We begin our exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie called for her review of compliance programs. Today we review the first criteria and tie it to one specifically made applicable to financial institution but to which I believe both should and will soon apply to non-financial institutions. These metrics are:
- Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
- Does US senior management maintain a material role in implementing and maintaining a company’s overall compliance framework?
These requirements move beyond simply having the correct ‘Tone at the Top’ which every Board and senior management articulate. They charge those two groups in a company with a substantive role in the actual doing of compliance going forward. One of my concerns is this metric sets up Board members and senior management for prosecution under the Foreign Corrupt Practices Act (FCPA) in the new era of the Yates Memo where companies are required to investigate and turn over individuals to the DOJ for prosecution if they want to receive any credit for cooperation. Of course, the Yates Memo also articulated the DOJ’s stated intention to more aggressively prosecute individuals as well.
Here I think you can begin with two questions. First, does the Board of Directors exercise independent review of a company’s compliance program? Second, is the Board of Directors provided information sufficient to enable the exercise of independent judgment?
Boards of Directors should take a more active role in overseeing the management of risk within a company. Now this includes having a FCPA compliance program in place and actively oversee that function. This means if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. Some of the areas for hard questions include
- Corporate Compliance Policy and Code of Conduct – Is there an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee, translated into appropriate local langauges. Is there documents of delivery and training on this or these documents?
- Risk Assessment – Has the Board assessed the compliance risks associated with its business?
- Implementing Procedures – The Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy. Once again, have these implementing procedures been translated as appropriate and do employees understand these procedures? Are all of the above documented?
- Training – Has the Board been trained to understand its role in an effective compliance program?
- Monitor Compliance – Has the Board independently tested, assessed and audited to determine if its compliance policies and procedures are a living and breathing program and not just a paper tiger.
There are several paths a Board of Directors can take to fulfill this duty. Obviously the full Board can be apprised of compliance issues and handle them appropriately. However this may be unwieldy or not workable if there is a large Board and the compliance function only has limited time to present a quarterly and annual report. The Audit Committee is usually considered a natural venue for the compliance function to report to as it handles issues somewhat related to compliance already. However I believe that with the convergence of the Yates Memo and this metric for the new DOJ Compliance Counsel, it is time for companies to create a Compliance Committee separate and a part from the Audit Committee. This Board-level Compliance Committee would be charged with oversight of FCPA compliance and ethics but could also be the reporting venue for anti-money laundering compliance (AML), export control compliance and all other such disciplines within an organization. Further after the Volkswagen emissions-testing scandal, not only have a robust compliance program but direct and transparent Board oversight may be the only thing stopping injury to your reputation from a competitor’s illegal or unethical conduct.
Strong Explicit Support
Tone at the Top has been a well-worn phrase for many years so I think the DOJ is looking for more than simply statements of support. I also believe that the DOJ is now looking beyond simply an ambassador of compliance role for senior management. Now this talk of compliance and support for compliance will start to come together in real dollars being made available to a compliance department for technological solutions and head count availability.
It is incumbent that any Chief Compliance Officer (COO) must have sufficient authority and independence to oversee the integrity of the compliance program. This includes a direct reporting line to the company’s Board of Directors and Audit/Compliance Committee but more importantly “unfiltered” access to the Board. The CCO must have a clear mandate, delegation of authority, senior-level positioning, and empowerment to carry out his/her duties. This also means a ‘seat at the table’ so the CCO is now a C-Suite level position in any organization.
It is absolutely mandatory that the CCO be given both the physical resources in terms of personnel and monetary resources to adequately perform the required task. Under monetary resources the CCO should have a budget independent of the General Counsel, rather than a shared budget. This also means appropriate head count for personnel resources.
Active Senior Management Involvement
Here I suggest that a company create a Management Oversight Committee. The makeup of this committee should generally be persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transactions, which are going to be considered. I think you should have more that more than one department should be represented on the Oversight Committee. This would include senior representatives from the Accounting (or Finance) Department, Internal Audit, Compliance & Legal Departments and Business Unit Operations.
This Management Oversight Committee would review significant compliance issues over a period of one to three months. It can provide not only an additional level of support to the CCO or compliance function but also triage compliance issues for appropriate remediation. It also has the effect of keeping senior management involved in the compliance function on an oversight basis. Clearly the DOJ wants more senior management involvement and by having such a Management Oversight Committee in place, it would put senior management directly in the reporting line if an incident arises or perhaps more importantly if trends begin to develop which indicate that compliance related issues could be moving towards full FCPA violations. In other words, the Management Oversight Committee could help assist the CCO move from detection and prevention to prescription of compliance issues to prevent them from becoming full violation by delivering an appropriate risk based solution.
Taken together these two new metrics make clear that the DOJ is expecting both a Board of Directors and senior company management to take a more active role in any FCPA compliance program going forward. It also means both of these groups must actively support and promote the CCO and the compliance function with time, resources and respect. Finally all of this must be thoroughly and continuously documented.
The bottom line is that Board of Directors and Senior Management must be actively engaged in your compliance program.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2015