Heightened Regulation of Corporate Compliance Programs
In his Employment Issues column, Philip Berkowitz writes: In the current regulatory environment, employers must anticipate that more, not less, government and regulatory authorities will impose increasingly scrupulous obligations to ensure the existence of rules and procedures safeguarding the rights of whistleblowers and assuring that employers promote lawful, ethical conduct, while screening for unlawful conduct.
July 10, 2019 at 12:30 PM
9 minute read
Philip M. Berkowitz
In the post-#MeToo era, employers' responses to internal complaints of wrongdoing are under increased scrutiny from every possible direction. This includes shareholders, consumers, the media, and, perhaps most important, government and regulatory authorities.
Seven short months ago, in January 2019, financial services employers woke up to learn of a new whistleblower program directive issued by the New York State Department of Financial Services (DFS). This set off an urgent scramble among New York-based banks, insurance companies, and other entities regulated by the DFS, to assure that their internal policies meet these new standards.
Not to be outdone, in April of this year, the U.S. Department of Justice Criminal Division issued an “updated” Evaluation of Corporate Compliance Programs Guidance. This document is for the benefit of prosecutors who are trying to determine the appropriate resolution, prosecution, monetary penalty, and compliance obligations contained in any corporate criminal resolution, such as a monitorship or reporting obligations. The document identifies 12 subcategories of consideration and areas of analysis for making this determination.
For legal, human resources, and compliance counsel and professionals pelted by this hailstorm of directives, this all may harken back to the mother of all these guidelines and regulations: the U.S. Organizational Sentencing Guidelines, issued in 1991 by the U.S. Sentencing Commission, an independent agency of the Judicial Branch.
The Organizational Sentencing Guidelines, many of you will know, are designed to help judges determine, when imposing sentence on an organization convicted of criminal conduct, whether it has in place “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
So, the courts, the DOJ, and regulatory bodies provide guidance on developing corporate compliance, whistleblower reporting, and internal investigation programs, to no fewer than three audiences: to the organization itself, to prosecutors who may make recommendations in determining an appropriate recommended sentence, and to sentencing judges.
There is, as to be expected, no small overlap in these three guidances, but the more recent directives put particular emphasis on whistleblower anonymity, a consideration that has taken on new importance in the #MeToo era. We review these here.
DOJ Guidance: Three Key Questions
The DOJ's April 2019 Guidance emphasizes that there are nevertheless three main questions for prosecutors to consider during a criminal investigation: (1) Was there a well-designed compliance program; (2) was the compliance program effectively implemented; and (3) did the compliance program work as intended.
In determining whether the program is well-designed, prosecutors are directed to consider whether the company has undertaken an accurate and thorough risk assessment. They are advised to consider whether corporations use appropriate methodology to identify and detect risks that are likely to occur in their particular industry or business, and to look for appropriate resource allocation based on the levels of risk and whether the risks were periodically reviewed and updated.
Prosecutors also assess whether policies, training and communication are sufficiently robust to encourage a culture of compliance and responsibility. The company's reporting process should emphasize disclosure of suspected misconduct and dissuade any fear of retaliation. There is also an emphasis on confidential reporting options. Qualified intake personnel must be in place to assess which complaints merit action, and to assure that any further steps are properly “scoped” to determine whether to carry out a larger investigation.
Third parties—agents, consultants, distributors and the like—may add to risk, and thus must be included in a thorough risk assessment to understand where added dangers may lurk. Similarly, during a merger or acquisition process, corporations must undertake due diligence to uncover any corruption or misconduct within the target company.
Effective implementation of the compliance program is also key for satisfaction of the DOJ guidance. Prosecutors are instructed to investigate whether a compliance program is a “paper program” only or whether it is appropriately implemented and staffed. Upper and middle management should set the appropriate tone. Prosecutors will review communications, training, reinforcement and oversight (by individuals with appropriate expertise) of compliance policies to see whether leadership has encouraged appropriate compliance with their words and actions.
The compliance program must also have appropriate staff, seniority, autonomy, and funding, and the company must provide evidence that incentives and disciplinary methods are consistently applied in order to drive reporting and dissuade wrongdoing.
Finally, the DOJ examines the practicality of the compliance program to ensure that it functions as intended. Misconduct alone does not prove that corporate compliance measures were insufficient. Prosecutors will look for continuous testing, improvement, and review of the program. They will examine the analysis, remediation and mitigation of any discovered misconduct, such as carrying out internal audits and updates or enhancements to the program, as well as recognition of the seriousness of any misconduct, an acceptance of responsibility, and the implementation of changes that should reduce the risk of another failure.
It is worth emphasizing, in summary, that the DOJ Guidance emphasizes three areas of particular weight and focus: (1) the importance of an anonymous reporting process and well-designed investigation process; (2) effective oversight and management of third parties; and (3) comprehensive vetting of an acquisition target.
DFS Guidance
The DFS's “ten pillars,” again, overlap to some degree with the DOJ Guidance. They, too, emphasize the need to have in place reporting channels that are independent, well-publicized, easy to access, and consistent. In the #MeToo era, they emphasize the need to provide strong protections for a whistleblower's anonymity.
The Guidance requires that the employer have in place established procedures for identifying and managing potential conflicts of interest, and that staff members are adequately trained to receive whistleblowing complaints, determine a course of action, and competently manager any investigation, referral, or escalation.
Further, the Guidance demands that employers establish procedures for investigating allegations of wrongdoing, ensuring appropriate follow-up to valid complaints, protecting whistleblowers from retaliation, and providing confidential treatment of these complaints.
The DFS Guidance recommends, as well, that regulated employers give appropriate oversight of the whistleblowing function to senior management, internal and external auditors, and the Board of Directors. Perhaps most important, the Guidance demands that the employer have in place a top-down culture of support for the whistleblowing function.
Organizational Sentencing Guidelines
The Guidelines provide in sentencing an organization convicted of criminal conduct, a court must consider whether it has in place an effective compliance and ethics program. See USSG Ch.8. The organization must exercise due diligence to prevent and detect criminal conduct, and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. Id. §8B2.1.
Minimally, the program must include procedures that are consistent with the following:
(1) The organization must establish standards and procedures to prevent and detect criminal conduct.
(2) The organization's governing authority (such as its Board of Directors) must be knowledgeable about the content and operation of the compliance and ethics program and exercise reasonable oversight with respect to its implementation and effectiveness. High-level personnel must ensure that the organization has an effective compliance and ethics program. Specific individual(s) within high-level personnel must be assigned overall responsibility for it.
Specific individual(s) must also be delegated day-to-day operational responsibility for the program. They must report periodically to high-level personnel and, as appropriate, to the governing authority, on the effectiveness of the program. They must have adequate resources, authority, and direct access to the governing authority or an appropriate subgroup.
(3) The organization must use reasonable efforts not to include in this process any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective program.
(4) The organization must conduct effective training programs and otherwise disseminate information appropriate to such individuals' respective roles and responsibilities.
(5) The organization must take reasonable steps to ensure that the compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; to evaluate periodically the effectiveness of the organization's compliance and ethics program; and to have and publicize a system whereby the organization's employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
(6) The program must be promoted and enforced consistently through appropriate incentives to perform in accordance with the program; and appropriate disciplinary measures for criminal conduct and failing to take reasonable steps to prevent or detect criminal conduct.
(7) After criminal conduct has been detected, the organization respond appropriately to the conduct and to prevent further similar conduct, including making necessary modifications to the organization's compliance and ethics program. In doing so, the organization must periodically assess the risk of criminal conduct and design, implement, or modify each requirement, in order to reduce the risk of such conduct.
Conclusion
In the current regulatory environment, employers must anticipate that more, not less, government and regulatory authorities will impose increasingly scrupulous obligations to ensure the existence of rules and procedures safeguarding the rights of whistleblowers and assuring that employers promote lawful, ethical conduct, while screening for unlawful conduct.
Policies must not only echo these guidelines—they must include practical and pragmatic procedures that reflect a fully compliant workplace culture, and hence help shield the employer from potential liability.
Philip M. Berkowitz is a shareholder of Littler Mendelson and co-chair of the firm's U.S. international employment law and financial services practices.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Skadden and Steptoe, Defending Amex GBT, Blasts Biden DOJ's Antitrust Lawsuit Over Merger Proposal
4 minute read
Read the Document: DOJ Releases Ex-Special Counsel's Report Explaining Trump Prosecutions
3 minute read
After Solving Problems for Presidents, Ron Klain Now Applying Legal Prowess to Helping Airbnb Overturn NYC Ban
7 minute readTrending Stories
- 1South Florida Attorney Charged With Aggravated Battery After Incident in Prime Rib Line
- 2'A Death Sentence for TikTok'?: Litigators and Experts Weigh Impact of Potential Ban on Creators and Data Privacy
- 3Bribery Case Against Former Lt. Gov. Brian Benjamin Is Dropped
- 4‘Extremely Disturbing’: AI Firms Face Class Action by ‘Taskers’ Exposed to Traumatic Content
- 5State Appeals Court Revives BraunHagey Lawsuit Alleging $4.2M Unlawful Wire to China
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
