The Compliance Kitchen returns with a wrap-up of the week’s top trade and economic sanction issues. In today’s episode, Silvia Surman visits the DOJ revised its Corporate Enforcement Policy and the Kitchen looks at the highlights.
Tag: DOJ
Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.
Stories we are following in today’s edition of Daily Compliance News:
Over the past year, the role of the Chief Compliance Officer (CCO) has shifted in some very dramatic ways. The shifts have been from disparate groups and for a variety of reasons. Yet when put together, one can see a clear and bright line expanding and elevating the role of the CCO in the corporate world. From the announcement of the requirement for CCO Certification last year up to the announcement of the Delaware Court of Chancery’s decision in the case of In re McDonald’s Corporation Stockholder Derivative Litigation, it is now clear that the CCO has as wide a remit and responsibility as any corporate officer, other than the Chief Executive Officer (CEO) of a company.
I think the following announcements, changes in DOJ and SEC focus on Foreign Corrupt Practices Act (FCPA) enforcement and now a court case out of Delaware will change the role of the CCO forever.
CCO Certification
This shift began with the speech by Kenneth Polite, Assistant Attorney General for the Criminal Division speech on May 17, 2022, at Compliance Week 2022; announcing the new requirement for CCO Certification of compliance programs for companies going through a Deferred Prosecution Agreement (DPA). This CCO Certification required the Glencore CCO to certify Glencore compliance program “is reasonably designed to detect and prevent violations of the FCPA and other anti-corruption laws” at the conclusion of the DPA. Who is the only other person required to make a similar certification at the conclusion of a DPA? The CEO of the company.
This means the CCO (and CEO) are certifying the entire compliance program meets the standards of not simply best practices but also all the enhanced requirements set out in Attachment C of any DPA. While many have focused on the question of whether this would bring criminal liability to a long-gone (or even current) CCO; this question now seems to miss the mark. Recall what Polite said when announcing the new requirement “It is the type of resource that compliance officials, including myself, have wanted for some time, because it makes it clear that you should and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and us, that your company has an ethical and compliance focused environment.”
Monaco Memo and Changes in the Corporate Enforcement Policy
The 2022 Monaco Memo and 2023 announced changes in the DOJ’s Corporate Enforcement Policy (CEP) are bookends of a series of changes which began as far back as October 2021 when Deputy Attorney General Lisa Monaco first announced the revisions which would eventually be incorporated into the Monaco Memo and CEP. In many ways the Monaco Memo laid out the sticks while the CEP provided the carrots for current FCPA and other white-collar enforcements.
The Monaco Memo directed prosecutors to evaluate a corporation’s compliance program as a factor in determining the appropriate terms for a corporate resolution; as prosecutors should now assess the adequacy and effectiveness of the corporation’s compliance program at two points in time: (1) the time of the offense; and (2) the time of a charging decision. Kenneth Polite further defined the effectiveness of a compliance program at the time of the offense as “At the time of the misconduct and the disclosure, the company had an effective compliance program and system of internal accounting controls that allowed the identification of the misconduct and led to the company’s self-disclosure.” This is the first time the DOJ has said that it is the detection of wrongdoing which defines the effectiveness of a compliance program. This means a company’s investment in a compliance program, CCO and corporate compliance team are all elevated in importance. This prong does not simply get you a discount, but it can put you on the road to the default position of the DOJ for a FCPA violation, a declination.
Moreover, when you couple the ABB FCPA resolution to the Monaco Memo, you see the carrots which appeared in the new CEP. ABB was the first, three-time FCPA recidivist yet was able to get an excellent resolution with the government and a fine of only $315 million despite clear aggravating factors including corruption up to and in the corporate office. From the ABB resolution, you begin to see how the role of the CCO increases dramatically.
Duty of Oversight
These trends were brought together in the Delaware Court of Chancery’s decision in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst in the case In re McDonald’s Corporation Stockholder Derivative Litigation, where for the first time, a Delaware court formally recognized the oversight duties of officers of Delaware corporations.
As I have previously noted, one of the most interesting parts of the court’s opinion is that it draws from the US Sentencing Guidelines and their creation of the Chief Compliance Officer position as both reasons for the decision and as a guide to how the CCO position will be impacted by this ruling. The judge pointed to the US Sentencing Guidelines as a key basis for the creation of the original Caremark Doctrine. The court stated that a prime reason for “recognizing the board’s duty of oversight was the importance of having compliance systems in place so the corporation could receive credit under the federal Organizational Sentencing Guidelines.” However, the Guidelines did not stop at the board level. The US Sentencing Guidelines mandated the creation of the CCO position.
The court noted that the CCO has a broad scope within an organization. The court stated “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority.” The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”
What Does It Mean?
This is the part where it gets interesting. Under the CCO Certification and the Delaware court’s ruling, it is the CCO who is 1B to the CEO’s 1A. The first step every company must make it to put the CCO in position to report up directly to the Board of Directors. It also means that the days of a CCO reporting to a Chief Legal Officer (CLO) or General Counsel (GC) are certainly numbered. The Delaware Court drove this point home by specifically naming a CLO/GC as a person “responsible for legal oversight and for making a good faith effort to establish reasonable information systems to cover that area.” In other words, not responsible for the company wide remit such as the CCO.
The next area would come from the Hallmarks of an Effective Compliance Program as laid out in the FCPA Resource Guide, 2nd edition. In that document it states “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” That means financial resources and head count.
I would add, a level of professionalism and expertise in compliance means more than simply ‘being a lawyer’. Under Chapter 9, Section 47 of the US Attorney’s Manual, the DOJ is mandated to evaluate “The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk.” Finally, the DOJ will also evaluate other factors such as CCO compensataion as commiserate with the position of being second in importance to the CEO.
The Delaware Court decision creating the Duty of Oversight was not designed to increase the scope, reach and importance of a CCO but the more I look at the case I believe that will be its most lasting legacy. When you look back over the past 12 months, you see that the CCO has more stature and responsibility than it has ever had before.
With a converse nod to Uncle Ben from Spiderman, with great responsibility must come great power.
The 2020 Update re-emphasized the need to perform a root cause analysis and, equally importantly, use it to remediate your compliance program. It stated, “a hallmark of a compliance program that works effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”
It went on to state what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk”).”
The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach using data already in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process in which one method can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event, and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.
When you step back and consider what the DOJ was trying to accomplish with its 2020 Update, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.
Three key takeaways:
- The key is objectivity and independence.
- The critical element is how you used the information you developed in the root cause analysis.
- The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach using data already in the organization.
Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.
Stories we are following in today’s edition of Daily Compliance News:
Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this special episode, I am joined by Morrison and Foerster partner James Koukios to discuss the recent Kenneth Polite speech announcing changes to the Department of Justice Corporate Enforcement Policy.
In this episode, we consider the following:
- What is the CEP;
- This is a follow on from the Monaco Memo;
- Why this change is significant for recidivists;
- How this change redefines an effective compliance program;
- The new CEP offers real, tangible, and significant benefits for compliance programs; and
- What it all means going forward.
Resources
Kenneth Polite Speech
Updated CEP
The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more. In this episode, Matt and I deep dive into the recent Kenneth Polite speech announcing changes to the Corporate Enforcement Policy.
Some of the highlights include:
· What are the policy reasons for the change?
· Real credit is now being given for effective compliance programs.
· What about self-disclosure?
· What is the new definition of an effective compliance program?
· Is the DOJ trying to avoid 5th Amendment concerns? Will it work?
· New percentage discounts and what they mean?
· Why does Matt have more questions?
Resources
Tom cited in CCI
Matt Kelly in Radical Compliance
Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top talk show in podcasting. In this episode, we have the quintet of Jay Rosen, Jonathan Armstrong, Jonathan Marks, Tom Fox, and Matt Kelly with our fan-fav Shout Outs and Rants section.
1. Matt Kelly rants about the Department of Justice CCO certification requirement for Danske Bank.
2. Jonathan Marks rants about the recent FAA failure, which crippled the US airline industry.
3. Tom Fox has his first dual shout-out. His first shout-out is to US District Judge Middleton for sanctioning Donald Trump and his lawyer, jointly and severally for $938,000 and the recently deceased musician David Crosby.
4. Jonathan Armstrong rants about the Tory proposed law against publicizing small boats that would make showing or even talking about the Bayeux Tapestry illegal.
5. Jay Rosen shouts out to the NFL for the playoffs and for getting us the best four teams in the final four.
The members of Everything Compliance are:
- Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
- Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
- Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
- Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
- Jonathan Marks is Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at marks@bakertilly.com
The host and producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.
The Compliance Kitchen returns with a wrap-up of the week’s top trade and economic sanction issues. In today’s episode, Silvia Surman looks at OFAC issues Russia-related sanctions licenses and allows for limited marine activities on SDN vessels; DOJ obtains a guilty plea for EAR violations due to unlicensed exports of chemicals to a Chinese SOE listed on the Entity List.
One cannot say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment to understand your organization’s business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile, and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks. Yet the 2020 Update added a new emphasis that Risk Assessments should not be done not less than annually but, in reality, should be done each time your risk change. Over the past couple of years, every company’s risks changed from Work From Home to Return to the Office to Hybrid Work environments. Have you assessed these new paradigms for risks from the compliance perspective?
As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance succinctly stated, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”
There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, your protocol must be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable for your starting point.
Three key takeaways:
- Since at least 1999, the DOJ has pointed to risk assessment as the start of an effective compliance program.
- The DOJ will now consider your risk assessment methodology for identifying risks and gathering evidence.
- You should base your compliance program on your risk assessment.