Caldwell Lays it Out – DOJ Metrics for a Compliance Program

This article was republished with permission from Tom Fox’s FCPA Compliance and Ethics Blog.

Last week Assistant Attorney General Leslie R. Caldwell spoke at the SIFMA Compliance and Legal Society New York Regional Seminar. In this speech she discussed the new Department of Justice (DOJ) Compliance Counsel. While emphatically noting that this new position was not an explicit or even tacit recognition of a compliance defense, Caldwell did state that DOJ lawyers are prosecutors and not compliance professionals. She believed, therefore, that it would be helpful for the DOJ to have a resource to call upon to assist in the evaluation of whether companies in enforcement actions are actually doing compliance rather than simply having a paper program in place and then claiming they should be immune from DOJ enforcement.

Caldwell articulated two overall goals in using the Compliance Counsel. “First, the compliance counsel will help us assess a company’s program, as well as test the validity of its claims about its program, such as whether the compliance program truly is thoughtfully designed and sufficiently resourced to address the company’s compliance risks, or essentially window dressing. Second, she will help guide Fraud Section prosecutors when they are seeking remedial compliance measures as part of a resolution with a company, whether by prosecution or otherwise. We don’t want to impose unrealistic, unnecessary or unduly burdensome requirements on companies. At the same time, we want to make sure that appropriate compliance enhancements are included when they are needed.” Finally, Caldwell noted that the Compliance Counsel will “help us evaluate each compliance program on a case-by-case basis – just as the department always has – but with a more expert eye.”

One of the key points Caldwell touched upon was the metrics or factors the Compliance Counsel would utilize in its evaluation. The Compliance Counsel will assess the following factors:

• Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
• Do the people who are responsible for compliance have stature within the company? Do compliance teams get adequate funding and access to necessary resources? Of course, we won’t expect that a smaller company has the same compliance resources as a Fortune-50 company.
• Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?
• Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?
• Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances? This is especially important if a U.S.-based entity acquires or merges with another business, especially a foreign one.
• Are there mechanisms to enforce compliance policies? Those include both incentivizing good compliance and disciplining violations. Is discipline even handed? The department does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated, but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences. Such action sends the wrong message – to other employees, to the market and to the government – about the institution’s commitment to compliance.
• Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance? This means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.

Caldwell also provided guidance to those specifically in the financial services industry around Anti-Money Laundering (AML) compliance programs. She stated that in AML cases, DOJ prosecutors would inquire into the following areas:

• What does the institution’s “know your customer” policy look like? This seems basic, but an institution must ensure that its anti-money laundering, sanctions and other compliance policies and practices are tailored to identify and mitigate the risks posed by its unique portfolio of customers and that those customers are providing complete and accurate information.
• If a financial institution operates in the U.S. – whether it is a U.S.-based bank or a U.S. branch or component of a foreign bank – is it complying with U.S. laws? This may sound straightforward in principle, but we have seen that it is all too often not implemented in practice.

Finally, Caldwell articulated that senior management in financial institutions has a significant role in an AML compliance program. She said, “In our view, to effectuate these practices, financial institutions with a U.S. presence should give U.S. senior management a material role in implementing and maintaining a bank’s overall compliance framework.” DOJ prosecutors would make inquiries into the following areas, “Is the company or financial institution candid with regulators? When we investigate companies, we look closely at the information the companies provided to regulators about the violation. We look at whether the companies were forthcoming, or not.”

While these remarks about AML compliance programs were directed to financial institutions, they provide solid guidance to the compliance practitioner currently working on anti-corruption compliance as required by the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Further, when you tie together the final statement by Caldwell that “U.S. senior management [should have] a material role in implementing and maintaining a bank’s overall compliance framework” with the requirement that a company’s Board of Directors and its “senior managers provide strong, explicit and visible support for its corporate compliance policies,” it only emphasizes that both the Board and senior management have a significant role to play. Further, the fulfillment of that role must be fully documented going forward. I would certainly consider that this expectation will be placed upon non-financial services companies sooner rather than later. Finally, if you tie these requirements together with the Yates Memo, in which the DOJ said they want to prosecute more individuals and companies must investigate and turn over information on their own senior management, you can see the roadmap for the prosecutions of such high-level individuals.

In addition to this significant information on what the DOJ and its new Compliance Counsel will be looking at, Caldwell directed some remarks specifically at Chief Compliance Officers (CCOs) and compliance practitioners. She said, “We’re not interested in prosecuting mistakes or accidents, or bad business judgments. And we are not looking to prosecute compliance professionals.” These two statements should help put the collective minds of CCOs and compliance practitioners at ease.

Caldwell has specifically given the compliance function and corporations the DOJ’s expectations. It is now your obligation to meet these expectations. For it is in the doing of compliance that you will meet your obligations.

Over the next week or so, I will lay out some of my thoughts about how you can meet each of these metrics under which the new Compliance Counsel will evaluate your compliance program.

You should measure your compliance program against these metrics as soon as possible.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business advice, legal advice or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.