Editor’s note: The following transcript of Assistant Attorney General Kenneth Polite Jr.’s keynote address at Compliance Week’s 2022 National Conference is edited by Compliance Week. Intentional omissions are signaled with ellipses.
For those of you who don’t know, I’ve had the great fortune of serving in a lot of different capacities during the time of my legal career. I’ve served as a prosecutor, I’ve served as a defense attorney … and, uniquely, I’ve also served as a chief compliance officer for a Fortune 500 company. I can tell you the detection and prevention of criminal conduct has been a constant across all three of those roles. But I also recognize that perhaps the most challenging of those roles was as a compliance officer.
I understand the resource challenges that you face. I understand the challenges that you have related to accessing data. The relationship challenges. The fact that oftentimes our compliance functions are labeled as cost centers not contributing to the bottom line of our organizations. The siloing of those functions.
All at the same time, you are called upon to be a resource for information. You’re asked to be an enforcer of law and policy—all while somehow being asked to be the primary architects of your company’s ethical cultures.
I’ve seen first-hand, though, how a strong compliance program can ward off misconduct and empower ethical employees. Although I now serve as the head of the Criminal Division and I believe enforcement is a critical tool for us, I also recognize it is not the only tool that we have. I firmly believe that the number of prosecutions and enforcement actions that we bring is not necessarily the best estimate or the most accurate measure of our success.
Again, having served in those three different capacities in my legal career, I know that your roles as a compliance official is perhaps the most impactful of the three. Why? Because you have a direct role in utilizing what is, in my view, the most effective tool in addressing crime and misconduct: helping to prevent it in the very first place.
That is why you will hear, you will see, and you have seen how closely we evaluate corporate compliance programs during our corporate investigations and after our corporate resolutions. We will give significant credit to companies that build strong controls to help detect and prevent misconduct.
I’m often asked, ‘Can you give us more guidance?’ Frankly, I can’t give you any more guidance, even if I wanted to. There’s not a one-size-fits-all for these. I often point to our resolutions. Look at our resolutions as guideposts.
Indeed, a few of our very recent results highlight the benefits of investing in a meaningful and effective compliance program as well as the cost of failing to make that investment upfront. We follow the facts of all these cases, and we determine the appropriate punishment based upon those facts. There are no preset outcomes. But I say this because it underscores what a difference you can make by empowering your compliance team and having an effective compliance program.
First, in March of this year, our FCPA Unit announced a corporate enforcement policy declination for Jardine Lloyd Thompson Group Holdings. Look up the declination letter—it highlights that this company was able to detect and disclose the misconduct to the Department of Justice and made enhancements to its compliance program to help mitigate the risk of reoccurrence of that misconduct going forward, all of which contributed to our decision to decline prosecution. It wasn’t the only factor; the others are set forth in the letter, including cooperation, provision of information about individuals, and remediation, but it is fair to say that without that significant investment in their compliance program, the outcome would have been different for that resolution.
On the flip side, we have recently announced resolutions with companies that failed to implement effective compliance programs, which contributed to recidivism. It contributed to pervasive misconduct within their organization. While the facts of these two separate matters are quite different—I’m talking about NatWest, and I’m talking about Balfour Beatty—both companies pleaded guilty in December and agreed to the imposition of an independent monitor for three years. Again, look at the plea documents. The Criminal Division determined that three-year monitorships were warranted in both cases because the companies had failed to fully implement and test their compliance programs by the time of the resolution.
This is not one-size-fits-all. Far from it. We tailor our responses and our resolutions to the particular cases.
If you look at one resolution from just last month, in April, our FCPA Unit again entered a deferred prosecution agreement with Stericycle. The company had failed in the past to implement an effective compliance program, which allowed for pervasive bribery and corruption to occur within its operations. But after that misconduct was discovered, the company did make significant enhancements to its program. But because the controls were so new and because they had not been fully implemented or tested by the time of the resolution, it was our assessment—and the company agreed to this—to impose a monitor for a shorter period of time, only two years.
I also want to describe in detail about how we evaluate corporate compliance programs to ensure that companies are designing and implementing effective compliance systems and controls, creating a culture of compliance, and promoting ethical values. We conduct that analysis at two different points: one when the misconduct occurred, and secondly at the time of the resolution itself. We use the same criteria at both times. As our guidance makes clear, we expect an effective corporate compliance program to be much more than a company’s policies, procedures, and internal controls. What we expect is that the company’s programs are well-designed; adequately resourced; empowered to function effectively; and last but not least, that they work in practice.
What does that mean? Let me start with the first one. When we say that we expect a company’s compliance program to be well-designed, we and I closely examine the company’s process for assessing risk and building a program that is tailored to then match those resources to that specific risk profile. We want to see whether the company has implemented policies and procedures that are designed to address the key risk areas identified in that risk assessment and that those policies and procedures are easily accessible, understandable, and reachable by your company’s employees and business partners. We want to know how the company is training its employees, management, and third parties on those risk areas. Policies, training, and other processes should address relevant high-risk elements of the company’s business model, such as third-party relationships or even mergers and acquisitions.
What we want to see at its baseline is this: That the company has established a process for reporting violations of law and violations of company policy. And that it encourages employees to stand up and speak up without fear of retaliation. That those reports are then taken seriously; appropriately documented; investigated; and if they are substantiated, that they are then remediated.
Secondly, when we are evaluating whether a compliance program is adequately resourced and empowered to function effectively, we and I want to know more than just dollars, more than just headcounts, more than just reporting lines. We will review the qualifications and expertise of your compliance personnel and other gatekeeper roles. We want to know if compliance officers have adequate access to and engagement with business functions, management, and the board of directors. We seek to understand whether and how a company has taken steps to ensure that compliance has adequate stature within the organization and is promoted as a resource in the organization. A company’s commitment to promoting compliance and ethical values at all levels, from the chief executive officer on down, is absolutely critical.
Last but not least, we want to see evidence that the compliance program is actually working and functioning effectively in practice. We look at whether the company is continuously testing the effectiveness of its compliance program—that it’s improving, that it’s adapting, that it’s updating the program to ensure that its sustainable and adapting to changing risks. We want to know that the company can identify compliance gaps or violations of policy or law. And equally as important, we want to know how the company addresses the root causes of those gaps or violations and finds ways to improve its controls and prevent reoccurrence of issues.
I certainly want to hear the stories about how you responded to that misconduct. What steps did you take to discipline the bad actors? But I also want to hear the success stories. I want to hear your compliance success stories: The transactions that were rejected due to the compliance risk, positive trends in your whistleblower reporting, and the partnerships that have developed between compliance officers and your business functions. We are also interested in how a company measures and tests its culture and how it uses the data from that testing to embed and continuously improve its ethical culture.
Now, there are a few separate questions of whether a company can demonstrate an ethical culture in practice. I referenced this earlier. But at bottom it’s this: Do employees feel empowered to bring issues forward? Do they feel empowered to raise questions and concerns to management’s attention? Are managers and compliance officers providing ethical advice to salespeople, for example, even though that advice may mean loss of business?
I can tell you that each and every day our Criminal Division prosecutors and investigators are using data analytics to detect and combat criminal schemes across this country and across this globe. I urge you, your corporations, and your companies to do the same—to consider what data analytic tools you could use to monitor compliance with laws and policies within your own operations and to help ferret out wrongdoing when it occurs. In addition, whether and how the company responds to prior misconduct speaks volumes to its commitment to compliance and an ethical culture.
I know many of you as friends and colleagues, and so I know the work that you’re doing on behalf of companies to help them design and implement compliance programs. Some of you may be making compliance presentations to our prosecutors in the very near future. Let me give you a few guideposts in these types of areas as well—when you’re in the room making your Filip Factor presentations.
On a practical level, when you’re communicating with us, it’s important to demonstrate how a compliance program has been upgraded to address the root causes of the misconduct. Again, how it’s being tested and updated to ensure that its sustainable and adaptable. I prefer not to hear a check-the-box presentation from outside counsel. … I like to see the chief compliance officer taking a prominent role in those presentations. Even leading the compliance presentation, the portion related to the compliance program, and demonstrating their knowledge and ownership of the compliance program. That’s not just for show, but I want to know … that is a leader that is empowered by that organization.
I’ll highlight one example for you: In a recent Filip Factor presentation, we turned to the chief compliance officer—who happened to be there along with outside counsel and general counsel—and asked a question, and the general counsel answered. That single act gave me all the information that I needed. That one act demonstrated, literally and figuratively, that chief compliance officer had no voice in that organization.
Based on what we learn about the company’s compliance program, we determine whether an independent monitor is appropriate and should be imposed. Again, our deputy attorney general recently spoke about monitorships—we believe that monitorships are effective tools for strengthening corporate compliance programs and companies where there are compliance weaknesses. Monitors can be allies to compliance officers, making recommendations that create lasting and sustainable change in corporate culture. When a monitorship is imposed, we follow the Criminal Division’s well-settled selection procedures.
Monitors of course are not appropriate in every case. For example, where a company has invested—not just from a financial perspective, but from a concerted commitment from the top down—in implementing a strong compliance program. Where a company has been able to test its controls and demonstrate that those controls are effective. Where a company has made a relevant update to its programs to adapt to changing risks. Where a company has cultivated a strong culture of compliance and ethical values, our prosecutors may decide not to impose a monitorship at all.
We have an entire section within the Fraud Section, an entire unit, focused in this area. Very recently, we changed the name of this section from Strategy, Policy, and Training to Corporate Enforcement, Policy, and Compliance to align that name frankly with the unit’s mission. We’ve announced new management there—it’s comprised of prosecutors, former compliance officials, and former defense attorneys with deep experience in compliance monitorships and corporate enforcement matters.
As I noted at the outset, I formerly served as a chief compliance officer. I believe I’m the first person to serve as head of the Criminal Division having served in such a role, but I’m proud to share with you that I am not the only person within the Criminal Division that has deep compliance experience. In fact, I’m not the only former chief compliance officer now working in the Criminal Division. We have a deep bench now in this unit, and we will continue to add more resources to it.
That unit, just so you have a full appreciation, has responsibility for many aspects of the Fraud Section’s corporate criminal enforcement practice. When a company comes in to make a compliance presentation, it will face tough, probing questions from this group. The unit also provides training on compliance and monitorship matters to prosecutors across the entire Department of Justice and works on policy issues. Having these resources helps us to use a consistent approach when evaluating whether a monitorship is appropriate.
When we determine that a monitor is not necessary, just to be clear, that does not mean that the company’s obligations to actually disclose to us comes to an end. In fact, that company still has obligations to continue to test and improve and demonstrate the effectiveness of its compliance programs going forward all the way up through the end of that resolution. Companies without a monitor are still required to comply with ongoing obligations and report to the Department of Justice regarding the status of their compliance obligations.
As you will see, and you will continue to see, we are holding companies accountable for failing to comply with their obligations under our corporate resolutions, including obligations to implement an effective compliance program, obligations to cooperate with us, and obligations to report allegations of misconduct. Our message is clear: Companies that make a serious investment in improving their compliance programs and internal controls will be viewed in a better light by the Department of Justice and by my Criminal Division. Support your compliance programs now—or pay later.
Chief compliance officers should have true independence, authority, and stature within their organizations. In order to further empower those individuals, for all of our corporate resolutions, including guilty pleas, deferred prosecutions, and non-prosecution agreements, I’ve asked my team to now consider requiring not just chief executive officers but also chief compliance officers to certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to help detect and prevent violations of the law. In certain resolutions, you will see this required additional certification language. By taking this step, we are ensuring that chief compliance officers receive all relevant compliance-related information and can voice any concerns that you have prior to certification.
Again, I’ve been in your chair. I understand all the challenges that you face. This announcement related to this additional certification is not intended to be punitive; it is a new tool in your arsenal to help combat those challenges. It’s the type of resource compliance officials, including myself, have wanted for some time because it makes clear you should have and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals to have the data, access, and voice within those organizations to ensure them and the Department that company has an ethical and compliance-focused program.
One final word. We often talk about our corporate enforcement function, and the primary goal is individual accountability, so I want to make sure I’m connecting the emphasis on strengthening compliance to some of our recent announcements highlighting the importance of individual accountability. When you’re before us for those presentations and you’re asked questions about the strength of your compliance program and whether it is adequately creating, maintaining, and supporting an ethical culture, the question again goes to individual accountability. We want to know that investment in compliance not simply because we want to see you’ve hired more consultants or that you bought more sophisticated training software.
Again, as a former chief compliance officer who now serves as the head of the Criminal Division, I want to know whether you are doing everything you can to ensure that when an individual employee is facing that singular ethical challenge, he has been informed, he has been trained, and he has been empowered to choose right over wrong. Or, if he makes the wrong choice, you have a system that immediately detects, remediates, disciplines, and then adapts to ensure that no others follow suit. That is how powerful a role you have in improving our corporate culture and improving our world. Embracing that calling today and every day—that is my call to you today. I look forward to working with all of you individually and collectively in preventing and combating criminality in our workplace and in our world at large.