This previous post discussing the DOJ’s recent release of a non-binding guidance document titled “The Evaluation of Corporate Compliance Programs” (ECCP) noted that the ECCP is not a legal document that establishes liability for non-compliance. In other words, if compliance professionals and others strive to have a compliance program that exceeds statutory requirements that is great, but it is not legally required. (See also this recent FCPA Flash podcast episode discussing related concepts as well as here).
Earlier this week new Principal Deputy Associate Attorney General Claire McCusker Murray (pictured) delivered this speech in which she touches upon similar issues and made the spot-on observation that “subregulatory guidance isn’t law – it’s just paper.”
In pertinent part, Murray stated:
“In our system of separation of powers, Congress makes the laws—not the President, and certainly not administrative agencies within the Executive Branch. In the modern era, of course, Congress has sometimes delegated to Executive Branch agencies the power to enact regulations that have the force of law. But, the proper way for a regulatory agency to impose obligations that are binding on the public is governed by the Administrative Procedure Act—and generally (for your purposes) requires notice-and-comment rulemaking. Of course, rulemaking can be cumbersome and slow. For that reason, agencies can be tempted to use subregulatory guidance as a short-cut when they should be undertaking notice-and-comment rulemaking instead.
Subregulatory guidance isn’t law—it’s just paper. Nevertheless, there is sometimes an (understandable) sense within industry that deviation from a regulator’s guidance can carry the risk of an enforcement action or qui tam litigation. When you add deference doctrines like Auer into the mix, there’s a real risk that guidance can, practically speaking, end up having the same effect as regulation.
In a pair of memos now codified in the Justice Manual, the Department recently curbed its own issuance of subregulatory guidance and limited the ways in which other agencies’ guidance can be used to prove violations of law both in the Department’s civil enforcement actions (such as False Claims Act cases) and in criminal prosecutions. This is a huge advance in administrative transparency and accountability vis-a-vis the regulatory community. In the wake of the new amendments to the Justice Manual, guidance documents may be used in certain evidentiary contexts—as evidence of scienter, for example, or of professional or industry standards—but the Department’s litigators may not “treat a party’s noncompliance with a guidance document as itself a violation of applicable statutes or regulations” because “guidance documents cannot by themselves create binding requirements that do not already exist by statute or regulation.”
Much has been written about these policies, but let me lay out some practical thoughts for the compliance personnel in the room. Agency guidance can obviously be helpful in educating the industry about an agency’s views—especially when the statutes and regulations are vague or ambiguous—and we all know that compliance personnel are always looking for the practical thing to do in light of new agency guidance.
When faced with new guidance, the best first step is to determine the extent to which a new guidance document mirrors the requirements of the underlying statutes and/or regulations, particularly in light of binding judicial precedent.
The key is to distinguish between two categories of guidance, the part that mirrors what the law requires and everything else. The rest might include, for example, language suggesting obligations that go beyond what the law requires, language that represents the agency’s interpretation of an ambiguity in a statute or regulation, or language where the agency is recommending “best practices.” For the first category, the response is simple: you’ll want to ensure that your business practices are consistent with the portion of the guidance that mirrors binding law. For everything else, that’s where you make a good faith risk calculation—really, a business decision, informed by a legal assessment—about whether to follow an agency’s subregulatory guidance, which may be persuasive, or whether to take another lawful approach that differs from the guidance. Unless and until the Supreme Court charts a new course with respect to Auer deference in Kisor v. Wilkie this Term, an important part of that good faith risk calculation will be informed by your legal team’s analysis of whether the guidance at issue is likely to be accorded deference.”
Relating Murray’s spot-on observations to the FCPA context, as highlighted numerous times on these pages, issuers (and only issuers) are obligated under the FCPA to have “internal accounting controls sufficient to provide reasonable assurances” that certain limited financial objectives are met. The FCPA then provides the following definition of “reasonably assurances” and “reasonable detail” – “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
Thus, when the ECCP uses the word “effective” 49 times, this is (to use Murray’s words) a concept that does not “mirror what the law requires” but something else. For this, “everything else,” Murray states that business organizations should “make a good faith risk calculation – really, a business decision, informed by a legal assessment – about whether to follow an agency’s subregulatory guidance, which may be persuasive, or whether to take another lawful approach that differs from the guidance.”
Yet, as highlighted in this prior post, the legal and policy concern with the ECCP is that in an official U.S. government document the DOJ says it is going to base decisions about prosecutions and form of resolutions, monetary penalties, and compliance obligations in corporate criminal resolutions on specific factors, most of which, are not even found in any law passed by Congress.
In other respects, Murray (who has been the Principal Deputy Associate General for approximately three weeks) repeated many DOJ talking points as follows.
“[I]t is a privilege to be addressing this group of lawyers and compliance officers because you serve as gatekeepers, who endeavor every day to make sure that businesses operate legally and ethically. You are the first line of defense, and every day you work to prevent corporate misconduct from happening in the first place.
And even when your compliance teams aren’t able to prevent wrongdoing from occurring, you and your compliance programs make it possible to detect misconduct early, take prompt remedial action, determine whether a voluntary disclosure to the government is appropriate, and ultimately move forward with the benefit of lessons learned.
This Department of Justice appreciates the challenges you face. Our Attorney General has been a General Counsel and a Director at multiple companies—you might say that corporate compliance was his day job. Our new Deputy Attorney General spent nearly thirty years advising corporations about the complicated regulatory regimes within which they operated. And a significant portion of my practice at Kirkland involved internal investigations and white collar defense in the FCPA space.
So, when we say that the Department’s leadership understands the difficulty of advising executives and boards in navigating complex transactions, fiduciary obligations, ethical quandaries, and legal minefields, we really mean it.
We know compliance is a major investment. But we also think it pays important dividends. In some sense, this is a very classical notion: for the ancients, “virtus”—what we call “virtue”—meant not just obeying a list of ethical precepts, but also achieving excellence. The writings of Plato and Aristotle are, in large part, an exploration of the thesis that living virtuously results in human flourishing. In a regime like ours, grounded in the rule of law, companies—like people—flourish when they behave virtuously. Companies with smart compliance programs are more investible and less risky, they make better partners for commercial ventures, and they last longer, creating more jobs along the way. American business is at its best when there is a level playing field, and a culture of compliance and fair dealing is a key component of that.
We also recognize, as our former Deputy Attorney General Rod Rosenstein put it last year at this conference, that upholding the law and respecting fiduciary and ethical boundaries is “a two way street.” “We ask companies to act in accordance with laws and regulations, even when doing so may be difficult or burdensome… [and w]e in law enforcement reciprocate by defending the rule of law and protecting the integrity of the marketplace.” That’s the deal that we have with you, and it is one that we will always strive to fulfill.”
FCPA Institute - Zoom (Nov. 10-12)
Elevate your FCPA knowledge and practical skills. Nine hours of integrated and cohesive instruction led by Professor Koehler (an FCPA expert with teaching experience). Learn more, spend less. Professional credential available.