Elements of an Effective Corporate Compliance Program
By Jodi Avergun
Posted: 24th January 2018 08:25Companies that are either located in, or transact business in the United States – even if they are not in highly regulated industries like health care or finance – are subject to an almost ever-increasing array of regulations with which they must comply. Add to that the financial incentives provided by the whistleblower provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act 2010 (“Dodd-Frank Act”) and companies can find themselves at the center of regulatory or criminal investigations in an instant. When this happens, companies under investigation can lessen the blow of any penalty by demonstrating to prosecutors that it had in place an effective compliance program.
The emphasis on an effective compliance program to deter criminal conduct derives both from Section 8B2.1 of the U.S. Sentencing Guidelines, and The Principles of Federal Prosecution of Business Organizations chapter of the U.S. Attorney’s Manual. The “effective program” described in both documents is the single most important tool, other than self-disclosure and cooperation, on which a company can rely in seeking leniency from the Department of Justice (“DOJ”) at sentencing or in charging decisions. More importantly, the presence of an effective compliance program is a critical weapon in a company’s arsenal to protect it from reputational and financial harm – and of course from government investigations.
Emphasising the paramount importance of an effective compliance program, in 2015, the U.S. Department of Justice’s Fraud Section engaged an industry expert in ethics and compliance as compliance counsel to the Fraud Section. Her role was to evaluate companies’ claims regarding their compliance programs and to provide guidance and counsel to DOJ prosecutors as they considered leniency applications or appropriate penalties based on the effectiveness of a company’s compliance programs. Although the compliance counsel left her post a few months short of her planned two year tenure, the existence of an effective compliance program remains a key driver in corporate behaviour and a key factor considered in charging and leniency decisions.
Basic Architecture of an Effective Compliance Program
Taken together, the Sentencing Guidelines and the Principles of Federal Prosecution of Business Organizations provide a high-level roadmap of the key components of an effective compliance program. For example, the Guidelines provide that the company must promote “an organisational culture that encourages ethical conduct and a commitment to compliance with the law” and that the organisation’s “governing authority” be “knowledgeable about the content and operation of the compliance and ethics program and… exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
The Guidelines, though written in contemplation of calculating fines for companies that have committed misconduct, are also useful as guidance for companies not under investigation. The Guidelines specifically describe the basic building blocks that must be present in order for a company to be viewed as having an effective compliance program. These include:
- written standards and procedures to prevent and detect criminal conduct;
- knowledgeable and resourced board and management, with dedicated compliance personnel;
- due diligence on personnel with substantial authority to bind the company;
- regular communication and effective training;
- monitoring and auditing for criminal conduct, periodic evaluation of the compliance program, and the ability of employees to report misconduct without retaliation;
- consistent enforcement throughout the organisation; and
- response to misconduct and modifications to program as needed.
In February 2017, the DOJ’s Fraud Section released an evaluation document listing “important topics” and questions with which DOJ would assess corporate compliance programs. The evaluation document poses a series of questions that DOJ encourages compliance professionals to consider and consult as they design their compliance programs, and which in turn DOJ prosecutors will consider as they evaluate the effectiveness of the compliance program of a company under investigation. DOJ has emphasised in public comments since the publication of the evaluation document that such document does not pronounce guidelines. Rather it is a guide to the critical thinking in which DOJ expects corporate leaders to engage to drive common sense, analytical and data-driven approaches to evaluating compliance risks and creating policies that address those risks.
The topics, which derive from commentary within the Sentencing Guidelines, the U.S. Attorney’s Manual, the 2013 OECD Anti-Corruption Ethics and Compliance Handbook and the 2012 joint DOJ and SEC Resource Guide to the FCPA, indicate how companies seeking to build and maintain effective compliance programs think about, design and self-evaluate their systems. They also signal the factors prosecutors will analyse in evaluating the effectiveness of the compliance policies of companies under investigation for purposes of determining leniency and punishment. The broad areas of inquiry include understanding (i) how a company analyses and remediates discovered misconduct, (ii) the involvement of top management in compliance, (iii) the resources devoted to compliance and the autonomy of the compliance function, (iv) the content, (v) the process of disseminating policies and procedures, (vi) how a company integrates compliance into its day‑to‑day operations, (vii) the role of risk assessment in designing compliance policies, (viii) whether there are incentives to prioritise compliance and conversely, disciplinary measures to punish non-compliance, (ix) periodic training and review of existing policies, (x) the extent and effectiveness of third‑party due diligence and controls, and if relevant, (xi) how compliance is integrated into M&A processes.
Reacting to the Evaluation Document
There is really no company that does business in or with the United States that is immune from the risk of criminal conduct, though some are more susceptible to the risk than others. But given the high level of risk as well as the high costs of non-compliance from both a reputational and financial perspective, companies are newly considering their compliance programs and measuring them against the standards revealed in the 2017 evaluation document. Despite the presence of a regulatory-unfriendly White House, there is a current trend in corporate America to engage in top-down reviews of their compliance programs measured against the standards of the 2017 evaluation document. A number of public companies have issued RFPs this year for external compliance assessments and others are in the works. And it makes sense to do so. An effective compliance program can help avoid significant negative consequences, including, expanded and costly investigations, civil and criminal prosecution, fines and disgorgement, the imposition of a compliance monitor, shareholder litigation and reputational damage. Even the best-designed, data-driven, fully supported compliance program will not assure full compliance with the law. But understanding the elements that DOJ expects a company to consider in designing compliance policies and programs, and self-evaluating against those criteria is the safest way to implement a truly effective compliance program.
Jodi Avergun is Chair of the White Collar Defense and Investigations Group at Cadwalader, Wickersham & Taft LLP. She represents public and private corporations, financial institutions and individuals in government investigations and follow-on litigation. Jodi has successfully defended her clients in internal investigations, matters before regulatory bodies, and in civil and criminal matters in federal court, and currently counsels her clients on their compliance programs. Prior to joining Cadwalader, Jodi served in numerous leadership capacities in the Department of Justice, including as chief of staff of the DEA and as an Assistant U.S. Attorney in the Eastern District of New York.
Jodi can be contacted on +1 202 862 2456 or by email at email@example.com
In a complex scheme that is beyond the scope of this article, the Sentencing Guidelines for Organizations set out a formula for arriving at a “culpability score” that correlates to a range of fines that corporate offenders must pay on being found guilty of an offense. The culpability score considers such variables as the size of the company, the extent of the misconduct, and the financial loss caused by the misconduct and awards points that increase the score. Having an effective compliance program subtracts points from the culpability score, and significantly lower fines result. [cite]