Fri, May 30, 2025

A Look into the Future: NFA Exam Common Deficiencies and Exam Preparation Strategies

On February 12, 2025, the National Futures Association (NFA) issued Notices to Members outlining common NFA exam deficiencies and trends in recent exams.[1] Additionally, information from NFA’s March 18, 2025, Member Workshop outlined key exam findings and highlighted NFA management’s efforts to help members prepare for exams. The transparency and focus on preventive resources for member firms will assist all member firms in preparing for an NFA exam. NFA also released a helpful guide to understanding these common deficiencies and how to prepare for an exam.

The NFA Exam Process

NFA takes a “risk-based approach” when selecting which members to examine. In determining its schedule, NFA will consider and review numerous factors, including filing data, recent exams of the member firm, industry trends, Commodity Futures Trading Commission (CFTC) requests and requirements, and product niches (digital assets, swaps, forex). Most member firms can expect an initial exam in the first two to three years after registration and then, assuming no material issues in the exam and subsequent filings, every three to six years afterward. However, these timelines are not exact, and NFA may examine any member at any time (with or without prior notice).

NFA announces most exams four to six weeks before the official start date, typically over the phone. Following this, it distributes a standard questionnaire via email (commodity pool operators may also receive an internal controls questionnaire) and may request preliminary documentation, such as compliance manuals, pool or firm balance sheets and net capital calculations. These items help the NFA determine the exam’s scope. Before the on-site visit (when applicable), NFA will set up a 45–60 minute operations call, during which the exam team and member firm discuss the NFA exam process and the member firm’s operations, and the exam team answers the member firm’s questions regarding the on-site visit and logistics of the exam. Shortly thereafter, the NFA will issue the initial document request list, which previews the breadth and depth of the exam.

The on-site visit is typically the exam’s formal kickoff and will include interviews with the member firm’s senior leadership, walkthroughs of internal controls and discussions of the areas of emphasis. After the fieldwork, unless NFA identifies significant issues, the remainder of the exam will be done virtually. Subsequent calls and document requests may follow, although the exam team may be silent for several weeks. NFA notifies the member firm of potential findings as they arise and requests corrective action before the exam concludes.

NFA will issue an exam report at the end of the exam. Should there be any findings, NFA will require a response, discussing the circumstances leading to the findings, the corrective action implemented and any changes to internal controls (if necessary).

Common Findings on NFA Exams

Written Information Systems Security Program Procedures and Artificial Intelligence

During the Member Workshop, NFA emphasized that member firms should ensure their written information systems security program (ISSP) procedures[2] are specific to their operations and cover (1) the frequency and evidence of review by senior management, (2) documentation of the firm’s adherence to outlined procedures, and (3) maintenance of a robust incident response and escalation procedure to be followed in a potential cybersecurity incident.

As the technology used by member firms changes, NFA expects the integration of artificial intelligence will require changes to the scope and risks covered by an ISSP. Therefore, member firms should ensure all procedures regarding the use of artificial intelligence (in the ISSP and elsewhere) align with their actual use of artificial intelligence. Generally, member firms should review their ISSP procedures and update their policies as technological and information security risks evolve. NFA highlighted that outdated procedures and inaccurate descriptions of the use and risks of artificial intelligence are common findings during exams.

NFA also stated that “all employees with an e-mail address” should complete formal ISSP/cybersecurity training at least once a year.

Recordkeeping and E-communications

Recordkeeping is another area where NFA has frequent findings. It is important that member firms develop and adhere to a recordkeeping procedure that demonstrates robust supervision of the firm. In general, all firms must retain records related to trading logs, internal emails, financial records and correspondence from external parties. Additionally, introducing brokers engaging in block and swap trading activity should review records routinely and complete trade reconstructions using a risk-based sampling method.

For member firms subject to e-communications review, procedures should outline permitted devices, personal device usage and acceptable communication methods (voice, text). Firms should regularly monitor e-communication.

Third-Party Service Providers

As a newer requirement, compliance with the Third-Party Service Providers (TPSP) Interpretive Notice is an area of emphasis and represents a growing proportion of NFA exam findings.[3] Historically, some member firms have treated TPSP due diligence as an afterthought. TPSP rules apply to all registration categories and to all vendors performing outsourced compliance functions that were onboarded or whose contracts were renewed since September 2021. Specifically, NFA identified a lack of regular reviews and an inability to produce sufficient evidence related to ongoing due diligence as areas leading to exam deficiencies.

NFA noted that firms are often unaware of which vendors fall under the TPSP requirements. Generally, outsourced compliance functions include investor suitability and qualified eligible participant consultation, subscription and redemption reporting, quarterly or recurring due diligence reporting, outsourced recordkeeping and processing functions, information security and technology provision, and any outsourced training. Due to the language of Interpretive Notice 9079 and the heightened focus on TPSP in recent NFA exams, consultation with experts like Kroll or outside counsel is beneficial to member firms in determining which functions to outsource and how to perform ongoing due diligence on outsourced providers accurately and comprehensively.

In addition to determining which vendors are subject to TPSP requirements, member firms must have written procedures that cover five key areas: (1) initial risk assessment, (2) onboarding due diligence procedure, (3) ongoing monitoring, (4) termination and (5) recordkeeping. Appendix E of the NFA Self-Examination Questionnaire outlines critical questions regarding risks associated with outsourced functions and can be an invaluable resource to firms as they draft and implement their TPSP due diligence policies.[4]

Supervisory Associated Persons and Branch Offices

NFA has noticed an increase in findings regarding individuals acting as associated persons (APs)[5] who are not registered as such. Specifically, persons who supervise the NFA-related activity of APs must also be APs. During the Member Workshop, the NFA announced that its board of directors recently approved a new interpretive notice regarding AP supervision that will require written supervisory procedures focused on several key areas: qualifications of AP supervisory personnel, pre-hiring due diligence, pre-trade and internal communications, order handling and trading activities, and training. The draft notice will go through CFTC review before final publication and an implementation date.

In addition, NFA clarified its branch office definition and when it applies. Under NFA Interpretive Notice 9002,[6] a branch office is a location where firm business activities occur that require registration of at least one AP. Each branch office must be registered with NFA, have a registered branch office manager who has passed the NFA Series 30 exam,[7] and hold itself out as the same entity as the main office.

APs who work remotely from their residence, whether full time or part time, are not considered branch offices as long as all APs working from that location are related (including through marriage), the APs do not conduct in-person business or handle customer funds from the location, and all records created from the location related to CFTC/NFA-regulated business are accessible to the main or applicable branch office.

By understanding and addressing these common deficiencies, member firms can enhance their compliance practices and ensure a smoother NFA exam process. Staying informed about NFA’s expectations and proactively implementing robust procedures will help firms navigate the complexities of regulatory requirements and maintain a strong compliance posture.

Sources:

[1] Educational resources, common deficiencies and other important regulatory information for FCM, FDM and IB Members. (2025). National Futures Association. https://www.nfa.futures.org/newsnotices/newsArticle.aspx?MT=&Topic=&AllYrs=&Year=2025&ArticleID=5714
[2] 9070 – NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs. (2025). National Futures Association. https://www.nfa.futures.org/rulebooksql/rules.aspx?Section=9&RuleID=9070
[3] 9079 – NFA Compliance Rules 2-9 and 2-36: Members’ Use of Third-Party Service Providers. (2021). National Futures Association. https://www.nfa.futures.org/rulebooksql/rules.aspx?Section=9&RuleID=9079
[4] Appendix E – Use of Third-Party Service Providers Questionnaire. (n.d.). National Futures Association. https://www.nfa.futures.org/members/member-resources/files/self-exam-files/self-exam-questionnaire-appendix-e.pdf
[5] Associated Person (AP) Registration. National Futures Association. https://www.nfa.futures.org/registration-membership/who-has-to-register/ap.html
[6] 9002 – Registration Requirements; Branch Offices. (2021). National Futures Association. https://www.nfa.futures.org/rulebooksql/rules.aspx?RuleID=9002&Section=9
[7] Series 30 – NFA Branch Manager Exam (formerly, Branch Managers Exam – Futures). Financial Industry Regulatory Authority. https://www.finra.org/registration-exams-ce/qualification-exams/series30