CFTC Issues Compliance Program Guidance
White Collar Crime and Internal Investigations Alert 11/16/20 Luke V. Cass, Hector Diaz
On September 10, 2020, the Commodity Futures Trading Commission (“CFTC” or the “Commission”) issued its “Guidance on Evaluating Compliance Programs in Connection with Enforcement Matters” (the “Compliance Program Guidance” or “Guidance”). The Guidance provides a framework for Commission staff to determine the effectiveness of corporate compliance programs. Below, we summarize the Guidance and provide several key takeaways for companies to avoid increased fines and penalties for misconduct.
The Compliance Guidance
In May 2020, the CFTC issued its Civil Monetary Penalty Guidance. The Penalty Guidance detailed the factors the CFTC will consider when imposing penalties on traders for misconduct. One of these considerations is whether a mitigating or aggravating fact should be applied based on the pre-violation presence of an effective compliance program to prevent, catch, and remediate misconduct. Specifically, the Penalty Guidance directed CFTC staff to evaluate: (1) the effectiveness of pre-violation compliance programs and; (2) post-violation improvements made to a compliance program as aggravating and mitigating factors in determining civil monetary penalties.
The Compliance Program Guidance further details the factors that CFTC officials will use to determine whether an organization’s compliance program should qualify as either a mitigating or aggravating factor. Under the Guidance, and using a risk-based analysis, the CFTC will evaluate whether an organization’s compliance program “was reasonably designed and implemented to” meet three goals stated by the Commission: “(1) prevent the underlying misconduct at issue; (2) detect the misconduct; and (3) remediate the misconduct.”
Understanding that these goals are ill-defined in their own right, the Commission further detailed specific elements it deems necessary for a compliance program to meet these goals:
1. Prevention: Was the program reasonably designed and implemented to effectively prevent the misconduct at issue? Evaluation of this factor should include consideration of, among other things, whether:
a. written policies and procedures in effect throughout the period of misconduct reasonably addressed the type of misconduct at issue;
b. training of staff, supervisors, and compliance personnel reasonably addressed the type of misconduct at issue;
c. a failure to cure any previously identified deficiencies in the compliance program contributed to, or failed to prevent, the misconduct at issue (a failure to satisfactorily address regulatory findings is of particular significance);
d. adequate resources, including funds, had been devoted to compliance; and
e. the structure, oversight, and reporting of the compliance function is sufficiently independent from the business functions.
2. Detection: Was the program reasonably designed and implemented to effectively detect the misconduct at issue? Evaluation of this factor should include consideration of, among other things, the adequacy of:
a. internal surveillance and monitoring efforts;
b. the organization’s internal-reporting system and its handling of complaints (including provisions for anonymous complaints and protection for whistleblowers); and
c. procedures for identifying and evaluating unusual or suspicious activity to determine whether any misconduct has occurred, with due regard for the sources, gravity, and extent of the organization’s risk of violations.
3. Remediation: Upon discovery of the misconduct, what steps were taken to assess and address both the misconduct and any deficiencies in the compliance program that may have permitted the misconduct to occur or initially evade detection? Evaluation of this factor should include consideration of, among other things, whether, in a sufficient and timely manner, appropriate action was taken to:
a. effectively address any impact of the misconduct, including to mitigate and cure any financial harm to others and restore integrity to the relevant markets;
b. appropriately discipline the individuals directly and indirectly responsible for the misconduct; and
c. identify and address any deficiencies in the compliance program that may have contributed to a failure to prevent or quickly detect the misconduct.
A functioning and effective compliance program may stave off certain penalties when misconduct is uncovered. The lack of an effective program may also lead to increased penalties. While no compliance program will perfectly detect misconduct, creating a “culture of compliance” where an organization’s employees are dedicated to ensuring that their conduct aligns with their statutory, regulatory, and ethical obligations is vital.
In light of the Guidance, industry participants should take one of two steps. First, if an organization does not have a compliance program, it should immediately begin the process of creating one. In the alternative, if your organization already has a compliance program, they should use the Commission’s issuance of the Guidance as an opportunity to audit, reevaluate, and modify the existing compliance program and its internal controls to ensure it meets the CFTC’s stated goals.
Market participants should also consider the following five takeaways:
1. Effective compliance programs will be a major factor in how the CFTC evaluates the appropriateness of monetary penalties.
2. Effective compliance programs are equipped to prevent, detect, and remediate misconduct. They will include:
- Annual training for all employees detailing (1) the types of misconduct they should be on the lookout for; (2) any statutory or regulatory updates that have been implemented in the last year; and (3) whistleblower procedures, rights, and other protections.
- Annual evaluation of internal policies and procedures to ensure that they are adequately defined to continue preventing, detecting, and remediating misconduct.
- Annual evaluation of technical systems to ensure that they are up-to-date and secure.
3. The compliance program and compliance officer must be independent of the business side of the organization.
- The independence of the compliance officer is evidence through adequate documentation supporting the position. When evaluating this factor, organizations should also evaluate the compliance officer’s reporting obligations and procedures. For example, a compliance officer’s ability to report suspected misconduct directly to the board of directors is a hallmark of his or her independence for the business side of the organization.
4. Routine reports to the board of directors by the compliance officer.
5. Disciplinary procedures are applied equally to all positions regardless of whether the individual is low-level or in the executive suite. However, factors such as leading or blessing a fraudulent scheme should be considered when making a disciplinary decision.
For more information regarding the CFTC’s Compliance Program Guidance, internal investigations, or compliance programs question please contact your Quarles & Brady attorney or: