On September 10, 2020, the Commodity Futures Trading Commission’s (CFTC, or the Commission) Division of Enforcement (Division) director issued a memorandum to Division staff setting forth a framework for evaluating the effectiveness of a company’s compliance program in the context of an enforcement matter (Guidance).1 The Guidance follows the Division’s May 2020 guidance on determining civil monetary penalties in enforcement actions (Penalty Guidance) and the Department of Justice’s (DOJ) June 2020 revisions to its guidance “Evaluation of Corporate Compliance Programs,” originally published in 2017 (DOJ Guidance).2
While the memorandum largely consolidates and formalizes existing CFTC guidance, and is consistent with the more detailed DOJ Guidance,3 it provides some additional insight into the emphasis the Division places on the scope and speed of remediation in the enforcement process. These insights continue the Commission’s ongoing commitment to provide more transparency into its deliberative process,4 and serve as helpful guideposts to market participants as they structure and enhance their existing compliance programs.
Summary of Guidance
In May 2020, the Division issued the Penalty Guidance, which is intended to provide “market participants with greater transparency as to Division staff’s decision-making criteria regarding civil monetary penalties” in connection with resolving an enforcement matter.5 Among other factors, the Penalty Guidance directed Division staff to consider relevant mitigating and aggravating circumstances, including the “[e]xistence and effectiveness of the company’s pre-existing compliance program” and post-violation “efforts to improve a compliance program.” The new Guidance provides a framework for evaluating corporate compliance programs when assessing civil monetary penalties, and also highlights that Division staff may undertake the same evaluation “in connection with non-monetary terms of a resolution, such as remediation or other undertakings.” While not binding on the Commission, this Guidance is intended to be binding on Division staff.
Under this framework, the Division primarily assesses the effectiveness of a compliance program using three factors:
- Prevention: The Division considers whether the program was reasonably designed and implemented to prevent the misconduct at issue, including whether the company adopted appropriate policies and adequately trained its staff. In addition, the Division considers whether the compliance function is adequately resourced and “sufficiently independent from business functions.” The Division also considers whether the company’s failure to address prior issues contributed to, or failed to prevent, the misconduct at issue.
- Detection: The Division also analyzes whether the compliance program was reasonably designed and implemented to detect the misconduct at issue. As part of this analysis, the Division considers whether the company independently identified the misconduct, as well as the sufficiency of the company’s internal surveillance and monitoring efforts and its internal-reporting and complaint-handling systems.
- Remediation: Finally, the Division considers a company’s efforts to “assess and address” both the relevant misconduct and any compliance program deficiencies “[u]pon discovery of the misconduct.” As part of this analysis, the Division considers the company’s efforts to “cure any financial harm to others and restore integrity to the relevant markets,” “appropriately discipline the individuals directly and indirectly responsible for the misconduct,” and remediate deficiencies in the compliance program “that may have contributed to a failure to prevent or quickly detect the misconduct.”
In evaluating these factors, the Division employs a “risk-based analysis” based on “the specific entity involved, the entity’s role in the market, and the potential market or customer impact of the underlying misconduct.” The Division also considers input from other divisions of the Commission with “relevant knowledge, experience, or expertise.”
We note two key takeaways from the Guidance. First, as then-Director McDonald made clear, the Division was not seeking to provide “prescriptive guidance” that would result in “one-size-fits-all” requirements.6 This approach provides institutions with some flexibility to tailor their programs to their particular needs, as well as allow for advocacy in any subsequent enforcement proceedings. This aligns broadly with the DOJ’s approach, which outlines an expansive (but flexible) list of inquiries that prosecutors may find relevant when evaluating the sufficiency of a compliance program.7
Second, any institution that has discovered an issue should consider commencing any remedial activity immediately. The Guidance is clear that the Division expects such efforts to begin “upon discovery” of the misconduct, and thus before any investigation or action by the Division, and certainly well before the Division makes any formal recommendations regarding the conduct at issue or the culpability of relevant individuals. Further, the Guidance also provides that these efforts should include an evaluation of whether any disciplinary action is necessary, including for those who were “indirectly” responsible for the misconduct, such as supervisors and control functions who did not act on red flags or other indicia of misconduct.