Though corporate compliance programs can be expensive, companies that fail to implement such programs are about to double down on their gamble as a result of a newly imposed increase in civil fines. Prior to this increase, compliance plans have sometimes been pushed to the back burner due to cost and burden to the company. Not only does the company have to draft and research the plan and train the employees, but it has an obligation to monitor the plan to make sure it works. Compliance monitoring takes time away from the actual running of the business itself. As a result, many companies either ignore compliance, or put into place compliance programs that simply gather dust on a shelf. Given the high cost of noncompliance, investing in compliance now can be an ace up the corporate sleeve. As an example, studies show that the average cost of noncompliance in the field of data security compliance, including the cost of fines and penalties as well as business disruption, reduced productivity, legal fees and other legal and non-legal settlement costs, was over two and a half times the cost of compliance.¹ That ratio may be higher outside of the area of data security.
As set forth in this notice, with the rise in civil fines, the stakes for noncompliance are about to go up.
How much will civil penalties increase?
Section 701 of the Bipartisan Budget Act of 2015 (which has the unwieldy title of the “Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015”) requires that by July 1 of each year, starting with 2016, the heads of each government agency must adjust civil penalties to account for inflation. The first set of adjustments will take effect on August 1, 2016. The formula used to adjust the penalties is based on the Consumer Price Index since the last increase, with a cap at a maximum 150% increase over the current penalty. As a result, federal agencies have been working to calculate and announce their adjusted civil penalty amounts. Agencies are given the discretion to increase amounts by less than the CPI formula would require if the full increase would negatively affect the economy or result in social costs that outweigh benefits.
The Railroad Retirement Board was the first to respond, issuing an interim final rule adjusting its False Claims Act (“FCA”) and Program Fraud Civil Remedies Act (“PFCRA”) civil monetary penalties from a range of $5,500 - $11,000 to a new range of $10,781 - $21,563 per violation. The Department of Justice (“DOJ”) recently announced it will match that increase for its FCA penalties. Considering the typical FCA case involves multiple claims, if not hundreds or thousands of claims, those penalties will quickly add up. Additionally, FCA penalties are added on top of treble damages that can sometimes themselves be in the millions of dollars.
Other agencies soon followed suit, such as the Directorate of Defense Trade Controls (“DDTC”), the division of the Department of State that regulates the manufacture, sale, export and re-transfer of defense articles, which more than doubled its maximum penalties from $500,000 per violation to a whopping $1,094,010 per violation.
What other penalties will increase?
Some other notable penalty increases are listed below:
| Agency² | Prior Penalty Range | New Penalty Range effective August 1, 2016 |
|---|---|---|
| DOJ for violations of the FCA | $5,500 to $11,000 per violation | $10,781 to $21,563 per violation |
| DDTC | Up to $500,000 per violation | Up to $1,094,010 per violation |
| Federal Trade Commission (FTC) for violations of premerger notification requirements in the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (“HSR Act”) | Up to $16,000 per day | Up to $40,000 per day |
| Office of Foreign Assets Control (OFAC) for sanctions falling under the International Emergency Economic Powers Act (“IEEPA”) | Up to $250,000 per violation | Up to $284,582 per violation |
| OFAC for sanctions falling under the Foreign Narcotics Kingpin Designation Act (“FNKDA”) | Up to $1,075,000 per violation | Up to $1,414,020 per violation |
| DOJ for violations of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) (covers violations of criminal statutes related to or affecting financial institutions and government agencies such as bank fraud) | Up to $1,100,000 per violation and up to $5,500,000 per continuing violation | Up to $1,893,610 per violation and up to $9,468,050 per continuing violation |
| Department of Labor (“DOL”) for serious violations of the Occupational Safety and Health Act | Up to $7,000 per violation and up to $70,000 for willful or repeated violations | Up to $12,471 per violation and up to $124,709 for willful or repeated violations |
| DOL for violations of minimum-wage or overtime requirements | $1,100 per repeat or willful violation | $1,894 per repeat or willful violation |
| Department of Homeland Security (“DHS”) for the unlawful employment of aliens | First violation: $375 to $3,200; second violation: $3,200 to $6,500; subsequent violations: $4,300 to $16,000. | First violation: $539 to $4,313; second violation: $4,313 to $10,781; subsequent violations: $6,469 to $21,563. |
| Nuclear Regulatory Commission (NRC) for violations of the Atomic Energy Act related to nuclear power reactors | $140,000 per day per violation | $280,469 per day per violation |
Some additional agencies increasing their fines under the new mandate include the National Highway Traffic Safety Administration, the Federal Aviation Administration, the Equal Employment Opportunity Commission, the Environmental Protection Agency, the Bureau of Land Management and many others. Other civil penalty increases can be found by searching the Federal Register or individual agency websites.
In addition to monetary fines and penalties, companies who violate the statutes and regulations described above are sometimes required to put in place a compliance monitor or are subject to other penalties including increased reporting requirements. An accusation of a violation alone causes huge costs for companies in terms of investigative costs, loss of earnings, lost good will, negative publicity, and a drop in credit ratings. For example, Walmart reportedly has paid over $738 million in costs and fees as of April of this year in the investigation of its alleged FCPA violations, not including any loss of earnings, etc.
How can a compliance program help?
Although it does require an upfront investment of money, time, and resources, putting into place a compliance plan is integral to avoiding the higher monetary and intangible costs of noncompliance. Among many reasons, it gives employees a roadmap to complying with applicable laws and regulations as well as company policy. It also provides the company with easy justification to dismiss a noncompliant employee, removing the known source of noncompliant behavior while simultaneously sending a message to others who might not comply. Additionally, it makes it easier for companies to self-discover violations before a whistleblower or even a competitor reports the violations to the government. And further, in certain cases it can provide the company with mitigation credit or safe harbor protection from the government in the event a violation is discovered. The sentencing guidelines specifically provide for mitigation credit for companies who have instituted compliance programs, uncovered and addressed criminal conduct quickly, self-reported and cooperated with the government.
What goes into a compliance program?
What goes into a compliance program depends in large part upon the particular laws and regulations applicable to the company or industry. Some common compliance programs most companies have in place cover areas of law and compliance such as anti-corruption (bribery, gifts and entertainment), antitrust, export and trade compliance, environmental compliance, immigration (I-9/eVerify), securities trading, HIPAA (personal health information), document retention, and computer usage.
Some of the minimum hallmarks of any effective compliance program are as follows:
- A commitment from senior management and a clearly articulated policy of compliance.
- Clearly spelled out compliance policies and procedures.
- The assignment of somewhat autonomous oversight of compliance to a senior executive within the organization, along with sufficient resources dedicated to compliance.
- Performance of a risk assessment to tailor compliance to the individual needs of the organization. The government expects companies to focus on those areas that provide actual risk rather than wasting compliance dollars on areas for which the company is not at risk.
- Provision of training and continuing advice to employees and agents as to how to comply.
- Incentives for compliance and reporting violations as well as appropriate and clear disciplinary procedures for noncompliance, up to and including dismissal.
- Existence of a confidential reporting system and procedures for internal investigations into reported violations.
- Periodic testing, auditing, and review to ensure the compliance procedures in place are actually being used and are working.
It is important to note that it is worse to have a compliance program that gathers dust on a shelf than not to have one at all. Why? The Government can argue it is some evidence that a company knew how to comply but chose not to do so.
With planning and attention, avoidance of the greatly increasing costs of noncompliance is relatively easy and much preferable to the alternative—ask anyone who has tried to beat the house and lost their bet by going through the remedial process of noncompliance. If you have additional questions or would like help with your compliance program, please contact Parker Poe.
² Many of the agencies listed have increased multiple penalties. For the sake of brevity, we have listed only the most notable.