Hot Commodity: CFTC Issues Key Guidance to Companies Regarding CFTC’s Compliance Expectations
Following the issuance of its civil monetary penalties guidance in May, the Commodity Futures Trading Commission (“CFTC”) Division of Enforcement (the “Division”) on September 10, 2020 announced new guidance outlining factors that it will consider when evaluating corporate compliance programs in CFTC enforcement actions ( the “Guidance”). The existence and effectiveness of a company’s pre-existing compliance program, along with any efforts to improve the program after a violation, are among the factors that the CFTC will consider in evaluating an appropriate penalty in an enforcement action.
The Guidance comes on the heels of a number of other U.S. enforcement agencies publishing their own guidance on the evaluation of corporate compliance programs, including the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) publishing its “Framework for OFAC Compliance Commitments” and the U.S. Department of Justice (“DOJ”) Criminal Division’s “Evaluation of Corporate Compliance Programs.” Indeed the CFTC’s Guidance instructs Division staff to, where appropriate, consider such other agencies’ guidance in conducting their analysis.
Under the Guidance, Division staff will consider whether compliance programs were reasonably designed and implemented to achieve three goals: (1) prevention; (2) detection; and (3) remediation of the underlying misconduct. Division staff will also consider whether the compliance program has been reviewed and modified to address any deficiencies upon discovery of misconduct. In its evaluation, the Division will conduct a risk-based analysis that takes into consideration, among other things, the specific entity involved, the entity’s role in the market, and any potential market or customer impact of the relevant misconduct.
Detailed considerations for each of the three compliance program goals are as follows:
Under the Guidance, Division staff will look at whether the compliance program was reasonably designed and implemented to prevent the relevant misconduct, including evaluating whether:
- Written compliance policies and procedures in effect throughout the period of misconduct reasonably addressed such misconduct, including whether these policies and procedures were updated to reflect current rules and regulations, relevant guidance, and other legal developments;
- Training of staff, supervisors, and compliance personnel reasonably addressed the relevant misconduct;
- Any failure to cure previously identified deficiencies in the compliance program contributed to, or failed to prevent, the relevant misconduct, including failure to satisfactorily address regulatory findings;
- The company has devoted adequate resources, including funds, to compliance; and
- The structure, oversight, and reporting of the compliance function of the company are sufficiently independent from its business functions.
The Division will also evaluate whether a company’s compliance program was reasonably designed and implemented to effectively detect the relevant misconduct, including whether the company has compliance mechanisms, processes, and procedures in place aimed at detecting misconduct such as:
- Internal surveillance and monitoring efforts;
- The company’s internal reporting system and system of handing complaints, including anonymous complaints and adequate whistleblower protection; and
- Procedures to identify and evaluate unusual or suspicious activity to determine whether misconduct has occurred, with due regard to the sources, gravity, and extent of the organization’s risk of violations, including whether efforts for detection and evaluation of potential wrongdoings were narrowly tailored (e.g. to a specific individual, product, date, etc.) or sufficiently broad to uncover similar instances of misconduct across the company and whether questions and concerns were appropriately elevated.
Finally, Division staff will evaluate the steps the company took, upon discovery of the relevant misconduct, to assess and address both the misconduct and any deficiencies in the company’s existing compliance program that may have permitted the misconduct to occur or evade detection in the first instance. In reviewing remedial efforts, the Division will consider whether the company, in a sufficient and timely manner, appropriately took action to:
- Effectively address any impact of the misconduct, including to mitigate and cure any financial harms to others, and restore integrity to the relevant markets;
- Appropriately discipline the individuals directly and indirectly responsible for the misconduct; and
- Identify and address deficiencies in the compliance program that may have contributed to the company’s failure to prevent or quickly detect the misconduct (which also are taken into account in determining appropriate civil monetary penalty).
The Guidance is the first of its kind that the Division has issued and is consistent with the CFTC’s recent efforts to promote transparency and clarity within the agency. Together with the CFTC’s guidance on civil monetary penalties, it provides companies with a clear framework for evaluating existing compliance programs, deterring bad behavior, and fostering a culture of compliance for businesses.