The Director of the CFTC Division of Enforcement (the "Division") provided guidance for staff on assessing compliance programs when considering appropriate penalties or other sanctions. The guidance will be included in the CFTC Enforcement Manual and will be binding on Enforcement Division staff.
In the Memorandum, Division staff are instructed to undertake a "risk-based analysis" and to consider the type of entity involved, its role in the market, and the potential impact of its misconduct on customers or the market.
The guidance provides a framework for conducting a compliance program review. The framework includes "whether the compliance program was reasonably designed and implemented to achieve three goals: (1) prevent the underlying misconduct at issue; (2) detect the misconduct; and (3) remediate the misconduct." The guidance describes these elements:
Prevention. The Division will evaluate (i) a company's written policies and procedures, (ii) the training of staff, supervisors and compliance personnel, (iii) any failure to address previously identified deficiencies, (iv) the adequacy of resources devoted to compliance, and (v) the independence of the compliance program from business functions.
Detection. The Division will assess (i) the sufficiency of an organization's internal surveillance efforts, (ii) the organization's handling of complaints and its internal-reporting system, and (iii) the organization's procedures for identifying suspicious activity.
Remediation. The Division will take into account the efforts of an organization to (i) successfully address the impact of the misconduct, (ii) "appropriately discipline" the responsible parties, and (iii) determine any deficiencies in the compliance program and address them.
In addition, the guidance requires staff to "consider whether, upon discovery of any misconduct, the compliance program itself has been reviewed and modified to address any deficiencies."