The Commodities and Futures Trading Commission (CFTC) has become the latest regulatory agency to spell out, in a two-page memo, what it wants corporate compliance programs to accomplish. Published Sept. 10, 2020, the memo explains how CFTC staffers will evaluate the effectiveness of compliance programs.
The CFTC is an independent agency that regulates the U.S. derivatives markets, including futures, swaps, and certain types of options.
Broadly speaking, this CFTC guidance is no surprise. It’s very much in step with the Justice Department’s guidelines for effective corporate compliance programs, hitting on questions of how to prevent misconduct in the first place, detect misconduct that happens anyway, and remediate compliance program weaknesses so the misconduct won’t happen again.
So what can compliance officers learn from a close reading of the document? For commodities firms (especially smaller ones with less sophisticated programs) potentially quite a lot. Even compliance professionals in other fields can benefit from understanding the logic and motives behind the CFTC memo. Let’s take a look.
Part I: Focus on effective prevention
As we’ve seen in other guidance, the “prevention” section of the CFTC document begins by posing one question: “Was the program reasonably designed and implemented to effectively prevent the misconduct at issue?”
The CFTC offered a few ways it might answer that question. For example, CFTC agents will want to know whether your firm had written policies in effect through the period of misconduct and that those policies reasonably addressed the misconduct in question. Agents will also want to see whether your firm had failed to fix any previously identified compliance program weaknesses, and if those failures contributed to the misconduct under scrutiny now.
The importance of written policies and of fixing problems — OK, compliance officers have heard those points before. The new 2020 CFTC guidance also talks about employee training, CCO independence, and adequate budgets. Those points shouldn’t be news either.
Another way to think about prevention, however, might be to focus on two broad questions:
- Am I conducting a thorough risk assessment?
- Do I have sufficient ability to act on those risks once I identify them?
Those are the pillars of prevention. The compliance officer needs to understand where compliance risks exist for his or her firm, and must be able to respond to those risks with a thoughtful compliance program. That’s what makes prevention happen.
Part II: Detect misconduct
Misconduct will happen eventually, no matter how strong the compliance program’s preventative measures are. So the CFTC guidance raises a similar question about detection: “Was the program reasonably designed and implemented to effectively detect the misconduct at issue?”
Detection involves a different set of program capabilities: surveillance of employee communications, an internal reporting system, and data analytics to identify suspicious transactions hidden in oceans of data.
Not every business thinks about detection in quite those terms. For example, employee surveillance is a requirement for financial firms (like those regulated by the CFTC), but not so much for other business sectors.
On the other hand, note the part about data analytics — or, as the CFTC guidance says, “procedures for identifying and evaluating unusual or suspicious activity to determine whether any misconduct has occurred.” The Justice Department has also talked about the importance of data analytics to detect corporate misconduct, and specifically mentioned the commodities sector as an area of interest.
So while the prevention section of this guidance is more about risk assessment and freedom to act, detection is more about the actual mechanisms your program will use to find misconduct: hotlines, employee monitoring systems, data analytics systems. Those tools need to exist as part of your program. They need to be configured correctly and to work.
Part III: Document remediation steps
The question raised in the remediation section of the guidance is straightforward: “What steps were taken to assess and address both the misconduct and any deficiencies in the compliance program that may have permitted the misconduct to occur or initially evade detection?”
The CFTC then goes on to identify three factors it will consider:
- Did your firm mitigate any damage done by the misconduct, including efforts to “cure financial harm to others and to restore integrity to the relevant markets”?
- Did your firm appropriately discipline anyone directly or indirectly responsible for the misconduct?
- Did you identify and fix any deficiencies in the compliance program that allowed the misconduct to happen?
So what’s really at issue in this section? The corporate commitment to a strong compliance function.
After all your risk assessments and autonomy to build a program that prevents misconduct, after all the technology mechanisms you use to detect misconduct — in the end, the firm has to have a determination to follow through on its commitment to good ethical conduct. That means providing succor to victims, disciplining offenders, and devoting resources to improve.
For many firms, especially those subject to CFTC oversight, that commitment won’t necessarily be easy. Commodities firms work on transactions at lightning speed, and their profits can often hinge on small margins of error. Moreover, the record-keeping and supervision requirements for trading firms are complex.
So while the fundamental capabilities of a compliance program are easy to see — after all, the CFTC fit them on two pages, with room for footnotes — building an effective program is much harder.
On the other hand, now we have yet another regulatory agency promulgating the same basic vision of corporate compliance programs that it wants to see. All the agencies are converging on those standards first set forth by the Justice Department.
As onerous as building a compliance program might be, you can no longer say you weren’t sure what you were supposed to do.