This is the second in a series of posts where we will explore critical elements of a successful compliance program. In February, the Department of Justice’s Fraud Section offered a new perspective on what the government expects in an anti-corruption compliance program, in the form of a series of questions that companies should be prepared to answer about their program. The guidance offers companies a roadmap for building or assessing their compliance program. In this series, we will explore recent and past guidance on key compliance topics, as well as key takeaways for companies of all sizes.
It would be a mistake for companies to dismiss the Fraud Section’s recent guidance, which one high-level DOJ official suggested may be used more broadly by DOJ’s Criminal Division, as business as usual. It is not just more of the same. The guidance does more than merely flesh-out existing direction; it operationalizes compliance. Consider two examples from the guidance’s “Autonomy and Resources” section:
- Empowerment – Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns? Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?
- Compliance Role – Was compliance involved in training and decisions relevant to the misconduct? Did the compliance or relevant control functions (e.g., Legal, Finance, or Audit) ever raise a concern in the area where the misconduct occurred?
The government’s interest in the resources, autonomy, and authority companies devote to compliance functions should come as no surprise. The 2012 DOJ and SEC FCPA Resource Guide notes that “[i]n assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” After all, even the most thoughtfully designed compliance program cannot succeed without sufficient resources.
Companies have long known that the DOJ and SEC will ask whether their board of directors and management allocate the right kind and amount of resources to compliance. Questions about budgets, corporate structure, and staff qualifications are to be expected. In that sense, much of the Fraud Section’s recent guidance regarding the Evaluation of Corporate Compliance Programs is unsurprising. As a result, companies may view the new guidance as merely a more detailed recitation of existing expectations. That’s only partially correct. The document does provide a helpful road-map for companies preparing to answer questions about their compliance program, including an exploration of Funding and Resources, Autonomy, Experience and Qualifications, Stature, and Outsourced Compliance Functions.
But with its new guidance, DOJ appears to be expressing a new interest in the practical effects of a company’s resource and autonomy decisions. Companies should be prepared not only to provide relevant examples showing how their thoughtfully tailored compliance program functions effectively, but also to answer tough questions about the alleged misconduct at issue. Did the compliance function identify the problem and fail to stop it, or did the problem go unnoticed? If the compliance function did flag the issue, why was compliance presumably unable to prevent the misconduct? Was it a lack of resources? Was it a reporting structure that prevented compliance from raising the issue directly with senior decision-makers and/or the board? Or was it a function of the board of directors not having the relevant compliance expertise to understand and address the compliance concern, as the guidance’s Oversight section recommends?
DOJ is signaling that abstract discussions of compliance design are no longer enough. Presenting organizational charts, budgeting documents, and aspirational messages from senior decision-makers will not suffice. The government wants to understand where the rubber meets the road. They want to use the alleged misconduct as a mirror to test companies’ assertions. They want to see how companies’ compliance programs actually succeeded – or failed – and understand why.