DOJ’s New Evaluation of Corporate Compliance Programs

The Justice Department released a refreshed set of guidelines on how prosecutors should evaluate corporate compliance programs.

The Principles of Federal Prosecution of Business Organizations in the United States Attorney’s Manual describe factors that prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements. One of these factors is “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” The Guidelines are meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective.

For those of us involved in compliance for highly regulated companies in finance, I take the guidance with a word of caution. Regulators are the first line of compliance program creation. If you screw up badly, they pull in the agency’s lawyers. It’s only when you end up in the super serious list, like criminal charges, that you end up with the Department of Justice where these Guidelines are operative.

So what has changed in the Guidelines document?

It’s bigger. The original guidance was only four pages. The new guidance blossoms up to 19 pages.

It’s written for non-compliance people. The previous guidelines were written more like a checklist for those with a compliance background. I heard the new guidelines were released in a training session for DOJ attorneys. I guess it will be the front-line prosecutors using these guidelines to help in their decision-making process.

I need to take a deeper dive into the guidelines. More to come.

Revisions to U.S. Sentencing Guidelines for Compliance Programs

At their April meeting, the U.S. Sentencing Commission voted to adopt changes to Chapter 8 of the Sentencing Guidelines Manual. That chapter defines an effective compliance and ethics program and has been one of the sacred texts of the compliance profession.

Here is my summary of the changes:

Changes to §8B2.1

In defining an Effective Compliance and Ethics Program, they are inserting a new Note 6 that focuses on the steps to take after the detection of criminal conduct.

First, the organization must respond appropriately to the criminal conduct, including restitution to the victims, self-reporting and cooperation with authorities.

Second, the organization must assess its program and modify it to make the program more effective. They seem to encourage the use of an independent monitor to ensure implementation of the changes.

Changes to §8C2.5(f)

In calculating the culpability score for having an effective compliance and ethics program, they have removed the near-automatic disqualification if the bad actor was a high-level executive. You can get credit, provided you meet the new criteria:

  • the head of the compliance program must report directly to the governing authority or appropriate subgroup (for example, the audit committee of the board of directors),
  • the compliance program must discover the problem before discovery outside the organization was reasonably likely,
  • the organization must promptly report the problem to the government, and
  • no person with operational responsibility in the compliance program participated in, condoned or was willfully ignorant of the offense.

Changes to §8D1.4

The amendment simplifies §8D1.4 (Recommended Conditions of Probation – Organizations) (Policy Statement) on the recommended conditions of probation for organizations. The new section consolidates the list of conditions that are appropriate conditions for probation.

Status of Changes

The changes have to be submitted to Congress and won’t take effect until November 1, 2010. (Unless Congress votes to reject the changes.)

Publication of Changes

You would think that the Sentencing Commission would publish this change on their website or publish a press release. No information about the amendment, the submitted comments or meeting minutes has yet made its way to the website for the United States Sentencing Commission.

Fortunately Susan Hackett of the Association for Corporate Counsel and Melissa Klein Aguilar of Compliance Week were able to alert us and publish a copy of the changes.

Making the Case for Compliance at Private Companies

More focus has been aimed at the need for compliance programs at public companies. Of course, that focus has been largely driven by the requirements of Sarbanes-Oxley. The other focus comes from highly regulated industries like financial services that require compliance programs.

That doesn’t mean that private companies can ignore compliance. There are many more private companies than public companies.

An article by Corpedia caught my eye: Making the Case for Compliance Programs at Privately Held Companies. (Since I work at a privately held company.)

As the article points out, the Federal Sentencing Guidelines do not change based on the ownership structure of the company. Private companies would need to take the same steps as public companies if they want to get credit for having an effective compliance program.

Another big reason for a compliance program is not discussed in the article. Under the Stone v Ritter and Midland Grange decisions, company officers and directors can be held responsible for the illegal conduct of employees. These cases follow up the case in expanding liability for company directors.

An effective compliance program would presumably reduce or prevent any illegal activity and shield the directors and officers from liability by showing that the illegal conduct was by a rogue employee.

One factor to keep in mind is that many private companies lack a meaningful board of directors. For many private companies, the board of directors really means the company’s principal. If there is a board, it may consist largely of family members, insiders and company officers. All the talk about access to the board of directors is lost on those of us running compliance programs inside private companies.

Proposed Amendments to Sentencing Guidelines

The United States Sentencing Commission has proposed some changes to the Federal Sentencing Guidelines. Of the eight changes, one should catch the eye of compliance professionals.

There is a proposed amendment to Chapter Eight of the Guidelines Manual regarding the sentencing of organizations, including proposed changes to §8B2.1 (Effective Compliance and Ethics Program) and §8D1.4 (Recommended Conditions of Probation — Organizations).

§8B2.1

In §8B2.1 (Effective Compliance and Ethics Program) they are inserting a new Note 6 that would add a new requirement for an effective compliance and ethics program. The note focuses on the steps to take after the detection of criminal conduct.

First, the organization must respond appropriately to the criminal conduct, including restitution to the victims, self-reporting and cooperation with authorities.

Second, the organization must assess its program and modify it to make the program more effective. They seem to encourage the use of an independent monitor to ensure implementation of the changes.

§8D1.4

The proposed amendment amends §8D1.4 (Recommended Conditions of Probation – Organizations) (Policy Statement) to simplify the recommended conditions of probation for organizations. The new section consolidates the list of conditions that are appropriate conditions for probation.

Request for Comments

In addition to the proposed amendment, the Sentencing Commission is considering an issue and is asking for comment:

Should the Commission amend §8C2.5(f)(3) (Culpability Score) to allow an organization to receive the three level mitigation for an effective compliance program even when high-level personnel are involved in the offense if

(A) the individual(s) with operational responsibility for compliance in the organization have direct reporting authority to the board level (e.g. an audit committee of the board);
(B) the compliance program was successful in detecting the offense prior to discovery or reasonable likelihood of discovery outside of the organization; and
(C) the organization promptly reported the violation to the appropriate authorities?

Written comments are due by March 22, 2010.

Principles of Federal Prosecution of Business Organizations

At last week’s Compliance Week Conference, I saw a paradigm shift in thinking about the factors to be included in a compliance program. Most compliance programs have placed a lot of emphasis on the federal sentencing guidelines. After all, those guidelines give credit for having an effective compliance program. So you want to have an effective compliance program.

But by definition, the sentencing guidelines are only useful once the organization has been indicted and convicted of a crime. We are better off preventing the organization from being indicted in the first place. So, perhaps we are better off looking at the Principles of Federal Prosecution of Business Organizations (.pdf) from the Department of Justice.

The Principles are more nuanced than the Sentencing Guidelines. They take into account the issues of prosecutorial discretion. In contrast, the Sentencing Guidelines are a compromise between prosecutors, the defense bar and the judicial bench.

Your Compliance Program and Enforcement

This session at Compliance Week Conference 2009 was another “dark session” so I am not sharing detailed notes, merely a perspective on some issues that were presented. John Roth, an Assistant U.S. Attorney in the Fraud and Corruption Section shared his insights and Bruce Carton did his best Phil Donahue impression by eliciting questions from the audience.

There was a big turnout for this session. The organizers were only expecting 20-30 and ended up with over 100. Anything said by Mr. Roth was his opinion alone and not necessarily those of his office or the Attorney General.

One item was the difference between the Principles of Prosecution in the U.S. Attorney General’s Handbook and the Federal Sentencing Guidelines. The Guidelines only come into play once the organization has been indicted and convicted. The Principles of Prosecution help the Attorney General’s Office decide whether to prosecute in the first place. The Guidelines are a product of compromise between the Attorney General, the defense bar and federal judges. At this point they have also been made discretionary instead of mandatory. It seems that compliance programs should be more focused on the Principles of Prosecution instead of the Federal Sentencing Guidelines.

There was much discussion that it is much easier to identify a bad compliance program (or no compliance program) than a good compliance program. Much of the learning comes from failures of compliance programs instead of the successes.

Prosecution success causes more prosecution in those areas. FCPA prosecutions are increasing because they are being successful. We can expect to see more. There were rumors that the FBI has formed a squad to focus on FCPA criminal investigations.

A Benchmarking Survey on Third-Party Codes of Conduct

Rebecca Walker of Kaplan & Walker LLP is the author of a report on A Benchmarking Survey on Third-Party Codes of Conduct (register to download) sponsored by The Society of Corporate Compliance and Ethics. The SCCE received survey results from more than 400 compliance professionals on how they deal with third-party compliance policies. As Rebecca points out in the report: “Organizations are also subject to risks of misconduct by virtue of the actions of agents and other third parties who act on their behalf or partner with the organization in some way.”

Among the relevant findings in the survey:

  1. Only 47% of companies disseminate their internal employee code of conduct to third parties.
  2. Only 26% of companies require that third parties certify to their codes of conduct.
  3. Of those 26%, 92% did not have a threshold as to when they required certifications.
  4. Only 17% of organizations have a code of conduct that is applicable to third parties.

Rebecca points out the U.S. Sentencing Guidelines provide incentives to have your compliance programs reach out to third parties:

Sentencing Guideline §8B2.1(4):

(A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

(B) The individuals referred to in subdivision (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

One of the problems with pushing out your compliance program to third parties is that they may have their own, which differs from your program. The bigger problem is you setting the compliance standards but not enforcing them. Rebecca offers some ways to extend compliance and ethics requirements to third parties. These are some highlights:

  • Conduct due diligence regarding business partners’ compliance and ethics programs.
  • Incorporate language into contracts with third parties requiring compliance.
  • Train third parties on the ethics and compliance program or on particular company policies or procedures.

Thanks to Corporate Compliance Insights for pointing out this survey: Third Party Controls Lacking In Ethics and Compliance Expectations Says SCCE Survey.

Assessing Corporate Culture

Ed Petry of the Ethical Leadership Group put together a two-part paper on Assessing Corporate Culture: Assessing Corporate Culture – Part I and Assessing Corporate Culture – Part II.

[There are] specific steps that compliance and ethics officers can take to begin the process of identifying their organizations’ culture including:
• Conduct surveys, focus groups and interviews of employees and third parties to determine what people really think about the organization, what motivates them, what’s rewarded and punished, and what are the “unspoken rules” and corporate stories that they believe best illustrate acceptable and unacceptable behavior;
• Distinguish and describe the important subcultures within the organization; and
• Identify what is really being heard by employees – which may be quite different from the message you and senior management are intending to convey.

You should do deep dives that roughly track the elements of the revised Sentencing Guidelines:

  • Is there consistency and clarity within your organization regarding the limits of acceptable behavior?
  • Does the Board and management act in accordance with their responsibilities to build and sustain a commitment to ethics and compliance?
  • Is compliance, ethics or even legal requirements – or the people responsible for them at the company – marginalized?
  • Do performance goals and incentives encourage and put unreasonable pressure on employees to act contrary to ethics and compliance standards?
  • Do employees feel they can ask questions or raise concerns?
  • Is bad conduct tolerated – especially at the senior level?

An Effective Compliance Program under the U.S. Sentencing Commission Guidelines

Section 8B2.1 of the 2007 version of the United States Sentencing Commission Guidelines defines an “effective compliance and ethics program” for purposes of section (f) of §8C2.5 for the Culpability Score and section (c)(1) of §8D1.4 for Recommended Conditions of Probation – Organizations:

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:

(1) The organization shall establish standards and procedures to prevent and detect criminal conduct.

(2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

(3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

(B) The individuals referred to in subdivision (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

(5) The organization shall take reasonable steps—

(A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;

(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and

(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

(6) The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

(7) After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.

(c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.