On April 30, 2019, the US Department of Justice (DOJ) published a guidance document, “The Evaluation of Corporate Compliance Programs” (Guidance), aiming to provide greater transparency into its prosecution decisions. While the Guidance is primarily meant for the consumption of prosecutors considering an investigation and/or bringing charges against a corporation, it provides valuable insight for compliance conscious entities that are proactively looking to develop and further strengthen their corporate compliance programme (CCP).
The Guidance complements the principles set out in the Justice Manual, which describes specific factors that prosecutors must take into consideration, including inter alia, the adequacy and effectiveness of the corporation’s compliance programme at the time of both the offence and the charging decision, and the corporation’s remedial efforts to implement an adequate and effective corporate compliance programme or to improve an existing one. Additionally, the US Sentencing Guidelines advise that consideration should be given to whether the corporation had in place at the time of the misconduct an effective compliance programme to calculate the appropriate criminal fine.
An effective CCP can indeed prove to be highly beneficial for a company undergoing a potential investigation. The DOJ has explicitly incentivised and rewarded effective CCPs because a good programme enables the prevention and timely detection of misconduct, which in turn allows for efficacious enforcement by external regulatory agencies. For instance, in September, 2016, the DOJ declined to prosecute Harris Corporation, despite violations of the Foreign Corrupt Practices Act (FCPA) by its newly acquired subsidiary, CareFx Corporation, in part because the company maintained an effective compliance programme that allowed it to detect and report misconduct. The voluntary disclosure made by the company, combined with Harris Corporation’s full cooperation and remediation, led to the declination.
In light of the given background, it is indeed relevant for multinationals doing business in India to acknowledge the significance of the Guidance, and take active steps in line with it, to adequately ring-fence their interests. The Guidance provides a great amount of transparency into the evaluation criterion considered by prosecutors and simultaneously provides clarity to compliance officers and counsels on how to develop, structure and evaluate their compliance programme. In the paragraphs that follow, we have attempted to briefly provide a ‘checklist’ of what may comprise an effective compliance programme in the eyes of the DOJ.
Checklist for an effective compliance programme
1. A Well–Designed Programme
The first critical factor in evaluating the effectiveness of a CCP is determining whether the corporation maintains a well–designed compliance programme. This is to say that, the comprehensiveness of the programme should be evaluated taking into account aspects such as adequacy and effectiveness of internal policies and procedures, risk–based procedures, assignments of responsibility, training programmes, systems of incentives and discipline etc., to ensure that the CCP is well integrated into the company’s operations.
- Risk assessment – At the very outset, the company must identify, analyse and address the particular risks that it may be exposed to. While carrying out risk assessment procedures, varying risk factors must be assessed, including inter alia, the location of business operations, industry sector, competitiveness of the market, regulatory landscape, potential clients and business partners, government touchpoints, use of third parties, etc. Compliance officers must analyse the effectiveness of the company’s risk assessment and the manner in which the compliance programme has been tailored based on the assessment. Risk assessment procedures must also be subject to periodic review and updates.In fact, pre–M&A risk assessments are extremely significant as they allow for an accurate evaluation of the value of the target entity. Furthermore, it is crucial to ensure that instances of misconduct, if any, are sufficiently addressed prior to the conclusion of the transaction, so as to ensure no damage is incurred to the company’s reputation and business interests.
- Policies and procedures – A well–designed compliance programme comprises adequate policies and procedures to give both content and effect to expected ethical standards and to address potential risks identified as part of its risk assessment process. In addition to developing a strong policy framework, compliance officers must ensure that these policies and procedures are sufficiently communicated and inculcated into the compliance culture of the company.
- Compliance trainings – It is important for compliance officers to examine whether the compliance programme is being disseminated to, and understood by, employees in practice. Furthermore, special attention should be given to high risk and control employees to ensure that tailored trainings are periodically provided to address specific risks to which the company is exposed.
- Reporting and investigation process – Another hallmark of a well-–designed compliance programme is the existence of an efficient and trusted mechanism for making anonymous or confidential disclosures of a known or suspected misconduct. Compliance officers must take proactive steps to create a workplace atmosphere that encourages bona fide disclosures, without fear of retaliation or adverse employment actions. Compliance officers must also assess the company’s process for handling investigations of such disclosures, including routing it to the appropriate personnel, timely completion of investigative steps and appropriate follow up and discipline.
2. Effective Implementation
While evaluating a corporation’s CCP, the second factor that requires consideration is whether the compliance programme is being successfully implemented in practice. This is to say that, prosecutors shall evaluate whether the CCP is being implemented, reviewed and revised, as appropriate, in an effective manner.
In terms of the actual implementation of the programme, compliance officers must assess the ethics and compliance culture existing in the corporation. It is important that senior management sets a strong tone at the top for the rest of the company. Prosecutors should examine the extent to which senior management have clearly articulated the company’s ethical standards and conveyed and disseminated them in clear and unambiguous terms and demonstrated adherence.
Furthermore, the successful implementation of the compliance programme must also be evaluated, taking into account the overall structure of the programme. More specifically, factors such as the autonomy of the programme, adequacy and independence of authority and stature, sufficiency of personnel and resources within the compliance function, incentives and disciplinary measures implemented etc. must be carefully evaluated, keeping in mind the size, structure and risk profile of the particular company.
3. Working of the Corporate Compliance Programme
The Principles of Federal Prosecution of Business Organisations under the Justice Manual require prosecutors to assess “the adequacy and effectiveness of the corporation’s compliance program at the time of the offence, as well as at the time of a charging decision.” Due to the backward-looking nature of the first inquiry, prosecutors must specifically assess whether the programme was working effectively at the time of the offence. In assessing whether the company’s CCP was effective at the time of the misconduct, prosecutors shall consider whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct and the nature and thoroughness of the company’s remedial efforts. Such an assessment would indeed require a ‘root cause’ analysis to understand the reason(s) for the misconduct, systemic weaknesses, payment system involved, vendor management, disciplinary actions taken and efforts undertaken to remediate the misconduct.
It is hence important for compliance officers to ensure that the CCP is adequate and effective in detecting misconduct. Also, once detected, it is equally important for the compliance officers to ensure that both immediate as well as long-term remediation efforts are put in place to plug any possible loopholes and prevent similar events in the future.