Heightened Regulation of Corporate Compliance Programs | New York Law Journal – Law.com


Philip M. Berkowitz

In the post-#MeToo era, employers’ responses to internal complaints of wrongdoing are under increased scrutiny from every possible direction. This includes shareholders, consumers, the media, and, perhaps most important, government and regulatory authorities.

Seven short months ago, in January 2019, financial services employers woke up to learn of a new whistleblower program directive issued by the New York State Department of Financial Services (DFS). This set off an urgent scramble among New York-based banks, insurance companies, and other entities regulated by the DFS, to assure that their internal policies meet these new standards.

Not to be outdone, in April of this year, the U.S. Department of Justice Criminal Division issued an “updated” Evaluation of Corporate Compliance Programs Guidance. This document is for the benefit of prosecutors who are trying to determine the appropriate resolution, prosecution, monetary penalty, and compliance obligations contained in any corporate criminal resolution, such as a monitorship or reporting obligations. The document identifies 12 subcategories of consideration and areas of analysis for making this determination.

For legal, human resources, and compliance counsel and professionals pelted by this hailstorm of directives, this all may harken back to the mother of all these guidelines and regulations: the U.S. Organizational Sentencing Guidelines, issued in 1991 by the U.S. Sentencing Commission, an independent agency of the Judicial Branch.

The Organizational Sentencing Guidelines, many of you will know, are designed to help judges determine, when imposing sentence on an organization convicted of criminal conduct, whether it has in place “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

So, the courts, the DOJ, and regulatory bodies provide guidance on developing corporate compliance, whistleblower reporting, and internal investigation programs, to no fewer than three audiences: to the organization itself, to prosecutors who may make recommendations in determining an appropriate recommended sentence, and to sentencing judges.

There is, as to be expected, no small overlap in these three guidances, but the more recent directives put particular emphasis on whistleblower anonymity, a consideration that has taken on new importance in the #MeToo era. We review these here.

DOJ Guidance: Three Key Questions

The DOJ’s April 2019 Guidance emphasizes that there are nevertheless three main questions for prosecutors to consider during a criminal investigation: (1) Was there a well-designed compliance program; (2) was the compliance program effectively implemented; and (3) did the compliance program work as intended.

In determining whether the program is well-designed, prosecutors are directed to consider whether the company has undertaken an accurate and thorough risk assessment. They are advised to consider whether corporations use appropriate methodology to identify and detect risks that are likely to occur in their particular industry or business, and to look for appropriate resource allocation based on the levels of risk and whether the risks were periodically reviewed and updated.

Prosecutors also assess whether policies, training and communication are sufficiently robust to encourage a culture of compliance and responsibility. The company’s reporting process should emphasize disclosure of suspected misconduct and dissuade any fear of retaliation. There is also an emphasis on confidential reporting options. Qualified intake personnel must be in place to assess which complaints merit action, and to assure that any further steps are properly “scoped” to determine whether to carry out a larger investigation.

Third parties—agents, consultants, distributors and the like—may add to risk, and thus must be included in a thorough risk assessment to understand where added dangers may lurk. Similarly, during a merger or acquisition process, corporations must undertake due diligence to uncover any corruption or misconduct within the target company.

Effective implementation of the compliance program is also key for satisfaction of the DOJ guidance. Prosecutors are instructed to investigate whether a compliance program is a “paper program” only or whether it is appropriately implemented and staffed. Upper and middle management should set the appropriate tone. Prosecutors will review communications, training, reinforcement and oversight (by individuals with appropriate expertise) of compliance policies to see whether leadership has encouraged appropriate compliance with their words and actions.

The compliance program must also have appropriate staff, seniority, autonomy, and funding, and the company must provide evidence that incentives and disciplinary methods are consistently applied in order to drive reporting and dissuade wrongdoing.

Finally, the DOJ examines the practicality of the compliance program to ensure that it functions as intended. Misconduct alone does not prove that corporate compliance measures were insufficient. Prosecutors will look for continuous testing, improvement, and review of the program. They will examine the analysis, remediation and mitigation of any discovered misconduct, such as carrying out internal audits and updates or enhancements to the program, as well as recognition of the seriousness of any misconduct, an acceptance of responsibility, and the implementation of changes that should reduce the risk of another failure.

It is worth emphasizing, in summary, that the DOJ Guidance emphasizes three areas of particular weight and focus: (1) the importance of an anonymous reporting process and well-designed investigation process; (2) effective oversight and management of third parties; and (3) comprehensive vetting of an acquisition target.

DFS Guidance

The DFS’s “ten pillars,” again, overlap to some degree with the DOJ Guidance. They, too, emphasize the need to have in place reporting channels that are independent, well-publicized, easy to access, and consistent. In the #MeToo era, they emphasize the need to provide strong protections for a whistleblower’s anonymity.

The Guidance requires that the employer have in place established procedures for identifying and managing potential conflicts of interest, and that staff members are adequately trained to receive whistleblowing complaints, determine a course of action, and competently manager any investigation, referral, or escalation.

Further, the Guidance demands that employers establish procedures for investigating allegations of wrongdoing, ensuring appropriate follow-up to valid complaints, protecting whistleblowers from retaliation, and providing confidential treatment of these complaints.

The DFS Guidance recommends, as well, that regulated employers give appropriate oversight of the whistleblowing function to senior management, internal and external auditors, and the Board of Directors. Perhaps most important, the Guidance demands that the employer have in place a top-down culture of support for the whistleblowing function.

Organizational Sentencing Guidelines

The Guidelines provide in sentencing an organization convicted of criminal conduct, a court must consider whether it has in place an effective compliance and ethics program. See USSG Ch.8. The organization must exercise due diligence to prevent and detect criminal conduct, and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. Id. §8B2.1.

Minimally, the program must include procedures that are consistent with the following:

(1) The organization must establish standards and procedures to prevent and detect criminal conduct.

(2) The organization’s governing authority (such as its Board of Directors) must be knowledgeable about the content and operation of the compliance and ethics program and exercise reasonable oversight with respect to its implementation and effectiveness. High-level personnel must ensure that the organization has an effective compliance and ethics program. Specific individual(s) within high-level personnel must be assigned overall responsibility for it.

Specific individual(s) must also be delegated day-to-day operational responsibility for the program. They must report periodically to high-level personnel and, as appropriate, to the governing authority, on the effectiveness of the program. They must have adequate resources, authority, and direct access to the governing authority or an appropriate subgroup.

(3) The organization must use reasonable efforts not to include in this process any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective program.

(4) The organization must conduct effective training programs and otherwise disseminate information appropriate to such individuals’ respective roles and responsibilities.

(5) The organization must take reasonable steps to ensure that the compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and to have and publicize a system whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

(6) The program must be promoted and enforced consistently through appropriate incentives to perform in accordance with the program; and appropriate disciplinary measures for criminal conduct and failing to take reasonable steps to prevent or detect criminal conduct.

(7) After criminal conduct has been detected, the organization respond appropriately to the conduct and to prevent further similar conduct, including making necessary modifications to the organization’s compliance and ethics program. In doing so, the organization must periodically assess the risk of criminal conduct and design, implement, or modify each requirement, in order to reduce the risk of such conduct.

Conclusion

In the current regulatory environment, employers must anticipate that more, not less, government and regulatory authorities will impose increasingly scrupulous obligations to ensure the existence of rules and procedures safeguarding the rights of whistleblowers and assuring that employers promote lawful, ethical conduct, while screening for unlawful conduct.

Policies must not only echo these guidelines—they must include practical and pragmatic procedures that reflect a fully compliant workplace culture, and hence help shield the employer from potential liability.

Philip M. Berkowitz is a shareholder of Littler Mendelson and co-chair of the firm’s U.S. international employment law and financial services practices.