On September 10, 2020, the Commodity Futures Trading Commission (CFTC) announced the issuance of binding guidance on the way the Division of Enforcement will review a registrant’s compliance program as part of an enforcement matter (the Guidance). The CFTC’s recently issued Penalty Guidance that directs enforcement staff to consider the "[e]xistence and effectiveness of the company’s pre-existing compliance program" and post-violation conduct such as the company’s "efforts to improve a compliance program" as mitigating circumstances when setting penalties. This newest Guidance explains how the CFTC will conduct its review of compliance programs in the enforcement setting.
The Guidance begins by explaining that CFTC review of a compliance program is to be guided throughout by a multifactor, risk-based analysis. That analysis includes consideration of whether the company’s compliance program is designed and implemented to achieve the key aims of preventing, detecting, and remedying the misconduct at issue. Another consideration is whether the company reviewed and, if appropriate, revised the compliance program itself upon discovering the misconduct. The Guidance then proceeds by setting forth the various considerations particular to each of the three key goals of prevention, detection, and remediation.
First, with respect to prevention, the CFTC considers, among other things, whether:
- the company’s policies and procedures reasonably address the relevant misconduct
- training reasonably addressed the type of misconduct at issue
- the company’s failure to cure any previously identified deficiencies in the compliance program (particularly deficiencies identified in regulatory findings) contributed to, or failed to prevent, the misconduct
- the company had dedicated adequate resources to compliance and
- all aspects of the compliance function are sufficiently independent from the business functions.
Second, the CFTC will consider the processes and procedures the company uses to detect misconduct and whether, in the matter at issue, its compliance mechanisms independently detected the misconduct. Relevant considerations include, among other things, the adequacy of the company’s:
- internal surveillance and monitoring efforts
- internal-reporting system and processes for handling complaints (including provisions for anonymous complaints and whistleblower protections) and
- procedures to identify and evaluate unusual or suspicious activity to determine whether any misconduct has occurred.
Finally, with respect to remediation, the CFTC considers what steps the company took, upon discovering the misconduct, to assess and address the misconduct, and whether any deficiencies in the compliance program may have permitted the misconduct or prevented its detection. This includes consideration of, among other things, whether the company took sufficient and timely action to:
- address the misconduct’s impact, including to mitigate and cure financial harm to others and to restore integrity to the relevant market
- discipline those responsible for the misconduct and
- identify and address deficiencies in the compliance program that may have frustrated prevention and timely detection of the misconduct.
The Guidance is the most recent push in the CFTC’s efforts to ensure the transparency of its processes for registrants and the public. The compliance program is the cornerstone of a company’s policies and procedures for conforming with applicable laws and regulations, and the Guidance helps companies understand how the CFTC will review their compliance programs in the context of enforcement. Prudent companies may wish to center these considerations as they devise and revise their compliance programs going forward, and to seek experienced counsel to facilitate the process.
For direct access to the CFTC press release and Guidance, see CFTC Issues Guidance on Factors Used in Evaluating Corporate Compliance Programs in Connection with Enforcement Matters.
Learn more about the implications of the Guidance by contacting either of the authors.