On April 29, 2010 the US Sentencing Commission (the Commission) submitted to Congress important amendments to the US Sentencing Guidelines regarding the sentencing of organizations. These amendments, which become effective November 1, 2010 in the absence of action by Congress, stand to make important changes to the guidelines in two areas: (1) eliminating the absolute bar to credit — practically speaking, lesser penalties — for having an effective compliance and ethics program in place when high level personnel are involved in the wrongdoing and thus expanding the circumstances in which compliance credit is available; and (2) outlining the necessary remediation efforts required by an organization to receive credit for the compliance program when potential unlawful conduct is discovered. The Commission also declined to approve proposed amendments regarding the role of corporate compliance monitors and document retention policies in compliance programs.

In sum, the amendments provide a timely reminder of the importance of a well-crafted and thoughtful compliance program and once again highlight the important role compliance programs play in organizational risk management.

The Amendments Approved by the Sentencing Commission

It is no secret that the Department of Justice (DOJ), the Securities and Exchange Commission (SEC), and the federal sentencing guidelines make corporate compliance programs — including detection and disclosure of potential wrongdoing — key to reducing an organization’s liability or avoiding prosecution altogether. The US Attorney’s Manual, for example, lists "the existence and effectiveness of the corporation’s pre-existing compliance program," and "the corporation’s remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one," among the factors relevant to whether an organization should be charged.1 Likewise, it explains that "[t]he Department encourages … corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own." Similarly, the Sentencing Guidelines offer a three-point reduction in an organization’s culpability score for maintaining an "effective compliance and ethics program," and recommend that a company be required to develop such a program as a condition of probation.2 The Guidelines, though no longer binding on courts, provide the framework for the imposition of criminal punishment — and, as a practical matter, often guide the government and parties in discussions about resolving criminal investigations.

The Guidelines currently state that "to have an effective compliance and ethics program … an organization shall: (1) exercise due diligence to prevent and detect criminal conduct; and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law." To meet this standard, the Guidelines "minimally require" a compliance program to have seven features:3

  1. Established standards and procedures to prevent and detect criminal conduct;
  2. Active oversight of the content and operation of the program by the organization’s Board;
  3. Reasonable efforts to exclude from positions of substantial authority any individuals that it knew or should have known engaged in conduct inconsistent with an effective compliance and ethics program;
  4. Reasonable steps to periodically educate an organization’s members on the compliance program’s standards and procedures;
  5. Reasonable steps to ensure that the program is followed, including monitoring and auditing to detect criminal conduct, periodic evaluations, and a system for employees to anonymously seek guidance regarding potential criminal conduct;
  6. The program is promoted and enforced consistently through appropriate incentives to comply, and through appropriate disciplinary measures for failing to do so; and
  7. Reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct.

These guidelines have provided the foundation for many corporate compliance and ethics programs.

The amendments approved by the Commission address the "commentary" to the guidelines, which provides explanations from the Commission on how the guidelines should be interpreted. The two amendments stand to expand the availability of credit for an effective compliance program and also outline the steps required of an organization once wrongdoing is detected.

Expanded Availability of Credit for an Effective Compliance and Ethics Program

The most significant change in the new amendments is the elimination of the automatic bar to compliance credit when "high level personnel" are involved in wrongdoing. Under the current guideline, a company is automatically disqualified from receiving any credit — even if it has an effective compliance program in place — if "high-level personnel" were involved in the criminal activity.4 The phrase "high-level personnel" has been understood to be quite broad, and inclusive of even those employees not at the most senior levels. Accordingly, compliance credit has been unavailable in nearly all cases, even when liability results from the actions of individuals lower in the organizational hierarchy.5 The disqualification provision, therefore, can lead to inequitable results. Under the current guideline, for example, a company with a widespread lower-level fraud could be eligible for compliance credit while a company with a single rogue executive would not — regardless of the quality of its compliance program.

The provision approved by the Commission now allows compliance credit if four conditions are met:

  1. "the individual or individuals with operational responsibility for the compliance and ethics program (see §8B2.1(b)(2)(C)) have direct reporting obligations to the governing authority or an appropriate subgroup thereof (e.g., an audit committee of the board of directors);
  2. the compliance and ethics program detected the offense before its discovery outside the organization or before such discovery was reasonably likely;
  3. the organization promptly reports the offense to the proper governmental authorities; and
  4. no person with operational responsibility for the compliance and ethics program participated in, condoned, or was willfully ignorant of the offense."

This amendment, although certainly expanding the availability of compliance credit, also imposes additional obligations on companies both in terms of the structure of the program and also the requirements once wrongdoing is detected.

First, in order to receive credit, an organization’s compliance program must be structured such that the person with "operational responsibility" for the program has "direct reporting obligations" to the Board or an appropriate subgroup of the Board. The Commission explained in an application note that under this provision, an individual has "direct reporting obligations to the governing authority" if: "[T]he individual has express authority to communicate personally to the governing authority or appropriate subgroup thereof (A) promptly on any matter involving criminal conduct or potential criminal conduct, and (B) no less than annually on the implementation and effectiveness of the compliance and ethics program." The Commission’s emphasis on unfettered personal access to the Board underscores the value it sees in keeping compliance officers independent from company management. Likewise, its use of "express authority" underscores the Commission’s view that the compliance officer’s right of access should be formalized in company policy.

Second, to receive credit, the organization’s compliance program must have detected the wrongdoing before outsiders discover it or before they were reasonably likely to do so. The Commission’s view is that a compliance program is not effective if it does not detect wrongdoing internally in a timely manner.

Third, to receive credit, the organization must "promptly" self-report the offense to the government. This is a significant provision worthy of attention. Whether to self-report potential wrongdoing to the government is a serious decision requiring a delicate assessment of all the facts and circumstances. Although the DOJ, as well as the SEC, have taken into account whether a company self-reports wrongdoing in charging decisions and monetary penalties, self-reporting may not always be in the best interests of the company. That said, should a company decide not to self-report — and the government discover the wrongdoing — this amendment will prohibit the company from receiving the formal compliance credit under the guidelines, no matter how cooperative the company is once a governmental investigation begins.

The fourth requirement is the one that modifies the absolute bar when high-level personnel are involved in wrongdoing. The amendment now prohibits credit only when the person in charge of the compliance program participated in, condoned or was willfully ignorant of the wrongdoing. Thus, the focus of the bar is no longer on "high-level personnel" generally, but rather on the specific person with "operational responsibility" for the company’s compliance and ethics program.

Clarification on the Remedial Steps Necessary for Compliance Credit

The other notable change approved in the amendments is new guidance on what remediation steps — the seventh requirement of an effective compliance program — are required to receive compliance credit once wrongdoing is identified. The amendment sets up two phases of remediation required in order to receive credit. First, a company must make reasonable efforts to remedy the harm that has taken place and, second, the company must revise its compliance program to prevent similar criminal conduct in the future.

To remedy the harm, the amendment states that a company should take "reasonable steps, as warranted under the circumstances, to remedy the harm resulting from the criminal conduct." According to the Commission, this "may include, where appropriate, providing restitution to identifiable victims, as well as other forms of remediation."6 The Commission adopted this permissive language in response to concerns raised in the written comments that restitution may not always be appropriate even when there are identifiable victims — such as when restitution might operate as an admission in a parallel proceeding. This change reinforces that companies retain the discretion to tailor their remediation efforts to the facts of their case. Restitution is one of the available options the guidelines recognize, but a company may decline to make restitution if it has a good reason not to — for example, if doing so would operate as an admission in a parallel proceeding — without jeopardizing its eligibility for compliance credit. The amendment further notes that "[o]ther appropriate [remediation] responses may include self-reporting, cooperation with authorities, and other forms of remediation."7

Also notable is language the Commission declined to adopt. The proposed amendment had also addressed the role of independent compliance monitors and the requirements of a document retention policy in corporate compliance programs. With respect to compliance monitors, the proposed amendments stated that "[t]he organization may take the additional step of retaining an independent monitor to ensure adequate assessment and implementation of the modifications." Following comments on the proposed amendments from interested parties, the Commission declined to adopt this language. Instead, it approved commentary stating that the remediation "steps taken … may include the use of an outside professional advisor to ensure adequate assessment and implementation of any modifications." The change in terminology indicates that the amendment endorses the use of risk management and compliance consultants during a company’s remediation-phase assessment, not the often costly and intrusive third-party "corporate monitors" that are sometimes appointed to oversee consent decrees and deferred prosecution agreements.

The Commission also declined to adopt language regarding a company’s document retention policy. The proposed amendments had stated: "Both high-level personnel and substantial authority personnel should be aware of the organization’s document retention policies," and should "conform any such policy to meet the goals of an effective compliance program under the guidelines and to reduce the risk of liability under the law."8 The proposed amendment also stated that "all employees should be aware of the organization’s document retention policies and conform any such policy to meet the goals of an effective compliance program under the guidelines and to reduce the risk of liability under the law." Largely in light of concerns that highlighting this aspect of a compliance policy would give it undue prominence in sentencing decisions and could cause companies to narrow their compliance focus at the expense of other compliance efforts, the Commission declined to adopt this amendment.

Practice Tips to Prepare for Changes in Compliance and Ethics Program Expectations

There is no one-size-fits-all compliance program and companies need to understand their culture, needs and risks before adopting and implementing a plan. Nevertheless, in light of the amendments to the guidelines, there are a number of practical steps a company can consider should it decide to structure its compliance program consistent with guidelines expectations:

  • Consider modifications to your organizational structure. A system where the Chief Compliance Officer reports to the GC rather than the Board or a Committee of the Board may be considered an ineffective structure under the new guidelines commentary. Make certain that the person with day-to-day operational compliance authority has a direct reporting relationship with the Board or an appropriate subcommittee thereof.
  • Clearly define Board role. Identify someone on the Board as the responsible Board member for compliance issues and have standing meetings with management’s designated compliance authority. Often, this will be the Audit Committee Chair and the Chief Compliance Officer.
  • Develop and maintain a continuous controls monitoring system. It is not enough to have a Code, Policies and a Hot Line; they should be tested regularly for effectiveness and modified if and when appropriate. For example, send test cases through the system and document any problems and fixes.
  • Investigate red flags. Do not fall into a trap of willful ignorance. If a potential problem is brought to the attention of responsible persons in the compliance organization, it must be investigated.
  • Take meaningful remedial action, including a thoughtful assessment of whether to self-report to the government. Once criminal conduct is identified, take steps to understand how it occurred and put in place measures to detect or prevent reoccurrence. At this point, companies may face the difficult question of whether to self-report the potential violation to governmental authorities. The guidelines make clear that to receive credit, self-reporting is required before the government discovers the wrongdoing. But notwithstanding this new guidelines amendment, companies should not reflexively contact the government without a careful and delicate assessment of the particular facts and circumstances at issue.
  • Consider using outside advisors. After criminal conduct is discovered, the company’s use of an outside professional advisor to evaluate the compliance system and ensure adequate assessment and implementation of any needed modifications may be rewarded. The advisors may be attorneys, auditors and accountants, risk management, compliance or other consultants. They need not be traditional "monitors," but external validation and/or advice can be beneficial.

Conclusion: The Importance of an Effective Compliance and Ethics Program

The new amendments to the guidelines, assuming they are approved by Congress, expand and clarify the role of compliance and ethics programs in organizational sentencing and once again highlight the important role compliance programs play in organizational risk management. Every company should have a formal compliance and ethics policy in place and should periodically review and update its policy in response to new guidance and emerging risks.

The amendments to the sentencing guidelines provide a timely opportunity for companies to assess their policies and consider whether changes are necessary in light of the new guidance from the Commission. Companies that regularly assess their risks, maintain comprehensive compliance programs and respond proactively when potential violations are discovered will find themselves in a stronger position to prevent violations before they occur, respond effectively when problems are found and ultimately to minimize their exposure to liability from the conduct at issue.