Federal Government Focus on Corporate Compliance Programs Continues to Grow
Last week, first the Department of Justice’s (DOJ’s) Criminal Division released an update to the guidance document “Evaluation of Corporate Compliance Programs,” and within days the Department of the Treasury’s Office of Foreign Assets Control (OFAC) published “A Framework for OFAC Compliance Commitments,” which provides guidance on effective sanctions compliance programs.
The updated DOJ guidance organizes several compliance program expectations around three “fundamental questions” that prosecutors ask when deciding whether to bring criminal charges against an offending corporation.
Is the corporation’s compliance program well designed? The guidance recognizes that different companies have different risk profiles depending on their industry, market locations, regulatory landscape, clients and business partners, foreign-government affairs, use of third parties, and business expenses and donations. Accordingly, DOJ expects companies to employ tailored risk-assessment methodologies to identify and rate risks specific to their business. Organizations should address risks in written compliance policies and procedures and clearly communicate them to all employees and relevant third parties. The guidance also emphasizes periodic and practical compliance training, a confidential reporting structure, and an investigation process to root out potential compliance issues. Finally, the guidance expects compliance programs to incorporate due-diligence procedures for identifying red flags in associated third parties and acquisition targets and ensuring that problem entities face appropriate consequences.
Is the compliance program implemented effectively? The guidance restates DOJ’s long-held view that effective compliance begins with a culture of ethics set by senior and middle management. To evaluate management culture, DOJ looks for concrete efforts by company leaders to encourage legal compliance, but also considers whether managers tolerate greater compliance risks or encourage unethical behaviors to achieve business ends. Next, DOJ expects personnel responsible for compliance oversight to be empowered with sufficient seniority, autonomy, and resources to audit and document company compliance and bring any issues to the attention of the board. Finally, effective implementation also requires robust and consistent disciplinary procedures to encourage employee compliance, such as reduction in pay or seniority.
Does the compliance program work in practice? Prosecutors weighing criminal charges deploy three considerations in evaluating how a company’s compliance program works on the ground. First, DOJ expects companies to undertake periodic testing and audits of their legal compliance and to update their risk assessments and policies, procedures, and practices accordingly. Second, prosecutors consider whether an offending company has an effective investigations structure that reviews any allegations or suspicions of misconduct and documents the company’s response. And finally, DOJ considers whether the company conducts root-cause analysis of any misconduct and makes systemic changes to reduce similar risk in the future.
DOJ’s updated guidance provides corporate compliance professionals helpful insight into how they should design, implement, and execute compliance programs. Yet, as DOJ recognizes, this guidance provides “neither a checklist nor a formula.” The optimal risk-based approach to compliance will vary from company to company depending on its individual risk profile, operational footprint, and historical experience.
OFAC is the primary federal agency that administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals. As with DOJ’s guidance, the OFAC framework encourages organizations to implement tailored risk-based sanctions compliance programs (SCPs). At OFAC’s discretion, organizations with effective SCPs will be eligible for reduced monetary penalties if OFAC discovers sanctions violations. The framework identifies five components OFAC considers essential for effective SCPs.
Management commitment: Senior management should review and approve their organization’s SCP, provide sufficient resources for its maintenance, and engender a “culture of compliance” that promotes transparency and discourages misconduct.
Risk assessment: Organizations should conduct assessments that holistically review operations “from top-to-bottom” to identify risks posed by their clients and customers, products, and services, and risks in any other relevant areas, and should also ensure any weaknesses identified will be addressed as appropriate.
Internal controls: Organizations should implement easy-to-follow policies and procedures outlining the SCP, which should apply throughout the organization, capture day-to-day operations, and provide employees with clear instruction on how to identify risk and escalate matters requiring additional consideration.
Testing and auditing: SCPs should ensure independent audits assess the effectiveness of current processes and identify inconsistencies between these and day-to-day operations.
Training: At least annually, organizations should conduct trainings for all appropriate employees and personnel to provide job-specific knowledge based on need, communicate sanctions compliance responsibilities and developments, and assess employees’ knowledge regarding the SCP as necessary.
OFAC and DOJ both recognize that compliance is not “one size fits all.” Successful compliance programs, therefore, draw from and evolve with the experience of an organization and its employees. Properly designed and administered, compliance programs can satisfy government standards and also add value by identifying risks and neutralizing threats.
This post features contributions from Michael O’Brien.