United States: High-Stakes Corporate Compliance: Reducing Risk And Managing Potential Sanctions

Vince Farhat is a Partner in the Los Angeles office
David Schneider is an Associate in the Northern Virginia office

  • Compliance-related investigations, suspensions, and debarments are on the rise.
  • The government looks favorably on a strong corporate compliance program.
  • Independent monitors oversee a sanctioned business's compliance activities.
  • When qualifying a monitor, objectivity and merit are essential factors.
  • Successful monitorships are built on detailed agreement, communication, and collaboration

The past few years have seen significant increases in compliance-related government investigations, suspensions, debarments, and other actions by government agencies, regulators, and law enforcement. A Government Accountability Office study in 2011 concluded that Suspension and Department officers were not being as aggressive as they should,1 sparking Congressional hearings and then more aggressive sanctioning of government contractors by state and federal regulators, agency Inspectors General, and the Department of Justice (DOJ). This increased government scrutiny covers a range of issues, including False Claims Act (FCA) violations; Procurement Integrity Act violations; Federal Acquisition Regulations (FAR) violations; regulatory infractions; quality control; Foreign Corrupt Practices Act (FCPA) violations; health, safety, and welfare violations; bribery; and kickbacks.

Many government enforcement actions focus on corporate compliance and corporate ethical culture. In this landscape, creating a culture of compliance has become a maxim of good corporate governance. But how does an entity determine whether it has established such a culture? This article discusses key elements of an ethics assessment and the role independent monitors can play in collecting unbiased information, reducing risk, and mitigating potential sanctions.

Creating a culture of compliance

A strong and well documented culture of compliance burnishes a company's reputation and helps it identify problems when they are still at a small and manageable stage. It also helps a company defend itself if it becomes the target of a government ethics investigation. The DOJ publishes the United States Attorney Manual (USAM), which identifies factors for U.S. Attorneys to consider when deciding whether to prosecute companies.2 Two of the factors listed involve corporate compliance programs:

  1. The existence and effectiveness of the corporation's pre-existing compliance program; and
  2. The corporation's remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one.

A strong compliance program may encourage an enforcement agency to consider accepting a remediation plan rather than seeking costly and punitive sanctions. In cases in which a matter goes to prosecution, an effective compliance program may help limit the damages.

The USAM commentary states that the DOJ "encourages" corporate compliance programs, however, "the existence of a compliance program is not sufficient, in and of itself, to justify not charging a corporation for criminal misconduct undertaken by its officers, directors, employees, or agents." That is, the mere existence of a compliance program does not give a company a free pass from liability. USAM indicates important elements of a real and effective compliance program3 including whether:

  • the company can effectively detect and prevent misconduct;
  • the corporation's directors exercise independent review over the proposed corporations actions rather than unquestionably ratifying officer's recommendations;
  • the company's internal audit functions [are] conducted at a level sufficient to ensure their independence and accuracy; and
  • the directors established an information and reporting system in the organization reasonably designed to provide management and directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization's compliance with the law.

Further guidance regarding the elements of an effective corporate ethics and compliance program is set forth in the advisory Federal Sentencing Guidelines (FSG).4 In addition to the USSC, other agencies such as the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Department of Health and Human Services (HHS) have compliance guidelines that can affect corporate liability. Companies should also look at the applicable agency guidance when developing a compliance program.5

As with the factors listed in the USAM, the FSG requirements for an effective compliance program can help position a company to advocate for a non-prosecution or deferred prosecution agreement and/or to curb the financial damage sustained (e.g., in the form of fines) if an agreement is negotiated. The U.S. Sentencing Commission modified the sentencing calculation relative to compliance and ethics programs in 2010 in order to incentivize selfreporting and creation of direct reporting lines between compliance officers and the corporate governing authority. In addition, it delineated some limited situations in which an organization could receive credit for an effective ethics and compliance program, even if high level personnel were involved in the misconduct.6

Although the FSG lists seven factors of a strong compliance program,7 its overarching principles are that an organization must exercise due diligence to prevent and detect criminal conduct and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. The FSG recognizes that even the best compliance programs cannot detect or prevent every possible crime; however, the compliance program must be reasonably designed, implemented, and enforced so that it is generally effective in preventing and detecting criminal conduct. In light of these considerations, it is wise for companies to train employees on how to make ethical decisions and how to respond appropriately to complaints and allegations of misconduct.

Both the USAM and the FSG give guidance about the factors important in determining whether an ethics and compliance program is real or pro forma (i.e., for the sake of form, a "paper" program), but they also allow for variability based on the size of the company and other characteristics. In general, larger companies are expected to have more formal ethics and compliance programs and more extensive mechanisms for measuring their implementation; many large companies appoint a chief ethics/compliance officer (CECO). The FSG states:

(2) (A) The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

From a practical perspective, experience has shown it is helpful if this individual has strong communication and training skills, is respected by the employees, has adequate staff and funding for the job, and understands and respects the obligations of the role. The key to success for this position, however, is ensuring that the CECO has the necessary independence, authority, and placement within the company; usually this means direct reporting responsibilities to the decision making authorities of the company: the CEO, COO, and the board of directors. Best practices include a quarterly report from the CECO to the board, which has a fiduciary responsibility in a public company to know the ethical posture of the company.

Although a CECO can build or implement an adequate program, a true culture of compliance requires commitment from a company's leadership. The "tone at the top" of such an organization is one in which all levels of staff are encouraged to do the right thing and managers are expected to be role-models of ethical and compliant behavior. The tools which support this type of culture include:

  • An up-to-date and useable code of conduct that states the company's and the employees' responsibilities and focuses on the unique vulnerabilities of the company;
  • Values-based and compliance-focused ethics and compliance training;

    • Effective education in this area comprises a mix of live and computer-based initiatives, with examples based on scenarios likely to be encountered in the field.
    • Tests of comprehension reinforce the message and identify areas in which the organization needs to improve its messaging.
  • A mechanism for providing advice to employees who have ethics or compliance questions;
  • Written acknowledgement by all employees of their duty to report observed ethical violations;
  • A mechanism for collecting reports of violations, such as an anonymous reporting hotline that allows employees to convey information without fear of retribution;
  • A fair process for dealing with reports, complaints, allegations, and investigations. In instances in which violations are found, disciplinary action should be both progressive (e.g., proportionate to the seriousness of the violation) and consistent across the organization (i.e., not based on a person's rank in the company or how much business he/she brings in). Ideally, the program should function as both a carrot and a stick, incentivizing employees to act properly while disciplining improper actions;
  • Internal auditing to determine whether the ethics and compliance program is being followed and to look for possible misconduct or criminal activity; and
  • Periodic reassessment of the overall effectiveness of the company's ethics and compliance efforts, as well as updating of its program and processes.

The FSG encourages periodic independent assessments as a means of determining this overall effectiveness from an objective standpoint, and identifying areas of risk. Commentary to FSG states:

6. Application of Subsection (b)(7).— Subsection (b)(7) has two aspects.

First, the organization should respond appropriately to the criminal conduct...

Second, the organization should act appropriately to prevent further similar criminal conduct, including assessing the compliance and ethics program and making modifications necessary to ensure the program is effective. The steps taken should be consistent with subsections (b)(5) and (c) and may include the use of an outside professional advisor to ensure adequate assessment and implementation of any modifications.

Independent monitors: Reducing risk and managing potential sanctions

An organization can benefit from the services of an independent monitor in several situations.

As noted above, companies are encouraged to not only conduct internal assessments of their ethics and compliance programs, but periodically to have them independently evaluated. A large organization with well-established rules and processes can benefit from the viewpoint of an outsider who is not wedded to the current system or influenced by the politics within the company. A smaller organization with a less formal ethics and compliance program can benefit from the focus of an independent monitor and from the monitor's knowledge of best practices in the field. Engaging this type of outside professional advisor will help a company identify its evolving areas of risk and improve its systems for preventing unwanted behavior, thereby further demonstrating its commitment to compliant and ethical behavior, if it is subject to investigation by a regulatory authority or enforcement agency.

For many companies, however, the idea of using an independent monitor is first raised in discussions of deferred prosecution or non-prosecution agreements, plea agreements in criminal matters, debarment proceedings, settlement agreements, probation or corrective actions, or corporate integrity agreements. In a typical scenario, a company might self-report an ethics violation to the agency for which it is providing contracted services. The self-report, along with a demonstrated ethics and compliance program, might indicate that the company was a suitable prospect for a non-prosecution agreement, rather than prosecution or sanction. The non-prosecution agreement would require correction of the reported problem plus ongoing independent monitoring for an agreed-upon period to support its continued compliance.

An independent monitor who will take on the role of overseeing the compliance activities of businesses or professionals who have been sanctioned for violating laws or regulations should be a person (or organization of people) with in-depth knowledge of and experience with regulatory schemes. Selecting an independent monitor is simultaneously one of the most important and most difficult decisions regarding the use of a monitor. In 2008, Acting Deputy Attorney General Craig S. Morford wrote a memorandum (the Morford Memo) for U.S. attorneys, regarding the "Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations."8 The Morford Memo provides principles for drafting independent monitor-related provisions, and these were updated in 2010 by Acting Deputy Attorney General Gary Grindler.9 Collectively, these documents describe the monitoring process overall and the selection of a monitor in particular. The Suspension and Debarment officials of several federal government agencies have since adopted these principles in their selection of monitors.

The most important factor in qualifying a monitor is the monitor's objectivity/lack of conflict of interest. The monitor should not have a personal or business relationship with the company, should not be a stockholder, a former employee of the business, nor someone looking for a permanent position there. In addition, the monitor should be selected on the basis of merit. A company which has been subject to a Medicare/ Medicaid fraud investigation, for example, would look for a monitor well-versed in forensic accountancy as well as Medicare/Medicaid billing and coding practices.

Other criteria for an effective monitor can be inferred from the Morford Memo. Where the Memo indicates that monitoring should focus on addressing and reducing the risk of a recurrence of the established misconduct, one can assume that a monitor who understands establishing clear parameters for the project would be preferable to one who goes into an assignment ready to look at anything and everything. Where the Memo indicates that it may be appropriate for the monitor to submit periodic reports to the company, the government, or both, it can be inferred that the monitor should be an able communicator. Where the Memo indicates that the company will be expected to implement or respond to recommendations made by the monitor, one can assume that the monitor should be of a practical mindset—able to give advice about how to correct a problem, rather than one with a "gotcha" mentality who simply relishes finding violations. And, because the monitor is neither an investigator for the government nor an advocate for the company, and yet needs to be trusted by both, the monitor must be of high integrity.

Usually a monitor put in place as a result of a settlement agreement is paid by the monitored company and issues reports to both the government and the company. The agreement between the company and government directs the monitor's course of action, the scope and frequency of the oversight, as well as its duration. Newer agreements have incorporated the 2010 Grindler recommendation and address what to do if there is a dispute between the monitor and the company. Most agreements require the monitor to report on the good faith efforts of the company (or lack thereof) to comply with their terms, the extent of its cooperation with the monitor, identified areas of concern, improvements recommended and changes implemented, areas in need of additional attention, and adherence to ethics and compliance programs. It is usual practice for the government to allow the company to receive a copy of the monitor's report.

A successful relationship between an independent monitor and the client company is built on (1) a detailed agreement, (2) communication, and (3) collaboration. It is natural for a company to be concerned about opening its business to an outsider, but open dialogue between the monitor and the company makes the monitorship more efficient and effective, resulting in more pertinent and individually tailored recommendations. The thoroughness of the monitor's work and the level of company cooperation will also build the trust of the government.

It bears repeating that an independent monitor is not an investigator. The assumptions behind a settlement agreement include (1) the company acknowledges shortcomings in its systems, and (2) the government accepts its proposal to correct these problems. The monitor, therefore, is reporting on the process of identifying and correcting weaknesses, not on all compliance matters within an organization. Analyses of company weaknesses—especially of systems failures—vary tremendously, according to the underlying issues. As mentioned above, a billing fraud issue might trigger a forensic accounting assessment. A FAR ethics violation, on the other hand, might warrant a review of the company's ethics policies and its ethical culture. The tools of such information gathering include document and policy reviews, interviews, participation in staff training, conducting focus groups, and surveys.

No matter what the underlying issue is, the monitor should provide an assessment of the company's internal controls. This is important for several reasons:

  • Typically, the failure of the company's internal controls led to the acknowledged problem;
  • The company's ability to consistently identify and correct its own problems will prevent future lapses; and
  • Strong internal controls signify to the government that the company can be trusted.

All risk cannot be eliminated, but the assessment should help a company determine how its programs, policies, pay, and promotion structures may be contributing to its risk of unethical or noncompliant activity. And, as noted above, the monitor should offer practical recommendations for improvement which can be measured and tracked. An effective monitor is one who can convey these recommendations while maintaining the neutrality to report on their implementation in an objective and truthful manner.

Conclusion

The current compliance environment is a high-stakes game for companies doing business with, or under the regulatory eye of, government agencies. The use of independent monitors is one more tool that companies and their counsel have available to demonstrate commitment to remediation and a willingness to work with the government—a tool which may help them avoid the more punitive approaches to compliance that government agencies are taking with ever greater frequency.

Originally published in Compliance & Ethics Professional, September/October 2013.

Footnotes

1. U.S. Government Accountability Office: Suspension and Debarment: Some Agency Programs Need Greater Attention, and Government wide Oversight Could Be Improved. GAO-11-739, Aug 31, 2011. Available at http://1.usa.gov/13337GH

2. United States Attorneys Manual. Available at http://1.usa.gov/19xBEo2

3. Ibid, at 28.800.

4. USSC, Federal Sentencing Guidelines. Available at http://bit.ly/17TWrOy

5. See e.g., SEC 17 CFR Parts 270, 275, and 279, Compliance Programs of Investment Companies and Investment Advisors; Final Rule, December 24, 2003. http://1.usa.gov/14iH2dp; See also, FINRA Rule 3130 Annual Certification of Compliance and Supervisory Processes. Available at http://bit.ly/16Enf3W; See e.g., HHS Compliance Guidance http://1.usa.gov/1aWWxa4

6. USSC Guidelines Manual, Supplement to Appendix C, Amendment 744, pp. 361-363, November 1, 2010. Available at http://bit.ly/13ZOJlL

7. 2012 USSC Guidelines Manual, §8B2.1. Available at http://bit.ly/1ebrG9g

8. Craig S. Morford, Department of Justice Memorandum, March 7, 2008. Available at http://1.usa.gov/1bKqPR2

9. Gary G. Grindler: Additional Guidance on the Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations, Department of Justice Memorandum, May 25, 2010. Available at http://1.usa.gov/1aWWTNI

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Emails

From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

*** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.