The classic 1957 American mystery film “Three Faces of Eve,” about a woman with multiple personalities, may well describe the approach taken by the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC) in evaluating the effect company compliance programs have in enforcement proceedings. Both enforcers reject the notion of a compliance defense. Both agree that compliance is key in remediating wrongful conduct and preventing its reoccurrence in the future. And, both agree that effective compliance can result in a declination even if a violation is found.
Recent comments by the DOJ’s compliance expert, posted on LinkedIn, appear to mirror the schizophrenic approach the federal government takes to compliance. Hui Chen, former DOJ compliance counsel, chided the authors of unidentified compliance articles for a “lack of precision and intellectual rigor.”1 Recommendations from compliance professionals should be built on “substantiation,” evidence, accuracy, and conclusions tethered to clearly articulated logic, according to the comments. Compliance professionals should avoid relying on generalized statements or hyperbole and should be “more specific and concrete,” Ms. Chen wrote.
The point of Ms. Chen’s posting is difficult to ascertain. No one would dispute the fact that guidance on the subject should be founded on appropriate evidence and principles. No one would argue that companies need to tailor their compliance systems to the specific situations faced by the business—a “one size fits all” approach is inappropriate.
Ms. Chen’s LinkedIn comments, however, concern articles and blogs that of necessity discuss general principles and building blocks, which ultimately serve as the predicate for compliance systems. Viewed in this context, the remarks are puzzling. If the point was to remind compliance professionals to start with the basic building blocks and apply those principles to the specific circumstances of the firm, then the comments serve a useful purpose, although somewhat awkwardly presented.
Indeed, viewed in this context, the first critical step for firms seeking to build a compliance program to overcome the government’s unhinged approach to compliance should begin with the principles detailed by the DOJ and SEC in their guide on the FCPA.2 Those principles require as follows:
- Tone at the top: “ . . . compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” Id. at 57. This necessitates more than a well-written program. It requires that the firm create a dynamic, pervasive culture that demands fair play.
- Code of conduct: The foundation of any system is often the code of conduct. The Guide states that the policies and procedures of an organization should “outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures . . . .” Id. at 57-58. These can take a variety of forms, such as a web-based compliance program for the approval of routine gifts, travel, and entertainment.
- Responsibility: Critical to any program is assigning responsibility “for oversight and implementation of a company’s compliance program to one or more specific senior executives within the organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources . . . .” Id. at 58.
- Risk assessment: Fundamental to an effective compliance program is risk assessment. One size does not fit all, nor does it fit every part of a single organization. The approach and procedures may differ across an entity depending on the risks assessed. The Guide states that factors to be considered by an organization “include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” Id. at 59.
- Training and updating: To be effective, compliance procedures must be communicated throughout the organization and periodically updated in view of experience. This can be done in a variety of ways, such as through web-based and in-person training sessions. Personnel should also conduct periodic reviews and updates of the system pursuant to the organization's past experiences along with the dictates of the marketplace. Id. at 59.
- Incentives and disciplinary measures: The procedures must apply to every person in the organization. Critical to this is engraining integrity and ethics into the company’s overall promotion, compensation, and evaluation process, which provides positive incentives for compliance achievement. At the same time, the company must install an appropriate disciplinary scheme as a remedy for those who do not comply with the system. Id. at 59.
- Third party due diligence: Agents, consultants, distributors, and other third parties have frequently been at the center of FCPA actions. An effective set of procedures focused on risk-based principles, an understanding of the business rationale for using the third party, and any corresponding payments coupled with ongoing monitoring of these relationships is key. Again, this is not a one size fits all approach but rather a program crafted to the dictates of the marketplace and particular situation of the specific company. Id. at 60.
- Confidential reporting: Finally, any program must provide a mechanism for confidential reporting. This mechanism can be used to encourage employees to report questions and issues to the organization. There should also be provisions for conducting appropriate follow-up on the reports and, where necessary, taking the appropriate remedial steps.3
Step two in building a compliance defense requires the company to bring the system to life. To do this, the Chief Compliance Officer (CCO) must facilitate the implementation of the system, bring it off the printed page and instill it into the lifeblood of the organization. Former SEC Chief of Staff Andrew Donohue—himself a former CCO—recently detailed how this is done:4
- Knowledge of business: The CCO should know the business better than those who run it and should have a deep knowledge of the regulatory regimes under which the organization operates;
- Risks: It is essential that the CCO identifies the key risks faced by the organization;
- People: The CCO must understand and appreciate the people and their focus;
- Systems: It is critical that the CCO understand the systems employed, their limitations and the people involved with them; and
- Resolution: When an issue is identified, it must be addressed and resolved quickly.
Mr. Donohue’s final point may be the most important. The effective CCO must constantly ask: “What am I missing?” The effective CCO must work to instill a culture that constantly evaluates, adjusts, and updates its compliance system to respond to business growth and changes in the environment and marketplace. When this is properly done, the system improves the overall functioning of the business.
If the compliance system is properly constructed, implemented, and brought to life, it can be used as a compliance defense, moving past the seemingly contradictory approach to compliance taken by the enforcers. When an issue arises, the system can be used by the firm in meetings with the DOJ and SEC on the question to first discuss the effectiveness of the compliance system and then to characterize the issue as an outlier. This contrasts sharply with the more typical approach taken by firms in which any reference to compliance is relegated to the remediation part of the conversation, as Mr. Donohue notes. Building an effective compliance system permits the firm to move past the “Three Faces of Eve” approach of the DOJ and SEC at the meeting and to seek a declination.
1 As of June 23, 2017, Ms. Chen has left the DOJ. At the time of her comments, however, Ms. Chen was serving as the DOJ’s compliance counsel.
2 A Resource Guide to the U.S. Foreign Corrupt Practices Act, Criminal Division of the U.S. Department of Justice and Enforcement Division of the U.S. Securities and Exchange Commission (revised Nov. 2015) (the “Guide”).
3 See also United States Attorneys’ Manual, Title 9 – Criminal, 9-28.000 – Principles of Federal Prosecution of Business Organizations, 9-28.800 Corporate Compliance Programs (revised Nov. 2015); U.S. v. Marubeni Corporation, Criminal No. 314 cr 00052 (D. Conn. filed March 19, 2014) (settlement with recidivist FCPA violator articulating principles to be incorporated into firm’s compliance system).
4 Mr. Donohue delivered these remarks to Rutgers Law School Center for Corporate Law and Governance’s New Directions in Corporate Compliance Conference.