New Compliance Counsel Will Assess Effectiveness of Corporate Compliance Programs
Last week the U.S. Department of Justice (DOJ) revealed it is hiring a compliance counsel to assist DOJ prosecutors in assessing the effectiveness of companies’ corporate compliance programs. According to news accounts of an interview of Andrew Weissman, the Criminal Division’s Fraud Section Chief, a yet-to-be-named former prosecutor was offered the position. Weissman noted that the candidate comes from the private sector, has worked in the health care, financial, and technology industries, and has prior experience building compliance programs.1 The announcement of this new hire underscores the fact that DOJ is placing significant and increased importance on the effectiveness of corporate compliance programs when assessing whether or not to charge corporations for failing to detect or prevent criminal wrongdoing by their employees. Also noteworthy is Weissman’s announcement that the Fraud Section will be looking particularly closely at compliance programs in the health care area.2
In the May posting for the “Compliance Counsel” position, the DOJ said it was looking for “highly qualified compliance personnel to provide unique expertise in all compliance related issues allowing the Fraud [S]ection to better evaluate company remediation efforts.” The “Statement of Work” indicated the compliance counsel’s tasks would include:
- “Tak[ing] the lead in establishing metrics for the Fraud Section attorneys to assess corporate remediation efforts . . .
- Serv[ing] as the Fraud Section compliance subject matter expert (SME) in potential litigation or dispute involving the Government in any trial, hearing, or proceeding before any court, administrative tribunal, or agency . . .
- …[E]valuating whether a corporate compliance program is effective and reasonable, or a mere paper program . . .
- … [B]enchmark[ing] with compliance officers in various industries in order to establish up to date metrics that reflect the realities of compliance in the multitude of industries in which the corporate actors who appear before the Fraud Section function.
- …[W]ork[ing] with DOJ monitors appointed in Fraud Section cases to establish and assess ongoing remediation efforts.”3
According to Weissman, the new compliance counsel will help prosecutors “differentiate the companies that get it and are trying to implement a good compliance program from the people who have a near-paper program.” Weissman went on to state that the DOJ would “like to make sure we hold companies to a tough but realistic standard.”4 The DOJ expects the new compliance counsel to “take the lead in meeting with organizations that seek to establish successful remediation programs.”5 As a result of this new hire, companies need to be prepared to answer hard, pointed questions about the effectiveness and scope of their corporate compliance programs.
It is, of course, no surprise the DOJ considers the effectiveness of corporate compliance programs in both its charging and sentencing decisions for organizations. The Principles of Federal Prosecution of Business Organizations expressly directs prosecutors to consider “the existence and effectiveness of the corporation’s pre-existing compliance program” in deciding whether to charge a corporation with a crime.6 While the new compliance counsel will not be limited to working on investigations of the Foreign Corrupt Practices Act (“FCPA”), A Resource Guide to the U.S. Foreign Corrupt Practices Act, published by the DOJ and Securities and Exchange Commission in 2012 to provide helpful information about the FCPA, its provisions, and enforcement, contains an entire section on the “Hallmarks of Effective Compliance Programs.”7 In the health care and life sciences area, the U.S. Department of Health & Human Services Office of Inspector General (OIG) has developed a series of compliance program guidance directed toward the health care industry which should be taken very seriously given the new and increased focus on this industry.8 OIG also publishes its Corporate Integrity Agreements, which provide insights into the government’s current expectations about compliance program activities.9 Lastly, the United States Sentencing Commission’s Guidelines Manual expressly mentions the “existence of an effective compliance and ethics program” as one of the two factors that can mitigate the punishment of an organization.10
Recently, the DOJ has signaled an even greater focus on corporate compliance programs when deciding whether to charge companies for criminal wrongdoing. Last October, Marshal Miller, the Principal Deputy Assistant Attorney General for the Criminal Division at the time, noted that the “existence of an effective compliance program can make all the difference when a corporation is in the Justice Department’s sights.”11 Then again in May, Assistant Attorney General Leslie Caldwell stated that the “lack or insufficiency of a compliance program can have real consequences for a company when a violation of law is discovered.”12 The DOJ’s recent hire of a compliance expert reinforces a discernible trend in the DOJ’s high expectations that companies have demonstrably effective and comprehensive compliance programs.
In public statements, the DOJ has cited to BNP Paribas as an example of what happens when a company has a “poor compliance policy.” Between 2004 and 2012, BNP Paribas employees moved over $8.8 billion through the U.S. financial system in violation of U.S. economic sanctions. The criminal conduct occurred despite the presence of the company’s compliance program and repeated warnings by company compliance officers. As noted by the DOJ, BNP
Paribas’ “willful and pervasive compliance failures cost the company a parent-level guilty plea and record-breaking criminal penalties of $8.9 billion.” According to the DOJ, BNP Paribas provides a sobering example of the impact poor compliance programs can have on companies. 13
The DOJ itself admits that “companies with strong compliance programs can and do detect and report criminal misconduct by employees.” In those situations, the DOJ may decline to prosecute companies because of the success of their compliance program. The DOJ has pointed to Morgan Stanley as one example of when a company was not prosecuted “due to the company’s robust internal compliance program.” Morgan Stanley conducted yearly compliance training, distributed training materials, required certification of compliance in writing, and had discussions with employees regarding certain aspects of specific transactions. Despite these “extensive compliance efforts,” an employee was able to circumvent internal controls to corruptly transfer ownership interest in property. Morgan Stanley’s compliance program detected the employee’s criminal misconduct and voluntarily disclosed it to the government. According to the DOJ, the Morgan Stanley case is a “compliance success story.”14
Despite these two examples, it remains unclear what specific elements of a corporate compliance program will ultimately lead the DOJ to make the decision not to prosecute. This new emphasis on compliance programs may come at a high cost to companies who have to dedicate limited resources towards developing and ensuring that they continue to maintain state-of-the-art corporate compliance programs, especially since companies cannot guarantee that their programs will stop rogue employees from breaking the law.
The new compliance counsel, hopefully, will alleviate some of that uncertainty by DOJ’s apparent intention to “devis[e] general criteria for  compliance program[s] as well as more tailored criteria specific to industries and the particular company at issue.”15 Such a step could prove good news, especially since the act of merely establishing a compliance program does not insulate companies from liability.16
Companies in all industries should re-evaluate their compliance programs. Government guidance continues to evolve and even robust compliance programs may be viewed as out-of-date and/or ineffective. It is important for companies to continue to dedicate sufficient resources to ensure that their compliance programs remain state-of-the-art year after year. Companies should also regularly conduct risk analyses and benchmarking, and modify their compliance programs to address high-risk areas before being put to the test by the new compliance expert. Weissman appropriately noted that “it doesn’t do anyone good to have people wasting their compliance dollars on areas that are low risk.”17