17 C.F.R. § 1.52
(a) For purposes of this section, the following terms are defined as follows:
(b)
(c)
(1) Each self-regulatory organization must establish and operate a supervisory program that includes written policies and procedures concerning the application of such supervisory program in the examination of its member registrants for the purpose of assessing whether each member registrant is in compliance with the applicable self-regulatory organization and Commission regulations governing minimum net capital and related financial requirements, the obligation to segregate customer funds, risk management requirements, financial reporting requirements, recordkeeping requirements, and sales practice and other compliance requirements. The supervisory program also must address the following elements:
(iv) On-site examinations.
(2) In addition to the requirements set forth in paragraph (c)(1) of this section, the supervisory program of a self-regulatory organization that has a registered futures commission merchant member must satisfy the following requirements:
(iii) The supervisory program must, at a minimum, have standards addressing the following:
(iv) A self-regulatory organization must cause an examinations expert to evaluate the supervisory program and such self-regulatory organization's application of the supervisory program at least once every three years.
(A) The self-regulatory organization must obtain from such examinations expert a written report on findings and recommendations issued under the consulting services standards of the American Institute of Certified Public Accountants that includes the following:
(1) A statement that the examinations expert has evaluated the supervisory program, including the sufficiency of the risk-based approach and the internal controls testing thereof, and comments and recommendations in connection with such evaluation from such examinations expert;
(2) A statement that the examinations expert has evaluated the application of the supervisory program by the self-regulatory organization, and comments and recommendations in connection with such evaluation from such examinations expert; and
(3) The examinations expert's report should include an analysis of the supervisory program's design to detect material weaknesses in an entity's internal control environment;
(4) A discussion and recommendation of any new or best practices as prescribed by industry sources, including, but not limited to, those from the American Institute of Certified Public Accountants, the Public Company Accounting Oversight Board, the Institute of Internal Auditors, and The Risk Management Association.
(d)
(1) Any two or more self-regulatory organizations may file with the Commission a plan for delegating to a designated self-regulatory organization, for any registered futures commission merchant, retail foreign exchange dealer, or introducing broker that is a member of more than one such self-regulatory organization, the function of:
(2) If a plan established pursuant to paragraph (d)(1) of this section applies to any registered futures commission merchant, then such plan must include the following elements:
(ii) The Joint Audit Program. The Joint Audit Program must, at minimum, satisfy the following requirements.
(C) (1) Adequate levels and independence of examination staff. A designated self-regulatory organization must maintain staff of an adequate size, training, and experience to effectively implement the Joint Audit Program. Staff of the designated self-regulatory organization, including officers, directors, and supervising committee members, must maintain independent judgment and its actions must not impair its independence nor appear to impair its independence in matters related to the Joint Audit Program. The designated self-regulatory organization must provide annual ethics training to all staff with responsibilities for the Joint Audit Program.
(2) Ongoing surveillance. A designated self-regulatory organization's ongoing surveillance of futures commission merchant member registrants over which it has oversight responsibilities must include the review and analysis of financial reports and regulatory notices filed by such member registrants with the designated self-regulatory organization.
(3) High-risk firms. The Joint Audit Program must include procedures for identifying futures commission merchant member registrants over which it has oversight responsibilities that are determined to pose a high degree of potential financial risk, including the potential risk of loss of customer funds. High-risk member registrants must include firms experiencing financial or operational difficulties, failing to meet segregation or net capital requirements, failing to maintain current books and records, or experiencing material inadequacies in internal controls. Enhanced monitoring for high risk firms should include, as appropriate, daily review of net capital, segregation, and secured calculations, to assess compliance with self-regulatory and Commission requirements.
(4) On-site examinations. A designated self-regulatory organization must conduct routine periodic on-site examinations of futures commission merchant member registrants over which it has oversight responsibilities. Such member registrants must be subject to on-site examinations no less frequently than once every eighteen months. A designated self-regulatory organization shall establish a risk-based method of establishing the scope of each on-site examination, provided, however, that the scope of each on-site examination of a futures commission merchant must include an assessment of whether the registrant is in compliance with applicable Commission and self-regulatory organization minimum capital, customer fund protection, recordkeeping, and reporting requirements. A designated self-regulatory organization must conduct on-site examinations of futures commission merchant registrants in accordance with the Joint Audit Program.
(I) Following the establishment of the Joint Audit Program, no less frequently than once every three years, the Joint Audit Committee members must cause an examinations expert to evaluate the Joint Audit Program and each designated self-regulatory organization's application of the Joint Audit Program. The Joint Audit Committee members must obtain from such examinations expert a written report, and must provide the written report to the Commission no later than forty-five days prior to the annual meeting of the members of the Joint Audit Committee to be held in that year pursuant to paragraph (d)(2)(iii)(A) of this section. The Joint Audit Committee members may also provide to the Commission a response, in writing, to any of the findings, comments or recommendations made by the examinations expert. The examinations expert's written report must include the following:
(1) A statement that the examinations expert has evaluated the Joint Audit Program, including the sufficiency of the risk-based approach and the internal controls testing thereof, and comments and recommendations in connection with such evaluation from such examinations expert;
(2) A statement that the examinations expert has evaluated the application of the Joint Audit Program by each designated self-regulatory organization, and comments and recommendations in connection with such evaluation from such examinations expert;
(3) The examinations expert's report on findings and recommendations issued under the consulting services standards of the American Institute of Certified Public Accountants and should include an analysis of the supervisory program's design to detect material weaknesses in an entities internal control environment; and
(4) A discussion and recommendation of any new or best practices as prescribed by industry sources, including, but not limited to, those from the American Institute of Certified Public Accountants, the Public Company Accounting Oversight Board, the Internal Audit Association and The Risk Management Association.
(iii) Meetings of the Joint Audit Committee.
(B) In addition to the items considered in paragraph (d)(2)(iii)(A) of this section, the Joint Audit Committee members must consider the following items during the annual meeting:
(1) The role of the Joint Audit Committee and its members as it relates to self-regulatory organization responsibilities;
(2) Developing and maintaining the Joint Audit Program for all designated self-regulatory organizations to follow with no exceptions;
(3) Coordinating self-regulatory organization responsibilities with those of independent certified public accountants, the Commission and other regulators and self-regulatory organizations (e.g., the Securities and Exchange Commission, the Financial Industry Regulatory Authority, and others, as the case may be for futures commission merchants subject to regulation by multiple regulators and self-regulatory organizations);
(4) Coordinating and sharing information between the Joint Audit Committee members, including issues and industry concerns in connection with examinations of futures commission merchants;
(5) Identifying industry regulatory reporting issues and financial and operational internal control issues and modifying the Joint Audit Program accordingly;
(6) Issuing risk alerts for futures commission merchants and/or designated self-regulatory organization examiners on an as-needed basis as issues arise;
(7) Issuing an annual examination alert for certified public accountants and designated self-regulatory organization examiners;
(8) Responding to industry issues;
(9) Providing industry feedback to Commission proposals; and
(10) Developing and maintaining a standard of ethics and independence with which all examination units of the Joint Audit Committee members must comply.
(f) A plan's designated self-regulatory organizations must report to:
(h) After appropriate notice and opportunity for comment, the Commission may, by written notice, approve such a plan, or any part of the plan, if it finds that the plan, or any part of it:
(i) After the Commission has approved a plan, or part thereof, under paragraph (h) of this section, a self-regulatory organization delegating the functions described in paragraph (d)(1) of this section must notify each of its members that are subject to such a plan:
[78 FR 68638, Nov. 14, 2013, as amended at 83 FR 7995, Feb. 23, 2018]