Weak Compliance Programs Won’t Protect You from Criminal Misconduct

The Department of Justice’s (DOJ’s) Criminal Division has now hired “Compliance Counsel” but the Department has no plans to move towards making a formal compliance defense available to those charged with regulatory violations.  Assistant Attorney General Caldwell also noted that “[t]he quality and effectiveness of a compliance program is also an important factor that prosecutors consider in determining whether to bring charges against a business entity that has engaged in some form of criminal conduct.”  Ms. Caldwell went on to caution  against mere “window dressing” and “paper programs,” encouraging companies to opt for fostering a corporate culture that actually, actively and visibly supports compliance if they want the DOJ to view their efforts favorably when misconduct occurs.

The Assistant Attorney General specifically listed the following questions that the DOJ will ask when evaluating a particular company’s program – these are good questions to evaluate your own compliance program and perhaps encourage some year-end updates:

  • Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
  • Do the people who are responsible for compliance have stature within the company?
  • Do compliance teams get adequate funding and access to necessary resources?  (Of course, we won’t expect that a smaller company has the same compliance resources as a Fortune-50 company.)
  • Are the institution’s compliance policies clear and in writing, easily understood by employees, and translated into languages spoken by employees when necessary?
  • Does the institution ensure that its compliance policies are effectively communicated to all employees?
  • Are its written policies easy for employees to find?
  • Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?
  • Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances?  (This is especially important if a U.S.-based entity acquires or merges with another business, especially a foreign one.)
  • Are there mechanisms to enforce compliance policies?  (Including both those that incentivizing good compliance and those that disciplining violations.)
  • Is discipline even handed? (The department does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated, but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences.)
  • Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance? (This means more than including boilerplate language in a contract.  It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies, regardless of geographical location.)

The message from the DOJ is clear: formal compliance defense or not, in this day and age your compliance program cannot have “what appear to be good structures on paper, but fail in practice to devote adequate resources and management attention to compliance.”  Thus, a specially tailored and sufficiently funded compliance program that is zealously implemented has the potential to not only prevent misconduct, but mitigate penalties when violations do occur.