Heightened Regulation of Corporate Compliance Programs
In his Employment Issues column, Philip Berkowitz writes: In the current regulatory environment, employers must anticipate that more, not less, government and regulatory authorities will impose increasingly scrupulous obligations to ensure the existence of rules and procedures safeguarding the rights of whistleblowers and assuring that employers promote lawful, ethical conduct, while screening for unlawful conduct.
July 10, 2019 at 12:30 PM
In the post-#MeToo era, employers' responses to internal complaints of wrongdoing are under increased scrutiny from every possible direction. This includes shareholders, consumers, the media, and, perhaps most important, government and regulatory authorities.
Seven short months ago, in January 2019, financial services employers woke up to learn of a new whistleblower program directive issued by the New York State Department of Financial Services (DFS). This set off an urgent scramble among New York-based banks, insurance companies, and other entities regulated by the DFS, to assure that their internal policies meet these new standards.
Not to be outdone, in April of this year, the U.S. Department of Justice Criminal Division issued an “updated” Evaluation of Corporate Compliance Programs Guidance. This document is for the benefit of prosecutors who are trying to determine the appropriate resolution, prosecution, monetary penalty, and compliance obligations contained in any corporate criminal resolution, such as a monitorship or reporting obligations. The document identifies 12 subcategories of consideration and areas of analysis for making this determination.
For legal, human resources, and compliance counsel and professionals pelted by this hailstorm of directives, this all may harken back to the mother of all these guidelines and regulations: the U.S. Organizational Sentencing Guidelines, issued in 1991 by the U.S. Sentencing Commission, an independent agency of the Judicial Branch.
The Organizational Sentencing Guidelines, many of you will know, are designed to help judges determine, when imposing sentence on an organization convicted of criminal conduct, whether it has in place “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
So, the courts, the DOJ, and regulatory bodies provide guidance on developing corporate compliance, whistleblower reporting, and internal investigation programs, to no fewer than three audiences: to the organization itself, to prosecutors who may make recommendations in determining an appropriate recommended sentence, and to sentencing judges.
There is, as to be expected, no small overlap in these three guidances, but the more recent directives put particular emphasis on whistleblower anonymity, a consideration that has taken on new importance in the #MeToo era. We review these here.
DOJ Guidance: Three Key Questions
The DOJ's April 2019 Guidance emphasizes that there are nevertheless three main questions for prosecutors to consider during a criminal investigation: (1) Was there a well-designed compliance program; (2) was the compliance program effectively implemented; and (3) did the compliance program work as intended.
In determining whether the program is well-designed, prosecutors are directed to consider whether the company has undertaken an accurate and thorough risk assessment. They are advised to consider whether corporations use appropriate methodology to identify and detect risks that are likely to occur in their particular industry or business, and to look for appropriate resource allocation based on the levels of risk and whether the risks were periodically reviewed and updated.
Prosecutors also assess whether policies, training and communication are sufficiently robust to encourage a culture of compliance and responsibility. The company's reporting process should emphasize disclosure of suspected misconduct and dissuade any fear of retaliation. There is also an emphasis on confidential reporting options. Qualified intake personnel must be in place to assess which complaints merit action, and to assure that any further steps are properly “scoped” to determine whether to carry out a larger investigation.
Third parties—agents, consultants, distributors and the like—may add to risk, and thus must be included in a thorough risk assessment to understand where added dangers may lurk. Similarly, during a merger or acquisition process, corporations must undertake due diligence to uncover any corruption or misconduct within the target company.
Effective implementation of the compliance program is also key for satisfaction of the DOJ guidance. Prosecutors are instructed to investigate whether a compliance program is a “paper program” only or whether it is appropriately implemented and staffed. Upper and middle management should set the appropriate tone. Prosecutors will review communications, training, reinforcement and oversight (by individuals with appropriate expertise) of compliance policies to see whether leadership has encouraged appropriate compliance with their words and actions.
The compliance program must also have appropriate staff, seniority, autonomy, and funding, and the company must provide evidence that incentives and disciplinary methods are consistently applied in order to drive reporting and dissuade wrongdoing.
Finally, the DOJ examines the practicality of the compliance program to ensure that it functions as intended. Misconduct alone does not prove that corporate compliance measures were insufficient. Prosecutors will look for continuous testing, improvement, and review of the program. They will examine the analysis, remediation and mitigation of any discovered misconduct, such as carrying out internal audits and updates or enhancements to the program, as well as recognition of the seriousness of any misconduct, an acceptance of responsibility, and the implementation of changes that should reduce the risk of another failure.
In summary, the DOJ Guidance gives particular weight and focus to three areas: (1) the importance of an anonymous reporting process and well-designed investigation process; (2) effective oversight and management of third parties; and (3) comprehensive vetting of an acquisition target.
DFS Guidance
The DFS's “ten pillars,” again, overlap to some degree with the DOJ Guidance. They, too, emphasize the need to have in place reporting channels that are independent, well-publicized, easy to access, and consistent. In the #MeToo era, they emphasize the need to provide strong protections for a whistleblower's anonymity.
The Guidance requires that the employer have in place established procedures for identifying and managing potential conflicts of interest, and that staff members are adequately trained to receive whistleblowing complaints, determine a course of action, and competently manage any investigation, referral, or escalation.
Further, the Guidance demands that employers establish procedures for investigating allegations of wrongdoing, ensuring appropriate follow-up to valid complaints, protecting whistleblowers from retaliation, and providing confidential treatment of these complaints.
The DFS Guidance recommends, as well, that regulated employers give appropriate oversight of the whistleblowing function to senior management, internal and external auditors, and the Board of Directors. Perhaps most important, the Guidance demands that the employer have in place a top-down culture of support for the whistleblowing function.
Organizational Sentencing Guidelines
The Guidelines provide that, in sentencing an organization convicted of criminal conduct, a court must consider whether it has in place an effective compliance and ethics program. See USSG Ch.8. The organization must exercise due diligence to prevent and detect criminal conduct, and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. Id. §8B2.1.
Minimally, the program must include procedures that are consistent with the following:
(1) The organization must establish standards and procedures to prevent and detect criminal conduct.
(2) The organization's governing authority (such as its Board of Directors) must be knowledgeable about the content and operation of the compliance and ethics program and exercise reasonable oversight with respect to its implementation and effectiveness. High-level personnel must ensure that the organization has an effective compliance and ethics program. Specific individual(s) within high-level personnel must be assigned overall responsibility for it.
Specific individual(s) must also be delegated day-to-day operational responsibility for the program. They must report periodically to high-level personnel and, as appropriate, to the governing authority, on the effectiveness of the program. They must have adequate resources, authority, and direct access to the governing authority or an appropriate subgroup.
(3) The organization must use reasonable efforts not to include in this process any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective program.
(4) The organization must conduct effective training programs and otherwise disseminate information appropriate to such individuals' respective roles and responsibilities.
(5) The organization must take reasonable steps to ensure that the compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; to evaluate periodically the effectiveness of the organization's compliance and ethics program; and to have and publicize a system whereby the organization's employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
(6) The program must be promoted and enforced consistently through appropriate incentives to perform in accordance with the program; and appropriate disciplinary measures for criminal conduct and failing to take reasonable steps to prevent or detect criminal conduct.
(7) After criminal conduct has been detected, the organization must respond appropriately to the conduct and act to prevent further similar conduct, including making necessary modifications to the organization's compliance and ethics program. In doing so, the organization must periodically assess the risk of criminal conduct and design, implement, or modify each requirement, in order to reduce the risk of such conduct.
Conclusion
In the current regulatory environment, employers must anticipate that more, not less, government and regulatory authorities will impose increasingly scrupulous obligations to ensure the existence of rules and procedures safeguarding the rights of whistleblowers and assuring that employers promote lawful, ethical conduct, while screening for unlawful conduct.
Policies must not only echo these guidelines—they must include practical and pragmatic procedures that reflect a fully compliant workplace culture, and hence help shield the employer from potential liability.
Philip M. Berkowitz is a shareholder of Littler Mendelson and co-chair of the firm's U.S. international employment law and financial services practices.