The fundamental components of effective corporate compliance programs have not changed significantly in recent years.1 However, United States enforcement authorities are trying to reinvigorate companies’ attention to those programs.
U.S. Department of Justice leaders expressed particular concern this year about whether companies have appropriately integrated their compliance departments. In March 2022, the assistant attorney general for the U.S. Department of Justice’s Criminal Division — a former corporate chief compliance officer — described his perception of compliance professionals’ environments: “I know the resource challenges. The challenges you have accessing data. The relationship challenges. The silo-ing of your function.” He warned companies: “Support your compliance team now or pay later.”2
The United States deputy attorney general repeated these concerns in September 2022, explaining that “resourcing a compliance department is not enough; it must also be backed by, and integrated into, a corporate culture that rejects wrongdoing for the sake of profit.”3 The remarks accompanied her release of a memorandum that federal prosecutors must follow when evaluating the strength of a company’s compliance program in determining how to resolve an investigation.4 The memorandum challenges companies to ensure that compliance programs have the highest levels of company attention, are resourced appropriately and do not operate in silos.5
The emphasis on compliance program integration warrants close attention in 2023. Summarized below are four actions companies should consider to help ensure that their compliance programs are optimized and effectively positioned to respond to government review, along with the business functions that typically should participate. This is of course not an exhaustive list of aspects of compliance programs that warrant attention, but rather suggestions on elements that would likely benefit from a fresh look.
Action: Review compensation agreements and incentives with senior leadership, business team leaders, sales professionals, third-party agents and possibly others to ensure structures promote compliance and define consequences for misconduct.
Functions involved: compliance, legal, human resources, business team leaders, compensation committee
The U.S. deputy attorney general’s memorandum provides the Department of Justice’s first formal guidance on evaluating companies’ compensation plans and agreements in connection with resolutions of criminal investigations. The most significant plans and agreements for compliance purposes are likely to involve senior executives responsible for leading functions and the company’s tone at the top; sales team leaders and sales professionals including third-party agents whose compensation might be influenced by sales volume; and professionals who routinely communicate with government officials, including employees of state-owned enterprises.
The U.S. deputy attorney general recommends that when evaluating a company’s compliance program, prosecutors should consider whether the company’s compensation arrangement, plans and agreements provide for penalties — including in the form of clawback rights — that may be levied against current or former employees and directors whose actions or omissions contributed to criminal conduct. Notably, such clawback rights would exceed requirements in newly finalized clawback rules under the Dodd-Frank Wall Street Reform and Consumer Protection Act, which do not speak to criminal activity while mandating clawback policies for publicly traded companies in the event of financial restatements. Presumably, the presence and application of more traditional concepts of compensatory penalties in the event of termination of employment for “Cause,” where Cause is defined to include violations of criminal law, would be viewed favorably by prosecutors. Additional guidance from the U.S. Department of Justice’s Criminal Division on how to reward companies that implement and apply compensation clawback policies is expected to be forthcoming.
The U.S. deputy attorney general’s memorandum also encourages the promotion of ethical corporate culture by rewarding, via financial incentives, compliance within an organization. The examples provided include the use of compliance metrics and benchmarking in setting incentive targets as well as performance reviews that take into consideration compliance-promoting behavior.
Companies should assess their current compensation arrangements to understand what recourse, if any, they have against individuals’ past or future compensation in the event of criminal misconduct. Revisions or additions to existing arrangements may require employee consent and/or adjustments to compensation program design. Any revisions will need to consider the impact of, or limitations under, applicable local laws and regulations including applicable non-United States laws and regulations. In considering whether to make revisions to their compensation program, companies may find it effective to integrate the compliance department into the compensation design workstream. Finally, compensation committees tasked with designing and implementing senior executive compensation plans should consider whether and to what extent their programs may be well-served by creating additional incentives for compliant behavior.
Action: Assess legal and compliance’s abilities to quickly collect corporate documents, including emails and text messages, originating or maintained in locations where the company operates.
Functions involved: compliance, legal, information security, local office leadership, finance
Companies’ information systems and employees’ methods of communicating internally and externally are constantly evolving. In order to meet enforcement authorities’ expectations, companies must know in advance how best to access company communications and other data essential to a thorough investigation of any allegation of misconduct. Compliance departments should work with other functions to identify potential technological barriers to collection, including employees using their own devices and communications apps with end-to-end encryption.
Laws affecting a company’s ability to gather and transmit communications and other data essential to understanding whether misconduct occurred can vary widely across the locations where the company operates.6 Companies should know in advance how feasible it will be, both logistically and legally, to gather materials from their various offices quickly following an allegation of misconduct or a subpoena, including subpoenas from U.S. enforcement authorities. This might require approaches tailored to specific laws such as the European Union’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL), as well as the companies’ information systems.7
While companies can never ensure that they will have complete access to all written communications relevant to an investigation, they will be far better off after identifying possible gaps and establishing policies and procedures to minimize those gaps.
Action: Compile compliance success stories.
Functions involved: compliance, legal, human resources, internal audit
The U.S. deputy attorney general’s memorandum instructs that companies “should be prepared to produce a list and summary of all prior criminal resolutions within the last ten years and all civil or regulatory resolutions within the last five years,” as well as any known pending government investigations.8 For most companies, that information will be readily available and not extensive. Authorities are not limited, however, to considering only criminal, civil or regulatory resolutions or pending government investigations when addressing a new matter.
Companies undoubtedly will have successfully addressed compliance concerns in prior years that never resulted in a formal resolution or government investigation. Sharing those success stories with enforcement authorities during the course of an investigation could help a company demonstrate its commitment to compliance, provided that the matters did not rise to the level that authorities would have expected to be self-disclosed (or were in fact self-disclosed). Basic examples include decisions to terminate a vendor or to terminate a planned acquisition where the company could not get sufficient assurances that its compliance policies would be strictly followed. This list can be updated periodically and remain “on the shelf” until needed rather than compiled during an investigation.
Action: Revisit due diligence processes to ensure they include evaluating prospects for successfully integrating a new business into the existing compliance program.
Functions involved: compliance, legal, finance, business team leadership, information security
Fears of successor liability based on a target company’s dated misconduct can doom acquisitions. Regrettably, this can destroy an opportunity to integrate a company with compliance challenges into a company with a robust compliance program, undermining efforts to reduce global corruption. The U.S. deputy attorney general’s memorandum reinforces that federal prosecutors will continue to take a tough stance on historical misconduct that occurred at an acquired entity. It states that misconduct at an acquired company should merely receive “less weight” in prosecutors’ evaluation of a potential resolution of a current investigation of the acquiring company if the acquired company has been “integrated into an effective, well-designed compliance program,” the acquirer had “addressed the root cause” of the misconduct at the acquired company before the current investigation, and “full and timely remediation occurred within the acquired entity” before the investigation.9
Considering this high bar, companies must continue to assess not only whether an acquisition target engaged in unlawful activity, but also how effectively the target’s personnel will adapt to a new, robust compliance program. Obstacles to that integration could significantly reduce or eliminate the benefits of the acquisition. The compliance department plays an important role in identifying risks and defining expectations, but other functions in the acquiring company will likely be in a better position to evaluate the prospects for a successful integration into a compliance program.