On September 10, 2020, the Commodity Futures Trading Commission (CFTC) Division of Enforcement (Division) issued a guidance memorandum outlining several factors that Division staff will consider when evaluating corporate compliance programs in connection with enforcement matters (Compliance Guidance).[1] This Compliance Guidance is the first such guidance to be issued by the Division and will be incorporated into the CFTC Enforcement Manual.[2] The Compliance Guidance will be binding on Division staff but not any other division or office of the CFTC or the CFTC generally.

The Compliance Guidance follows the Division's May update to its monetary penalty guidance (Penalty Guidance).[3] Among other things, the Penalty Guidance directed Division staff to consider relevant mitigating and aggravating circumstances, including the "[e]xistence and effectiveness of the company's pre-existing compliance program" and post-violation conduct including "mitigating conduct, such as attempts to cure, return of victim funds, or efforts to improve a compliance program."[4] Staff may also consider a company's compliance program in connection with determining the non-monetary terms of the resolution of an enforcement matter, such as remediation or other undertakings.

In evaluating corporate compliance programs, the Compliance Guidance instructs the Division to consider whether the compliance program was reasonably designed and implemented to (1) prevent the misconduct at issue; (2) detect the misconduct; and (3) remediate the misconduct. The Division will also consider whether the company reviewed and modified its compliance program to address any deficiencies after discovering the misconduct. Throughout its investigation, the Division will conduct a risk-based analysis, considering various factors such as the specific entity involved, the entity's role in the market, and the potential market or customer impact of the misconduct.

To evaluate a compliance program's ability to prevent misconduct, the Division will consider, among other things, (1) the written policies and procedures in effect during the relevant period; (2) the training of staff, supervisors, and compliance personnel; (3) any failure to cure previously identified deficiencies in the compliance program; (4) whether the company has devoted adequate resources to compliance; and (5) the structure, oversight, and reporting of the compliance function.

To evaluate a compliance program's ability to detect misconduct, the Division will consider whether the misconduct was independently identified through the company's compliance mechanisms and the processes and procedures in place intended to detect misconduct. Factors the Division will consider include, among other things, (1) the company's internal surveillance and monitoring efforts; (2) the company's internal reporting system and handling of complaints; and (3) procedures for identifying and evaluating unusual or suspicious activity.

Finally, the Division will consider a company's remediation measures to assess and address both the misconduct at issue and any deficiencies in the compliance program that may have permitted the misconduct to occur. To evaluate a company's remediation efforts, the Division will consider whether the company (1) effectively addressed the impact of the misconduct; (2) appropriately disciplined the individuals responsible for the misconduct; and (3) identified and addressed any deficiencies in the compliance program itself that may have contributed to a failure to prevent or timely detect the misconduct.

The Compliance Guidance provides further transparency into the Division's enforcement considerations. It establishes a principles-based approach, rather than setting out specific requirements, and provides a useful roadmap for the types of issues the Division will explore during enforcement investigations. Companies should consider this Compliance Guidance when designing, implementing, and updating internal compliance policies and procedures.