What 2023 Brought to Compliance – The 2023 ECCP

January 2023 saw the release of the 2023 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (ECCP). It brought forward several new initiatives laid out in the 2020 Update to the Evaluation of Corporate Compliance Programs, include additions and deletions. It also incorporated many of the concepts from the 2022 Monaco Memo. It contained new incentives, both financial and non-financial; consequence management; messaging apps and provide a summary for the compliance professional.

Incentives

This section begins with a new introduction which makes clear the seriousness in which the Department of Justice (DOJ) views incentives, both financial and other types of incentives. The ECCP states, “The design and implementation of compensation schemes play an important role in fostering a compliance culture. Prosecutors may consider whether a company has incentivized compliance by designing compensation systems that defer or escrow certain compensation tied to conduct consistent with company values and policies. Some companies have also enforced contract provisions that permit the company to recoup previously awarded compensation if the recipient of such compensation is found to have engaged in or to be otherwise responsible for corporate wrongdoing. Finally, prosecutors may consider whether provisions for recoupment or reduction of compensation due to compliance violations or misconduct are maintained and enforced in accordance with company policy and applicable laws. Compensation structures that clearly and effectively impose financial penalties for misconduct can deter risky behavior and foster a culture of compliance.”

The ECCP also added a new section on financial incentives which directs prosecutors to specifically evaluate how a company designs and applies financial incentives. These four questions basically breakdown into the following continuum: (1) Assessment, (2) Analysis, (3) Implementation; and (4) Monitoring.

Incentive program assessment. Here you need to review your corporate incentive program for all employees, most particularly the discretionary bonus program but also your non-financial incentives such as promotion.

Incentive program analysis. Here you need to see what perverse incentives may exist in your organization.

Incentive program implementation. After implementation of the incentive program, it must be monitored.

Incentive program monitoring. Here there needs to be ongoing monitoring of the incentive program, including has the company ensured effective management of the incentive program? 

Consequence Management

The DOJ has been talking about clawbacks for some time now. However, the revised language of the ECCP puts more rigor around what the DOJ is now mandating. This section begins by noting that financial penalties as well as financial incentives can influence employee behavior and that prosecutors are now required to consider both aspects. It states:

By way of example, prosecutors may consider whether a company has publicized disciplinary actions internally, where appropriate and possible, which can have valuable deterrent effects. Prosecutors may also consider whether a company is tracking data relating to disciplinary actions to measure effectiveness of the investigation and consequence management functions.

Clawbacks

The DOJ has made clear that companies need to seek to recover amounts paid out to executives which were illegally received as corporate compensation. This could include both salary, stock options or similar payments or discretionary bonuses. All of this means every compliance program will need to analyze each of these components as set out. It will also require a review of executive contracts to determine if there are clawback provisions set out in each employment contract. If there are no such provisions, they will need to be inserted. Finally, what “specific examples of actions taken” does a company have to show to the DOJ should they come knocking?

Consequence Management

The DOJ also mandated that compliance programs take a deeper dive into their entire financial incentive program; both incentives and dis-incentives. While there is some overlap with the clawback language but there is quite a bit new in these area. The DOJ ties hotline and speak up reports directly to a company’s culture of compliance. The DOJ goes on to ask about substantiation rates, closure rates, consistent and fair application of discipline (and rewards when called for) and root cause analysis; which are not simply technical aspects of compliance programs but are concrete steps companies can implement to engender trust with employees that their concerns will be taken seriously and then acted upon when they are raised. Once again, as with clawbacks, these are levels of analysis that many compliance programs have not yet taken but are now required to do so.

Messaging Apps

The ECCP opened this section by noting, “Messaging applications have become ubiquitous in many markets and offer important platforms for companies to achieve growth and facilitate communication.” For any company under investigation or in a Foreign Corrupt Practices Act (FCPA) enforcement action, the DOJ will evaluate its “policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law…governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.” Off the shelf policies will not be sufficient as the company’s management of messaging apps “should be tailored to the corporation’s risk profile and specific business needs.” Not surprisingly the DOJ is also concerned about storage, access and even backups, requiring that “business-related electronic data and communications are accessible and amenable to preservation by the company.” Training and communication of these policies and procedures will also be evaluated and “whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.”

Final Thoughts

What does it all means for the compliance professional going forward? The 2023 ECCP and the year in compliance bore out the following.

 Use of Monitors

In the introduction its states “Moreover, Criminal Division policies on monitor selection instruct prosecutors to consider, at the time of the resolution, whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal controls systems and whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future to determine whether a monitor is appropriate.” This language is a firm rejection of the Benzkowski Memo and the prior administration’s reticence to employ monitorships as a tool to ensure compliance with not only the settlement documents but also the creation and implementation of a compliance program.

Internal Compliance Controls

Under Section II, entitled Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively? Is the new language, “In this regard, prosecutors should evaluate a corporation’s method for assessing and addressing applicable risks and designing appropriate controls to manage these risks.” This simple sentence packs quite a whoolop as it mandates a risk assessment, design and implementation of appropriate internal compliance controls and then monitoring of those controls to see if they are managing the risks identified in the risk assessment. Many of these concepts are fleshed out in the ECCP but it is clear this is a minimum expectation from the DOJ.

Adequate Compensation and Salary/Bonus Review for Compliance

Under Section III, Does Your Compliance Program Work in Practice, is the following new language “Independence and Empowerment – Is compensation for employees who are responsible for investigating and adjudicating misconduct structured in a way that ensures the compliance team is empowered to enforce the policies and ethical values of the company? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel or others within the organization that have a role in the disciplinary process generally?”

This is a significant new addition to the ECCP. It forces a company to adequately compensation those employees who investigate and pass judgment on misconduct. But it is more than simply adequate compensation as it also requires a company not to retaliate via low salaries or limited raises or other compensation for doing their jobs as compliance officers. In other words, if the CEO is being investigated by compliance; that same CEO should not be setting or reviewing the salary of the CCO or those doing the investigation. This mandates that the DOJ will review the entire corporate organization on these issues.

Leave a Reply

Your email address will not be published. Required fields are marked *

What are you looking for?