While the CFTC recently published guidance on how an investigation is managed, DCM believes the Department of Justice's updated guidelines to prosecutors on evaluating a corporate compliance program, published two weeks ago, are more critical to compliance operations. The DOJ guidance speaks to what DOJ expects a firm to be doing when it considers acting against that firm. What does that mean?
This is the document that is supposed to inform a prosecutor in a criminal case as to how the review of a company's compliance program should impact the "charging decision or resolution" as to whether the company is to be charged with a crime, a plea deal is to be agreed to, or sentencing for a crime. Let's unpack this - as a consultant, I note that this could mean the level of a compliance program could impact whether a company is even charged for a crime. So, a compliance program that meets the guidance could not just reduce my sentence but has at least the potential to keep me out of court. That sounds like a reputational risk win right there.
This guidance is a significant expansion of the prior guidance – from 9 to 19 pages. It does follow basically the same structure as prior guidance but with a lot of new pieces. It also shifts away from a foundation of what did the company do to find underlying misconduct in a specific instance to whether the compliance program as a whole is well founded.
The new guidance has fundamentally altered the structure of the guidance from the original edition. The prior guidance had a single introduction and then listed eleven topics. The new guidance asks three basic questions:
In general, the guidance now stresses that "policies and procedures – from appropriate assignments of responsibility, to training programs, to systems of incentives and discipline – that ensure the compliance program is (sic) well-integrated into the company’s operations and workforce." The prior guidance spoke to whether there were “applicable procedures to prohibit the misconduct” – this was focused on whether there was a procedure to prohibit the misconduct being looked at, not a systemic view of the program. This really means that:
The DOJ has grouped six sections from the prior guidance under this specific area and has now done a fairly deep dive into how effective and current the company's assessment of compliance risk is. It has retained six specific areas of focus on program design but has shifted some of the operational impacts:
The guidance is looking for regular updates of the risk assessment and then the ability to track changes in the risk assessment to changes in policies and procedures - many companies have very tenuous documentation of the connection between updated compliance risk assessments and the policies and procedures that are adjusted due to that assessment and why. The guidance also points to metrics – both in tracking misconduct and how it loops back to inform the compliance program.
Policies and Procedures
The guidance conforms to fairly standard industry practices for code of conduct, tone from the top, and comprehensiveness. A couple points are worth noting:
Every company has some training program. However, the guidance raises new points that are not always included in a company's program. These include:
The guidance addresses internal communication of compliance issues by employees. This section actually speaks to the issues most commonly being addressed by larger firms. Specific new points are:
The guidance has already brought bribery and corruption issues into compliance programs here. Much of the content is similar. The new guidance does amplify a couple topics:
The specific points addressed in the guidance did not change from the prior guidance. There is an introductory statement that does include the caution that
“Flawed or incomplete due diligence can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.
The extent to which a company subjects its acquisition targets to appropriate scrutiny is indicative of whether its compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization.”
The guidance has grouped three areas in the section regarding earnest and good faith implementation:
“Even a well-designed compliance program may be unsuccessful in practice if implementation is lax or ineffective. Prosecutors are instructed to probe specifically whether a compliance program is a ‘paper program’ or one ‘implemented, reviewed, and revised, as appropriate, in an effective manner.’”
There is a new discussion to head this section – all addressing the need for tone from the top and leadership for compliance to be effective.
This is an area where the focus of the guidance shifted significantly between the original guidance and the new guidance. The original guidance spoke to the compliance role in terms of operational activities, their stature (titles, compensation, reporting lines), and funding and resources. Those topics still appear, but there is a new focus on the role of compliance at the management level – engagement of compliance at a strategic level. There are questions concerning compliance's input on transactions or deals and whether it has been responded to, up to and including having transactions or deals stopped by compliance.
The prior guidance focused primarily on whether the incentives and compensation incentivized bad behavior – the new guidance expands that focus to include looking at whether the incentive structure incentivizes ethical behavior (not always easy to effectuate).
The prior guidance also focused on the specific misconduct being examined and the follow through for that instance. The new guidance focuses more on the process itself – is it consistent, has the company looked to identify instances where the process is applied inconsistently.
The new guidance calls this area “a hallmark of an effective implementation”. It even notes “Some companies have even made compliance a significant metric for management bonuses and/or have made working on compliance a means of career advancement.”
“Does the Corporation’s Compliance Program Work in Practice?”
The discussion in the guidance here is very interesting as it incorporates two very different concepts. First, was the program working effectively at the time misconduct occurred? Second, is the program now working effectively at the time the prosecutor is considering bringing charges or proffering a sentencing recommendation? This indicates that a company’s response between the time an investigation opens and charges or a sentence are considered can have a major impact. That was not discussed in the prior guidance.
The focus is in the first line of the discussion here – “One hallmark of an effective compliance program is its capacity to improve and evolve.” This is not always the case and can be a significant burden to smaller organizations. If a small firm has a one- or two-person compliance function, how does this process get managed and effectuated?
This is a completely new section in this guidance. It does capture a portion of a section called “Analysis and Remediation of Underlying Misconduct” from the prior guidance – that section has been retained in the guidance - but it has a broader coverage and focus. The prior section focused on whether root and systemic causes of the misconduct were examined, whether there were prior indications of issues, and what remediation occurred – all actions focused on the specific event.
The new guidance focuses on the investigations process – is there a “well-functioning and appropriately funded mechanism”? This speaks to an ongoing process with dedicated resources. This is not likely to occur in many smaller entities. Therefore, the real question is what would evidence an appropriate mechanism for investigations? The guidance may offer more options here:
This section has been retained from the prior guidance though, as noted above, a section was moved to Investigations. It has also incorporated the “Operational Integration” section from the prior guidance. The discussion for this section focuses on whether there is a pattern of misconduct within the organization that would indicate the company has not worked to eliminate underlying causes or compliance system weaknesses that encourage misconduct. Much of the content is directly from the prior guidance.
DCM LLC provides ongoing blog posts on regulatory and compliance issues and can provide a full suite of trade surveillance and compliance services, as well as strategic and commercial services, to the commodity trading marketplace. Please see us at www.sourcingcommodity.com.