Prosecutors weigh in on effective compliance programs

The Fraud Section of the Department of Justice’s Criminal Division recently published one of the most comprehensive compliance resources in years, but it came with so little fanfare that it might have flown under the radar of many ethics and compliance departments. Fret not, all was laid bare during a keynote panel at Compliance Week 2017.

In February, the Fraud Section published a document, “Evaluation of Corporate Compliance Programs,” containing eleven sections, each accompanied by sample topics and questions on what the Fraud Section said it may ask in making an individualized determination in evaluating a corporate compliance program.

“We don’t refer to it as guidance,” said Pablo Quiñones, chief of the Strategy, Policy, and Training Unit at the Justice Department’s Fraud Section. “It’s not meant to do anything other than serve as a resource to our prosecutors about the kinds of questions they can ask in particular cases, but need not necessarily ask.”

Many of the topics and questions in the document reflect what’s already in other public documents, including the U.S. Attorneys’ Manual; the U.S. Sentencing Guidelines; corporate resolution agreements; the FCPA Resource Guide; and in the Good Practice Guidance on Internal Controls, Ethics, and Compliance adopted by the Organization for Economic Co-operation and Development (OECD).

“In terms of the formulation of the document itself, it was a collaborative effort within the Department to look at what we were doing and find a better way to collect that information into a single document,” Quiñones said.

The Fraud Section’s guide is receiving strong accolades from compliance practitioners who have taken the time to digest it. “The document is very simple and very helpful to use with your leadership teams in an unbiased way to talk to them about the importance of your role,” said Kurt Drake, chief ethics and compliance officer at paper company Kimberly-Clark.

The first section of the document, for example, talks about root cause analysis. To truly understand the root cause of any misconduct, remediating the matter—and most importantly, preventing the misconduct from occurring again—is critical, Drake said.

It appears that many others in the compliance community have not yet read “Evaluation of Corporate Compliance Programs.” An onsite poll taken during the keynote panel found that half of 175 respondents have not read it, whereas another 31 percent said “it helped move the ball forward,” and 15 percent said they find it to be “incredibly useful.” Four percent said they don’t quite understand it.

Compliance monitors. During the panel discussion, both Quiñones and Kara Brockmeyer, former chief of the SEC’s FCPA Unit, also discussed the circumstances that make it more likely than not that a company will be slapped with a compliance monitor as part of a settlement. Put simply, when faced with an investigation, the government wants to see that the company already has a compliance program up and running and can show how the program is working, the tweaks it has made, and that it has everything under control, Brockmeyer said.

“It’s not meant to do anything other than serve as a resource to our prosecutors about the kinds of questions they can ask in particular cases, but need not necessarily ask.”
Pablo Quiñones, Chief, Strategy, Policy and Training Unit, Fraud Section, Department of Justice

Under those circumstances, the company is “much less likely to end up with a monitor” than a company that says it’s currently reviewing and working on the issue. “That’s a much more difficult discussion to have,” Brockmeyer added.

Other contributing factors as to whether a corporate monitor will be appointed depends on the level of the conduct, how high within the company the misconduct occurred, and how broad in scope the misconduct was, she said. Another contributing factor is if the company is a recidivist (if they’ve had a problem in the past and they have a problem again). “That’s a good indication the compliance program isn’t working,” Brockmeyer said. 

From the Justice Department’s perspective, because misconduct usually involves serious criminal violations, the focus often is on whether the compliance program will be sustainable in identifying future misconduct and whether it has remediated the issue at hand. “A monitor may be necessary when there isn’t sufficient strength and sustainability to the existing program to assure us that it won’t happen again,” Quiñones said.

During an investigation, it’s important to have compliance actively participate in the process by getting just enough insight to help the company move forward in real time, said Stephen Cohen, former associate director of the SEC’s Division of Enforcement. “I can think of a couple of other cases where that’s not the case, where the compliance function is being talked about but not present in the ongoing dialogue,” added Cohen, who is now with law firm Sidley.

Compliance effectiveness vs. resources. Panelists also provided insight on how compliance teams can wisely spend their tight compliance budgets. Benchmark data is a good starting point to gauge how much compliance resources the company needs.

“It is never a good idea to be an outlier—either spending much less on compliance than your similarly sized competitors or spending much more—because if you’re spending much more, it means you’re not doing it effectively,” Brockmeyer said. And if you’re spending much less, she added, the government is going to have some hard questions as to how the compliance department is covering everything it needs to be covering.

EVALUATION OF CORPORATE COMPLIANCE PROGRAMS

Below are a few sample topics and questions from the Evaluation of Corporate Compliance Programs.
Analysis and Remediation of Underlying Misconduct
Root Cause Analysis–What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?
Prior Indications – Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?
Remediation – What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis?
Senior and Middle Management
Conduct at the Top – How have senior leaders , through their words and actions, encourage d or discourage d the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leaders hip m odel led proper behavior to subordinates?
Shared Commitment – What specific actions have senior leaders and other stakeholders (e.g., business and operational managers, finance, procurement, legal, human resources) taken to demonstrate their commitment to compliance, including their remediation efforts? How is information shared among different components of the company?
Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?
Source: Department of Justice

“I do not think more is better, I think smart is better,” said Hui Chen, the Justice Department’s in-house compliance counsel (who spoke as a member of the audience and not on the panel). Smart means using the data you have, analyzing what the company’s priorities and risks are, and “you go at it in the most efficient manner possible,” she said.

Ethics and compliance as the ‘corporate conscience.’ Ethics and compliance practitioners play an extremely valuable role. Quiñones described compliance as the “corporate conscience of the company.”

Ethics and compliance practitioners “help the company take stake in what it does, how it does it, and whether it is effectively dealing with the potential misconduct of individuals within the company,” as well as the impact that misconduct might have on the success of a company, the operation of the company, and the potential resulting liability, Quiñones said.

A poll conducted during the keynote panel found that many chief ethics and compliance officers (CECOs) feel they do play a prominent role in their companies. One-third of 174 respondents said the CECO is “part of senior management and reports to the CEO,” while another one-third said the CECO is “part of senior management and reports to the general counsel.” Seventeen percent said they have no dedicated compliance officer, indicating that this role is held by another individual in the company, while another 17 percent said the CECO is “part of senior management and reports to the board.”

Panelists also discussed the conflict of wearing both the legal and compliance hat. Sometimes what is best from a legal standpoint in terms of avoiding or reducing liability is not necessarily what is in the good conscience of the company, Brockmeyer noted.

As the only compliance practitioner on the panel, Drake took a different view: “If you have a seat at the table, that’s what matters.” It’s not so much about hierarchy, but rather what’s more important is that the person the CECO reports up to “gets compliance.” In other words, he said, that the CECO’s direct supervisor respects and understands the CECO’s role.

While separating legal from compliance is debatable, separating ethics and compliance, on the other hand, should be non-negotiable. “It’s a mistake not to consider the role of ethics for a chief compliance officer,” Cohen said. “I am a fan of ‘chief ethics and compliance officer’ as a title.”

“To not consider ethics in the context of compliance is a missed opportunity to communicate to the organization what values the company has.” Separating the two suggests that ethics and compliance are distinct; that compliance is simply about preventing employees from doing something that is legally wrong or out of step with the company’s standards of business conduct or rules and regulations; and that ethics is about everything else.

“When you join them, it communicates to your organization, ‘We value ethics in what we do,’ that compliance isn’t just about following the law, but is connected to how we go about doing our business,” Cohen said.

Concluded Brockmeyer: “If the message is, ‘business wins at all costs,’ no matter what you do with your compliance program, you’re not going to be able to stop the company from getting into trouble.”