31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Data Analytics – Day 8 – Data Democratization

In the world of compliance, data analysis plays a crucial role in identifying risks, making informed decisions, and ensuring legal and regulatory compliance. It enables companies to make fact-based decisions and mitigate risks effectively. By leveraging AI, organizations can identify high-risk payments and reduce investigation costs. This not only saves time and resources but also ensures that compliance teams can present risk in a timely and data-driven manner. We previously noted that it is not simply about having the data but also accessing it and then using it.

A key in this process is the implementation of data warehouses and cloud data warehousing solutions. The goal is to eliminate data silos and enable easy data access and analysis. By implementing a modern data stack, companies centralize their data, making it compliance-friendly as mandated by the DOJ (in the 2020 Evaluation of Corporate Compliance Programs) and more generally accessible to employees across the organization.

AI-driven data analysis and compliance solutions are revolutionizing the way organizations approach compliance and data utilization. By leveraging AI technology, these companies enable businesses to make fact-based decisions, identify risks, and ensure regulatory compliance. Investing in data governance and business intelligence tools is crucial for extracting value from data and driving business success. With the democratization of data access, organizations can empower employees to be data-informed and achieve greater efficiency.

Three key takeaways:

  1. Data analysis is not simply about having the data but also accessing it and then using it.
  2. Data democratization recognizes that effective data utilization is linked to compliance and good business practices.
  3. With the democratization of data access, organizations can empower employees to be data-informed and achieve greater business efficiencies.

For more on KonaAI, click here.


One Month to More Effective Written Standards: Day 9 – Dynamic Compliance Policies

One of the key changes coming out of the Covid-19 pandemic is the need for dynamism in corporate policies. This message was driven home in an MIT Sloan Management Review article, “Turbulent Times Demand Dynamic Rules”. The authors believe, “Circumstances can change rapidly in an uncertain world — organizational rules should be designed to change along with them.”

This concept is most appropriate in the compliance arena in the area of risk management. As your risks change, your management of those risks should adapt to the new reality. This is why the DOJ intoned in the 2023 Evaluation of Corporate Compliance Programs (ECCP) that you should assess your risks as they change, modify your risk protocols, monitor your risk management strategy and then update your compliance programs through continuous monitoring.

This dynamic policy process can build dynamic rules to enhance your company’s ability to anticipate and cope with risk changes. When the corporate compliance function embraces experimentation and learning in the creation and reformulation of policies, it builds flexibility into the organization’s structure, processes, and practices. This type of flexibility is essential as we have moved from disaster recovery to business resiliency to business as usual, especially in the field of risk management.

Three key takeaways:

1. After Covid-19, your policies must be as dynamic as your business.

2. There are three general areas to improve the dynamic features of policy creation and improvement: transparency, experimentation and innovation.

3. Garner feedback from your users on the effectiveness of your compliance policies.

For more information, check out The Compliance Handbook, 4th edition, here.


One Month to More Effective Written Standards: Day 5 – Training on your Code of Conduct

What about the training on your finalized Code of Conduct? While there have been criticisms of code training, if you consider training as one source of your 360-degrees of compliance communications, the rollout of a new or updated code can be an opportunity. This rollout fits directly into the concept of 360-degrees of compliance communications as rollout is part of both communications and engagement. The delivery of a Code of Conduct is a key element of its effectiveness. By allowing your employees and other stakeholders to engage and interact with the code, through live or interactive training, the effectiveness can be better monitored and measured.
Beginning with the DOJ’s 2017 Evaluation and continuing into the 2023 ECCP, the DOJ has emphasized the effectiveness of training. I think everyone would understand you do need to train but now the government’s talking to us about effective training. Begin with live training that can be held at the corporate headquarters with senior management and executive involvement. Many companies will videotape a message from the CEO to help celebrate the rollout. Then there is the opportunity for localized training that gives employees an opportunity to see, meet, and speak directly with a compliance officer, not an insignificant dynamic in the corporate environment. Such personal training also sends a strong message of commitment to the Code of Conduct. It gives employees the opportunity to interact with the compliance officer by asking questions which are relevant to markets and locations outside the corporate office, which can often provide employees with the opportunity to have confidential in-person discussions.
However, your Code of Conduct training should be an extension of the way you communicate compliance in your organization. If it is divorced from your 360-degrees of compliance communications style, you may well be missing an opportunity to drive better understanding of the code and denigrate the effectiveness of the training. Whatever approach is used, one of the critical factors is the length of time of the training session. Although lawyers and ethics and compliance professionals can (sometimes) sit through a multi-hour Code of Conduct lesson, it is almost impossible to keep the attention of business and operations employees for such a length of time. The presentation and number of PowerPoint slides must be kept to a manageable length before the attendee’s eyes start to glaze over.

Three key takeaways:

  1. Consider a video message from your CEO to help roll out your Code of Conduct initiation or update.
  2. Tailor your Code of Conduct training to your workforce.
  3. Consider interactive and modular approaches to Code of Conduct training.


One Month to a More Effective Compliance Program: Day 19 – Compliance Culture At The Bottom

One of the most important focuses of the DOJ’s 2023 ECCP was culture, meaning how far the culture of compliance has been driven down into an organization. The 2019 Guidance posed the following:
Culture of Compliance – How often and how does the company measure its culture of compliance? Does the company seek input from all levels of employees to determine whether they perceive senior and middle management’s commitment to compliance? What steps has the company taken in response to its measurement of the compliance culture?
These questions point to a CCO or compliance practitioner demonstrating how a culture of compliance is being burned into the very fabric of an organization. While leadership at and from the top has long been considered by both the DOJ and compliance professionals as a key element to move compliance forward, the 2019 Evaluation has also crystallized thinking around compliance culture throughout the organization, including at the bottom.
Too often, strategies to move a compliance program or even an initiative come from the top of an organization and are pushed down. To fully operationalize compliance, you must have leadership in compliance further down the organization which (hopefully) has been a part of the design process and can lead the implementation throughout an organization.

Three key takeaways:

  1. While tone at the top is critical, the tone at the bottom can work to more fully operationalize compliance.
  2. 95% of the work is done at this bottom level.
  3. Use HR to come up with a strategy to move compliance into the bottom for more complete operationalization.


One Month to a More Effective Compliance Program: Day 10 – Sales Incentives and Compliance

Under Incentives and Disciplinary Measures, the DOJ’s 2023 ECCP stated:
Incentive System – Has the company considered the implications of its incentives and rewards on compliance? How does the company incentivize compliance and ethical behavior? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?
When considering how a company could use incentives to further a compliance program and the role of HR in this process, we should also consider how incentives might lead to the converse, as they did in the now-infamous Wells Fargo fraudulent-accounts scandal. When you misalign these two concepts with a faulty sales strategy it can lead to a catastrophic failure, literally costing the company millions of dollars in fines, loss of business and depreciation of shareholder value. Whatever your incentive structure, there will be employees who try to game the system. Some will do it with the tacit or explicit approval of management. You, as the CCO, may be required to act.

Three key takeaways:

  1. Even a benign sales incentive program can become skewed.
  2. A sales incentive program can become high risk or illegal if not properly monitored.
  3. If there is alignment between the strategy, purpose and structure of an incentive system, it often makes the difference between a good and a bad one.

Everything Compliance

Episode 114, The Monaco, Polite & ECCP Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top talk show in podcasting. In this episode, we have the quartet of Tom Fox, Jonathan Marks, Matt Kelly and special guest Scott Garland from Affiliated Monitors, who discuss the recent speeches by DAG Lisa Monaco and Kenneth Polite announcing changes in the DOJ’s Evaluation of Corporate Compliance Programs. We conclude with our fan fav Shout Outs and Rants section.

  1. Matt Kelly looks at the changes around clawbacks. He shouts out to the PCAOB for reminding folks that cryptocurrency ‘reserve reports’ are not worth the paper they are printed on.
  2. Jonathan Marks considers what the two speeches and changes in the ECCP mean for corporate governance. He shouts out to US House of Representatives for overwhelmingly voting to investigate the origins of Covid-19.
  3. Tom Fox looks at the changes to incentives, both financial and non-financial, in the 2023 ECCP. He rants about the Tennessee legislature’s attempt to ban Shakespeare, movies such as Tootsie and Some Like It Hot, politicians such as George Santos, all in the guise of banning drag shows.
  4. Special Guest Scott Garland looks at the changes in the monitor selection process and what that means for the line attorney prosecuting an FCPA violation. He shouts out to the Department of Justice for their continued evolution in their thinking about compliance and compliance programs.

The members of Everything Compliance are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
  • Jonathan Marks – Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.


The Week That Was in Compliance – The ECCP: Part 4 – Final Thoughts

In addition to the speeches presented at the ABA’s 38th Annual National Institute on White Collar Crime by Deputy Attorney General Lisa Monaco (2023 Monaco Speech) and Assistant Attorney General Kenneth A. Polite (Polite Speech), there was the release of the 2023 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (ECCP). Today we will conclude our multi-part review of this document by looking at some of the other key changes and additions to the document and what it all means for the compliance professional going forward.

Use of Monitors

In the introduction it states, “Moreover, Criminal Division policies on monitor selection instruct prosecutors to consider, at the time of the resolution, whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal controls systems and whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future to determine whether a monitor is appropriate.” This language is a firm rejection of the Benczkowski Memo and the prior administration’s reticence to employ monitorships as a tool to ensure compliance with not only the settlement documents but also the creation and implementation of a compliance program.

Internal Compliance Controls

Under Section II, entitled “Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively?”, is the new language, “In this regard, prosecutors should evaluate a corporation’s method for assessing and addressing applicable risks and designing appropriate controls to manage these risks.” This simple sentence packs quite a wallop as it mandates a risk assessment, design and implementation of appropriate internal compliance controls and then monitoring of those controls to see if they are managing the risks identified in the risk assessment. Many of these concepts are fleshed out in the ECCP but it is clear this is a minimum expectation from the Department of Justice (DOJ).

Adequate Compensation and Salary/Bonus Review for Compliance

Under Section III, “Does Your Compliance Program Work in Practice”, is the following new language: “Independence and Empowerment – Is compensation for employees who are responsible for investigating and adjudicating misconduct structured in a way that ensures the compliance team is empowered to enforce the policies and ethical values of the company? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel or others within the organization that have a role in the disciplinary process generally?”

This is a significant new addition to the ECCP. It forces a company to adequately compensate those employees who investigate and pass judgment on misconduct. But it is more than simply adequate compensation as it also requires a company not to retaliate via low salaries or limited raises or other compensation for doing their jobs as compliance officers. In other words, if the Chief Executive Officer (CEO) is being investigated by compliance, that same CEO should not be setting or reviewing the salary of the Chief Compliance Officer (CCO) or those doing the investigation. This mandates that the DOJ will review the entire corporate organization on these issues.

Final Thoughts

This brings us to the end of a series of momentous announcements by the DOJ. While we have not discussed the changes in monitor selection announced by Polite as it largely deals with internal DOJ process, we would note that it will require a more lengthy and rigorous request process for those prosecutors seeking monitors, as well as a review process up to perhaps even the DAG. This alone could lengthen out an entire Foreign Corrupt Practices Act (FCPA) enforcement action.

The incentives language, both financial and non-financial, will require a much deeper analysis by a corporate compliance program in the areas of compensation, as well as promotion, than has ever been mandated. The first thing I would do as a CCO is go down the hall to speak with the head of Human Resources (HR) to get an understanding of how compensation is based and what factors of doing business ethically and in compliance are reviewed for both salary and discretionary bonus amounts. The same would hold true for promotion into both middle and senior management. All of these will need to have metrics or other auditable frameworks around them so they can be reviewed, tested and data presented to the regulators if they come knocking.

The language around messaging apps needs to be taken to heart by not simply the compliance function but all senior level executives. While the Securities and Exchange Commission (SEC) has garnered the most publicity for its fines levied on regulated industries, the new language of the ECCP makes clear the DOJ is equally concerned about this issue. Woe be it to any company which finds itself in a FCPA investigation or enforcement action where said company does not meet these DOJ requirements. The DOJ will most probably assume a willful failure to meet the strictures of the 2023 ECCP.

Obviously, the Biden Administration DOJ is stepping away from some of the initiatives of the Trump Administration DOJ. However, in other areas this DOJ is building on some of the steps of the prior administration. It is clear the DOJ is continuing to evolve in its thinking about what constitutes a best practices compliance program and will continue to do so. Compliance professionals will need to study these new initiatives and implement their requirements.


The Week That Was in Compliance – The ECCP: Part 3 – Messaging Apps

In addition to the speeches presented at the ABA’s 38th Annual National Institute on White Collar Crime by Deputy Attorney General Lisa Monaco (2023 Monaco Speech) and Assistant Attorney General Kenneth A. Polite (Polite Speech), there was the release of the 2023 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (ECCP). Today we review another new addition to the ECCP, dealing with messaging apps.

There is not much which seems to exercise the regulators in the compliance space as much as messaging apps. The Securities and Exchange Commission (SEC) has brought multiple and very large enforcement actions against regulated industries around their allowing employees to use messaging apps with no corporate oversight. The Department of Justice (DOJ) has been talking about messaging apps for over two years and has now incorporated its guidance into the ECCP.

The ECCP opened this section by noting, “Messaging applications have become ubiquitous in many markets and offer important platforms for companies to achieve growth and facilitate communication.” For any company under investigation or in a Foreign Corrupt Practices Act (FCPA) enforcement action, the DOJ will evaluate its “policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law…governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.” Off the shelf policies will not be sufficient as the company’s management of messaging apps “should be tailored to the corporation’s risk profile and specific business needs.” Not surprisingly the DOJ is also concerned about storage, access and even backups, requiring that “business-related electronic data and communications are accessible and amenable to preservation by the company.” Training and communication of these policies and procedures will also be evaluated and “whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.”

The Messaging Apps

Under the section entitled “Communication Channels”, the DOJ poses a series of questions that every compliance program must answer. These questions include:

  • What electronic communication channels does the company and its employees use, or allow to be used, to conduct business?
  • How does that practice vary by jurisdiction and business function, and why?
  • What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?
  • What preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each?
  • What is the rationale for the company’s approach to determining which communication channels and settings are permitted?

Under this section, compliance must delineate which messaging apps a company uses and why. Is it consistent or does it vary country by country? What mechanism has your organization put in place to manage this risk? Finally, how are the communications preserved and what is your rationale for your system?

Policies and Procedures

Under the section entitled “Policy Environment”, the DOJ poses a series of questions that every compliance program must answer. These questions include:

  • What policies and procedures are in place to ensure that communications and other data is preserved from devices that are replaced?
  • What are the relevant code of conduct, privacy, security, and employment laws or policies that govern the organization’s ability to ensure security or monitor/access business-related communications?
  • If the company has a “bring your own device” (BYOD) program, what are its policies governing preservation of and access to corporate data and communications stored on personal devices—including data contained within messaging platforms—and what is the rationale behind those policies?
  • How have the company’s data retention and business conduct policies been applied and enforced with respect to personal devices and messaging applications?
  • Do the organization’s policies permit the company to review business communications on BYOD and/or messaging applications?
  • What exceptions or limitations to these policies have been permitted by the organization? If the company has a policy regarding whether employees should transfer messages, data, and information from private phones or messaging applications onto company record-keeping systems in order to preserve and retain them, is it being followed in practice, and how is it enforced?

This section presents several areas a compliance professional should look into for their program. Do you have an appropriate set of policies and procedures in place and are they the same for company-issued phones and BYOD phones? If not, why not? Do you have a data retention policy in place for messaging apps and their platforms and is it applied consistently (if at all)? Does your organization review business communications through messaging apps or does your organization even have the right to do so? Finally, are messages preserved somewhere?

Under the section entitled “Risk Management”, the DOJ poses a series of questions that every compliance program must answer. These questions include:

  • What are the consequences for employees who refuse the company access to company communications? Has the company ever exercised these rights?
  • Has the company disciplined employees who fail to comply with the policy or the requirement that they give the company access to these communications? Has the use of personal devices or messaging applications—including ephemeral messaging applications—impaired in any way the organization’s compliance program or its ability to conduct internal investigations or respond to requests from prosecutors or civil enforcement or regulatory agencies?
  • How does the organization manage security and exercise control over the communication channels used to conduct the organization’s affairs?
  • Is the organization’s approach to permitting and managing communication channels, including BYOD and messaging applications, reasonable in the context of the company’s business needs and risk profile?

This final section might as well have been named ‘consequence management’ but I guess that moniker was already taken. Here the DOJ wants to know what consequences recalcitrant employees faced for failure to follow the appropriate policies and procedures. Moreover, did any employee actions around messaging apps hinder or block internal investigations or regulators’ queries or attendant responses? Next, is an appropriate level of internal security being exercised for such communications? Finally, are the company’s actions reasonable in the context of its business needs and risk management protocol?

Obviously, there is quite a bit in these three sections every compliance professional will have to consider. But the framework already exists which you can adapt. It is risk assessment → risk management strategy → ongoing monitoring → ongoing improvement. It may take some work but your blueprint to handle these requirements exists.

Join us tomorrow when we conclude our review of the 2023 ECCP.


The Week That Was in Compliance – The ECCP: Part 2 – Consequence Management

In addition to the speeches presented at the ABA’s 38th Annual National Institute on White Collar Crime by Deputy Attorney General Lisa Monaco (2023 Monaco Speech) and Assistant Attorney General Kenneth A. Polite (Polite Speech), there was the release of the 2023 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (ECCP). Today we review another new addition to the ECCP, that being ‘consequence management’. This certainly includes clawbacks but there is also other language which compliance professionals will need to incorporate into their compliance program beyond clawbacks.

The Department of Justice (DOJ) has been talking about clawbacks for some time now. However, the revised language of the ECCP puts more rigor around what the DOJ is now mandating. This section begins by noting that financial penalties as well as financial incentives can influence employee behavior and that prosecutors are now required to consider both aspects. It states:

“By way of example, prosecutors may consider whether a company has publicized disciplinary actions internally, where appropriate and possible, which can have valuable deterrent effects. Prosecutors may also consider whether a company is tracking data relating to disciplinary actions to measure effectiveness of the investigation and consequence management functions. This can include monitoring the number of compliance-related allegations that are substantiated, the average (and outlier) times to complete a compliance investigation, and the effectiveness and consistency of disciplinary measures across the levels, geographies, units or departments of an organization…Some companies have also enforced contract provisions that permit the company to recoup previously awarded compensation if the recipient of such compensation is found to have engaged in or to be otherwise responsible for corporate wrongdoing. Finally, prosecutors may consider whether provisions for recoupment or reduction of compensation due to compliance violations or misconduct are maintained and enforced in accordance with company policy and applicable laws…Compensation structures that clearly and effectively impose financial penalties for misconduct can deter risky behavior and foster a culture of compliance.”

Clawbacks

With the Pilot Program and other announcements in the Monaco and Polite speeches, the DOJ has made clear that companies need to seek to recover amounts paid out to executives which were illegally received as corporate compensation. This could include salary, stock options or similar payments, or discretionary bonuses. Regarding your corporate clawback protocol itself, the ECCP poses the following questions:

  • What percentage of executive compensation is structured to encourage enduring ethical business objectives?
  • Are the terms of bonus and deferred compensation subject to cancellation or recoupment, to the extent available under applicable law, in the event that non-compliant or unethical behavior is exposed before or after the award was issued?
  • Does the company have a policy for recouping compensation that has been paid, where there has been misconduct?
  • Have there been specific examples of actions taken (e.g., promotions or awards denied, compensation recouped or deferred compensation cancelled) as a result of compliance and ethics considerations?

All of this means every compliance program will need to analyze each of these components as set out. It will also require a review of executive contracts to determine if there are clawback provisions set out in each employment contract. If there are no such provisions, they will need to be inserted. Finally, what “specific examples of actions taken” does a company have to show to the DOJ should they come knocking?

Consequence Management

The DOJ also mandated that compliance programs take a deeper dive into their entire financial incentive program, both incentives and disincentives. While not previously discussed in speeches, these new requirements seem to flow from the general statements made by both Monaco and Polite over the past year. In this area, the ECCP mandates the following inquiries:

  • How has the company ensured effective consequence management of compliance violations in practice?
  • What insights can be taken from the management of a company’s hotline that provide indicia of its compliance culture or its management of hotline reports?
  • How do the substantiation rates compare for similar types of reported wrongdoing across the company (i.e. between two or more different states, countries, or departments) or compared to similarly situated companies, if known?
  • Has the company undertaken a root cause analysis into areas where certain conduct is comparatively over or under reported?
  • What is the average time for completion of investigations into hotline reports and how are investigations that are addressed inconsistently managed by the responsible department?
  • What percentage of the compensation awarded to executives who have been found to have engaged in wrongdoing has been subject to cancellation or recoupment for ethical violations?
  • Taking into account the relevant laws and local circumstances governing the relevant parts of a compensation scheme, how has the organization sought to enforce breaches of compliance or penalize ethical lapses?
  • How much compensation has in fact been impacted (either positively or negatively) on account of compliance-related activities?

Obviously, there is some overlap with the clawback language but there is quite a bit new in these questions. The DOJ ties hotline and speak up reports directly to a company’s culture of compliance. This is almost a direct tie back to the findings of Kyle Welch in his seminal work on a speak up culture. But the DOJ goes on to ask about substantiation rates, closure rates, consistent and fair application of discipline (and rewards when called for) and root cause analysis, which are not simply technical aspects of compliance programs but are concrete steps companies can implement to engender trust with employees that their concerns will be taken seriously and then acted upon when they are raised. Once again, as with clawbacks, these are levels of analysis that many compliance programs have not yet taken but are now required to do so.

Join us tomorrow when we consider messaging apps under the revised ECCP.


The Week That Was in Compliance – The ECCP: Part 1 – Incentives

In addition to the speeches presented at the ABA’s 38th Annual National Institute on White Collar Crime by Deputy Attorney General Lisa Monaco (2023 Monaco Speech) and Assistant Attorney General Kenneth A. Polite (Polite Speech), there was the release of the 2023 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (ECCP). Today we will begin a multi-part review of this document by considering financial incentives.

This section begins with a new introduction which makes clear the seriousness with which the Department of Justice (DOJ) views incentives, both financial and other types of incentives. The ECCP states, “The design and implementation of compensation schemes play an important role in fostering a compliance culture. Prosecutors may consider whether a company has incentivized compliance by designing compensation systems that defer or escrow certain compensation tied to conduct consistent with company values and policies. Some companies have also enforced contract provisions that permit the company to recoup previously awarded compensation if the recipient of such compensation is found to have engaged in or to be otherwise responsible for corporate wrongdoing. Finally, prosecutors may consider whether provisions for recoupment or reduction of compensation due to compliance violations or misconduct are maintained and enforced in accordance with company policy and applicable laws. Compensation structures that clearly and effectively impose financial penalties for misconduct can deter risky behavior and foster a culture of compliance.”

However, the DOJ reiterated that “providing positive incentives, such as promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership, can drive compliance. Prosecutors should examine whether a company has made working on compliance a means of career advancement, offered opportunities for managers and employees to serve as a compliance “champion”, or made compliance a significant metric for management bonuses. In evaluating whether the compensation and consequence management schemes are indicative of a positive compliance culture.”

Neither of these concepts for incentives is new. Financial incentives were a part of the original 10 Hallmarks of an Effective Compliance Program, as delineated in the 2012 edition of the FCPA Resource Guide. They were brought forward in the 2020 2nd edition. Promotions, rewards and bonuses were also discussed in both of those documents as well as other DOJ pronouncements and formulations over the years. However, this is the first time the DOJ has specifically spelled out the role of the ‘compliance champion’ as both an indicia of a best practices compliance program and a mechanism to demonstrate a ‘positive compliance culture.’

The ECCP also added a new section on financial incentives which directs prosecutors to specifically evaluate how a company designs and applies financial incentives. It states:

Incentive System – Has the company considered the implications of its incentives and rewards on compliance? How does the company incentivize compliance and ethical behavior? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?

Rephrasing these questions, a compliance professional might consider them in the following manner:

  1. How does the company incentivize compliance and ethical behavior?
  2. Has the company considered the implications of its incentives and rewards on compliance?
  3. Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?
  4. Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?

These four questions basically break down into the following continuum: (1) Assessment, (2) Analysis, (3) Implementation, and (4) Monitoring.

Incentive program assessment. Here you need to review your corporate incentive program for all employees, most particularly the discretionary bonus program but also your non-financial incentives such as promotion. Is your bonus program only related to individual sales, division sales or other similar metric or overall company performance? You can begin with some questions suggested by the ECCP: What role does the compliance function have in designing and awarding financial incentives at senior levels of the organization? Has the company evaluated whether commercial targets are achievable if the business operates within a compliant and ethical manner?

If you do not have any component for doing business ethically and in compliance, your entire compliance program is probably falling short at this point. You should also see if this is a query for promotion and not simply does an employee.

Incentive program analysis. Here you need to see what perverse incentives may exist in your organization. Obviously if meeting your target numbers is the sole criterion, your program is once again falling short. On the promotion front, you need to analyze patterns of promotion to (1) see if any employees with ethical or compliance program violations have been promoted; and (2) also determine if employees are promoted simply for NOT having any ethical violations. This would lead to a review of whether or not promoted employees have actively participated in improving or maintaining a culture of compliance. How does the company incentivize compliance and ethical behavior? What percentage of executive compensation is structured to encourage enduring ethical business objectives?

Incentive program implementation. After implementation of the incentive program, it must be monitored. The ECCP suggests an inquiry into the following area: Has the company considered the impact of its financial rewards and other incentives on compliance? Additionally, what role, if any, did the corporate compliance function have in advising on the bonus program or participating in setting the bonus and promotion structures?

Incentive program monitoring. Here there needs to be ongoing monitoring of the incentive program, including whether the company has ensured effective management of the incentive program. The ECCP suggests a review of how much compensation has in fact been impacted (either positively or negatively) on account of compliance-related activities.

Join me tomorrow where I take a deep dive into discipline or the new formulation, “consequence management.”