"I'm shocked, shocked to find that gambling is going on here," is the famous line by Casablanca's Captain Renault that might best describe the way senior management feels when corporate misconduct is discovered at their company. Because criminal liability may attach to an organization whenever an employee commits an act within the apparent scope of his or her employment, many companies are exposed to huge amounts of liability for the acts of but one, potentially rogue employee. But prosecutors and regulators, both in the United States and abroad, have been increasingly making it clear that being "shocked" to learn of corporate misconduct by a rogue employee is no defense. What will assist the company's defense is a thoughtful, comprehensive, and effective compliance program. If an organization's program is well thought out and designed to handle real-life business risks, it can induce prosecutors and other regulators to reduce the applicable fine, often significantly, and sometimes even to decline to bring charges in the first place.

Most notable and instructive is the DOJ's recent compliance guidance, released in April 2019, giving prosecutors a framework for evaluating the effectiveness of corporate compliance programs. This also gives companies instruction on how to proactively organize their compliance programs within the framework of what the DOJ expects. In the wake of increased guidance from regulators, companies should expect much less sympathy when they fail to implement programs and policies according to that guidance.


Benefits of Compliance

No compliance program can account for every possible risk. Even comprehensive and generally effective programs may fail—and often do when employees intentionally evade controls. See, e.g., Speech, Deputy Attorney General Rod J. Rosenstein Delivers Keynote Address on FCPA Enforcement Developments, Dep't of Justice (March 7, 2019). Unfortunately, even when an employee acts contrary to the established ethics and compliance program, the company may still be on the hook for criminal liability. At both the charging and sentencing stages, the perceived effectiveness of the company's compliance program will unquestionably influence the DOJ's determinations and has in the past proven to drastically alter the company's outcome.

The U.S. Sentencing Guidelines grant the court the authority to reduce the sentence based on the existence of an effective compliance program (U.S.S.G. §8C2.5). This may both reduce the potential fine range a charged company faces and lessen other possible penalties imposed by the court, including the appointment of a monitor or similar overseer.

Even better, the presence of an effective compliance program may affect the prosecutor's decision to bring a charge or charges in the first place. The factors in the U.S. Attorney's manual to be considered when determining whether to bring criminal charges include "the existence and effectiveness of the corporation's pre-existing compliance program" and the corporation's remedial efforts "to implement an effective corporate compliance program or to improve an existing one." Principles of Federal Prosecution of Business Organizations 9-28.300, Department of Justice. Prosecutors face many alternatives to bringing criminal charges, including choosing to only prosecute the offending employees or pursuing civil or regulatory alternatives. In addition to reductions for the compliance program itself, having an effective compliance program also allows companies to flag misconduct early on and obtain reductions for self-reporting and cooperation.

Companies that do not take care to implement effective programs expose themselves to headline-making fines and reputational damage. For example, after its widely reported "fake accounts" scandal, Wells Fargo was fined $3 billion to settle criminal and civil charges, and in early 2020, committed to make "fundamental changes to our business model, compensation programs, leadership and governance." Brian Monroe, Wells Fargo to Pay $3 Billion to DOJ, SEC to Resolve Criminal, Civil Charges Tied to 'Fake Accounts' Scandal, Assoc. of Certified Financial Crime Specialists (Feb. 21, 2020).


Recent Focus on Compliance

The past few years have seen regulators focus on compliance, both in the United States and abroad. Different divisions of the DOJ, the Office of Foreign Assets Control (OFAC), and the United Kingdom's Serious Fraud Office (SFO) have all issued guidance on what they expect from corporate compliance programs. May 2, 2019, OFAC Framework for Compliance Commitments; Jan. 17, 2020, UK SFO Compliance Guidance. Companies must tailor their ethics and compliance programs to respond adequately to the array of guidance issued by these different regulators.

Most notably, the Criminal Division issued guidance in April 2019, creating a robust framework, including checklists in different categories on what companies should be sure to address. See April 30, 2019, Department of Justice Criminal Division Evaluation of Corporate Compliance Programs. On the same day this guidance was released, the DOJ conducted first-of-its-kind compliance training on evaluating a program's operational functionality. Additionally, Deputy Assistant Attorney General Matthew S. Miner referred to compliance programs as a "super factor" in charging decisions. U.S. Dep't of Justice, Deputy Assistant Attorney General Matthew S. Miner Remarks at the American Conference Institute 9th Global Forum on Anti-Corruption Compliance in High Risk Markets, July 25, 2018.

Also in 2019, the Antitrust Division updated its manual to address the evaluation of compliance programs at the charging and sentencing stages, which was not previously considered. Likewise, OFAC recently released a framework for compliance commitments.

Companies that have operations abroad must also be aware of what is expected by other countries' regulators—among these, the United Kingdom's SFO, which in 2020 released guidance similar to the Criminal Division's April guidance. Operations abroad may also lead to Foreign Corrupt Practices Act (FCPA) concerns, and companies' policies should be sure to address those risks. March 8, 2019, Foreign Corrupt Practices Act Revised Corporate Enforcement Policy; July 11, 2019.

While companies must still comply with other federal regulations, such as the Sarbanes-Oxley Act, as well as state regulations, the focus on compliance from a myriad of regulators should signal to companies the importance of establishing compliance programs in line with current guidance.


Companies Not Doing Enough

Compliance programs have many opportunities to fail. Programs must comply with a wide array of state, federal, and global regulatory regimes. Strong compliance programs take work, and to the detriment of the company, many suffer from underfunding, poor structure, and a lack of meaningful risk assessment and review. Hui Chen & Eugene Soltes, Why Compliance Programs Fail—and How to Fix Them, Harv. Bus. Rev., 2018. According to Deloitte and Compliance Week, only 70% of firms attempt to measure the effectiveness of their compliance programs. Id.


Integrating Recent Guidance Into a Company's Compliance Program

The Sentencing Guidelines provide a baseline for what a company should include in its compliance program. Companies must at a minimum:

  • Establish written procedures;
  • Ensure that the company's governing authority understands the content and exercises reasonable oversight;
  • Take reasonable steps to identify and remove employees the company knows or should have known have a history of engaging in misconduct;
  • Communicate periodically with officers and employees;
  • Take reasonable steps to ensure the program is being followed and have a confidential system where employees can report or seek guidance without a fear of retaliation.

The DOJ April 2019 Guidance provides a more comprehensive framework, asking companies to look at three main questions:

(1) Is the program well designed?

(2) Is the program being implemented in good faith?

(3) Does the corporation's compliance program work in practice?

The main areas on which companies should focus include meaningful risk assessment, evaluating "lessons learned", creating a "culture of compliance", providing effective training, due diligence on third-party relationships and targets of mergers or acquisitions, and meaningful review and evaluation of what is and is not working.


Conclusion

Even the most effective compliance programs cannot account for and prevent every possible instance of misconduct, but given the recent comprehensive guidance, prosecutors will not likely be sympathetic to companies that fail to proactively enforce the procedures and policies in place. Companies must also avoid a "set it and forget it" mentality when it comes to compliance. Rather, the company should reevaluate its risk profile at regular intervals and redesign and retrain the employees as the conditions dictate. Properly designed, robust business growth and corporate profitability do not have to be at odds with solid ethics and compliance—in fact, to once again quote Casablanca, it can be "the beginning of a beautiful friendship."

John J. Carney is a partner and co-leader of BakerHostetler's national white-collar, investigations and securities enforcement and litigation team. William B. Waldie is managing director with Alvarez & Marsal's disputes and investigations practice. Kayley Sullivan is an associate with BakerHostetler.
