DOJ & CFTC Regulatory Guidance on Corporate Compliance: Where do we go from here?
In June 2020, the Department of Justice (DOJ) released its 2020 guidance on corporate compliance. Entitled “Evaluation of Corporate Compliance Programs,” this 20-page document relies on three fundamental questions in assessing a compliance program’s effectiveness:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
Then in September 2020, the Commodity Futures Trading Commission (CFTC) issued its 2020 guidance. Although its guidance is considerably shorter than the DOJ’s (only three pages long), the CFTC has taken a more generalized, non-granular approach, providing a framework for discussions about corporate compliance and the agency’s staff.
These latest guidelines support the continuing evolution of the Federal Sentencing Guidelines for Organizations (FSGO), a set of standards that govern the sentences imposed on companies convicted of federal crimes. Established in 1991, and significantly amended in 2004, 2010 and 2017, the FSGO underscore the foundational requirement that companies self-police, especially when it comes to compliance and ethics. The latest set of guidelines further buttresses that expectation.
So, what’s the main takeaway?
Bottom line: your corporate compliance program needs to be actively monitored and assessed. Ideally, it should evolve as your business evolves.
If you ever have an infraction or are in violation, you will need to answer the central questions of “How does your compliance program work?” and “Who’s monitoring that program within your organization?” The writing is on the wall and laid out clearly in both documents — corporate compliance programs can no longer exist in name only.
What the DOJ says
Analyzing the changes between the DOJ’s 2020 guidance and its 2019 guidance, Bloomberg Law’s Patty Tehrani found that certain terms showed up more frequently in the most recent version. “I flagged a few examples (or variations of them) to highlight this point. For example, access, data, resources, and time.” Emphasis on these terms seems reflective of the current pandemic world we are all doing business in for the foreseeable future.
Checklists have been replaced by measures of real effectiveness. Companies will need to be prepared to provide the results of what their compliance program is actually accomplishing.
In addition, question two of the DOJ’s three fundamental questions for assessing effectiveness has been revised to include: “In other words, is the program adequately resourced and empowered to function effectively?” This is a key clarification, which also appears in the CFTC’s guidance.
What the CFTC says
According to the CFTC, “the chief goals of a compliance program should be to prevent, detect, and correct misconduct.” In the memo released in September, which will be part of the agency’s enforcement manual, the staff is instructed to consider a number of factors when evaluating whether a company had an adequate compliance program before a possible infraction and whether it took steps to mitigate or fix the problem after it occurred. CFTC staff are now prompted to ask companies whether they have devoted adequate resources to preventing infractions and whether their compliance functions are sufficiently independent.
“It’s making clear the expectation that industry and market participants should operate in a certain way and have clear and robust systems and controls,” says Anne Termine, a lawyer at Covington & Burling LLP and former chief trial attorney for the CFTC, in a recent article for The Wall Street Journal.
A must-have: Adequate resources and robust controls
Both sets of guidance make the case for constant thought and investment in your compliance program as there will be higher expectations put on a company’s best practices and benchmarks. And both advocate emphasis on remediation and the steps your organization is taking to fix the underlying problems that led to the infraction.
In law, there’s a concept of “reasonable person” where a person who takes the appropriate amount of caution and sensible steps is less likely to be found negligent. In risk, this is the framework on which regulatory expectations are based. Companies have an affirmative duty to continually scrutinize what they’re doing in terms of their peers and the likelihood of impact on the organization.
What are the key takeaways?
There are several similarities in both agencies’ guidance that your organization should be aware of:
- The “WHY” behind your compliance program
Prosecutors will want more details regarding certain decisions: why your company has designed the compliance program the way it has, and how that program has evolved over time.
- An individualized approach
The DOJ will assess the effectiveness of a compliance program in consideration of a “reasonable individualized” determination which will take into account factors like the company’s size, industry, geographic footprint, regulatory landscape, etc. There is no model or formula for assessing the effectiveness of compliance programs.
- Proactive is better than reactive
Maintenance and assessment measures are key, along with consistent monitoring and evaluation. Compliance program managers will have the affirmative duty to continually scrutinize not only what their company’s doing but also what other companies in their industry are doing.
- Data, data and more data
Data takes center stage as a critical factor in maintaining compliance programs. The DOJ has increased its focus on the use of and access to data, a focus that is not likely to abate as many employees continue to work remotely.
Where are the trends heading?
Regulatory expectations follow social expectations. To get a glimpse of what’s to come, look no further than the social forces converging around corporate citizenship in the broader sense, such as climate change, environmental issues, social justice, and the way people treat other people.
Regulatory enforcement is a slow-moving behemoth. Social pressure moves much faster. Regulatory enforcement is always a laggard. That’s why doing the right thing and stepping up to societal standards will be crucial. Organizations need to be cognizant of the detail in regulatory requirements but keep an eye on the bigger picture. How do your customers, clients, and vendors view you? How do your employees and contractors view you? Compliance failures can prove costly as you’re likely to be convicted in the court of public opinion long before a court of law.
Build a better compliance program with SAI360
Due to these enhanced regulatory expectations and the ever-changing world of societal norms, it’s imperative to work with a partner who is laser-focused on your emerging needs and these emerging trends. Companies need a robust program with built-in flexibility, a variety of optimized resources, and an extensive diagnostic toolbox.
SAI360 helps those in charge of compliance programs proactively manage risk and compliance to create trust and achieve business excellence, growth, and sustainability for their organizations.
Let us help you and your organization build a robust and properly resourced compliance program, one that provides access, continually monitors data and evolves as your company and industry evolve. The organizations that are better resourced and armed with scalable solutions will have a natural advantage because they will have the organizational agility to respond, build and grow.