In June 2020, the Department of Justice (DOJ) intensified its emphasis on rooting out corporate crime with the Criminal Division’s updated guidance for the “Evaluation of Corporate Compliance Programs.” This acceleration was motivated by several factors, including heightened national security implications of misconduct and the criminal exploitation of emerging technologies and digital financial innovations.
Since then, the department has pursued a two-pronged approach: encouraging the development of a strong corporate compliance culture while also instituting forceful measures that would hold individuals and companies responsible for transgressions. Failure to hold individuals accountable or invest in robust compliance programs would result in harsh penalties. Strong compliance programs would receive a more lenient response, noncriminal resolutions and lower fines.
DOJ Warns Companies on Culture
In the first address detailing DOJ’s new posture, Deputy Attorney General Lisa Monaco spoke with prosecutors in the fall of 2021 to guide them on making charging decisions. She stressed the critical importance of a strong compliance culture and the harsh response the DOJ would have to “a corporate culture that fails to hold individuals accountable, or fails to invest in compliance, or worse, that thumbs its nose at compliance.” Her immediate actions emphasized individual accountability for transgressions and included a reinstitution of monitorship at DOJ’s discretion. She added that all prior misconduct would be evaluated when making charging decisions, including tax, antitrust, and sanctions violations.
The DOJ’s revised priorities underscored prosecutorial freedom to pursue any case regardless of difficulty and provided enhanced resources. A new Corporate Crime Advisory Group was appointed to oversee all new initiatives, develop benchmarks measuring successful cooperation, and recommend resources for enforcement.
Company Responsibilities and CCO Authority
Recently, Assistant Attorney General, Criminal Division, Kenneth Polite Jr. filled in guidance to companies, underscoring the three criteria that will be used to evaluate compliance programs. Company programs should be:
- Well-designed in good faith: The program is not a “one-size-fits-all” paper program, but focuses on a company’s particular operating infrastructure and risk profile. High-risk elements are addressed, including third-party relationships. Policies are easily accessible, searchable, and understandable. Employees are trained and able to report violations without fear of retaliation.
- Adequately resourced: The program is not only adequately funded, but compliance officers are given access to and engage with all business functions, management, and board of directors. Compliance has stature within the organization and is promoted as a resource.
- Works in practice: The program is integrated into day-to-day operations. It is a dynamic iterative process that changes with risks, tests effectiveness, and identifies compliance gaps. It effectively disciplines bad behavior and rewards good behavior, and documents response to misconduct.
Polite expressed concern that many corporate compliance officers have been challenged by lack of access to data, resources, and decision-making while also charged with being enforcers of policy and architects of ethical culture. He emphasized that the CCO role must be elevated to a position with independence and stature. CCOs must have the authority to enforce individual accountability with access to systems that detect, remediate, and discipline violations. To ensure this role, the DOJ armed CCOs with the responsibility to certify that compliance programs are reasonably designed and implemented to help detect and prevent violations.
The Significance of the DOJ Announcements
The message to companies is quite clear: invest resources to anticipate problems or pay millions, possibly billions to resolve them. If violations are discovered, an organization with a strong compliance program can expect to receive a more lenient response from the DOJ, with noncriminal resolutions or lower penalties. A company may not be monitored if it demonstrates a concerted commitment from the C-suite down, ensures that controls are effective, updates compliance programs to adapt to risks, and cultivates an ethical culture of compliance.
In practice, companies must demonstrate their commitment to CCOs and compliance personnel by granting them resources, autonomy, and access to decision-makers. To deter misconduct, a company must actively monitor and review compliance programs. This ensures they adequately detect and remediate bad behavior. Data analytic tools should be used to monitor compliance with laws and policies, measure and test ethical culture, and use the information to continuously improve it.
Fundamentally, companies must demonstrate corporate responsibility. The DOJ will review an organization’s complete record of violations, criminal, civil, and regulatory. Individual accountability must be enforced by identifying all individuals involved in misconduct and producing all non-privileged information about their involvement.
Per the AAG Kenneth Polite Jr., “off-the-shelf” solutions will not be adequate to demonstrate compliance. Find out how SAI360 Advisory Services can work with your compliance team to develop the best solutions for your organization. Request a demo to learn more about:
- Training and Needs Assessment
- Code of Conduct Refresh and Rewrite
- Code of Conduct Interactive Microsites
- Policy Review
- Leader Led Discussion Kits
- Program Assessment
- Culture Assessment