Compliance officers spend a great deal of time and resources trying to build an effective and robust ethics and compliance program, and yet nobody is entirely sure how to define one correctly.

During a keynote panel at Compliance Week 2016, enforcement officials from the Securities and Exchange Commission and the Department of Justice tried to cut through the confusion, speaking candidly about compliance program effectiveness, personal liability, and what the new compliance counsel role means for compliance programs moving forward.

When asked what constitutes an effective compliance program, Andrew Weissmann, chief of the Criminal Division’s Fraud Section, first stressed that the Department of Justice sees companies through the lens of a criminal problem that’s been brought to the agency, not from the day-to-day lens of a compliance officer. Just because a company may be facing an investigation, that’s not to say the company doesn’t have an effective compliance program, he said.

What the Justice Department wants to see is that the company has adequate controls in place and ways to minimize risk. “You can’t eliminate the risk; you can minimize the risk,” Weissmann said.

In the event that an issue arises, for example, how did the company learn from that? How did the company do a root cause analysis and integrate what it learned into the compliance function? How is it identifying emerging risk areas?

Like the Justice Department, the SEC similarly looks at issues through the lens of hindsight after an issue has already arisen. “I like to ask compliance officers to come in to hear about their compliance program at the outset of an investigation,” said Stephen Cohen, associate director of the SEC’s Division of Enforcement. “Lots of times, lawyers look at me quite stunned when early on in an investigation I ask not only to hear about the compliance program, but recently I’ve even asked to meet the chief compliance officer.”

Cohen said the reason he asks about the compliance program at the outset of an investigation is because, by the end of an investigation, the company has had “an awful lot of time” to figure out with their lawyers exactly how they want to present their compliance program to the SEC. Without the benefit of having years to “refine” their story, he said, if a company doesn’t have a compelling story about why its compliance program is effective, “it’s a good window into who we are going to be dealing with for the next couple of years.”

Cohen said the SEC specifically wants to see that the company’s chief ethics and compliance officer has the necessary resources, clout, authority, and independence to do the job effectively.

‘Independence’ defined

Both Cohen and Weissmann also shared how they define “independence.” Generally speaking, the pair indicated that the sort of factors they weigh include how compliance officers are hired and fired; what decision-making authority they have; and what lines of reporting are available to them.

For example, Cohen said one factor in weighing independence is whether the compliance officer is part of the company’s senior management team. “Nothing sends a stronger message about the status of a compliance officer than their position,” he said.

Cohen also inquired: “Who in the company can fire the compliance officer?” If the CEO or general counsel is under investigation for misconduct and has authority to fire the compliance officer, that’s a concern, he said.

Who can second guess the decision of that CEO or general counsel? Are decisions about misconduct honored or overturned? If so, by whom and on what basis? “[Compliance officers] ought to have at a minimum a reporting line to the board,” Cohen added.

In companies where compliance reports to legal, Weissmann said the Justice Department would look for instances where compliance has the independence and authority to voice any disagreements it might have with legal. Has the company accounted for that potential conflict of interest between legal and compliance? Is there recourse for compliance to go to the board or go to the CEO?

Weissmann added that compensation and resources are other important factors in weighing independence: Who is in charge of deciding how the compliance officer is compensated? How are salaries and bonuses determined?

Cohen reiterated this sentiment. In many companies, “stature and pay are perceived to go hand-in-hand,” he said, so it says a lot about a company “if the senior most person in compliance is making several times less than their supposed peers.”

“Pay and incentives outside of compliance are also relevant if we’re talking about the culture of compliance,” Cohen added. “Pay and incentive for ethics and compliance behavior—as part of pay, bonuses, or otherwise—is certainly an extremely strong indicia of a company that has a good culture of compliance and ethics.”


Below are the bios of Stephen Cohen, an Associate Director of the SEC’s Division of Enforcement, and Andrew Weissmann, Chief of the Criminal Division’s Fraud Section.
Stephen Cohen
Stephen Cohen is an Associate Director of the SEC Division of Enforcement, in which he assists in planning and directing the agency’s enforcement efforts. Previously, Cohen spent two years as Senior Advisor to SEC Chairman Mary Schapiro, providing counsel on a wide range of legal and policy matters, including enforcement and compliance issues and various aspects of the Dodd-Frank Act such as the whistleblower legislation and rulemaking.
Cohen joined the SEC as an Assistant Chief Litigation Counsel in the Division of Enforcement in 2004. Before coming to the SEC, Cohen was in private practice, primarily involved in complex commercial litigation. He also served as a trial attorney at the U.S. Department of Justice, where he was part of the Attorney General’s Honors Program. Cohen also clerked for the Honorable Ursula Ungaro in the Southern District of Florida.
Source: SEC
Andrew Weissmann
Andrew Weissmann is Chief of the Criminal Division’s Fraud Section. He rejoined the Criminal Division after serving as the FBI’s general counsel under former Director Robert Mueller and, most recently, teaching criminal procedure and national security law courses and seminars at NYU School of Law. Before his tenure at the FBI, Weissmann was in private practice for five years.
Prior to joining that law firm, Weissmann served as special counsel to the Director of the FBI. Before that he was the deputy director and then the director of the Enron Task Force from 2002 through 2005, where he oversaw the investigations and prosecutions of more than 30 individuals, including Jeffrey Skilling, Kenneth Lay, and Andrew Fastow, as well as the corporate prosecutions of Merrill Lynch and CIBC. Weissmann began his career with the Department of Justice in 1991 at the U.S. Attorney’s Office in the Eastern District of New York, where he served in various leadership positions, including as chief of the Criminal Division, until joining the Enron Task Force.
Source: Department of Justice

Personal liability

During the keynote panel, Weissmann and Cohen also tried to ease compliance officers’ fears of personal liability. Weissmann, for example, stressed that the Justice Department’s jurisdiction is only for criminal violations. “We are not going after compliance officers for criminal liability.”

Compliance officers will only be found liable in the rare instances where they are found to be complicit in the criminal conduct. “Our general view of compliance is that they are allies in the kind of work that we are trying to do, which is reduce the risk of criminality,” Weissmann said.

Cohen reiterated that same message. Since 2003, the SEC has brought more than 8,000 enforcement actions, only five of which were brought against chief compliance officers at investment advisers, he said.

“The point being is not only do we not target compliance officers, but we have very high criteria for charging them,” Cohen said. “They are not being charged simply because they are a compliance officer; we do not come in and second guess the judgments of a compliance officer and second guess their actions.”

In the rare cases where the SEC has charged compliance officers, Cohen said, it’s because those individuals were responsible for causing the firm’s compliance failures that led to misconduct in the first place.

Both Cohen and Weissmann stressed that compliance is a shared responsibility overall. “If the business is not partially accountable for compliance, that is usually a sign of a problem,” Weissmann said.

At the Department of Justice, in some cases that have resulted in criminal enforcement actions, compliance was ignored altogether. Individuals in the company will ask if they can engage in certain conduct; compliance says “no,” and the conduct happens anyway, Weissmann said.

At the SEC, in the “lion’s share” of investigations, in which liability most often results from document review, “compliance officers are nowhere to be found,” Cohen said. “Nobody is asking them questions. Nobody has meetings with them. It’s clear they are not interacting with compliance.”

“In a company that has a good ethical and compliance culture,” Cohen said, “you see that the ethics and compliance function is a true partnership with the business.”