On July 30, 2015, Andrew Weissman, the chief of the Fraud Section of the U.S. Department of Justice (DOJ) Criminal Division, announced that the DOJ is in the process of hiring a former prosecutor to serve as a full-time expert in compliance programs. With this move, the DOJ is taking a significant step to ensure that companies have tough but realistic compliance programs that detect and deter wrongdoing by executives. The new compliance expert will be tasked with investigating corporate compliance programs to determine whether they are effective or mere window dressing.
Existence of a compliance program alone is not sufficient to justify not charging a corporation for criminal misconduct undertaken by its officers, directors, employees, or agents. To avoid liability, companies must thoroughly examine their compliance programs to ensure that they are up to the government's standards. In order to meet these standards, a compliance program must be robust and effective.
Companies need look no further than the Federal Sentencing Guidelines for guidance on the minimum requirements of a robust corporate compliance program. Under the Sentencing Guidelines, ethics and compliance programs must be "reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct." A company not only must exercise due diligence to prevent and detect criminal conduct, but also must promote a culture that encourages ethical conduct and commitment to compliance with the law. The key components of a "best practices" corporate ethics and compliance program include:
- Organizational Structure and Leadership. The Sentencing Guidelines require that a company's board of directors be knowledgeable about the content and operation of the compliance program and exercise reasonable oversight over its implementation and effectiveness. The company must assign senior management personnel with overall responsibility for the program, and it must also designate specific individuals, such as a chief ethics and compliance officer, with the day-to-day operational responsibility for the program. Such individuals must not have a history of engaging in illegal or unethical activities or other conduct inconsistent with an effective compliance program. The individual(s) with the day-to-day responsibility should have adequate resources to operate effectively and report directly to the company's board of directors or a committee of the board responsible for the company's compliance program.
- The Right Compliance Program for the Business and Industry. The company's ethics and compliance policies and procedures should be tailored to the industry and location in which the company operates and the company's history. For instance, companies that operate in countries with higher risk for corrupt practices should in particular include robust anti-corruption policies and procedures in their compliance programs, including provisions for diligence on third-party business partners. Companies that have experienced prior regulatory or criminal issues should ensure that their compliance programs are adequately structured to prevent those issues from reoccurring.
- Communication and Training. Companies must take reasonable steps to communicate periodically and in a practical manner its ethics and compliance policies and procedures to all employees and agents of the organization. Training should be tailored, tracked, attested to, documented, followed up, and refreshed. The company should also foster an environment where employees are not afraid to seek guidance on the company's compliance program or report possible violations for fear of retaliation.
- Monitoring, Testing, and Enforcement. Effective compliance programs must include auditing and testing. The compliance program must also have an established information and reporting system reasonably designed to provide members of management with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization and its employees' compliance with the company's policies and procedures and the law. If any violations are detected, the organization must respond appropriately and take measures to prevent further similar conduct.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.