Last week, the Department of Justice (DOJ), without fanfare, released an update to its 2019 Evaluation of Corporate Compliance Programs, the 2019 Guidance. For simplicity this new document will be called the 2020 Update. The 2020 Update is most welcome news for every Chief Compliance Officer (CCO), compliance professional and corporate compliance program in the US and beyond. The reason is simple; it ends, once and for all, the dysfunctional reliance on paper compliance programs written by lawyers for lawyers and those who advocate for them. The DOJ has now articulated what both the business and compliance communities have learned that compliance is a business process and as a process, it can be measured, managed and, most importantly, improved. Today, I want to conclude with some final thoughts on the 2020 Update.
Coincidence or not, the release of the 2020 Update as we are in the worst economic downturn since the Great Depression and trying to reopen the American economy in the wake of the worst pandemic in over 100 years makes clear the importance of compliance as a regulatory scheme to comply with laws such as the Foreign Corrupt Practices Act (FCPA). There have been misplaced calls by some for a hiatus on compliance so that business can get back on its feet. Those commentators advocate that it is somehow acceptable to override compliance and financial controls because of the unprecedented times that currently exist. Such thinking was wrong then and its wrong now. Bribery and corruption under the FCPA has been illegal since 1977 and remains so today. Compliance programs are the way to operate within the boundaries of the law and this is even more true now.
The push around data, ongoing monitoring and continuous improvement of compliance programs also re-emphasizes that compliance is now properly seen as a business process and is no longer the purview of lawyers and the legal department. Compliance is there to prevent, detect and remediate issues before they become full blown legal violations. This call for increased improvement of your compliance program, on an ongoing basis, will eventually lead to more thorough and robust transaction monitoring by organizations. By doing so, companies will have the opportunity to make their business processes and operations more efficient and at the end of the day more profitable.
While many commentators have focused on the section of 2020 Update which mandates that the compliance function have access to data throughout the organization, I think the more important import is that there is a plethora of data available to a CCO and company which they are not using. Obviously, hotline complaints are a rich source of data and can be used in a variety of ways. But the 2020 Update also spoke to questions raised about policies and procedures. Where did those questions come from? Who in the company raised them? Who in the company is accessing your policies and procedures and in what geographic region are they located? What does that tell you about your compliance program? If you cannot travel for some period of time due to Covid-19, you should identify ways to assess and address the questions the customers of your compliance program (i.e., employees) are raising.
The same types of analysis can be true for other information. Where are your Corporate Social Responsibility (CSR) initiatives located? Are they in high-risk jurisdictions? What visibility do you have into them before the money is spent? What about marketing budget spends? Any large expenditures in high-risk jurisdictions? What about hiring? When was the last time you looked at your organization’s hiring in high-risk jurisdictions? All of these could provide information that can be incorporated back into your compliance program.
The final aspect from the 2020 Update was first raised by Dick Cassin. The question Cassin cited to was “Does the compliance function monitor its investigations and resulting discipline to ensure consistency?” Cassin went on to add, “Why is the added emphasis on monitoring to “ensure consistency” so important? Because inconsistency — showing favoritism to those who violate the compliance program, or don’t implement it — undermines the entire idea of compliance, and those responsible for making it happen.”
This speaks to institutional justice and institutional fairness. These are not simply to cornerstones of a compliance program but they are the cornerstones of any company. If there is no fairness and justice, what is the point of working for a company? I recognize this is an evolutionary step but the CCO and compliance function must lead this dialogue in an organization. If the ubiquitous control-overrider and compliance corner-cutter becomes the highest grossing salesperson, receives the biggest bonus and most promotion; this all speaks lack of fairness and justice in an organization. It is more than just fairness at the point in time. If such situations exist, employees will correctly conclude that there are no consequences to such action or more invidiously, the only way to get ahead in an organization is to lie, cheat and steal. This is even more so, if the top management actively or tacitly encourages such behavior.
Yet the cost of such a culture is far more than simply the fine or penalty and attendant legal fees incurred. Today, it is far more about the reputational impact. The loss of business is first and foremost but employees today want to work at ethical companies. The compliance program cannot be seen as simply window-dressing. Wells Fargo has never recovered from its fraudulent accounts scandal but, equally importantly, who would ever want to work at such a place where to raise your hand to report unethical and even illegal conduct meant termination.
The DOJ should be applauded by every compliance practitioner for the 2020 Update. They have reinforced the importance and value of CCOs and corporate compliance programs. As we move back to reopening our economy and a renewed sense of the need for racial justice, the 2020 Update lays out some of the key tools for every compliance professional to utilize.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2020