September 12, 2020
by Elizabeth Lan Davis

As part of an effort to promote transparency and clarity, on September 10, 2020, the Division of Enforcement (“Division”) of the U.S. Commodity Futures Trading Commission (“CFTC” or “Commission”) made public its internal guidance to its staff for evaluating compliance programs in connection with enforcement matters.[1]  This three-page guidance, which will be incorporated into the Division’s Enforcement Manual, follows a comprehensive memorandum that was previously announced by the U.S. Department of Justice (“DOJ”) in June 2020 for evaluating corporate compliance programs.  With the heightened scrutiny of compliance programs resulting in harsher penalties and undertakings, companies should conduct a comprehensive review of their respective compliance programs to ensure fulsome compliance with the guidance issued by both agencies before the regulator comes knocking at the door.

CFTC Guidance

The Division’s guidance considers whether a compliance program was reasonably designed and implemented to achieve three goals: (1) preventing the underlying misconduct at issue; (2) detecting the misconduct; and (3) remediating the conduct.  For each of these goals, the memorandum describes the factors that staff should consider in conducting its analysis. 

In examining whether a program was designed and implemented to effectively prevent the misconduct at issue, staff should consider whether the written policies and procedures in effect addressing the misconduct at issue were adequate, whether training was sufficient, whether previously identified deficiencies were remedied, whether resources dedicated to the compliance program were adequate, and whether the structure and oversight of the compliance function were sufficiently independent from the business functions.

To evaluate whether the compliance program was designed and implemented to effectively detect the misconduct at issue, staff should look at the adequacy of internal surveillance and monitoring efforts, internal-reporting systems, and procedures to identify and review unusual or suspicious activity. 

Finally, in analyzing whether the compliance program took steps to assess and remediate the misconduct and deficiencies upon discovery of the misconduct, staff should assess whether appropriate action was taken to address the impact of the misconduct, the discipline of the individuals directly and indirectly responsible for the misconduct, and the identification and remediation of any deficiencies that may have contributed to a failure to prevent or quickly detect the misconduct.

Several factors are also provided to evaluate a compliance program’s ability to prevent misconduct and the factors that relate to the program’s effective detection of the underlying misconduct.  Enforcement staff will conduct a risk-based analysis, taking into consideration a variety of factors such as the specific entity involved, its role in the market, and the potential market or customer impact of the underlying misconduct.  Staff will also consider remediation measures to assess and address both the misconduct and any deficiencies in the compliance program that may have permitted the misconduct to occur.

DOJ Guidance

The Division’s guidance also notes that Division staff shall consult as appropriate with other divisions that have relevant knowledge, experience, or expertise, as well as similar guidance issued by other government agencies, self-regulatory organizations, and exchanges.  In June, DOJ issued a detailed update to its guidance on evaluating corporate compliance programs.  The update sets forth three fundamental questions that prosecutors should ask in their evaluation: (1) whether the corporation’s compliance program is well designed; (2) whether the program is being applied earnestly and in good faith, i.e., whether the program is adequately resourced and empowered to function effectively; and (3) whether the corporation’s compliance program works in practice.

In determining whether a program is adequately designed for “maximum effectiveness” in preventing and detecting misconduct, the prosecutor should conduct a risk assessment of the program, policies and procedures, training and communications, reporting structure and investigation process, third-party management, as well as due diligence of acquisition targets and orderly integration of the acquired entity into existing compliance programs and controls.

The update also notes that even well-designed compliance programs may be unsuccessful in practice if implementation of that program is “lax, under-resourced, or otherwise ineffective.”  The factors considered in assessing the effectiveness of a compliance program include commitment by senior and middle management, autonomy and resources, and incentives and disciplinary measures. 

Finally, the question of whether a compliance program “works” in practice looks at the program’s continuous improvement, periodic testing and review, investigation of misconduct, as well as the analysis and remediation of any underlying misconduct.

Heightened Compliance Scrutiny

Recent Commission enforcement orders reflect a heightened level of scrutiny, and the cost of compliance has never been higher.  Penalty amounts are going up and the undertakings that firms are now required to make to rectify their compliance failings are becoming more onerous.  Firms face the significant additional costs of a compliance monitor not only as an undertaking of settlement but during the investigation itself.

In In re Interactive Brokers, the CFTC, along with the Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”),[2] announced its first action charging a violation of Regulations 42.2 and 166.3, for the firm’s failure to diligently supervise its employees’ handling of several commodity trading accounts that were the subject of three prior Commission enforcement actions and nonpublic investigations of two unnamed customers of the firm, by not filing suspicious activity reports (“SARs”) and not operating an adequate AML program.[3]  During the CFTC’s investigation, Interactive Brokers enlisted the services of an independent consultant to review and evaluate its AML program and supervisory issues and to make recommendations for improvement, and subsequently retained a second consultant to assess its implementation of the first consultant’s recommendations.  The SEC also imposed a civil monetary penalty against Interactive Brokers in the amount of $11.5 million for failing to file SARs relating to suspicious activity involving certain US microcap securities transactions in violation of Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-8.  FINRA also imposed a fine in the amount of $15 million, for failing to develop and implement an AML program reasonably designed to adapt to the growth in Interactive Brokers’ business that had occurred since 2013 in violation of FINRA Rules 3310(a), (b), and (c), and 2010.

Deutsche Bank recently settled charges relating to its business continuity and disaster plans and for violations of swap reporting requirements for $9 million.[4]  In 2016, Deutsche Bank had an outage of its swap reporting platform resulting in the bank being unable to report data for multiple asset classes for five days.  After having a court-appointed monitor for more than two years, Deutsche Bank implemented numerous recommendations from its monitor to improve its swap data reporting, supervision, and disaster recovery plan.

In November 2019, the Commission ordered Goldman Sachs & Co. LLC to pay a civil monetary penalty in the amount of $1 million for failing to make and keep certain audio recordings as required by its recordkeeping obligations as a swap dealer pursuant to Regulations 23.202(a)(1) and (b)(1), and 23.203(b)(2).[5]  After the installation of a security patch on certain software in one of its offices, its recording hardware did not properly resume recording and, as a result, created blank audio files.  The hardware’s failsafe alarm did not alert the firm to this failure and did not initiate a backup recording system.  While the firm followed the vendor’s configuration instructions, steps had not been taken to verify that the system was functioning properly and capturing audio after the system upgrade, and the failure was not discovered until 21 days later.  The Division had a separate investigation in which it requested audio recordings from this period that the company was unable to produce.

The Commission also recently announced that it ordered the Bank of Nova Scotia to pay a $50 million civil monetary penalty to settle a separate enforcement action for violating swap dealer business conduct standards, compliance deficiencies, supervision failures, and making false or misleading statements.[6]  In addition to the steep civil monetary penalties assessed upon the Bank of Nova Scotia for failing to supervise its swap dealer activities and spoofing activities, the bank was also ordered to retain a monitor for a three-year term at its own expense as part of its undertakings pursuant to the settlement relating to its swap dealer activities as well as the separate settlement relating to its spoofing violations.[7]

These cases reflect the Division’s increasingly aggressive approach toward compliance deficiencies by bringing new types of cases, seeking higher penalties, and imposing penalties even in the case of technical difficulties. 

Conclusion

With the cost of non-compliance increasing, firms are better served by proactively reviewing their compliance programs and systems to avoid potential regulatory scrutiny.  The Division’s recent enforcement activity makes clear that it is not sufficient merely to have written policies, procedures, and systems in place.  In the current environment of heightened and increased focus on compliance, it is incumbent upon organizations to ensure their compliance programs are comprehensive and that sufficient resources are provided to implement their compliance programs and monitor their compliance with regulatory obligations.


[1] Press release, CFTC Issues Guidance on Factors Used in Evaluating Corporate Compliance Programs in Connection with Enforcement Matters, CFTC Release No. 8235-20 (Sep. 10, 2020), available at:  https://www.cftc.gov/PressRoom/PressReleases/8235-20.  

[2] See In re Interactive Brokers LLC, Release No. 89510/Aug. 10, 2020, File No. 3-19907, available at: https://www.sec.gov/litigation/admin/2020/34-89510.pdf (hereinafter referred to as “SEC Order”); In re Interactive Brokers LLC, Letter of Acceptance, Waiver and Consent No. 201504770301, available at: https://www.finra.org/sites/default/files/fda_documents/2015047770301%20Interactive%20Brokers%20LLC%20CRD%2036418%20AWC%20sl.pdf.

[3] 17 C.F.R. §§ 42.2 and 166.3 (2019).

[4] See CFTC v. Deutsche Bank AG, No. 1:16-cv-6544 (WHP) (S.D.N.Y. June 17, 2020). 

[5] See In re Goldman, Sachs Grp., Inc., CFTC Dkt. No. 20-10 (Nov. 26, 2019).  Regulations 23.202(a)(1) and (b)(1) require every swap dealer to keep daily trading records of all swaps and related cash and forward transactions it executes, including a record of all oral communications provided or received concerning quotes, solicitations, bids, offers, instructions, trading and prices that led to the execution of a swap transaction or the conclusion of a related cash or forward transaction.  Regulation 23.203(b)(2) requires that such recordings be kept for one year.

[6] See In re The Bank of Nova Scotia, CFTC Dkt. No. 20-26 (Aug. 19, 2020).

[7] See In re The Bank of Nova Scotia, CFTC Dkt. No. 20-27 (Aug. 19, 2020).
