During remarks at the Securities Industry and Financial Markets Association Compliance and Legal Society New York Regional Seminar, Leslie Caldwell, assistant attorney general for the Justice Department’s Criminal Division, offered some insight about the newly established compliance counsel and what metrics the compliance counsel will use to assess compliance programs.

Recently, the Criminal Division has hired a compliance counsel to work in the Fraud Section. Although Caldwell did not disclose who the agency appointed to fill this role, other reports have identified her as Hui Chen, the former global head of anti-bribery and corruption at Standard Chartered Bank. “We want to get the benefit of the expertise of someone with significant high-level compliance experience across a variety of industries, which this person has,” Caldwell said.

During her remarks, Caldwell acknowledged that companies “increasingly have tailored compliance programs that make sense not just for their industries but also for their business lines, their risk factors, their geographic regions and the nature of their work force, to name a few.” She added, “Unfortunately, a surprising number of companies still lack rigorous compliance programs, and even more companies have what appear to be good structures on paper, but fail in practice to devote adequate resources and management attention to compliance.”

Although the Criminal Division has improved at evaluating compliance programs over the years and suggesting tailored reforms, she said, it still needs help in this area. “We are prosecutors, not compliance professionals,” she said.

This is where the role of the compliance counsel comes into play.

“First, the compliance counsel will help us assess a company’s program, as well as test the validity of its claims about its program, such as whether the compliance program truly is thoughtfully designed and sufficiently resourced to address the company’s compliance risks,” Caldwell said. 

“Second, she will help guide Fraud Section prosecutors when they are seeking remedial compliance measures as part of a resolution with a company, whether by prosecution or otherwise,” said Caldwell. “We don’t want to impose unrealistic, unnecessary or unduly burdensome requirements on companies. At the same time, we want to make sure that appropriate compliance enhancements are included when they are needed.”

Because many financial institutions operate all over the world, the Fraud Section has chosen a compliance counsel “who has the experience and expertise to examine a compliance program on a more global and a more granular level,” said Caldwell.

Caldwell disputed claims that the Fraud Section’s retention of a compliance counsel is an indication that the Department is moving toward recognizing or instituting a compliance defense. “That is not the case,” she said.

“Rather, the Criminal Division will continue to review companies’ compliance programs as one of the many factors to be considered when deciding whether to criminally charge a company or how to resolve criminal charges,” said Caldwell. “Our hiring of a compliance counsel should be an indication to companies about just how seriously we take compliance.”

Caldwell added that most compliance violations don’t result in criminal prosecution. “We’re not interested in prosecuting mistakes or accidents, or bad business judgments, and we are not looking to prosecute compliance professionals,” she said.

Compliance Metrics

Caldwell also explained how the compliance counsel will assess compliance programs. The compliance counsel will help the Criminal Division “evaluate each compliance program on a case-by-case basis—just as the Department always has—but with a more expert eye,” Caldwell said.

Specifically, she said, this individual will work with prosecutors to assess the following questions:

Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies? 

Do the people who are responsible for compliance have stature within the company? Do compliance teams get adequate funding and access to necessary resources?

Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?

Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?

Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances?

Are there mechanisms to enforce compliance policies, including incentivizing good compliance and disciplining violations? Is discipline even-handed? 

Does the institution sensitize third parties like vendors, agents, or consultants to the company’s expectation that its partners are also serious about compliance? 

Is the company or financial institution candid with regulators? 

In the anti-money laundering and sanctions contexts, in particular, effective compliance requires more. In those cases, Caldwell said, prosecutors ask: What does the institution’s “know your customer” policy look like? Furthermore, if a financial institution operates in the United States—whether it is a U.S.-based bank or a U.S. branch or component of a foreign bank—is it complying with U.S. laws?

“Part of that compliance is sharing information about potentially suspicious activity with other branches or offices,” said Caldwell. “For example, if a foreign branch of a U.S. bank identifies suspicious activity related to an account held by a customer that also maintains an account with the bank in the U.S., compliance personnel in the U.S. should be alerted to the suspicious activity.” 

“The vast majority of financial institutions file Suspicious Activity Reports when they suspect that an account is connected to nefarious activity, but, in appropriate cases, we encourage those institutions to consider whether to take more action,” Caldwell added. “Specifically, to alert law enforcement authorities about the problem, who may be able to seize the funds, initiate an investigation, or take other proactive steps.”

“When the Criminal Division evaluates a company’s compliance policy during an investigation, we look not only at how the policy reads on paper, but also at the messages conveyed to employees, including through in-person meetings, e-mails, telephone calls, and compensation,” she said. “We look at whether, as a whole, a company tolerated compliance failures year after year because the alternative would have meant a reduction in revenues or profits.”