CFTC Issues Guidance on Corporate Compliance Programs

Last week, the Commodity Futures Trading Commission issued new guidance for its staff to consider when evaluating corporate compliance programs, which will factor into how the CFTC resolves corporate enforcement matters, including the determination of civil monetary penalties and other non-monetary resolutions.  The guidance, to be incorporated into the CFTC enforcement manual, follows closely on the heels of the agency’s recently released civil monetary penalty guidance and is further evidence of the CFTC’s ongoing efforts to increase transparency around its enforcement actions.  While similar thematically to the compliance guidance recently issued by the U.S. Department of Justice,¹ the CFTC’s guidance is notable for its sharper focus on prevention, detection, and remediation of the conduct at issue as compared to the more expansive DOJ guidance.  While the CFTC’s guidance suggests a narrower focus to its compliance evaluations, given the prevalence of parallel CFTC/DOJ matters,² companies would be wise to evaluate their compliance programs against both sets of guidance.

CFTC’s compliance considerations.  Under the new guidance, CFTC staff is instructed to consider whether a company’s compliance program was reasonably designed and implemented to prevent and detect the underlying misconduct and evaluate the company’s remediation efforts.

• Prevention.  In evaluating the efficacy of a compliance program’s prevention function, CFTC enforcement staff is instructed to consider whether a company’s written policies and procedures and training reasonably addressed the misconduct at issue.  The agency will also consider if sufficient resources were allocated to compliance, whether the structure, oversight, and reporting of the compliance function was sufficiently independent from the business functions, and if a failure to cure previously identified deficiencies contributed to the misconduct.

• Detection.  The CFTC enforcement staff is directed to evaluate whether the compliance program was reasonably designed to detect the relevant misconduct.  In doing so, staff must consider the company’s internal surveillance and monitoring efforts, internal-reporting system and handling of complaints, and procedures for identifying and evaluating unusual or suspicious activity.

• Remediation.  Staff will evaluate the company’s remediation efforts, including the steps that were taken to assess the misconduct and any deficiencies in the compliance program that may have contributed to the misconduct.  In considering remediation, staff will ask if a company timely and effectively addressed the impact of the misconduct, appropriately disciplined those responsible, and identified and addressed any deficiencies in the compliance program itself.

What companies should do next.  How a company’s compliance program stacks up against this new compliance framework will be a factor in the CFTC’s determination of civil monetary penalties and other non-monetary resolution.

The CFTC’s compliance guidance, while the agency’s first of its kind, tracks many of the same benchmarks as the DOJ’s guidance, which the CFTC guidance explicitly references.   The DOJ’s guidance similarly instructs prosecutors to consider the efficacy of a compliance program’s policies and procedures, training, internal-reporting system and handling of complaints, and the allocation of appropriate resources to compliance.   The CFTC’s remediation considerations also mirror those in the DOJ guidance, including whether the company appropriately disciplined those responsible and identified and addressed the underlying deficiencies in the compliance program.

But the CFTC’s guidance is much narrower in scope than its DOJ equivalent, focusing exclusively on whether a company’s compliance program was designed to prevent and detect the “misconduct at issue” and any subsequent remediation.  In contrast, the DOJ’s guidance purports to instruct companies on everything from vendor management to human resources.   As a result, the CFTC’s guidance consists of just three pages as compared to the 20 single-spaced pages the DOJ devotes to instructing companies how to operate compliance programs.  The DOJ’s guidance asks companies to proactively monitor, assess, and improve their compliance programs on an ongoing basis. The DOJ also expects that a company’s compliance obligations will extend beyond its own internal compliance function to include oversight of third-party partners and vendors.   Additionally, the DOJ instructs prosecutors to consider how a company’s compliance program scrutinizes potential acquisition targets and if the compliance function is integrated post-acquisition.   While the CFTC’s seemingly less rigorous guidance may signal a different approach, companies would be wise to treat it as a floor given the broader scope of the DOJ guidance.  Those measures may enhance (and will not harm) efforts to avoid or mitigate enforcement action by the CFTC.

Overall, the new CFTC guidance is another useful gauge for companies to measure the effectiveness of their corporate compliance programs.   And where the DOJ’s standards could be criticized as overly ambitious and falling outside the core competence of criminal prosecutors, the CFTC’s guidance reflects a more confined view of its role when evaluating compliance that is tethered to the misconduct at issue.  One question that the CFTC guidance raises is whether other regulators, such as the Securities and Exchange Commission, will issue similar instructions to the respective enforcement staffs and whether such guidance will track the CFTC’s narrower approach to evaluating compliance programs.

¹ Released in 2019, and updated in June 2020, DOJ’s “Evaluation of Corporate Compliance Programs” is a roadmap for federal prosecutors to evaluate corporate compliance programs for the purposes of charging and resolution.  Read our previous DOJ guidance client alert here.