On June 1, 2020, the Department of Justice (DOJ), without any fanfare, quietly slipped out its 2020 revision of the Evaluation of Corporate Compliance Programs guidance. As with its predecessors in 2017 and 2019, this update further refines the DOJ’s guidance to companies about how often they should review the structure of their ethics and compliance programs, the importance of a compliance officer’s access to data, and greater clarity on how companies should integrate mergers and acquisitions into their existing programs and corporate culture.
This third installment of the guidance underscores why and how law enforcement pays such close attention to a company’s ethics, compliance, and anti-fraud activities. Since early 2017, the DOJ has clarified its previously nebulous position on the value of proactive compliance efforts by introducing a series of memos and additions to the Justice Manual aimed to answer the following questions:
- What do government regulators expect a company’s ethics and compliance programs to look like?
- What steps can companies take before an ethical failure, or between the time of an offense and resolution, to structure (or remediate) ethics, compliance, and anti-fraud activities in a manner that will help mitigate the consequences of enforcement actions?
- How can a company determine whether its ethics and compliance activities are having the intended impact?
While government guidance provides insight into the potential value of strong ethics and compliance programs when resolving enforcement matters, the DOJ or other government agencies do not proactively evaluate a company’s ethics and compliance posture unless that company is under investigation. So how then do companies determine the sufficiency of their ethics and compliance activities?
The role of a compliance monitor
Quite often, government agencies will require companies to engage an independent monitor as a key element in the resolution and settlement of an enforcement matter. A compliance monitor is an objective neutral party that reports to both the government and the company on the company’s compliance with the terms of a settlement. A monitor may be engaged as part of a deferred prosecution agreement, consent decree, suspension and debarment action, or as a condition of antitrust/merger approvals. Regardless of the underlying matter, a compliance monitor must be a qualified independent party who designs and implements a custom monitoring program to satisfy the unique requirements of the applicable government agreement. In most cases, monitors are required to conduct a comprehensive assessment of a company’s ethics and compliance program, anti-fraud activities, and corporate culture as part of their responsibilities under the government agreement.
In October 2018, then-Assistant Attorney General Brian Benczkowski issued his memo, “Selection of Monitors in Criminal Division Matters,” which was the first major DOJ pronouncement regarding corporate monitors under the Trump administration. The Benczkowski Memo represents a significant shift from earlier guidelines, signaling to both prosecutors and businesses the administration’s view that monitorship appointments will not be taken lightly and will be required only when clearly warranted.
The Benczkowski memo addresses two broad considerations identified in the previous DOJ guidance (the Morford Memo ) that should guide prosecutors when assessing the need and propriety for appointing a monitor: “The Criminal Division should favor the imposition of a monitor only where there is a demonstrated need for, and clear benefit to be derived from, a monitorship relative to the projected costs and burdens” on the corporation.
In evaluating the potential benefits of a monitor, prosecutors are directed to consider, among other factors, the following questions:
- Did the underlying misconduct involve manipulation of books and records?
- Was the misconduct pervasive across the business organization?
- Did the corporation make investments in its corporate compliance program?
- Have internal controls been implemented to demonstrate that they would prevent or detect similar misconduct?
April 2019 and June 2020 DOJ guidance
In both April 2019 and June 2020, the DOJ updated its original Evaluation of Corporate Compliance Programs. The 2019 update amplified both the 2017 guidance and the Principles of Federal Prosecution of Business Organizations from the Justice Manual, which enumerates factors prosecutors should consider in the investigation, charging, or resolution of corporate crimes. The June 2020 guidance document clarified, amplified, and, in several instances, expanded upon previous versions.
In deciding the adequacy and effectiveness of a company’s compliance program, prosecutors are requested to consider three fundamental questions:
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?”
- “Does the corporation’s compliance program work in practice?”
Let’s look at these three questions in greater depth.
Is it well designed?
Prosecutors are advised to understand the company’s business from a commercial perspective and determine how the company has assessed and identified its risk profile and the resources devoted to deal with such risks. There is a strong link established between a company’s fraud risk assessment and the design of an ethics and compliance program that specifically addresses those risks. In addition, the company is expected to establish policies and procedures that incorporate a compliance culture into its day-to-day operations.
Assessment of the company’s ethics and compliance activities is also extended to the policies and procedures for identifying and resolving red flags during the due diligence over third-party contractors, vendors, suppliers, and consultants. During pre- and post-acquisition due diligence during mergers or acquisitions, the company is expected to assess the compliance posture of the acquired company and have a plan to fully integrate the new employees and organization into the corporate culture of the acquiring company.
Is it adequately resourced and empowered to function effectively?
The 2019 and 2020 updates distinguish between a paper program and one that is operational and effective. The DOJ identifies several characteristics of a robust, effective program, including:
- Commitment by senior and middle management,
- Autonomy and resources provided to the program and the chief ethics and compliance officer, and
- Implementation of both performance incentives and disciplinary measures to ensure compliance.
Does it work in practice?
The existence of misconduct does not necessarily mean that a company’s compliance program is ineffective. The guidance considers both a retrospective and current review process—the effectiveness of the program at the time of the incident(s), any remediation that has taken place, and the state of the program and related activities at the time of the charging decision or resolution.
Some of the factors to be considered in determining if the program worked include the following:
- How was the misconduct in question detected?
- Were adequate resources available to investigate misconduct?
- Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
- At the time of a charging decision or resolution, did the company have a compliance program and internal control systems that can demonstrate continuous improvement? Do these improvements allow the company to prevent or detect similar incident(s) in the future?
What is an independent monitor’s role?
Traditionally, the role of an independent monitor has been reactive: the monitor is engaged in accordance with the terms of the deferred prosecution agreement, administrative agreement, consent decree, or other government settlement. The monitor will assess compliance with a variety of the agreement terms and is typically focused on assessing the ethical culture of the company and the sufficiency and impact of the company’s ethics, compliance, and anti-fraud efforts. The issuance of and recent updates to the DOJ guidance provide an excellent framework for the monitor to conduct its assessment and provide meaningful feedback to both the government and the company, along with recommendations for improvement.
Why proactive monitoring and assessment make sense
We are living through interesting times, and the concept of a new normal can also be applied to how we think about monitoring. The combination of the Benczkowski Memo on the appointment of monitors and the Evaluation of Corporate Compliance Programs provides a detailed road map for companies on how to minimize and potentially mitigate the fines and penalties that may result from compliance failures. In addition, the existence of strong compliance programs or demonstrated remedial efforts can, according to Benczkowski, result in a decision not to impose a monitor at all (a desirable outcome in terms of cost and intrusiveness). More importantly, effective anti-fraud activities and ethics programs can help create and strengthen controls, procedures, and corporate culture, and help drive the right employee behaviors that can prevent fraud and other misconduct in the first place.
Consideration should be given to using monitors proactively to independently assess ethics and compliance activities with an eye toward achieving the goals described above. Especially during the current COVID-19 pandemic, companies are facing elevated risk levels due to a variety of factors, including widespread increases in remote work with little advanced planning; relaxed policies and controls to accommodate workforce and workflow changes; and the significant impact of the pandemic on employees who may be experiencing shifts to the factors of opportunity, rationalization, and pressure that can lead to fraud and other employee misconduct.
As demonstrated by Ethisphere, publicly traded companies committed to best practice ethics and compliance programs, compared within the S&P large cap index, outperformed the rest of the sector over five years by 13.5%. Ethical behavior is good business.
No better time than now to be proactive
Simply put, now is the time for companies to proactively assess whether these new risks (and many preexisting ones) are being adequately addressed by their ethics and compliance activities and would be favorably viewed by government regulators and law enforcement. The DOJ has already begun prosecuting those companies that have experienced difficulty with the weak, contradictory, and quickly changing regulatory environment surrounding the stimulus funding programs, and enforcement in government contracting, antitrust, and healthcare has continued unabated. Proactive monitoring would help demonstrate and document a commitment to ethics and compliance and enable companies to stay a step ahead of the inevitable tidal wave of enforcement action. In many ways, it’s either “pay me now or pay me later.”
- The 2020 installment of the Evaluation of Corporate Compliance Programs underscores why and how law enforcement pays close attention to a company’s ethics, compliance, and anti-fraud activities.
- The Department of Justice and other government agencies do not proactively evaluate a company’s ethics and compliance posture unless that company is under investigation.
- Quite often, government agencies will require companies to engage an independent monitor as a key element in the resolution and settlement of an enforcement matter.
- Companies should proactively assess whether new risks are being adequately addressed by their ethics and compliance activities and would be favorably viewed by regulators.
Proactive monitoring would help demonstrate and document a commitment to ethics and compliance, enabling companies to stay a step ahead of a potential enforcement action.