On April 6, 2022 the SCCE hosted the second Corporate Compliance Enforcement Conference. Kicking things off for the day, and very much setting a keynote, was Kenneth A. Polite, Jr., Assistant Attorney General for the Criminal Division.
His comments were rich with insights. Writing them up fully would lead to a post far too long or this blog. Instead, below are my notes from his presentation. There was a great deal of direction to and support for compliance programs.
Please note: These are not direct quotes.
- The best outcome compliance programs can provide is preventing crime in the first place.
- The Department does not use any rigid formula to assess corporate compliance programs. They recognize that each compliance program warrants a particularized, individualized approach.
- They also understand a reasonable measure of predictability is important to us.
- They expect every effective corporate compliance program to be:
- Well designed
- Adequately resourced
- It must work in practice
- Closely examine company problem for assessing risk and if the program matches the risk profile.
- Is the company implementing policies and procedures that are aligned with the risks?
- Are they easily accessible to your people and business partners?
- Have people been trained on them, including third parties?
- Want to see the training program. Also want to see what steps are being taking to address high risk areas.
- Want to see if there is a process for reporting violations that encourages employees to speak up without fear of retaliation and that allegations are taken seriously and investigated and documented.
- The program needs to be adequately resourced.
- Want to know more than just the dollars, headcounts and reporting lines. Want to review qualifications and expertise of key compliance people. Is there adequate engagement with the board of directors?
- Want to know if compliance has adequate stature within the company and is promoted as a resource.
- Are front-line employees being trained based on specific roles and risk profile?
- Want to see result of employee surveys and focus groups. Do employees fear retaliation?
- Are managers held accountable in same way as employees?
- In post resolution want to make sure employees are aware of misconduct and their role in remediation.
- They want to know if the compliance program is working in practice
- Is the compliance program identifying deficiencies to self-correct?
- Is the company promoting an ethical culture?
- They want success stories like transactions rejected because of compliance risks.
- Positive ethical decisions.
- Partnerships between compliance and business functions.
- Also, how company responded to prior misconduct.
- Companies set themselves apart when can show they can independently monitor the compliance program and improve it.
- DOJ is using data analytics to combat criminal schemes. Urge you to consider the same data analytics tools to monitor compliance within your own operations.
- You should be using data to continuously improve culture.
- Want to see evidence of ethical culture in action. Are you providing ethical advice to salesforce, even if means loss of business?
- When communicating with prosecutors it’s important to demonstrate how your program has been updated to address the root causes of the misconduct and is being updated to address the next challenge.
- Don’t want to hear a check the box presentation from outside counsel. Really want to hear about the actual program in operation. Don’t see enough of chief compliance officers making that presentation and demonstrating knowledge and leadership of the compliance program. Being in the room demonstrates that they are empowered to act. Want other senior management to speak where appropriate to demonstrate their commitment to compliance.
- Can expect independent monitors when appropriate to satisfy the DOJ’s desire to ensure company will live up to its obligations. Believe monitorships are important and valuable. They can also be allies in helping create lasting change.
- The DOJ encourages a company, when presenting nominated monitors, to be sure that they are experienced and come from diverse backgrounds and experiences.
- The DOJ acknowledges that monitors are not appropriate in every case.
- Where company has invested in a concerted effort from top down in a strong compliance program, and when company can show controls are affective, and company has cultivated strong culture of ethics and compliance, may not need monitor.
- Investing in compliance expertise in prosecutors. He is not the only former chief compliance officer within the department.
- When a monitor is not necessary it does not mean the company is done testing and improving its program. Still required to comply with ongoing obligations and report to Department. DOJ will continue to assess progress to see that at the end of the term of the resolution program that company has effective, sustainable program to prevent and detect misconduct.
- More holding companies accountable for failing to meet their obligations under those agreements.
- Companies that commit to improving their compliance programs and internal controls will reap the benefits from the Department.
- Compliance should have true independence, authority and stature within the company.
- He has asked the criminal division team to require that the chief compliance officer and CEO certify at the end of the agreement that the program is reasonably able to prevent and detect violations of law. Not punitive but a new tool to use that can help compliance programs, he believes. Makes clear that must have appropriate stature in corporate decision making and company has a compliance-focused environment.
- At the end of the day the interest of the Department and compliance teams to root out corporate crime are the same. Effective lasting change driven by preventing misconduct in the first place is the aim.