DoJ’s Guidelines for Compliance Systems
A useful Tool for Compliance Officers in Germany

What defines an effective compliance system? The German courts and authorities do not offer a clear map for compliance officers to follow. The characteristics of an effective compliance program are currently vague and need to be specified as German case law continues to evolve. This makes matters difficult for Germany’s compliance officers, in particular for those dealing with HR matters, who nevertheless have to respond to many new criminal and regulatory offences and prove to the authorities that an effective compliance organisation can prevent wrongdoing. This is particularly relevant for employment law matters as German employment law changes. Employment law in Germany used to be a purely private relationship between employer and employee, with civil law litigation at worst. Now the German/EU legislator more often holds managers and officers criminally liable in case of a breach of employment law regulations, for example under the new Temporary Employment Act or the General Data Protection Regulation. A look across the pond could be helpful now.

I. United States Department of Justice

Earlier this year, the Criminal Division of the United States Department of Justice (DOJ) published an extensive list of criteria by which United States Attorneys can and should evaluate in investigations whether an effective corporate compliance system is in place. Designed as a questionnaire, these factors are a very useful tool for companies in Germany to thoroughly test their compliance system in their different business units. The guideline also indicates where there is a need for action, especially for companies doing a lot of business in the US with a greater exposure to the strict penalties of the US justice system. If these standards are applied to German compliance systems as well (for example by the monitors that the DOJ increasingly tends to use, also in German companies), the businesses will have their work cut out for them. In all likelihood, only a handful of companies in Germany are compliant with the criteria.

II. The Filip Factors

The United States Attorney’s Manual – a non-binding guideline for US prosecutors – describes ten factors that prosecutors should consider when deciding whether to bring charges against a corporate entity. Unlike Germany, where only individuals may be held criminally liable, the US has a system of corporate liability. Two of these criteria, known as the Filip Factors, define very generally that corporations have to implement and continually improve an effective compliance system. The DOJ explains these two factors more thoroughly in the paper Evaluation of Corporate Compliance Programs, using the above-mentioned list of criteria. This is an explicit instruction by the DOJ defining the requirements to be fulfilled by a compliance program. The DOJ was prompted to specify these factors in the United States Attorney’s Manual mainly at the request of many US corporations seeking clarification.

III. The Criteria

The DOJ guide addresses eleven topics, which are divided into 46 subtopics and 119 questions. These aspects are relevant for US prosecutors in the evaluation of compliance systems. At first glance, the catalogue seems intimidating for its sheer size. On the other hand, it offers a detailed, balanced source of information for the compliance officers of German companies. While the DOJ appreciates that there is (still) no overall solution for the evaluation of compliance programs, the DOJ also recognises that the criteria cannot be rigidly applied to every company, nor do they have to be fulfilled in their entirety; this should encourage German companies – and not only those with significant US business – to proactively and intelligently review their compliance systems on the basis of the DOJ guidelines.

Considering the risk, it seems hard to believe that there are local companies that act internationally but think they can make do without any compliance program at all. They should seize the DOJ guideline as an opportunity to quickly implement a compliance system tailored to their needs. The DOJ does not ask whether a certain compliance measure has been implemented but rather how this has been done. It is implied that a compliance system does exist.

Four key points can be identified from the questions set out in the DoJ guideline:

1 There is no one-size-fits-all compliance program

The effectiveness of a compliance system must be evaluated on a case-by-case basis, considering the company’s particular risk profile. A good compliance environment governs just as much as necessary. Regulatory overkill and obsession with details are equally unhelpful. Companies should apply a specific, recognised methodology to identify their risk profile in each business division. According to the guideline, prosecutors will also evaluate the abstract methodology used by the company to identify, analyse and address the particular compliance risks it faces. This means that the evaluation of a compliance program by the US prosecutors starts one step ahead of the program itself – beginning with the company’s method for determining its risk profile.

2 Compliance on paper only can be detrimental

A compliance system that exists only on paper will not stand up in an investigation. In the worst case, the US authorities may even regard this “fig leaf” as an attempt by the company to cover up risks by issuing one stylised policy after the other while failing to actually address the given problems. The DOJ guideline clearly focuses on the practical implementation of the compliance requirements. The DOJ’s most important questions are whether and how the company has designed, communicated to its employees, rolled out and implemented its own compliance guidelines and procedures to mitigate risks of prosecution. Another aspect is whether the company itself has evaluated the usefulness of these policies and procedures in the past. Needless to say, the DOJ also evaluates the effective implementation of a compliance system by whether the directors and senior management, through their specific words and actions, encourage the employees to refrain from any misconduct (“tone from the top”). The departments dealing with compliance issues – in particular HR – also have to demonstrate their commitment to compliance. The words and actions of the senior management as well as the commitment of these departments should be documented to withstand audits. Compliance expertise should be available at the level of the board of directors to enable it to fulfil its control and compliance functions. The size and structure of the company determines whether the board of directors/management should have its own compliance department.

3 Compliance is not a paper tiger but a powerful element

Of the eleven topics of the DOJ guideline, the biggest chapter is dedicated to the autonomy and independence of the compliance department. The DOJ expects companies to allocate sufficient personnel resources to compliance. The qualification, autonomy and financing of the compliance departments have to be ensured. The picture that the DOJ paints of a compliance department is clearly that of a powerful, mobile force, which also manifests itself in the fact that the DOJ in an investigation would explicitly ask whether the compliance department has actually stopped any critical transactions in the past. It seems that the DOJ considers the absence of prohibited transactions not as evidence of clean business practices but rather as a sign of a toothless, that is to say ineffective, compliance organisation. For the DOJ, a compliance system is effective if it has been useful in the past.

4 Compliance as a dynamic process

The US prosecutors also check in their investigations whether the company has evaluated its compliance program for appropriateness and effectiveness on a regular basis and made improvements and/or adjustments as necessary. Compliance is a continuous, dynamic process that must include and implement periodical reviews and monitoring, for example random and audit-proof evaluations.

Checklist – a systematic overview of the criteria

Going beyond the four aspects highlighted above, the table below provides a summarised, systematic overview of the DOJ compliance questions for corporate entities. The 119 questions can be viewed on the DOJ website at www.justice.gov/criminal-fraud/page/File/937501/download.

1 Analysis and remediation
Root cause analysis
► What specific steps has the company taken to analyse the cause of the misconduct, and who was involved in the analysis?
Detection
► Were there previous opportunities to detect the misconduct, and why were these missed?
Remediation
► What specific remediation measures have addressed the misconduct, and who was responsible for the remediation?

2 Management
“Tone from the top”
► How has the management, through words and actions, encouraged or discouraged the misconduct?
► How has the management modelled compliant behaviour to employees?
► How does the company monitor its management’s behaviour?
► What compliance expertise is available on the board of directors, and have they attended trainings?

3 Autonomy of compliance
Compliance role
► Was the compliance department involved in decisions relating to the misconduct? Did they raise concerns beforehand?
Status
► How has the compliance department compared with other functions in view of compensation levels, rank, reporting line, resources and access to decision-makers?
► What role does the compliance department play in strategic and operational decisions, and does it have appropriate experience and qualifications?
Autonomy of the compliance department
► Does the compliance department have direct reporting lines to the board of directors, and how often do they meet with the board of directors?
► Who reviews the performance of the compliance department and by what factors, and who determines the compensation of compliance officers?
Empowerment
► Have there been transactions where compliance raised concerns, and how did the company respond to these concerns?
► Have there been transactions that were stopped, modified or more closely scrutinised by compliance?
Funding
► How have decisions been made about personnel and resources for compliance functions? Was the company’s risk profile considered in these decisions?
► Have requests for additional resources for compliance functions been denied? If so, by whom and why?
Outsourcing of compliance functions
► Has the company outsourced any compliance functions to external consultants, and if so, why?
► What access level do the external consultants have to company information, and how has the effectiveness of the outsourced process been evaluated?

4 Policies and procedures
Design of compliance policies
► How were new policies and procedures designed and implemented, and who was involved in the process?
► Were the business divisions consulted prior to the rollout of new policies?
Applicable policies and procedures
► Has the company had policies that would have prohibited the misconduct, and how did the company assess whether these policies are effective?
► How were those responsible for the risks held accountable for supervisory oversight?
Gatekeepers
► Has there been adequate training for persons who issue payments and/or approvals, and how could they voice their concerns?
Accessibility
► How has the company communicated policies and procedures to the employees?
Implementation
► Who has been responsible for implementing policies and procedures, and with which departments/with whom have they consulted?
► How has it been assessed whether employees understand the policies and procedures?
Controls
► What control mechanisms would have detected/prevented the misconduct but failed or were absent, and are these in place now?
Payments
► How was the misconduct in question financed, and what processes could have prevented or detected improper access to these funds?
Approval processes
► How did those with approval or certification authority know which transactions are compliance-relevant and how to escalate concerns?

5 Risk assessment
Risk management
► What method has the company used to identify, analyse and address risks?
Information exchange
► What information has the company collected and analysed to detect the misconduct, and how did the information reach the compliance department?

6 Training and communication
Risk-based training
► What training have employees in control functions received, and how was it decided who should be trained and on what subjects?
► Have trainings been tailored for high-risk and control employees?
Form, content and effectiveness of training
► Has the training been offered in the form and language appropriate for the intended audience, and how was the effectiveness of the training measured?
Communications about misconduct
► How was the company’s position on the misconduct communicated?
► How were the measures for non-compliance communicated within the company?
Availability of guidance
► What resources have been available to employees for compliance guidance?
► How has the company assessed whether its employees resort to the available guidance?

7 Reporting and investigation
Effectiveness of reporting
► How has the company collected, analysed and used compliance reports?
► How has the company assessed the seriousness of a report?
► Did the compliance department have full access to reports and investigation results?
Reasonable investigations
► How has the company ensured that the internal investigations were reasonable, objective, independent and properly documented?
Response to investigations
► Has the company identified root causes and system vulnerabilities as a result of investigations?
► What is the process for responding to investigative findings, and to what level do these go?

8 Incentives and disciplinary measures
Accountability
► What disciplinary actions did the company take in response to the misconduct, and when? Who decided the disciplinary measures?
► Were managers held accountable for misconduct that occurred under their supervision?
► How many and what disciplinary actions have been documented by the company?
Consistent application
► Have the disciplinary actions and incentives been objectively and consistently applied across the organisation?
Incentive system
► How has the company incentivised compliance?
► Has the company considered the potential negative compliance implications of its incentives and rewards?

9 Improvement and review
Internal audits
► What types of audits would have identified the misconduct, did those audits occur, and what were the findings?
► What types of audit findings have been reported to the board on a regular basis, and how has the board responded?
Stress testing
► Have the compliance programs been tested on a regular basis, and how were the results documented and reported?
Development
► How often has the risk analysis process been updated, and have policies, procedures and practices been reviewed for their appropriateness?

10 Business relationships
Risk-based and integrated process
► Does the management process for business relationships match the company’s identified risk profile, and has it been integrated into the procurement process?
Appropriate controls
► Why were third parties involved in business processes, and were incentive models for business partners weighed against compliance risks?
► How were business partners checked for compliance risks, and were they encouraged to be compliant?
Consequences
► Has any third-party business relationship been suspended, ended or audited for reason of compliance issues, and how was it ensured that a terminated business relationship was not revived?

11 Mergers and acquisitions
Due diligence
► Was the misconduct identified during a due diligence process, and who conducted the risk analysis?
Integration in the M&A process
► How have compliance functions been integrated in the M&A process?
Implementation
► Have compliance procedures been implemented in the acquired company?

© Taylor Wessing 2018
This publication is intended for general public guidance and to highlight issues. It is not intended to apply to specific circumstances or to constitute legal advice. Taylor Wessing’s international offices offer clients integrated international solutions. Though our offices are established as distinct legal entities and registered as separate law practices, we are able to help our clients succeed by providing clear and precise solutions with high-level legal and commercial insights. For further information about our offices and the regulatory regimes that apply to them, please refer to http://deutschland.taylorwessing.com/en/regulatory and rhtlawtaylorwessing.com.
Europe > Middle East > Asia
taylorwessing.com

About the Authors

Jan-Patrick Vogel, LL.M. (Stellenbosch), specialises in HR compliance and corporate misconduct. He advises clients in the development of HR compliance organisations and the detection of and response to wrongdoing in employment/social security contexts. He is a frequent speaker at conferences and workshops. He is a member of the German Association for White Collar Crime (WisteV) and the Association of German Compliance Officers (BCM).

Dr. Martin Knaup, LL.B., specialises in providing legal advice in the framework of corporate compliance, in particular when it comes to the implementation of compliance management systems as well as to investigations of compliance infringements. Martin is a member of the German Compliance Institute (DICO) and a Certified Compliance Officer (University of Augsburg).

Dr. Christian Maron is a Specialist Lawyer for Employment Law and advises national and international companies as well as management on all questions of individual and collective employment law. In particular, he has gained broad experience in advising US-based clients doing business in Germany. Christian is a member of the American Bar Association (ABA). Furthermore, as a member of the American Chamber of Commerce in Germany (AmCham Germany), he is also active on the AmCham Social & Labor Affairs Committee.

Jonas Warnken is a Specialist Lawyer for Employment Law and advises companies as well as management on all questions of individual and collective employment law. In particular, he advises US clients on all employment law related questions when entering the German market and supports them in setting up a workforce. Furthermore, he advises companies on the establishment of European Companies (SE) and on all issues relating to the participation of European employees in an SE, including the negotiation of SE employee participation agreements.

What we can do for you

In the past few years, Taylor Wessing’s compliance activities have become one of the focal areas of its consultancy portfolio. Our experience in and commitment to all fields of compliance have helped us to develop customised, innovative compliance programmes for enterprises. Compliance is an interdisciplinary matter. Thorough and comprehensive advice in this area requires outstanding expertise in a wide variety of legal disciplines and a complete understanding of the operative industry segments concerned.
Both criteria are met by Taylor Wessing as one of Europe’s leading full-service law firms. We regard compliance not as a rigid concept governed by a uniform pattern, but rather as a set of risk-based structures geared to the concrete individual case. The crucial point is to find the right balance between risk assessment on the one hand and the design and scope of corresponding compliance measures on the other. This is exactly what our tailor-made approach does: we adapt our counselling activities to the specific needs and situation of the relevant client.