Editor’s Note: On September 15, 2022, the Program on Corporate Compliance and Enforcement (PCCE) at New York University School of Law hosted Deputy Attorney General Lisa O. Monaco while she delivered a speech detailing significant changes to the Department of Justice’s corporate prosecution policies. The speech and accompanying policy memo are available here. Over the coming days and weeks, PCCE will be publishing reactions to the new DOJ policies by practitioners, scholars, and compliance officers.
The changes to the Department of Justice’s (DOJ’s) corporate criminal enforcement policy announced by Deputy Attorney General Lisa Monaco at NYU School of Law on September 15 have prompted in-house and external counsel to reassess approaches to internal investigations, prosecutorial discovery requests, and negotiations with prosecutors in pending cases. However, the speech, and especially the concurrently released DOJ memorandum, also offer significant implications for enterprise-wide compliance and risk management programs. This note highlights program elements that compliance officers and those who oversee compliance programs should be thinking about in five important areas: issues escalation and management; policy enforcement and related discipline; the role of compliance performance in employee compensation; supervision of employee communications; and, as an overarching theme, continuously managing a firm’s changing risk management profile.
Program Support for Prompt Self Reporting and Responses to DOJ Requests
The new guidance is clear that cooperation credit rests in large part on the speed and transparency with which corporations disclose misdeeds and related investigative and evidentiary materials. This must include and, indeed, prioritize information regarding the accountability and culpability of individuals for corporate actions. The absence of accurate and up-to-date job descriptions, compliance policies and procedures that clearly define responsibilities for conduct and compliance across all three lines of defense, augmented by clearly documented decision-making practices, will significantly complicate the ability to identify accountability for corporate actions. Documented role and decision-making clarity is particularly important in matrix-management or dual-reporting situations. In large, complex firms, care should also be taken that the cadence of governance meetings (i.e., monthly, quarterly) does not create a risk of slowing decision-making around the resolution of issues with potential regulatory consequences.
Further, the ability to internally escalate and investigate matters in a timely fashion rests upon having an enterprise-wide, well-documented escalation policy and issues management program, fed by information from multiple channels. An issue-escalation and tracking system that is carefully watched by a designated owner and is sensitive to these issues is essential. Channels should include employee escalations as well as customer and third party complaints, employee exit interviews, and the results of quality control, risk monitoring, and testing programs. In corporate cultures that, even for logical reasons, disfavor the escalation of a problem without a proposed solution in place, there may be a need to educate both staff and their supervisors on the need to re-balance speed and analysis, and reward both speaking up and taking accountability. Compliance programs that provide credit for business self-identification of issues and prompt escalation, mandate root cause analysis, validate the effectiveness of remediation, and have both positive and negative impact on individual and business performance ratings support a culture that is capable of meeting DOJ standards.
For companies that engage in business outside the US, the DOJ has made clear its expectation that companies find a way to provide relevant information housed outside the US. Thus, companies would be well-served to develop information management protocols and privacy compliance policies and programs that are cognizant of all relevant obligations.
A Double Look at Compliance Program Effectiveness
DOJ has clarified both how and when having an effective compliance program will impact the terms of a corporation’s resolution of DOJ matters, including whether a monitor will be required. Significantly, prosecutors are now instructed to evaluate the adequacy and effectiveness of the compliance program at two points in time—(1) the time of the offense itself and (2) the time of the “charging decision” (presumably any resolution that resolves the case).
The identification of these two points in time, and in particular, the express disregard of the state of the program at the time the regulatory self-disclosure is made, may, if handled sensitively by prosecutors, help accomplish the goal of hastening information sharing since, at least theoretically, it should not matter whether remediation is fully complete at the time investigation materials are shared, if work is underway and continues through the time of resolution.
This dual-track program assessment sends several other messages to those who design and execute compliance programs, as well as to those (including boards) who oversee them, particularly given the prospect that these two assessments might yield different findings depending on whether a compliance program is found to have improved or degraded over time and what that says about a firm’s culture and commitment to avoiding misconduct.
Further, at the time of either a significant change in corporate executive leadership or a merger, acquisition, or change in ownership, executives and boards would be well served to make it a priority to test and strengthen the firm’s compliance program, lest the sins of their forebears be visited upon them in the future. Indeed, DAG Monaco implied as much in her speech.
Lastly on this point, it should be good news that companies will be compared to similarly situated peers when DOJ evaluates their history of legal and regulatory enforcement, and presumably their compliance programs. Companies should thus include regular industry benchmarking as part of compliance, control and governance programs, and should be prepared to articulate and substantiate the peer group to which they belong—not necessarily a clear choice in the increasingly integrated world of finance and technology.
Compliance Program Effectiveness Measures Emphasized—and Added
The DOJ’s previously issued June 2020 guidance on evaluating compliance programs included numerous elements, several of which have been called out for emphasis in the new memorandum. These include identification and measurement of risk, monitoring of payment and vendor systems for suspicious transactions, assurance that disciplinary decisions made within the human resources function consider compliance lapses, and evidence that senior management visibly supports and encourages compliance.
Further, the recent clarification “identifies additional metrics relevant to prosecutors’ evaluation of a corporation’s compliance program and culture”: (1) the link between the compliance program and compensation systems and (2) control of employees’ use of third party devices and applications—i.e., personal smartphones, tablets, and the growing proliferation of communication applications—when conducting corporate business, whether in the office or remote locations.
Disciplinary Action & Compensation
Despite the decades-old US Federal Sentencing Guidelines reference[1] to consideration of compliance performance in key personnel decisions, many compliance departments still struggle with both identifying and obtaining metrics that fairly reflect compliance performance, and ensuring that compliance performance measurably impacts compensation. This challenge is often exacerbated by the lack of a unified system for tracking and reporting policy violations, as well as often fragmented human resources mechanisms for tracking employee discipline. The extent to which the consequences for material policy infractions are consistently determined and applied across the enterprise, and perceived as fair by employees, is an important cultural barometer. Moreover, the ability to produce metrics on discipline buttresses the case that the corporation regularly considers employee accountability for material rule infractions. Management and boards should understand whether their company tracks and assesses compliance and regulatory-related policy infractions and disciplinary actions centrally, or leaves individual units to handle enforcement on their own, and the extent to which compliance performance is reflected in various bonus and compensation calculations.
The DOJ has underscored its belief that the ability to “claw back” compensation in the case of malfeasance is an essential ingredient in driving individual accountability. Beginning in the mid-2000s[2], many large firms instituted deferred compensation policies that provided an incentive for executive and risk-taking employees to consider longer-term risk implications—as well as a way to initiate a clawback if needed. Yet, without some of the foundational tools described above for determining individual culpability, and routinely considering those instances in which a clawback or other impact on variable compensation is appropriate, the policies risk being seen as “paper policies”. Given the DOJ’s emphasis on individual liability, directors should ask for, and regularly receive, data demonstrating that the company’s disciplinary regime and clawback policies are both adequate and consistently enforced. In companies with a clawback policy, boards should look at how it has been used over the past 10 years, and compare that with the company’s 10-year regulatory and disciplinary history.
Boards should also understand in general the extent to which there is independent second- and third-line oversight over and input into variable (bonus) compensation, as well as the correlation between compliance and control performance assessments and manager remuneration (including promotions).
Third Party Devices and Applications
It is clear that an effective compliance program must, when relevant, address sales practices, recordkeeping across communications channels, information protection, and third party oversight given the risk these activities pose. DOJ’s new instruction to prosecutors to consider, in their assessment of compliance programs, the effectiveness of “corporate policies and procedures governing the use of personal devices and third party messaging platforms to ensure that business-related electronic data and communications are preserved” adds urgency to a very contemporary compliance challenge. The DOJ’s highlighting of this issue foreshadowed the SEC’s sanctioning of 16 large broker-dealers for failures in this regard only days later.[3] Firms will be expected to have robust policies and processes to identify and monitor usage of these hard and soft technologies, as well as to provide training, and to enforce their policies and address violations when they are identified.
Enforcement History and Recidivism
In making charging decisions, the DOJ will consider enforcement matters in which the corporation was involved over the last ten years. This history should be documented, and be ready for production to the DOJ should an enforcement situation arise. As important, given the implications for future enforcement, this documented history should be appropriately considered in risk assessments conducted by compliance departments as well as by internal auditors. Ongoing testing should support the readiness of the company to demonstrate the continued effectiveness of compliance and control programs put in place to prevent the recurrence of past mistakes. Finally, the root cause analyses and lessons learned through the resolution of each situation—including the consequences to the company and individuals—should be used, as appropriate, in training and in the management of related risk situations and considered in risk assessment processes.
Footnotes
[1] See US Federal Sentencing Guidelines, www.ussc.gov.
[2] See, e.g., “Clawback Provisions for Executive Compensation,” Yuanyuan Guo and Sonja Pippin, Strategic Finance (1/1/202); but see “Why Executive Clawbacks Don’t Work,” Sanjai Bhagat and Charles M. Elson, Harvard Business Review (3/22/2021).
[3] “SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures,” SEC Press Release 2022-174 (9/27/2022).
Kathryn Reimann ’82 is a former Chief Compliance Officer, and currently is an Adjunct Professor at NYU School of Law, and a Senior Fellow in the Program on Corporate Compliance and Enforcement, as well as a corporate advisor and independent board director.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statement made on this site and will not be liable for any errors, omissions or representations. The copyright for this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).