United States: U.S. Sentencing Guidelines Require "Effective" Compliance Programs: What Does That Mean?

In 1991, the United States Sentencing Commission issued the first Federal Sentencing Guidelines applicable to the sentencing of "organizations" convicted of federal crimes. Until then, the Sentencing Guidelines applied only to individuals. The Commission has just proposed new amendments to the "organizational guidelines," which will become effective later this year in the absence of action by Congress.

The organizational guidelines - codified as "Chapter Eight" of the Sentencing Guidelines - establish a "culpability score" for each offense. The culpability score, in turn, dictates a narrow range of possible punishments. The sentencing judge may depart up or down (an "upward" or "downward" departure) from this range based upon aggravating or mitigating circumstances. The final score determines the sentence, and a small variance can mean millions of dollars in fines to a corporation convicted of a federal crime.

The existing organizational guidelines call for a reduction in the points assigned to a defendant organization if it had an "effective program to prevent and detect violations of law" in place at the time the actions occurred. In order to be an "effective" compliance program, the program must meet seven requirements set out in the commentary to the organizational guidelines. On April 8, 2004, the Commission approved, for the first time since it established Chapter Eight, amendments clarifying those compliance program requirements. Among other changes, the amendments elevate the seven criteria from the status of commentary to become guidelines themselves. The Chapter Eight amendments, which will require an effective compliance and ethics program, were originally drafted by an ad hoc advisory committee, following a review mandated under the Sarbanes-Oxley Act of 2002. They were revised by the Sentencing Commission and, barring any Congressional action, will become effective November 1, 2004.

Of course, there are other reasons to have an "effective compliance and ethics program" in place besides the threat of criminal prosecution. An effective program may be required as part of the director's supervisory responsibility to the corporation. Most corporations that are audited under generally accepted accounting principles must have "internal controls." Corporate governance rating agencies give higher ratings to public companies that have established effective compliance programs.

Nonetheless, the experience is that many companies - when they most need it - cannot prove that they had an effective compliance program in place. In a survey of the first eight years of the sentencing guidelines, less than one percent of the companies convicted of criminal conduct received credit under the organizational guidelines for an effective compliance program.

With the adoption of the Sarbanes-Oxley Act, the renewed focus on corporate misbehavior, and the proposed amendments to the organizational guidelines, a company that is not actively seeking to improve its compliance program now is taking unnecessary risk.

The commentary to the Chapter Eight guidelines originally listed seven characteristics of an effective compliance program. The amendments to Chapter Eight still follow the seven-step format, but they will alter and further define these criteria. The changes reportedly reflect the Department of Justice's experience in enforcing the current Sentencing Guidelines. As mentioned earlier, the seven criteria will themselves become organizational guidelines.

Step One currently requires an organization to establish "standards and procedures...that are reasonably capable of reducing the prospect of criminal conduct." The proposed amendments further define the appropriate standards and procedures as "standards of conduct and internal control systems that are reasonably capable of reducing the likelihood of violations of law." The advisory committee's report discloses that this change furthers the Commission's belief that to be effective, a compliance program must have reduction in the likelihood of violations of law as a goal.

Step Two assigns overall responsibility for compliance to a high-level person within the organization. The amendments will further require that the leadership and the board of directors know about the compliance program, that the board oversee the implementation and effectiveness of the program, and that overall responsibility for the compliance and ethics program be assigned to a specific high-level person or people. Dismissing paper programs as ineffective, the amendments require that the person in charge of compliance operations be given adequate resources and authority to carry out his mission. These obligations are similar to, and can parallel, the requirements of the Sarbanes-Oxley Act.

Step Three now prohibits an organization from delegating "substantial discretionary authority" to someone it knows, or should know, "has a propensity to engage in illegal activities." As amended, Step Three will exclude from substantial authority any individuals "whom the organization knew, or should have known…[have] engaged in illegal activities." The commentary to the amendment reveals that this amendment now covers those who actually violated the law, even if their employers were the only defendants convicted of the prior crimes. When considering this criminal history, the organization should consider the violation's age, how related it is to the individual's job duties, and whether the violation was part of a pattern of conduct.

Step Four already requires effective communication of Step One's standards and procedures. The amendments will also expressly require compliance training, which the Commission believes is superior to mere communicating, because good training not only tells employees what the law is, but motivates them to comply. The amendments also require the training of non-employee agents, "as appropriate."

With the recent increase in outsourcing, this Step may be the hardest to accommodate. What compliance training does your company furnish to its temporary employees or consultants? If you provide consulting or other services to another company, what are your employees' obligations to that company?

Step Five now requires monitoring and auditing of the compliance program to gauge its effectiveness, and the provision of a mechanism to report violations of the law "without fear of retribution." The proposed amendment to Step Five will specifically call for mechanisms to permit "anonymous reporting," which is at least implicit in the current guidelines, and for inquiries about the law "without fear of retaliation." This new requirement will dovetail with the requirements of the Sarbanes-Oxley Act that public companies - and, in certain cases, even private companies - put mechanisms in place to assure anonymous reporting and non-retribution to whistleblowers.

While Step Five originally allowed monitoring and auditing as one method of assuring efficacy, the amendments will leave no room to choose. This mirrors the requirements of the Sarbanes-Oxley Act with respect to the need for a company to evaluate the effectiveness of its internal controls. An organization must audit and monitor its programs and change the program in response to any failings. A compliance program will be an ongoing effort.

Step Six requires standards that must be consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense. The proposed amendments will augment this stick with the carrot of incentives. Care should be taken to appropriately reward employees who have furthered the goals of the compliance program.

Step Seven requires an organization that has discovered a violation of the law to "take[ ] all reasonable steps to respond appropriately to the offense and to prevent further and similar offenses," including modifications to the compliance program. The amendments leave this requirement largely unchanged in substance, except that Step Seven would no longer require "all" reasonable steps, perhaps recognizing that any organization must make judgments and select from among alternatives in responding to reports of criminal conduct.

The amendments to the organizational guidelines will require an organization to go beyond the seven specific steps and to "otherwise promote an organizational culture that encourages a commitment to compliance with the law." A company that tells its employees to ignore the laws because they are too complicated or are not enforced is arguably not promoting "an organizational culture that encourages a commitment to compliance with the law," and may not be eligible for a downward departure, even if in other respects it has a state-of-the-art compliance program.

The amendments also recognize that screening potential employees for criminal records can lead to liability under the laws prohibiting employment discrimination. The commentary notes that Step Three does not "require conduct inconsistent with any Federal, State, or local law, including any law governing employment or hiring practice." The commentary offers no advice on how to balance this tension, but merely notes its existence.

Finally, when the government begins investigating potential violations of federal law, the amendments propose granting a reduction for cooperation with the government. The amendments further provide that, "in some circumstances, waiver of the attorney-client privilege and of work product protections may be required to satisfy the requirements of cooperation." This is one of the most significant, and most controversial, elements of the proposed amendments, but it is consistent with recent statements of the Department of Justice in this area. See Dep't of Justice, Principles of Federal Prosecution of Business Organizations, January 20, 2003 (commonly known as the "Thompson Memo"). The Securities and Exchange Commission is following similar practices in its enforcement initiatives. Recent court decisions demonstrate that this cooperation may complicate the company's defense of litigation by shareholders. McKesson HBOC, Inc. v. New York State Common Ret. Fund, Inc., 339 F.3d 1087 (9th Cir. 2003). See also U.S. v. Bergonzi, 216 F.R.D. 487 (N.D. Cal. 2003) (holding privilege waived when documents were given to governmental investigators under a confidentiality agreement).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.