CFTC Division of Enforcement Releases Guidance on Evaluating Compliance Programs

The CFTC Joins Other Regulators in Bringing Into the Spotlight an Enforcement Focus on Compliance Programs

September 15, 2020

On September 10, 2020, the Division of Enforcement (“Division”) of the Commodity Futures Trading Commission (“CFTC”) released guidance (“CFTC Guidance”) outlining factors the Division will consider when evaluating compliance programs in connection with enforcement actions.[1]

The CFTC Guidance ties into guidance released by the Division in May directing staff to consider an entity’s compliance program when recommending a penalty or other resolution as part of an enforcement action.[2] 

Specifically, the CFTC Guidance states that the Division will focus on evaluating the reasonableness of the entity’s compliance program in achieving three goals: prevention, detection, and remediation.[3]

The release of the CFTC Guidance, which will be available in the CFTC’s Enforcement Manual, continues the Division’s trend under Director James McDonald of providing more transparency into the Division’s enforcement practices and policies.  It also confirms a government focus on an entity’s pre-existing compliance program during an enforcement proceeding, with the CFTC now doing so in addition to the DOJ and the SEC.

The Guidance

Typically, when the CFTC brings an enforcement proceeding against a CFTC registrant or other participant in the market, it undertakes a review and assessment of that entity’s compliance program.

In the CFTC Guidance, the Enforcement Division states that, in reviewing and assessing the entity’s compliance program, the Division will concentrate on whether the program was reasonably designed and implemented to prevent, detect, and remediate alleged misconduct.[4]  The CFTC Guidance also highlights the specific factors the Division will consider when assessing whether the entity has met these goals.[5]

  • Prevention: In assessing whether the entity’s compliance program was reasonably designed and implemented to prevent misconduct, the CFTC Guidance states that the Division will evaluate, among other factors, whether the entity had (i) written and timely updated[6] policies and procedures in place during the period of alleged misconduct that were meant to reasonably address the misconduct at issue, (ii) reasonably trained its staff to prevent the alleged misconduct at issue, (iii) failed to cure previously identified deficiencies in its compliance programs (with a failure to address regulatory findings being of particular significance), (iv) devoted adequate resources to its compliance program, and (v) a compliance program that was sufficiently independent from business functions.[7]
  • Detection: In assessing whether the entity’s compliance program was reasonably designed and implemented to detect misconduct, the CFTC Guidance states that the Division will assess whether the entity had (i) adequate internal surveillance and monitoring programs, (ii) an internal-reporting system with the ability to handle complaints, including protection for whistleblowers, and (iii) sufficiently broad procedures that can identify and evaluate a wide array of unusual or suspicious activity, including the source, gravity, and extent of that activity.[8]
  • Remediation: In assessing whether the entity’s compliance program was reasonably designed and implemented to remediate misconduct, the CFTC Guidance states that the Division will review factors including whether, in a sufficient and timely manner, the entity (i) addressed the impact of misconduct, such as by mitigating and curing any financial harm caused by the misconduct, including harm to others, and restoring integrity to the relevant markets, (ii) appropriately disciplined the individuals responsible for the misconduct (including those indirectly responsible),[9] and (iii) identified and addressed any deficiencies in the entity’s compliance program that may have contributed to the failure to prevent or swiftly detect the misconduct at issue.[10]

Regulatory Context

The CFTC Guidance is consistent with a trend by U.S. authorities, such as the Criminal Division (“Criminal Division”) of the Department of Justice (“DOJ”) and the Division of Enforcement of the Securities and Exchange Commission (“SEC”), to focus on an entity’s compliance program as part of an enforcement or criminal proceeding.  The CFTC Guidance is less specific than guidance issued by the DOJ, and instead follows the approach taken by the SEC in providing a framework rather than a prescriptive directive of how the CFTC will weigh various components of an entity’s compliance program.

In June of this year, the DOJ Criminal Division updated its guidance to federal prosecutors on evaluating compliance programs.[11]  Compared to the CFTC’s Guidance, the guidance issued by the DOJ Criminal Division centers more on the evolution of an entity’s compliance program, including recommending that prosecutors assess how an entity used data to incorporate “lessons learned” into improving its compliance program.[12]  However, like the CFTC Guidance, the Criminal Division’s guidance does not specify how prosecutors should “credit” an entity for various improvements or changes it made to its compliance program in recommending a resolution.[13]

The SEC’s Division of Enforcement also highlights the importance of an entity’s compliance program.  Specifically, the Division states in both its Enforcement Manual and published guidance that “self-policing prior to discovery of the misconduct, including establishing effective compliance procedures” is a factor the Division will consider when determining whether, and to what extent, it grants leniency during an investigation.[14]  The Enforcement Division’s guidance also does not specify how staff should weigh this factor in its analysis. 

Furthermore, CFTC registrants are subject to broad supervision and, for swap dealers and futures commission merchants, chief compliance officer (“CCO”) requirements that overlap in some respects with the CFTC Guidance.  Such registrants should carefully consider whether their existing compliance programs are consistent with the CFTC Guidance.  Although the CFTC Guidance is framed as informing the Division’s penalty guidance, it is possible that the Division or self-regulatory organizations will view a registrant’s compliance with supervision or CCO requirements through the lens of the CFTC Guidance, which is notable because a failure to satisfy those requirements itself constitutes a violation even absent some other violation of law.


While the CFTC Guidance does not represent a significant shift in policy, it does provide some clarity as to the factors the Division will look to when assessing an entity’s compliance program.  However, it remains to be seen how the Division will prioritize the importance of these factors, including whether the Division will highlight the absence or presence of these components and the subsequent impact of that finding in settlement orders.  Without this insight, market participants may be unable to use this framework to clearly guide decision-making.  Nonetheless, as the CFTC continues to be an increasingly active enforcement agency, any additional transparency will likely be welcomed by both market participants and their advocates, both as a tool for those under investigation to more effectively defend themselves in CFTC enforcement proceedings[15] and as another regulatory signal to those not under investigation to continually assess and improve their compliance programs as appropriate.

This article was republished by New York University School of Law Compliance & Enforcement Blog.

[1] See CFTC Issues Guidance on Factors Used in Evaluating Corp. Compliance Programs in Connection with Enf’t Matters, CFTC (Sept. 10, 2020).

[2] See Memorandum from James M. McDonald, Director CFTC, on Civ. Monetary Penalty Guidance to CFTC Div. of Enf’t Staff (May 20, 2020).

[3] See Memorandum from James M. McDonald, Director CFTC, on Guidance on Evaluating Compliance Programs in Connection with Enf’t Matters to CFTC Div. of Enf’t Staff, at 2 (Sept. 10, 2020).

[4] See id. at 1-2.

[5] See id. at 2-3.

[6] Of note, the CFTC Guidance specifically states that the Division will consider whether policies and procedures had been updated to reflect current rules and regulations, as well as other guidance and legal developments. See id. at 2 n.6 (emphasis added).

[7] For example, it will likely be important for compliance staff to have independent reporting lines to senior management. See id. at 2. 

[8] See id. at 2-3.  The CFTC Guidance states that the Division will specifically assess whether the entity had policies in place that were narrowly tailored, such that they only covered one type of product, individual, or time period, or whether the policies were broad enough to uncover similar misconduct in other areas.  See id. at 3 n.7.

[9] The CFTC Guidance does not specify how one might be considered “indirectly responsible” for misconduct, although the Division frequently reviews the role played by supervisors when evaluating misconduct.

[10] See id. at 3.

[11] The DOJ also released guidance on this issue in 2017 and 2019. See Alert Memorandum from Cleary Gottlieb on DOJ Updates Guidance Regarding Corp. Compliance Programs (June 9, 2020).

[12] See Evaluation of Corp. Compliance Programs, U.S. Dep’t of Just., Crim. Div., at 2-3 (June 2020).

[13] See id. at 2, 5, 9. 

[14] Enf’t Manual, SEC Div. of Enf’t, at 98 (Nov. 28, 2017); see Spotlight on Enf’t Coop. Program, U.S. SEC (Sept. 20, 2016).

[15] Director James McDonald stated that, with the release of the Guidance, “[a]nyone who’s interacting with the enforcement division should expect that they are going to get asked about compliance . . . [a]nd they are going to get asked these questions.” Dylan Toker, CFTC Issues Guidance on Corp. Compliance Programs, Wall St. J. (Sept. 10, 2020, 6:09 PM).