CFTC issues own guidance on evaluating compliance programs

The three-page guidance, much shorter than the Department of Justice’s well-known “Evaluation of Corporate Compliance Programs,” recommends CFTC staff consider whether a company being investigated for misconduct has a compliance program that was reasonably designed to prevent and detect the misconduct at issue, as well as the steps the program took to remediate the identified misconduct.

“At all points, the Division will conduct a risk-based analysis, taking into consideration a variety of factors such as the specific entity involved, the entity’s role in the market, and the potential market or customer impact of the underlying misconduct,” said the guidance, which was issued as an internal memo to CFTC staff and posted on the agency’s website.

In evaluating a compliance program during an enforcement investigation, the CFTC said it would examine the program’s written policies, as well as its staff and supervisor training; whether the program failed to cure previously identified deficiencies; the adequacy of its resources; and its independence from the business function.

On evaluating a compliance program’s ability to detect wrongdoing, CFTC staff will focus on how the compliance program was designed and implemented; its internal surveillance and monitoring efforts; how it handles internal complaints, including how it protects whistleblowers from retaliation; and its procedures for identifying and evaluating unusual or suspicious activity.

Finally, CFTC staff will evaluate how well a company’s compliance program remediated the misconduct, including how quickly the impact of misconduct was addressed; how well it cured “any financial harm to others and restore[d] integrity to the relevant markets”; its discipline of individuals directly or indirectly responsible for the misconduct; and its ability to identify and address any deficiencies in the compliance program “that may have contributed to a failure to prevent or quickly detect the misconduct.”

The memo builds on guidance the CFTC issued in May on civil penalties in enforcement actions. In that memo, the agency said it would determine the size of penalties based on the gravity of the violation, whether there are mitigating or aggravating factors, whether other agencies are also assessing penalties, comparisons to actions taken in similar cases, and whether a timely settlement saves the CFTC time and resources.

CFTC Commissioner Heath Tarbert said the compliance program guidance is in line with the agency’s principles-based approach for assessing misconduct and developing an enforcement action, rather than a strictly rules-based approach.

“The CFTC depends on good corporate citizens, acting through compliance programs—as partners in furthering the integrity and resilience of our markets. It’s in both the agency’s interest and the interest of compliance personnel that the Commission is clear about how and what we’ll evaluate,” Tarbert said in a press release.

Such an approach shouldn’t be interpreted as “light touch” regulation, Tarbert has said, but instead “sound regulation” that leaves space for “flexibility and innovation” in an evolving marketplace.

“The ultimate goal of our enforcement program is to deter bad behavior and foster a culture of compliance in our markets,” Division of Enforcement Director James McDonald said in the press release. “Effective corporate compliance programs are a necessary part of that effort. This guidance will help both Division staff in evaluating a corporate compliance program and companies seeking to cultivate a culture of compliance for their businesses.”