Inside the Prosecutor's Playbook: Broader Lessons from the FCPA Pilot Program
As a former federal prosecutor, I frequently counsel clients—in both the proactive and reactive aspects of my practice—to pay close attention to the government’s enforcement “playbook.” In short, the government’s top plays on offense can be revealed through its policies (i.e., what it “says”), as well as through its pattern of enforcement (i.e., what it actually “does”). Similar to the approach of every winning sports team, this playbook changes on a regular basis. Accordingly, every compliance officer whose company lies within a heavily regulated industry needs to keep up with the government’s playbook and use it as part of their team’s periodic assessments of corporate risk and the effectiveness of their compliance program.
Given that this year is the 25th anniversary of the enactment of Chapter 8 of the United States Sentencing Guidelines, which laid out the ground rules that applied to organizations,1 it seems fitting that the Department of Justice (DOJ) provided some supplemental guidance on April 5, 2016, to the classic “Big Seven” criteria (aka the Seven Elements) that first appeared in Chapter 8B2.1. The latest page in the government’s playbook only directly applies in the context of the Foreign Corrupt Practices Act (FCPA) Enforcement Plan and Guidance (pilot program).2 Unfortunately, given its title and misleadingly narrow scope, some members of the Compliance community may have missed the big announcement or the clearly broader application of the new criteria for assessing compliance effectiveness. This article attempts to highlight the value and importance of incorporating the broader lessons embodied within the recent announcement from the DOJ.
A Primer on the Seven Elements
As we are all aware, the foundation of any “effective” corporate compliance program must include the following seven components set out within the Federal Sentencing Guidelines at Chapter 8B2.13 :
- Written policy and procedures.
- Centralized oversight by a corporate compliance officer with recognized authority.
- Background checks.
- Effective training.
- Auditing and monitoring of the program.
- Adequate discipline in response to misconduct.
- Continual improvements to the program.
These “effectiveness” criteria remained in place for many years, before they were amended in 2004, to include the need for periodic risk assessments.
The Supplemental Effectiveness Criteria
On April 5, 2016, the DOJ Fraud Section released a 9-page document that outlined and summarized its FCPA enforcement pilot program. Most of this document addresses the specifics of the pilot program, which highlights the government’s expectations for voluntary self-disclosure and cooperation. However, in discussing its expectations for what must be present in a compliance program to receive “credit,” the DOJ adds the following supplemental criteria into the mix.
A Culture of Compliance
One of the new key criteria in DOJ’s review of the compliance program is whether the company has established a “culture of compliance.” Although it may have been more helpful and practical if the DOJ included some additional details as to what such a “culture” should include, like many other aspects of compliance guidance, the government prefers to “speak in generalities” so as to provide sufficient flexibility to allow each company to “respond with its own specifics.” The only additional note that DOJ did include within the recent policy was “awareness among employees that any criminal conduct… will not be tolerated.” Such an affirmative statement should be included within the training acknowledgment that each employee signs, but the DOJ will likely expect more. As always, the challenge lies in developing a reliable way of demonstrating and measuring a positive culture.
As a federal prosecutor tasked with overseeing an investigation and scrutinizing the “effectiveness” of a target company’s compliance program back in the early days, I was often presented with overly general information from defense counsel (most of whom were clueless about the “art and science” of corporate compliance). Rather than being persuaded by the lofty policy declarations and glossy training brochures (i.e., what the company “says” or “claims”), I often focused on three fundamental questions that go to the heart of corporate “culture” and genuine priorities (i.e., what the company actually “does”):
- What does the company fund?
- What does the company measure?
- What does the company incentivize (through rewards and punishments)?
Because a company’s true priorities can be measured by how it spends its time, money, and attention if a company shirks these criteria or fails to keep adequate records, that probably means they are not a priority. One of the added practical benefits of focusing on these issues is that these criteria are not subjective, but objective and quantifiable over time.
One of the more practical definitions of “corporate culture” was stated by the current FBI Director, James Comey, when he was among the top-brass at DOJ. When he spoke about “confronting corporate crime” at a White-Collar Crime Institute in 2014, Comey stated that culture is “the way things are really done around here no matter what they tell you in training.” In short, while it has always been important, corporate culture has moved to center stage. The challenge is up to each compliance team to improve and measure these criteria.
Some other new and appropriate areas of focus in assessing the effectiveness of a corporate compliance program relate to the following questions and issues surrounding the compliance team itself.
Is the Compliance Program Adequately Resourced?
On its face, this criteria is relatively straightforward and self-explanatory, because it relates to the overall compliance budget. As the old adage says, this question tests whether the company is willing to “put its money where its mouth is.” The tougher judgment call surrounds the follow-up question: “How much is adequate?” The correct answer is a function of the relative risks the company faces. This is one area where companies would benefit from industry-wide benchmarking.
Is the Compliance Team Qualified and Experienced?
This question is designed to make sure that companies don’t simply “check the box” by assigning anybody to fill the role of overseeing and managing the compliance program. Given the growth and maturity of the Compliance profession, the range of certifications and specialized training, as well as the opportunities to gain practical job experience, this criteria is easier to measure in recent years.
Is the Compliance Team Sufficiently Compensated and Promoted?
The focus of this issue and what the question is designed to reveal is the relative priority that a company places on the role of compliance. Reviewing relative salaries can still be somewhat subjective, but the key comparison is between the salaries and career trajectories of compliance leaders and those in other corporate functions. To the extent that compliance is viewed as a “career-limiting” position, that will not bode well in this latest DOJ assessment criteria.
The Independence and Reporting Structure of the Compliance Function
Two other critical and related ingredients in the latest DOJ playbook for assessing compliance effectiveness are whether the Compliance function is truly “independent” and whether the reporting structure within the company actually works. Reviewing these two criteria is a two-step process.
The first step is to look at the overall design of the compliance team, its placement within the corporate organizational chart, and the “theoretical” lines of reporting. This design reveals the theory of how things are supposed to work. However, the critical second step is to carefully review how, and whether, this design functions properly. This deeper dive requires the review of a sufficient sampling of key decisions, as well as the actual information that relates to compliance issues. To state the obvious, things often do not work as they are designed or get handled the way they should. Accordingly, whether the compliance program is truly independent will be revealed by looking at concrete decisions that involved competing priorities or the allocation of scarce resources. Similarly, whether the reporting structure works depends on whether information (e.g., “bad news”) was shared and channeled along the right paths and reached the right decision-makers.
Other Traditional Ingredients Re-Emphasized
The remaining criteria set out in the FCPA pilot program for assessing the effectiveness of a company’s corporate compliance program are not completely new, but they do warrant a close re-examination.
Every compliance officer quickly learns that the challenge of assessing and improving their program never goes away. Every review is simply a snapshot in time and needs to be repeated on a periodic basis. This is due to a variety of internal and external factors that continually change the landscape of corporate risks and the effectiveness of the internal controls within the compliance program.
Risk Assessments and Tailoring of the Compliance Program
Accordingly, DOJ often pays close attention to the frequency and adequacy of corporate risk assessments, as well as what changes or adjustments were made to the compliance program to fill any identified “gaps.”
Auditing of the Compliance Program
Similar to the importance of ongoing risk assessments, DOJ also wants to see regular auditing of the compliance program to determine whether it is effective or needs to be improved.
Appropriate Discipline for Misconduct
In order to pass muster with DOJ, every corporate compliance program must be able to demonstrate that the company takes internal discipline seriously. This does not mean that anyone who engages in any misconduct must be immediately terminated. A range of disciplinary measures can be taken, depending upon the severity of the underlying act. However, if no such discipline is taken, or if it is dispatched on an arbitrary basis, the program will lose credibility.
Any Additional Remedial Steps Taken
Recognizing that one policy cannot possibly address the full range of scenarios and circumstances that will arise, the FCPA pilot program criteria also include a “default” or “catch-all” provision, whereby companies will receive credit for:
- Demonstrating its recognition of the seriousness of the corporation’s misconduct.
- Accepting responsibility.
- Implementing measures to reduce the risk of repeating similar misconduct.
- Identifying future risks.
These final factors reinforce the willingness of DOJ to recognize and reward the range of a company’s remedial or corrective efforts.
The DOJ’s recently announced FCPA enforcement pilot program includes important criteria that apply broadly to the challenge of assessing the effectiveness of all corporate compliance programs. Even a casual review reveals that nothing about these new criteria is unique or limited to FCPA risks. In fact, all of the components discussed above represent the core and essence of corporate self-governance and can have a tremendously favorable impact on the broad enforcement discretion of regulators and prosecutors. Similar to the original “Big Seven” of the Organizational Guidelines, these new criteria fall into the three different zones that the DOJ will examination—before, during, and after the misconduct is discovered or the incident occurs.
After evaluating a company and its efforts in each of these time zones, if the government perceives your company as a “good corporate citizen,” it is more likely conclude that there is no need to bring harsh punishments. However, to obtain maximum credit, it is important not only to continually make improvements but to “show your work.” Memorializing the internal decision-making will provide the necessary transparency that DOJ often expects and requires.
Accordingly, every compliance team that reviews the effectiveness of their own compliance program—and ignores these new criteria—does so at their peril. Oh, and if this new page from the government’s enforcement playbook is overlooked, it will probably be a “game changer.”
©2016. Published in Compliance & Ethics Professional, November 2016, by the Society of Corporate Compliance and Ethics. Reproduced with permission. All rights reserved.