Appendix C to Part 3 - Guidance on the Application of § 3.3(e), Chief Compliance Officer Annual Report Form and Content
A. Description of the Registrant's WPPs (§ 3.3(e)(1))
In acknowledgment of the large number of WPPs that a Registrant
implements to comply with CFTC regulations, the Commission
understands that for purposes of the CCO Annual Report, specific
WPP descriptions may be appropriately brief while still identifying
the basic purpose of the policy or procedure and how the policy or
procedure operates to achieve that purpose. The CCO Annual Report
should include a summary overview that describes the general forms
and types of WPPs the Registrant has, such as a compliance manual
specific to the Registrant, global corporate manuals or policies,
and/or business-unit-specific WPPs that support the applicable
regulatory requirements. This summary overview would provide a
narrative of the Registrant's system or program of WPPs, how they
work as a whole, and how the Registrant generally puts the WPPs
into practice as part of its compliance activities. With respect to
the COI policy, it is the Commission's view that the CCO should
describe the COI policy specific to the Registrant, addressing the
specific requirements of § 1.71 or § 23.605 of this chapter, as
applicable.
B. Assessment of the Effectiveness of the Policies and Procedures
(§ 3.3(e)(2))
The Commission expects a CCO Annual Report to contain a
comprehensive discussion of: the assessment process; and the
results of the effectiveness assessment. The regulation does not
dictate the form or manner for the effectiveness assessment.
Rather, the Commission would expect each Registrant to follow a
process and present the resulting assessment in a form and manner
that is appropriate for the size and complexity of the Registrant's
applicable business activities and structure. While § 3.3(e)(2) no
longer has a “requirement-by-requirement” standard, the CCO Annual
Report should address all of the general areas of regulation
applicable to the Registrant.
C. Areas for Improvement and Recommended Changes (§ 3.3(e)(3))
1. Section 3.3(e)(3) requires two components in the CCO Annual
Report: an identification and discussion of each area that needs
improvement; and a discussion of what changes are recommended to
address each area needing improvement. In addressing these two
elements, the CCO Annual Report should include, as applicable: A
discussion of why the particular area needs improvement; a
discussion of the proposed improvements and the time frame for
their implementation; and a cross-reference to the regulation that
a recommended change would address.
2. In general, identifying areas in need of improvement and
recommending steps to effect those improvements should be a core
function of compliance. Accordingly, a CCO Annual Report that makes
no recommendations for changes or improvements to the compliance
program may raise concerns about the adequacy of the compliance
program review intended by the CCO Annual Report process. Moreover,
there should be continuity from one reporting cycle to the next,
such that where a previous CCO Annual Report discussed future
changes or improvements that were being considered or planned,
subsequent CCO Annual Reports should discuss the outcomes of the
changes that were implemented during the most recent scope period,
any monitoring or testing of those changes, whether any compliance
issues arose from the changes and, if there were any issues, how
those issues were handled. While this section may address
improvements to the compliance program that have already been
completed, the Commission believes that this section primarily
should discuss recommended improvements in process and/or future
plans to improve the Registrant's compliance program or resources
devoted to compliance.
D. Resources Set Aside for Compliance (§ 3.3(e)(4))
1. The resources description required by § 3.3(e)(4) should be
appropriate for assisting the Registrant's senior management and
the CFTC in assessing whether sufficient resources are dedicated to
compliance. Accordingly, the description should include the
following types of information: the budget allocated to the
compliance department of the Registrant for compliance with the CEA
and Commission regulations; full-time compliance staffing levels
for such compliance activities; partially allocated staff counts
(if applicable), with information on how much of such employees'
time is devoted to the Registrant's compliance matters that are
subject to CFTC oversight; an explanation of managerial resources
(the explanation should clearly identify the division between
staffing resources and management resources devoted to compliance);
general infrastructure information (e.g., computers,
compliance-oriented software, technology infrastructure, etc.); and
if applicable, a description of the use of third party vendors or
outsourcing for compliance activities. In most cases, to
effectively inform the board of directors or senior officer and the
Commission, the description should include quantifiable information
for the financial, managerial, operational, and staffing resources
allocated to compliance with the CEA and Commission
regulations.
2. The Commission understands that a discussion of specific
compliance budget allocations may not be as straightforward as
described above depending on the size and complexity of the
Registrant's compliance program and the extent to which the
Registrant's compliance resources may be shared for other non-CFTC
regulated business activities. The purpose of the CCO Annual Report
requirement is to convey to senior management and the CFTC a clear
understanding of the resources the Registrant has set aside for
compliance with the CEA and Commission regulations. While some of
the compliance resources used in a Registrant's CFTC
compliance-related program may be used for compliance activities in
other parts of a larger corporate enterprise, this sharing of
resources does not negate the Registrant's obligation to discuss
how the Registrant's compliance program is being resourced. For
those instances where compliance resources are shared, it is
recognized that the description of the shared resources may
reasonably be more general in nature, providing approximations and
estimates based on expected needs. However, the Commission expects
that the CCO Annual Report will still address shared resources in
as much detail as is necessary to convey the information needed to
assess the overall compliance activities of the Registrant.
3. Section 3.3(e)(4) also requires that the CCO Annual Report
include a discussion of any material deficiencies in compliance
resources. If there have been reductions in the compliance program
of the Registrant since the prior reporting period, for example, if
there has been a reduction in compliance staff, a significant
compliance budget decrease, or the Registrant initiated significant
new business activities without a corresponding increase in
compliance resources, the CCO Annual Report should include an
explanation of why the compliance resources are not deficient in
light of the changes. If there are no material deficiencies in the
resources devoted to compliance, the Commission recommends that the
CCO Annual Report contain an express statement to that effect so
that the recipients of the report can see that the requirement was
assessed.
E. Material Noncompliance Issues (§ 3.3(e)(5))
The CCO Annual Report should include an explanation of the
standard the Registrant used to determine a non-compliance event's
materiality. In addition, this section of the CCO Annual Report
should contain a description of each material non-compliance issue
identified either through self-assessment procedures conducted
within the Registrant, or noted by any external entities which
conducted a review of the Registrant (such as a designated
self-regulatory organization). The description should also include
the corresponding actions taken, described in reasonable detail, as
well as specific references to the Commission regulation or
regulations that are implicated by the non-compliance event.
Specifically, the Commission recommends that the CCO Annual Report
include a discussion of the Registrant's deliberations on a course
of remediation, how the implementation of the remediation is being
or was executed, any follow-up testing of the remediation, and any
noteworthy results from such testing. Additionally, the Commission
recommends that CCOs consider including an overview of how the CCO
or compliance department handles and tracks non-compliance events
in general.
F. Material Changes to WPPs (§ 3.3(e)(6))
When describing any material changes to the WPPs, a description
of the standard of materiality used should be provided. This
description will provide meaningful context for any reported
changes to the WPPs.
[83 FR 43523, Aug. 27, 2018]