After a successful career as a prosecutor and as corporate counsel, Hui Chen made headlines in 2015 when she joined the Department of Justice’s Fraud Division as its first-ever compliance consultant, a role meant to help the Justice Department and corporate compliance departments better understand each other so the latter could more easily abide by the demands of the former. Specifically, she helped prosecutors develop appropriate benchmarks for evaluating corporate compliance and remediation measures, and communicate those benchmarks to stakeholders, namely companies under the Department’s jurisdiction. Companies appreciated Chen’s work as well, because the guidance she helped to develop gave them a better idea of what to expect as they tried to secure prosecution agreements and abide by monitoring and other conditions.
Chen made headlines once again in 2017 when she resigned from her position at the Justice Department as her contracted time there was starting to draw to a close. Though she could have stayed longer, she chose to leave amid the tumult of the early Trump administration, with news of various investigations and ethical conflicts. She has since established herself as a thought leader specializing in organizational ethical transformations. She is also a frequent speaker at industry events, and a prolific writer.
Your experience as the DoJ’s compliance counsel expert produced some really wonderful work, most notably the "Evaluation of Corporate Compliance Programs" document, which did much to let compliance officers better understand what the Department of Justice would expect of them. In that vein, what do you think are some of the best lessons corporations can learn from U.S. regulatory agencies to drive better compliance practice?
The most important lesson is if you do have to demonstrate your compliance program to anyone, whether it’s a regulatory body or a prosecuting agency or your own board or other stakeholders, I think you want to think in terms of what is the evidence of the claims you’re trying to make. By evidence, I mean, when you say you have a good training program, what does that mean? If you’re showing people your completion rate, all you are evidencing is that you make people sit through or click through training. If you’re going to say your program or training is good, what was the objective that you set out to accomplish and how did you measure that actually achieved that objective? That is something that has been missing a lot.
Recently, I got a question from someone who said, “We always say compliance makes good business. Are you aware of a good business case for that?” I asked, what do you mean “good business?” What does that mean? Does that mean good employee engagement? Does that mean more process? More innovation? All of those things can mean good business. So first you have to tell me what you mean by good business, and then we have to figure out how to go measure it, and then we have to actually go measure it, and then we have to separate causation from correlation. All of those steps are completely missing in the discussion that we’re having these days.
Your professional history lets you see the innovation in compliance departments as well. In what ways can regulatory agencies learn from the best practices and compliance innovations from companies themselves? To what degree must regulators and the regulated learn from each other?
Let me start by making a distinction between regulators and prosecutors. At the end of the day, there is a big difference between prosecutors and regulators. I have never been a regulator. I have been a prosecutor and I’ve been in-house. Regulators have a different set of interests than prosecutors do.
As I always remind people when I was retained by the Fraud Section, the Fraud Section has no interest in looking at people’s compliance programs just for the heck of it. They do it because that company is under criminal investigation. When that happens, we’re usually not talking about a small slip-up. We’re talking about something that is so significantly systemic and impactful that it is causing an entire organization to be potentially liable as an entity for criminal violations. That is the angle from which I was looking at programs as the Fraud Section’s compliance expert.
I think regulators actually could take a look at the examples that the Fraud Section has set in creating the compliance counsel role in getting more of the in-house and industry expertise as their input. We see a lot of regulators who have served in the regulatory role and then go to a firm that works with in-house clients but you don’t see a lot of the reverse. You don’t see a lot of them bringing the expertise of somebody who has worked in-house into a regulatory body and say, you know, tell us what works and what doesn’t. For example, I often hear healthcare companies say that under the guidance they get from the Department of Health and Human Services, they are required to train everyone on, say, anti-kickback training to everyone.
Now, is it important to give everyone, including the janitors who clean the hallways, the same training that you give to business development people? Yes, you probably want to give everyone some training, but should everyone be trained on a specific topic, is the first topic, and second, if they do have to be trained, do they all receive the same training? I think it would be really helpful if there is more of a dialogue on that from the regulators.
Where do you see the general trajectory of regulatory enforcement going in the United States? It would seem that there is a new focus on less enforcement ... or is this a case of perception versus reality?
There has been a lot of talk by the current administration about deregulation. How that will actually play out is yet to be seen because these things usually do not happen overnight. But this is one of the things where I’m increasingly focusing on the ethics part of ethics and compliance. To me, those things are intertwined.
I think one of the things companies need to think about is what is their ethical grounding? What do they want to do that reflects their institutional values? If you’re only chasing the regulatory wind then you’re going to be caught by surprise at some point one way or the other. But the important thing to think about is what is your institutional value and how do you ensure that value is actually reflected in the way you do business, regardless. I’m not saying don’t pay attention to the regulatory environment, but I think it’s important for companies to start with their values and then get that grounded and then look at what’s required of you.
Would you say that integrating ethics and compliance is a strong strategy for CECOs to prove their value to the organization?
Absolutely. I think it’s fundamental that you start there. But this fundamental element has so often been overlooked. In one of the stories Andrew Weissmann—head of the Fraud Section, but now he’s on detail to Robert Mueller’s team—liked to tell from his early days at Fraud Section, he asked a company about whether they had any compliance oversight of a particular area and the company said, no, because that area was not regulated. That story made it all the way to Loretta Lynch, the then-attorney general, because it was so incredible that the company was so candid in saying, if you didn’t regulate something, we didn’t care.
Compliance, when you’re looking at the pure meaning of the word, is just doing what is required of us. If that’s your level of focus, then every regulation in a way becomes an obstacle to overcome. Can we do things another way? Is there a way around that? But if you look at ethical grounding, that is who you are about, and certainly from the kind of cases that would make their way to the Fraud Section, they are talking about fundamental stuff. You look at State Street Bank, their resolution with the Justice Department is essentially about lying to customers. No regulator said you couldn’t do a form this way or that way, but as I like to say, is that what your momma taught you?
One of the things you are working on is helping organizations achieve “ethics-driven cultural transformations.” How can an organization best pursue an ethical cultural transformation in a way that delivers measurable results that can turn even the most skeptical mind into wanting to support an ethics and compliance initiative?
This is where organizations have to dig deep into their own values systems. It is not uncommon at all to have a company that gets in trouble with a particular set of senior management, they boot that management out and bring in new leaders. When I was at the Justice Department, there was a particular case where a new CEO came in and did a bottom-up cultural evaluation exercise. He started with the very bottom of the company and asked employees what does it mean to work for this company. What is the value to them about why they come to work every day? What makes them proud of being an employee of this company? Or what would make them proud? This became a bottom-up exercise, so its value is not a bunch of slogans that senior management went to a PR firm and came up with, it’s actually something that derived out of a soul-search of the entire organization from the bottom up. I think this is the kind of exercise that would be good for companies to do at some level every once in a while.
I do think more corporate values are derived from the board retaining some outside agencies to say, “these would be good to do.” And it becomes a PR exercise. I hope all those changes in titles are not just a semantic exercise but are an actual reflection of their priorities because frankly, everybody uses the word “integrity.” I don’t even know what it means any more. What I would love to do is to go to one of these companies that has integrity as one of its values and walk into their factory or their store and ask, “what does that mean to you and your daily work when your company says it has integrity?”
I think they have to get real with their employees and talk to them and with stakeholders who do business with them to flesh this out. Ethics are, by definition, just a set of principles. So, whose principles are they?
In a larger organization where a compliance issue may arise in one area but ultimately affects the entire organization, might there be a resentment issue with parts of the organization that weren’t necessarily part of the problem, but now must become part of the solution?
A lot of the times, when you have a pervasive culture issue, you need to help the employee see the root-level issue and then let them come up with how that has played out, if at all, in their work. For example, consider Wells Fargo (which I did not work on, by the way). Wells Fargo’s issue obviously is well known. I’m actually a Wells Fargo customer. To this day, I do not know if accounts have been opened in my name. In the wake of their accounts scandal, I wrote to my account manager and said that I needed to confirm that this is not happening with me. I never got a response. So let’s flip this around: if I was going into Wells Fargo to diagnose their issue, I would meet with my account manager who might say he did nothing wrong, but I would say, have you assured your customers that you have done nothing wrong? And if you haven’t, then why do you choose not to do that?
I think by digging into some of those things, you begin to probe the mindset. What is my job and how can I do it? Is it to service the customers the best I can and earn their trust and their business that way, or is my job to find other customers and open legitimate accounts with them? And that reflects itself in many different ways. It may not be wrong legally, but it’s certainly not good for business. So when you dig down to it, what do I think is my purpose coming into work every day and how do I go about accomplishing that? Once you dig down to that level, there is going to be manifestations of that problem in different ways. Some may not be a legal or a compliance problem, but they certainly can be a business problem. Doing that kind of exercise is where compliance can demonstrate value. Compliance is there to solve business problems, and this would be a perfect example of that.
Compliance training and outreach becomes ever more important for organizations working across different regulatory jurisdictions and that are becoming more complex themselves. What are some areas where you think compliance programs could improve when it comes to training, outreach and communications?
I’m concerned about companies stopping after the first step of rolling out training on a topic; everybody in the company is required to do it, and once they’ve done it, the compliance officer has more pressing things to worry about. And that first step becomes the last step that they do.
I think that in the ideal scenario I want there to be no dedicated compliance training because all of the compliance training is actually integrated into the different on-the-job training that every function does. If I am a salesperson, for example, when I come into the company, I will be trained on how to do my job. This is our product, how we sell it…and part of that training, together with how to sell, is also how not to sell. You incorporate anti-competition and anti-corruption training, price fixing…all the components are there. They’re just not called compliance training. They’re called how to do your job training.
Now that, I haven’t seen any companies do. One, because everybody thinks that regulators and prosecutors want standalone training. Two, it’s far more complex to accomplish because it requires an incredibly cohesive approach. If somebody managed to do it, I think that would wow the DoJ or the SEC. But you’d have to actually make it happen first.
The compliance profession has undergone significant change in the last 15 years. Where do you see the compliance field heading over the next several years, and more importantly, what do you think compliance officers will have to do to keep their skill sets relevant?
I just got back from Brazil, which is relatively new to this field. It was not surprising that half of the people I met were either currently or formerly with a U.S.-based company. The U.S.-based companies have been the ones essentially training these compliance officers in many emerging markets because they’re the ones who have this function. Many Brazilian companies are new to these concepts.
Last summer, I met a group of general counsel from Chinese state-owned companies, and they were in the U.S. on a study tour. When I talked to them, their compliance concept was they don’t really have compliance. They have lawyers, accountants and controllers and auditors. They’re not even at the compliance officer function stage. They have the traditional control functions and that’s what they think is compliance.
So I think there is a divergence in where the different markets are. Ultimately, we are collectively moving in the same direction, which is going toward the more integrated, strategic function in the company. But how long are we from achieving that? Within the United States, which is a more developed market, it varies. I have seen compliance officers that are truly part of the leadership, integrated into the company’s strategic decision making. I think that’s still somewhat unusual. But certainly, you see more of that in the U.S. than anywhere else. The rest of the world is at different stages from that goal.
To make sure that we move in that direction, I think compliance officers need to step up to the plate. Compliance officers need to talk like businesspeople. They need to know the business. Even when I worked for one of the Fortune 50 companies, we had compliance officers who didn’t know the products of the company, and who didn’t know where the revenue was coming from. You can’t have that. If you want to be a strategic player, you have to know the strategies of the company. You have to be up to date on what your company is doing as a whole.
If compliance officers cannot go to their business stakeholders and present return on investment data, just like anyone else in the business, they will always be seen as the laggard function that is a black hole into which we pour money and get nothing from. That’s how a lot of people perceive compliance. Until you can present something to contradict that, that would be a true assumption. And that hurts your credibility within the company. When you can say “we need to do training” and your only justification is so that some day when you’re in trouble you can show your training record, that’s not a compelling business case. If you want to ask for money for training, define your objectives and then measure results, and show some return on investment. A lot of compliance people have focused on whether they have been given a place at the table; what have you done to earn that place at the table?