The Commodity Futures Trading Commission’s (CFTC) Division of Enforcement issued an advisory on Oct. 17 providing guidance on the nature of resolutions in enforcement actions. The advisory spoke to the sufficiency of monetary penalties and under what circumstances an admission should be required as part of a proposed resolution; however, its main impact was the position on corporate compliance monitorships.

Specifically, the Enforcement Division affirms that a monitor is appropriate not only where the misconduct is sufficiently pervasive and severe such that the entity would be unable to remediate its misconduct without assistance, but also where “the entity requires the assistance of a neutral third party to advise regarding remediation, but can otherwise remediate its misconduct without oversight.”

The CFTC’s advisory is the most recent example of a larger trend toward imposing monitorships as part of an enforcement action even when an entity may be able to or even already has remediated its misconduct. Several federal agencies are following the monitorship trend. For example, the U.S. Department of Justice (DOJ) uses a multi-factorial approach to evaluate when a monitorship is appropriate, including whether the entity voluntarily self-disclosed, whether the entity has implemented an effective compliance program, whether the misconduct was long-lasting or pervasive, and more. The DOJ currently has 34 active monitorships.

The Securities and Exchange Commission’s (SEC) stance on monitorships is best outlined in A Resource Guide to the U.S. Foreign Corrupt Practices Act – released by the DOJ and the SEC – which takes a similar multi-factorial approach to determining whether a compliance monitor is appropriate.

The Department of Commerce’s Bureau of Industry and Security (BIS) is over five years into its first monitorship – of Chinese telecom company ZTE Corporation (ZTE)(1)  – the largest ever.

Likewise, in 2022, the Office of the Comptroller of the Currency (OCC) issued a Consent Order against Anchorage Digital Bank for failure to adopt and implement a compliance program adequately covering Bank Secrecy Act/Anti-Money Laundering program elements.

Monitorships are not limited to the federal sphere. Most recently, in a March 2023 consent order with Coinbase, Inc. (a cryptocurrency trading platform), the New York Department of Financial Services required that Coinbase hire an “independent consultant” to assess its Bank Secrecy Act/Anti Money Laundering and Office of Foreign Assets Control Sanctions program and to provide recommendations on areas for improvement. Notably, Coinbase entered into a Memorandum of Understanding in February 2022, over a year before the consent order, agreeing to retain an independent third party to review its compliance program and make recommendations.

Best Practices for Companies

What does all of this mean for companies eager to stay on the right side of the government’s increasingly more aggressive enforcement actions? At a high level, it’s clear that a monitorship is another, and ever more popular, weapon in the government’s arsenal. More important, however, is what a monitor is: a neutral third party brought in to provide independent perspective on an entity’s compliance efforts – using what accountants call “professional skepticism.”

Monitors or “independent consultants” can be imposed by the government, but they also can be a tool for companies to leverage. For a company with a nascent compliance infrastructure, it might make sense – particularly in the current environment – to bring in a third party to assess existing risks and advise on compliance efforts as part of a larger disclosure to the government. Such a proactive approach could help limit a longer-term monitorship or help obtain additional leniency in settlement negotiations. Even for companies with robust compliance programs, where there is no indication of wrongdoing, that company may be well served to engage an independent third party to test the efficacy of its program.

In the public company sphere, a best practice for boards overseeing compliance programs is to bring in a third party auditor no more than one year after launch to assess the program’s adequacy. The independent audit requirement is common annual practice on the Anti-Money Laundering/Know Your Customer front. This should be standard for any regulated entity for several reasons: 1) to ensure continued compliance with regulations, 2) to provide an early alert system, and 3) to offer comfort to board members and senior managers.