Remarks by Commissioner Caroline D. Pham at the NYU Law Program on Corporate Compliance and Enforcement Fall Conference
"If You See Something, Say Something"
November 14, 2022
“If you see something, say something.” These words were a maxim during the nearly seven-and-a-half years that I worked at a bank. It was something that was drilled into the sales and trading teams on the trading floors and in other lines of business, and it was something that Compliance officers repeated in so many trainings and so many refreshers. When in doubt, if you see something, say something. Escalate to your supervisor, your Compliance officer, your Legal coverage, HR, Ethics Office, the anonymous hotline, or other channels—there was no excuse to not escalate.
Since my term began about six months ago, I have repeatedly said that risk management must be at the core of the business and that we need to get back to the basics. Thank you for inviting me here today to speak to leaders and practitioners in compliance and enforcement. This group includes aggressive prosecutors, top legal minds, and vigilant compliance leaders, and many former colleagues. It’s an honor to share with you my thoughts on the importance of self-reporting violations to authorities, and building processes to identify, escalate, and report potential non-compliance issues.
As usual, I’ll state my standard disclaimer, which is that the views I share today are my own as a Commissioner, and do not necessarily reflect the views of the CFTC or of other Commissioners.
“If you see something, say something.” This applies to not only employees of our registrants, but also to the firms that we oversee. But when should you say something to the authorities?
The CFTC, or Commission, has had a long-standing policy of recognizing cooperation, self-reporting, and remediation in its enforcement orders, which may include reductions in penalties, as set forth in various Enforcement Advisories and the Enforcement Manual. Some of the factors that are considered include self-reporting of misconduct; cooperation during the course of the investigation; and engaging in substantial remediation to address the misconduct and develop or strengthen related internal controls. It’s no surprise that the level of recognition and potential reduction in penalty depends on the level of cooperation and remediation, such as whether it is “substantial” or “material.”
Applying the factors in our Enforcement Advisories and Enforcement Manual may be more straightforward when it comes to market abuse and misconduct, where there are clear harms to clients or to market integrity. But firms take varying approaches when it comes to self-reporting compliance program or risk management program issues. As you can see, the Commission has recently resolved a number of high-profile enforcement actions for these types of violations.
It is critical that firms establish an effective program to identify, escalate, and self-report material or potentially material non-compliance issues to the relevant authorities, and oftentimes this is included in escalation policies. Not only it is required by many laws and regulations around the world, including our rules, but there are real incentives to do so based on the Commission’s cooperation policies.
For governance, risk, and control issues, in determining materiality, it is my view that firms should not consider each instance in isolation, but must take a step back and take a holistic view that includes prior violations or related issues. This means that in the aggregate, or due to the extent or pervasiveness of deficiencies (such as repeat or systemic issues), an issue may arise to the level of materiality even if it may not constitute material non-compliance on its own. In some circumstances, it may also make sense to self-report non-compliance issues that are not material or potentially material.
Let’s turn that into a common-sense approach. Don’t be “too cute.” If you have longstanding systemic issues that will take years to remediate, it should be reviewed for materiality and disclosure to the Commission in the Annual Compliance Report. And if you are disclosing a material non-compliance issue in your Annual Compliance Report, you should have first self-reported it to the Market Participants Division, and not the day before you file. You could also provide periodic updates about meaningful progress on remediation. Regulators, like management, don’t like surprises, and engaging in a proactive and transparent manner will help to build goodwill and trust. So, if you see something that you think you should tell your regulator, say something to your regulator.
That is all the time that I have today, but I look forward to continuing to share my views on compliance and enforcement, because I think the Commission should also take a proactive, no-surprises approach. The more that the Commission is able to share its expectations through guidance and speaking orders, the more that our registrants can meet those expectations by implementing and enhancing their compliance programs and risk management programs. Thank you.