Revisions to U.S. Sentencing Guidelines for Compliance Programs

At their April meeting, the U.S. Sentencing Commission voted to adopt changes to Chapter 8 of the Sentencing Guidelines Manual. That chapter defines an effective compliance and ethics program and has been one of the sacred texts of the compliance profession.

Here is my summary of the changes:

Changes to §8B2.1

In defining an Effective Compliance and Ethics Program, they are inserting a new Note 6 that focuses on the steps to take after the detection of criminal conduct.

First, the organization must respond appropriately to the criminal conduct, including restitution to the victims, self-reporting and cooperation with authorities.

Second, the organization must assess its program and modify it to make the program more effective. They seem to encourage the use of an independent monitor to ensure implementation of the changes.

Changes to §8C2.5(f)

In calculating the culpability score for having an effective compliance and ethics program, they have removed the near-automatic disqualification if the bad actor was a high-level executive. You can get credit, provided you meet the new criteria:

  • the head of the compliance program must report directly to the governing authority or appropriate subgroup (for example, the audit committee of the board of directors),
  • the compliance program must discover the problem before discovery outside the organization was reasonably likely,
  • the organization must promptly report the problem to the government, and
  • no person with operational responsibility in the compliance program participated in, condoned or was willfully ignorant of the offense.

Changes to §8D1.4

The amendment simplifies §8D1.4 (Recommended Conditions of Probation – Organizations) (Policy Statement) on the recommended conditions of probation for organizations. The new section consolidates the list of conditions that are appropriate conditions for probation.

Status of Changes

The changes have to be submitted to Congress and won’t take effect until November 1, 2010. (Unless Congress votes to reject the changes.)

Publication of Changes

You would think that the Sentencing Commission would publish this change on their website or publish a press release. No information about the amendment, the submitted comments or meeting minutes have yet made their way to the website for the United States Sentencing Commission.

Fortunately Susan Hackett of the Association for Corporate Counsel and Melissa Klein Aguilar of Compliance Week were able to alert us and publish a copy of the changes.

Proposed Amendments to Sentencing Guidelines

The United States Sentencing Commission has proposed some changes to the Federal Sentencing Guidelines. Of the eight changes, one should catch the eye of compliance professionals.

There is a proposed amendment to Chapter Eight of the Guidelines Manual regarding the sentencing of organizations, including proposed changes to §8B2.1 (Effective Compliance and Ethics Program) and §8D1.4 (Recommended Conditions of Probation — Organizations).

§8B2.1

In §8B2.1 (Effective Compliance and Ethics Program) they are inserting a new Note 6 that would add a new requirement for an effective compliance and ethics program. The note focuses on the steps to take after the detection of criminal conduct.

First, the organization must respond appropriately to the criminal conduct, including restitution to the victims, self-reporting and cooperation with authorities.

Second, the organization must assess its program and modify it to make the program more effective. They seem to encourage the use of an independent monitor to ensure implementation of the changes.

§8D1.4

The proposed amendment amends §8D1.4 (Recommended Conditions of Probation – Organizations) (Policy Statement) to simplify the recommended conditions of probation for organizations. The new section consolidates the list of conditions that are appropriate conditions for probation.

Request for Comments

In addition to the proposed amendment, the Sentencing Commission is considering an issue and is asking for comment:

Should the Commission amend §8C2.5(f)(3) (Culpability Score) to allow an organization to receive the three level mitigation for an effective compliance program even when high-level personnel are involved in the offense if

(A) the individual(s) with operational responsibility for compliance in the organization have direct reporting authority to the board level (e.g. an audit committee of the board);
(B) the compliance program was successful in detecting the offense prior to discovery or reasonable likelihood of discovery outside of the organization; and
(C) the organization promptly reported the violation to the appropriate authorities?

Written comments are due by March 22, 2010.

Seven Questions to Ask to Optimize Your Compliance Programs

Compliance Week put on a webinar covering Practical Guidance: Seven Questions to Ask to Optimize Your Compliance Programs. Bruce McCuaig, Vice President, Risk and Compliance and Mike Rost, Vice President, Marketing of Paisley presented.

Mike started off with some background of Paisley, then moved onto the “Why?” of Compliance. Companies want to avoid the downside that comes from compliance failures.

Bruce then took over and set forth the seven questions:

  1. Do you have an effective compliance program?
  2. Have you assessed the scope of your compliance program?
  3. Is your compliance program risk-based?
  4. Do you have effective controls over your compliance risks?
  5. Is your compliance program integrated?
  6. Are you leveraging technology to support your compliance program?
  7. Do you have a plan to instill and sustain your compliance program processes?

Effectiveness has a basis in the federal sentencing guidelines. You need to have a culture of compliance. You need to be effective in prevention. You need to document standards and procedures. You need to communicate and report. There is a need for continual improvement.

In assessing the scope of your compliance program, you need to look at the laws, standards and regulations that you must comply with. What jurisdictions do you operate in? What subjects do I need to pay attention to? You need to take a top-down risk-based approach to address the scope of your program. You need to find the most significant risks to compliance.

To think about whether your compliance program is risk-based, you need to look at the root cause of possible failure. They break it into three pieces. You need to look at behavioral or cultural factors, impact factors and external factors. Behavior focuses on people. Do your people know the rules? Impact factors look at systems, and external factors are things outside your control.

For effective controls you need to know the rules, know the rules have to be followed. You also need to know when the rules are broken. If they are broken they need to be penalized for failure. It is important that employees read and certify that they understand the rules. Where compliance failures are a risk, the regulators expect there to be a dedicated compliance officer. You need to use compliance metrics.

An un-integrated approach has redundancy in testing and documentation, with common activities across business lines. Bruce sees five points of convergence:

  • Shared context in organization and process structure
  • Common language of risk and control
  • Common methodology
  • Enterprise wide reporting
  • GRC convergence technology

Bruce thinks technology is important. You need a library of intelligent information on laws and regulations. You need to manage the life-cycle of the policies and procedures. They are useful to show that everyone has read and affirmed their understanding of the policies.

Bruce labels the four steps of maturity: (1) reacting, (2) anticipating, (3) collaborating, and (4) orchestrating.

A Benchmarking Survey on Third-Party Codes of Conduct

Society of Corporate Compliance & Ethics

Rebecca Walker of Kaplan & Walker LLP is the author of a report on A Benchmarking Survey on Third-Party Codes of Conduct (register to download) sponsored by The Society of Corporate Compliance and Ethics. The SCCE received survey results from more than 400 compliance professionals on how they deal with third-party compliance policies. As Rebecca points out in the report: “Organizations are also subject to risks of misconduct by virtue of the actions of agents and other third parties who act on their behalf or partner with the organization in some way.”

Among the relevant findings in the survey:

  1. Only 47% of companies disseminate their internal employee code of conduct to third parties.
  2. Only 26% of companies require that third parties certify to their codes of conduct.
  3. Of those 26%, 92% did not have a threshold as to when they required certifications.
  4. Only 17% of organizations have a code of conduct that is applicable to third parties.

Rebecca points out the U.S. Sentencing Guidelines provide incentives to have your compliance programs reach out to third parties:

Sentencing Guideline §8B2.1(4):

(A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

(B) The individuals referred to in subdivision (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

One of the problems with pushing out your compliance program to third parties is that they may have their own, which differs from your program. The bigger problem is you setting the compliance standards but not enforcing them. Rebecca offers some ways to extend compliance and ethics requirements to third parties. These are some highlights:

  • Conduct due diligence regarding business partners’ compliance and ethics programs.
  • Incorporate language into contracts with third parties requiring compliance.
  • Train third parties on the ethics and compliance program or on particular company policies or procedures.

Thanks to Corporate Compliance Insights for pointing out this survey: Third Party Controls Lacking In Ethics and Compliance Expectations Says SCCE Survey.

Assessing Corporate Culture

Ed Petry of the Ethical Leadership Group put together a two-part paper on Assessing Corporate Culture: Assessing Corporate Culture – Part I and Assessing Corporate Culture – Part II.

[There are] specific steps that compliance and ethics officers can take to begin the process of identifying their organizations’ culture including:
• Conduct surveys, focus groups and interviews of employees and third parties to determine what people really think about the organization, what motivates them, what’s rewarded and punished, and what are the “unspoken rules” and corporate stories that they believe best illustrate acceptable and unacceptable behavior;
• Distinguish and describe the important subcultures within the organization; and
• Identify what is really being heard by employees – which may be quite different from the message you and senior management are intending to convey.

You should do deep dives that roughly track the elements of the revised Sentencing Guidelines:

  • Is there consistency and clarity within your organization regarding the limits of acceptable behavior?
  • Do the Board and management act in accordance with their responsibilities to build and sustain a commitment to ethics and compliance?
  • Are compliance, ethics or even legal requirements – or the people responsible for them at the company – marginalized?
  • Do performance goals and incentives encourage and put unreasonable pressure on employees to act contrary to ethics and compliance standards?
  • Do employees feel they can ask questions or raise concerns?
  • Is bad conduct tolerated – especially at the senior level?

An Effective Compliance Program under the U.S. Sentencing Commission Guidelines

Section 8B2.1 of the 2007 version of the United States Sentencing Commission Guidelines defines an “effective compliance and ethics program” for purposes of section (f) of §8C2.5 for the Culpability Score and section (c)(1) of §8D1.4 for Recommended Conditions of Probation – Organizations:

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:

(1) The organization shall establish standards and procedures to prevent and detect criminal conduct.

(2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

(3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

(B) The individuals referred to in subdivision (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

(5) The organization shall take reasonable steps—

(A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;

(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and

(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

(6) The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

(7) After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.

(c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.