How to Assess Corporate Compliance: DOJ weighs in…
While the debate continues on what role “guidance” plays in compliance, it is clear that we ignore what agencies say at our regulatory peril. Recent Department of Justice guidance adds more information for us to consider as we grapple with improving compliance throughout an institution.
AML professionals are well aware of the 2014 advisory from FinCEN on promoting a culture of compliance, and it has certainly been a tremendous value-add to the ongoing dialogue in the compliance community on how to increase institutional support for AML and other regulatory requirements. (https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2014-a007)
Another area of concern has been how cases can be made for wrongdoing by individuals in corporations. In addition to the several cases we have discussed in many conferences, the Justice Department released the 2015 “Yates Memo” (https://www.justice.gov/archives/dag/file/769036/download), which indicated, among many things, that:
“One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing. Such accountability is important for several reasons: it deters future illegal activity, it incentivizes changes in corporate behavior, it ensures that the proper parties are held responsible for their actions, and it promotes the public’s confidence in our justice system.”
The memo contains direction on what DOJ will consider to give a corporation credit for cooperation in civil and criminal cases, and compliance officials have added that “guidance” to their quiver of tools to improve institutional support for AML and other regulatory responsibilities.
Now we have another important document.
More DOJ on Corporate Compliance
On April 30th, the DOJ released an update to a 2017 document from its Fraud division on how to evaluate a corporate compliance program (https://www.justice.gov/criminal-fraud/page/file/937501/download) for white collar prosecutors. The department stated that the document:
“is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).”
So what are the relevant questions that must be asked as you consider charging a corporation?
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith?” – In other words, is the program being implemented effectively?
- “Does the corporation’s compliance program work” in practice?
Among the considerations to address these questions, the DOJ looks for a corporation to have a risk assessment which is “periodically updated.” A very interesting part of risk mitigation is that the department wants the corporation to focus on high-risk transactions and will criticize those that spend “a disproportionate amount of time to policing low-risk areas instead of high-risk areas”.
To determine if a corporation’s policies and procedures are well-designed, prosecutors will look at how comprehensive the documents are, the process of correctly communicating the documents to employees and third parties, and the level of training and guidance provided to policy “gatekeepers.”
On the actual training on the policies, it is no surprise that the department wants a tailored curriculum, assessments of how successful employees are in taking any tests, and a documented process for communicating misconduct by employees.
There is also an expectation that institutions allow employees to confidentially report misconduct, have a robust complaint-handling process, and ensure a workplace atmosphere that does not retaliate against those who follow the reporting process.
To assess effective implementation, the guidance revisits the importance of corporate culture. It calls for “tone at the top”, shared commitment throughout the entity (including with the board of directors), autonomy of given staff, and the commitment through assigned resources. A key element of effectiveness is also the incentives for strong compliance and discipline for failures and deficiencies.
Does all of this actually work?
We have long heard that policies simply on a shelf (or an electronic file folder) are worthless, so how does the DOJ determine that a compliance program works?
The evaluation that will be used by prosecutors includes the process of how the misconduct was identified and what the remedial action was to address that misconduct. A positive reference in the guidance is that the mere presence of the activity does not mean that the compliance program was ineffective. The guidance goes on to state that:
“if a compliance program did effectively identify misconduct, including allowing for timely remediation and self-reporting, a prosecutor should view the occurrence as a strong indicator that the compliance program was working effectively.”
Credit will be given if the entity attempts to continuously improve, tests or audits on a regular basis, and measures its culture of compliance. Finally, with any of these problems or issues, performing a “root-cause analysis” and addressing mistakes in a formal and systematic manner will have a broad effect and should enhance your chances of surviving a Justice Department “visit.”
Do yourself and your institution a favor and read the entire guidance and create a training program from it today!
* “Work to Do” was a 1972 song by the Isley Brothers and charted at #11 on the R&B charts. They were inducted into the Rock and Roll Hall of Fame in 1992.