Recent regulator statements and actions stress the need to empower compliance programs and officers and hold them accountable.
As companies navigate the post-pandemic environment, legal and compliance teams should take heed of US regulators' recent statements, insights gleaned from recent enforcement actions, and evolving best practices to build a compliance program that meets the demands of today's business realities and regulators' expectations. Two recurring themes are worth noting: ensuring that compliance programs and personnel are not only empowered but also held accountable to meet the demands of an evolving, technology-driven, hybrid business environment.
This Client Alert highlights recent US Department of Justice (DOJ) and US Securities and Exchange Commission (SEC) statements on the importance of corporate compliance programs, particularly in the context of investigations and enforcement. It also provides an overview of the DOJ's newly introduced concept of near-mandatory compliance officer certifications in corporate enforcement actions. A forthcoming Client Alert will provide practical tips for empowering corporate compliance teams and ensuring compliance teams are accountable in this post-pandemic era.
US Regulator Focus on Corporate Compliance
DOJ and SEC focus on corporate compliance programs is hardly new,1 but the Biden Administration has been particularly vocal about emphasizing this priority in White House-driven policy statements,2 as well as in speeches and other public statements made by administration officials. These statements give companies insights into how regulators are thinking about compliance, and how best to prioritize their own compliance resources and efforts. Several insights emerge from this messaging:
- Companies must ensure their programs are adequately funded and resourced.3 In May 2022, DOJ Assistant Attorney General and Criminal Division Head Kenneth Polite, Jr. specifically emphasized to the audience at Compliance Week's National Conference that the DOJ looks not just at the structure of compliance programs, but also at the resources that have been invested in them, including with respect to overall headcount, compliance budget, and qualifications of internal resources. "Companies that make a serious investment in improving their compliance programs and internal controls will be viewed in a better light by the Department of Justice and by my Criminal Division," he said. He added that the DOJ gives "significant credit to companies that build strong controls to help detect and prevent misconduct."4 His message to company leadership could not have been clearer: "Support your compliance programs now--or pay later." Examples of how senior management could invest in the company's compliance program and ensure it is adequately empowered to accomplish its objectives include: benchmarking the organization's internal and external compliance spend against peer companies; hiring qualified compliance personnel (i.e., employees experienced enough to do the job effectively); investing in appropriate compliance technology tools, analytics offerings, and automated resources; and ensuring sufficient compliance resources not just at company headquarters but across the company's geographic footprint, as appropriate, whether in the form of dedicated compliance headcount or local compliance liaisons.
- Compliance functions and compliance officers, including the chief compliance officer, must be empowered within the organization.5 Assistant Attorney General Polite explained at the same Compliance Week conference that when evaluating a corporate compliance program, the DOJ "seek[s] to understand whether and how a company has taken steps to ensure that compliance has adequate stature within the organization." He reaffirmed that just as compliance programs cannot simply be paper programs, the chief compliance officers (CCOs) must not simply be figureheads. Instead, the DOJ looks to whether the CCO has adequate stature and voice within the organization. Put differently, compliance must be given a seat at the table for key decisions and the compliance function must be respected across the organization. Assistant Attorney General Polite gave the example of a recent Filip Factor presentation with a company where the compliance officer was present but sat silently as the company's outside counsel fielded the government's questions.6 "That single act gave me all the information that I needed. That act demonstrated, literally and figuratively, that [the] chief compliance officer had no voice in that organization." He instead encouraged compliance officers to take prominent roles in these presentations as a way of "demonstrating their knowledge and ownership of the compliance program." Outside of the compliance presentation context, companies can ensure their compliance functions have sufficient stature by building clear reporting lines between the CCO and the board, relevant board committees, and senior management; by ensuring there is a strong role for the CCO in key business decisions and on key management committees; by setting compensation structures and titles for the CCO and other compliance functions commensurate with the stature of their roles; and by providing the ability and opportunity for the CCO and other control functions to override the business as appropriate.
- Gatekeepers are critical parts of an effective compliance program, and individuals are a critical part of DOJ and SEC enforcement strategy. Recent announcements from the DOJ and SEC confirm that a key part of these regulators' enforcement strategy is individual liability, with a particular focus on compliance "gatekeepers" -- individuals such as compliance officers, lawyers, accountants, and auditors, whom SEC Enforcement Director Gurbir Grewal described as the "first line of defense" against misconduct in a recent speech outlining the SEC's "renewed focus on gatekeeper liability."7 Nicholas McQuaid, Deputy Assistant Attorney General of the DOJ's Criminal Division, told an audience in October 2021 that individual prosecutions in white collar cases are a "top priority" for the DOJ.8 Similarly, Attorney General Merrick Garland himself has called prosecuting "the individuals who commit and profit from corporate malfeasance ... the Department's first priority."9 And Deputy Attorney General Lisa Monaco echoed this sentiment late last year in announcing that, to give teeth to this commitment to prosecuting individuals, the DOJ was restoring prior Obama-era guidance that requires companies to provide all non-privileged information about all individuals involved in or responsible for the alleged misconduct (not just individuals "substantially involved" in the misconduct) if they wish to obtain cooperation credit.10
Assistant Attorney General Polite recently explained that this focus on individuals is an important part of the DOJ's "carrots and sticks" approach to "affect, punish, deter or change the decision-making and actions of individuals." Tying it back to the importance of individuals in compliance, he said, "[w]hen you are asked about your compliance program and whether it [i]s adequately creating, maintaining and supporting an ethical culture, the question again goes to individual accountability."11 In practice, it is unlikely that the DOJ and SEC will focus on bringing actions against "gatekeepers" who act in good faith to ensure their organizations comply with the law and that internal controls are followed. This has not been the practice to date, and we do not expect a significant change even with the stated focus on gatekeepers. However, if gatekeepers are involved in misconduct -- or intentionally turn a blind eye to it -- they may be a focus of prosecutors and SEC enforcement attorneys seeking to make good on the commitments described above. The forthcoming Client Alert will provide recommendations on how to ensure gatekeepers are empowered and equipped in the face of this enforcement focus.
- Sanctions and AML must be a compliance priority. Sanctions and anti-money laundering (AML) are both top-of-mind compliance areas for regulators, who view the two as linking the fight against corruption to US national security interests. The Biden Administration has identified AML as a key "strategic objective" in the fight against corruption and the funding of terrorist groups and other international bad actors.12 And, while not specifically a post-pandemic issue, Russia's invasion of Ukraine raises the specter of sanctions-related risks for global companies. As the US government continues to roll out new and increasingly staunch sanctions relating to Russia,13 CCOs must ensure that their companies' touchpoints with Russia, Belarus, Ukraine, and other affected regions fall on the right side of the Treasury Department's Office of Foreign Assets Control (OFAC) and the DOJ. In March, the DOJ launched its Task Force KleptoCapture, committed to enforcing sanctions against Russian oligarchs.
But it is not just Russia. In the most recent of a spate of speeches on the topic, Deputy Attorney General Monaco emphasized that sanctions enforcement is the "new FCPA."14 Her remarks highlight the parallels: "The growth of sanctions enforcement follows the path that the FCPA [Foreign Corrupt Practices Act] traveled before it. Both FCPA and sanctions enforcement are relevant to an expanding number of industries. They have extended beyond just US actions to an increasingly multilateral enforcement regime. And they both reward companies that develop the capacity to identify misconduct within the organization, and then come forward and voluntarily disclose that misconduct to the department."15 Deputy Attorney General Monaco's message was clear: "You can expect to see more action in sanctions enforcement," and regulators "expect to see a new level of sophistication and resource commitment to sanctions compliance[.]"16 In light of this focus, companies evaluating their corporate compliance programs must consider whether their AML and sanctions compliance programs meet regulator expectations and adequately protect against these risks.
CCO Certification Requirement Meant to Empower, Not Punish, the Corporate Compliance Function
Underscoring the DOJ's focus on empowering CCOs, Assistant Attorney General Polite also recently announced a new requirement whereby the CCO -- and not just the CEO, per the DOJ's prior practice -- will now be required to individually attest to the efficacy of the company's compliance program as part of DOJ resolutions. Lauren Kootman, Assistant Chief in the DOJ Fraud Section, confirmed in a recent speech that "[t]he [CCO] certifications are going to be incorporated into every most likely into every resolution." 17
The DOJ has already started incorporating CCO certifications into recent resolutions, including in Glencore's June 2022 guilty plea deal with the DOJ. As part of the international commodity firm's agreement to resolve charges for violations of the FCPA and a commodity price manipulation conspiracy, Glencore agreed to have not just its CEO (which was common in recent FCPA enforcement actions), but also its CCO certify that the company had implemented an anti-corruption program that met certain specifications agreed upon in the plea agreement.18 The certification also requires the CCO and CEO to attest that Glencore's compliance program "is reasonably designed to detect and prevent violations of" the FCPA and the Commodities Laws.19 Historically in recent FCPA resolutions, companies have agreed to have directors, CFOs, CEOs, and "an appropriate senior executive" submit certifications regarding compliance programs, reporting requirements, and other resolution elements. In corporate resolutions involving a monitor, the monitor is typically asked to make this certification. This updated policy introduces the CCO as a party responsible for making this certification on behalf of the company. The SEC has also required CEO certifications attesting to compliance programs' effectiveness, most notably in its 2019 settlement with KPMG, but to date it has not extended this requirement to CCOs.20
According to DOJ officials, "this additional certification is not intended to be punitive; it is a new tool in your arsenal" that "makes clear you should have and must have appropriate stature in corporate decisionmaking." This sentiment was echoed by Assistant Chief Kootman, who said in a speech that the "intention [behind CCO certifications] is not to put a target on the back of a chief compliance officer[,]" but instead to empower them.21 In particular, the certifications can empower CCOs not only by ensuring they have "adequate visibility and access to information" about violations and business decisions, but also by ensuring their stature within the organization: "[does the] compliance officer ... have access to important information? Or do they have a seat at the table? Are they being involved in high-risk transactions [and other] important decisions at the company?"22 David Last, the head of DOJ's FCPA Unit, similarly clarified that the move is not to "provide fodder" to prosecute CCOs or CEOs, but rather to "make sure that the company is taking compliance seriously," and to "incentivize" CEOs and CCOs to actually ensure their compliance programs are up to snuff before signing.23
The move is not without its critics. Various members of the white collar bar have raised concerns that CCO certifications will turn into a "gotcha game" whereby the DOJ will wait until after compliance officers sign certifications attesting to the effectiveness of their companies' programs before disagreeing with them that those programs are in fact well-designed, empowered, or effective.24 Others have expressed concerns that CCO certifications may raise individual liability for CCOs, or deter people from wanting to take jobs in compliance.25 It remains to be seen how these CCO certifications will work in practice and whether the requirement will indeed empower CCOs navigating their post-resolution obligations, but there is no question that the CCO certification requirement raises the stakes for CCOs. The forthcoming Client Alert will outline practical tips for companies to ensure their compliance officers are empowered to make these certifications if required.
Companies seeking to have best-in-class compliance functions would be wise to review their existing compliance programs in light of today's risk environment, ensure that their programs work well to address those risks, and elevate the stature of compliance professionals within their corporate ranks. The followup Client Alert will build on the lessons detailed in this Client Alert, setting out practical tips for companies seeking to meet and exceed regulator expectations and build a program that addresses the current hybrid work environment. Latham & Watkins' White Collar Defense & Investigations Practice features regulatory practitioners, career defense advocates, and former high-ranking government lawyers and is well-placed to advise companies on how to fortify their compliance programs in a post-pandemic environment.