On November 1, 2010, two amendments to the United States Sentencing Guidelines (the “Guidelines”) pertaining to organizations will become effective that offer organizations significant opportunities to guard against and mitigate the consequences of criminal conduct committed by employees or the organization’s agents. Organizational leadership—and in particular, compliance and ethics officers—will need to reassess and adjust their existing compliance and ethics programs and take affirmative, proactive steps to reap the benefits of these amendments. For vigilant organizations, the Guidelines amendments offer much additional protection at minimal cost. For the unwary, the Guidelines can undermine even the most well intended of compliance and ethics programs.

The Importance of Having an “Effective Compliance and Ethics Program”

To corporate officers without oversight responsibilities, the significance of having a compliance and ethics program that qualifies as “effective” for purposes of the Guidelines is likely not at all obvious. After all, most corporations do not plan on finding themselves in the position of being sentenced by a federal court for criminal corporate misconduct. And yet, while it is true that having a qualifying compliance and ethics program is important because it reduces an organization’s Guidelines culpability score, the true importance of maintaining such programs transcends the Guidelines altogether. As a practical matter, the existence of an effective compliance and ethics program—as that term is understood in the Guidelines—is often determinative of the threshold question whether a corporation is to be prosecuted in the first place. Indeed, the requirements of an effective compliance and ethics program are expressly referenced in “Principles of Federal Prosecution of Business Organizations,” the manual outlining the standards of prosecution for the United States Department of Justice.

Summary of Existing Guidelines Requirements

Since 2004, the Guidelines have set forth seven (7) general requirements for an organization’s compliance and ethics program to qualify as “effective.” These requirements, which are unaffected by the 2010 amendments, are:

  1. establish standards and procedures to prevent and detect criminal conduct;
  2. ensure that its governing authority is knowledgeable about the content and operation of its compliance and ethics program;
  3. use reasonable efforts to exclude from its “substantial authority personnel” anyone the organization knew or should have known had previously engaged in conduct inconsistent with its compliance and ethics program;
  4. communicate periodically its standards and procedures and other aspects of its compliance and ethics program through, inter alia, effective training programs;
  5. take reasonable steps to ensure that its compliance and ethics program is followed;
  6. promote and enforce its compliance and ethics program through appropriate incentives and disciplinary measures; and
  7. take reasonable steps to respond appropriately after criminal conduct has been detected.

The 2010 Guidelines Amendments Relating to Organizations

For organizations, the most significant of the 2010 amendments are the following:

First, the new amendments add an Application Note to the Commentary to § 8B2.1 (“Effective Compliance and Ethics Program”) clarifying what “reasonable steps” can be taken to respond appropriately after criminal conduct is suspected. In this regard, the Guidelines for the first time expressly state that one such step may be the use of outside counsel, “to ensure adequate assessment and implementation of any modifications” to the organization’s compliance and ethics program. U.S.S.G. § 8B2.1, App. Note 6.

Second, and most significantly, the 2010 amendments add an exception to the existing rule that, notwithstanding the existence of an effective compliance and ethics program, the organization should not benefit if “high-level personnel” were involved with or should have known about the criminal conduct. Specifically, the new amendments provide that an organization can still be credited for having an effective compliance and ethics program—even where high-level personnel were involved with or should have known about the criminal conduct at issue—if four conditions are met. U.S.S.G. § 8C2.5 (f)(3)(C). The four conditions are:

  1. the individual or individuals with operational responsibility for the organization’s compliance and ethics program have “direct reporting obligations” to the governing authority of the organization or an appropriate sub-group thereof;
  2. the compliance and ethics program detected the conduct at issue before discovery outside the organization or before such discovery was reasonably likely;
  3. the organization promptly reported the offense to appropriate governmental authorities; and
  4. no individual with operational responsibility for the compliance and ethics program participated in, condoned, or was willfully ignorant of the offense. U.S.S.G. § 8C2.5(f)(3)(C)(i) - (iv). Critically, new Guidelines commentary clarifies that an individual has “direct reporting obligations” to the governing authority or an appropriate subgroup thereof if “the individual has express authority to communicate personally to the governing authority or appropriate subgroup thereof (A) promptly on any matter involving criminal conduct or potential criminal conduct, and (B) no less than annually on the implementation and effectiveness of a compliance and ethics program.“ U.S.S.G. § 8C2.5, App. Note 11.

The Opportunity for Organizations

Simply stated, the amendments to the Guidelines can be a good thing for organizations—they offer, as they say, a “lot of protection for a little effort.” Specifically, they offer the opportunity to significantly decrease organizational compliance and ethical risks by taking steps not unduly cumbersome or expensive.

But action is required. What action? First, organizations should be quick to enlist outside counsel to investigate and assess any suspected non-compliance. Once engaged, counsel should also be asked to suggest appropriate modifications to the organization’s compliance and ethics program in light of any non-compliance detected. In this way, organizations can ensure that they are deemed to have taken “reasonable steps” upon the suspicion of criminal conduct.

Second, organizations should engage in any necessary restructuring to make the Chief Compliance and Ethics Officer directly responsible to the Board of Directors or a subgroup thereof, such as an Audit Committee. Organizational policies should also reflect, in writing, that the Chief Compliance and Ethics Officer has the express authority (and indeed, the duty) to communicate personally with the Board or its designated subgroup regarding any criminal conduct or potential criminal conduct. Also, the Chief Compliance and Ethics Officer should report no less than annually on the implementation and effectiveness of the organization’s compliance and ethics program.