Corporate compliance programs come in all shapes and sizes and apply whether your company is privately owned or publicly traded. These internal controls take the form of accounting and audit procedures, import-export/regulatory policies, employment guidelines, ethics/anti-corruption initiatives and so on. The intent of any compliance program is to ensure that employees know what is expected of them and that their behavior complies with and is consistent with the “rules of the road” for your business or industry. A recent letter from Andrew Weissmann, Chief of the Fraud Section, Criminal Division, U.S. Department of Justice, affirms the importance of not only having a robust compliance program, but the need to ensure the adequacy of internal enforcement of that program, in this context, for underscoring the compliant nature of the company and mitigating the consequences of any misdeeds which may occur, in the face of enforcement action by any of the federal agencies with jurisdiction over your company.

It boils down to:

  1. A well-defined/well-documented compliance program (which can vary as pointed out above);
  2. Adequate training of affected employees and related internal and external stakeholders about your compliance program;
  3. Proper internal enforcement, including discipline/consequences, for those that violate its provisions; and
  4. Timely disclosure of violations to the appropriate authoritative body.

All of this is summarized in the U.S. Sentencing Guidelines section having to do with an “Effective Compliance and Ethics Program,” see Chapter 8, Part B, Section 2. If a company wanted credit for cooperation in the context of a criminal case, it had to show it had an effective program and that, despite that program, the individuals did what they did. In other words, those individuals acted outside the course and scope of their employment and so the company should not be held responsible for their actions.

Over time, with all the pressures being put on companies, acceptance of the need for a full blown compliance program expanded, and now it is the rare company, regardless of size, which does not have one. Whereas the Sentencing Guidelines have broad philosophical statements about compliance, by letter dated April 5, 2016, Andrew Weissmann , Chief, Fraud Section, Criminal Division, U.S. Department of Justice, added a remarkable amount of detail to the overall question of what is enough?

Admittedly the context of the Weissman letter has to do with alleged criminal behavior and is designed to set a high standard for companies that, if they meet those standards (after disgorging all profits related to their Foreign Corrupt Practices Act violative behavior), will be getting up to a 50% reduction in the possible fine. However, the elements of a successful program as described in this letter are a telling commentary on what the U.S. government thinks is an adequate compliance program. This language also no doubt sets the standard across the federal government to define the minimum standards for a compliance program and so are an important consideration as companies evaluate their own compliance efforts.

The key provisions in the letter read as follows.

The following items generally will be required for a company to receive credit for timely and appropriate remediation …

  • Implementation of an effective compliance and ethics program, the criteria for which will be periodically updated and which may vary based on the size and resources of the organization, but will include:

° Whether the company has established a culture of compliance, including an awareness amount employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;

° Whether the company dedicates sufficient resources to the compliance function;

° The quality and experience of the compliance personnel such that they can understand and identify the transactions identified as posing a potential risk;

° The independence of the compliance function;

° Whether the company’s compliance program has performed an effective risk assessment and tailored the compliance program based on that assessment;

° How a company’s compliance personnel are compensated and promoted compared to other employees;

° The auditing of the compliance Program to assure its effectiveness; and

° The reporting structure of compliance personnel within the company.

Other factors the Dept. of Justice will consider in granting mitigation are likely to also be relied upon when other federal government agencies learns of misbehavior by a company. Those additional factors are:

  • Appropriate discipline of employees, including those identified by the corporation as responsible for the misconduct, and a system that provides for the possibility of disciplining others with oversight of the responsible individuals, and considers how compensation is affected by both disciplinary infractions and failure to supervise adequately.
  • Any additional steps that demonstrate recognition of the seriousness of the corporation’s misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.

Also of interest is the reinforcement of the Yates memo. That memo was issued on September 9, 2015 by the Department of Justice’s Deputy Attorney General Sally Yates.  Entitled Individual Accountability for Corporate Wrongdoing,  DAG Yates’ goal was to make clear to the entire Department, any activity involving the potential for liability on the part of a corporation can and must also focus on the potentially culpable the individuals involved.  Put another way, if a corporation comes to the attention of the Department for any reason, civil or criminal, for the business to get credit for cooperation, it must be prepared to turn over information condemning its employees.

Justice intends to pursue individuals where it can and companies which want full cooperation credit are going to have to provide evidence against their own employees and business partners if they want to avoid the full consequences of their lapses. If there was any doubt (and there really should not have been), that doubt is erased by the Weissmann letter. It specifically calls on companies to include “the disclosure of all relevant facts about the individuals involved in the wrongdoing.”

For those of us familiar with the voluntary disclosure concept ingrained with many agencies, some of the other requirements seem quite reasonable: 1) the disclosure has to happen before there is an “imminent threat of disclosure of government investigation”; 2) the disclosure is made reasonably promptly; and 3) the company discloses all the relevant facts.  The kicker comes in that “all the relevant facts” criteria is framed as including “the individuals involved in any FCPA violation”.  Up to now, when disclosures have been made for many types of violations, the company has typically not had to name names or directly point fingers at individuals. Will that change? Will that change only in the criminal context ? Will it be expanded to the civil context, too?

Another area where it might seem a new standard was set has to do with how “full cooperation” is defined. This section of the Weissmann letter starts with reference to disclosure of information about those involved in the criminal activity, but it goes to call on the company to be proactive (not reactive). For example, the company is expected to offer information even when not requested. Additionally, the company is to preserve, collect and disclose relevant documents and information relating to their provenance; provide timely updates about any internal investigation (including rolling updates); deconflict an internal investigation with a government investigation; provide all facts relevant to potential criminal conduct by third parties, companies and individuals, including  officers and employees; if requested, make company officers and employees with relevant information available for interview, including those located overseas (fortunately the letter acknowledges an individual’s Fifth Amendment rights) ; disclosure of all relevant facts gathered during the company’s independent investigation, including attributing facts to specific sources (subject to the attorney-client privilege); providing overseas documents , where they might be found, who found them and so on, unless barred by foreign law; unless legally prohibited, companies are also expected to facilitate third party document production and witnesses from foreign jurisdictions; and if requested, to translate documents in foreign languages.

These standards are quite high and one can quickly see where a dispute could easily arise between Justice and a company as to whether full cooperation has been forthcoming by the company. Hopefully readers will not be faced with that dilemma in the criminal context, but mistakes do happen. How much of what Mr. Weissmann has declared will make its way to the voluntary self-disclosure process encouraged by many agencies is an open question. A handful of agencies have robust mitigation guidelines, but even if they do, there remain cases where a good deal for discretion exists for the agency to exercise during decision-making. In other contexts, cases are dispose of relying strictly on the discretion of the agency’s decision makers.

Only time will tell how much Mr. Weissmann’s standards creep onto the civil side, but in the meantime, companies would do well to measure their existing compliance programs against the articulated standards because, frankly, Mr. Weissmann is merely repeating what most government prosecutors and investigators at all levels think is required for a truly robust and effective compliance program. How does yours measure up?