The CME issued a summary action against an individual today for "reckless disregard for the adverse impact on the orderly conduct of trading." In this instance, the individual had "large positions" in Live Cattle and Feeder Cattle futures. He entered orders during the post settlement period that "exceeded all the quantity in five visible levels of the order book in relatively short periods of time and resulted in significant and disruptive price movements." The exchange noted that the individual should have known the orders were visible to the market and would cause the price movements observed after the orders were placed. The fine was $20 and a suspension from market access for 20 days. The order is here - https://www.cmegroup.com/notices/disciplinary/2019/05/CME-17-0755-BC-CODY-EASTERDAY.html#pageNumber=1
Please note there are a couple different things to unpack here:
first, the order indicates the trader should have known the relative size of the order versus the existing visible screen liquidity. This should mean to any trader that the exchange expects you to take into account market liquidity when determining the appropriate size of visible orders; and 'second, the issue was using a visible order book. The exchange allows block trades for a reason. A primary reason is to allow an escape valve for exactly this situation - the need, or desire, to execute a very large trade in a less liquid market. Use of a block trade allows the order to get executed in a manner that reflect but does not disrupt the market. Firms or traders that can anticipate the need to execute large orders should understand the availability of brokered or direct block trades, the reporting requirements for the different types (including method of reporting and reporting time windows), and the authorities required so as to have a pre-approved method for avoiding this situation, and
finally, firms and individuals should have a firm handle on their open positions and time period for closing these transactions and plan for closing positions in a manner that conforms to exchange rules.

DCM LLC provides a full line of consulting services for participants in commodity markets with special expertise in risk, compliance and trade surveillance.

Friday, the CBOT issued a rule, effective June 2 for June 3, 2019 trades, changing the rules on delivery for corn, soybeans and wheat. The Army Corps has announced maintenance work in 2020 on the Illinois River that will heavily impact barge traffic in the Mid-Continent. That caused the CBOT to review its rules on barge load out procedures - specifically 
            "Due to the anticipated closure, the Exchange reviewed the language in Rule 703.C.G.(9) and found it to be outdated. Rule                    703.C.G.(9) stipulates specific barge freight to be paid by the taker to the maker of delivery under this rule. However, since                barge freight has become significantly more expensive in the last two decades, the amount specified in Rule 703.C.G.(9) is                  no longer relevant. "
In response, the CBOT changed Rule C.G.(9) to remove all fixed barge load out fees  and substituted "current barge freight rates as the applicable fee. This is likely to insert a degree of price volatility in certain situations that many firms currently do not consider as a risk. 
​Another small example of how market regulation notices can have a spill over effect into risk management concerns.

While the CFTC recently published guidance on how an investigation is managed, DCM believes the Department of Justice updated its guidelines to prosecutors on evaluating a corporate compliance program published two weeks ago is more critical to compliance operations.  The DOJ guidance talks to what DOJ expects a firm to be doing when they consider acting against that firm.What does that mean?

This is the document that is supposed to inform a prosecutor in a criminal case as to how the review a company's compliance program should impact the "charging decision or resolution" as to whether the company is to be charged with a crime, a plea deal is to be agreed to or sentencing for a crime. Let's unpack this - as a consultant, I note that this could mean the level of a compliance program could impact whether a company is even charged for a crime. So, a compliance program that meets the guidance could not just reduce my sentence but has at least the potential to keep me out of court. That sounds like a reputational risk win right there.
​
This guidance is a significant expansion of the prior guidance – from 9 to 19 pages. It does follow basically the same structure as prior guidance but with a lot of new pieces. It also shifts away from a foundation of what did the company do to find underlying misconduct in a specific instance to whether the compliance program as a whole is well founded.

The new guidance has fundamentally altered the structure of the guidance from the original edition. The prior guidance has a single introduction and then listed eleven topics. The new guidance asks three basic questions:

1. “Is the corporation’s compliance program well designed?”; and
2.  “Is the program being applied earnestly and in good faith?” In other words, is the program being implemented effectively; and
3.  “Does the corporation’s compliance program work” in practice? 

The guidance then groups the original eleven sections under these three questions – shifting the impact from illustrating specific topics to consider towards integrating these topics into an illustration of how each topic reflects upon one of these questions. For example, the topic “Senior and Middle Management” is now “Commitment by Senior and Middle Management” under “Is the program being applied earnestly and in good faith?”. This lends new focus onto how the DOJ would consider failures in this area reflect on its review of the program.

In general, the guidance now stresses that "policies and procedures – from appropriate assignments of responsibility, to training programs, to systems of incentives and discipline – that ensure the compliance program is (sic) well-integrated into the company’s operations and workforce."  The prior guidance spoke to whether there were “applicable procedures to prohibit the misconduct” – this was focused on whether there was a procedure to prohibit the misconduct being looked at, not a systemic view of the program. This really means that:

• Would the policies and procedures cover the risks the company perceives, not just the activity in question:
  • A key point that comes out is that a compliance program that targets high risk areas while being less comprehensive on low risk areas can still be used to a company's credit. Another point is that the guidance also makes an interesting distinction between high risk, large items - " (for instance, a large-dollar contract with a government agency in a high-risk country" - and lower risk items - "more modest and routine hospitality and entertainment". This later point could shift some effort away from areas that many firms spend significant resources managing.
• The policies and procedures you have need to be the ones that people in your company are actually doing.
  • DCM has observed that often the written documents are too multitudinous and cumbersome to keep current. This could be a become a major gap – it is better to keep processes clear and concise and, if necessary, refer to desk manuals as the proper procedure documentation. It is common that desk manuals are maintained more effectively than centrally maintained procedure manuals or written supervisory procedures.
    
    

“Is the corporation’s compliance program well designed?”
 
The DOJ has grouped six sections from the prior guidance under this specific area and now done a fairly deep dive into how effective and current the company assessment of compliance risk is. It has retained six specific areas of focus on program design but has shifted some of the operational impacts: ​

• Risk Assessment
• Policies and Procedures
• Training and Communications
• Confidential Reporting Structure and Investigation Process (Internal whistle blowing process)
• Third Party Management (FCPA and ABL covered here)
• Mergers and Acquisitions (pre-analysis of any compliance issues in target company)

Risk Assessment
The guidance is looking for regular updates of the risk assessment and then the ability to track changes in the risk assessment to changes in policies and procedures - many companies have very tenuous documentation of the connection between updated compliance risk assessments and the policies and procedures that are adjusted due to that assessment and why. The guidance also points to metrics – both in tracking misconduct and how it loops back to inform the compliance program.

• From DCM’s point of view, this indicates the DOJ is focusing on how the risk assessment is used to develop key compliance metrics to track operations and inform management as to potential issues. One observed example at clients is significant reductions in customer complaints – does the metric indicate whether the issue is a reduction in incoming complaints or an indication of increasing failure to record complaints. This has been seen in instances – and the regulators frown on systems that don’t inform management of these types of occurrences.

 
Policies and Procedures
The guidance conforms to fairly standard industry practices for code of conduct, tone from the top, and comprehensiveness. A couple points are worth noting:

• The guidance does ask about the companies process for policy and procedures design and it now asks whether the process has changed over time - that later point is not always one companies look at. No changes may mean that the review is just “going through the motions” and not actually focusing on whether the existing design process works;
• The guidance has added a section about whether there is process for monitoring the legal and regulatory landscape underpinning the policies and procedures - this is something being developed in global banks but that isn't always documented well for roles and responsibilities in non-bank environments.
  • DCM has noted the roles and responsibilities for this requirement is not always documented in the processes and procedures.
• The guidance has included a reference to linguistic “or other barriers” to foreign employees as whether the policies and procedures are communicated to "relevant employees and third parties". This is something that has not been observed as a specific point of concern in the past.

Training and Communications
Every company has some training program. However, ​ the guidance raises new points that are not always included in a company's program. These include:

• The idea that a company should consider supplemental or different training for supervisory staff
  • Most programs DCM observes have no supplement for senior staff
• The guidance now has references to looking at what is the form and format of training - what is in-person and what is online and the rationale for choosing a specific format.
• Is there testing for comprehension and what action is there is an employee fails (my experience is most on line training allows you to keep retaking until you pass - will that really meet this standard?)

Confidential Reporting Structure and Investigation Process (Internal whistle blowing process)
The guidance addresses internal communication of compliance issues by employees. This section actually speaks to the issues most commonly being addressed by larger firms. Specific new points are:

• How is the process publicized to staff and has it been used – this would indicate the DOJ would be curious if there have never been any referrals under the reporting system and whether that is an indication staff are subtly discouraged from using the system
• The guidance now asks about the process of determining who will conduct an investigation and make the determinations for the investigation
• The guidance changes the question of response in this area from one looking at root cause analysis to looking at metrics of timing of the investigation and accountability for actions based on the results – previous guidance talked to how the investigation response process had worked and reporting up chain.
• The guidance adds an entirely new section on resourcing the reporting and investigation process – is it adequately funded and resourced? Is there a system for using reporting and investigation systems for analysis and reporting metrics? How does this system feed back to the entire compliance program to inform regarding compliance weaknesses?

Third Party Management (FCPA and ABL covered here)
The guidance has already brought bribery and corruption issues into compliance programs here. Much of the content is similar. The new guidance does amplify a couple topics:

• Rather than just looking at the instances of specific misconduct, does the company track red flags from due diligence and does the company have audit rights to examine the books of third parties it retains (and has it actually performed audits)?
• Does the company track third parties that have been red flagged and terminated in due diligence and how does the company assure they are not rehired?
  • Again, the guidance moves from a how do you find misconduct to how do you track it and make sure it doesn’t circle back and happen again?

Mergers and Acquisitions:
The specific points addressed in the guidance did not change from the prior guidance. There is an introductory statement that does include the caution that
“Flawed or incomplete due diligence can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.  
The extent to which a company subjects its acquisition targets to appropriate scrutiny is indicative of whether its compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization.”

• DCM has noted that pre-merger compliance reviews are rarely performed. This has been a point the DCM principals have raised in multiple client contacts – we recognize that this is an impediment to a swift close, which the parties and their advisors are focused on. The DOJ is noting this is an issue that should be addressed early or it may be considered a signal that compliance is not really a central focus of company management.

 “Is the program being applied earnestly and in good faith?”
The guidance has grouped three areas in the section regarding earnest and good faith implementation:

• Commitment of Senior and Middle Management
• Autonomy and Resources
• Incentives and Disciplinary Measures

The point of the guidance addresses here is very clear as it states:
“Even a well-designed compliance program may be unsuccessful in practice if implementation is lax or ineffective.  Prosecutors are instructed to probe specifically whether a compliance program is a “paper program” or one “implemented, reviewed, and revised, as appropriate, in an effective manner".

• The point about the paper program is very well taken. DCM staff have observed programs where there are libraries of controls with matrices of coverage – only to discover during testing that a large proportion of the controls have been modified, eliminated, or merged. The point of this emphasis is that the actuality and documentation of what a compliance program covers needs to match what senior management are being told it covers.

Commitment of Senior and Middle Management:
There is a new discussion to head this section – all addressing the need for tone from the top and leadership for compliance to be effective.

• One point to note is the inclusion of whether senior management has set a tone for compliance actions in regards to whether they “demonstrated rigorous adherence by example”
  • DCM recognizes that this is a difficult topic for many companies but it should be noted that it was specifically referred to in the guidance.
• The guidance also now addresses management pressures due to financial objectives: “Have managers tolerated greater compliance risks in pursuit of new business or greater revenues?  Have managers encouraged employees to act unethically to achieve a business objective, or impeded compliance personnel from effectively implementing their duties?” The guidance follows up with the question “Have they persisted in that commitment in the face of competing interests or business objectives?”
  • In light of recent penalties in the banking industry, DCM would recommend that companies consider compliance risk assessments for all new business as well as heightened compliance oversight in areas of underperforming operations. It may even be appropriate to perform a compliance audit in areas where an underperforming operation has experienced a rapid turnaround – even if the underlying justification for the turnaround is cost cutting. Cost cutting and performance pressures on remaining staff can caused unintended misconduct.

Autonomy and Resources
This is an area where the focus of the guidance shifted significantly between the original guidance and the new guidance. The original guidance spoke the compliance role in terms of operational activities, their stature (titles, compensation, reporting lines), and funding and resources. Those topics still appear but a new focus on the role of compliance at the management level – engagement of compliance at a strategic level. Questions concerning compliance's input on transactions or deals and whether it has been responded to, up to and including having transactions or deals stopped by compliance.

• Another area that the guidance raises is the commitment of compliance management and staff to their compliance roles – do they have other non-compliance roles and responsibilities? Are they either distracted or overloaded and not performing the compliance function appropriately?
  • DCM understands that smaller firms have a logical rationale for embedding or at least significantly aligning the compliance function with the risk oversight function. The guidance does not appear to eliminate that possibility but it would indicate that the roles and responsibilities should be allocated in light of compliance department needs to assure appropriate resourcing.
• The guidance for the first time inquires as to the reviews of the performance of the compliance function and who performs the reviews? The discussion specifically references internal audit – “Prosecutors should evaluate whether “internal audit functions [are] conducted at a level sufficient to ensure their independence and accuracy,” as an indicator of whether compliance personnel are in fact empowered and positioned to “effectively detect and prevent misconduct.””
  • DCM staff have participated in a number of reviews of compliance controls being performed for prudential regulators. The range of skills – especially concerning data quality and data analysis – may not be available within the firm’s internal audit function.

Incentives and Disciplinary Measures
The prior guidance focused primarily on whether the incentives and compensation incentivized bad behavior – the new guidance expands that focus to include looking at whether incentive structure incentivizes ethical behavior (not always easy to effectuate).
The prior guidance also focused on the specific misconduct being examined and the follow through for that instance. The new guidance focuses more on the process itself – is it consistent, has the company looked to identify instances where the process is applied inconsistently.

The new guidance calls this area “a hallmark of an effective implementation”. It even notes “Some companies have even made compliance a significant metric for management bonuses and/or have made working on compliance a means of career advancement.”

• While the topic areas are the same, the discussion is greatly expanded. One key question that occurs multiple times in this section is are process, decisions, and disciplinary actions applied consistently in each instance and across the organization?
  • DCM has observed some organizations with a specific set of metrics for escalation and response to compliance violations. However, the systems rarely track the decisions not to escalate and have metrics for how those decisions were made. This is a very difficult area because the decision not to escalate is frequently made at the desk level – consistency is going to be difficult to monitor in very large organizations. But this appears to be a point of significant interest to the DOJ.
• The new guidance asks whether there are “pre-textual reasons ... provided to protect the company from whistleblowing or outside scrutiny” – this is specific point would indicate that the DOJ will look to see if the process is run in a way to bury issues rather than uncover them.
  • DCM recognizes this is a difficult topic for any company. This falls under the common rubric of “conduct risk” - the potential that informal practices will motivate good people to do improper things because they believe that is important to retaining their job or pleasing management.
• The new guidance has shifted the “Accountability” section from the Incentives section – within the “Is the program being applied earnestly and in good faith?” section to the Analysis and Remediation of Any Underlying Misconduct section within the next “Does the Corporation’s Compliance Program Work in Practice?” section.

 
“Does the Corporation’s Compliance Program Work in Practice?”
The discussion in the guidance here is very interesting as it incorporates two very different concepts. First, was the program working effectively at the time misconduct occurred? Second, is the program now working effectively at the time the prosecutor is considering bringing charges or proffering a sentencing recommendation? This indicates that a company’s response between the time an investigation opens and charges or a sentence are considered can have a major impact. That was not discussed in the prior guidance.

• DCM has observed differing firms that respond negatively or positively to a regulatory or legal inquiry. This guidance extends past cooperation to positive response. This has been observed in some but not all instances.

Continuous Improvement, Periodic Testing and Review
The focus is in the first line of the discussion here – “One hallmark of an effective compliance program is its capacity to improve and evolve.” This is not always the case and can be a significant burden to smaller organizations. If a small firm has a one or two-person compliance function, how does this process get managed and effectuated?

• Internal Audit – the prior guidance spoke to how audits would help uncover misconduct and what findings and communication got to the board. The new guidance talks, again, to the audit process – how are audit areas determined, how are audits conducted. This speaks to a focus less on whether a company’s internal audit function conducted reviews and more as to how do you determine whether the internal audit function was performing appropriate and effective reviews.
  • It was noted above in the Autonomy section that Internal Audit may not have the resources to conduct appropriate reviews of compliance controls. Many of these controls are very task and market specific. A company should consider whether its internal audit can appropriately review the effectiveness as well as the operation of a control.
• Evolving Updates – the new guidance adds a question to this section regarding whether the company has performed gap analysis to determine risks that are not being appropriately addressed.
  • This can just be good practice to perform periodic gap analysis to determine if the scope or composition of business activities have created gaps in compliance landscape.
• Culture of Compliance – this is an entirely new section that was absent from the prior guidance. The guidance asks whether the company actually reviews the status of its culture of compliance – does it query all levels of employees regarding their perception senior and middle management’s commitment to the culture and what have the done in response?
  • DCM has not observed this outside of very large, top tier companies. It might be something for companies to consider how they would do this and whether it would be effective

. Investigation of Misconduct
This is a completely new section in this guidance. It does capture a portion of a section called “Analysis and Remediation of Underlying Misconduct” from the prior guidance – that section has been retained in the guidance - but it has a broader coverage and focus. The prior section focused on whether root and systemic causes of the misconduct were examined, whether there were prior indications of issues, and what remediation occurred – all actions focused on the specific event.

The new guidance focuses on the investigations process – is there a “well-functioning and appropriately funded mechanism”? This speaks to an ongoing process with dedicated resources. This is not likely to occur in many smaller entities. Therefore, the real question is what would evidence an appropriate mechanism for investigations? The guidance may offer more options here:

• Properly Scoped Investigation by Qualified Personnel – the guidance calls for investigations that are “properly scoped, and were independent, objective, appropriately conducted, and properly documented”. This can be done on an ad hoc basis but a company should clearly consider these factors when confronted with an issue.
  • DCM staff have observed that all too often the investigation is directed to be quick, unobtrusive, and light on documentation. The guidance would indicate this would fail multiple sections of this guidance if prosecutors were to feel that is the case.

Analysis and Remediation of Any Underlying Misconduct
This section has been retained from the prior guidance though, as noted above, a section was moved to Investigations. It has also incorporated the “Operational Integration” section from the prior guidance. The discussion for this section focuses on whether there is a pattern of misconduct within the organization that would indicate the company has not worked to eliminate underlying causes or compliance system weaknesses that encourage misconduct. Much of the content is directly from the prior guidance.

• One indicator in the shift from event to process analysis is of an entirely new section “Prior Weaknesses” in the new guidance. The old guidance (which section is still in this guidance) asked whether there were opportunities to detect misconduct that were missed; the new guidance asks what controls failed and how they failed to detect the misconduct and whether the functions responsible for those controls have been held accountable.
  • DCM sees this as a significant shift – it presumes you would have controls in place to detect misconduct and there is a punishable failure, as opposed to a missed opportunity, and the guidance asks whether there has been accountability assessed. This could be interpreted to mean the guidance asks who has been punished for the failure and how as part of the charging and sentencing guidance.
• As noted above, the Accountability section was incorporated in this portion of the guidance as opposed to being under Incentives.

In general, DCM believes the guidance makes five major points:

1. Tone from the top includes the example set by senior and middle management – not just what the emails say.
2. Compliance needs to be uniformly applied – special circumstance exceptions will be an indicator of an inadequate compliance function, not business norms;
3. Compliance needs to be an integrated process, not a set of one-off actions in response to crises;
4. Compliance function staffing and resources should be justifiable at the level they are set;
5. Effective review and improvement of the compliance function is an important factor under the guidance.

 
DCM LLC provides ongoing blog posts on regulatory and compliance issues and can provide a full suite of trade surveillance and compliance services -as well as strategic and commercial services to the commodity trading marketplace. Please see us at www.sourcingcommodity.com