In this article we outline 12 key elements that are critical components of a rock-solid compliance program for participants in commodity markets. We start with creating a “culture of regulatory compliance,” which pervades a company from top to bottom, and then work our way through day-to-day policies and steps you can take to minimize your company’s risk of non-compliance. Unfortunately, many of these key elements are more likely to be found in companies that have committed violations and paid substantial penalties, but it need not be that way! Review the checklist in the article, see how many elements you can check off, and then discuss the results with your company’s chief compliance officer. If you don’t have a chief compliance officer, then reach out to your company’s general counsel. Each company is different and yours may not have all of these key elements for various reasons, but stress-testing your compliance program now is much less stressful than waiting until after a regulatory investigation has begun. To see how your company stacks up, grab a pencil and read on.
- For any compliance program to work there must be a culture of regulatory compliance. Ideally this should be supported and promoted from top to bottom and at all layers in between. The “compliance” should be with respect to all applicable regulatory requirements, as well as all internal company policies, guidelines, codes of conduct or other corporate directives. As a matter of form, these internal “rules” may best be recorded in a Compliance Manual, which often provides the backbone for a company’s Compliance Program. Typically, a company will designate a group of employees that have the day-to-day responsibility for executing the Compliance Program, which may mean auditing commodity-related activities of company personnel, preventing and detecting violations, providing training, responding to violations, responding to inquiries from regulators, and periodically reviewing and recommending modifications and updates to the Compliance Program. Company employees should be encouraged to report violations or potential violations to the company without fear of retaliation. Employees should know that they are the first line of defense against legal, regulatory and reputational risk for the company.
- In order for a Compliance Program to prevent and detect violations, the company’s Compliance Manual should be well documented, clearly stated, easy to read, and innovative in the way it appeals to employees. Too many times, the authors of a Compliance Manual stop when they have recited all the applicable regulations and rules and then instruct employees participating in commodities markets to read the Compliance Manual. But handing an employee a copy of an agency’s regulations (e.g., Title 17 of the Code of Federal Regulations for the CFTC) with an admonition to “Go read this!” likely falls short of a successful Compliance Program. To be sure, a Compliance Manual needs to inform employees participating in commodity markets what the applicable regulatory authority expects in terms of regulatory compliance. But an even better Compliance Manual is one that is “user friendly” in a way that clearly establishes what the company expects as well from the reader. Finally, the Compliance Manual must be disseminated to all applicable employees. To accompany the Compliance Manual, we have also seen short complementary pieces (Add-ons) work very well, such as a two-page laminate with a summary of the key compliance elements. Add-ons can serve a very valuable goal of putting the right information easily within reach and keeping compliance top of mind.
- Where applicable, a Compliance Program should have oversight by the board of directors. It can be impactful if a company’s designated compliance officer reports to or has direct access to the board of directors. It is highly favorable if a company’s board of directors exercises reasonable oversight with respect to implementation and effectiveness of a Compliance Program. For instance, is the board knowledgeable about the content and operation of the program? Does the board devote adequate meeting time to compliance issues or receive training related to compliance? Does the board receive periodic updates from the company’s compliance officer regarding industry specific risks, as well as internally reported compliance issues?
- A successful Compliance Program should be supervised by an officer or other high-ranking official. This role could be split among different high-ranking officials, but with the goal being that the high-ranking official has regular interaction with the person or persons assigned responsibility for implementation of the Compliance Program. The high-ranking official should provide regular updates to senior management regarding the status of the program and any issues. The position of the high-ranking official should be formally documented (for example, by a board resolution or job description). Note that the high-ranking official needs to be fully engaged and knowledgeable about the content and operation of the Compliance Program. This person must lead by example and encourage a culture of compliance.
- A specific person should be designated by the company as the “compliance official”—in other words a Compliance Officer. The Compliance Officer should have independent access to the CEO and/or board of directors and should report periodically to senior management of the company. Depending upon the size of the company, the Compliance Officer may be a high-ranking official or a different individual serving in a separate role. In either case, the Compliance Officer is the one tasked with the day-to-day operational responsibility for the Compliance Program. The Compliance Officer needs to be given adequate resources and appropriate authority to effectively perform the functions of the job. The responsibilities of the Compliance Officer should be formally captured in a job description or by some other recorded means.
- Companies should perform background checks or other investigative checks on prospective employees who will have substantial discretion as part of their job function. This includes traders or management-level employees. A company should use reasonable efforts not to hire an individual that the company knew or should have known (through the exercise of due diligence) has engaged in violations or other conduct inconsistent with an effective, law-abiding Compliance Program. Checks should be performed at the time of hiring and when an individual is promoted into a position of authority. Checks should include education, driving history, criminal history, employment history for the past five years and any regulatory enforcement proceedings. For individuals whose job function will involve accounting or financial responsibilities, the checks might also include credit history, SEC, FINRA or state securities commission enforcement proceedings and FBI records.
- A robust Compliance Program will include employee training as an established part of the program. The frequency and quality of the training should be such that employees have a thorough understanding of relevant rules of both governmental regulatory authorities and the company’s expectations about compliance with those rules (i.e., the importance of compliance to the company). Training should be provided to employees, officers and directors, and if necessary, agents and contractors of the company. Any person that can be viewed as a relevant representative of the company should receive training.
- An effective Compliance Program will allow for an ongoing process for auditing and monitoring. For audits, the auditor (whether an internal employee or an outside consultant) should have whatever access is needed to effectively conduct the audit. The auditor should be independent from the group being audited. As for ongoing monitoring, the company should have in place an internal reporting system for evaluation of potential and actual violations. Effective monitoring of a company’s activities in commodities markets requires a system that allows employees to seek advice or report potential violations without fear of retaliation (this system may need to allow for anonymity and confidentiality, as well as compensation or incentives). We note that the CFTC (and some other agencies) pay compensation to whistleblowers for notifying the CFTC of violations or potential violations; a company’s Compliance Program may include similar incentives as well. In any case, employees should be encouraged to report misconduct and compliance issues promptly. Some companies may find it helpful to create a telephone hotline, or other anonymous information system, perhaps designating an individual to receive tips and complaints.
- For a Compliance Program to be considered robust, it should periodically assess risks. Frequent review of risks in commodity market practices and stress-testing can ensure that new controls and compliance measures are implemented in order to meet newly identified risks and to keep up with the fast pace of change in our use of digital communication methods. A company may want to consider using digital technology to monitor the use of algorithmic and electronic trading technologies. A company’s review should involve an assessment of the risk of violations or unlawful conduct. For example, a company might collect and analyze reported violations or potential violations. Also a company might analyze peer company violations in order to implement controls to avoid similar violations. A company might also consider if its employees are incentivized or dis-incentivized through compensation or some other means to either (a) circumvent rules or (b) detect, report and even prevent bad behavior. Periodic review of actual and potential risk is a positive factor for regulators.
- Periodic assessment of the Compliance Program itself is a hallmark of a solid program. A company should evaluate periodically the effectiveness of its Compliance Program and stress-test the program’s response to different hypothetical situations. Such an evaluation may be performed by internal personnel or by an external resource with the goal of identifying changes in enforcement practices and necessary revisions to detect, report and even prevent non-compliant behavior. The frequency of these evaluations should be determined by the amount of legal risk the company perceives from compliance issues, based on industry trends, regulatory agency activity and its own compliance history. Some areas of the Compliance Program may warrant more frequent evaluation than others.
- A successful Compliance Program should promote and enforce the program consistently. Policies and procedures regarding compensation and promotion should take into account an employee’s compliance or non-compliance. There should be both appropriate incentives to perform in accordance with the program and appropriate disciplinary measures for employees that are in violation and for those employees who fail to take responsible steps to prevent or detect violations. Companies may elect to include compliance metrics in performance evaluations and set goals for business units related to compliance. Companies may also elect to set specific disciplinary measures for specific compliance violations and keep records of individual compliance violations.
- A company’s ability to take prompt corrective action in response to a violation may help limit exposure going forward. A company can reduce penalties for violations through prompt and full self-reporting to regulatory authorities, disciplinary actions for non-compliant employees, along with prompt action to correct the adverse impact on customers or third parties. After such actions have been taken a company should evaluate how the conduct occurred and examine ways to prevent its re-occurrence in the future.
How did your company do? Can your company do better? Above all, regulators expect ethical conduct and a commitment to compliance with the law. Short-term gain from questionable behavior is not worth the potential costs to the company and the individual involved. One regulator has said that two of the most important factors in determining whether to impose a civil penalty and the amount of that penalty are (1) the seriousness of the offense, and (2) the strength of a company’s commitment to compliance. A strong compliance program therefore provides important mitigating factors in enforcement. For this reason, prevention, detection and commitment to full compliance should be your aim.
We know that compliance is a daily job. We also know that while manuals, internal codes of conduct and corporate policies are vitally important, compliance in its most basic form stems from good judgment and a desire to do things the right way. So here are some compliance tips that never go out of style:
Use Common Sense – There is no substitute for common sense. If something seems too good to be true or seems odd or uneconomic, it might be. Ask questions.
Assume There is a Record – Always assume that the communications you have may someday be reviewed and made public at a later date. Be mindful of what you say on the phone and what you write in emails, texts, tweets, Instagram, and any other means of digital communication.
Apply the Headline News Test – Consider the consequence if your conduct is the topic of a headline news report found on the front page of a newspaper or electronic news source. You should only want to be in the news for positive actions, not questionable activities.
Beware the Lack of a Commercial Justification – Question any transaction that has no commercial justification. Don’t give the regulators something to talk about. From time to time, it may be helpful to write an explanation of the commercial justification for any new transaction type or to explain a departure from usual or routine transactions and give that explanation to your compliance officer.
Apply the Airport Security Rule – Often conversations that appear innocent or are intended as a joke may be taken out of context and misconstrued when reviewed in writing at a later time. Again, be mindful of what you say and what you write.
Honesty Really Is the Best Policy – If you conduct yourself in an honest manner and encourage this from others, you will go a long way toward doing the right thing and helping your company conduct its business in the most ethical and compliant manner.