Corporate Compliance Measures During the COVID-19 Crisis

There is no doubt that turbulent times create more opportunities for fraud and mismanagement and the ongoing COVID-19 pandemic has not been an exception. During the short period of time COVID-19 has been a global issue, it has not only wreaked havoc on health care and financial systems worldwide, but created many opportunities for mismanagement, fraud and criminal activities: A Van Gogh painting has been stolen from the Dutch museum that was closed due to COVID-19; the Department of Justice (DOJ) recently announced its first enforcement action against COVID-19 fraud; an Austrian ski resort is being investigated by prosecutors for its failure to address rapid spread of COVID-19.

As a result, companies must remain particularly vigilant to create and enforce robust corporate compliance program measures to address these threats. Here, we discuss best practices for corporate compliance programs during these uncertain times.

During a crisis – especially one with unforeseeable and unpredictable patterns – management is faced with many operational issues, from business and cash flow disruptions to layoffs and furloughs. At the same time, companies are subjected to additional scrutiny from regulators, customers and shareholders; thus, notwithstanding many operational distractions, they should devote attention and resources to ensure the proper implementation and operation of their compliance programs. In the midst of the 2008 financial crisis, the SEC reminded CEOs of SEC-registered firms about their compliance obligations, stating that “[w]hile many firms are considering reductions and cost-cutting measures, we remind you of your firm’s legal obligation to maintain an adequate compliance program reasonably designed to achieve compliance with the law.” The SEC reminded CEOs that their companies “must be vigilant and proactive in preventing, detecting and correcting problems that could occur.”

Preventative Measures

Whether your company has already a robust compliance program in place or is in the process of developing one, preventative measures during a crisis of this magnitude must include an assessment of internal and external material risks faced by a company. Such risks, for example, may include an increase in suspicious trading activity; questionable payments to third parties; improper payments to government officials, vendors and consultants; cybersecurity threats caused by an increase in remote work activities; misconduct by terminated or furloughed employees; and other fraudulent acts. As resources may be limited, priority should be given to high-risk areas and transactions. As noted by the DOJ in its recently updated Compliance Program Guidelines, “prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.”

Next, a company should establish strategies to deal with these threats, and these strategies should be applicable throughout its operations. For example, internally, the company should reinforce the preventative measures previously put in place, which may include reminding employees about the company’s code of conduct, relevant laws, industry standards and training materials, in particular when any new training is likely to be put on hold during the crisis. As noted by the DOJ, it might be effective for the company “to give employees practical advice or case studies to address real-life scenarios and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise.” These measures should take into account and equally apply to current employees as well as employees who are subject to furloughs and layoffs, as disgruntled employees are more likely to engage in misconduct and misappropriate or disclose company trade secrets and confidential information.

Externally, a company should continue to maintain open and constant line of communications with customers. For example, many post-2008 customer complaints against financial firms and brokers involved lack of responsiveness during the volatile market times when the values are subject to constant and significant changes.

Similarly, external communications should be maintained with accountants, vendors, banks and regulators. Ongoing monitoring of third-party relationships should continue, and outside vendors, like internal personnel, should be reminded about the company’s compliance measures. In unstable situations, such as war or pandemic, when the law enforcement and regulation is overextended and understaffed, the risk of illegal transactions – including bribes and kickbacks to government officials – through consultants and third parties is particularly high. As noted by the DOJ, a company needs to have “an understanding of the qualifications and associations of third-party partners, including the agents, consultants and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

Detecting Misconduct

Compliance measures aimed to detect misconduct and impropriety are of utmost importance during the spikes in fraudulent activity. A company should devote enough resources to “investigations of … complaints, including the routing of complaints to proper personnel, timely completion of thorough investigations and appropriate follow-up and discipline.” In fact, post-2008 financial crisis government investigations resulted in severe monetary penalties against many companies and their owners for failure to adequately investigate customer and other complaints. A $25 billion settlement executed by federal and state government authorities with the nation’s five largest mortgage service providers required each servicer to develop and implement robust consumer complaint management procedures and processes.

The hallmarks of a well-functioning compliance program aimed to detect illegal activity are “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees or agents.”

Corrective Measures

If the misconduct is detected, a company should not delay the implementation of the corrective measures, and, if necessary, voluntary disclosure of the misconduct. The company’s response, including any disciplinary or remediation measures, should be well documented. Additionally, the company should conduct a “root cause analysis” and, where appropriate, implement remediation measures to address the root cause. In fact, the DOJ often provides cooperation credit for voluntary disclosure of misconduct unknown to the government, cooperation in an ongoing investigation or undertaking remedial measures in response to a violation. “Such remedial measures may include undertaking a thorough analysis of the root cause of the misconduct, appropriately disciplining or replacing those responsible for the misconduct, accepting responsibility for the violation and implementing or improving compliance programs to prevent a recurrence.”

Timely detection of misconduct and implementation of corrective measures to prevent further misconduct will ensure that the company is in a strong position to face, if necessary, regulatory inquiries and civil complaints in the aftermath of the COVID-19 crisis.