NFA Compliance Programs and Recordkeeping: What Futures Traders Must Know

Overview #

The NFA compliance program framework has two populations: entities that must build and maintain compliance programs, and individuals who are affected by those programs without being directly subject to them. Most retail traders fall into the second group — but the moment you accept outside capital, market a paid signal service, or introduce others to brokers, you cross into the first group whether you know it or not.

The framework centers on three statutory authorities: NFA Rule 2-46 (supervision and compliance program requirements), NFA Rules 2-4 and 2-10 (recordkeeping), and NFA Interpretive Notice 9070 (cybersecurity). Together they require registered entities to maintain written supervisory procedures, complete records of all regulated activity, documented ethics training, reviewed promotional materials, and written cybersecurity controls. Examinations — periodic for all registrants, bi-annual for many introducing brokers — verify that the written program matches actual practice.

For retail traders who aren't registered: these requirements tell you what your broker owes you, what records protect you in disputes, and what controls should exist around the performance marketing of anyone whose signals or managed accounts you're considering.

Key Concepts #

NFA (National Futures Association) — The self-regulatory organization that oversees the U.S. futures industry. Think of it as the FINRA equivalent for futures. All FCMs, IBs, CTAs, CPOs, and their associated persons must register with the NFA and operate under its rules.

FCM (Futures Commission Merchant) — The firm that holds your account, accepts margin, and clears trades. Your broker is your FCM. Examples: Interactive Brokers, TD Ameritrade Futures, Tradovate.

IB (Introducing Broker) — Introduces customers to FCMs but doesn't hold funds. Often the "retail-facing" side of a broker setup with a clearing arrangement behind it.

CTA (Commodity Trading Advisor) — Any entity that manages futures accounts for others, or advises on futures trades for compensation. If you run a signal service for pay or manage someone's futures account under a POA, you're likely a CTA.

CPO (Commodity Pool Operator) — Operates a fund or pool where multiple investors' money is combined and traded in futures. Hedge funds trading futures, managed futures funds fall under this category.

NFA Rule 2-46 — The primary rule requiring NFA members to supervise employees, agents, and activities in a manner designed to prevent regulatory violations. The foundation of the compliance program requirement.

NFA Rules 2-4 and 2-10 — The recordkeeping rules. Rule 2-4 covers general conduct and the obligation to maintain accurate books and records. Rule 2-10 establishes specific record categories and retention requirements.

Compliance Program — A written framework covering policies and procedures, supervision, recordkeeping, marketing review, ethics training, cybersecurity, and complaint handling. Required for all NFA member entities.

Promotional Material — Any advertisement, communication, or content used to attract or retain customers. Includes websites, social media posts, trade results shared publicly, pitch decks, and email campaigns. Subject to strict NFA content rules regardless of medium.

NFA Examination — Periodic review of an NFA member's books, records, controls, and practices. Not an audit in the tax sense — more like a structured regulatory inspection.

Who Actually Has to Build a Compliance Program #

This is where most traders get the framework wrong. NFA compliance obligations are tiered based on registration status.

If you're trading your own account and nothing else — no outside money, no signals sold for compensation, no introductions — you're outside the formal compliance program mandate. You're impacted indirectly because your FCM is a registered entity operating under these rules, which means your protections depend on their compliance. But you don't have to build a program yourself.

The minute you cross into any of these activities, the calculation changes:

Managing outside capital means CTA or CPO registration is likely required. With registration comes the full compliance program obligation — written procedures, recordkeeping, ethics training, marketing review, cybersecurity controls, and periodic NFA examination.

Operating a signal service for compensation is the gray zone that catches a lot of retail traders. If you're charging for trade recommendations on futures instruments, you're almost certainly a CTA under the Commodity Exchange Act. The "for compensation" element is broad — paid subscriptions, revenue-share arrangements, affiliate fees tied to client performance.

Introducing others to brokers for compensation turns you into a regulated IB. Full compliance obligations apply.

Running a trading entity with employees or agents — even staff who just handle marketing or administration — creates supervision obligations. Someone acting on your behalf in a regulated activity requires documented oversight.

The applicability matrix isn't a gray area once you understand it. The question isn't "do I trade?" — it's "do I take action in the regulated sphere on behalf of others or for compensation?"

The NFA Compliance Program: What's Actually Required #

For registered entities, a compliant NFA compliance program covers these components — and understanding them tells you what "good" looks like when evaluating any registered firm:

Written Supervisory Procedures #

The compliance program starts with documentation. Registrants need written procedures covering who can do what, how trades are reviewed, how communications are monitored, how customer complaints are handled, how discretionary authority is managed, and who has oversight over each activity.

The key principle is consistency between the written procedures and what actually happens. Auditors don't just read the policy document — they sample actual activity to see whether the procedures are followed. A well-written compliance manual that nobody reads is worse than no manual at all, because it creates a documented gap.

Ethics Training Requirements #

Ethics training is annual in most categories and covers proper disclosure practices, conflict-of-interest handling, marketing standards, and the prohibition on cherry-picking, misrepresentation, and fraudulent performance claims.

The training requirement exists because the most common enforcement actions against futures registrants involve exactly these areas: performance claims that can't be substantiated, conflicts of interest that weren't disclosed, and marketing materials that misled potential clients about strategy risk and historical returns.

Cybersecurity Program #

NFA Interpretive Notice 9070, effective March 2017, established cybersecurity program requirements for all NFA member organizations. The notice doesn't mandate specific technologies but requires that firms conduct periodic IT risk assessments, implement controls commensurate with identified risks, maintain written information systems security policies, develop an incident response plan, conduct regular training on cybersecurity risks, and assess vendor security controls.

The practical minimum for any trading entity: MFA on all account and system access, encrypted storage for client and trading data, documented incident response steps, and at least annual review of access controls when personnel changes occur.

Even for retail traders who aren't registered, these controls directly protect your account. Brokerage credential compromise is one of the most common sources of unauthorized trading and fraud. MFA on your FCM account is non-negotiable.

Recordkeeping Rules: What You Have to Keep and Why #

NFA Rules 2-4 and 2-10 establish the recordkeeping framework. For registered entities, compliance means maintaining complete and accessible records across every major business activity. For retail traders, understanding the framework tells you what documentation protects you when disputes arise.

The Core Record Categories #

Trading records are the foundation. This means account statements received from your FCM, order logs showing what you sent and when, execution reports showing how orders were filled, margin records, and profit/loss calculations. These aren't just for regulatory compliance — they're the documentation that resolves fill disputes, supports tax positions, and provides evidence if an FCM makes a liquidation error.

Client and investor records apply when managing outside money. Every managed account relationship needs an agreement, a signed risk disclosure document, KYC documentation verifying the client's identity and suitability, communication logs covering material representations made to the client, and records of every allocation and fee calculation. These records are the difference between a manageable complaint and a regulatory enforcement action.

Marketing and promotional materials require their own archive. Every version of every public claim — websites, social posts, email campaigns, pitch decks, performance reports — needs to be preserved along with the substantiation data supporting each stated figure. The archive has to include timestamps proving when each version was published and what it said at the time.

Compliance records document that the compliance program is actually operating: written procedures, training completion records, approval logs for marketing content, complaint records and how each was resolved, and results of any internal testing or review.

The NinjaTrader case from November 2025 illustrates what happens when compliance records are deficient. NinjaTrader's $250,000 NFA fine for AML and supervision failures stemmed from gaps between written policies and actual supervisory practice — exactly the kind of failure that solid compliance records would have caught earlier.

Retention Periods: The Practical Rule #

The NFA's general recordkeeping retention requirement is five years for most categories. Some records have longer requirements.

The conservative approach:

• Trade records (statements, order logs, fills, confirmations): 5 years minimum
• Marketing and performance substantiation: 5 years from the date of last use or modification
• Client agreements and disclosure documents: Duration of the relationship plus 5 years
• Tax-related records: Follow IRS requirements, which typically means 7 years for records supporting income or loss
• Compliance records (training, approvals, complaint logs): 5 years

The business case for longer retention is simple: the cost of keeping digital records for 7 years is basically zero. The cost of missing a critical document in a dispute or examination can include fines, restitution, or registration revocation.

Don't rely solely on broker portals. Account data on broker websites is not a substitute for your own archive. FCMs have gone bankrupt — MF Global and PFGBest are the canonical examples — and in both cases, customers who had their own copies of account records were better positioned than those who depended on the broker's systems.

Promotional Materials: The Highest-Risk Area for Retail Traders #

If you post trade results publicly, run a paid signal service, or market managed account services, promotional materials rules are where most compliance problems originate. NFA rules require that promotional materials be balanced, substantiated, accurate, risk-consistent, and appropriately disclosed.

Balanced — Performance presentations can't cherry-pick winning periods, instruments, or strategies. If you show your best month, you need to show context that includes your drawdown periods.

Substantiated — Every performance claim needs source data that can be verified. Not just a screenshot — the underlying trade records that support the screenshot.

Accurate — Hypothetical and simulated results must be clearly labeled as such. Backtested equity curves presented as live trading results are a direct violation.

Risk-consistent — Marketing materials can't imply that a strategy is low-risk if the historical record shows significant drawdowns. The risk disclosure has to be consistent with the actual performance profile.

The specific violations NFA enforcement actions target most frequently: showing only profitable periods, presenting backtests as live results, using vague win-rate claims without context (dates, trade count, methodology), and omitting fees, slippage, or commissions from performance calculations.

What to Keep in Your Marketing Archive #

If you produce any promotional materials, build the archive habit before you need it:

• Every version of every public-facing performance claim, with timestamps
• The source data (trade-by-trade records) supporting each calculation
• Screenshots of the live version at the time of publication
• The approval record showing who reviewed the content before publication
• The risk disclosure language that accompanied the performance claim

If you can't reconstruct the methodology and supporting data for every performance figure in your marketing, the claim shouldn't be out there.

NFA Examinations: What Auditors Actually Look For #

NFA conducts periodic examinations of registered entities — bi-annual for many introducing brokers, less frequent for smaller registrants. Retail traders aren't directly examined, but the firms they use are. Understanding the examination process tells you what "auditor-ready" looks like.

The examination request list typically includes:

Books and records — Are required records present, complete, and retrievable? Auditors will sample-request specific records to verify the archive is operational, not just described in the policies.

Supervisory procedures — Do the written procedures match actual practice? Auditors interview compliance staff and supervisors to assess whether controls are operational or merely documented.

Marketing review — Are promotional materials approved before publication? Is there a substantiation file for performance claims? Is the hypothetical/actual distinction maintained consistently?

Trade practices — Order handling, best execution considerations, discretionary account management. For CTAs: how are trades allocated across accounts when managing multiple clients?

Cybersecurity controls — Is there a written cybersecurity program? Are controls documented? When was the last review? What happens when a security incident occurs?

Complaint records — Are customer complaints logged? How are they investigated? What corrective actions were taken?

The examination failure pattern is consistent across enforcement actions: gap between written policy and actual practice, missing records, performance claims that can't be substantiated, and weak cybersecurity documentation.

The lesson for any registered entity: if there's a gap between what your written procedures say and what your records show, that gap will be found. Build systems where the records are the natural output of normal operations, not a separate effort to satisfy auditors.

Practical Guide for Retail Futures Traders #

Even if you're trading your own account and have zero compliance program obligations, these practices protect you.

Build your own record archive. Don't rely on your FCM's portal for historical records. Download and save monthly statements, trade confirmations, and order history. Keep these in an organized archive with a consistent structure. FCMs have operational issues, system outages, and in rare cases, insolvency. Your records are yours — keep them that way.

Archive every public claim before you make it. If you post trade results anywhere online — Twitter, trading forums, Discord, your own website — save exactly what you posted and when. If you ever face a dispute about what you represented, you need the contemporaneous record.

Separate live results from backtests everywhere. The NFA's backtesting disclosure requirements exist because the gap between backtested and live performance is wide in most strategies. If you share performance, the distinction has to be clear and prominent — not in footnote 12.

Enable MFA on everything. Your FCM account, your platform login, your data feed account. Account takeover is the most common path to unauthorized trading. MFA makes it dramatically harder. No compliance framework in the world matters if your account gets taken over because you're reusing an old password.

If you take outside money, get legal advice before you start. The CTA registration requirement has broad application, the exemptions are narrow, and trading outside money without appropriate registration is an enforcement priority. The cost of getting this wrong is not just fines — it can include disgorgement of all profits earned while unregistered.

Retain everything for at least 5 years. Trade records, correspondence with your broker, any written communications about your account, tax records. If a dispute arises two years from now, these records are what you have.

The Compliance Mindset: Assume It Will Be Scrutinized #

NFA compliance ultimately comes down to one operating principle: assume that everything you do in the regulated sphere could eventually be examined, whether in a broker dispute, a regulatory inquiry, or a client complaint. Design your record-keeping, your marketing, and your supervisory practices as if an examiner will eventually review them.

The cost of operating this way is minimal — organized records, saved screenshots, documented decisions. The cost of not operating this way — when it matters — can be career-ending.