Earlier this week, the DOJ Criminal Division released this guidance document titled “The Evaluation of Corporate Compliance Programs” (ECCP).
The latest version of the guidance document which “sets forth topics that the Criminal Division has frequently found relevant in evaluating a corporate compliance” is likely to generate a substantial amount of coverage. However, there is little new substantive information in the document compared to the DOJ’s February 2017 release of its Evaluation of Corporate Compliance Programs (see here for the prior post) and in fact there was little new information in the February 2017 document as it cited to sources long in the public domain). Indeed, the ECCP contains a spot-on footnote which states that many of the topics discussed appear in other resources long in the public domain.
While the ECCP is not Foreign Corrupt Practices Act specific, it is FCPA relevant. Nevertheless, the policy issue raised with the ECCP (as well as other forms of DOJ guidance) is what should happen if a business organization acts consistent with the factors, but an employee nevertheless exposes the entity to legal liability. Consistent with the FCPA-like laws of many peer countries, this should be relevant as a matter of law and not merely in the opaque, inconsistent, and unpredictable world of DOJ decision making. (See here).
There is nothing “wrong” with the ECCP per se, but keep in mind the following information when reviewing the ECCP.
The ECCP uses the word “effective” 49 times, however there is no legal requirement that business organizations have “effective” compliance programs. The FCPA’s internal controls provisions (in other words the law) require issuers to have “internal accounting controls sufficient to provide reasonable assurances” that certain limited financial objectives are met. The FCPA then provides the following definition of “reasonably assurances” and “reasonable detail” – “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” If compliance professionals and others strive to have a compliance program that exceeds statutory requirements that is great. However, the legal and policy concern with the ECCP is that in an official U.S. government document the DOJ says it is going to base decisions about the form of any resolution or prosecution, monetary penalty and compliance obligations contained in any corporate criminal resolution” on specific factors, most of which, are not even found in any law passed by Congress.
The ECCP is not a legal document that establishes liability for non-compliance. Rather, as stated in the ECCP, when legal violations are established (whether in the FCPA context or otherwise), the ECCP assists prosecutors in determining “the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations.)
The ECCP is “neither a checklist nor a formula” and “in any particular case, the topics and questions set forth [in it] may not all be relevant, and others may be more salient given the particular facts at issue.” In this regard, the ECCP contains 151 questions.
The ECCP is full of vague and ambiguous words or concepts such as: encouraging, pressuring, well-integrated, culture of compliance, appropriately tailored, efficient and trusted mechanism, properly scoped, risk-based, high-level commitment, sufficient (such as sufficient resources, autonomy, staffing, and funds), empowered, honest, meaningful efforts, stale, gap analysis, timely, thorough, properly scoped, thoughtful,
With these important data points in mind, the ECCP is organized around “three overarching questions that prosecutors ask in evaluating compliance programs.”
- “First, is the program well-designed?”
- “Second, is the program effectively implemented?”
- Third, does the compliance program actually work in practice.”
The ECCP begins with the following introduction.
“The “Principles of Federal Prosecution of Business Organizations” in the Justice Manual describe specific factors that prosecutors should consider in conducting an investigation of a corporation, determining whether to bring charges, and negotiating plea or other agreements. These factors include “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision” and the corporation’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.” Additionally, the United States Sentencing Guidelines advise that consideration be given to whether the corporation had in place at the time of the misconduct an effective compliance program for purposes of calculating the appropriate organizational criminal fine. Moreover, the memorandum entitled “Selection of Monitors in Criminal Division Matters” issued by Assistant Attorney General Brian Benczkowski (hereafter, the “Benczkowski Memo”) instructs prosecutors to consider, at the time of the resolution, “whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal controls systems” and “whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future” to determine whether a monitor is appropriate.
This document is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).
Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Criminal Division does not use any rigid formula to assess the effectiveness of corporate compliance programs. We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation. Accordingly, we make an individualized determination in each case. There are, however, common questions that we may ask in the course of making an individualized determination. As the Justice Manual notes, there are three “fundamental questions“ a prosecutor should ask:
1. “Is the corporation’s compliance program well designed?“
2. “Is the program being applied earnestly and in good faith?“ In other words, is the program being implemented effectively?
3. “Does the corporation’s compliance program work“ in practice?
In answering each of these three “fundamental questions,“ prosecutors may evaluate the company’s performance on various topics that the Criminal Division has frequently found relevant in evaluating a corporate compliance program. The sample topics and questions below form neither a checklist nor a formula. In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue. Even though we have organized the topics under these three fundamental questions, we recognize that some topics necessarily fall under more than one category.”
Under the heading “Is the Corporations’s Compliance Program Well Designed?” the ECCP states.
The “critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.”
Accordingly, prosecutors should examine “the comprehensiveness of the compliance program,” ensuring that there is not only a clear message that misconduct is not tolerated, but also policies and procedures – from appropriate assignments of responsibility, to training programs, to systems of incentives and discipline – that ensure the compliance program is well-integrated into the company’s operations and workforce.
It then lists the following factors:
- Risk Assessment
- Policies and Procedures
- Training and Communications
- Confidential Reporting Structure and Investigation Process
- Third Party Management
- Mergers and Acquisitions
Under the heading Risk Assessment, the ECCP states:
“The starting point for a prosecutor’s evaluation of whether a company has a welldesigned compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.
Prosecutors should consider whether the program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment.” For example, prosecutors should consider whether the company has analyzed and addressed the varying risks presented by, among other factors, the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.
Prosecutors should also consider “[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment” and whether its criteria are “periodically updated.” (“the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [of the compliance program] to reduce the risk of criminal conduct”).
Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area. Prosecutors should therefore consider, as an indicator of risk-tailoring, “revisions to corporate compliance programs in light of lessons learned.”
Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?
Risk-Tailored Resource Allocation – Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?
Updates and Revisions – Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”
Under the heading Policies and Procedures, the ECCP states:
“Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process. As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees. As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.
Design – What is the company’s process for designing and implementing new policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?
Comprehensiveness – What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?
Accessibility – How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access?
Responsibility for Operational Integration – Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?
Gatekeepers – What, if any, guidance and training has been provided to key gatekeepers in the control processes (e.g., those with approval authority or certification responsibilities)? Do they know what misconduct to look for? Do they know when and how to escalate concerns?”
Under the heading Training and Communications, the ECCP states:
“Another hallmark of a well-designed compliance program is appropriately tailored training and communications.
Prosecutors should assess the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners. Prosecutors should also assess whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise. Some companies, for instance, give employees practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise. Prosecutors should also assess whether the training adequately covers prior compliance incidents and how the company measures the effectiveness of its training curriculum.
Prosecutors, in short, should examine whether the compliance program is being disseminated to, and understood by, employees in practice in order to decide whether the compliance program is “truly effective.”
Risk-Based Training – What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees, including training that addresses risks in the area where the misconduct occurred? Have supervisory employees received different or supplementary training? What analysis has the company undertaken to determine who should be trained and on what subjects?
Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the audience? Is the training provided online or in-person (or both), and what is the company’s rationale for its choice? Has the training addressed lessons learned from prior compliance incidents? How has the company measured the effectiveness of the training? Have employees been tested on what they have learned? How has the company addressed employees who fail all or a portion of the testing?
Communications about Misconduct – What has senior management done to let employees know the company’s position concerning misconduct? What communications have there been generally when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?
Availability of Guidance – What resources have been available to employees to provide guidance relating to compliance policies? How has the company assessed whether its employees know when to seek advice and whether they would be willing to do so?”
Under the heading Confidential Reporting and Investigation Process, the ECCP states:
“Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. Prosecutors should assess whether the company’s complaint-handling process includes pro-active measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers. Prosecutors should also assess the company’s processes for handling investigations of such complaints, including the routing of complaints to proper personnel, timely completion of thorough investigations, and appropriate follow-up and discipline.
Confidential reporting mechanisms are highly probative of whether a company has “established corporate governance mechanisms that can effectively detect and prevent misconduct.” (an effectively working compliance program will have in place, and have publicized, “a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation”).
Effectiveness of the Reporting Mechanism – Does the company have an anonymous reporting mechanism, and, if not, why not? How is the reporting mechanism publicized to the company’s employees? Has it been used? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?
Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?
Investigation Response – Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?
Resources and Tracking of Results – Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses?”
Under the heading Third Party Management, the ECCP states:
“A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.
Prosecutors should also assess whether the company knows its third-party partners’ reputations and relationships, if any, with foreign officials, and the business rationale for needing the third party in the transaction. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.
In sum, a company’s third-party due diligence practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to “detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”
Risk-Based and Integrated Processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?
Appropriate Controls – How does the company ensure there is an appropriate business rationale for the use of third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?
Management of Relationships – How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks? How does the company monitor its third parties? Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past? How does the company train its third party relationship managers about compliance risks and how to manage them? How does the company incentivize compliance and ethical behavior by third parties?
Real Actions and Consequences – Does the company track red flags that are identified from due diligence of third parties and how those red flags are addressed? Does the company keep track of third parties that do not pass the company’s due diligence or that are terminated, and does the company take steps to ensure that those third parties are not hired or re-hired at a later date? If third parties were involved in the misconduct at issue in the investigation, were red flags identified from the due diligence or after hiring the third party, and how were they resolved? Has a similar third party been suspended, terminated, or audited as a result of compliance issues?”
Under the heading Mergers and Acquisitions, the ECCP states:
“A well-designed compliance program should include comprehensive due diligence of any acquisition targets. Pre-M&A due diligence enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete due diligence can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.
The extent to which a company subjects its acquisition targets to appropriate scrutiny is indicative of whether its compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization.
Due Diligence Process – Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What is the M&A due diligence process generally?
Integration in the M&A Process – How has the compliance function been integrated into the merger, acquisition, and integration process?
Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities?”
Under the heading “Is the Corporation’s Compliance Program Being Implemented Effectively?” the ECCP states.
“Even a well-designed compliance program may be unsuccessful in practice if implementation is lax or ineffective. Prosecutors are instructed to probe specifically whether a compliance program is a “paper program” or one “implemented, reviewed, and revised, as appropriate, in an effective manner.” In addition, prosecutors should determine “whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts.” Prosecutors should also determine “whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.” (criteria for an effective compliance program include “[t]he company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated”).”
It then lists the following factors:
- Commitment by Senior and Middle Management
- Autonomy and Resources
- Incentives and Disciplinary Measures
Under the heading Commitment by Senior and Middle Management, the ECCP states:
“Beyond compliance structures, policies, and procedures, it is important for a company to create and foster a culture of ethics and compliance with the law. The effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from the top.
The company’s top leaders – the board of directors and executives – set the tone for the rest of the company. Prosecutors should examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example. Prosecutors should also examine how middle management, in turn, have reinforced those standards and encouraged employees to abide by them. (the company’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight” of it; “[h]igh-level personnel … shall ensure that the organization has an effective compliance and ethics program” (emphasis added)).
Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged compliance, including the type of misconduct involved in the investigation? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How have they modelled proper behavior to subordinates? Have managers tolerated greater compliance risks in pursuit of new business or greater revenues? Have managers encouraged employees to act unethically to achieve a business objective, or impeded compliance personnel from effectively implementing their duties?
Shared Commitment – What actions have senior leaders and middle-management stakeholders (e.g., business and operational managers, finance, procurement, legal, human resources) taken to demonstrate their commitment to compliance or compliance personnel, including their remediation efforts? Have they persisted in that commitment in the face of competing interests or business objectives?
Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?
Under the heading Autonomy and Resources, the ECCP states:
“Effective implementation also requires those charged with a compliance program’s day-to-day oversight to act with adequate authority and stature. As a threshold matter, prosecutors should evaluate how the compliance program is structured. Additionally, prosecutors should address the sufficiency of the personnel and resources within the compliance function, in particular, whether those responsible for compliance have: (1) sufficient seniority within the organization; (2) sufficient resources, namely, staff to effectively undertake the requisite auditing, documentation, and analysis; and (3) sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee. The sufficiency of each factor, however, will depend on the size, structure, and risk profile of the particular company. “A large organization generally shall devote more formal operations and greater resources . . . than shall a small organization.” By contrast, “a small organization may [rely on] less formality and fewer resources.” Regardless, if a compliance program is to be truly effective, compliance personnel must be empowered within the company.
Prosecutors should evaluate whether “internal audit functions [are] conducted at a level sufficient to ensure their independence and accuracy,” as an indicator of whether compliance personnel are in fact empowered and positioned to “effectively detect and prevent misconduct.” Prosecutors should also evaluate “[t]he resources the company has dedicated to compliance,” “[t]he quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk,” and “[t]he authority and independence of the compliance function and the availability of compliance expertise to the board.” (instructing prosecutors to evaluate whether “the directors established an information and reporting system in the organization reasonably designed to provide management and directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization’s compliance with the law”); (those with “day-to-day operational responsibility” shall have “adequate resources, appropriate authority and direct access to the governing authority or an appropriate subgroup of the governing authority”).
Structure – Where within the company is the compliance function housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board)? To whom does the compliance function report? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company? Are compliance personnel dedicated to compliance responsibilities, or do they have other, non-compliance responsibilities within the company? Why has the company chosen the compliance structure it has in place?
Seniority and Stature – How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions? How has the company responded to specific instances where compliance raised concerns? Have there been transactions or deals that were stopped, modified, or further scrutinized as a result of compliance concerns?
Experience and Qualifications – Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities? Has the level of experience and qualifications in these roles changed over time? Who reviews the performance of the compliance function and what is the review process?
Funding and Resources – Has there been sufficient staffing for compliance personnel to effectively audit, document, analyze, and act on the results of the compliance efforts? Has the company allocated sufficient funds for the same? Have there been times when requests for resources by compliance and control functions have been denied, and if so, on what grounds?
Autonomy – Do the compliance and relevant control functions have direct reporting lines to anyone on the board of directors and/or audit committee? How often do they meet with directors? Are members of the senior management present for these meetings? How does the company ensure the independence of the compliance and control personnel?
Outsourced Compliance Functions – Has the company outsourced all or parts of its compliance functions to an external firm or consultant? If so, why, and who is responsible for overseeing or liaising with the external firm or consultant? What level of access does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed?”
Under the heading Incentives and Disciplinary Measures, the ECCP states:
“Another hallmark of effective implementation of a compliance program is the establishment of incentives for compliance and disincentives for non-compliance. Prosecutors should assess whether the company has clear disciplinary procedures in place, enforces them consistently across the organization, and ensures that the procedures are commensurate with the violations. Prosecutors should also assess the extent to which the company’s communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct. (“the organization’s compliance program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct”).
By way of example, some companies have found that publicizing disciplinary actions internally, where appropriate, can have valuable deterrent effects. At the same time, some companies have also found that providing positive incentives – personnel promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership – have driven compliance. Some companies have even made compliance a significant metric for management bonuses and/or have made working on compliance a means of career advancement.
Human Resources Process – Who participates in making disciplinary decisions, including for the type of misconduct at issue? Is the same process followed for each instance of misconduct, and if not, why? Are the actual reasons for discipline communicated to employees? If not, why not? Are there legal or investigation-related reasons for restricting information, or have pre-textual reasons been provided to protect the company from whistleblowing or outside scrutiny?
Consistent Application – Have disciplinary actions and incentives been fairly and consistently applied across the organization? Are there similar instances of misconduct that were treated disparately, and if so, why?
Incentive System – Has the company considered the implications of its incentives and rewards on compliance? How does the company incentivize compliance and ethical behavior? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?”
Under the heading “Does the Corporation’s Compliance Program Work in Practice?” the ECCP states:
“The Principles of Federal Prosecution of Business Organizations require prosecutors to assess “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision.” Due to the backwardlooking nature of the first inquiry, one of the most difficult questions prosecutors must answer in evaluating a compliance program following misconduct is whether the program was working effectively at the time of the offense, especially where the misconduct was not immediately detected.
In answering this question, it is important to note that the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense. (“[t]he failure to prevent or detect the instant offense does not mean that the program is not generally effective in preventing and deterring misconduct”). Indeed, “[t]he Department recognizes that no compliance program can ever prevent all criminal activity by a corporation’s employees.” Of course, if a compliance program did effectively identify misconduct, including allowing for timely remediation and self-reporting, a prosecutor should view the occurrence as a strong indicator that the compliance program was working effectively.
In assessing whether a company’s compliance program was effective at the time of the misconduct, prosecutors should consider whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.
To determine whether a company’s compliance program is working effectively at the time of a charging decision or resolution, prosecutors should consider whether the program evolved over time to address existing and changing compliance risks. Prosecutors should also consider whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.
For example, prosecutors should consider, among other factors, “whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal controls systems” and “whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future.” (observing that “[w]here a corporation’s compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will not likely be necessary”).
The ECCP then lists the following factors:
- Continuous Improvement, Periodic Testing, and Review
- Investigation of Misconduct
- Analysis and Remediation of Any Underlying Misconduct
Under the heading Continuous Improvement, Periodic Testing and Review, the ECCP states:
“One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale. Some companies survey employees to gauge the compliance culture and evaluate the strength of controls, and/or conduct periodic audits to ensure that controls are functioning well, though the nature and frequency of evaluations may depend on the company’s size and complexity.
Prosecutors may reward efforts to promote improvement and sustainability. In evaluating whether a particular compliance program works in practice, prosecutors should consider “revisions to corporate compliance programs in light of lessons learned.” (looking to “[t]he auditing of the compliance program to assure its effectiveness”). Prosecutors should likewise look to whether a company has taken “reasonable steps” to “ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct,” and “evaluate periodically the effectiveness of the organization’s” program. Proactive efforts like these may not only be rewarded in connection with the form of any resolution or prosecution (such as through remediation credit or a lower applicable fine range under the Sentencing Guidelines), but more importantly, may avert problems down the line.
Internal Audit – What is the process for determining where and how frequently internal audit will undertake an audit, and what is the rationale behind that process? How are audits carried out? What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often does internal audit conduct assessments in high-risk areas?
Control Testing – Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third-parties does the company undertake? How are the results reported and action items tracked?
Evolving Updates – How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?
Culture of Compliance – How often and how does the company measure its culture of compliance? Does the company seek input from all levels of employees to determine whether they perceive senior and middle management’s commitment to compliance? What steps has the company taken in response to its measurement of the compliance culture?”
Under the heading Investigation of Misconduct, the ECCP states:
“Another hallmark of a compliance program that is working effectively is the existence of a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.
Properly Scoped Investigation by Qualified Personnel – How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?
Response to Investigations – Have the company’s investigations been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory manager and senior executives? What has been the process for responding to investigative findings? How high up in the company do investigative finding go?”
Under the heading Analysis and Remediation of Any Underlying Misconduct, the ECCP states:
“Finally, a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.
Prosecutors evaluating the effectiveness of a compliance program are instructed to reflect back on “the extent and pervasiveness of the criminal misconduct; the number and level of the corporate employees involved; the seriousness, duration, and frequency of the misconduct; and any remedial actions taken by the corporation, including, for example, disciplinary action against past violators uncovered by the prior compliance program, and revisions to corporate compliance programs in light of lessons learned.” (“to receive full credit for timely and appropriate remediation” under the FCPA Corporate Enforcement Policy, a company should demonstrate “a root cause analysis” and, where appropriate, “remediation to address the root causes”).
Prosecutors should consider “any remedial actions taken by the corporation, including, for example, disciplinary action against past violators uncovered by the prior compliance program.” (looking to “[a]ppropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred” and “any additional steps that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk”).
Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?
Prior Weaknesses – What controls failed? If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?
Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?
Vendor Management – If vendors were involved in the misconduct, what was the process for vendor selection and did the vendor undergo that process?
Prior Indications – Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations? What is the company’s analysis of why such opportunities were missed?
Remediation – What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis?
Accountability – What disciplinary actions did the company take in response to the misconduct and were they timely? Were managers held accountable for misconduct that occurred under their supervision? Did the company consider disciplinary actions for failures in supervision? What is the company’s record (e.g., number and types of disciplinary actions) on employee discipline relating to the types of conduct at issue? Has the company ever terminated or otherwise disciplined anyone (reduced or eliminated bonuses, issued a warning letter, etc.) for the type of misconduct at issue?”
In the DOJ’s release announcing the ECCP, Assistant Attorney General Brian Benczkowski stated:
“Effective compliance programs play a critical role in preventing misconduct, facilitating investigations, and informing fair resolutions. [The] guidance document is part of our broader efforts in training, hiring, and enforcement to help promote corporate behaviors that benefit the American public and ensure that prosecutors evaluate the effectiveness of compliance in a rigorous and transparent manner.”
Separately in this speech delivered on the same day as the DOJ released the ECCP, Benczkowski stated in pertinent part:
“The importance of corporate compliance cannot be overstated. My deputies and I spend a lot of time talking about what companies can do to achieve the best result once the company or the Department learns of misconduct. But a company’s compliance program is the first line of defense that prevents the misconduct from happening in the first place. And if done right, it has the ability to keep the company off our radar screen entirely. In fact, of all of the Principles of Prosecution of Business Organizations that prosecutors are instructed to consider by the Justice Manual in determining an appropriate resolution of a corporate case, an effective compliance program is the only principle that has the ability to prevent the crime from occurring in the first place.
But beyond the prevention of misconduct, a compliance program factors into the Department’s investigation and resolution of corporate cases in several critical ways. As an initial matter, the company’s compliance program can play a significant role in the Department’s investigation of criminal wrongdoing. Even where a compliance program does not prevent the misconduct, an effective compliance program is much more likely to detect the misconduct at an early stage. And when the company makes a decision to voluntarily disclose misconduct after detecting it, the Department is able to take steps to preserve and gather evidence that likely would not be available at a later stage. This promotes more effective enforcement against individual wrongdoers.”
“Although the former President and former Chief Legal Officer of the company are alleged to have engaged in a bribery scheme in India, the company detected the misconduct and the board made the choice to voluntarily disclose the misconduct within a matter of weeks. As a result of the voluntary self-disclosure, full cooperation and remediation undertaken by Cognizant, the Department declined to prosecute the company under the FCPA Corporate Enforcement Policy. Based on the Department’s independent investigation, we charged the former President and former Chief Legal Officer.”
“Likewise, when a company maintains an effective compliance program, it makes it that much more difficult for company employees and agents to engage in unlawful conduct. As a result, it is more likely that evidence will be generated when those employees and agents circumvent the program to carry out their illegal scheme. The better the compliance program, the clearer the footprints that are left from the crime, and the easier for the Department to follow the tracks to the culpable individuals.
It is for these reasons – the ability of a compliance program to prevent misconduct, and to detect it early and allow the government to more effectively investigate and prosecute the wrongdoers – that the Department has strived to incentivize and reward companies that implement effective compliance programs. At the end of a corporate investigation, prosecutors weigh heavily the company’s compliance program when determining whether and how to resolve the case. This takes three primary forms:
First, pursuant to the Justice Manual, prosecutors assess the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision. This helps guide the prosecutors in determining whether they should decline to bring a case, or, if a resolution is appropriate, what that resolution should be. In fact, under the Department’s FCPA Corporate Enforcement Policy, a company is not eligible for the full range of benefits – including a declination – if it has not implemented an effective ethics and compliance program. One year ago, my Principal Deputy John Cronan announced that the FCPA Corporate Enforcement Policy would be applied beyond FCPA cases as non-binding guidance in the Criminal Division. So there can be no question about the seriousness with which we take the effectiveness of a company’s compliance program when determining whether and how to bring a corporate case.
Second, prosecutors assess a company’s compliance program at the time of the misconduct to determine the company’s culpability score under the U.S. Sentencing Guidelines, which determines the company’s ultimate fine range. If the company maintained an effective ethics and compliance program at the time of the misconduct, the company would also be eligible for a significant reduction in its overall fine. The fine would be further reduced based on the FCPA Corporate Enforcement Policy, which provides for 50% off the low end of the Sentencing Guidelines in cases where the company has voluntarily self-disclosed, fully cooperated, and fully remediated, including putting in place an effective ethics and compliance program.
Third, prosecutors look at the company’s compliance program at the time of the resolution to determine whether an independent compliance monitor is necessary to prevent the reoccurrence of misconduct, or whether the compliance program is sufficiently effective to permit the company to self-monitor. In October of last year, I announced guidance on how the Criminal Division would determine whether a monitor is appropriate in a given case. The guidance recognizes that “the imposition of a monitor will not be necessary in many corporate criminal resolutions, and the scope of any monitorship should be appropriately tailored to address the specific issues and concerns that created the need for the monitor.” In determining whether a monitor is appropriate, we will look to several key factors, most notably, the investments and improvements a company has made to its corporate compliance program and internal controls, and whether remedial measures have been tested for the ability to prevent or detect similar misconduct in the future. We also examine whether the misconduct took place in an inadequate compliance environment that no longer exists. When I first announced this new policy, many speculated that this would spell the death of monitorships. By now you should all realize that this is not true. Put simply, this guidance was not meant to do away with monitors – it was meant to focus our prosecutors’ determination on the appropriate factors so that monitors are imposed only where necessary and under the terms and scope that is appropriate for that given case. In fact, over the past two months, we announced two FCPA corporate resolutions that both included an independent compliance monitor. In the resolution of Mobile Telesystems, or MTS, the company had not yet fully implemented or tested a compliance program at the time of the resolution, and we imposed a three-year monitorship. In the resolution of Fresenius Medical Care, the company had made a number of improvements to its compliance program but had not yet fully tested that program, so we imposed a two-year monitorship focused on the factors that gave rise to the underlying misconduct. We recognize the significance of a corporate resolution for a company, and the impact that a compliance monitor can have on that company. Because the company’s compliance program is such a critical factor in our analysis, we have taken significant steps to educate our prosecutors about compliance and provide transparent and comprehensible standards to the public so that companies can understand how we evaluate compliance programs.
In October of last year, I announced that we would be implementing training programs across the Criminal Division to enhance our prosecutors’ understanding of compliance. All of our prosecutors may not have come to the Department as compliance experts. But we can leverage the expertise of those within the Department who do have that knowledge, as well as resources outside the Department to ensure that, when our prosecutors are making decisions that have profound impacts on companies, they will have the necessary tools to undertake a rigorous and informed analysis. I am proud to report that as I speak here today, the first such training is taking place in Washington. I was able to take part in some of the training this morning and it was great to see such a thoughtful discussion of these important topics.
In addition to ensuring that our prosecutors are equipped to appropriately scrutinize a company’s compliance program, we have also taken steps to better explain what we examine when evaluating a company’s compliance program and culture. I already mentioned the FCPA Corporate Enforcement Policy, which provides a detailed list of factors we consider in making such a determination, as well as the new guidance on the use and selection of monitors, which speaks to the factors we analyze in connection with the decision to impose a monitor.
[…] I am also announcing the release of an updated version of the Criminal Division’s Evaluation of Corporate Compliance Programs to better harmonize the prior Fraud Section publication with other Department guidance and legal standards. Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Department does not use any rigid formula to assess the effectiveness of corporate compliance programs. We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation. Accordingly, we make an individualized determination in each case. In drafting the updated version of the document, we have sought to provide additional transparency in how we will analyze a company’s compliance program.
As the Justice Manual provides, there are three fundamental questions a prosecutor should ask in evaluating a company’s compliance program:
First, is the program well-designed?
Second, is the program effectively implemented?
And, third, does the compliance program actually work in practice?
The updated version uses these three questions as a framework to categorize the topics that the Department has frequently found relevant in evaluating a corporate compliance program, and also provides guidance from other Department and enforcement documents. As before, the topics and questions are neither a checklist nor a formula. We hope this updated version provides additional insight to both prosecutors and companies with respect to the evaluation of compliance programs.”
“As all of you well know, compliance is a fast-moving field, and one in which evolving technologies and globalization of economies and enforcement can provide both challenges and solutions. The Department believes that most companies truly want to be fully compliant with both the spirit and the letter of the law, and will take every step necessary to make sure they are developing and implementing compliance programs that are highly effective and sustainable. At the end of the day, the interests of the Department and private industry to root out corporate crime are very much aligned, and I hope and know that our collective efforts are having a positive, lasting impact on corporate behavior.”
FCPA Institute - Boston (Oct. 3-4)
A unique two-day learning experience ideal for a diverse group of professionals seeking to elevate their FCPA knowledge and practical skills through active learning. Learn more, spend less. CLE credit is available.