Q&A: Ex-DOJ official on policy changes, new CCO expectations

Scott Hulsey, partner at Barnes & Thornburg, former federal prosecutor, and former chief compliance officer at General Electric Energy Connections (now GE Vernova), discusses with Compliance Week how CCOs should respond to the DOJ’s recent changes and reestablished expectations.

Q. The DOJ made policy changes in 2022 related to how it will prosecute corporate crime. Based on your experience as a former DOJ prosecutor and CCO, how do you see these policy changes playing out in 2023 regarding the compliance profession?

A. The DOJ continues to double down on the importance of effective compliance programming when considering corporate resolutions and the imposition of monitorships. Compliance controls and open reporting systems are critical to the early detection and voluntary disclosure by companies of misconduct—something which the DOJ has increasingly emphasized as critical.

The DOJ has specified new expectations in its recent updates, such as tethering compensation to compliance. Consequently, compliance professionals have a lot of new considerations to digest and implement. That said, compliance programming at its core has not changed: companies still must tailor training and controls to their risk profiles, have effective open reporting and investigation processes, and establish a protocol of addressing misconduct.

Q. Do you think these policy changes will help empower compliance professionals within their organizations?

A. The recent DOJ updates provide compliance professionals with ammunition for seeking resources and enhancing their compliance programs. Corporate executives, nevertheless, are more likely to be persuaded by business considerations rather than speculation about future wrongdoing, which may be viewed as remote. This means showing executives compliance programming results in better business practices, trustworthy partnerships, and less regulatory interference.

Q. How should corporate compliance officers respond to the DOJ policy change that increases accountability for individuals who commit and profit from corporate crime?

A. The updates have revitalized the Yates (my former boss) Memo, recognizing corporate wrongdoing is more likely to be deterred by penalizing the behavior of individuals giving rise to that misconduct. Corporate compliance officers leading investigation efforts will want to conduct investigations with this in mind—for example, prioritizing the recovery and analysis of communications and other information related to individual targets. This means also taking appropriate—and swift—remedial action against those found to be culpable, in addition to making timely decisions about disclosure.

Q. How should compliance officers respond to the DOJ’s policy changes related to corporate voluntary self-disclosure of violations? How can they encourage their employers to self-disclose?

A. In the first instance, companies will need effective controls and open reporting and investigation systems to detect misconduct. Given the DOJ’s emphasis in these updates on early disclosure, compliance professionals will be confronted with especially tough decisions. They may need to act with less evidence than they are comfortable with and possibly produce to the government evidence before fully understanding its significance. Having clear and thoughtful investigation protocols can facilitate these decisions. Compliance professionals in many cases will need to rely on outside counsel to assist in making these difficult calls.

Q. What is your opinion on the use of CCO certifications at the end of corporate resolutions? Do such certifications include a CCO to be part of the solution or do they create individual liability for that CCO?

A. The DOJ’s stated purpose in requiring certifications is to ‘empower’ CCOs by signaling to the company the importance of their role. Certifications, of course, carry potential criminal liability, if false. Determining what is falsified potentially is open to individual interpretation in the compliance context—what is ‘effective,’ ‘reasonably designed,’ etc.—leaving broad discretion to prosecutors.

There’s not a meaningful track record of enforcement to be able to accurately predict how certifications will be policed. In the meantime, CCOs understandably may be anxious about signing off on resolutions, especially where the actual ownership and implementation of the resolution rests with the business functions themselves. Compliance, after all, is a support function.