New CFTC Compliance Guidance Echoes Approach by Other Agencies
On September 10, 2020, the Commodity Futures Trading Commission (“CFTC”) Division of Enforcement released its long-awaited “Guidance on Evaluating Compliance Programs in Connection with Enforcement Matters,” which will be incorporated into the CFTC’s enforcement manual and used by CFTC enforcement staff when reviewing the efficacy of corporate compliance programs moving forward. The release of the CFTC’s compliance guidance marks the second major piece of guidance to be promulgated by the CFTC this year — the first being CFTC’s guidance concerning the assessment of civil monetary penalties this past May. In its compliance guidance, the CFTC echoed similar guidance recently released by the Department of Justice1 and the CFTC emphasized that the CFTC expects companies to take a risk-based approach to compliance.
The CFTC’s guidance breaks down its assessment of compliance programs by reviewing three major categories: (1) prevention, (2) detection, and (3) remediation.
The first category that CFTC staff will assess when evaluating a compliance program in enforcement matters is whether a company’s compliance program is designed to prevent the type of misconduct at issue. The CFTC will look to the following factors when evaluating prevention:
- The existence and nature of an entity’s written policies and procedures that were in effect during the relevant time frame and whether they were designed to address the misconduct at issue;
- Whether employees, supervisors, executives, and compliance personnel were trained regarding the misconduct at issue;
- Whether the company devoted adequate resources, including funding and staffing, to compliance;
- The efficacy of reporting and oversight of the compliance function and the degree to which it was separated and had independence from the business functions; and
- Whether the entity acted to remediate previously identified failures and weaknesses within the compliance function, and whether that contributed to, or failed to prevent, the misconduct at issue.
Detection is the second key component that the CFTC will consider in its evaluation. Specifically, the CFTC will want to know whether the compliance function independently identified the misconduct at issue or if it was triggered by media allegations, law enforcement or other third parties. In evaluating this element of a company’s compliance program, the CFTC will consider:
- Internal monitoring efforts;
- Internal reporting systems;
- Ways in which the entity receives complaints and protects whistleblowers; and
- Procedures for identifying, investigating, and evaluating unusual activity to determine if misconduct has occurred.
Finally, the CFTC will assess the steps taken by an entity to investigate and remediate potential misconduct. This includes identifying and curing deficiencies in the compliance program that may have allowed potential misconduct to occur. In determining whether an entity’s compliance program has taken adequate remediation measures, the CFTC will seek to determine the following:
- Whether the company acted to address the impact caused by the misconduct, including financial losses that were incurred;
- Whether and the degree to which the company disciplined culpable individuals; and
- Whether the company found and remediated the specific compliance weaknesses that may have contributed or failed to detect the misconduct.
Transparency at the CFTC
With the release of multiple pieces of new guidance in 2020 and the introduction of the enforcement manual in 2019, the CFTC is demonstrating a concerted effort to increase transparency within the wider business and legal communities. The CFTC also made statements regarding this trend toward transparency in press releases about both the compliance program and civil monetary penalty guidance. This increased transparency, should it continue, allows the entities subject to CFTC rules and regulations to gain deeper insight into CFTC decision-making and anticipate points of pressure when dealing with any potential misconduct.
Similarities to Other Agency Guidance
The new CFTC guidance shares common ground with recently released guidance from other law enforcement authorities, which can be especially helpful when practitioners are forced to engage with the CFTC and other agencies concerning the same matter. For example, the guidelines from DOJ and the CFTC both now place new emphasis on whether compliance programs are adequately resourced in order to function effectively. The government is now clearly more interested in seeing just how many people comprise compliance departments and what kind of monetary resources are devoted to compliance programs. As a result, this guidance may serve to empower compliance professionals within organizations to address how potential cuts to compliance may be viewed by law enforcement authorities, especially when this resourcing issue has been flagged by authorities in the midst of the ongoing COVID-19 pandemic, and the impact that has had on companies’ bottom lines.
Taken as a whole, there is little new information in the CFTC’s guidance, but in-house counsel, compliance professionals and those in the white collar bar should review the guidance to help enhance compliance functions and know how best to defend their programs if they appear before the CFTC in the future.
1 Ephraim “Fry” Wernick, Mike Ward and Lincoln Wesley, DOJ Updates Its Guidance on Corporate Compliance Programs, The V&E Report (June 2, 2020), https://www.velaw.com/insights/doj-updates-its-guidance-on-corporate-compliance-programs/.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.