Within compliance and ethics circles, there is an ongoing conversation that is not gaining nearly as much attention as it deserves. The topic is the way in which corporate counsel deals with internal investigations, the bottom line of which is that lawyers are doing less writing and more speaking in their internal investigative work. As a result, there could be less that might be caught in litigation and used against their clients. There has even been discussion that this is not as negative a development as one might think, and that investigations could proceed even with this restriction.
There is an important point here, however, that is missing. First, in corporate investigations, writing is essential. There needs to be a verifiable record of what happened and why. There must be a basis to ensure disciplinary action is taken as appropriate. But most importantly, there needs to be a root cause analysis if there was indeed any wrongdoing, and the lessons learned need to be shared throughout the company. For all of the years that investigators have documented their work, they were not being careless or stupid. They knew what they were doing and wanted to maximize their effectiveness. Internal investigations are core elements of corporate compliance and ethics programs, and written communications are key for ensuring the effectiveness of any such program.
Yet, the ones who say they need to decrease their writing are, sadly, also right in doing so. They know any protection is uncertain and that they face a legal environment that is hostile to their work. Notes of any investigation and reports on the findings and recommendations will certainly be sought by adversaries. And while attorney client privilege and, for activities connected with litigation, work product protection, have their place, there remain risks. For example, protections may be deliberately or accidentally waived, and the more written information is shared in the company, the greater the risk that protections will not apply.
This is, in fact, the big story here that no one is addressing. We lawyers tell our clients about the importance of compliance and ethics programs. We tell them about the U.S. Sentencing Guidelines and the provisions in the U.S. Attorneys Manual and the SEC’s Seaboard Decision to the effect that having an effective compliance and ethics program will count when dealing with enforcers. This is all true. And there are enforcers and agencies that are serious about this, in the United States and around the world.
But we do not tell them the rest of the story—a dirty little secret that even many practitioners do not recognize. The legal system is at war with itself when it comes to corporate compliance efforts, with courts and agencies seriously undercutting corporate self-policing efforts. The perverse effects of this multifaceted attack permeate the system, but are essentially unnoticed. Perhaps we lawyers are just accustomed to the system. Yet a system that undercuts compliance and ethics efforts is one that comes at a terrible cost to our society.
In the four decades I have been doing compliance work, I have seen these developments often endured quietly by our field. Instead of encouragement and recognition, our work is used against our companies or treated with hostility by agencies and courts without the slightest deference. This has occurred, and continues to occur, on a number of different fronts:
We need effective compliance and ethics programs in companies and other organizations to protect the public. The government should be promoting, not harming these important efforts. And it is time for all champions of compliance to help to take a stand.
Sacrificing compliance and ethics to litigation. Compliance program work can be and has been used against companies in litigation, even going so far as to have notes from compliance training used to assess punitive damages in an employment discrimination case. In Stender v. Lucky Stores, Inc., 803 F. Supp. 259, 330 (N.D. Cal. 1992), for example, a company’s compliance training notes were used against it as basis for punitive damages. Conflicts of this sort have been referred to as the litigation dilemma. Those who have stopped writing in investigations have taken this unfortunate lesson to heart.
Codes of conduct. The National Labor Relations Board has taken action against companies based on their codes of conduct and other employee guides. Thus we have seen the board condemn adoption of a code of conduct as an unfair labor practice and conjure up arguments that language such as “Be respectful to the company, other employees, customers, partners, and competitors” is a violation of U.S. labor law. NLRB enforcers show no regard for corporate efforts to prevent illegal and unethical conduct.
Compliance helplines. EU privacy regulators have undercut compliance helplines and in some countries even bar anonymous employee reports. It can be illegal to allow an employee victim to report misconduct by the boss unless the employee discloses his or her own identity (thus making it easier for the boss to retaliate).
Attorney-client privilege. EU competition enforcers (and courts, following their lead) have rejected in-house attorney-client privilege to get access to counsel’s legal advice to employees, undercutting counsel’s role in helping assure compliance. Perhaps legal counsel in Europe will also learn the lesson of writing less, talking more, and being less effective in preventing misconduct.
Zero tolerance for failure. EU competition law enforcers also actually use companies’ compliance programs against the companies and give no benefit for any program, no matter how rigorous. Any program that does not prevent or catch violations is a “failed” program, worth nothing to these enforcers.
Self-policing. A variety of other agencies and courts have taken actions making compliance programs more difficult or risky, with no concern for the importance of corporate self-policing. For example, in at least one case in the United States, state open records laws have been used to expose helpline calls and cases from compliance operations in a state university. OSHA has announced overt hostility to any program that rewards work units for having safe records, on the theory that employees will be deterred from reporting injuries—even if the incentives in fact reduce injuries.
The Model Effective Compliance and Ethics Program Promotion Act
(1) Effective compliance and ethics programs as used in organizations to prevent violations of law and promote ethical conduct are in the public interest. Corporations and other organizations can provide great benefits to society, but can also cause great harm. The public’s health, safety, protection, and financial security are at stake in dealing with such organizations. Prevention of such harm is an essential function of government and a priority for all those in government. Thus organizations that adopt and operate effective compliance and ethics programs are acting in the public interest.
(2) The provisions of this Act are to be broadly construed to further the intent to protect and promote effective compliance and ethics programs. This will in turn promote the various laws that are addressed in such effective programs.
(3) An effective compliance and ethics program is a program that meets the standards of the United States Sentencing Guidelines, U.S. SENTENCING GUIDELINES MANUAL §8B2.
(4) Agencies should act to promote and recognize effective compliance and ethics programs and to guide organizations to make their programs effective.
(5) Agencies should avoid actions that discourage or interfere with development and operation of effective compliance and ethics programs.
(6) Effective compliance and ethics programs, including the records of such programs, should not be used against organizations in litigation, should not be admitted into evidence, and should not be subject to discovery.
(7) Agencies should adopt effective compliance and ethics programs for their own operations.
(8) The provisions of this Act only apply to an effective compliance and ethics program that meets the standards of this Act. A compliance program that is used to commit or conceal violations of law shall not be considered effective and shall not have the protections provided by this Act.
(9) Definitions:
a. “Litigation” includes civil litigation, criminal proceedings, and administrative proceedings.
b. “Organization” shall have the same meaning as used in18 USC §18.
c. “Agency” includes all agencies, administrations, authorities, regulatory bodies, enforcement offices, and any other part of government that may interact with organizations.
—Joe Murphy
There are certainly enforcers and agencies that value the role we can play in fighting corruption. The Fraud Section of the Department of Justice’s Criminal Division has made it clear that it considers compliance programs and will credit companies that carry out diligent compliance work in good faith. The joint Justice Department and SEC FCPA guidance, A Resource Guide to the U.S. Foreign Corrupt Practices Act, sends this same strong message.
The Canadian Competition Bureau is another example of an enforcement agency that values preventative efforts and recognizes and promotes compliance programs. In 2015, it issued Corporate Compliance Programs, a practical guide on compliance programs, and it has let businesses know that effective programs matter in its enforcement decisions.
But elsewhere in the legal system there are courts and agency officials with little to no regard for the importance of compliance and ethics work. To them, C&E seems to be nothing more than a foolish diversion to be put down as unimportant, or even a resource to be used against those naive enough to implement it.
This has undermined effective programs in ways that make no sense:
No anonymous calls allowed in some places, which facilitates retaliation
Discouraging use of helplines
Delays in implementing helplines pending bureaucrats’ approval
Codes written in legalistic terms
No note-taking in training
Dumbing down, or not even doing, written reports on investigations, risk assessment, and program assessments
Requiring time be wasted on bureaucratic exercises instead of being devoted to preventing crime and misconduct
Important lessons not shared in companies
Communications rendered less effective
Compliance and ethics professionals deterred from taking effective action
Programs handicapped in ways that make them less effective
Organizations in general, and compliance practitioners in particular, should not quietly accept these bad policies. In the years I have done compliance and ethics work I have met many dedicated compliance and ethics people who put their hearts into doing the right thing. They struggle against resistance and the status quo, trying to move companies and other organizations in the right direction. It is unfortunate that they receive so little recognition anywhere for this work. But it is truly outrageous when those in government care so little that they do not bother to consider the work of these professionals and make their difficult work even more dangerous and unwelcome. Compliance and ethics professionals represent the public interest within companies. Government should be their ally, not their adversary.
In a draft article I have submitted to the Rutgers University Law Review, I have proposed The Model Effective Compliance and Ethics Program Promotion Act, a legislative solution to balance other legitimate interests against the need to encourage and support corporate self-policing. But that is just a starting point that underscores the obvious: We need effective compliance and ethics programs in companies and other organizations to protect the public. The government should be promoting, not harming these important efforts. And it is time for all champions of compliance to help to take a stand.
Joe Murphy is the author of 501 Ideas for Your Compliance & Ethics Program and A Compliance & Ethics Program on a Dollar a Day.
No comments yet