With the departure of Hui Chen from her position as the Compliance Counsel at the Fraud Section of the Justice Department, now is a good time to consider how the focus of the Department around corporate compliance programs evolved during her tenure, culminating in the release of the Evaluation of Corporate Compliance Programs (“Evaluation”) document in February 2017.

Compliance program metrics

Chen came on board with the Justice Department in the fall of 2015 and almost immediately afterward, we saw a substantial release of information that the compliance practitioner could use in a best practices compliance program. The first instance was in a speech by then Assistant Attorney General Leslie R. Caldwell to the SIFMA Compliance and Legal Society New York Regional Seminar, in November 2015. Caldwell then went on to lay out the metrics under which she said Chen would consider on a variety of topics.

Policies and procedures:

Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?

Does the institution review its policies and practices to keep them up-to-date with evolving risks and circumstances?

Are there mechanisms to enforce compliance policies? Those include both incentivizing good compliance and disciplining violations. Is discipline even-handed?

Third parties:

Does the institution sensitize third parties like vendors, agents, or consultants to the company’s expectation that its partners are also serious about compliance?

Senior management and the board:

Does the institution ensure that its directors and senior managers provide strong, explicit, and visible support for its corporate compliance policies?

Compliance departments:

Do the people who are responsible for compliance have stature within the company? Do compliance teams get adequate funding and access to necessary resources?

Chen’s NYU remarks

That same month, at the New York University Program on Corporate Compliance and Enforcement, Chen shared a panel discussion with Chief of the criminal fraud section of the U.S. Department of Justice Andrew Weissmann, and she discussed four primary areas that she indicated she would focus on as DOJ Compliance Counsel.

Thoughtful design of the compliance program. Chen noted that stakeholders need to be a part of the compliance program design process and have input into the compliance internal controls. If a company has a violation, Chen said she would look at whether the compliance program addressed the wrongful conduct or if there was a gap in compliance coverage. Finally, she added, a root cause analysis would need to be performed on any risk failures and then incorporated into the program going forward.

How operational is the compliance program? This was the first the phrase “operationalization” was uttered by a Justice Department representative. Chen explained that the compliance program should be tied to the functional unit of a company; human resources (HR), Payment, audit, vendor management, business development, and all traditional cost functions need to be involved in the operation of the compliance program in their respective areas of influence. Chen indicated the key question she would focus upon was how did the compliance program remediate the conduct that led to the violation.

While Chen’s time at the DoJ may be over, her influence there will continue to be felt for years to come. Her work on the guidance began in earnest as soon as she arrived at the DoJ, and while the Evaluation might not have elevated itself beyond buzzwords and jargon among some government officials and compliance professionals, it is indeed an evolution in compliance thinking that is greeted with much enthusiasm by the compliance community.

How well does the CCO communicate with stakeholders? Chen indicated there must be evidence that the CCO got out of the office and met with the stakeholders. She also wanted to see that a corporate compliance program had more than simply a seat at the table but was actively involved with operational decision making. Providing an example around compensation, she said compliance needs to be a part of the discussions around how compensation systems are designed and particularly around discretionary bonus systems. She admitted that compliance’s views on compensation are not always sought but in her mind, it is one area that, if utilized, would demonstrate a commitment to compliance by the organization.

How well Is compliance resourced? Regarding CCO compensation, Chen had two of areas of inquiry. First: The amount the CCO is paid could be an issue. For instance, is the CCO compensated at an amount at or near the general counsel level? If it is one-half, what does that communicate within the organization? She also would inquire as to whom in the company sets the CCO compensation and who reviews it.

Chen emphasized that this meant more than monetary resources or even head count. She specified the twin resources of attention and commitment. She would inquire into how often the CCO met personally with the chief executive officer, audit committee, and the full board of directors. She also said she would inquire into the details of these briefings, asking, for instance, if the briefings were based on employee surveys or quantitative data or were they simply based on anecdotal information? She said that it is important that compliance have a real dialogue with the C-Suite and not a rote briefing.

The ECI Interview

In February 2016, in an interview with Laura Jacobus of ECI Connects, posted on Ethics and Compliance Initiative (ECI) Connects, Chen further articulated what constituted an “operationalized” compliance program:

Detects and prevents misconduct, whether that misconduct is corruption or something else. It should be cross-functional, requiring both commitment and collaboration;

Requires the commitment of the whole company to compliance, especially its leadership and key stakeholders;

Works only when the ownership and the commitment are shared, and that means the efforts of ensuring compliance gets the right resources and processes must be a shared effort. So, if technology is needed to enhance a compliance process, the IT function needs to be fighting for that resource; if the payment process needs to be strengthened, finance should be responsible for making sure that’s done, etc.; and

Requires stakeholder buy-in and accountabilities.

Presaging some of the questions listed in the Evaluation, Chen said some of the indicia she would look for would include:

How well front-line workers understand their jobs: Does the clerk in the accounts-payable room understand his job to be processing payments as quickly as he can, or does he understand that he is supposed to keep an eye on certain things and escalate issues he identifies?

Does the new salesperson understand her job to be making the deal at all costs, or does she understand that there are boundaries?

Are the compliance and control personnel empowered to identify, escalate, and address problems?

Are processes continually improved based on lessons learned; people disciplined for non-compliance; or deals rejected and approvals not granted?

FCPA Pilot Program and ongoing remediation

When the DoJ announced its new program around FPCA enforcement, the “Pilot Program,” in April 2016, it also released a written document, entitled “The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance” (“The Guidance”), more fully laying out the specifics of this Pilot Program and providing more background and information for the compliance practitioner. One requirement under the Pilot Program was that a company engage in ongoing remediation during the pendency of an FCPA investigation. While it is incumbent to recall that the Pilot Program only applies in charging decisions for companies under FCPA investigation, Part A, Requirements, in Subpart III, entitled “3. Timely and Appropriate Remediation in FCPA Matters,” laid out more information about what it expected regarding a best practices compliance program.

The Guidance stated, “an effective compliance program…may vary based on the size and resources of an organization” but should include the following:

Whether the company has established a culture of compliance, including an awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;

Whether the company dedicates sufficient resources to the compliance function;

The quality and experience of the compliance personnel such that they can understand and identify the transactions identified as posing a potential risk;

The independence of the compliance function;

Whether the company’s compliance program has performed an effective risk assessment and tailored the compliance program based on that assessment;

How a company’s compliance personnel are compensated and promoted compared to other employees;

The auditing of the compliance program to assure its effectiveness; and

The reporting structure of compliance personnel within the company.

While there are some items that have been a part of the discussion of what constitutes an effective compliance program for a long period of time—such as culture of compliance, performing a risk assessment and using that risk assessment to tailor your compliance program, reporting structure of the compliance function and auditing of your compliance program—there are also some new points to consider.

This guidance requires “sufficient resources to the compliance function,” and independent of that function, the experience and quality of compliance personnel and not just the compensation paid to compliance personnel but how it compares to other employees together with their promotion. If a compliance team is run on a shoestring, it will likely be downgraded for the lack of commitment to doing business in compliance with the FCPA. The same is true for compliance personnel promotions and other opportunities for advancement within an organization. Not many organizations have such a mature compliance function that a CCO is appointed to another senior-level position within an organization.

Finally, as noted, the DoJ is now looking at the quality of the CCO and compliance function. Laying this out is new, even if the DoJ may have informally frowned on sending an untrained or unqualified lawyer or another in to run the compliance regime. The clear implication was that the DoJ will be looking at salaries. Once again, if a company attempted to get by on the cheap, it may certainly come back to bite it in the end.

While Chen’s time at the DoJ may be over, her influence there will continue to be felt for years to come. Her work on the guidance began in earnest as soon as she arrived at the DoJ, and while the Evaluation might not have elevated itself beyond buzzwords and jargon among some government officials and compliance professionals, it is indeed an evolution in compliance thinking that is greeted with much enthusiasm by the compliance community.