Even at companies with separate legal and compliance departments, Department of Justice-enforced compliance is a key concern for in-house counsel. Those pressures are changing rapidly and will only increase in the near future. WBD Partner Claire Rauscher, a veteran white-collar defense and government investigations attorney, discussed the latest developments in DOJ as part of The Evolving Dance thought leadership series. WBD Partner Mark Henriques moderated the discussion, and this article is based on that presentation.
Make no mistake: There is a new sheriff in town at the U.S. Department of Justice. Two years into the Biden Administration, it is clear the DOJ has made corporate compliance and anti-fraud efforts a top priority.
But in addition to placing greater emphasis on compliance, the DOJ has introduced new methods of measuring and enforcing compliance. More responsibilities are being placed on the shoulders of compliance officers, and Rauscher said in-house counsel and corporate compliance departments need to pay careful attention to these developments.
“You could be stepping into some pretty significant problems,” she said. “It’s a topic that is becoming more top-of-mind and I’m not sure that’s going to change in the near future.”
AAG Ken Polite Fires the First Salvo
A March 2022 speech by Assistant Attorney General Ken Polite (at NYU Law’s Program on Corporate Compliance and Enforcement) outlines many of these changes. Polite is a former federal prosecutor, defense attorney and Chief Compliance Officer at a Fortune 500 company, so Rauscher says he has a deep understanding of real-world compliance challenges. Having said that, she noted that his current role is on the enforcement side.
In his remarks, Polite said there are three key criteria for corporate compliance programs. They must:
- Be well designed;
- Be adequately resourced and empowered to function effectively; and
- Work in practice.
“This can’t be something where a company just puts something out there to check a box. That doesn’t work,” Rauscher said. These guidelines apply to all companies, public or private.
So what is a “well designed” compliance program? Polite said in-house compliance officials should start by examining their company’s process for assessing risk and asking, “Was the program built and tailored to manage the specific risk profile?”
“One thing the DOJ certainly understands is that you can build the best program in the world, and things will still slip through,” Rauscher said.
The next step involves properly training employees, management and third parties on risk areas and responsibilities. What is the process for reporting violations of law or company policy that encourages disclosure without fear of retaliation? Does the company take reported violations seriously, investigating, documenting and, if necessary, remediating them?
Rauscher said third-party training can be particularly difficult, but a good-faith effort will carry weight with federal regulators.
“Compliance is a cost-center within companies,” she said, meaning in-house compliance officials may get some pushback within their organizations about spending. But that shouldn’t stop a compliance department from making the case for additional resources, if needed. “You have to adequately resource the compliance people,” she said.
Rauscher also said that “adequately resourced” compliance goes beyond simply dollars, reporting lines and headcount. “The DOJ is going to look at the company’s commitment to compliance at all levels,” she said.
For example, regulators will review the qualifications and expertise of key personnel and gatekeeper roles. “You can’t just put anybody in these roles,” Rauscher said. They also will make sure that compliance officers have direct access to corporate management and the organization’s board of directors.
“The chief compliance officer (CCO) needs to be at the table during the board of directors meetings. The DOJ has spelled that out,” she said. This can be a difficult ask in some corporate cultures, but Rauscher said it is essential to mitigate compliance risks.
Crafting a Compliance Program for the New Reality
Likewise, how does the DOJ measure “works in practice”? Rauscher said the company should ask the following questions:
- Is the company constantly testing the effectiveness of its compliance program?
- Is the company improving and updating the program to adapt to changing risks?
- Can the company identify gaps or violations of law and/or policy?
- How does the company address root causes of gaps/violations and find ways to improve and prevent recurrences?
- How does a company measure and test its culture through all levels and throughout operations?
“A CCO has to have a direct line to the boardroom,” Rauscher said. “If not, that’s going to be a problem under these new guidelines.”
Also, she said it is good to be able to demonstrate how good behavior was rewarded, bad behavior was punished and processes were adapted to meet changing compliance needs. Companies should document their compliance activities carefully, in part to show a pattern of diligence.
“You’ve got to keep improving and updating your program to adapt to changing risks,” Rauscher said. “The DOJ wants to see evidence of that.”
In addition, Rauscher said the DOJ wants the company’s CCO to be the point person for compliance, not outside counsel. The CCO should be the point person in the company’s communications with the DOJ. Likewise, the CCO needs to have true independence, as well as the authority and stature within the organization to make meaningful decisions.
Polite also emphasized that corporate monitors will be imposed when a determination is made that the company is not living up to its compliance and disclosure obligations.
The DOJ renamed its Fraud Section the Corporate Enforcement, Compliance and Policy Unit (CECP). The Department hired prosecutors, former compliance officers and defense attorneys with experience in compliance, monitorships and corporate enforcement matters to lead the CECP.
“It’s very different than it was before,” Rauscher said. “You now have experienced compliance professionals asking tough and probing questions during compliance presentations.” The CECP should provide a greater degree of consistency to the review process and will supervise enforcement agreements from start to finish.
DOJ Introduces Certification Requirements
Assistant Attorney General Lauren Kootman in the CECP unit stated that companies can expect a requirement in enforcement agreements that chief compliance officers must certify that compliance programs have been “reasonably designed and implemented to prevent and detect future violations of law.” Her comments were made at the June 2022 Women’s White Collar Defense Association Conference.
These certifications parallel those required by Sarbanes-Oxley (Sections 302 and 906) for CFOs and CEOs regarding the accuracy of financial statements. They only will be required in plea agreements, deferred prosecution agreements, and pre-trial diversion agreements.
“This is huge,” Rauscher said. Although the DOJ says the certification process is designed to empower CCOs by ensuring “adequate visibility and access to information” before being comfortable about signing off, Rauscher said she could understand why CCOs might see it as punitive.
“Think about that: You’re certifying that these programs are going to detect future violations of law—that’s frightening,” she said. “Financial statements are numbers—they’re fairly concrete. But this is asking you to place your confidence in a compliance program. Those are two completely different things.”
On one hand, she said CCOs could face intense pressure from their organizations to certify the compliance program. On the other, CCOs face potential perjury or false statement/obstruction charges should they sign off on a program without having full confidence in it.
What can companies do to help ensure that their compliance programs meet this high standard? The DOJ has offered some guidance.
Again, it starts with the CCO having a full role in developing the compliance program by having a seat at the decision table. Kootman also recommended conducting regular employee surveys with a full analysis of those results, tying compensation to compliance incentives, and creating a thorough and effective process to deal with misconduct or violations.
If a problem does arise, the DOJ says companies should conduct a full investigation, including collecting and preserving information with a focus on employee communications and personal devices. This opens up an entirely new set of problems for compliance officers and in-house counsel, as another panel in WBD’s The Evolving Dance series discussed.
The DOJ already is using these certification requirements. When Glencore International AG and Glencore Ltd. reached a May 2022 plea agreement with federal prosecutors on market manipulation and bribery (FCPA) charges, the CEO and CCO had to submit a document certifying that the company has met its compliance obligations under penalty of perjury and criminal obstruction. Certifications will clearly become more prevalent in large-scale fraud schemes.
The Impact of the “Monaco Memo”
On Sept. 15, 2022, Deputy Attorney General Lisa Monaco released a 15-page memo covering a wide range of areas, including:
- Cooperation credit and timely disclosure;
- Clarifying the benefits of voluntary disclosure;
- Clarifying how to earn maximum cooperation credit;
- The consequences of delayed notification to the DOJ;
- Guidance when prior misconduct exists;
- Dealing with global documents;
- Guidelines for the corporate monitoring process; and
- Scrutiny of executive compensation when assessing compliance programs.
Rauscher said the final point—enhanced scrutiny of executive compensation packages—bears particular attention. She said the DOJ will be looking closely at how companies reward compliant conduct and penalize misconduct.
Compensation always has been a factor when evaluating corporate compliance programs, she said, but now is a point of greater emphasis. This enhanced scrutiny requires companies to build compensation packages that reward compliance and penalize non-compliance.
The initial question company leaders should ask is, “Is compliance performance part of the company’s performance-appraisal system (for salary, promotion, stock awards, etc.)?”
Related questions for CCOs and in-house counsel include:
- Can you create metrics in performance plans/evaluations regarding adherence to regulations, policies and the law?
- Are there specific financial consequences in compensation policies for compliance failures for executive-level employees?
- Are there financial incentives rewarding compliance or reporting violations?
“You can offer a carrot-and-stick approach when making these programs,” Rauscher said.
She also said Monaco’s goal is to shift the financial burden of misconduct from the shareholders and place it on company personnel involved in the misconduct. Monaco also stated that further clarification of the announced policy priorities will be forthcoming.
How Data Will Reshape Compliance
In addition to setting expanding priorities for compliance, the DOJ also is adding new roles and hiring highly credentialed attorneys to bolster its compliance enforcement efforts.
One of these new team members is Matt Galvin, hired to fill the DOJ Fraud Division’s newly created Compliance and Data Analytics Counsel position. Galvin is the former Global VP of Ethics and Compliance for Anheuser-Busch InBev, where he received a great deal of attention for implementing a data-driven compliance program.
“Galvin believes that aggregated transaction data can help companies and regulators combat corruption,” Rauscher said.
She also said that advanced analytics applies not just to FCPA compliance, but also across an entire compliance department. This likely will involve reaching outside of compliance to collect data and bringing in experts to assist on the technical side.
“You need to embrace data. Figure out where you can get data and decide how you can use it,” Rauscher said. “The DOJ is going to expect this from bigger companies.”
“Higher expectations” is the overall trend from the DOJ. Companies now face a greater compliance burden, with added personal responsibilities and potential consequences for C-suite executives. Companies would be well advised to take proactive steps now to ensure compliance, rather than wait until the DOJ knocks on the door.
This article is part of Womble Bond Dickinson’s The Evolving Dance: The Changing Role of Company Counsel and Compliance Officers thought leadership series, which examines how leaders balance a myriad of strategic business and compliance mandates in an ever-evolving role.