On September 10, 2020, the Commodity Futures Trading Commission’s (“CFTC” or “the Commission”) Division of Enforcement (“the Division”) issued guidance for CFTC staff on the factors to be considered when evaluating compliance programs in connection with enforcement matters.[i] The guidance will be inserted in the CFTC Enforcement Manual. Although not binding on the Commission or any other Division of the CFTC, the Compliance Guidance is binding on Enforcement staff.

In recent years, the Division has taken several steps to increase transparency regarding the performance of its enforcement functions. First, the Division published its Enforcement Manual, which is updated periodically and publicly available on the CFTC’s website.[ii] On May 20, 2020, the Division issued guidance to staff regarding factors to be considered in recommending a civil monetary penalty in an enforcement action.[iii] Those factors include the existence and effectiveness of an existing compliance program, as well as efforts to improve that compliance program following detection of a violation.[iv] The recently issued Compliance Guidance provides factors to be used in evaluating such compliance programs.

The Compliance Guidance focuses on whether the compliance program was reasonably designed and implemented to achieve prevention, detection, and remediation of the misconduct at issue. The Compliance Guidance acknowledges that this assessment depends upon the specific facts and circumstances involved and further states that “[a]t all points, the Division will conduct a risk-based analysis, taking into consideration a variety of factors such as the specific entity involved, the entity’s role in the market, and the potential market or customer impact of the underlying misconduct.”[v]

The Compliance Guidance provides a number of factors for staff to consider in determining whether a compliance program was reasonably designed and implemented to achieve the three goals identified above. 

Prevention of the Misconduct

In assessing whether the compliance program was reasonably designed and implemented to prevent the misconduct, staff should consider things such as:

• Did existing written policies and procedures reasonably address the type of misconduct?
• Did training (for staff, supervisors, and compliance personnel) reasonably address the type of misconduct?
• Did a failure to cure previously identified compliance program deficiencies either contribute to, or fail to prevent, the misconduct?  
• Were adequate resources—including monetary resources—devoted to compliance?
• Was the compliance function’s structure, oversight, and reporting sufficiently independent from the business functions?

Detection of the Misconduct

In considering whether the compliance program was reasonably designed and implemented to effectively detect the misconduct, staff is expressly directed to consider whether the misconduct was independently identified through compliance mechanisms. Staff is also directed to review existing processes and procedures intended to detect misconduct. This analysis should include things such as:

• Were internal surveillance and monitoring efforts adequate?
• Were the company’s systems for internal-reporting and handling of complaints adequate, including provisions for anonymous complaints and whistleblower protections?
• Were the company’s procedures for identifying and evaluating unusual or suspicious activity adequate, including consideration of the sources, gravity, and extent of the company’s risk of violations?

Remediation of the Misconduct

The final factor looks at what steps were taken, after the discovery of the misconduct, to assess and remediate both the misconduct and any deficiencies in the compliance program that may have enabled it to occur or escape detection. This analysis includes both the appropriateness and timeliness of these steps, and includes things like:

• Was appropriate, timely action taken to effectively address and remediate any impact of the misconduct, including curing financial harm to others and restoring market integrity?
• Were the individuals “directly and indirectly” responsible appropriately disciplined?
• Were steps taken to identify and address any deficiencies in the compliance program?