This post summarizes two recent speeches by DOJ/SEC enforcement officials that touched upon topics relevant to Foreign Corrupt Practices Act enforcement.
In the first speech, Assistant Attorney General Leslie Caldwell, speaking at a financial industry event, focused her comments on compliance and the DOJ’s new compliance attorney position.
In the second speech, SEC Chair Mary Jo White talked about SEC enforcement strategies.
As indicated above, Caldwell focused her comments on compliance and the DOJ’s new compliance attorney position. For prior posts on these topics, see here and here including why the DOJ should be in favor of a compliance defense. See also “Revisiting a Foreign Corrupt Practices Act Compliance Defense.”
Caldwell stated in pertinent part:
Internal Compliance Officers Perform a Critical Function
[Compliance officers] are often the first line of defense against [legal violations] Prosecutors cannot be everywhere, and by the time the Criminal Division gets involved, it’s usually too late to stop criminal activity. Well before a grand jury subpoena is served or a witness is interviewed, compliance officers like you can and do step in and stop issues from becoming problems down the road.
As much as full-throated compliance programs are essential to preventing fraud and corruption, the quality and effectiveness of a compliance program is also an important factor that prosecutors consider in determining whether to bring charges against a business entity that has engaged in some form of criminal conduct.
In this after the fact review, the department looks closely at whether compliance programs are simply “paper programs,” or whether the institution and its culture actually support compliance. We look at pre-existing programs, as well as what remedial measures a company took after discovering misconduct – including efforts to implement or improve a compliance program.
Criminal Division’s Compliance Counsel
Over the past twenty years or so, the very notion of “compliance” has been evolving rapidly. Most companies, and maybe especially in the financial sector, have placed more and more emphasis on building strong compliance structures. Programs have become more sophisticated and more industry and company-specific.
Companies increasingly have tailored compliance programs that make sense not just for their industries but also for their business lines, their risk factors, their geographic regions and the nature of their work force, to name a few.
Unfortunately, a surprising number of companies still lack rigorous compliance programs. And even more companies have what appear to be good structures on paper, but fail in practice to devote adequate resources and management attention to compliance.
Still other companies fail to consider obvious risks, even in important parts of their businesses. […]
To be sure, it’s important for institutions to be mindful of regulatory priorities and guidance in devising and carrying out a tailored, risk-based compliance program. But a narrow, cramped view of compliance – that it requires only adherence to specific regulations – ultimately will inure to the company’s detriment. […]
I believe that the Criminal Division has gotten much better at evaluating compliance programs over the years. We understand that there is no “one size fits all” compliance program. We understand that there are vast differences in the quality and effectiveness of programs, even among similar companies. We have gotten better at suggesting tailored reforms to compliance programs when we resolve a corporate matter.
But we are prosecutors, not compliance professionals. So, as you may be aware from press coverage, the Criminal Division has hired a compliance counsel to work in the Fraud Section. While it’s too early to talk about specifics – her first day in the office is tomorrow – I can tell you generally what we’re thinking about.
We want to get the benefit of the expertise of someone with significant high-level compliance experience across a variety of industries, which this person has. Our goal is to have someone who can provide what I’ll call a “reality check.”
First, the compliance counsel will help us assess a company’s program, as well as test the validity of its claims about its program, such as whether the compliance program truly is thoughtfully designed and sufficiently resourced to address the company’s compliance risks, or essentially window dressing.
Second, she will help guide Fraud Section prosecutors when they are seeking remedial compliance measures as part of a resolution with a company, whether by prosecution or otherwise. We don’t want to impose unrealistic, unnecessary or unduly burdensome requirements on companies. At the same time, we want to make sure that appropriate compliance enhancements are included when they are needed.
We understand that no compliance program is foolproof. We also appreciate that the challenges of implementing an effective compliance program are compounded by the ever-increasing cross-border nature of business and of criminal activity.
Many [companies] operate all over the world. They are creating products and delivering services not only here in the United States but overseas and are operating across many different legal regimes and cultures.
For this reason, we have chosen a compliance counsel who has the experience and expertise to examine a compliance program on a more global and a more granular level.
I want to correct one impression that has been expressed elsewhere. Some have suggested that our retention of a compliance counsel is an indication that the department is moving toward recognizing or instituting a “compliance defense.” That is not the case.
Rather, the Criminal Division will continue to review companies’ compliance programs as one of the many factors to be considered when deciding whether to criminally charge a company or how to resolve criminal charges. Our hiring of a compliance counsel should be an indication to companies about just how seriously we take compliance.
Hallmarks of an Effective Compliance Program
You’re likely wondering what metrics this compliance counsel will use to assess a particular program. And I’ll talk about that in a moment, but first I want to put your mind at ease about something.
The vast majority of compliance violations do not result in criminal prosecution. Rather, the Criminal Division pursues charges when the offending conduct is intentional and particularly egregious or pervasive.
We’re not interested in prosecuting mistakes or accidents, or bad business judgments. And we are not looking to prosecute compliance professionals. To the contrary, we view you as the good guys and as our allies. And we want to make sure that when we review a pre-existing compliance program, or suggest remedial measures, that we get it right.
So, what will the compliance counsel do? She will help us evaluate each compliance program on a case-by-case basis – just as the department always has – but with a more expert eye, and she will work with our prosecutors to assess:
- Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
- Do the people who are responsible for compliance have stature within the company? Do compliance teams get adequate funding and access to necessary resources? Of course, we won’t expect that a smaller company has the same compliance resources as a Fortune-50 company.
- Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?
- Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?
- Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances? This is especially important if a U.S.-based entity acquires or merges with another business, especially a foreign one.
- Are there mechanisms to enforce compliance policies? Those include both incentivizing good compliance and disciplining violations. Is discipline even handed? The department does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated, but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences. Such action sends the wrong message – to other employees, to the market and to the government – about the institution’s commitment to compliance.
- Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance? This means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.
These are just some of the elements of a strong compliance program. When the Criminal Division evaluates a company’s compliance policy during an investigation, we look not only at how the policy reads on paper, but also at the messages conveyed to employees, including through in-person meetings, emails, telephone calls and compensation. We look at whether, as a whole, a company tolerated compliance failures year after year because the alternative would have meant a reduction in revenues or profits.”
Regarding individual prosecutions, White stated:
“Any discussion of strong enforcement tools must include a discussion of our priority of pursuing individuals. Personal accountability, of course, is a basic tenet of law enforcement. And individual accountability, particularly at the most senior levels, is a core part of our enforcement program because firms can only act through their people and it is people to whom we are trying to send our strong message of deterrence. While some cases, because of the available evidence or charges, are appropriate to bring only against companies, we must always look to identify and charge those people who are responsible for their company’s wrongdoing. In Fiscal Year 2015, about two-thirds of our substantive actions included charges against individuals.
Redress for wrongdoing can never be seen merely as a cost of doing business made good by cutting a corporate check. When people fear for their own reputations, careers, or pocketbooks, they are more likely to stay in line. So when investigating misconduct, our staff first looks at the individual conduct and works out to the entity, rather than starting with the entity as a whole and working in.
And when we do bring charges against individuals, we consider, in addition to tough charges and penalties, our remedies to prevent future wrongs as well. One of our most potent tools is an order imposing a bar on an individual – a bar from, for example, working in the securities industry or serving on the board of a public company. Such an order can reduce the likelihood that the defendant can defraud and victimize the public again.”
As detailed in this post, approximately 80% of corporate SEC FCPA enforcement actions since 2008 have not resulted in any related enforcement action against a company employee.