Back to Morgan Lewis’s “Lawflash” – here is what it says about other aspects of Weissmann’s recent remarks.
“A corporation’s internal compliance policies and practices, and its compliance professionals, are the first lines of defense against fraud, abuse and corruption. As all of you know, there is no “one size fits all” compliance program. Rather, effective compliance programs are those that are tailored to the unique needs, risks and structure of each business or industry. While a corporate compliance program must, by definition, address regulatory risk and the risk of potential violations of law, a strong compliance program will not stop there. A strong program also will aim to deter employee misconduct, whether or not that misconduct poses obvious regulatory risk.
While companies have for years appropriately adopted a “risk-based” approach to compliance, we have seen that corporations all too often misdirect their focus to the wrong type of risk. We have repeatedly seen corporations target the risk of regulatory or law enforcement exposure of institutional and employee misconduct, rather than the risk of the misconduct itself. The result: compliance programs are too often behind the curve, effectively guarding against yesterday’s corporate problem but failing to identify and prevent tomorrow’s scandals.
In designing compliance programs, companies would be wise to examine all of their lines of business – including those not subject to regulation – and determine where specific risks are and how best to control or mitigate them. It is also critical that compliance programs take into account the operational realities and risks attendant to the particular company’s business, and are designed to prevent and detect particular types of misconduct likely to occur in a particular line of business.
For example, to comply with the Foreign Corrupt Practices Act (FCPA), businesses that tend to be exposed to corruption must employ different internal controls than businesses that have less exposure to corruption.
Too often we have heard companies say that a particular course of criminal conduct took them by surprise, when a hard look at the business practices would have identified the risk. And, far too often, we have heard companies exclaim in defense that everyone else is doing it – that others in the industry are engaged in the same misconduct. But as you all know, an industry-wide compliance failure is not a defense to knowing and willful criminal activity.
With this principle that compliance programs should be proactive, and not merely reactive in mind, there are some general hallmarks of effective compliance programs that I’d like to share with you today.
- A company must ensure that its senior leaders provide strong, explicit and visible support for its corporate compliance policies. Corporate management must enforce compliance policies, not tacitly encourage or pressure employees to engage in misconduct to achieve business objectives.
- We look not just at the written policies, but to other messages otherwise conveyed to employees, including through in-person meetings, emails, telephone calls, incentives/bonuses, etc.; and will make a determination regarding whether the company meaningfully stressed compliance or, when faced with a conflict between compliance and profits, encouraged employees to choose profits.
- Senior executives should be responsible for the implementation and oversight of compliance. Those executives should have authority to report directly to independent monitoring bodies – for example, internal auditors or the board of directors.
- A company’s policies should be clear and in writing and should easily be understood by employees. But having written policies – even those that appear specific and comprehensive “on paper” – is not enough.
- Compliance teams need adequate funding and access to necessary resources. And they must have an appropriate stature within the company.
- A company should have an effective process – with sufficient resources – for investigating and documenting allegations of violations.
- A company periodically should review its compliance policies and practices to keep it up to date with evolving risks and circumstances, including when the company merges with or acquires another company. In particular, if a U.S.-based entity merges with, acquires or is acquired by a foreign entity, all compliance policies should be reviewed and revised accordingly.
- A company should have an effective system for confidential, internal reporting of compliance violations.
- A company should implement mechanisms designed to enforce its policies, including incentivizing compliance and disciplining violations.
- A company should sensitize third parties with which it interacts (for example, vendors, agents or consultants) to the company’s expectation that its partners are compliant. This means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies.
Corporations also must ensure compliance with the laws of all the countries in which they operate. We appreciate that this may present a major compliance challenge, as international corporations often must bridge cultural, as well as geographic, divides. But such challenges do not justify non-compliance.
Overall, our message is simple: we expect corporate entities to take compliance risk as seriously as they take other business-related risks.
When a compliance program works and a company suspects or discovers potential criminal wrongdoing, a company would be wise to conduct a thorough internal investigation. While we in the Criminal Division will not tell a company how it should conduct an investigation, we evaluate the quality of a company’s internal investigation, both through our own investigation and in considering what if any charges to bring against a company. In that regard, we have seen some “best practices” with regard to internal investigations.
Good internal investigations uncover the facts. They don’t promote corporate talking points or whitewash the truth. The investigation should be focused on rooting out the relevant facts, identifying and interviewing the knowledgeable actors and capturing and preserving relevant documents and other evidence. The investigation should seek to identify responsible individuals, even if those individuals hold senior positions at the company.
It is reasonable to take resources – time and money – into account. If an internal investigation unearths criminal conduct, the inquiry should be thorough enough to identify the relevant facts, players, documents and other evidence, and to get a sense of the pervasiveness of the misconduct. But, we do not believe that it is necessary or productive for a company to employ its internal investigators to look under every rock and pebble – particularly when a company has offices or personnel around the globe that do not appear to be involved in the misconduct at issue. In fact, doing so will cost companies much more in the end, both in fees but also because it ultimately will delay our investigation and delay resolution and closure for the company.
For example, if a multi-national corporation discovers an FCPA violation in one country, and has no basis to suspect that the misconduct is occurring elsewhere, the Criminal Division would not expect that the internal investigation would extend beyond the country in which the violation was discovered. By contrast, if the known offenders operated in multiple countries, we would expect that the internal investigation would extend into those locations as well.
Once your company learns of potential criminal conduct and confirms it through a reasonable internal investigation, the company then must choose whether to disclose the conduct to the government, and whether to cooperate in the government’s investigation. These are the company’s choices, and very few companies have a legal obligation to disclose criminal misconduct to the department. Likewise, there is no obligation to cooperate beyond compliance with lawful process. But if a company chooses to cooperate with the government in its investigation – particularly at an early stage – the company likely will receive significant credit for such efforts when the government is contemplating what prosecutorial action to take.
In conducting an investigation, determining whether to bring charges and negotiating plea or other agreements, federal prosecutors take into account, among other factors, the corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents. Prosecutors also consider the availability of alternative or supplemental remedies such as civil or regulatory enforcement action.
To receive cooperation credit, a company must do more than comply with subpoenas or other compulsory process. Companies must provide a full accounting of the known facts about the conduct or events under review, and affirmatively must identify responsible individuals (and provide evidence supporting their culpability), including corporate executives and officers – and they must do so in a timely way. A company’s cooperation may be particularly helpful where the criminal conduct continued over an extended period of time, and the knowledgeable or culpable individuals and/or the relevant documents are dispersed or located abroad. Under these circumstances, cooperation includes helping to circumvent barriers to the investigation by making knowledgeable personnel available for interviews or testimony, and by producing documents and other evidence that otherwise may not be readily accessible to the government.
We recognize that some foreign data privacy laws may limit or prohibit the disclosure of certain types of data or information. Over the years, the Criminal Division has developed an understanding of certain oft-cited data privacy laws, and we will challenge what we perceive to be unfounded reliance on these laws to justify withholding requested information. Companies should avoid this by giving careful consideration to the government’s requests for information, refraining from making broad “knee jerk” claims that large categories of information are protected from disclosure and producing what can be disclosed.
Corporate accountability through a strong, tailored compliance program and thorough internal investigations should be the standard for your companies.
Corporate accountability through compliance, investigations and protections against breaches is a good practice for all of your companies. And in the Criminal Division, I am emphasizing accountability on our side as well, particularly through our work with regulators and other law enforcement agencies, and through increased transparency about our decision-making where possible.
Many of the cases handled by the Criminal Division also involve parallel investigations or civil or enforcement actions by civil or regulatory authorities. Even if certain misconduct could be pursued civilly or through regulatory action, criminal investigation and prosecution often is appropriate.
It is department policy that criminal prosecutors and civil attorneys coordinate with one another and with agency attorneys, to the extent permissible, to protect and advance the government’s overall interests. Early and effective coordination is critical to ensuring the efficient use of resources and the best ultimate outcome.
We have heard concerns expressed about regulatory “piling on.” We agree that there is the potential for unfairness when a company is asked to pay penalties and fines to different regulators and enforcement authorities based on the same set of facts.
Different law enforcement authorities have distinct and important functions. Companies know who their regulators are, and they know that they are subjecting themselves to those regulatory schemes and the laws of the countries in which they operate. But we are trying to address this concern and are mindful of making sure that companies are not punished unfairly.
Since becoming Assistant Attorney General, one of my priorities has been to ensure that the Criminal Division is as transparent as possible about its decision making. While we are limited in the information we can disclose to the public about matters in which we decline to prosecute, when we file charges, secure a guilty plea or enter into a deferred prosecution or non-prosecution agreement, the Criminal Division will place in the public record detailed information explaining the rationale for the particular resolution whenever possible.
Whether we secure a guilty plea or enter into an NPA or DPA, these resolutions generally have the same key components: admissions, a detailed statement of facts, remediation and/or enhanced compliance requirements and penalties. Depending on the facts and circumstances of a particular case, the Criminal Division also may require the imposition of a compliance monitor. Companies would be wise to study these publicly-available documents to measure their compliance or to assess their exposure.
In our view, increased transparency benefits everyone. From the Criminal Division’s perspective, if companies know the benefits that likely will flow from self-reporting or cooperating with the government’s investigation, we are confident that more companies will be willing to voluntarily disclose identified misconduct and cooperate, including against culpable individuals. In addition, transparency takes a significant amount of the guess work out of assessing the likely benefits of cooperation, as well as the costs of refusing to cooperate or offering limited or partial assistance.
Regardless of the form of resolution, the Criminal Division is committed to enforcing compliance with its terms. In particular, when a company that is subject to the terms of an NPA or a DPA violates the terms of the agreement, if proportional to the breach, the Criminal Division will not hesitate to tear up the agreement and prosecute the offending entity based on the admitted statement of facts. If we do so, as with the other resolutions, the Criminal Division will be transparent and include its rationale in publicly-filed documents. In addition to statements contained in public filings in cases investigated or prosecuted by the Criminal Division, our commitment to transparency also is effectuated by the participation of Criminal Division personnel in conferences such as this one.”