periodically testing policies, procedures, and internal controls reasonably designed to assure compliance, and providing on-going training for appropriate personnel.

The SEC’s Books and Records Rule requires registrants to make and keep records relating to their business, including accounting and other business records. Advisors are generally required to keep such records for at least five years, while broker-dealers are required to retain securities purchase and sales blotters for at least six years, and copies of confirmations for only three years. Similarly, the NFA/CFTC require members to maintain and make available for inspection at their main business address records that support and explain their activities. All required records must be kept for five years and be readily accessible for the most recent two.

Registrants who hold a CFTC Rule 4.7 exemption may be subject to less stringent compliance requirements. This exemption is available for registrants whose investors are qualified eligible persons, including certain investment professionals, knowledgeable employees, and individuals whose net worth exceeds $1,000,000 or whose income exceeds $200,000 in each of the two most recent years and who meet at least one of the relevant portfolio requirements.

Claudia Ranieri is an attorney and director and Susan Lynskey is a director at Alaric Compliance Services.