The Commodity Futures Trading Commission (CFTC) issued orders on September 27, 2022, filing and settling charges against various affiliates of financial institutions for failing to maintain, preserve, or produce records that were required to be kept under the CFTC’s recordkeeping requirements and failing to diligently supervise matters related to their businesses. As FERC also has record retention requirements, we discuss key takeaways on compliance and communication methods in light of the CFTC’s orders.
The CFTC found that the companies failed to ensure that their employees, including those at senior levels, communicated internally and externally using approved communication methods, and found that employees had been engaging in business-related communications on their personal devices through unapproved communication methods including personal text messaging, personal email, and other instant messaging applications. The CFTC also found that the entities generally did not maintain and preserve these written communications as required and therefore were not able to promptly provide them to the CFTC when requested.
In addition to the settlements with the CFTC, many of the entities were also investigated by the US Securities and Exchange Commission (SEC). The SEC, on September 27, announced that it had also settled charges of violating the recordkeeping provisions of the federal securities laws and failing to maintain and preserve electronic communications with many of the same entities.
Like the CFTC and the SEC, FERC also has record retention requirements, which enable it to monitor and enforce its rules and regulations and to enhance market transparency. Compliance with FERC’s record retention requirements is essential and should be a part of a company’s ongoing compliance responsibilities. Failure to maintain compliance with recordkeeping requirements may create exposure for a company on several fronts, depending on the scope of its business activities.
There are several important FERC compliance-related takeaways from the CFTC orders:
- Implementing Policies and Procedures. Companies should ensure that their internal policies and procedures address, with specificity, the methods of communication that their employees can and cannot use to conduct business. They should also ensure that their employees understand the policies and are aware of the approved communication methods. Companies may also wish to distribute and confirm receipt of the policies periodically (e.g., annually).
- Setting a Tone at the Top. Companies should ensure that senior management, supervisors, and managers exemplify compliance with internal policies and procedures. One of the key findings in the CFTC orders was that individuals in senior positions violated the communication policies and procedures by using unapproved methods of communication to conduct business. This can have the effect of making the use of unapproved methods of communication into an acceptable practice even if it directly contravenes written policies and procedures.
- Enforcing Policies and Procedures. Companies should ensure that they are enforcing their internal policies and procedures that address approved and unapproved communication methods. They should conduct regular reviews to confirm that their employees are engaging in business-related communications only through approved communication methods and to maintain awareness of all forms of communication that employees use to conduct business.
- Ensuring Proper Retention of Communications. Companies should also ensure that they are retaining communications for the required retention periods so that they are able to retrieve and produce copies of communications and other documents when asked without issue or delay. Ongoing compliance with the record retention requirements is particularly essential in an investigation conducted by FERC’s Office of Enforcement and in an audit conducted by FERC’s Division of Audits and Accounting.