Financial institutions shouldn’t gamble when it comes to strengthening their compliance programs.

Don’t Gamble With Compliance – The House Always Wins

Radar spoke with regulatory experts to explore the U.S. Department of Justice’s new guidelines on compliance programs, determining that they need to be strengthened systematically in order to be more flexible and robust than ever before.

How fast is your corporate compliance program evolving? This is exactly what the new United States Department of Justice (DOJ) guidance on the Evaluation of Corporate Compliance Programs wants to know. 

Federal prosecutors are now no longer measuring compliance systems based solely on their effectiveness, but on whether the program actively evaluates itself and continuously improves based on relevant new information and changing risks. 

Punishments for Allowing the Quality of Compliance Programs to Slide Are Severe

In November 2019, Tower Research Capital LLC, a New York-based financial services firm, paid US$67.4 million in criminal monetary penalties, criminal disgorgement, and victim compensation, to resolve unlawful trading charges following a DOJ investigation.

Tower must now review its internal controls and policies and procedures, and modify its compliance program to ensure that it is designed to deter and detect violations of the Commodity Exchange Act and commodities fraud statute. Failure to do so could result in even tougher penalties being handed down at a later stage, prosecutors said.

The new guidance is referred to colloquially as the “House Rules” in corporate law enforcement, as those enterprises that gamble with their compliance approach are almost certain to “go bust” if they fail to understand how this particular casino works.

The latest change came in June this year when the DOJ’s criminal division revised the guidance for the first time since April 2019 in response to “some important topics and sample questions that the Fraud Section has frequently found relevant” when evaluating a firm’s existing compliance regime.

“Although the update did not fundamentally alter the structure of the guidance, the revisions directly impact how companies should assess and monitor their compliance programs,” said Charles Duross, partner at law firm Morrison & Foerster. 

“Specifically, companies should note the update’s emphasis on greater dynamism in corporate compliance programs.”

The move provides a clear insight into how the DOJ views the changing corporate compliance landscape, experts said. Of particular relevance is the use of data analytics, incorporating any lessons learned into compliance programs, analyzing the effectiveness of training programs, and the accessibility of compliance policies and procedures. There is also more focus on integrating acquired entities into a company’s compliance systems, which must be adequately resourced and empowered to function effectively. There is no leniency for a parent company arguing that a recently acquired business has a different compliance culture to its new owner. It places more emphasis on robust due diligence pre-acquisition.

“As with the prior versions, the revised guidance is another example of the DOJ’s efforts to be more transparent in its expectations for corporate compliance programs and its responsiveness to the experiences and concerns of the business community,” said Duross.

What are the “House Rules”?

The Evaluation of Corporate Compliance Programs is official DOJ guidance, and while not mandatory, it is used by federal prosecutors to advise and direct investigations, as well as prosecution decisions. Prosecutors use the guidance to help assess whether a corporation has an effective compliance program. This is then a central factor in deciding whether to:

  • Conduct an investigation
  • Bring criminal charges
  • Negotiate a plea or other corporate resolution

In addition, the evaluation occurs “both at the time of the offense and at the time of the charging decision and resolution.” This assessment is critical under the United States Sentencing Guidelines and is a consideration when calculating any appropriate organizational sentence and criminal fine.

“A company with a compliance program that fails to address concerns identified in the guidance will be at higher risk of government involvement and potential sanction, and will not receive the full benefits available under the guidance or the sentencing guidelines,” said Colin Jennings, partner at law firm Squire Patton Boggs. 

The revised guidance states prosecutors are required to make:

“..a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”

To do so, prosecutors will ask three fundamental questions when evaluating a corporate compliance program:

  • Is it well-designed?
  • Is it being applied earnestly and in good faith? Or in other words, is the program adequately resourced and empowered to function effectively?
  • Does it actually work in practice?

The second question has been updated from the previous edition, which only asked “is it implemented effectively?”, said Jennings. 

“This change reflects the broader theme of the update, which is that prosecutors should not only look to whether a compliance program is implemented properly, but rather if the compliance program can adapt and respond to concerns, challenges, and new information that arises,” added Jennings.

It also provides advice on sensitive issues, such as employee training, testing, third-party relationships, and the impact of mergers and acquisitions on any compliance program.

Compliance training is evaluated on the basis of “whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject-matter expertise.” 

Specifically, prosecutors want training sessions where employees can ask questions and will look at whether the company has “evaluated the extent to which the training has an impact on employee behavior or operations.” 

Employee reporting and whistleblowing mechanisms, if they exist, are to be assessed along with their accuracy in capturing employee concerns. Prosecutors will not only look at whether a hotline works, but also at how comfortable employees are in using these channels, how the company uses the information reported, and if the hotline is periodically tested. 

“Simply having a hotline or reporting system without fully appreciating and maintaining it will raise red flags under this new guidance,” said Jennings.

The update also asks prosecutors to determine whether compliance and control personnel have sufficient access to sources of data that allow for timely and effective compliance. In particular, prosecutors are to find and evaluate any roadblocks that limit access to relevant sources of data and, if so, what the company is doing to address them. 

It won’t be enough to have policies and procedures accessible when requested. It is also a requirement to have them “published in a searchable format for easy reference”. The updated guidance reflects the DOJ’s belief that a proper compliance program will have free access to data, including policies and procedures, that can be easily referenced by compliance employees.

“At first blush, the guidance may appear to have the most practical application for companies already sitting at the DOJ’s table playing the cards they have been dealt,” said Alex Major, partner at McCarter & English law firm in Washington, D.C. 

“However, for the strategic company, playing three to four moves ahead and wishing to keep the money they walked in with, the guidance provides a way to increase the odds and lessen the risk if you find yourself in an ill-fated staredown with a stone-cold dealer. While the themes of gambling and compliance make it easy to craft an allegorical structure, compliance is not a game and should never be a gamble.”

 

For more stories, download the full edition of Radar 9 here.