U.S. Deputy Attorney General Rod Rosenstein recently announced the Department of Justice’s revised corporate enforcement policy for the Foreign Corrupt Practices Act. The revised policy is based on an FCPA pilot program (in place since April 2016), which provided mitigation credit for voluntary reporting of wrongdoing and specified levels of cooperation and remediation in connection with the resulting investigation.
Much has been made about the new policy provisions that create a presumption of DOJ declination and specify percentage reductions from the U.S. sentencing guidelines in the event that a company self-discloses, cooperates and/or remediates in accordance with specified policy requirements. Certainly, these provisions significantly further the shift toward encouraging company cooperation, as well as continue the focus on holding individuals accountable, and deserve careful attention.
It was, however, Deputy Attorney General Rosenstein’s third “policy enhancement” that most caught my eye. That provision provides detail about how the DOJ evaluates compliance programs, specifying what he calls “hallmarks of an effective compliance program.”
The policy first states that the criteria for an effective compliance and ethics program may vary based on the size and resources of the organization, which seems fair enough. It then provides a list of criteria (quoted below), which it says will be periodically updated:
- The company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated.
- The resources the company has dedicated to compliance.
- The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk.
- The authority and independence of the compliance function and the availability of compliance expertise to the board.
- The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment.
- The compensation and promotion of the personnel involved in compliance in view of their role, responsibilities, performance, and other appropriate factors.
- The auditing of the compliance program to assure its effectiveness.
- The reporting structure of any compliance personnel employed or contracted by the company.
None of these criteria are groundbreaking. They closely correspond to those in the U.S. federal sentencing guidelines, which provide the foundation for most existing, effective compliance programs. They are perhaps most noteworthy as a clear indication of the DOJ’s continuing, emphatic focus on the necessity of effective compliance programs and, therefore, should be carefully considered.
For example, most companies (often wrongly) believe they have a proper culture of compliance and devote sufficient resources to it, making it hard to generate meaningful board or management discussion around those highly subjective points. But how about the next few bullets?
- Are your compliance personnel truly experienced?
- Do they have actual authority and independence? How high up the organization chart do they report and to whom?
- What about the availability of compliance expertise to the board?
- When was the last time you did an enterprise-wide risk assessment?
- How is compensation tied to the performance of compliance personnel, if at all?
- How often do you conduct an independent (or even an internal) audit of your compliance program? Every three years? Every five years? Never?
As many directors and C-suites (though perhaps still a minority) have already realized, it is not enough to simply believe the company is generally compliant, nor is it even enough for the company to, in fact, be generally compliant. The absence of an effective, cohesive, enterprise-wide compliance and ethics program is a ticking time bomb. This is becoming ever more true now that compliance programs are common among all shapes and sizes of companies, having irreversibly moved from “best” to “essential” corporate practices.
Deputy Attorney General Rosenstein’s announcement is another high-profile reverberation in a compliance program drumbeat that keeps getting louder and faster – and transcends DOJ enforcement or FCPA compliance issues. Every company should pause to consider how its program would stack up against the policy’s criteria.