Compliance continues to be an important aspect of settlements in corporate prosecutions. In a recent article, “Testing Compliance,” Greg Mitchell and I argue that neither companies, but particularly not government regulators and enforcers, should treat compliance as “hope-based,” where they ask whether it seems well-intentioned or likely to comply with best practices. Instead, they should empirically test compliance to find out whether it in fact works. It is understandable that companies do not generate self-critical testing data, when government does not require it. But it is most troubling of all that governments have not incentivized generation of information about what actually works.
The new Administration and accompanying policy shifts at the Department of Justice may provide an opportunity to rethink matters. So far, we have not seen any major announcements from the DOJ, apart from some renewed skepticism concerning the role of corporate monitors. The pre-existing and still current 2020 guidance from the DOJ on compliance is lengthy, and it does mention testing. It suggests, however, that testing might just be “periodic.” It suggests that surveying employees might be a meaningful way to assess the state of compliance. Conducting “periodic audits” is noted as something desirable, but also depending on the company’s size and complexity. Some “testing of controls” may be valuable, but perhaps “interviews of employees” are enough, based on this guidance. In the FCPA context, the DOJ has recommended “targeted audits.” However, nowhere is it clearly stated that prosecutors and others should reward actual empirical testing. Testing is described, at best, as one possible method to assure effective compliance.
Other types of regulators do incentivize and conduct such testing. Site visits, proficiency testing, and rules for conducting testing of performance, are set out in a range of areas. Clinical laboratories, for example, must use proficiency tests that meet certain minimum criteria.
Further, prosecutors could themselves seek to test compliance before making a determination that compliance is either adequate or inadequate. These assessments are important. They may affect whether the company is subject to intrusive monitoring, more serious fines, or conversely, leniency due to the perceived adequacy of compliance. Prosecutors should know by now that their judgment calls are imperfect. Companies have had prosecution agreements extended because compliance efforts have not been completed in the anticipated time. Companies have been repeatedly prosecuted for new violations. Nor do other firms have good guidance on whether it is worthwhile to invest in more compliance, absent any sense whether it is effective or not.
None of this is to say that culture of compliance, tone from the top, investigations and remediation, and other evidence, may not be highly useful when assessing compliance programs. However, testing compliance should come first. Such testing can take a number of forms, from random sampling and audits, to broader performance testing and experiments. Regulators should act as a clearinghouse of testing data, to then disseminate compliance practices that are validated and work. They can reward companies for developing compliance processes that are shown to work – and incentivize sharing of such information with others.
Today, “implementation of compliance programs without rigorous validation of those programs,”[1] is the norm, and as Mitchell and I argue, this “constitutes nothing more than a hope that these programs will protect workers, stockholders, and the general public from organizational misconduct.” Perhaps the new Administration will change matters to focus more on testing of compliance.
Footnotes
[1] Brandon L. Garrett & Gregory Mitchell, Testing Compliance, 83 Law and Contemporary Problems 47, 49 (2020) (https://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=4975&context=lcp).
Brandon L. Garrett is the L. Neil Williams Professor of Law at Duke University School of Law, where he has taught since 2018. Garrett is the founder and Director of the Wilson Center for Science and Justice at Duke and the author of “Too Big to Jail: How Prosecutors Compromise with Corporations.”
Disclaimer
The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.