On September 10, 2020, the CFTC announced the issuance of new, public, guidance to its enforcement staff on evaluating the adequacy of corporate compliance programs. The new guidance provides enforcement staff a framework with which to assess participants’ compliance programs, and is intended to ensure consistency and transparency in such reviews.
The latest publication continues the Commission’s efforts to increase transparency in the enforcement process. In May, the CFTC formally issued guidance regarding Enforcement’s decisions to recommend the imposition of civil monetary penalties, and last year the Division issued its first public Enforcement Manual. More details on these previous issuances from the CFTC can be found here and here.
Chairman Tarbert applauded the latest guidance, saying it “highlights once again the CFTC’s commitment to transparency and clarity”. In the press release accompanying the guidance, Tarbert emphasized the importance of clarity for market participants in how the Commission reviews compliance programs. The CFTC, he said, “depends on good corporate citizens, acting through compliance programs – as partners in furthering the integrity and resilience of our markets. It’s in both the agency’s interests and of compliance personnel that the Commission is clear about how and what we’ll evaluate.”
In evaluating a compliance program, enforcement staff, according the guidance, should consider whether it was reasonably designed to achieve the goals of preventing, detecting, and remediating misconduct. In conducting its analysis of the effectiveness in reaching these goals, staff should look to a number of factors, including:
Prevention
- If the firm’s training program and written policies and procedures reasonably address the relevant misconduct.
- Whether, and to what extent, previously identified, yet uncured, deficiencies contributed to the relevant misconduct.
- Whether the firm has devoted “adequate” resources to the compliance program.
- Whether the compliance function is sufficiently independent from the business functions.
Detection
- If the misconduct at issue was detected through not only compliance mechanisms but also the procedures in place designed at detecting the misconduct.
- If the firm has adequate systems for surveillance, monitoring, internal reporting, customer complaints (including protection for whistleblowers).
- Whether the firm has adequate procedures for identifying and evaluating suspicious activity.
Remediation
- Once discovered, was the impact of the misconduct effectively addressed, including mitigation and cure for any financial harm to others, and the restoration of integrity to the relevant markets?
- Were the individuals responsible appropriately disciplined?
- Were any deficiencies that led to the failure to prevent or detect the misconduct identified and effectively addressed?
While the enforcement guidance generally formalizes already well-known best practices, it could provide a helpful tool for compliance professionals when auditing their procedures. An encouraging aspect of the guidance is that it requires staff to conduct a risk-based analysis, and consider a variety of factors including a participant’s role in the market and the impact of the misconduct on the market or customers. Given the variety of market participants, a risk-based approach allows for needed flexibility in analyzing compliance programs. Not all market participants are subject to the same risks, and their compliance programs should not be judged as if they are. The guidelines illustrate the Commission’s continued dedication to increasing transparency into its internal processes; however, generalized principles provide little concrete help to compliance departments. As always, the clearest guidance will come from the cases brought by enforcement.