On April 30, the United States Sentencing Commission submitted to Congress several amendments to the Federal Sentencing Guidelines’ standards governing corporate compliance and ethics programs. Unless Congress passes legislation rejecting them, the amendments will automatically take effect on November 1, 2010. These amendments warrant attention for two reasons. First, they clarify the steps that companies should take after detecting criminal conduct in order to remedy the resulting harm and to prevent future criminal conduct. Second, the amendments augment the compliance officer’s reporting obligations to the company’s board of directors. Companies should review and modify existing corporate compliance programs in light of these changes to ensure that they conform to the new standards.

The Sarbanes-Oxley Act of 2002 directs the Sentencing Commission to ensure that the guidelines applicable to the sentencing of corporations “are sufficient to deter and punish organizational criminal misconduct.” Sec. 805(a)(5). Pursuant to this directive, the Guidelines provide a substantial sentencing credit or penalty reduction to convicted corporations that have robust compliance and ethics programs in place at the time of the offense.

The Sentencing Guidelines’ provisions regarding compliance and ethics programs have import well beyond the relatively few companies that stand convicted of criminal offenses. Prosecutors and government regulators commonly consider the adequacy of a company’s compliance program when determining whether to bring criminal charges or a civil enforcement action against a company, or whether to offer a non-prosecution agreement. A robust compliance program can also help a company avoid or mitigate liability in private litigation. Accordingly, all companies should be mindful of the guidelines applicable to compliance and ethics programs.

Guidelines for Effective Compliance and Ethics Programs

Under the current Sentencing Guidelines, in order to maintain an “effective” compliance and ethics program, a company must, at minimum, meet the following standards:

  1. Standards and Procedures - Establish standards and procedures to prevent and detect criminal conduct;  
  2. Oversight Authority - Ensure that the board of directors and high-level personnel in the company exercise reasonable oversight authority over the implementation and efficacy of the compliance program;  
  3. Operational Responsibility - Assign specific individual(s) from within the company’s high-level personnel to take overall responsibility for the compliance program, and delegate specific individual(s) to exercise day-to-day operational responsibility for the program;
  4. Periodic Reporting - Ensure that individual(s) with operational responsibility for the program report periodically to high-level personnel or the board of directors on the effectiveness of the compliance program, and are provided with adequate resources, authority and access to the board;
  5. Exclude Wrongdoers from Positions of Authority - Use reasonable efforts to exclude any person who has engaged in illegal or inappropriate conduct from positions of substantial authority within the company;
  6. Training - Conduct effective training programs and otherwise disseminate information to ensure that the board of directors, high-level personnel and other employees with substantial authority receive information about the standards, procedures, and other aspects of the compliance program;
  7. Auditing - Monitor the efficacy of the compliance and ethics program, including auditing to detect criminal conduct, periodically evaluating the program’s effectiveness, and maintaining and publicizing a system for employees to report suspected criminal conduct within the organization without fear of retaliation;
  8. Enforcement of Compliance Program - Ensure that the compliance program is promoted and enforced consistently within the organization by providing incentives to perform in accordance with the program and establishing appropriate disciplinary measures for engaging in or failing to prevent or detect criminal conduct; and
  9. Responses to Criminal Conduct - Following the detection of criminal conduct, take reasonable steps to respond appropriately to and prevent further similar conduct, including making any necessary modifications to the compliance and ethics program.

Standards for Responding Appropriately to and Preventing Further Similar Criminal Conduct

The new amendments clarify what constitutes “reasonable steps” to respond appropriately to criminal conduct and to prevent further similar criminal conduct (item 9, above). These changes provide valuable guidance to companies concerning the actions they should take following the discovery of criminal conduct within the organization.

First, in the amendments, the Commission specifies that “reasonable steps” may include restitution to identifiable victims or other forms of remediation, where appropriate, as well as self-reporting or cooperation with authorities.

Second, the amendments provide that, following the detection of criminal conduct, the company should assess the existing compliance and ethics program and make modifications necessary to ensure the program’s effectiveness. Importantly, this process may include the use of an outside professional advisor to ensure adequate assessment of the existing compliance program and the effective implementation of any modifications.

Although companies must always evaluate their compliance and ethics programs following the detection of criminal conduct, they need not engage an outside monitor in all cases. Engagement of a monitor should be considered in cases where, at minimum, the criminal conduct identified is severe or the compliance program requires significant modifications.

Enhanced Reporting Obligations

The new amendments augment the compliance officer’s reporting obligations to the company’s “governing authority” (typically, the board of directors or audit committee). Prior to the amendments, the Guidelines denied sentencing credit to companies with otherwise effective compliance and ethics programs if any high-level personnel in either the company or the business unit where the offense occurred participated in, condoned, or were willfully ignorant of the offense. The new amendments create an exception to this absolute bar in cases where all of the following conditions are met:

  1. the individual(s) with operational responsibility for the compliance program (the compliance officer(s)) have direct reporting authority to the board of directors or audit committee;  
  2. the compliance program detects the offense before it is discovered outside the company;  
  3. the company promptly reports the offense to governmental authorities; and
  4. no person with operational responsibility for the compliance and ethics program has participated in, had knowledge of, or condoned the offense.

This exception highlights the need for a robust reporting relationship between the compliance officer and the board. The Commission has specified that the compliance officer’s direct reporting authority to the board must be “express” (i.e., in writing). In addition, the compliance officer must have authority to communicate with the board (1) promptly on any matter involving criminal conduct or potential criminal conduct, and (2) at least annually on the implementation and effectiveness of the compliance and ethics program.  

This exception should greatly extend the availability of sentencing credit to companies with effective compliance and ethics programs because the Guidelines no longer flatly deny sentencing credit in all cases where high-level personnel from the company or the relevant business unit are viewed as having participated in, condoned or willfully ignored the offense.  

Conclusions

Companies should evaluate existing corporate compliance programs in light of these new standards and make all necessary modifications to ensure that they conform. Importantly, companies should confirm that the compliance officer has express reporting authority to the board or audit committee, documented in writing, and that this power includes the authority to promptly report actual or potential criminal conduct, and to report at least annually on the implementation and effectiveness of the compliance program. Further, following the detection of criminal conduct, companies should routinely evaluate the appropriateness of restitution to any victims or other remediation, self-reporting and cooperation with authorities, and should consider whether engagement of an independent advisor is appropriate to assess and modify the existing compliance program.  

The text of the new amendments can be found here, with relevant sections highlighted beginning on page 17.