Business leaders would be wise to take precautionary steps that may lessen a company’s vulnerability to criminal charges. They may have built a business with the best of intentions. Yet as companies grow, they bring more people onto the team. Those team members may make decisions that violate regulations or laws. Although a company may not be able to escape civil liability for misdeeds by employees, company leaders can take steps to persuade prosecutors that they built a company with a good-faith effort to avoid problems with the law.
If company leaders persuade prosecutors that they strive to operate as good corporate citizens, they may qualify for leniency through either a deferred-prosecution agreement or a non-prosecution agreement. Although civil penalties can be severe, criminal penalties may obliterate a company’s prospects to continue operations.
On June 1, 2020, the U.S. Department of Justice published a white paper to guide prosecutors on what they should consider when assessing whether to bring criminal charges against a company. Anyone with an interest could learn from the DOJ guidance. It shows that if companies build effective compliance programs, prosecutors may be more inclined to offer leniency through a deferred-prosecution agreement, or a non-prosecution agreement.
Our website at Compliance Mitigation offers a link with commentary to that white paper, but this portion of the lesson will explain our interpretation of what we learned.
The guidance draws from the “Principles of Federal Prosecution of Business Organizations,” which identifies specific factors prosecutors should consider when assessing whether to bring criminal charges against a corporation:
The adequacy and effectiveness of the corporation’s compliance program at the time of the offense,
The adequacy and effectiveness of the corporation’s compliance program at the time of a charging decision,
The corporation’s remedial efforts to implement an adequate and effective corporate compliance program, or
The corporation’s remedial efforts to improve an existing compliance program.
When deliberating over a plea for leniency, the prosecutors will pay particularly close attention to the corporation’s compliance program. Presumably, if a company has a good compliance program, the company will receive more favorable treatment.
Assistant Attorney General Brian Benczkowski instructs prosecutors to consider:
whether the corporation has made significant investments in its corporate compliance program,
whether the corporation has made significant improvements to its internal control systems, and
whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future to determine whether a monitor is appropriate.
Click below to download the DOJ Evaluation of Corporate Compliance Programs report.
Prosecutors don’t want to see boilerplate compliance programs. Rather, each company should complete a risk assessment, and create training systems and control systems that are appropriate for the company. A healthcare provider may have a different risk exposure than a telemarketing company. As such, each company should invest to build compliance programs that address risk levels, and each company should implement well-documented internal controls.
Since I’ve met thousands of business professionals that went to prison, and many of those people claimed that they did not know or understand the implications of decisions they made on the job, it would seem that compliance programs should include basic lessons on white-collar crime. Regardless of what industry a business may serve, if the business uses a telephone, a website, email, snail mail, or interacts with consumers, the business stands vulnerable to investigations and potential criminal charges. After all, companies don’t break the law—people that work in companies break the law. Sadly, many of those people do not know the criminal implications of decisions they make.
According to the white paper, prosecutors make a reasonable, individualized determination in each case that considers various factors, including:
The company’s size,
Regulatory landscape, and
Other factors, both internal and external to the company’s operations that might impact its compliance program.
Prosecutors have to ask three fundamental questions when assessing whether a deferred-prosecution agreement or non-prosecution is appropriate:
Is the corporation’s compliance program well designed?
Is the program being applied earnestly and in good faith? In other words, is the program adequately resources and empowered to function effectively?
Does the corporation’s compliance program work in practice?
According to the DOJ,
“… the critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees.”
US Department of Justice
Also, prosecutors want to know “whether corporate management is enforcing the program or is the corporation tacitly encouraging or pressuring employees to engage in misconduct.”
For example, if the company has a policy statement that says it will not tolerate bribery, but rewards sales professionals that bribe others to do business with the company, the company may face harsher scrutiny from prosecutors. In fact, prosecutors may bring criminal charges against the company, and possibly, against leaders, alleging “willful blindness” to the violations of law. As described earlier, prosecutors will not hesitate to bring conspiracy charges against a business leader that condones violations of law.
The DOJ wants prosecutors to examine “the comprehensiveness of the compliance program,” ensuring that there is not only a clear message that misconduct is not tolerated, but also policies and procedures, including:
appropriate assignments of responsibility,
systems of incentives and discipline.
Taken together, the compliance programs should be well-integrated into the company’s operations and workforce.
To start, a prosecutor will want to evaluate whether a company has undertaken an effective risk assessment. The company should create messaging to show that it has identified, assessed, and defined its risk profile. The compliance program should devote appropriate scrutiny and resources to the spectrum of risks.
Company leaders should anticipate that prosecutors will ask the following questions:
What are the reasons behind this company’s compliance program?
How has the company’s compliance program evolved over time?
When assessing whether a company should qualify for leniency, the DOJ white paper advises prosecutors to consider whether the compliance program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment.”
Some factors prosecutors will consider include:
location of operations (Does the company operate in areas where higher risks of corruption exist?),
industry sector (What risks typically exist in the company’s sector?),
competitiveness in the market (How does the company compete fairly in the marketplace?),
regulatory landscape (What steps does the company take to stay abreast of regulatory changes?),
potential clients and business partners (What due diligence does the company do on partners?),
transactions with foreign governments (What rules exist with regard to doing business with foreign governments?),
payments to foreign officials (What steps has the company taken to comply with FCPA laws?),
use of third parties (Does the company use third parties to deflect risk?),
gifts (Does the company have a policy in place to address gifts?),
travel (How does the company justify travel expenses?),
entertainment expenses (What relationship do entertainment expenses have to legitimate business?),
charitable and political donations (In what ways do donations relate to legitimate business?).
The DOJ white paper suggests that prosecutors may be more inclined to grant leniency to the business, and possibly offer a deferred-prosecution agreement if:
The company leaders can how they went through a risk analysis process,
The company can demonstrate that its compliance program is based on what it learned from the risk analysis.
The company can show that it periodically updates its compliance program.
Prosecutors expect company officials to periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify each requirement to reduce the risk of criminal conduct.
A salient point in the government’s guidance is that prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction. If the company makes “revisions to corporate compliance programs in light of lessons learned,” that company may receive favorable treatment from a prosecutor.
Risk Management Process:
To identify, analyze, and address the particular risks a company faces, it should take the time to write out a full story. For example, the company can take proactive measures by writing out:
The company’s process to identify staff members it hires,
Create a clearly defined organizational chart, with job descriptions and lines of accountability or authority,
Write out the company’s customer-acquisition strategy,
Write policy statements to show how the company processes orders or protects customer privacy,
Create scripts for employees to follow when communicating with consumers
Create a cloud-based documentation retention policy,
Create tools that show how the company trains team members,
Create a corporate code of conduct that documents the company’s disciplinary process.
The above risk-management tool should help the company determine how best to design a compliance program that would be specific to its industry and risk profile. A company that interacts with officials in foreign countries, for example, may invest more time and training to guard against the potential for bribery; a company that operates in the telemarketing industry may create compliance programs that offer more training on the FTC Rule and the Telemarketing Sales Rule.
Prosecutors will want to know about the company’s resource allocation for compliance. Expect prosecutors to ask questions such as:
Does the company devote a disproportionate amount of time policing low-risk areas instead of high-risk areas?
High-risk areas may include:
Questionable payments to third-party consultants,
Suspicious trading activity,
Excessive discounts to resellers and distributors.
Does the company give greater scrutiny to high-risk transactions?
For example, a large-dollar contract with a government agency in a high-risk, country, as compared to a more modest and routine contract.
Does the company have a policy in place to measure transactional risk?
Prosecutors will want to know how frequently the company updates and revises the compliance program. They will ask questions such as:
Is the risk assessment current and subject to periodic review?
Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions?
Has the periodic review documented updates in policies, procedures, and controls?
Do these updates account for risk discovered through misconduct or other problems with the compliance program?
Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned from the company’s prior issues?
Does the company learn from the experiences of other companies operating in the same industry and or geographic region?
Is the company tracking the efforts it makes to learn about how risks change in the industry?
Policies and Procedures:
Prosecutors will expect a well-designed compliance program to include policies and procedures that give both content and effect to ethical norms. The compliance programs should address and aim to reduce risks identified by the company as part of its risk assessment process.
Business leaders should expect prosecutors to examine:
Whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant laws.
Whether the company’s code of conduct is accessible and applicable to all company employees.
Whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.
What is the company’s process for designing and implementing new policies and procedures?
What is the company process for updating existing policies and procedures?
Has that process changed over time?
Who has been involved in the design of policies and procedures?
Have business units been consulted prior to rolling out the policies and procedures?
What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risk the company faces?
How has the company communicated its policies and procedures to all employees and relevant third parties?
If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access?
Have the policies and procedures been published in a searchable format for easy reference?
Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
Responsibility for Operational Integration:
Who has been responsible for integrating policies and procedures?
Have the policies and procedures been rolled out in a way that ensures employees’ understanding?
In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?
What guidance and training have been provided to key gatekeepers in the control process?
Do they know how to identify misconduct?
Do they know when and how to escalate concerns?
Training and Communications:
Prosecutors will consider training and communications as a hallmark of a well-designed compliance program. Prosecutors will assess the steps taken by the company to ensure that policies and procedures have been integrated into the organization.
Do officers, directors, relevant employees, agents, and business partners receive periodic training?
Has the company relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise?
Does the company give employees practical advice?
Does the company give employees case studies to address real-life scenarios?
Does the company give guidance on how to obtain ethics advice on a case-by-case basis?
Does the company offer training to enable employees to identify and raise issues to appropriate personnel within the company?
Does the company offer training that adequately covers prior compliance incidents?
Does the company have a tool to measure the effectiveness of its training curriculum?
Does the company disseminate the compliance training in a manner that employees understand?
Prosecutors will want to know:
What training have employees in relevant control functions received?
Has the company provided tailored training for high-risk and control employees, including training that addresses risks in the area where the misconduct occurred?
Have supervisory employees received different or supplementary training?
What analysis has the company undertaken to determine who should be trained and on what subjects?
Form/Content/Effectiveness of Training:
Has the training been offered in the form and language appropriate for the audience?
Is the training provided online or in-person (or both), and what is the company’s rationale for its choice?
Has the training addressed lessons learned from prior compliance incidents?
Is there a process by which employees can ask questions arising out of the trainings?
How has the company measured the effectiveness of the training?
Have employees been tested on what they have learned?
How has the company addressed employees who fail all or a portion of the testing?
Has the company evaluated the extent to which the training has an impact on employee behavior or operations?
Communications about Misconduct:
Prosecutors will also inquire about the steps the company has taken to document misconduct. Business leaders should expect prosecutors to ask:
How has senior management communicated to employees the company’s position concerning misconduct?
What messaging has leadership given when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?
What resources have been available to employees to provide guidance relating to compliance policies?
How has the company assessed whether its employees know when to seek advice and whether they would be willing to do so?
Confidential Reporting Structure and Investigation Process:
Prosecutors will want to make sure that the company maintains an efficient and trusted mechanism for employees to report:
Allegations of a breach of the company’s code of conduct,
Company policies, or
Suspected or actual misconduct.
To qualify for leniency, business leaders should have policies in place that:
Allow employees to make such reports anonymously and confidentially.
Protect employees against any retribution for making such reports.
To assess whether a company qualifies for leniency, or deferred-prosecution agreements, prosecutors will ask:
Does the company have an anonymous reporting mechanism?
How do employees know about the reporting mechanism?
Has anyone ever used the reporting mechanism?
What measures has the company taken to test whether employees feel comfortable using the mechanism?
Does the company have a “hotline” where employees can report misconduct?
Properly Scoped Investigations by Qualified Personnel:
Business leaders should expect prosecutors to ask:
How does the company determine which complaints or red flags merit further investigation?
How does the company ensure those investigations are properly scoped?
What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented?
How does the company determine who should conduct an investigation, and who makes that determination?
Does the company apply timing metrics to ensure responsiveness?
Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?
Resources and Tracking of Results:
To persuade prosecutors that the company stands behind its compliance program, business leaders must prepare themselves to answer questions that show how they track results, such as:
Are the reporting and investigating mechanisms sufficiently funded?
How has the company collected, tracked, analyzed, and used information from its reporting mechanisms?
Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses?
Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?
Even a well-designed compliance program may be unsuccessful in practice if the implementation is lax, under-resourced, or otherwise ineffective. Business leaders should expect prosecutors to probe whether a compliance program is a “paper program” or one “implemented, reviewed, and revised, as appropriate, in an effective manner.”
Has the company provided for staff to audit, document, analyze, and utilize the results of the corporation’s compliance efforts?
In what ways has the company shown its commitment to the compliance program?
Does the company culture spread awareness that the company will not tolerate any criminal conduct?
Commitment by Senior Leaders:
Business leaders should anticipate that prosecutors will want to know whether the senior leadership team embraces the idea of compliance. Prosecutors will examine the extent to which senior leaders articulate the company’s ethical standards. They will want to know:
How have senior leaders, through their words and actions, encouraged or discouraged compliance?
What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts?
How have they modeled proper behavior to subordinates?
Have managers tolerated greater compliance risks in pursuit of new business or greater revenues?
Have managers encouraged employees to act unethically to achieve business objectives?
Have managers impeded compliance personnel from effectively implementing their duties?
Where within the company is the compliance function housed?
To whom does the compliance function report?
Is the compliance function run by a designated chief compliance officer?
Why has the company chosen the compliance structure it has in place?
What are the reasons for the structural choices the company has made?
Incentives and Disciplinary Measures:
Prosecutors will want to know whether the company has clear disciplinary procedures in place and whether it enforces them consistently across the organization. Prosecutors will ask:
In what ways does the company show that non-compliance will lead to swift consequences, regardless of the position or title?
How does the company incentivize compliance?
How does the company strive to detect criminal conduct?
Does the company publicize disciplinary actions internally?
What positive incentives does the company provide for demonstrating compliance?
Does the company tie bonuses or career advancement to compliance?
Does the Company’s Compliance Program Work in Practice?
The Principles of Federal Prosecution of Business Organizations requires prosecutors to assess “the adequacy and effectiveness of the corporation’s compliance program at two separate junctures:
At the time of the offense, and
At the time of the charging decision.
If the compliance program detected misconduct, and the company took action by self-reporting or conducting an internal investigation, prosecutors may conclude that the compliance program has been working effectively.
Has the compliance program evolved over time?
Has the company made significant investments in its compliance program?
Has the company invested in internal control systems?
Does the company make continuous improvements?
In what ways does the company investigate allegations of misconduct?
In what ways does a company conduct a root-cause analysis for noncompliance?