Proactive Compliance, Strategic Defense: Leveraging Compliance Programs to Mitigate Regulatory Enforcement Risk

This client alert synthesizes key takeaways for structuring compliance programs for entities that are subject to the enforcement authority of multiple regulatory agencies—in particular, the Commodity Futures Trading Commission (CFTC), the Department of Justice (DOJ), and the Federal Energy Regulatory Commission (FERC). While enforcement priorities may change under different administrations, recent enforcement actions and agency guidance underscore the importance of a well-structured compliance program, not only to identify and prevent misconduct, but also to mitigate the consequences of enforcement actions in the event of alleged or actual violations. Crucially, in an enforcement posture, the CFTC, FERC, and DOJ penalty guidelines all expressly consider effective compliance programs as a factor in determining the consequences for a violation.

While this alert focuses on just a few takeaways and recent examples, companies will be well-served by evaluating their own business and risk footprint while considering their exposure to civil and criminal enforcement.

Key Features

Under any administration, these key structures and practices may help prevent misconduct and mitigate penalties and ancillary consequences of enforcement actions:

• Independence: Compliance programs should function autonomously in order to maintain their independence. Independence from business units enhances the ability to provide unbiased guidance and oversight and avoids both conflicts of interest and the appearance of conflicts. In addition, independence helps protect the privileges discussed below through clear demarcation of roles.

• Direct Reporting: The compliance function or Chief Compliance Officer (CCO) should report directly to the General Counsel or Board of Directors, further ensuring independent oversight and avoidance of unintentional attorney-client privilege or attorney work product waivers. Protecting privilege and work-product protections facilitates open and honest communication which, in turn, allows counsel to provide informed advice.

• Multi-Agency Optimization: Compliance programs should gain the trust of their internal clients and reflect the priorities and standards of the multiple regulatory agencies with jurisdiction over the company while accounting for the nuances of each regulator's priorities. As an example, because the CFTC requires that the compliance programs of all derivatives market participants must be "reasonably designed" and implemented, even unregistered companies should consider CFTC regulation and guidance issued with respect to registrant companies, in addition to exchange requirements.

Additional Compliance Program Considerations

Why do compliance programs matter?

• Agencies factor an effective compliance program into their enforcement discretion. The DOJ, FERC, and the CFTC may even decide to take no action where they find that effective programs are in place.¹

• Where agencies do take enforcement action, the existence of effective compliance programs can mitigate the consequences, including by reducing criminal and civil penalties and by avoiding a requirement to instate a third-party monitor.²

How do enforcement agencies evaluate compliance programs?

• Programs should address the compliance risks relevant to the company.³

• Companies should be able to demonstrate the processes implemented to monitor those risks and the steps taken to train personnel throughout the organization on related policies and procedures.

  • According to the CFTC's Division of Enforcement (CFTC Enforcement), a "sufficient" compliance program is one that is "reasonably designed and implemented" to prevent, detect, and remediate non-compliance issues.⁴

  • FERC notes that reliance on generic training and a failure to update practices as market conditions evolve can reduce the value of a compliance program.⁵

• Programs should work in practice.⁶ It is not enough to have a well-written plan. Effective compliance programs should continuously improve; devote adequate resources to detection and investigation; and foster and demonstrate a culture of compliance.⁷

What are additional compliance program "best practices"?

• Sufficient funding and resource allocation for compliance functions.⁸

• Independence of the compliance function from business processes.

  • The CFTC expresses this as independence of the Chief Compliance Officer from influence, interference, or retaliation, including, but not limited to, the business unit, operations, and others.⁹

• Appropriate leadership and reporting structure.

  • Led by a Chief Compliance Officer or other qualified individual.¹⁰

  • Reporting structure that provides direct lines to the Board of Directors or the audit committee.¹¹

• Strong policies and procedures to timely prevent, detect, investigate, and address non-compliance.¹²

  • Policies and procedures should adapt to changes in industry trends.¹³

Enforcement Developments

Top-Down Commitment; Bottom Line Consequences: Senior management must actively engage in the essential elements of well-functioning compliance programs: ongoing support and enforcement against non-compliance. When compensation, promotion, and disciplinary actions take compliance into account, and when adequate resources are devoted to the compliance function, companies can expect more favorable treatment. To the contrary:

• Voltus, Inc. and Gregg Dixon (FERC): In January 2025, Voltus, a virtual power plant operator, agreed to pay $18 million to settle claims that it violated FERC's Anti-Market Manipulation Rule.¹⁴ FERC alleged that Voltus used customer data without authorization, misrepresented resource capacity, and retained revenues from improperly registered resources.¹⁵ Former CEO Gregg Dixon, implicated in directing these activities, agreed to pay a $1 million penalty and resigned from the company’s Board of Directors.¹⁶ Per the settlement, Voltus must update its compliance policies under the supervision of its Chief Legal Officer and Director of Regulatory Compliance and submit annual compliance monitoring reports to FERC Enforcement.¹⁷

Programs that Pivot: Companies should tailor and update their compliance frameworks to account for evolving regulations, new administration priorities, and the intricacies of multiple agencies across the jurisdictions in which they operate.

• Vitol, Trafigura, and more (CFTC): In recent years, CFTC Enforcement ramped up enforcement actions and fine amounts. Foreign-held corporations were not excused. For example, Trafigura paid $55 million for allegedly misappropriating nonpublic information, manipulating benchmarks, and including illegal whistleblower restrictions in contracts.¹⁸

• New Regulation Affecting Energy Derivative Markets: After finalizing an expanded federal position limits rule that applies to energy swaps and futures contracts,¹⁹ CFTC Enforcement settled several federal position limits charges involving energy derivative contracts. The respondents included Vitol, Aspire Commodities, Merrill Lynch Commodities, and others who were charged with natural gas, Henry Hub, and crude oil position limit violations.²⁰ In Merrill Lynch Commodities, Inc., the firm agreed to pay $1.5 million to settle allegations of exceeding federal position limits in NYMEX natural gas contracts.²¹ These "first of kind" actions will likely continue to impact the energy derivative markets as CFTC leadership focuses on deterring market manipulation.²²

• Whistleblowers and Watchdogs: Companies should update compliance programs to address new DOJ priorities, focus on tariffs, cartels, immigration, sanctions, and whistleblower protections, and strengthen controls and reporting. On May 12, 2025, the DOJ published its new guidance for prosecuting white-collar and corporate crime.²³ The "Galeotti Memorandum" updates DOJ enforcement priorities for the Criminal Division and streamlines corporate investigations and prosecutions.²⁴ It also expands the DOJ's whistleblower and self-reporting programs.²⁵ Legal and compliance departments should study these changes, which will impact companies dealing with DOJ investigations or those operating under a corporate integrity agreement. The DOJ's updated policies prioritize white-collar enforcement that aligns with "America First" objectives, focusing on foreign companies harming US interests, tariff evasion, cartels, government fraud, immigration crimes, and sanctions enforcement.²⁶ This is also true in the Foreign Corrupt Practices Act (FCPA) guidelines issued by the DOJ in June, which prioritize protection of the competitiveness of US companies and promotion of US national security interests, while further incentivizing corporate self-disclosure.²⁷ Companies that strengthen compliance programs and self-report misconduct should benefit from the changes announced in the Galeotti Memorandum and the new FCPA guidelines.

We would like to thank our former colleague, Thomas Donadio, for his contributions to this alert.

¹ Policy Statement on Penalty Guidelines, 130 FERC ¶ 61,220 (March 18, 2010); U.S.S.G. §§ 8B2.1, 8C2.5(f), and 8C2.8(11); CFTC Staff Advisory on Materiality or Other Criteria That Operating Divisions Will Use to Determine Referrals to the Division of Enforcement (Apr. 17, 2025).

² CFTC Enforcement Advisory: Guidance on Evaluating Compliance Programs in Connection with Enforcement Matters (Sept. 10, 2020) ("CFTC Enforcement Advisory: Compliance Programs"). Available here.

³ See DOJ, "Evaluation of Corporate Compliance Programs" at 2-10 (Sept. 2024) ("DOJ Corporate Compliance"). Available here.

⁴ CFTC Enforcement Advisory: Compliance Programs. 

⁵ FERC, Office of Enforcement, Effective Energy Trading Compliance Practices at 20-22 (Nov. 2016) (“FERC Effective Energy Trading Compliance Practices”). Available here.

⁶ DOJ Corporate Compliance at 2, 16-22 (Sept. 2024).

⁷ Id.

⁸ DOJ Corporate Compliance at 12; FERC Effective Energy Trading Compliance Practices at 20-22; CFTC Enforcement Advisory at 2.

⁹ CFTC Enforcement Advisory at 2.

¹⁰ DOJ Corporate Compliance at 11.

¹¹ Id. at 12.

¹² Id. at 7-8; FERC Effective Energy Trading Compliance Practices at 20-22; CFTC Enforcement Advisory at 2.

¹³ FERC, Office of Enforcement, 2024 Report on Enforcement at 47 (Nov. 21, 2024).

¹⁴ Voltus, Inc. and Gregg Dixon, Docket No. IN21-10-000, Order Approving Stipulation and Consent Agreement, 190 FERC ¶ 61,008 (Jan. 6, 2025).

¹⁵ Id. at P 85.

¹⁶ Id. at PP 99-100.

¹⁷ Id. at PP 107-111.

¹⁸ In the Matter of Trafigura Trading LLC, CFTC Docket No. 24-08, Order at 11 (June 17, 2024). Available here.

¹⁹ Position Limits for Derivatives, 86 Fed. Reg. 32336 (Jan. 14, 2021).

²⁰ See, e.g., In the Matter of Vitol, Inc. and Vitol SA, CFTC Docket No. 24-14 (Aug. 14, 2024). Available here. See also, In the Matter of Aspire Commodities LLC, CFTC Docket No. 24-30 (Sept. 25, 2024). Available here.

²¹ In the Matter of Merrill Lynch Commodities, CFTC Docket No. 24-31, Order at 9 (Sept. 25, 2024). Available here.

²² "The Complex Fraud Task Force will be responsible for all preliminary inquiries, investigations, and litigations relating to complex fraud and manipulation across all asset classes." CFTC Division of Enforcement to Refocus on Fraud and Helping Victims, Stop Regulation by Enforcement (Feb. 04, 2025), Release Number 9044-25.

²³ Criminal Division Memorandum, Focus, Fairness, and Efficiency in the Fight Against White-Collar Crime (May 12, 2025). Available here.

²⁴ Id. at 7-8.

²⁵ Id. at 5.

²⁶ Id. at 4-5.

²⁷ Memorandum from the Deputy Attorney General, Guidelines for Investigations and Enforcement of the Foreign Corrupt Practices Act (FCPA) (June 9, 2025), https://www.justice.gov/dag/media/1403031/dl. For further analysis of the new FCPA enforcement guidelines, please see Steptoe’s client alert from June 16, 2025, DOJ's New FCPA Enforcement Guidelines: Continuity with a Twist | Steptoe.