Dissenting Statement of Commissioner Caroline D. Pham on Examination by Enforcement
August 29, 2023
I respectfully dissent from the order and settlement in the administrative proceeding In re Goldman Sachs & Co. LLC, because I believe that this enforcement action is fundamentally unfair, unjust, and does not best serve the public interest. Based on my review of the record, I believe that this enforcement action is wrong—we are not doing the right thing here on vendor issues arising out of the unprecedented move to remote work because of the COVID-19 pandemic, and I cannot support it.
Regulation by enforcement has a darker counterpart. This order and settlement reflects the Commission’s disturbing trend of “examination by enforcement”—where the Division of Enforcement imposes a disproportionately high civil monetary penalty for one-off, non-material operational or technical issues with no misconduct, harm to clients, or financial losses, and that every other major regulatory authority addresses through an examination program conducted by supervisory staff (i.e., examiners).
By taking this approach, the CFTC is an outlier amongst U.S. and non-U.S. regulators. It does not best serve the Commission’s mandate to provide oversight of market participants, and it does not meaningfully contribute to market integrity. Examination by enforcement is inherently ad hoc, not applied consistently across market participants, and does not provide a horizontal view to inform the Commission of potential systemic risk.
Ten years after the enactment of the Dodd-Frank Act is far too long for the Commission to have failed to develop an examination program for its most systemically important registrants, and the reliance on enforcement actions and headline-grabbing dollar figures is no substitute for ongoing oversight by supervisory staff with the requisite expertise and experience to actually understand and ensure that our registrants have robust risk management and compliance programs. Bank examiners undergo years of specialized training and certification, and often have more than a decade of examination experience before being assigned to cover a global systemically important bank (GSIB).
In contrast, the Division of Enforcement is the only division that can uphold our agency’s statutory mission to protect our markets from fraud, manipulation, or other abusive practices. This is where the Division is the pre-eminent expert in prosecuting fraud in the global commodity markets. The Division has had resounding success in using our unique global jurisdiction to seek and penalize bad actors, and this should be the first priority. I would like to see the Division focus its talent and resources on cases that will bring justice for victims, protect those that cannot protect themselves, and root out misconduct and wrongdoing—this is our core mission and core strength.
Moreover, I believe that this enforcement action and civil monetary penalty is a callous approach to the challenges and unspeakable human tragedy of the COVID-19 pandemic, and the near-overnight switch to remote work that was required due to civil and criminal quarantine laws and other restrictions imposed by governments everywhere as the world struggled to combat the spread of infection and disease.
Regulations never contemplated and were never designed for remote work, and some were even impossible to comply with under the circumstances (such as physical or location-based requirements). The shift to remote work created extensive compliance challenges for our registrants that I do not think the Commission or the staff either comprehend or appreciate.
I do not doubt that hundreds of thousands of people in operations, technology, finance, risk, compliance, legal, regulatory, Human Resources, and other control function personnel across the industry and across the world, all rose to the occasion and worked valiantly and around-the-clock to design and implement new technology solutions, procedures, and processes to comply with regulatory requirements. These new compliance solutions took time to implement, and as unforeseen issues popped up, might have needed additional fixes. Many, many of these personnel did all this during personal upheaval to their lives and while working remotely themselves, as team members, colleagues, family, and friends died from COVID.
Every government authority and regulator around the world provided temporary relief or forbearance from regulatory requirements in light of the pandemic and devastating impact to business, including the CFTC and other U.S. regulators. But I am not aware of any regulator in any public consent order imposing sanctions and penalties for one-off, non-material operational or technical issues arising from the pandemic—especially for the use of vendors to support remote work. It will only be the CFTC with that dubious distinction and disregard for the human reality.
That is why I think this is wrong.
The Commission should take an approach to operational and technical issues that is consistent with the requirements and intent of CFTC rules 3.3 and 23.602, which is how swap dealer compliance programs have been implemented since 2012 under the oversight of the Market Participants Division and the NFA.
With respect to swap dealers, I note that under CFTC rule 3.3(e)(5), material non-compliance issues are required to be included in the annual compliance report that is filed with the CFTC and NFA. In addition, it is a best practice to promptly self-report material non-compliance issues to the CFTC’s Market Participants Division and the NFA, and not to wait until the filing of the annual report.
Further, CFTC rule 23.602(a) requires that a swap dealer has a system to supervise swap dealer activities that is reasonably designed to achieve compliance with the Commodity Exchange Act and Commission regulations.
However, I have previously stated: “In instances of especially egregious or prolonged deficiencies, material weakness, or misconduct by management, then enforcement actions may be appropriate, and the Commission should not shy away from this step.”
Applying this standard, in the instant case, there are no findings that the Respondent has material weaknesses or deficiencies in its operational risk management (including technology risk management or third-party risk management), or that Respondent has failed to implement a reasonably designed compliance program. In fact, the order lacks any remedial undertakings to improve the compliance program at all.
There are no allegations that these two unrelated vendor issues were material non-compliance issues, or resulted in a material impact to the firm, harm to clients, or financial losses, or involved misconduct. The record does not demonstrate that there was any way that Respondent could have identified or prevented these two separate and unrelated vendor issues prior to Respondent’s use of either vendor, or that Respondent failed to follow its third-party risk management policies or procedures.
To the contrary, Respondent promptly and diligently performed a root cause analysis beginning in March 2020 and remediated the Truphone vendor mobile phone issue within weeks. The order notes that the entire vendor hardware was replaced by Respondent with an alternative system by September 2020. Respondent identified and promptly remediated the completely separate and unrelated Omni vendor soft turret issue that also arose out of the pandemic and Respondent’s need to shift to remote work and resulting inability to use the hard-wired trading turrets physically located in each office.
It is fantastical for the Commission to expect perfection—100% compliance for 100% of the time—when it comes to operations and technology systems and processes. That is impossible. Yet that is exactly the message that this order sends, and because it is impossible, how seriously can you take it? Instead, it is unfair and unjust, and the Commission appears unmoored from reality, alone and apart from all other regulators.
Enforcement actions for one-off, non-material operational or technical issues are shooting fish in a barrel. But where there is evidence that registrants have especially egregious or prolonged deficiencies or material weakness in their risk management or compliance programs, the Commission should take a holistic approach to holding management accountable and consider requiring comprehensive remedial undertakings, including imposing a compliance monitor as appropriate.
Such consequences would send a sharp signal to market participants that the Commission is serious about strengthening registrants’ risk management and compliance programs, and be far more impactful and meaningful than death by a thousand cuts to rack up enforcement metrics or dollar figures.
Knowing when to have compassion is a strength in leadership. The Commission has nearly boundless discretion in exercising its prosecutorial authority in bringing enforcement actions, and is rarely challenged in imposing administrative sanctions and penalties. I am saddened and disappointed by the choices made and the approach to the facts in this case for two separate and unrelated vendor issues arising out of the COVID-19 pandemic, both of which are wholly separate and unrelated to the non-material and limited internal systems recording issue in 2019.
The Commission is not in the right here. While I recognize the efforts of the Division of Enforcement, I cannot support this action, and I must respectfully dissent.
 Remarks by Commissioner Caroline D. Pham at the NYU Law Program on Corporate Compliance and Enforcement Fall Conference, “If You See Something, Say Something” (November 14, 2022), Commodity Futures Trading Commission, https://www.cftc.gov/PressRoom/SpeechesTestimony/opapham7.
 Statement of Commissioner Caroline D. Pham on Risk Management Program for Swap Dealers and Futures Commission Merchants Advance Notice of Proposed Rulemaking (June 1, 2023), Commodity Futures Trading Commission, https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement060123.